sdt_dns_poll: res_search: Unknown host, biatch v2!

[kotee4ko]

Gr33t3ng5, Sir.

Thank you for you're awesome work.

I have a problem with running on client side.

(DOM)root@dom0:/opt/sods/sdt# ./sdt -v -v -v myhost.ml
session id = 56777, opt = 0, session = 0
POLL:0.54375.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host
POLL:0.52824.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host
POLL:0.40600.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host
POLL:0.53272.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host

i use different combinations of args, including -t <DNS type> TXT, CNAME, NULL [Default = TXT] also, i try to modify a bit this :0.52824.id.51677.down. random value in source - the "-" char to the "." char. with no luck.

When i use, for example, dnscat2 - myhost.ml accepted the DNS tunnel. Even if i run dnscat2-client-side and on myhost.ml run SODS server side - it see packets, so, the trouble is in the client side. Also tcpdump is void when i run SODS client side on target host.

I have some project, i'm new to C programming. my profile is cyber-security, and PWN :+1: I need something very-very light and very-very stealthy. to do "pulse" to myhost.ml from target server. My idea is to make DNS tunnel every N seconds, send UDP/TCP packet*** to the serve. Receive the response from server, and, if there are nothing to do - close the tunnel. and sleep. I have everything but DNS tunnelling.

***sending to the host, as i can understand will be inside DNS tunnel, so i will be able to do on the target host something like echo 777 | netcat 127.0.0.1 1337 and on the server side netcal -lvtp 31337 will receive 777. this will be faking awesome :) or, if this is impossible - just common communication way.

So, can you please help me with this? p.s. sorry, if my English is bad :)

[msantos]

On Sun, Aug 02, 2020 at 08:47:10PM -0700, kotee4ko wrote:

Gr33t3ng5, Sir.

Hey kotee4ko!

Thank you for you're awesome work.

I have a problem with running on client side.

(DOM)root@dom0:/opt/sods/sdt# ./sdt -v -v -v myhost.ml
session id = 56777, opt = 0, session = 0
POLL:0.54375.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host
POLL:0.52824.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host
POLL:0.40600.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host
POLL:0.53272.id.51677.down.myhost.ml
sdt_dns_poll: res_search: Unknown host

The nameserver for myhost.ml is replying with "unknown host". Is sods the name server for myhost.ml? If not, a subdomain may need to be delegated to the sods server.

For example:

• nameserver for the myhost.ml domain is 2.2.2.2

  A DNS record for myhost.ml points to a subdomain nameserver for z.myhost.mlA:

z 10800 IN NS 3.3.3.3

• sods is the nameserver for the dns tunnel subdomain and listens on 3.3.3.3

Then test the path is working by running tcpdump on 3.3.3.3 and doing any name resolution:

dig @3.3.3.3 foo.z.myhost.ml # name server is reachable
dig foo.z.myhost.ml # name requests are being routed to the subdomain

i use different combinations of args, including -t <DNS type> TXT, CNAME, NULL [Default = TXT] also, i try to modify a bit this :0.52824.id.51677.down. random value in source - the "-" char to the "." char. with no luck.

When i use, for example, dnscat2 - myhost.ml accepted the DNS tunnel. Even if i run dnscat2-client-side and on myhost.ml run SODS server side - it see packets, so, the trouble is in the client side. Also tcpdump is void when i run SODS client side on target host.

Check sdt can reach the tunnel endoint directly:

sdt -r 3.3.3.3 ...

I have some project, i'm new to C programming. my profile is cyber-security, and PWN :+1: I need something very-very light and very-very stealthy. to do "pulse" to myhost.ml from target server. My idea is to make DNS tunnel every N seconds, send UDP/TCP packet to the serve. Receive the response from server, and, if there are nothing to do - close the tunnel. and sleep. I have everything but DNS tunnelling.

That should work with the sdt -b option. sdt will still poll periodically in case there is any pending data from the other side of the tunnel.

So, can you please help me with this?

Hope that helps, if you're still running into issues, feel free to update the issue.

[msantos]

Missed the edits:

• for TCP, see the sdt -T option

• netcat to a local port can be done using ssh port forwarding

  If you're ok sending the data unencrypted, might work by doing something like:

  
  # client
  sdt -p 1337 ....

server

nc -k -l 31337 sods -L 127.0.0.1:31337

[kotee4ko]

thank you for reply. i do 40.206.1.37.in-addr.arpa domain name pointer nera.ml so, when i try to https://dnschecker.org/#CNAME/tun.myhost.ml i can see

root@server:/opt/sods/sods# ./sods -vvvv -d /tmp -L 127.0.0.1:31337 tun.myhost.ml &
2020-08-03 21:20:02 Truncating query: no_additional = 1, no_answers = 0, no_authority = 0
2020-08-03 21:20:02     google.com

with which configuration i should run the sods server?

[msantos]

To test directly, something like:

# shelll 1
sudo sods -vvvv -d /tmp -L 127.0.0.1:31337 tun.myhost.ml

# shell 2
nc -kl 31337

# shell 3: from localhost
sdt -r 127.0.0.1 sshdns.tun.myhost.ml

If you type in the sdt shell, you'll see the keystrokes in the nc window and the opposite. You should also be able to go directly over the internet to the public IP address, if port 53 isn't blocked.

The issue is tun.myhost.ml is a CNAME to an A record. If going directly to the IP address works, going to the CNAME should also work:

sdt -r tun.myhost.ml sshdns.tun.myhost.ml

Usually we would want to go via the local network name server because outgoing network connections are blocked. The local resolver forwards DNS requests to your name server. For that to happen, myhost.ml must delegate the tun.myhost.ml subdomain to your cname, i.e., use an NS record, not a CNAME.

[kotee4ko]

Got it. thank you.

i get ~23 kBit per second without gzipping and with using A requests only. from host to the server. but, from server to the host, with TXT records - the situation is crappy - some packages lost.

Can you hint me?

[msantos]

Just some general suggestions.

Try to determine who is dropping the packets:

• test via the loopback
• test by going directly from client to server
• test by going via an intermediary DNS

Check the output of netstat -us on each hop.

I'm not clear if you were using an intermediary DNS server. If so, they may be throttling the number of requests:

• slow down the number of requests
• minimize the size by using shorter domain components: a.b.myhost.ml
• use multiple domain names for the tunnel: sometimes requests are throttled per domain

[kotee4ko]

yes, a'm thinking about dns server pool.

but now, i'm stacked with sockets. how to get data, compress data, crypt data, encode data, send data, receive data, ..... put data on socket and.... and make it sync

[kotee4ko]

Sir, what about segmentation when port forwarding?

i have two ideas: 1 - make TXT requests from HOST to SERVER in qname send data from host to srv in srv add in txt field data from srv and reply to host

2 - make two NS on srv, for example p1.srv.net & p2.srv.net send in thread1 A with data from host to p1 send in thread2 txt with empty qname (only p2.srv.net) and receive reply with data from srv

which one is better?

also, what about TCP packet size? we can send < 255 byte for 1 request and we can set SOCK_SEGM_SIZE to custom value

is it better to set it bigger, for example 4KB or set it ~250 b and synk it like tcp_seg -> dns_req

thank you! :)