dnscat2's People

Contributors

bthaler, fox0x01, frankspierings, iagox86, iorpim, izhan, kost, lukebaggett, mdp, mrtolino, star26bsd, theel0ja

dnscat2's Issues

Update session_id at some point while trying to connect

Right now, if you connect to a session that already exists (a 1/65k chance, but birthday paradox applies), it'll just send a SYN with the same session id each time, till the user gets annoyed and kills/restarts. That's not great. I'd like to randomize the session_id each time, but then if a packet is slow to get back, a connection will never get made.

Find some middle ground - like picking a new session id every X attempts?

Better output for the client

Right now, the client outputs just about nothing unless packet_trace or debug is on. By default, make it print a summary of the sessions it's involved in and the status of each.

Problem with viewing a closed session

On the client: ./dnscat --console skullseclabs.org < file

On the server:

[[WARNING]] :: Session killed: 28517
There was an error processing the line: No such file or directory - skullseclabs.org
If you think it was my fault, please submit a bug report with the following stacktrace:

/home/ron/tools/dnscat2/server/ui_interface.rb:106:in `gets'

Improve the --ping command

Right now, the --ping command is fairly limited: it doesn't respect --host and --port and stuff like that. Make it better.

Problems with running dnscat2

Hi, Ron,

When I ran the server and client following the "Quick start" in the README file, I got some errors as shown in the attached figure. Both server and client are running on the same machine. The machine is not a DNS server, so I was just connecting directly. Do you know how to solve the problem?

Thanks a lot
[screenshot attached: screenshot from 2014-07-04 13-37-37]

Can't connect to the server from abroad

Hi,

I set up the server in my office and connect to it from my apartment. Everything works fine.

But when I tested with my friends from Nigeria and China, both cannot connect to my server. I have attached the screenshots from the client side when connected from China. I forget to save the screenshot of the server side. I will test it again tomorrow.
[screenshot attached: get_offpic2]

Any idea?

Thanks,
Lu

Client Segfault

$ gdb --args ./dnscat --host 1.1.1.1 foobar.com
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://bugs.launchpad.net/gdb-linaro/...
Reading symbols from /home/user/dnscat2/client/dnscat...done.
(gdb) run
Starting program: /home/user/dnscat2/client/dnscat --host 1.1.1.1 foobar.com
[[ WARNING ]] :: INPUT: Command
[[ WARNING ]] :: Session successfully created: 22552
[[ WARNING ]] :: Session creation request
[[ WARNING ]] :: Setting config: max_packet_length => 109
[[ WARNING ]] :: OUTPUT: DNS tunnel to foobar.com
Got a command: COMMAND_PING [request] :: request_id: 0x0001 :: data: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Got a ping request! Responding!
Response: COMMAND_PING [response] :: request_id: 0x0001 :: data: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
handle_message (message=<error reading variable: Cannot access memory at address 0x7ffeffffffe8>,
message@entry=<error reading variable: Cannot access memory at address 0x7fff00000008>,
d=<error reading variable: Cannot access memory at address 0x7ffeffffffe0>,
d@entry=<error reading variable: Cannot access memory at address 0x7fff00000008>)
at driver_command.c:137
137 }

Make AAAA requests work on Windows

I comment out all AAAA stuff on Windows, because the Windows libraries I'm compiling against don't have a function for parsing an IPv6 address (iirc). I need to go and figure out exactly what functionality is missing and see if I can find it elsewhere or write it.

Improve "tunnelled protocols"

Right now, I use flags in the SYN header for tunneled protocols (like ping, command, and listen (when I get it working)).

I want to make the protocol easier to extend to tunnel other stuff that needs special handling on the server (say, socks5 or something). But using flags, I'll run out after 16 protocols, total, and I already have like 6. Super unsustainable!

My plan is to have a flag in the header for TUNNELED_PROTOCOL. If that's enabled, then there'll be another field (16 or 32 bits) indicating the tunneled protocol. That way, the client can only attempt one at a time (without crazy sanity checks) and the server will instantly know whether or not it's supported.

I'll likely use that to re-implement some of the stuff I already have, like "download" and "chunk" mode, which are pretty ugly right now (and removed from the client in my current branch because they're useless).

Improve "set"

Let the "set" option set/get anything that can be set on the commandline.

One tricky part might be dealing with hosts / ports, since I don't exactly know how the dns library can be started/stopped, but I think I can deal with it!

Improve the "sessions" command

The sessions command currently only shows sessions "under" the current session. That's kinda confusing - it should show ALL sessions, but call out the session that you're currently 'in' specifically.

Segfault in client

Client on my work machine

Server on normal place

This command:

download /etc/passwd /tmp/a

causes a segfault.

Type A DNS record character encoding problem

Using type A records in the dnscat2 client results in the server responding with "No such name", because it fails to understand the A query due to incompatible character encoding:

Client:
./dnscat --type A
[[ ERROR ]] :: DNS: RCODE_NAME_ERROR

Server:
ruby ./dnscat2.rb

New session established: 57993
[ERROR] Error caught:
[ERROR] [Encoding::CompatibilityError]: incompatible character encodings: ASCII-8BIT and UTF-8
[ERROR] /home/ithilgore/Downloads/dnscat2-master/server/driver_dns.rb:67:in `ljust'
[ERROR] /home/ithilgore/Downloads/dnscat2-master/server/driver_dns.rb:67:in `block (2 levels) in <class:DriverDNS>'
[ERROR] /home/ithilgore/Downloads/dnscat2-master/server/driver_dns.rb:66:in `map'
[ERROR] /home/ithilgore/Downloads/dnscat2-master/server/driver_dns.rb:66:in `block in <class:DriverDNS>'
[ERROR] /home/ithilgore/Downloads/dnscat2-master/server/driver_dns.rb:236:in `call'
[ERROR] /home/ithilgore/Downloads/dnscat2-master/server/driver_dns.rb:236:in `block (2 levels) in recv'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:170:in `[]'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:170:in `call'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:277:in `block (2 levels) in process'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:275:in `catch'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:275:in `block in process'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:272:in `each'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:272:in `process'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/transaction.rb:210:in `process'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:84:in `block (2 levels) in process_query'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:79:in `each'
[ERROR] /var/lib/gems/2.1.0/gems/rubydns-0.7.3/lib/rubydns/server.rb:79:in `block in process_query'
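The encoding clash behind the trace above, as an added example that is not dnscat2's own code: it reproduces the Encoding::CompatibilityError raised from String#ljust and shows the fix. It assumes the A-record path splits the response into 4-byte chunks (one IPv4 address each) and pads the last chunk with 0xFF bytes; the function names are mine.

```ruby
# Added example, not dnscat2's own code. Assumption: the A-record path splits
# the response into 4-byte chunks and pads the last one with 0xFF bytes.

# Bug pattern: a "\xFF" literal in a UTF-8 source file is a UTF-8 string holding
# an invalid byte, while the packet data is ASCII-8BIT (binary).
PAD_UTF8   = "\xFF".dup.force_encoding(Encoding::UTF_8)
# Fix: tag the pad as binary so both operands of ljust share an encoding.
PAD_BINARY = "\xFF".b

# Split binary data into 4-byte chunks and pad the last one to 4 bytes.
def a_record_chunks(data, pad)
  data.bytes.each_slice(4).map { |s| s.pack("C*").ljust(4, pad) }
end

def buggy_chunks(data)
  a_record_chunks(data, PAD_UTF8)
end

def fixed_chunks(data)
  a_record_chunks(data, PAD_BINARY)
end

# Dotted-quad form of each chunk, i.e. the A records the server would answer with.
def a_record_ips(data)
  fixed_chunks(data).map { |c| c.unpack("C4").join(".") }
end

# The error only fires when a chunk holds a byte >= 0x80 (a non-ASCII binary
# string meets a non-ASCII UTF-8 pad); ASCII-only chunks are silently accepted,
# which is why the failure looks data-dependent in the report above.
def encoding_error?(data)
  buggy_chunks(data)
  false
rescue Encoding::CompatibilityError
  true
end

if __FILE__ == $0
  p a_record_ips("\x80\xAB\xCD".b)       # ["128.171.205.255"]
  p encoding_error?("abc".b)            # false: ASCII-only data slips through
  p encoding_error?("\x80\xAB\xCD".b)   # true
end
```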

Create a Web-based front end

I envision being able to stand up a dnscat service that runs a dns server + a web site, and that can manage dnscat sessions for multiple users visually. This may be a crazy pipedream, but might be cool enough to be worth it!

If this happens, it won't be in the near timeframe, it'll be a future improvement.

Certain input for server in console mode throws error

For certain input, a response packet whose size is greater than max_length is created, throwing an error in session_manager.rb.

dnscat2> [ERROR] Error caught:
[ERROR] [NoMethodError]: undefined method `length' for #<Packet:0x007fc32a09ae30>
[ERROR] /Users/irvinzhan/Documents/open-source/tor/dnscat2/server/session_manager.rb:153:in `block in go'
[ERROR] /Users/irvinzhan/Documents/open-source/tor/dnscat2/server/driver_dns.rb:226:in `block (2 levels) in recv'
[ERROR] /Users/irvinzhan/.rvm/gems/ruby-2.0.0-p353/gems/rubydns-0.7.3/lib/rubydns/server.rb:170:in `[]'

Note the "undefined method length" error message is fixed in an existing PR (#41).

To replicate:

  1. download the binary file located here: https://drive.google.com/file/d/0B8q-4HfjZWI7Znl5aHJjbkdRcnM/view?usp=sharing
  2. copy it to your clipboard — for instance, use cat dummyfile8 | pbcopy if you are using a Mac
  3. start up the server with rvmsudo ruby ./dnscat2.rb -u
  4. start up the client with ./dnscat --host 0.0.0.0 --port 53 --console
  5. paste the contents of the binary file into the console for the server side

The error is only found for messages from server to client, and not from client to server.

Implement protocol tunneling

I want to be able to tunnel connections - either arbitrary port/ip pairs or socks4/5 - out of a client. The idea is, you compromise a service, install the client on it, and tunnel other connections through the client. They'll be exposed "out of the box", and will also be able to be created through 'command mode'.

How it'll actually look on the client and server remains to be seen. I'll likely imitate the ssh options (-L/-R/-D), but if anybody is invested in this then please let me know!

Sessions get out of sync when sending a long command (or possibly a long response?)

dnscat2> session -i 24197

Welcome to a command session! Use 'help' for a list of commands or ^z for the main menu
dnscat [command: 24197]> ping2
Ping request 0x1 sent! (0x100 bytes)
dnscat [command: 24197]> Bad sequence number: expected 0xfb09, received 0xfa9f
Bad sequence number: expected 0xfb09, received 0xfa9f
Bad sequence number: expected 0xfb09, received 0xfa9f

Add proxy-routing support

The server should be able to proxy traffic through a client. I think I wrote the code for it, but it isn't hooked up to anything.

Do session nesting on the server better

Right now, there isn't a great way to nest sessions. When a client creates a new connection, there's no "created on behalf of session X" field, which means it has to basically be randomly assigned. Figure out if there's a better way.

SYN received in invalid state

Hi, I get the following repeated errors from a session:

[WARNING] INCOMING: [0x2962] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
SYN received in invalid state
[WARNING] INCOMING: [0x2962] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
SYN received in invalid state
[WARNING] INCOMING: [0x22a4] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
SYN received in invalid state
[WARNING] INCOMING: [0x22a4] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
dnscat [command: 4316]> SYN received in invalid state
[WARNING] INCOMING: [0x4cc5] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
SYN received in invalid state
[WARNING] INCOMING: [0x4cc5] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
SYN received in invalid state
[WARNING] INCOMING: [0x5bb1] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:
SYN received in invalid state
[WARNING] INCOMING: [0x5bb1] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
[WARNING] OUTGOING:

Is there any other data you would want to analyse this? PCAPs etc?

If I set my DNS server to 8.8.8.8 connections are fine, however the current DNS resolution is:

VM -> VMWare Host -> Router -> ISP -> THE CLOUD

I'm sure something is probably mangling the request so it's not in the format expected.
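A way to spot this pattern in the server log, as an added example that is not dnscat2's own code: it parses the INCOMING lines quoted above and reports a session whose client keeps re-sending the same SYN (same session id and isn, new transaction id each time), the symptom of a client stuck in an earlier state. The line format comes from the log in this issue; the repeat threshold, the field names and the extra "healthy" session in the sample are assumptions.

```ruby
# Added example, not dnscat2's own code. Parses the server's INCOMING log lines
# and flags sessions whose client keeps retrying an identical SYN.
SYN_LINE = /INCOMING: \[0x(?<txid>\h+)\] session = (?<session>\h+) :: \[\[SYN\]\] :: isn = (?<isn>\h+), options = (?<options>\h+)/

# Returns the SYN's fields as integers, or nil for any other line.
def parse_syn_line(line)
  m = SYN_LINE.match(line) or return nil
  { txid: m[:txid].hex, session: m[:session].hex, isn: m[:isn].hex, options: m[:options].hex }
end

# Groups SYNs by (session, isn). A pair seen at least `threshold` times is a
# client re-sending a SYN the server already consumed; `retries` counts distinct
# DNS transaction ids, so duplicate deliveries of one query are not mistaken
# for client retries.
def stuck_syn_sessions(lines, threshold: 3)
  seen = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    syn = parse_syn_line(line) or next
    seen[[syn[:session], syn[:isn]]] << syn[:txid]
  end
  seen.select { |_, txids| txids.size >= threshold }
      .map { |(session, isn), txids| { session: session, isn: isn, repeats: txids.size, retries: txids.uniq.size } }
end

# Constructed sample: the first lines of the log in the issue above, plus one
# made-up healthy session (3f2c) that sends a single SYN.
SAMPLE_LOG = <<~LOG
  [WARNING] INCOMING: [0x2962] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
  [WARNING] OUTGOING:
  SYN received in invalid state
  [WARNING] INCOMING: [0x2962] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
  [WARNING] OUTGOING:
  SYN received in invalid state
  [WARNING] INCOMING: [0x22a4] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
  [WARNING] OUTGOING:
  SYN received in invalid state
  [WARNING] INCOMING: [0x22a4] session = 10dc :: [[SYN]] :: isn = 1c7e, options = 0021
  [WARNING] OUTGOING:
  [WARNING] INCOMING: [0x0a11] session = 3f2c :: [[SYN]] :: isn = 0001, options = 0001
  [WARNING] OUTGOING:
LOG

if __FILE__ == $0
  # Session 0x10dc (4316, the one shown in the prompt above) is reported;
  # the single-SYN session is not.
  p stuck_syn_sessions(SAMPLE_LOG.lines)
end
```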

Client fails to properly close a connection

When running a shell, if you type 'exit' on the server, the connection isn't closed properly:

[[ WARNING ]] :: Session 23990 is out of data and closed, killing it!
[[ WARNING ]] :: Trying to close a closed session: 23990
[[ WARNING ]] :: Session closure request: 23990
[[ ERROR ]] :: DNS: RCODE_SERVER_FAILURE
[[ ERROR ]] :: Tried to access a non-existent session (handle_packet_in): 23990

Session timed out with DNScat

Hi,
I am using the old version of Dnscat (both server and client are written in C) talking with my friend in West Africa. BTW, I am in the US. The session is very unstable and times out every couple of minutes. In the worst case, we cannot even finish saying hello to each other. We used iperf to test the bandwidth between us, which is about 600bit/sec. I think this is not too bad.

Is it possible that this is caused by the "not very quick bandwidth"? Is the performance of dnscat affected by the bandwidth, because when I talk with my friend in the US we did not have the problem? Or is this a problem of the old version, which can be solved with the new version?

Thanks,

Session management problem when server restarts

Dnscat2 client is left hanging if server is restarted, although normal behavior would be to try to reconnect.
I coded a temporary workaround which wraps around the main client loop, checking for timeouts (the heartbeat mechanism wasn't enough apparently) and though it is working in most cases, the server gets a lot of extra sessions which are left hanging and are proportionate to the number of times the server has been restarted.

In addition, the server prints the "SYN received in invalid state" (which is ignored), "Bad sequence number on incoming packet" and "FIN received in non-existent session". The above are triggered probably because the client (since no process restarting has taken place on its part) still keeps its previous state and it doesn't eventually clear them, thus resulting in the proportionate increase of round-trip packets.

Running on Mac OS X

I had a few issues when setting up dnscat2 on my Mac OS X (v 10.10.2) — here were the issues and how I solved them.

Client

  • running make for the client gives me the error:
cc -Wall -D_BSD_SOURCE -O2 -fstack-protector-all -Wformat -Wformat-security -g -Werror -ansi -std=c89 -o dnscat buffer.o command_packet.o command_packet_stream.o driver_command.o driver_console.o driver_dns.o driver_exec.o driver_listener.o driver_ping.o tcp.o types.o memory.o dns.o log.o message.o packet.o select_group.o session.o udp.o  dnscat.o
clang: error: argument unused during compilation: '-ansi'
make: [dnscat] Error 1 (ignored)
Compile should be complete

I fixed it by changing a line in the Makefile: COMMON_CFLAGS=-ansi -std=c89 => COMMON_CFLAGS=-std=c89

Server

  • bundle fails for certain versions of ruby. Here's the error:
An error occurred while installing eventmachine (1.0.3), and Bundler cannot continue.
Make sure that `gem install eventmachine -v '1.0.3'` succeeds before bundling.

Confirmed to not work on 1.9.3 and 2.2 (both on Linux & Mac OS X). See http://stackoverflow.com/questions/23038190/ruby-gem-eventmachine-will-not-install-using-the-bundler-gem. Fixed when I used Ruby 2.0.0.

  • sudo ruby ./dnscat2.rb gives me the error /Users/irvinzhan/.rvm/rubies/ruby-2.0.0-p353/lib/ruby/site_ruby/2.0.0/rubygems/core_ext/kernel_require.rb:55:in 'require': cannot load such file -- rubydns (LoadError). Fixed by running rvmsudo ruby ./dnscat2.rb instead.

Perform a ping before attempting to connect

Right now, if you mistype the domain name or if things aren't configured correctly, it's difficult to tell what's going on. At least with a ping, we can detect whether or not there's a properly configured dnscat2 server there!

Tackle some memory leaks in buffers

The one in particular that I'm thinking of: buffers are used for incoming and outgoing data. They expand, but we never actually clean them up and remove data that's been acknowledged or displayed or anything.

I need to go through and audit the use of buffer.h and see where we're infinitely growing, and deal with that.

Improve protocol "layering"

There isn't really a clear separation of the "DNS Tunneling Protocol" and the "dnscat protocol" right now. There should be, on both the client and the server.

Write shellcode

I had implemented dnscat1 in both Linux and Windows shellcode. I'd like to do that again for dnscat2, including a stager.

Proxy Aware

Could you add the option to read the current proxy configuration of the system and use that to tunnel your traffic?

Send the client name / ip when a connection is made

Right now, if you have multiple connections from multiple servers, you'll just see a bunch of "sh" or whatever for names. I'd like to add some identification fields that will vary depending on the OS - will probably do arbitrary name/value pairs.

So, you enable a flag in the SYN packet, then send a series of "key=value" pairs in a header, such as "local_ip=x,internet_ip=y,uname=z,etc".

Let the server choose the session id

While writing docs today, I had an idea that would solve a bunch of bugs/annoyances!

Basically, change the protocol so that the client's initial SYN no longer contains a session_id value, and instead it requests one (perhaps this can require some particular flag is set, so the server can stay backwards compatible).

The server would dole out an incremental session id.
