Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?

DC7499
November 10, 2018

Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?

This report will cover currently existing solutions for TCP-traffic tunneling through a DNS tunnel. Also an utility of own development will be presented. The advantages of it can be distinguished by the presence of universal scripting clients on powershell and bash, forwarding of certain ports and support for socks-proxy. And, of course, it's open source.

DC7499

November 10, 2018
Tweet

More Decks by DC7499

Other Decks in Research

Transcript

  1. DNS-туннелирование в 2k18.
    Что есть и что с этим делать?
    Скуратов Андрей
    Мигалин Сергей

    View Slide

  2. Who we are?
    We are a subsidiary of the largest
    Russian audit and consulting FBK Grant
    Thornton and specializes in providing
    services in the field of practical
    information security.
    Andrey Skuratov
    Information security engineer
    Pen-tester
    Sergey Migalin
    Information security engineer
    Digital forensic engineer

    View Slide

  3. What is DNS - tunnel?

    View Slide

  4. Prehistory of research

    View Slide

  5. What we need for that?
    • Network connection
    • DNS resolve possibility

    View Slide

  6. What does the open-source market offer?
    • dnscat2
    • iodine
    • dns2tcp
    • Heyoka
    • OzymanDNS

    View Slide

  7. Lets look closer
    Name «IN»
    speed, Kb/s
    «OUT»
    speed, KB/s
    Advantages Disadvantages
    dnscat2 0.7 10 Easy setting, large
    functionality,
    multisession
    Compiled clients,
    unstable Windows
    work
    iodine 9,8 9.8 High speed, auto
    optimization
    Only root use,
    compiled client, spec.
    Windows drivers
    needed
    dns2tcp 5 13 404 Compiled clients,
    only «www to local»
    mode
    Heyoka NaN NaN 404 Launch troubles
    OzymanD
    NS
    NaN NaN 404 Launch troubles

    View Slide

  8. So what problems we face?
    • Compiled clients
    • Unstable windows work
    • Low level additional software needed (sometimes)

    View Slide

  9. Our goal?
    Try to remove described flaws!

    View Slide

  10. And here comes...
    ThunderDNS
    Alpha version

    View Slide

  11. Our architecture

    View Slide

  12. Protocol
    0 – registrer action
    <7 random chars> – random ASCII symbols to avoid caching
    – the name given to the client at startup
    – domain configured to work (ex.: xakep.ru)
    Client registration
    0<7 random chars>.
    DNS query
    DNS Response (TXT)
    In case of successful registration, client id assigned to him, which he will
    continue to use.

    View Slide

  13. Protocol
    1 – get data action
    <7 random chars> – random ASCII symbols to avoid caching
    – the id given at registration
    – domain configured to work (ex.: xakep.ru)
    Client main loop
    1<7 random chars>.
    DNS query
    DNS Response (TXT)
    If there is new data, response will be in the format
    ::
    …or ND if not

    View Slide

  14. Protocol
    2 – upload data action
    <4 random chars> – random ASCII symbols to avoid caching
    – the id given at registration
    – number of block in buffer
    – domain configured to work (ex.: xakep.ru)
    Client upload data loop
    2<4 random chars>.data.
    DNS query
    DNS Response (TXT)
    :OK message if all right, or Error message if not

    View Slide

  15. Protocol
    Pentester proxy
    \x00GETCLIENTS\n`
    Get clients list
    \x02RESET:client_id\n
    Initialize connection
    \x01:::\n
    Set up aim
    \x03
    Data transfer to server

    Data transfer to application

    View Slide

  16. Our architecture
    Another time

    View Slide

  17. Server
    Python3 + dnslib
    Make our custom resolver
    resolve method processes requests

    View Slide

  18. Server
    Python3 + dnslib
    Your code here
    Send ordinary requests to
    GoogleDNS
    request address in var request.q.qname

    View Slide

  19. Server
    Python3 + dnslib
    Send reply
    We must divide reply in 255 char strings

    View Slide

  20. Server
    Our code
    To put the data from the pentester into the
    buffer, we wrote a small “receiver”, which
    is launched in a separate thread.
    catch connections
    from the pentester
    performs routing
    Transport buffer structure

    View Slide

  21. Our architecture
    Another time

    View Slide

  22. PowerShell client
    Client for Windows is based on the standard
    nslookup and object.Net.Sockets.TcpClient
    Each iteration of the loop is a call to the nslookup
    command using the Protocol described earlier.
    Works simple
    The work was tested and the code for Windows
    was unified from version 7 to 10 and standard
    versions of PowerShell
    From 7 to 10
    Less than 400 lines of code
    Minimum of code

    View Slide

  23. Bash client
    Client for Linux works on the standard dig
    commands and Bash shortcuts
    Connection to local hosts creates with help of
    /dev/tcp/ip/port Bash standard shortcut
    Bash shortcuts
    The work was tested on popular Linux
    distributives
    All Bash-linux systems support
    Less than 300 lines of code
    Also minimum of code

    View Slide

  24. Our architecture
    Another time

    View Slide

  25. Pentester proxy
    Written on Python3 + socketserver library
    Supports simple forwarding: pentester specifies
    local ip, port, client id and all traffic goes there.
    Simple TCP-forwarding
    Proxy can works as SOCKS5 server. Pentester
    should specify only client id
    SOCKS5 proxy
    Universal
    Work does not depend on the application.
    You can use both Metasploit and nmap.

    View Slide

  26. Stop talking, lets look!
    Example 1: Forwarding ssh through meterpreter session

    View Slide

  27. Stop talking, lets look!
    Step 1: Description
    Step 1: run DNS – server
    Step 2: set up msf reverse TCP handler and load ps1 client code to
    meterpreter
    Step 3: run ps1 client from meterpreter (we are in some local network)
    Step 4: get list of available clients and set up proxy
    Step 5: run ssh to proxy
    Step 6: b|b|b|b|b|

    View Slide

  28. Stop talking, lets look!
    Example 2: SOCKS5 usage

    View Slide

  29. Stop talking, lets look!
    Step 2: Description
    Step 1: run DNS – server
    Step 2: run bash client local machine
    Step 3: run proxy on socks5 mode
    Step 4: make curl to service in other local network, using proxychains
    Step 5: b|b|b|b|b|

    View Slide

  30. Summary
    1. 4.9 Kb/s with compasrassion
    2. Interpretable clients
    3. No root needed
    4. SOCKS5 avaliable

    View Slide

  31. What problems could be?
    1. Unstable work in unstable network (thanks, cap.)
    2. Sometimes session isn’t setting on first time, proxy restart helps
    3. Some magic if your local DNS - server is wizard :)

    View Slide

  32. Stay in touch
    fbkcs.ru – official site
    blog.fbkcs.ru – tech blog
    @fbk_cs - Twitter
    @skuratov_andrey – Twitter
    @h3llraiser - Telegram
    @smigalin – Twitter
    @migalin - Telegram

    View Slide

  33. Thanks!

    View Slide