X-RDate: Tue, 14 Apr 1998 17:10:21 +0600 (YEKST)
X-UIDL: 35317d3400000019
Date: Mon, 13 Apr 1998 20:38:18 +0200
From: Oskar Pearson <wosp@ICON.CO.ZA>
To: BUGTRAQ@NETSPACE.ORG
Subject: DNS Tunnel - through bastion hosts
Hi All
I assume that you all know the benefits of using a bastion host
and packet filtering all other hosts out so that people don't tunnel
data in UDP packets.
Well, it's not enough anymore.
(This was originally going to be a Phrack article, but since I submitted
it they haven't answered any of my mail.)
The complete code (Perl) and so forth are available at
http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz (it's about 8kb, so
that's why I didn't post it here.) Note that some parts (most) of it
is under different copyright, since I adapted another DNS server for
my code.
It's currently written as a system for someone to get into the internal
network from home, but it could be changed into a system to get into
machines that you haven't even heard of (if you convert it into a
trojan.)
To get it to work:
You need root on an external host with a static IP address. This acts as an
external endpoint for the server 'tunnel'. It mustn't be running a
DNS server (though you could make this thing transparent or use IP
aliases) You need some test domain (or subdomain) that you can delegate to
this server (something in 'ml.org' would be fine, I guess.)
How it works:
The client does DNS lookups for a host in the delegated domain. If the
server wants to connect it responds with a 'key' IP address. The client
then starts a shell in a pipe and feeds the output of the shell (in the form
of DNS queries) to the server. The server reads your keystrokes and
passes them back to the client (and hence to the shell) as the IP addresses
returned for the DNS queries.
This isn't exactly how it works in practice, but it gives you
the idea:
Client: Server:
--------------------------------------------------------------------------
connect.1.test.domain.example. <Yes - I want to connect>
host#>.2.test.domain.example. <Thanks - no keypresses>
(you type something, say 'su -')
poll.3.test.domain.example. <He typed 'su -'>
Password:.4.test.domain.example. <Thanks - no keypresses>
(you try something, say 'god')
etc etc
Obvious things:
1) You can't have "#" in a domain name. This effectively means that you
just encode it by giving the ascii value. This is done in this code.
2) It's slow. (This code especially, since it makes no attempt to
pack things into as few packets as possible.)
I haven't heard of this method before. If it's been done, and somehow
filtered through to my subconsious without me remembering, apologies!
