This repository has been archived by the owner on Aug 7, 2020. It is now read-only.


⚠️ NOTE: This tool is no longer under active maintenance.


DoHC2 allows the ExternalC2 library from Ryan Hanson to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike.


This project was released on October 23rd 2018 at Mitre ATT&CKcon.

Slides: Playing Devil’s Advocate to Security Initiatives with ATT&CK

Blog Article: DOH! DNS Over HTTPS Poses Possible Risks to Enterprises




  1. Install and launch the Cobalt Strike teamserver.
  2. Launch a beacon_http/beacon_https listener. Gotcha: this can be firewalled off, but you need it for ExternalC2 to work.
  3. Load the script 'external_c2.cna' to start ExternalC2 on port 2222 (firewalled off).
  4. Install dependencies for python3 server.
  5. Allow port 53/udp to Internet (or to the DoH provider IP ranges).
  6. Create an A record on your domain to point to the teamserver/DNS server IP i.e. [A] ->
  7. Create an NS record to point to the A record for send channel (INPUTDOMAIN) i.e. [NS] ->
  8. Create an NS record to point to the A record for receive channel (OUTPUTDOMAIN) i.e. [NS] ->
  9. Change INPUTDOMAIN and OUTPUTDOMAIN in Change encryption key/IV - this is used to encrypt the path from Teamserver-->Client Only (Encrypts Stager). Change max_records from 1 depending on DoH provider, some providers reorder records returned which is not currently handled. Max 5 works well with DNS server.
  10. Launch python3 DNS server.
  11. Build ExternalC2 library. Change encryption key/IV in DoHChannel.cs to match python3 server.
  12. Configure and launch DoHC2() as below being sure to set INPUTDOMAIN, OUTPUTDOMAIN and a DoH provider in format ''.
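
A defender-side view of the channel configured above, as an added example that is not part of the DoHC2 project: because both channel domains are NS-delegated to one server, a client using the channel looks up many distinct names under the same zone, and this Python heuristic counts them. The record format (client IP, query name, taken from a source that can see DoH query names, such as a TLS-inspecting proxy), the three-label zone depth, the thresholds and every sample name are assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def split_zone(qname, zone_labels=3):
    """Split a name into (prefix, zone). Treating the last `zone_labels`
    labels as the zone is an assumption, not a public-suffix lookup."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def tunnel_candidates(records, min_unique=5, min_entropy=3.0):
    """Return {(client, zone): unique prefix count} where one client looked
    up many distinct, high-entropy prefixes under the same zone."""
    seen = defaultdict(set)
    for client, qname in records:
        prefix, zone = split_zone(qname)
        if prefix:  # names with nothing in front of the zone carry no payload
            seen[(client, zone)].add(prefix)
    hits = {}
    for key, prefixes in seen.items():
        mean_entropy = sum(entropy(p) for p in prefixes) / len(prefixes)
        if len(prefixes) >= min_unique and mean_entropy >= min_entropy:
            hits[key] = len(prefixes)
    return hits

# Constructed sample records: (client IP, query name). All values are invented.
SAMPLE = [("10.0.0.5", f"{chunk}.send.example.org") for chunk in (
    "k3v9x0q2m7b1z8c4", "p5t2r8w1y6n3d0f9", "h7j4l1s9a2g6u3e8",
    "q0z5x3c7v1b9n4m2", "w8e6r2t0y4u1i7o3", "d9f3g5h1j7k2l6a0")]
SAMPLE += [("10.0.0.5", "www.example.com"), ("10.0.0.7", "mail.corp.example.net"),
           ("10.0.0.7", "img1.cdn.example.net"), ("10.0.0.7", "img2.cdn.example.net")]

if __name__ == "__main__":
    for (client, zone), count in tunnel_candidates(SAMPLE).items():
        print(f"{client} -> {zone}: {count} unique high-entropy names")
```

Tune `min_unique` and `min_entropy` against a baseline of your own traffic, since CDNs and telemetry services also generate many distinct subdomains.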


Python DNS server based on ACME DNS Server

  • This interfaces raw DNS to the Cobalt Strike Teamserver on by default.
  • Change INPUTDOMAIN and OUTPUTDOMAIN to be hosts that are NS of the server's external IP:
	pip3 install -r requirements.txt
	sudo python3 ./


@ryhanson's ExternalC2 with the following additions:

Example Client

  • As with the rest of ExternalC2, DoHC2 is COMVisible for JScript/DotNetToJS, but this is a simple example to initiate it.
  • The example client DoHC2Runner is a simple C# program to demo loading the library and setting it up as follows:
	DoHC2 doh = new DoHC2();
	doh.Configure("<INPUTDOMAIN>","<OUTPUTDOMAIN>","<DoH URI i.e. or");




Some elements created by David Middlehurst, SpiderLabs as described above (please refer to the respective licenses where other open-source projects are utilised).

Copyright (C) 2018 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.




