Hacking through a Straw (Pivoting over DNS)

Hacking through a Straw (Pivoting over DNS)

(Posted from Raphael Mudge’s blog >> http://blog.strategiccyber.com/2013/07/09/hacking-through-a-straw-pivoting-over-dns/)

Last month, I announced Beacon’s ability to control a host over DNS. I see Beacon as a low and slow lifeline to get an active session, when it’s needed. Sometimes though, Beacon is all you have. There are times when Meterpreter gets caught too quickly or just can’t get past the network egress restrictions.

For these situations, Beacon has the basic post exploitation tools. Beacon can execute commands, get files, put files, log keystrokes, and inject shellcode to spawn another session. Today, Beacon can now act as a pivot to relay your scans and attacks into a compromised network. If you can’t get a Meterpreter session or if Beacon’s DNS channel is your only way out, it’s now possible to continue your march into your target’s network.

beaconpivot

Setup

To pivot through a Beacon, go to View -> Beacons, and interact with the Beacon you would like to pivot through. First, you will want to decide on the right data channel. Cobalt Strike’s DNS Beacon gives you three options:

Use mode http to ask Beacon to use HTTP as a data channel. When it’s time to checkin, Beacon will connect to you and download tasks as an HTTP GET request. When there’s data to send back, Beacon will use an HTTP POST request to send data. This option is the default data channel. It is also very fast and has much more capacity than both of the DNS data channels.

Use mode dns to ask Beacon to use DNS as a data channel. When it’s time to checkin, Beacon will make several A record requests for a domain your Cobalt Strike system is authoritative for. Each request will download 4 bytes of the tasking at a time. Data is sent back as a series of A record requests with data embedded in the requested hostname.

The normal DNS mode is sufficient for controlling a compromised host, but for pivoting, 4 bytes per DNS request is not a lot of capacity. To make up for this shortcoming, I’ve added mode dns-txt which asks Beacon to use DNS as a data channel, but download tasks using TXT records. This gives Beacon a capacity of ~184 bytes of base64 encoded data per request. If you’d like to use Beacon to relay traffic over DNS, I recommend that you use this mode first.

Next, you will want to change want to change Beacon’s sleep time. By default, Beacon calls home every sixty seconds. When relaying traffic through Beacon, this sleep time introduces unnecessary latency. Use sleep 0 to task Beacon to call home several times a second.

Now, type socks 8080 to set up a SOCKS4 proxy server on port 8080. Beacon exposes its pivoting capability as a SOCKS proxy server. This gives you the freedom to relay traffic from the Metasploit Framework, proxy aware tools and external tools.

Continue reading the whole article

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"
Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

Black Hat Arsenal 2024 Next Stop Singapore !

Black Hat Arsenal 2024 Next Stop Singapore !

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community