Python Reverse DNS Shell
Recently a friend needed a reverse shell during a pentest, but could only connect out using DNS. To solve this, T1 and I whipped together a killer DNS-based reverse shell. The shell uses legitimate DNS requests and responses to encode commands and exfiltrated data, making the traffic look like just a bunch of funky DNS requests on the wire. (I recently discovered dnscat, after writing my tool.)
The victim shell queries a specific IP address (the reverse shell server) for a DNS TXT record with a specific sentinel value. The reverse shell server then responds with a DNS TXT record containing base64-encoded commands. The victim shell runs these commands and sends the output back to the reverse shell server (this time as DNS A record requests for multiple domains, which together make up the output of the commands run on the server). This process repeats until the reverse shell server issues the "quit" command to the victim. Like our other Python reverse shells, this is pretty easy to build down to a native executable.
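From the defender's side, the exchange above has a recognisable shape in resolver logs: a TXT poll from one client, followed by a burst of A queries whose leftmost label is a long, high-entropy base64 chunk. The following is an added detection example, not code from the post or its tool; the log line format, the sentinel name `cmd-wait`, the zone names and the thresholds are all assumptions constructed for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (epoch, client, qtype, qname); the format is an
# assumption. 10.0.0.5 shows the post's pattern: a TXT poll, then a burst of A
# queries whose first label carries base64-encoded command output.
SAMPLE_LOG = """\
1700000001 10.0.0.5 TXT cmd-wait.example.net
1700000002 10.0.0.5 A dWlkPTAocm9vdCkgZ2lkPTAocm9vdCk.example.net
1700000002 10.0.0.5 A Z3JvdXBzPTAocm9vdCkgY29udGV4dA.example.net
1700000002 10.0.0.5 A dW5jb25maW5lZF91OnVuY29uZmluZWRfcg.example.net
1700000003 10.0.0.5 A bmNvbmZpbmVkX3Q6czAtczA6YzAuYzEwMjM.example.net
1700000004 10.0.0.7 A www.example.com
1700000005 10.0.0.7 A download-updates-server.example.com
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character: base64/hex blobs score well above normal hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_encoded(label, min_len=20, min_entropy=3.8):
    # Long AND high-entropy: "download-updates-server" is long but only ~3.7 bits
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def analyse_log(text, window=10, min_burst=3):
    """Flag clients with >= min_burst high-entropy A queries inside one window."""
    per_client = defaultdict(lambda: {"txt": 0, "enc": [], "zones": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        ts, client, qtype, qname = int(m[1]), m[2], m[3], m[4]
        labels = qname.rstrip(".").split(".")
        rec = per_client[client]
        if qtype == "TXT":
            rec["txt"] += 1  # polling for commands
        elif qtype == "A" and looks_encoded(labels[0]):
            rec["enc"].append(ts)
            rec["zones"].add(".".join(labels[-2:]))
    findings = {}
    for client, rec in per_client.items():
        ts_list = sorted(rec["enc"])
        burst = max((sum(1 for u in ts_list if t <= u <= t + window)
                     for t in ts_list), default=0)
        if burst >= min_burst:
            findings[client] = {"txt_polls": rec["txt"], "burst": burst, "zones": sorted(rec["zones"])}
    return findings
```

Run `analyse_log(SAMPLE_LOG)` to see only 10.0.0.5 reported, with its TXT poll count, burst size and the zone receiving the encoded labels; tune `min_entropy` against your own resolver's baseline before relying on it.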
The backdoor more or less works as described in the below video, but there are still some major shortcomings in our backdoor, which we will be updating over time: