DNS and DNScat

So the other day I was conducting a penetration test, and compromising the host in question was easy enough, but I wanted something that would make a bit more of an impact in the report, rather than the standard "used Metasploit with X exploit and a reverse shell". So I spent some time looking through my little bag of tricks and came across DNScat. Now I’ve been wanting to use this tool for a while, as it just seems like it’d make a nice high-impact paragraph to have in a report, with a bit of a different swing on it.

For those of you who haven’t heard of DNScat before, here’s the blurb taken directly from the web site, which can be found here:

“DNScat (pronounced “D-N-S cat”) is a “swiss-army knife” tool to tunnel traffic through DNS servers. It provides a bi-directional communication through DNS servers, and in conjunction with PPP, can be used to set up a virtual private network (VPN).
DNScat, like a swiss army knife, can be used for a variety of purposes, including:
- penetration testing of networks behind firewalls
- sending messages through firewalled networks
- setting up a VPN through firewalled networks
- learning how to detect covert channels through DNS servers
- and more…”
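The last bullet in that blurb is the one defenders care about. The following is an added example (not part of the original post and not DNScat's own code) showing the kind of heuristic a resolver log can be scored with: a tunnel has to encode its data in the leftmost label of each query, so a zone that receives many distinct, long, high-entropy labels, especially over TXT, stands out. The three-column log format, the sample lines and the thresholds are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, one "client qname qtype" per line (assumed format).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.7 a7f3c1e9d02b4466f8ab91c3.tunnel.example.net TXT
10.0.0.7 4e1b09ff73c2a5d6e8f0b1c2.tunnel.example.net TXT
10.0.0.7 9c8d7e6f5a4b3c2d1e0f1a2b.tunnel.example.net TXT
10.0.0.7 0b1c2d3e4f5a6b7c8d9e0f1a.tunnel.example.net TXT
10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    """Yield (client, qname, qtype) from the assumed three-column format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower().rstrip("."), parts[2].upper()

def zone_of(qname):
    """Crude zone approximation: last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def score_queries(text, min_entropy=3.0, min_label_len=20, min_unique=3):
    """Return {zone: reasons} for zones whose queries look like a tunnel.

    Encoded data shows up as long, high-entropy leftmost labels that differ
    on every query; TXT queries add weight because they carry data back.
    """
    labels_seen, txt_zones = defaultdict(set), set()
    for _client, qname, qtype in parse_log(text):
        zone, label = zone_of(qname), qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            labels_seen[zone].add(label)
        if qtype == "TXT":
            txt_zones.add(zone)
    findings = {}
    for zone, labels in labels_seen.items():
        if len(labels) >= min_unique:
            reasons = ["%d distinct high-entropy labels" % len(labels)]
            if zone in txt_zones:
                reasons.append("TXT record type")
            findings[zone] = reasons
    return findings
```

Running `score_queries(SAMPLE_LOG)` flags only `example.net`; the crude zone split and fixed thresholds are the knobs to replace with a public-suffix list and per-environment baselines before using this on real resolver logs.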

So lo and behold, I finally got a chance to play with DNScat, and the look on the security manager’s face when he read the report was priceless; his words were something along the lines of: “We made sure to secure everything we could think of, but DNS, really?”

For those of you that do professional penetration testing, if you haven’t used DNScat yet, take the time to have a look at it and learn how to use it; it’s a decent tool and a lot of fun!