Exploit code with DNS tunnel
Hacker Ron Bowes has released several payloads that connect a shell's standard input and output, via DNS, with a suitable counterpart on the internet. This allows attackers to bypass many firewalls and even reach systems that have no direct internet connection themselves.
For a DNS tunnel, the host computer only needs to be able to resolve external host names such as www.h-online.com; it can then carry its network traffic inside the DNS queries it sends and the responses it receives. The concept was demonstrated earlier by Julien Oster and Florian Heinz with the Name Server Transfer protocol (NSTX), which tunnels entire IP connections through DNS.
DNS tunneling requires suitable server software to run on the DNS server that is authoritative for a domain such as mytunnel.com. The host then simply sends DNS lookup queries such as -
The host name contains the packet data in a suitably encoded form. The request goes to the local DNS server, which eventually passes it on to the responsible name server; in the example this could be dns.mytunnel.com. That server decodes the host name and replies; it can carry data back in its response using, for example, a TXT resource record, which is returned to the requesting computer together with the IP address. While NSTX tunnels an entire PPP connection this way, dnscat, like netcat, only transports a raw data channel over the network.
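The encoded-label pattern just described is also what a resolver-side check can look for: a tunnel has to push its payload through the leftmost labels of the query name, so those labels become long and high-entropy, and the same client keeps asking one zone. The following Python is an added illustration, not code from the article, dnscat or NSTX; the log format, the sample log lines and the thresholds are assumptions.

```python
"""Heuristic spotting of DNS-tunnel traffic in a resolver query log.

Added example; not from the article or any tunnel tool. Assumes a
constructed log format of "<client-ip> <qtype> <qname>" per line.
"""
import math
from collections import Counter

# Constructed sample log. The last three lines imitate tunnel traffic:
# packet data is carried as an encoded (here hex-looking) leftmost label
# under a domain whose name server runs the tunnel software.
SAMPLE_LOG = """\
10.0.0.5 A www.h-online.com
10.0.0.5 TXT mail.example.org
10.0.0.7 TXT 4a6f686e2044f65206e6f7420706c6f0001.t.mytunnel.example
10.0.0.7 TXT 9f1c3b7e0a55d2c4e8b1f00721aa3d9e4cc7.t.mytunnel.example
10.0.0.7 A 77e10b4c2a9d5fe3b6c801d4a8f2e9b3d5c0.t.mytunnel.example
"""

# Assumed thresholds; tune against your own baseline traffic.
MIN_LABEL_LEN = 30      # ordinary host labels are far shorter
MIN_ENTROPY_BITS = 3.0  # "www", "mail", "api" sit well below this


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_tunnel_candidate(qname: str, qtype: str) -> bool:
    """True when the leftmost label looks like encoded payload.

    The record type alone is not a signal: TXT lookups are normal for
    SPF/DKIM, and tunnels can ride on A queries too, so the decision
    rests on the shape of the label, not on qtype.
    """
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= MIN_LABEL_LEN and label_entropy(first) >= MIN_ENTROPY_BITS


def find_tunnel_suspects(log_text: str, min_hits: int = 2) -> dict:
    """Count suspicious queries per (client, zone); report repeat offenders."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        if is_tunnel_candidate(qname, qtype):
            labels = qname.rstrip(".").split(".")
            zone = ".".join(labels[-2:])  # crude: last two labels as the zone
            hits[(client, zone)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(find_tunnel_suspects(SAMPLE_LOG))
```

In practice the zone should be derived from a public-suffix list rather than the last two labels, and the counts should be windowed over time so a single long label from a CDN does not trip the check.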
Ron Bowes has combined this with a command line shell for Linux and Windows, packaging the shellcode so that it can conveniently be integrated into exploits; he has even created a Metasploit payload. However, The H's associates at heise Security have not tested the code for functionality; if anyone can confirm that it works, they would welcome a message to firstname.lastname@example.org
- Weaponizing dnscat with shellcode and Metasploit, Blog posting by Ron Bowes