Published on July 11th, 2013 | by NJ Ouchn
Hacking through a Straw (Pivoting over DNS)
(Posted from Raphael Mudge's blog: http://blog.strategiccyber.com/2013/07/09/hacking-through-a-straw-pivoting-over-dns/)
Last month, I announced Beacon's ability to control a host over DNS. I see Beacon as a low-and-slow lifeline for getting an active session when it's needed. Sometimes, though, Beacon is all you have. There are times when Meterpreter gets caught too quickly or just can't get past the network's egress restrictions.
For these situations, Beacon has the basic post-exploitation tools. Beacon can execute commands, get files, put files, log keystrokes, and inject shellcode to spawn another session. As of today, Beacon can also act as a pivot to relay your scans and attacks into a compromised network. If you can't get a Meterpreter session, or if Beacon's DNS channel is your only way out, it's now possible to continue your march into your target's network.
To pivot through a Beacon, go to View -> Beacons, and interact with the Beacon you would like to pivot through. First, you will want to decide on the right data channel. Cobalt Strike’s DNS Beacon gives you three options:
Use mode http to ask Beacon to use HTTP as a data channel. When it's time to check in, Beacon will connect to you and download tasks with an HTTP GET request. When there's data to send back, Beacon will use an HTTP POST request to send it. This option is the default data channel. It is also very fast and has much more capacity than either of the DNS data channels.
Use mode dns to ask Beacon to use DNS as a data channel. When it's time to check in, Beacon will make several A record requests for a domain your Cobalt Strike system is authoritative for. Each request downloads 4 bytes of the tasking at a time. Data is sent back as a series of A record requests with the data embedded in the requested hostname.
The normal DNS mode is sufficient for controlling a compromised host, but for pivoting, 4 bytes per DNS request is not a lot of capacity. To make up for this shortcoming, I've added mode dns-txt, which asks Beacon to use DNS as a data channel but download tasks using TXT records. This gives Beacon a capacity of ~184 bytes of base64-encoded data per request. If you'd like to use Beacon to relay traffic over DNS, I recommend that you use this mode first.
Next, you will want to change Beacon's sleep time. By default, Beacon calls home every sixty seconds. When relaying traffic through Beacon, this sleep time introduces unnecessary latency. Use sleep 0 to task Beacon to call home several times a second.
Now, type socks 8080 to set up a SOCKS4 proxy server on port 8080. Beacon exposes its pivoting capability as a SOCKS proxy server. This gives you the freedom to relay traffic from the Metasploit Framework, proxy-aware tools, and other external tools.