The idea of this tool is that you can run just about any program, or copy files to and from a machine (an ssh session, say), using DNS packets to and from the client. In other words, a workstation sitting on a network somewhere, behind the company's firewalls, IPS/IDS, AV and so on, could communicate with a system on the Internet using nothing but DNS packets, completely bypassing the security the company has set up. Certainly not something a company would want to happen. It is also hard to detect, since DNS queries are a common thing on any network.
You should know that from an attack/defend perspective I am currently much more of a defender than an attacker. That is to say, when I learn about tools like this, my brain starts to think “okay, how do I defend against or stop this?”.
The answer in this case is that the clients (i.e. workstations and other internal devices) are not allowed to get information about any domain on the Internet. In other words, any request from them for, say, www.google.com or www.cnn.com gets back a “does not exist” response from their DNS server(s), period, the end. The company's internal DNS servers would perform recursive DNS lookups, but only for the internal zone.
Then how do they reach the Internet for, say, www.cnn.com? The clients must use proxies. The proxy server(s) are allowed to talk to specific DNS servers inside the DMZ, which accept recursive queries only from the proxy servers; this lets the proxy fetch the data from www.cnn.com on the client's behalf.
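To make the two-tier policy above concrete, here is a small model of it, added as an example and not code from the original post. It encodes the rule for the internal resolver (answer only the internal zone, “does not exist” for everything else) and the rule for the DMZ resolver (recursion only for the proxy addresses), and then audits constructed BIND-style query-log lines for queries that the policy says should never occur: an ordinary internal host asking for a name outside the internal zone. The zone name, addresses and log lines are all made up for illustration.

```python
"""Model of a split DNS policy: internal resolver answers only the internal
zone, DMZ resolver recurses only for the proxies.  Added example; all
addresses, zone names and log lines below are constructed, not real data."""
import ipaddress
import re

INTERNAL_ZONE = "corp.example"                       # constructed internal zone
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # constructed client range
PROXIES = {ipaddress.ip_address("10.0.5.10"),        # constructed proxy addresses
           ipaddress.ip_address("10.0.5.11")}


def in_internal_zone(qname):
    """True if qname is the internal zone apex or a name beneath it."""
    name = qname.rstrip(".").lower()
    return name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE)


def internal_resolver(client, qname):
    """Internal resolver: authoritative data for the internal zone only.
    Any other name gets a 'does not exist' (NXDOMAIN) reply; there is no
    recursion or forwarding to the Internet, whoever the client is."""
    if in_internal_zone(qname):
        return "ANSWER"
    return "NXDOMAIN"


def dmz_resolver(client, qname):
    """DMZ resolver: recursive for any name, but only on behalf of a proxy.
    Every other source address is refused outright."""
    if ipaddress.ip_address(client) in PROXIES:
        return "ANSWER"
    return "REFUSED"


# Tolerates the optional "@0x..." client pointer BIND 9 prints before the address.
LOG_RE = re.compile(r"client (?:@\S+ )?(\S+)#\d+ .*?query: (\S+) IN (\S+)")


def audit(log_lines):
    """Return (client, qname, qtype) for every query a non-proxy internal host
    made for a name outside the internal zone.  Under this policy such a query
    is never legitimate: it is either a misconfigured host or an attempt to
    push data out through DNS, which is exactly what a defender wants to see."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                       # not a query-log line; skip it
        client, qname, qtype = m.groups()
        src = ipaddress.ip_address(client)
        if src in INTERNAL_NET and src not in PROXIES and not in_internal_zone(qname):
            flagged.append((client, qname, qtype))
    return flagged


# Constructed sample of internal-resolver query-log lines (BIND 9 layout).
SAMPLE_LOG = [
    "client 10.0.1.23#51234 (intranet.corp.example): query: intranet.corp.example IN A + (10.0.0.53)",
    "client 10.0.5.10#40001 (www.cnn.com): query: www.cnn.com IN A + (10.0.0.53)",
    "client 10.0.1.23#51235 (www.cnn.com): query: www.cnn.com IN A + (10.0.0.53)",
    "client 10.0.1.77#51236 (k7f2q9z.example.net): query: k7f2q9z.example.net IN TXT + (10.0.0.53)",
]

if __name__ == "__main__":
    print(internal_resolver("10.0.1.23", "www.cnn.com"))       # NXDOMAIN
    print(dmz_resolver("10.0.5.10", "www.cnn.com"))            # ANSWER
    print(dmz_resolver("10.0.1.23", "www.cnn.com"))            # REFUSED
    for hit in audit(SAMPLE_LOG):
        print("policy violation:", hit)
```

The useful property of this design is that it turns detection from a statistics problem into a policy check: once ordinary clients are never supposed to resolve external names, a single external query from a workstation in the resolver log is a finding on its own, with no need to reason about query volume or label entropy.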
Compared to, say, an Internet cafe offering free WiFi, such a corporate network would seem very restrictive and probably would not be considered “friendly” to the employees. On the other hand, if I were the owner of the company or the CSO, I'd sleep better at night. Defense in depth is something I learned early on in my days in information security and continue to refine.
Of course, these same rules apply within the company as well. If a particular area needs additional protection, it should treat the rest of the company just like the Internet and barricade itself off.
What do you think?
