Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of the organization nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Welcome to dnscat2, a DNS tunnel that WON'T make you sick and kill you!
This tool is designed to create an encrypted command-and-control (C&C)
channel over the DNS protocol, which is an effective tunnel out of
almost every network.
This README file should contain everything you need to get up and
running! If you're interested in digging deeper into the protocol, how
the code is structured, future plans, or other esoteric stuff, check
out the doc/ folder.
# License
This is released under the BSD license. See [LICENSE.md](LICENSE.md) for
more information.
# Overview
dnscat2 comes in two parts: the client and the server.
The client is designed to be run on a compromised machine. It's written
in C and has the minimum possible dependencies. It should run just about
anywhere (if you find a system where it doesn't compile or run, please
file a ticket, particularly if you can help me get access to said
system).
When you run the client, you typically specify a domain name. All
requests are sent to the local DNS server, which forwards them through
the normal DNS resolution chain to the authoritative DNS server for that
domain (which you, presumably, control).
If you don't have an authoritative DNS server, you can also use direct
connections on UDP/53 (or whatever port you choose). They'll be faster,
and still look like DNS traffic to the casual viewer, but they're much
more obvious in a packet log (all names are prefixed with "dnscat.",
unless you hack the source), and this mode is frequently blocked by
firewalls.
The server is designed to be run on an [authoritative DNS
server](doc/authoritative_dns_setup.md). It's written in Ruby and depends
on several gems. When you run it, much like the client, you specify
which domain(s) it should listen for, in addition to listening for
messages sent directly to it on UDP/53. When it receives traffic for one
of those domains, it attempts to establish a logical connection. Other
traffic is ignored by default, but can also be forwarded upstream.
Detailed instructions for both parts are below.
# How is this different from .....
dnscat2 strives to be different from other DNS tunneling protocols by
being designed for a special purpose: command and control.
This isn't designed to get you off a hotel network, or to get free
Internet on a plane. And it doesn't just tunnel TCP.
It can tunnel any data, with no protocol attached. Which means it can
upload and download files, it can run a shell, and it can do those
things well. It can also potentially tunnel TCP, but that's only going
to be added in the context of a pen-testing tool (that is, tunneling TCP
into a network), not as a general purpose tunneling tool. That's been
done, it's not interesting (to me).
It's also encrypted by default. I don't believe any other public DNS
tunnel encrypts all traffic!
# Where to get it
Here are some important links:
* [Source code on Github](https://github.com/iagox86/dnscat2)
* [Downloads](https://downloads.skullsecurity.org/dnscat2/) (you'll find [signed](https://downloads.skullsecurity.org/ron.pgp) Linux 32-bit, Linux 64-bit, Win32, and source code versions of the client, plus an archive of the server - keep in mind that the signature file is hosted on the same server as the files, so if you're worried, please verify my PGP key :) )
* [User documentation](/doc/README.md): a collection of files, both for end-users (like the [Changelog](doc/changelog.md)) and for developers (like the [Contributing](/doc/contributing.md) doc)
* [Issue tracker](https://github.com/iagox86/dnscat2/issues) (you can also email me issues; just put my first name (ron) in front of my domain name (skullsecurity.net))
# How to play
The theory behind dnscat2 is simple: it creates a tunnel over the DNS
protocol.
Why? Because DNS has an amazing property: it'll make its way from server
to server until it figures out where it's supposed to go.
That means that for dnscat to get traffic off a secure network, it
simply has to send messages to *a* DNS server, which will happily
forward things through the DNS network until it gets to *your* DNS
server.
That, of course, assumes you have access to an authoritative DNS server.
dnscat2 also supports "direct" connections - that is, running a dnscat
client that connects straight to your dnscat2 server at your IP address
on UDP port 53 (by default). The traffic still looks like DNS traffic,
and might get past dumber IDS/IPS systems, but is still likely to be
stopped by firewalls.
If you aren't clear on how to set up an authoritative DNS server, it's
something you have to set up with a domain provider.
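Both the Overview's description of recursive versus direct mode and the explanation above of how queries reach *your* server have a defender-side corollary: each mode leaves a recognisable trace in DNS query logs. The script below is an added example written for this page; it is not part of dnscat2 or its author's code. It reads constructed query-log lines in an assumed `client qtype qname` format and flags (a) names carrying the `dnscat.` prefix the README says direct-mode queries use, and (b) clients sending many queries with long, high-entropy subdomain labels under one zone, which is a generic tunnel heuristic rather than anything dnscat2-specific. The sample names, the thresholds and the naive two-label zone split are all assumptions.

```python
"""Heuristic detector for DNS-tunnel traffic in DNS query logs.

Added example for this page, not part of dnscat2. The log format
("client qtype qname" per line), the zone split, the thresholds and the
sample data below are all assumptions made for illustration.
"""
import math
from collections import defaultdict

# First label the README says every direct-mode (UDP/53 to your IP) query carries.
DIRECT_MODE_PREFIX = "dnscat"

# Constructed sample log, not a real capture. The long hex labels stand in for
# encoded tunnel payload; the real encoding used by any given tunnel will differ.
SAMPLE_LOG = """\
10.0.0.5 A     www.example.com
10.0.0.5 AAAA  www.example.com
10.0.0.5 A     mail.example.com
10.0.0.5 A     static.cdn.example.org
10.0.0.7 A     www.example.com
10.0.0.7 TXT   3a7f19c4e2b0d586.0f1c9e3b4a7d2568.example.net
10.0.0.7 TXT   0f1c9e3b4a7d2568.3a7f19c4e2b0d586.example.net
10.0.0.7 CNAME a7f19c4e2b0d5863.f1c9e3b4a7d25680.example.net
10.0.0.7 MX    7f19c4e2b0d5863a.1c9e3b4a7d25680f.example.net
10.0.0.7 TXT   f19c4e2b0d5863a7.c9e3b4a7d25680f1.example.net
10.0.0.7 TXT   19c4e2b0d5863a7f.9e3b4a7d25680f1c.example.net
10.0.0.9 TXT   dnscat.3a7f19c4e2b0d586
"""


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one 'client qtype qname' line; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def split_zone(qname):
    """Split a name into (payload, zone). The zone is naively the last two labels;
    production code should consult the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return "".join(labels[:-2]), ".".join(labels[-2:])


def analyse(lines, min_queries=5, min_payload_chars=24, min_entropy=3.0):
    """Return findings: one per direct-mode query, and one per (client, zone)
    pair whose subdomain payload is both long and high-entropy on average."""
    findings = []
    stats = defaultdict(lambda: {"queries": 0, "payload_chars": 0,
                                 "entropy": 0.0, "qtypes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        # Direct mode: the README says every such name starts with "dnscat."
        if qname.split(".")[0] == DIRECT_MODE_PREFIX:
            findings.append({"client": client, "zone": None, "qname": qname,
                             "reason": "direct-mode prefix"})
            continue
        payload, zone = split_zone(qname)
        s = stats[(client, zone)]
        s["queries"] += 1
        s["payload_chars"] += len(payload)
        s["entropy"] += shannon_entropy(payload)
        s["qtypes"].add(qtype)
    for (client, zone), s in sorted(stats.items()):
        n = s["queries"]
        if n < min_queries:
            continue
        mean_len = s["payload_chars"] / n
        mean_ent = s["entropy"] / n
        if mean_len >= min_payload_chars and mean_ent >= min_entropy:
            findings.append({"client": client, "zone": zone, "queries": n,
                             "mean_payload_chars": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "qtypes": sorted(s["qtypes"]),
                             "reason": "long high-entropy subdomain payload"})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run it on a real resolver log by replacing `SAMPLE_LOG` with the log lines (adjusting `parse_line` to the log's actual column layout). The entropy heuristic will also fire on legitimate services that encode data in hostnames (CDN cache keys, some anti-spam lookups), so treat a hit as a lead to investigate rather than a verdict; the direct-mode prefix, by contrast, is a literal string the page says the stock client always emits, and is only a signal until someone rebuilds the client with a different prefix.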