Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
November 10, 2018

Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?

This report will cover currently existing solutions for TCP-traffic tunneling through a DNS tunnel. Also an utility of own development will be presented. The advantages of it can be distinguished by the presence of universal scripting clients on powershell and bash, forwarding of certain ports and support for socks-proxy. And, of course, it's open source.

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

November 10, 2018
Tweet

Transcript

  1. 1.
  2. 2.

    Who we are? We are a subsidiary of the largest

    Russian audit and consulting FBK Grant Thornton and specializes in providing services in the field of practical information security. Andrey Skuratov Information security engineer Pen-tester Sergey Migalin Information security engineer Digital forensic engineer
  3. 6.
  4. 7.

    Lets look closer Name «IN» speed, Kb/s «OUT» speed, KB/s

    Advantages Disadvantages dnscat2 0.7 10 Easy setting, large functionality, multisession Compiled clients, unstable Windows work iodine 9,8 9.8 High speed, auto optimization Only root use, compiled client, spec. Windows drivers needed dns2tcp 5 13 404 Compiled clients, only «www to local» mode Heyoka NaN NaN 404 Launch troubles OzymanD NS NaN NaN 404 Launch troubles
  5. 8.

    So what problems we face? • Compiled clients • Unstable

    windows work • Low level additional software needed (sometimes)
  6. 12.

    Protocol 0 – registrer action <7 random chars> – random

    ASCII symbols to avoid caching <client name> – the name given to the client at startup <your domain> – domain configured to work (ex.: xakep.ru) Client registration 0<7 random chars><client name>.<your domain> DNS query DNS Response (TXT) In case of successful registration, client id assigned to him, which he will continue to use.
  7. 13.

    Protocol 1 – get data action <7 random chars> –

    random ASCII symbols to avoid caching <client id> – the id given at registration <your domain> – domain configured to work (ex.: xakep.ru) Client main loop 1<7 random chars><client id>.<your domain> DNS query DNS Response (TXT) If there is new data, response will be in the format <client id><target ip>:<target port>:<data in base64> …or <client id>ND if not
  8. 14.

    Protocol 2 – upload data action <4 random chars> –

    random ASCII symbols to avoid caching <client id> – the id given at registration <block id> – number of block in buffer <your domain> – domain configured to work (ex.: xakep.ru) Client upload data loop 2<4 random chars><client id><block id>.data.<your domain> DNS query DNS Response (TXT) <client id><block id>:OK message if all right, or Error message if not
  9. 15.

    Protocol Pentester proxy \x00GETCLIENTS\n` Get clients list \x02RESET:client_id\n Initialize connection

    \x01<client_id>:<ip>:<port>:\n Set up aim \x03<data> Data transfer to server <data> Data transfer to application
  10. 18.

    Server Python3 + dnslib Your code here Send ordinary requests

    to GoogleDNS request address in var request.q.qname
  11. 20.

    Server Our code To put the data from the pentester

    into the buffer, we wrote a small “receiver”, which is launched in a separate thread. catch connections from the pentester performs routing Transport buffer structure
  12. 22.

    PowerShell client Client for Windows is based on the standard

    nslookup and object.Net.Sockets.TcpClient Each iteration of the loop is a call to the nslookup command using the Protocol described earlier. Works simple The work was tested and the code for Windows was unified from version 7 to 10 and standard versions of PowerShell From 7 to 10 Less than 400 lines of code Minimum of code
  13. 23.

    Bash client Client for Linux works on the standard dig

    commands and Bash shortcuts Connection to local hosts creates with help of /dev/tcp/ip/port Bash standard shortcut Bash shortcuts The work was tested on popular Linux distributives All Bash-linux systems support Less than 300 lines of code Also minimum of code
  14. 25.

    Pentester proxy Written on Python3 + socketserver library Supports simple

    forwarding: pentester specifies local ip, port, client id and all traffic goes there. Simple TCP-forwarding Proxy can works as SOCKS5 server. Pentester should specify only client id SOCKS5 proxy Universal Work does not depend on the application. You can use both Metasploit and nmap.
  15. 27.

    Stop talking, lets look! Step 1: Description Step 1: run

    DNS – server Step 2: set up msf reverse TCP handler and load ps1 client code to meterpreter Step 3: run ps1 client from meterpreter (we are in some local network) Step 4: get list of available clients and set up proxy Step 5: run ssh to proxy Step 6: b|b|b|b|b|
  16. 29.

    Stop talking, lets look! Step 2: Description Step 1: run

    DNS – server Step 2: run bash client local machine Step 3: run proxy on socks5 mode Step 4: make curl to service in other local network, using proxychains Step 5: b|b|b|b|b|
  17. 31.

    What problems could be? 1. Unstable work in unstable network

    (thanks, cap.) 2. Sometimes session isn’t setting on first time, proxy restart helps 3. Some magic if your local DNS - server is wizard :)
  18. 32.

    Stay in touch fbkcs.ru – official site blog.fbkcs.ru – tech

    blog @fbk_cs - Twitter @skuratov_andrey – Twitter @h3llraiser - Telegram @smigalin – Twitter @migalin - Telegram
  19. 33.