Cobalt-Strike/Listeners/Beacon-DNS

From aldeid
Beacon DNS

Infrastructure

This payload uses DNS requests to beacon back to you. These DNS requests are lookups against domains that your Cobalt Strike team server is authoritative for. The DNS response tells Beacon to go to sleep or to connect to you to download tasks. The DNS response will also tell the Beacon how to download tasks from your team server.

                                     Is host in my
                 DNS request            cache? NO
┌─────────────┐ abcd.c2.domain.com?  ┌─────────────┐           ┌───────────────┐
│ compromised │ ───────────────────> │  Local DNS  │ ────────> │     Root      │ I don't know,
│     host    │<──────────────────── │    server   │ <──────── │    server     │ ask .COM
└─────────────┘  answer from         └─────────────┘           └───────────────┘
                 c2.domain.com         ▲│   ▲│  ▲│
                                       ││   ││  ││             ┌───────────────┐
                                       ││   ││  │└───────────> │     .COM      │ I don't know,
                                       ││   ││  └───────────── │               │ ask DOMAIN.COM
                                       ││   ││                 └───────────────┘
                                       ││   ││
                                       ││   ││                 ┌───────────────┐
                                       ││   │└───────────────> │  DOMAIN.COM   │ I don't know,
                                       ││   └───────────────── │               │ ask C2.DOMAIN.COM
                                       ││                      └───────────────┘
                                       ││                   
                                       ││                      ┌───────────────┐
                                       │└────────────────────> │               │ I know!
                                       └────────────────────── │ C2.DOMAIN.COM │ Here is the answer (payload)!
                                                               └───────────────┘

You can verify this delegation chain by entering dig +trace abcd.c2.domain.com. In the trace below, the parent zone losenolove.com delegates freepics.losenolove.com to malwarec2.losenolove.com, which is the team server and returns the answer for abcd.freepics.losenolove.com:

$ dig +trace abcd.freepics.losenolove.com

; <<>> DiG 9.11.20-RedHat-9.11.20-1.fc32 <<>> +trace abcd.freepics.losenolove.com
;; global options: +cmd
.			67364	IN	NS	a.root-servers.net.
.			67364	IN	NS	b.root-servers.net.
.			67364	IN	NS	c.root-servers.net.
.			67364	IN	NS	d.root-servers.net.
.			67364	IN	NS	e.root-servers.net.
.			67364	IN	NS	f.root-servers.net.
.			67364	IN	NS	g.root-servers.net.
.			67364	IN	NS	h.root-servers.net.
.			67364	IN	NS	i.root-servers.net.
.			67364	IN	NS	j.root-servers.net.
.			67364	IN	NS	k.root-servers.net.
.			67364	IN	NS	l.root-servers.net.
.			67364	IN	NS	m.root-servers.net.
.			67364	IN	RRSIG	NS 8 0 518400 20200712050000 20200629040000 48903 . XR6Wwml5KEULaz2PeSv+bPFmN4eVutuXXxrVkIYMWLkNtiDYJquVM72x 3aTAum7woebmMWN5Cp/8MElPG5Jr6EfkNsYHZTeOuWMcnMQ5QswxGsiE zFiBHVCeXug5zmMu4ha7uouXKKtoLil2MoZ+arh4bRfeC+b4mETeik3u fR+mCmGo+LKofwbKjwn6v0haqB/RBF0iM0/AToRD7CUPcP2aIB+6lT7G xG9Y2xKoHVhvZLkLM7DfrTUnBnYU77HV4Gjtq5bZNKS80VLugyu9oAVK 7JghipJPkKSsA+Brz3QMz2u08Cc6YiuNv53jbUK9pjiiD1zRDPem5cDh 3RGv7w==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 27 ms

com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20200712050000 20200629040000 48903 . hTCmJ6Lmboip/zeloid166bAch7Rp0Z8ic2iIZaK3gGxvFjtGHEOSbGe 6F0glg5ilSvcBChkis7bXj/qVyiW3ZLtQia5M9p23n6I1DN7FEDm4wTx aD4Soj5B00r7XRuaNX0su5N3OPKmh++ixACD8/Bfec/HvW+IfrtwNXNO gGE0j02VTyCzKVOMK6crILVYppESTsStJGv2bXTdPw83gtIok+4d6t54 b0ikOHibeQC8Xx5X3HXLdrcOWWCp92/qi987kC0ZhhUpdu8ZptoGmr0S X6+Nh4nAKj+IICctVlhA2201UBdNtD8WvFCctbssml2A+p6UoeMDfmgu J7j9oQ==
;; Received 1219 bytes from 192.36.148.17#53(i.root-servers.net) in 41 ms

losenolove.com.		172800	IN	NS	ns23.domaincontrol.com.
losenolove.com.		172800	IN	NS	ns24.domaincontrol.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200704044105 20200627033105 39844 com. U6KHXoxwLOiBxHpFki7eSplrbsGjWO1/PDMMQ0khki1IJG4upE7qgD3S wIsi04RC/SySlAq0lBeZNlSep7dcr7W386nwb1yZ4xeAK/KdMmabRai5 K/5K7AE6OCoJo25anBuIhxpdj82Uh3WU+mXwsnJMhG0WoaJ9bQWdgV78 vOzel9kugowAbj/xSmqq/gX4iPWi57ULopZ7SGf5t4gqQg==
OJO49JF0OOTR05JNP5OKIL4RKT3U2B17.com. 86400 IN NSEC3 1 1 0 - OJO557D8G9VPR852BSVG6JK5LC875LA0 NS DS RRSIG
OJO49JF0OOTR05JNP5OKIL4RKT3U2B17.com. 86400 IN RRSIG NSEC3 8 2 86400 20200706051007 20200629040007 39844 com. b5igmaTuTmfvK/TJEgK5ZaPt95GBqVSo1JnWFtgds2yUyoDjGxGFmts+ ZAESfWt9MG0kdx1jm0U40uloy1vGYqTpVFTiq5mmHGuO5oo7pOUQMlIE mxX6o/7guxr9p1m/Q33rOmVVcrCmh3tJn34d4Q7cwCUsQ/6zlj4pYfeC ZfYcqThWxEf6aDW+JWaspv2EhpxLANYaD2DhvZ63rzwcew==
;; Received 746 bytes from 192.52.178.30#53(k.gtld-servers.net) in 36 ms

freepics.losenolove.com. 3600	IN	NS	malwarec2.losenolove.com.
;; Received 97 bytes from 97.74.101.12#53(ns23.domaincontrol.com) in 36 ms

;; expected opt record in response
abcd.freepics.losenolove.com. 1	IN	A	8.8.8.8
;; Received 90 bytes from 54.80.166.26#53(malwarec2.losenolove.com) in 199 ms

Information
In Cobalt Strike 4.0 and later, the DNS Beacon is a DNS-only payload. There is no HTTP communication mode in this payload.

DNS entries

You'll need to publish specific DNS entries:

  • Create an A record that points to the Cobalt Strike team server's IP address
  • Create NS records (one per beacon domain) that point to the FQDN of the Cobalt Strike team server

Create a DNS-beacon listener

DNS Hosts
List of hosts, separated by a comma.
Each entry can be an IPv4 address (1.2.3.4), an IPv6 address ([::1]), or a domain (abcdef.tld)
DNS Host (Stager)
Configures the DNS Beacon's TXT record stager. This stager is only used with Cobalt Strike features that require an explicit stager. Your Cobalt Strike team server system must be authoritative for this domain as well.
DNS Port (Bind)
Port on which the listener's DNS server binds and waits for requests (53 by default).

Once created, the DNS beacon listener acts as a DNS server waiting for requests. If no attack (payload) is configured, it returns 0.0.0.0, as shown below for a lookup of google.com against the listener:

unknown@kali:~$ nslookup 
> server c2.malwr.com
Default server: c2.malwr.com
Address: 172.16.222.130#53
> google.com
Server:         c2.malwr.com
Address:        172.16.222.130#53

Non-authoritative answer:
Name:   google.com
Address: 0.0.0.0
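As a defender's check on the traits this page shows (arbitrary subdomains under one delegated zone, TTL 1 answers, and the 0.0.0.0 idle reply), here is an added Python example that scores a resolver log; it is not part of the aldeid page or of Cobalt Strike, and the log format, the sample lines and the three-label zone heuristic are assumptions.

```python
from collections import defaultdict

# Constructed resolver log (not real data), one query per line:
# "<client> <qname> <type> <ttl> <answer>". The first four lines mimic the page:
# arbitrary subdomains under a delegated zone, TTL 1, and the idle reply 0.0.0.0.
SAMPLE_LOG = """\
10.0.0.5 abcd.freepics.losenolove.com A 1 0.0.0.0
10.0.0.5 19997cf2.freepics.losenolove.com A 1 0.0.0.0
10.0.0.5 post.3a1f9c.freepics.losenolove.com A 1 0.0.0.0
10.0.0.5 b7e2d0a1.freepics.losenolove.com A 1 0.0.0.0
10.0.0.5 www.example.com A 300 203.0.113.10
10.0.0.7 mail.example.com A 300 203.0.113.11
"""

def parse_line(line):
    client, qname, qtype, ttl, answer = line.split()
    return {"client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "ttl": int(ttl), "answer": answer}

def zone_of(qname, depth=3):
    """Right-most `depth` labels, i.e. the delegated zone (freepics.losenolove.com).
    Assumes the beacon zone sits one label below the registered domain, as on the page."""
    return ".".join(qname.split(".")[-depth:])

def score_zones(log_text, min_unique=3, max_ttl=5):
    """Return {zone: [reasons]} for zones that show at least two beacon traits."""
    per_zone = defaultdict(lambda: {"names": set(), "total": 0, "low_ttl": 0, "idle": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["qtype"] != "A":          # the page's listener answers A lookups
            continue
        z = per_zone[zone_of(rec["qname"])]
        z["names"].add(rec["qname"])
        z["total"] += 1
        z["low_ttl"] += rec["ttl"] <= max_ttl
        z["idle"] += rec["answer"] == "0.0.0.0"
    findings = {}
    for zone, z in per_zone.items():
        reasons = []
        if len(z["names"]) >= min_unique:
            reasons.append(f"{len(z['names'])} distinct subdomains")
        if z["low_ttl"] == z["total"]:
            reasons.append(f"every answer has TTL <= {max_ttl}")
        if z["idle"]:
            reasons.append(f"{z['idle']} answers of 0.0.0.0 (idle listener reply)")
        if len(reasons) >= 2:
            findings[zone] = reasons
    return findings
```

Tune min_unique and max_ttl to your environment; legitimate CDNs also use short TTLs, so a zone is only reported when at least two traits coincide.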