mitre / sandcat

A CALDERA plugin
https://caldera.mitre.org/
Apache License 2.0

How to run Sandcat with DNS tunneling contact #362

Closed Rayhawk11 closed 3 years ago

Rayhawk11 commented 3 years ago

I'd like to experiment with Sandcat's DNS tunneling functionality. I've got it compiling with the DNS tunneling extension, but I can't figure out how to pass the DNS contact address to Sandcat. Any tips? Thank you!

[image]

uruwhy commented 3 years ago

Your command line arguments look correct to me. May I ask which version of the sandcat and gocat plugins you are using? There were changes that were made in both plugins that handle the way the agent loads the server address before attempting to set up a communications channel, so if the sandcat/gocat plugins are too far out of sync, then there may be incompatibilities.

Rayhawk11 commented 3 years ago

When I originally wrote that up, I was on Sandcat 23257d and Gocat 1b4b19. Those are what's included in Caldera 3.1.0, I believe.

Pulled and checked out origin/master of both repos as of right now to test after seeing your comment--it works, thank you!

Just one more question then: It looks like Sandcat, when running with the args I'm using, tries to do lookups for [data].mycaldera.mycaldera. If the server's app.contact.dns.domain is not mycaldera.mycaldera, this crashes Sandcat. Is there a command-line option to configure the DNS domain on Sandcat's side yet?

uruwhy commented 3 years ago

There currently isn't a command-line option to update the DNS domain within the sandcat code. Right now the only way would be to modify the golang file yourself, which I understand is not the best solution. I can look into a feature that will automatically update the domain within the golang file during compilation time based on what is provided in the config file (that way you don't need to do anything additional in the command line).

Rayhawk11 commented 3 years ago

Alright, I was just wondering if I was missing something like an undocumented arg. Thanks for your help!

uruwhy commented 3 years ago

You're welcome!

uruwhy commented 3 years ago

@Rayhawk11 just letting you know, the latest version of sandcat will now dynamically use the DNS C2 domain specified in your caldera config file. Simply request the DNS tunneling extension as before, and make sure the domain of your choice is set in the "app.contact.dns.domain" configuration setting in the YAML config file.

Reference PRs: