Server - nmurali94/590J GitHub Wiki

C2 OVER DNS

The client will attempt to connect to a series of DNS servers in sequence. These are explicitly defined in the check_update handler for the C2 client.

For our scenario, it will try the IPs and authoritative domain names below. The server must be the authoritative NS for one of these domains or have one of these IPs for the attack to run successfully (or the handler must be modified).

  • server=10.10.10.1
  • domain=590J.com
  • server=192.168.0.1
  • server=10.0.1.4
  • domain=590J.net
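
For detection, the fixed fallback list above doubles as a set of indicators. The following is an added example, not part of this wiki or of dnscat2: it scans a constructed DNS query log for clients that contact more than one entry of that list. The log format, the hex-label heuristic and all function names are assumptions.

```python
import re

SCENARIO_RESOLVERS = {"10.10.10.1", "192.168.0.1", "10.0.1.4"}  # from the list above
SCENARIO_DOMAINS = ("590j.com", "590j.net")                      # from the list above
# Assumption: tunnelled payloads appear as long hex-only DNS labels.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Constructed sample log, one query per line: <client> <resolver> <qname>
SAMPLE_LOG = """\
10.0.5.23 10.0.0.53 www.example.org.
10.0.5.40 10.10.10.1 1a2b3c4d5e6f708192a3b4c5d6e7f809.invalid.
10.0.5.40 10.0.0.53 0f1e2d3c4b5a69788796a5b4c3d2e1f0.590J.com.
10.0.5.40 192.168.0.1 aabbccddeeff00112233445566778899.invalid.
10.0.5.77 10.0.0.53 mail.590j.net.
"""

def parse(log):
    """Yield (client, resolver, normalised qname) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            client, resolver, qname = line.split()
            yield client, resolver, qname.lower().rstrip(".")

def reasons(resolver, qname):
    """Return the indicators one query matches (empty list if none)."""
    out = []
    if resolver in SCENARIO_RESOLVERS:
        out.append("listed-server:" + resolver)
    for d in SCENARIO_DOMAINS:
        # Match the domain itself or a true subdomain, not a lookalike suffix.
        if qname == d or qname.endswith("." + d):
            out.append("listed-domain:" + d)
    if any(HEX_LABEL.match(label) for label in qname.split(".")):
        out.append("hex-label")
    return out

def fallback_walkers(log, min_targets=2):
    """Map client -> distinct list entries contacted, in the order first seen."""
    touched = {}
    for client, resolver, qname in parse(log):
        for r in reasons(resolver, qname):
            targets = touched.setdefault(client, [])
            if r != "hex-label" and r not in targets:
                targets.append(r)
    return {c: t for c, t in touched.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(fallback_walkers(SAMPLE_LOG))
```

A single hit is weak evidence on its own, since an address such as 192.168.0.1 is common on ordinary networks; requiring several distinct entries per client is what ties a match to the sequence described above.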

Installation

(From dnscat2 project, https://github.com/iagox86/dnscat2)

If required, get ruby-dev:

$ sudo apt install ruby-dev

Install the repository code:

$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ gem install bundler
$ bundle install

Running the Server

For this scenario, the client uses the pre-shared secret 590J

$ sudo ruby $PATH_TO_SERVER_CODE/dnscat2.rb [DOMAIN NAME] --secret=590J 

Use the domain name if the server is the authoritative name server for the domain.

See https://github.com/iagox86/dnscat2 for instructions on using the server or additional options when starting the server