Utilization of DNS hidden tunnel in Cobalt Strike and detection with DLP

Posted by fierce at 2020-03-13

This series of tutorials introduces techniques, tactics, and tools to demonstrate common external intrusions and internal threats, and gives practical methods for detection and response using existing mature products.


Open-source and commercial penetration-testing software is now widely used. Although the major security technology websites carry many entry-level articles, most of them are translations of overseas material padded with the translators' own guesses, and the many factual errors in them reveal the translators' lack of hands-on experience. Guidance on using products already on the market to detect such activity is rarer still. The author therefore plans a series of tutorials that introduce the means, tactics and tools behind common external intrusions and internal threats, and give practical methods for detection and response using existing mature products.

Malicious use of DNS tunneling has existed for many years, and encapsulating data in the DNS protocol is a standard tool of advanced threat groups. Most firewalls and intrusion detection devices rarely filter DNS traffic, so botnets and intruders can use it almost without restriction for remote control and file transfer; examples include the Xshell Trojan and the Iranian group OilRig recently disclosed by PANW. At the same time, malicious insiders have gradually learned to use similar tools to steal key data assets.

A DNS covert tunnel establishes communication and exfiltrates data while easily bypassing traditional security products, and it is hard to detect with signature-based techniques. The well-known commercial penetration software Cobalt Strike and open-source tools such as iodine and dnscat2 ship ready-made modules that are quick and easy to use. For a red team conducting a penetration test, mastering a concealed, unobstructed DNS tunnel is essential. For a client's security and risk-control team, now that the tools and methods for stealing data through DNS covert tunnels are widespread, this data leakage channel deserves due attention.

This article explains, step by step, how to set up and use the DNS covert tunnel in Cobalt Strike, a widely used commercial penetration tool; leads readers through transferring data out of a target system; briefly shows and analyzes its communication packets; explains the detection algorithm; and finally demonstrates detecting this unknown threat with an existing DLP product.

A step-by-step tutorial should be as simple and easy to follow as possible. I hope every reader can learn to use it in daily work.

Setting up experimental environment

Let's set up the verification environment first. The author uses an Alicloud server running Ubuntu 16.04 as the Cobalt Strike team server, a Windows 7 x86 virtual machine as the target from which data is stolen, and a local Kali Linux machine to run the Cobalt Strike management client. Finally, a configurable domain name is required. Readers can adjust these as they like.

First, install the team server on the cloud server (IP masked). Installing Cobalt Strike according to the official manual is straightforward. Installing Java 1.7 on Ubuntu currently requires adding an apt source; the specific steps can be found by searching. After unpacking Cobalt Strike, run ./teamserver [IP] [password] to start the team server. To keep it running after the SSH session ends, start it with nohup or &. In addition, most cloud providers require users to open server ports themselves: the default team server management port is 50050, at minimum UDP 53 is required for the DNS protocol, and ports 80 and 8080 are also commonly used.

Then run Cobalt Strike in Kali and connect to the team server with the IP and password.

The official manual covers the steps above clearly, so I won't repeat them here.

Next, configure the domain name cirrus.[domain] for the DNS covert tunnel, as shown in the figure below: create an A record pointing your own name server, ns.cirrus.[domain], at the team server; then create an NS record delegating resolution of the dnsch subdomain to ns.cirrus.[domain].

After that, create a DNS listener in Cobalt Strike, as shown in the figure below.

Note that the payload is windows/beacon_dns/reverse_dns_txt, which uses DNS TXT records to download the payload stage and so avoids detection by traditional security products.

A pop-up window then prompts for the domain name the listener will use; fill in the subdomain of the NS record you just created.

Then test whether the domain name configuration is correct: nslookup cirrus.dnsch.cirrus.[domain]

Cobalt Strike comes with its own DNS server. If the query returns the expected result, the configuration is correct; otherwise, review the basics of DNS configuration and correct it. Some domain name providers have limitations in their implementation; if verification keeps failing, readers can use the dig command to locate the problem, or even switch providers.

Build the launch artifact and load it

Cobalt Strike offers many ways to generate an artifact. Tutorials generally use a simple exe for explanation. The author prefers PowerShell in daily work, since the benefit of leaving no file on disk is obvious. The actual operation is not complicated; see the overview below.

Use the menu Attacks -> Web Drive-by -> Scripted Web Delivery.

The artifact for delivery is now hosted at the dnsch path on the server; let's take a look at what it looks like.

Readers can use their imagination to create more scenarios flexibly, and save and publish artifacts in different places, not limited to the way Cobalt Strike provides.

The PowerShell command then pops up; copy and save it.

Open the target Windows 7 virtual machine, run PowerShell, enter this command and press Enter.

Mission complete: payload implanted. There are many tricks in generating and loading artifacts; only the main steps are shown here. Interested readers can try various advanced methods themselves.

Remote control

At this point, in the Cobalt Strike management interface, you can see that the target system on which we just implanted the artifact has reported its status to the server and automatically downloaded the payload required to run.

Right-click this host and select Interact. We can use the command line to try remote control operations such as screenshots, process lists and file downloads.

We can also use the mode command to change the data transmission channel at any time: mode dns uses A records, mode dns6 uses AAAA records, and mode http obviously uses the HTTP channel. Cobalt Strike's graphical menus are also very complete, and common remote control tasks can be completed with a few mouse clicks.

Readers may as well try a few commands.

Remote screen capture.

Use the download command to retrieve files remotely.

A malicious insider with basic software skills can, following the introductory tutorials circulating on the Internet, buy an ECS instance and build this infrastructure within a few days. Without installing any software on the office computer, they can use a DNS covert tunnel to steal key data over a long period without detection by traditional security products. The potential harm is huge, and this is a risk the security team must pay attention to.

Readers with spare time can try some advanced DNS covert tunnel construction techniques.

In a red team assessment, many factors affect whether the attack succeeds. One of the most important is keeping the C2 infrastructure hidden so that the blue team can hardly find it. If your opponent finds and blocks your C2, it at least slows you down even if it doesn't end the engagement immediately, and you waste a lot of time and energy rebuilding your infrastructure. Using DNS is one way to hide communication from the endpoint to C2, but it can be troublesome if the blue team can perform recursive DNS lookups that lead back to the team server. We can prevent the blue team from doing these reverse lookups, or at least create some barriers, and use host redirection to further hide the traffic.

The reference architecture is shown in the figure above; interested advanced readers can try it. Because this is an introductory course, I won't go into it.

Readers who just want to learn how to use Cobalt Strike to transfer data out through the DNS tunnel have reached the basic goal here, and can proceed smoothly with the official manual alone. Next, readers interested in the communication mechanism behind it can install Wireshark on the Windows virtual machine to capture network traffic, and then let's do a simple analysis together.

DNS tunneling mechanism

The DNS covert tunnel is built on DNS, an indispensable basic protocol of the Internet, which naturally gives it strong penetration and makes it a powerful tool for malicious groups to get through security protection. Let's use an official Cobalt Strike sketch to understand its communication framework.

The controlled end and the control end communicate through DNS requests and responses: the controlled end actively sends DNS requests to return operation output, and the control end replies with DNS responses to distribute control commands.

The Trojan polls the server regularly

By default, every 60 seconds it sends an A record query of the form [session ID].dnsch.cirrus.[domain] to report to the C2 server.

Download module from server using TXT records

We randomly select a request and observe the result returned in the TXT record.

Generally, TXT-type records are used to carry downstream data. TXT records are meant to hold additional text information for a domain name; to simplify transmission, applications generally use base64 encoding, in which each encoded character carries 6 bits of the original data.

Use A record queries to upload data

A DNS query name can carry up to 242 characters, and each character can take 37 different values. To transfer arbitrary data through a DNS covert channel, the data must first be encoded to meet the requirements of the DNS protocol standard.

Using DLP to detect data stealing through DNS tunnel

DNS covert tunnel detection is a key technology for identifying unknown threats. The goal of more than 90% of external intrusions and internal threats is to steal data assets, so monitoring data leakage channels is a very important part of security defence.

Because a DNS tunnel is concealed, complex and variable, traditional DLP products cannot detect it. In practice, domain generation algorithms (DGA) and changes to the outbound data encoding greatly increase the difficulty of automatic identification, so security products based on signature-matching rules cannot identify it accurately. Even if you crack the DNS communication format of a specific Trojan, that will not work for the next format. For open-source software it is easy to change the characteristics of the network communication, and signature matching obviously cannot keep up with the endless variety.

Legitimate software also uses DNS tunnels. If these are not handled, the number of false positives is huge and unacceptable.

Some technical articles propose detection based on request counts and statistics on long subdomain names. However, frequent requests for a large number of subdomains within the same domain are common in real environments, which easily produces false positives; at the same time, low-frequency, low-bandwidth channels are easily overlooked and go undetected. If statistics on special resource record types are used to detect the TXT and NULL records commonly used by DNS covert channels, tools such as iodine that use A record requests defeat this method. Even with character frequency statistics, the legitimate traffic used for training comes from Alexa's top million websites, which represents only the characteristics of web domain names and differs greatly from real DNS traffic, so the results are not ideal.
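As an added example that is not part of the original post or of any DLP product, here is a small Python analyzer that scores resolver logs on the combined indicators discussed above (subdomain length, character entropy, subdomain churn and TXT/NULL usage) and only flags a client/domain pair when several of them agree. The log lines, domain names and thresholds are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed (client_ip, qname, qtype) resolver-log sample, not captured traffic.
# C2 imitates the [session ID].dnsch.cirrus.[domain] query pattern described above.
C2 = "a7e01b2c.dnsch.cirrus.example"
SAMPLE_LOG = [("10.0.0.5", n, "A") for n in ["www.example.com"] * 4 + ["mail.example.com"] * 2]
SAMPLE_LOG += [("10.0.0.5", "static.example.com", "AAAA"), ("10.0.0.5", "_dmarc.example.com", "TXT"),
               ("10.0.0.7", C2, "A"), ("10.0.0.7", C2, "TXT"),
               ("10.0.0.7", "post.19f3a8c4e2b7d6905." + C2, "A"),
               ("10.0.0.7", "post.zgf0ys1jahvuay0w." + C2, "A"),
               ("10.0.0.7", "post.c0ffee1234deadbeef." + C2, "A"),
               ("10.0.0.7", "post.0badf00d1234abcd5678." + C2, "TXT")]

def shannon_entropy(s: str) -> float:
    """Bits per character; a 37-symbol hostname alphabet caps this at log2(37) ~= 5.2."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registrable_domain(qname: str) -> str:
    # Assumption: the last two labels form the registrable domain (no public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def profile(log):
    """Per (client, domain) totals of the features the heuristics above rely on."""
    feats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txtnull": 0})
    for client, qname, qtype in log:
        dom = registrable_domain(qname)
        sub = qname.lower().rstrip(".")[: -len(dom) - 1]  # labels left of the domain
        f = feats[(client, dom)]
        f["n"] += 1
        f["subs"].add(sub)
        f["len"] += len(sub)
        f["ent"] += shannon_entropy(sub.replace(".", ""))
        f["txtnull"] += 1 if qtype in ("TXT", "NULL") else 0
    return feats

def score(log, min_queries=4):
    """Report a (client, domain) pair only when at least two indicators agree; thresholds are untuned."""
    flagged = {}
    for key, f in profile(log).items():
        if f["n"] < min_queries:
            continue
        hits = {"long_subdomains": f["len"] / f["n"] > 25,
                "high_entropy": f["ent"] / f["n"] > 3.5,
                "subdomain_churn": len(f["subs"]) / f["n"] > 0.6,
                "txt_null_heavy": f["txtnull"] / f["n"] > 0.25}
        if sum(hits.values()) >= 2:
            flagged[key] = sorted(k for k, v in hits.items() if v)
    return flagged
```

Requiring agreement between indicators is what keeps a busy legitimate domain (many distinct subdomains, but short and low-entropy) out of the report, while a tunnel that switches to A records alone still trips the length, entropy and churn checks.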

SRG DLP products accurately detect DNS covert tunnels by using machine learning to analyze the network traffic behavior of endpoints and other entities, covering both the TXT record payload download and the A record data upload to the C&C server used by Cobalt Strike. The test results are shown in the figure below.