In this experiment, a DNS-tunnel bot was brought online under Cobalt Strike 4.3 without exposing the C&C host: the bot never contacts the C&C server directly, its queries reach it only through normal iterative resolution of a zone delegated to the C&C server (an "iterative" DNS tunnel), and the bot can be controlled directly from the Cobalt Strike 4.3 client. The trade-off is that the tunnel moves little data per DNS query, so the channel is very slow.
Step 1: Add an A record for the C&C server (c2.hackbiji.top) pointing at the C&C host's IP address.
Step 2: Add an NS record delegating the bot zone (bot.hackbiji.top) to c2.hackbiji.top, so that every query for any name under bot.hackbiji.top is resolved by the C&C server.
Step 3: Run the Cobalt Strike 4.3 team server on the C&C host.
Step 4: Run the Cobalt Strike 4.3 client on Kali, create a DNS listener and generate the payload (the "attack core"); in this setup it could only be generated as x86.
Step 5: Run the payload on the bot host.
Step 6: The bot checks in and appears in the Cobalt Strike client on Kali.
Step 7: Start Wireshark and capture the bot's traffic.
The capture shows that this DNS tunnel is carried over A-record queries: the data travels in the subdomain labels of names under bot.hackbiji.top, which the delegation in Step 2 routes to the C&C server.
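What the Wireshark capture in Step 7 reveals is the detection signature of this kind of tunnel: a burst of A-record queries for unique, long, high-entropy subdomains under one zone. The script below, an added example that is not Cobalt Strike code and not part of the original write-up, runs a few such features over a constructed query log in the shape of `tshark -T fields -e ip.src -e dns.qry.name -e dns.qry.type` output. The addresses, query names and thresholds are assumptions for illustration, not values from a real capture, and the zone split uses the registrable domain (hackbiji.top) rather than the delegated bot.hackbiji.top label.

```python
"""Spot DNS-tunnel traffic in a query log: queries that carry data in the
subdomain labels of one zone (here the delegated bot.hackbiji.top zone).

Added example; not Cobalt Strike code and not part of the original write-up.
The log imitates `tshark -T fields -e ip.src -e dns.qry.name -e dns.qry.type`
output; the addresses and query names are constructed, not a real capture.
"""
import math
from collections import defaultdict

# Constructed sample (tab-separated: source IP, query name, query type; 1 = A, 28 = AAAA).
SAMPLE_LOG = """\
10.0.0.21\ta9f31c7e2b8d4065e1c09b7a3f5d2e48.bot.hackbiji.top\t1
10.0.0.21\tc47e0d1f9a3b5c6e2d8f0a1b3c5d7e9f.bot.hackbiji.top\t1
10.0.0.21\t5e1d3c2b4a6f8e9d0c7b1a3f5d2e4c68.bot.hackbiji.top\t1
10.0.0.21\tpost.7b2c4d6e8f0a1b3c5d7e9f2a4c6e8b0d.bot.hackbiji.top\t1
10.0.0.21\t0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.bot.hackbiji.top\t1
10.0.0.21\t3a5c7e9f1b3d5f7a9c1e3b5d7f9a1c3e.bot.hackbiji.top\t1
10.0.0.21\twww.example.com\t1
10.0.0.21\tmail.example.com\t1
10.0.0.21\twww.example.com\t28
10.0.0.21\tapi.example.com\t1
"""


def parse_log(text):
    """Return (src, qname, qtype) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1].rstrip(".").lower(), int(parts[2])))
    return records


def shannon_entropy(s):
    """Bits per character; data-carrying labels score far above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname, depth=2):
    """Split a name into (zone, subdomain). depth=2 keeps the registrable
    domain (hackbiji.top); multi-label public suffixes such as co.uk are
    ignored, a simplification assumed for this example."""
    labels = qname.split(".")
    if len(labels) <= depth:
        return qname, ""
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])


def zone_stats(records, depth=2):
    """Per-zone features: query count, unique-subdomain ratio, mean subdomain
    length, mean entropy of the subdomain part, fraction of A (qtype 1) queries."""
    by_zone = defaultdict(list)
    for _src, qname, qtype in records:
        zone, sub = split_zone(qname, depth)
        by_zone[zone].append((sub, qtype))
    stats = {}
    for zone, items in by_zone.items():
        subs = [s for s, _ in items]
        n = len(items)
        stats[zone] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "a_fraction": sum(1 for _, t in items if t == 1) / n,
        }
    return stats


def flag_tunnels(stats, min_queries=5, min_unique_ratio=0.9,
                 min_len=20, min_entropy=3.0):
    """Zones whose query stream looks like encoded data rather than hostnames.
    The thresholds are illustrative starting points, not tuned values."""
    flagged = []
    for zone, st in sorted(stats.items()):
        if (st["queries"] >= min_queries
                and st["unique_ratio"] >= min_unique_ratio
                and st["mean_len"] >= min_len
                and st["mean_entropy"] >= min_entropy):
            flagged.append(zone)
    return flagged


if __name__ == "__main__":
    stats = zone_stats(parse_log(SAMPLE_LOG))
    for zone, st in sorted(stats.items()):
        print(zone, {k: round(v, 2) for k, v in st.items()})
    print("suspected tunnel zones:", flag_tunnels(stats))
```

On the constructed log only hackbiji.top is flagged: its six queries all carry distinct 32-character hex labels, while example.com repeats short, low-entropy hostnames. Against a real capture, feed the script the exported query fields for the whole session, and keep in mind that a low-volume tunnel like the one in this experiment can sit below a count threshold set for noisier channels, so the per-name length and entropy features matter more than raw query volume.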