I originally planned to build a Dante SOCKS proxy on CentOS 7, but after a morning of fighting with it I gave up: there were too many pitfalls, and although the examples looked clear, every attempt ran into a different error. So I switched to an SSH attempt instead. The main purpose of this experiment is to let the bot connect to the Internet over the DNS protocol; the bot must also be able to reach the C&C host directly, which makes this a direct-connect DNS tunnel (as opposed to one relayed through public recursive resolvers).
Step 1: Add an A record pointing to the IP address of the C&C server (c2.hackbiji.top)
Step 2: Add an NS record so that any name under the zombie (bot) domain (bot.hackbiji.top) is resolved by the C&C server
Step 3: Run the dns2tcp server on the C&C server
Incidentally, CentOS has many pitfalls here; I compiled from source, and I recommend that you test on Ubuntu. In the configuration file I configured only the ssh resource, so that the bot host can use the SSH protocol to communicate with the C&C host.
Step 4: Run the DNS2TCP client on the bot host
The client listens on local port 10080 and encapsulates the SSH traffic it receives there in DNS requests
Step 5: Run the SSH login command on the bot host
This is simply logging in to the C&C server from the bot; you need to know the username and password of the C&C host
Step 6: Use Wireshark to perform packet capture analysis
The capture shows that dns2tcp carries its data in DNS TXT records and that the TTL field of the responses is 3. From the defender's side, a burst of TXT queries to a single delegated zone with unusually short TTLs is exactly the kind of signature that DNS-tunnel detection rules look for.
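The following is an added example, not code from the original post or from the dns2tcp project: a small heuristic detector that scores DNS query log records for the traits the capture above reveals (TXT queries, TTL 3, one delegated zone receiving many queries) plus generic tunnel indicators such as long, high-entropy subdomain labels. The log format, the sample records, the `tunnel-zone.test` placeholder domain and the thresholds are all constructed assumptions for this example.

```python
"""Heuristic DNS-tunnel detector over DNS query log records.

Added example, not part of the original post. It flags traffic that looks
like the dns2tcp capture described above: TXT queries with a very short
TTL, random-looking subdomain labels, and many such queries from one client
to one delegated zone. The log format and sample lines are constructed.
"""
import math
from collections import defaultdict

# Constructed sample log: (client_ip, qname, qtype, answer_ttl).
# "tunnel-zone.test" is a placeholder domain, not a real C&C domain.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A", 300),
    ("10.0.0.5", "mail.example.com", "MX", 3600),
    ("10.0.0.5", "_dmarc.example.com", "TXT", 3600),  # benign TXT lookup
    ("10.0.0.7", "k7q2m9x4w1z8b3n6p5r0.bot.tunnel-zone.test", "TXT", 3),
    ("10.0.0.7", "h3s8d1f6g4j2l9a7c5e0.bot.tunnel-zone.test", "TXT", 3),
    ("10.0.0.7", "v2b9n4m7q1w8e5r3t6y0.bot.tunnel-zone.test", "TXT", 3),
    ("10.0.0.7", "z5x1c8v4b7n2m9q6w3e0.bot.tunnel-zone.test", "TXT", 3),
    ("10.0.0.7", "p4o8i2u6y1t7r3e9w5q0.bot.tunnel-zone.test", "TXT", 3),
]


def shannon_entropy(s):
    """Bits per character of s; encoded tunnel payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname, labels=3):
    """Approximate the delegated zone by keeping the last `labels` labels
    (assumption: three labels fit the constructed samples)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def score_record(qname, qtype, ttl):
    """Score a single query; returns (score, list_of_reasons)."""
    reasons = []
    score = 0
    if qtype == "TXT":
        score += 1
        reasons.append("TXT query")
    if ttl is not None and ttl <= 5:
        score += 1
        reasons.append("very short TTL (%d)" % ttl)
    leftmost = qname.rstrip(".").split(".")[0]
    if len(leftmost) >= 16:
        score += 1
        reasons.append("long leftmost label (%d chars)" % len(leftmost))
    if shannon_entropy(leftmost) > 3.5:
        score += 1
        reasons.append("high-entropy leftmost label")
    return score, reasons


def analyze(records, per_record_threshold=3, min_zone_hits=3):
    """Aggregate suspicious queries per (client, zone) and return alerts
    for pairs that accumulate at least `min_zone_hits` of them."""
    hits = defaultdict(list)
    for client, qname, qtype, ttl in records:
        score, reasons = score_record(qname, qtype, ttl)
        if score >= per_record_threshold:
            hits[(client, zone_of(qname))].append((qname, reasons))
    alerts = []
    for (client, zone), items in hits.items():
        if len(items) >= min_zone_hits:
            alerts.append({
                "client": client,
                "zone": zone,
                "count": len(items),
                "reasons": sorted({r for _, rs in items for r in rs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately simple; in a real deployment you would tune them against your own resolver logs, because legitimate services (DKIM, SPF, certificate validation) also issue TXT queries, and a single indicator should never raise an alert on its own.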