DNS C2 Spec #418
Replies: 6 comments 6 replies
-
|
I think it would be great to be able to specify different record types to be used, (TXT, AAAA, A), etc |
Beta Was this translation helpful? Give feedback.
-
|
Absolutely! It would be great to make sure they match too. So if you're requesting an A record, you get back a standard response. Having the request type being dynamically configurable would be really helpful too so that you could use something like A records normally, but for large output or file transfers switch to TXT |
Beta Was this translation helpful? Give feedback.
-
|
A lot of dns servers (e.g 8.8.8.8) randomize the case of dns queries to purposefully break dns tunnels using base64. An option to use base32 (case insensitive) instead is a must have |
Beta Was this translation helpful? Give feedback.
-
|
Oh, I hadn't heard of that before! That's super good to know! We could also use something like the netbios encoding used by Cobalt Strike (https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/) to constrain the character set and always lowercase it so that the sensitivity doesn't matter |
Beta Was this translation helpful? Give feedback.
-
|
DNS-0x20 encoding randomly capitalizes the characters https://astrolavos.gatech.edu/articles/increased_dns_resistance.pdf |
Beta Was this translation helpful? Give feedback.
-
|
Does existing DNS C2 profile working? |
Beta Was this translation helpful? Give feedback.
-
|
That hasn't been updated, no. It's still on my roadmap to do, other things just came up that needed to happen first |
Beta Was this translation helpful? Give feedback.
-
|
Possiblity use multiple domain for receive one message. That for evade detection based on volume requests for one domain. |
Beta Was this translation helpful? Give feedback.
-
|
To be clear, are you referring to rotational hosts in the same way it is being discussed here? If so, +1 on my end. |
Beta Was this translation helpful? Give feedback.
-
|
Yes this is exactly what I had in mind. |
Beta Was this translation helpful? Give feedback.
-
|
Minimalize sended data e.g. payloadUUID/callbackUUID is long and consume plce for date in small dns message storage. |
Beta Was this translation helpful? Give feedback.
-
|
The dns profile is now released in a beta state along with support for it in the Poseidon agent. If you pull the latest of those two you can test it out and see if it meets all the things we've discussed here so far. The only thing I'm tracking that isn't included yet is DoH, but I want to make sure to get the standard DNS piece how we want first, then tackle that part. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
On the roadmap for Mythic is to create a DNS C2 profile, so I'd like to start a discussion as to the features, requirements, and specifications people would like to see in it before we start the development process
Beta Was this translation helpful? Give feedback.
All reactions