Inspecting the packet capture above, we can see that the client is sending different forms of requests about once every second. We have control over the domain and name server of “”. To demonstrate DNS Tunneling, we are running dnscat2. This means it will not show up as a beacon or long connection.
Instead, the request will be sent out to the DNS resolver and then probably bounce around the internet until it gets to the authoritative name server for the domain queried. The compromised system is not making a direct connection to the C2 server. Then the client side is installed on the target’s computer, which will begin making DNS requests that will be parsed by the program running on the server.Ĭ2 over DNS can be difficult to detect because it blends in well with existing legitimate DNS traffic.
The attacker must first register an authoritative domain, such as “” which points to the server with the server-side malware installed. The data is usually prepended to the domain name. Another recent malware, FrameworkPOS, steals payment data and exfiltrates it over a DNS channel.ĭNS is meant for internet resource lookups, but it can also be used for transferring small amounts of data. Recent malware such as the Anchor malware, which targets high profile targets in manufacturing, retail, and finance was discovered to be using DNS for its C2 communications. There are many free tools available that make it easy to launch an attack, even for the less experienced hackers out there. Using DNS for C2 communications is a well-established attack vector. In this post, we are exploring DNS Tunneling specifically as a command and control channel ( MITRE ATT&CK ID T1071.004). It is almost always allowed through firewalls even in highly restricted networks. Given its large role in the workings of the internet, as well as the fact that it is not indented to be used for data transfer, DNS is often poorly monitored. DNS Tunneling is one of many attacks that use DNS. Like any protocol however, DNS can be abused. It performs the simple but integral task of taking human-readable names and determining the machine-readable IP Address that your computer uses to route you to your destination. The Domain Name System (DNS) is sometimes referred to as the backbone of the internet, and rightfully so. MITRE Tactics: T1071.004 DNS, TA0011 Command and Control, T1048 Exfiltration Over Alternative Protocol
0 kommentar(er)
