iagox86 / dnscat2

BSD 3-Clause "New" or "Revised" License

DNS server returned an unknown character in the string: 0xc1 #95

Open DrDoof opened 8 years ago

DrDoof commented 8 years ago

Sometimes I receive the error

DNS server returned an unknown character in the string: 0xc1
Unrecoverable error in libs/dns.c(92): Couldn't process string

on client while establishing ssh session.

iagox86 commented 8 years ago

Does it keep working, or does it fail at that point?

Can you get me a packet capture while it's happening? Running the client with --packet-trace and possibly -d should cover that.

More info on how to capture all the bug report info I need: https://github.com/iagox86/dnscat2/blob/master/doc/how_to_bug_report.md

On Tue, May 17, 2016 at 8:13 AM, DrDoof <notifications@github.com> wrote:

> Sometimes I receive the error
>
> DNS server returned an unknown character in the string: 0xc1
>
> on client while establishing ssh session.


sam-dumont commented 8 years ago

I had the same issue. In my setup, the clients connect first to Windows DNS servers, which forward to BIND servers for external resolving. If I use the Windows server in my resolv.conf, I experience this issue. If I change it to the BIND server, no issue anymore, so I suppose that the Windows DNS server is changing something somewhere.

I have a client log if you need it :)

iagox86 commented 8 years ago

Interesting! Does it break the connection, or does it just print a warning?

I'd like to be able to replicate it (or even just see a pcap) so I can make sure it's being handled properly.

On Mon, May 23, 2016 at 5:12 AM, samueldumont <notifications@github.com> wrote:

> I had the same issue. In my setup, the clients connect first to Windows DNS servers, which forward to BIND servers for external resolving. If I use the Windows server in my resolv.conf, I experience this issue. If I change it to the BIND server, no issue anymore, so I suppose that the Windows DNS server is changing something somewhere.
>
> I have a client log if you need it :)


sam-dumont commented 8 years ago

It breaks the connection and the client crashes :( I will generate a pcap and send it to you in the next few days.

iagox86 commented 8 years ago

Ahh, that sucks! A Pcap would be great, I should look into making that a "softer" error.

On Mon, May 23, 2016 at 10:48 PM, samueldumont <notifications@github.com> wrote:

> It breaks the connection and the client crashes :( I will generate a pcap and send it to you in the next few days.


0x71 commented 7 years ago

Hi,

I face the same problem. The client crashes when it receives an MX response that was forwarded by a Windows DNS server. I created a log with --packet-trace and -d. Taking a quick look at the source code (dns.c), the problem seems to occur while parsing the DNS label length.

dnscat-windns.txt
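
Added example, not part of the thread and not dnscat2's code: the byte in the error, 0xc1, has its two top bits set, which RFC 1035 defines as the first byte of a name-compression pointer; the thread does not confirm this as the cause. The sketch below is a bounds-checked name decoder that accepts any pointer byte from 0xC0 to 0xFF and returns an error instead of aborting; `dns_read_name`, `build_sample` and the sample message are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Decode the DNS name at msg[off] into dotted text. Returns 0 on success and
 * -1 on malformed input, so a caller can drop the packet instead of aborting. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t o = 0, jumps = 0;
    for (;;) {
        if (off >= len) return -1;
        uint8_t b = msg[off];
        if ((b & 0xC0) == 0xC0) {
            /* Compression pointer (RFC 1035 4.1.4): first byte 0xC0..0xFF. */
            if (off + 1 >= len || ++jumps > 16) return -1; /* truncated, loop */
            off = ((size_t)(b & 0x3F) << 8) | msg[off + 1];
        } else if (b & 0xC0) {
            return -1;                    /* 0x40 / 0x80 prefixes are reserved */
        } else if (b == 0) {
            if (o >= outlen) return -1;
            out[o] = '\0';                /* root label ends the name */
            return 0;
        } else {
            if (off + 1 + b > len || o + b + 2 > outlen) return -1;
            if (o > 0) out[o++] = '.';
            memcpy(out + o, msg + off + 1, b);
            o += b;
            off += 1 + (size_t)b;
        }
    }
}

/* Constructed sample: a name stored at offset 260 and a second name at 280
 * that ends in a pointer to it (bytes 0xC1 0x04). Not taken from the thread. */
size_t build_sample(uint8_t *msg, size_t len)
{
    memset(msg, 0, len);
    memcpy(msg + 260, "\x06" "dnscat" "\x07" "example" "\x00", 16);
    memcpy(msg + 280, "\x03" "abc" "\xC1\x04", 6);
    return 280;
}

int main(void)
{
    uint8_t msg[300]; char name[256];
    size_t off = build_sample(msg, sizeof msg);
    int rc = dns_read_name(msg, sizeof msg, off, name, sizeof name);
    printf("rc=%d name=%s\n", rc, rc == 0 ? name : "(malformed)");
}
```

A pointer's first byte is 0xC0 only when the target lies in the first 256 bytes of the message, so any intermediary that re-encodes a response can legitimately produce 0xC1 or higher.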

osakaaa commented 7 years ago

Same problem here. Are there any solutions yet?

slohin-st commented 7 years ago

I am also very interested in the solution. If it is the MX response, is there any way to tell DNScat to not use MX responses? For example, when the DNS driver gets created it shows "type = TXT, CNAME, MX". Is there a flag that tells it to use just CNAME?

dnscat2 is great, by the way. Thanks for sharing! 💃


update: I figured out the type flag. Duh :) . TXT record seems to be fine. I wonder if this is because the TXT record allows more data?

iagox86 commented 7 years ago

Yeah, there is; on the client:

Driver options:
 --dns <options>         Enable DNS mode with the given domain.
   domain=<domain>       The domain to make requests for.
   host=<hostname>       The host to listen on (default: 0.0.0.0).
   port=<port>           The port to listen on (default: 53).
   type=<type>           The type of DNS requests to use, can use
                         multiple comma-separated (options: TXT, MX,
                         CNAME, A, AAAA) (default: TXT,CNAME,MX).
   server=<server>       The upstream server for making DNS requests
                         (default: autodetected = 127.0.1.1).

So something like, --dns="domain=domain.com,host=8.8.8.8,port=53,type=cname"

On Thu, Mar 23, 2017 at 1:03 PM, slohin-st <notifications@github.com> wrote:

> I am also very interested in the solution. If it is the MX response, is there any way to tell DNScat to not use MX responses? For example, when the DNS driver gets created it shows "type = TXT, CNAME, MX". Is there a flag that tells it to use just CNAME?
>
> dnscat2 is great, by the way. Thanks for sharing! 💃


slohin-st commented 7 years ago

Thanks! I did figure it out, thanks! Do you think it may have something to do with the size of records? I believe that the TXT record allows a larger payload, so maybe Windows DNS doesn't agree with the string that is being inserted into the subdomain for MX and CNAME records?

BenMoore71 commented 6 years ago

Hello, having same issue, tried A, TXT, MX and CNAME, all fail, got a cb session that is unresponsive.

./dnscat --secret=4f9f64d1518407f54a322ff13fe05254 --dns="domain=xxx,type=MX"

DNS server returned an unknown character in the string: 0xc1
Unrecoverable error in libs/dns.c(92): Couldn't process string
Creating DNS driver:
 domain = xxxx
 host = 0.0.0.0
 port = 53
 type = MX
 server = 10.0.0.2
Aborted

Update: legacy dnscat seems to have the same type of issue

Starting DNS requests to domain 'xxxx' xxxx:53...
Creating new session exejatnr with sequence number 67416268
Attempting to start process '/bin/bash' for session exejatnr
Started: /bin/bash (pid: 26998)
DNS server returned an unknown character in the string: 0xc1
Unrecoverable error in dns.c(91): Couldn't process string

Just after I type ls -al it starts to give output but crashes.

Please suggest the solution I am going crazy here :)

ovcrash commented 2 years ago

I got this error. Does anyone know exactly why this happens?