Everhart, Glenn

From: Oskar Pearson [wosp@ICON.CO.ZA]
Sent: Monday, April 13, 1998 2:38 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: DNS Tunnel - through bastion hosts

Hi All

I assume that you all know the benefits of using a bastion host and packet
filtering all other hosts out so that people don't tunnel data in UDP
packets. Well, it's not enough anymore.

(This was originally going to be a Phrack article, but since I submitted it
they haven't answered any of my mail.)

The complete code (Perl) and so forth are available at
http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz
(it's about 8kb, so that's why I didn't post it here.) Note that some parts
(most) of it are under a different copyright, since I adapted another DNS
server for my code.

It's currently written as a system for someone to get into the internal
network from home, but it could be changed into a system to get into
machines that you haven't even heard of (if you convert it into a trojan.)

To get it to work:

You need root on an external host with a static IP address. This acts as
an external endpoint for the server 'tunnel'. It mustn't be running a DNS
server (though you could make this thing transparent or use IP aliases).

You need some test domain (or subdomain) that you can delegate to this
server (something in 'ml.org' would be fine, I guess.)

How it works:

The client does DNS lookups for a host in the delegated domain. If the
server wants to connect it responds with a 'key' IP address. The client
then starts a shell in a pipe and feeds the output of the shell (in the
form of DNS queries) to the server. The server reads your keystrokes and
passes them back to the client (and hence to the shell) as the IP
addresses returned for the DNS queries.

This isn't exactly how it works in practice, but it gives you the idea:

Client:                                   Server:
--------------------------------------------------------------------------
connect.1.test.domain.example.
                                          host#>.2.test.domain.example.
                                          (you type something, say 'su -')
poll.3.test.domain.example.
                                          Password:.4.test.domain.example.
                                          (you try something, say 'god')
etc etc

Obvious things:

1) You can't have "#" in a domain name. This effectively means that you
just encode it by giving the ascii value. This is done in this code.

2) It's slow. (This code especially, since it makes no attempt to pack
things into as few packets as possible.)

I haven't heard of this method before. If it's been done, and somehow
filtered through to my subconscious without me remembering, apologies!
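The exchange the post sketches, written out as an added example in Python; this is not the author's Perl tunnel nor a reproduction of it. Shell output travels client-to-server in the labels of the query name (characters outside a-z and 0-9 escaped as -NNN, the decimal ASCII value, as the post suggests for "#"), and keystrokes travel server-to-client packed into the A records of the reply. The zone name test.domain.example, the -NNN escape, the one-length-octet-plus-three-payload-bytes packing, the 0.0.0.1 "key" address and the crude suspicious() heuristic are all assumptions made for this example. Uppercase letters are escaped too, because resolvers may case-fold or 0x20-randomize query names, so only lowercase letters and digits are safe to send literally; a label that begins with an escape ("-080assword") is legal on the wire but not a valid hostname, which is one reason such names stand out in logs.

```python
"""Toy model of the DNS-tunnel encoding described in the post (added example).

Not the author's Perl code. Client->server data (shell output) rides in the
labels of a query name; server->client data (keystrokes) rides in the A records
of the reply. The zone name, the -NNN escape, the length-octet packing, the
"key" address and the detector threshold are assumptions made for this example.
"""
import ipaddress
import re

ZONE = "test.domain.example."   # assumed delegated zone
KEY_IP = "0.0.0.1"              # assumed "server wants to connect" reply
LABEL_MAX = 63                  # RFC 1035 label limit
NAME_MAX = 253                  # RFC 1035 limit on the full name (no trailing dot)
SAFE = re.compile(r"[a-z0-9]")  # only these survive resolvers that case-fold names


def escape_char(c: str) -> str:
    """a-z and 0-9 pass through; everything else (incl. '-' and uppercase) becomes -NNN."""
    return c if SAFE.fullmatch(c) else "-%03d" % ord(c)


def encode_labels(text: str) -> list:
    """Escape text and cut it into labels of <= LABEL_MAX chars, never inside an escape."""
    labels, cur = [], ""
    for c in text:
        tok = escape_char(c)
        if len(cur) + len(tok) > LABEL_MAX:
            labels.append(cur)
            cur = ""
        cur += tok
    if cur:
        labels.append(cur)
    return labels


def decode_labels(labels) -> str:
    """Inverse of encode_labels: -NNN is unambiguous because a literal '-' is always escaped."""
    return re.sub(r"-(\d{3})", lambda m: chr(int(m.group(1))), "".join(labels))


def client_query(seq: int, output: str) -> str:
    """Build the query name for one chunk of shell output: <data labels>.<seq>.ZONE"""
    name = ".".join(encode_labels(output) + [str(seq)]) + "." + ZONE
    if len(name.rstrip(".")) > NAME_MAX:
        raise ValueError("chunk too long for one query; send it as several")
    return name


def server_parse(qname: str):
    """Recover (seq, text) from a query name; None if it is not for our zone."""
    if not qname.endswith("." + ZONE):
        return None
    labels = qname[:-len(ZONE) - 1].split(".")
    return int(labels[-1]), decode_labels(labels[:-1])


def pack_keystrokes(data: bytes) -> list:
    """Each A record carries <count><b1><b2><b3>: one length octet and up to 3 payload bytes."""
    addrs = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        addrs.append(str(ipaddress.IPv4Address(bytes([len(chunk)]) + chunk.ljust(3, b"\0"))))
    return addrs or ["0.0.0.0"]   # nothing typed since the last poll


def unpack_keystrokes(addrs) -> bytes:
    """Inverse of pack_keystrokes; KEY_IP and 0.0.0.0 carry no payload."""
    out = b""
    for a in addrs:
        packed = ipaddress.IPv4Address(a).packed
        out += packed[1:1 + min(packed[0], 3)]
    return out


def suspicious(qname: str) -> bool:
    """Crude detector (assumed thresholds): long names under the zone, or several escapes."""
    body = qname[:-len(ZONE) - 1] if qname.endswith("." + ZONE) else qname
    return len(body) > 40 or body.count("-") >= 3


def simulate() -> list:
    """Run both ends in-process; returns the (query, answer list) pairs that would hit the wire."""
    typed = [b"", b"su -\n", b"god\n"]                  # constructed operator input, per poll
    outputs = ["connect", "host#> ", "Password: "]      # constructed shell output, per query
    wire = []
    for seq, (text, keys) in enumerate(zip(outputs, typed), start=1):
        q = client_query(seq, text)
        if server_parse(q) != (seq, text):              # server side: read the shell output
            raise RuntimeError("server could not decode " + q)
        answers = [KEY_IP] if seq == 1 else pack_keystrokes(keys)
        wire.append((q, answers))
        if seq > 1 and unpack_keystrokes(answers) != keys:   # client side: feed the shell
            raise RuntimeError("client could not decode " + ", ".join(answers))
    return wire


if __name__ == "__main__":
    for q, a in simulate():
        print(q, "->", ", ".join(a), "| suspicious:", suspicious(q))
```

Running the module prints the three queries and the addresses the server would answer with; nothing touches the network. The 3-bytes-per-A-record packing illustrates the author's second "obvious thing": even with several A records per reply, a full screen of shell output costs many round trips, which is also why query volume per client to one zone is the easiest signal to alert on.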