Added Simulate-DNSTunnel.ps1

mb 2019-02-19 08:50:44 -05:00
parent 899ceee361
commit 089710422d
2 changed files with 136 additions and 0 deletions


@ -22,4 +22,6 @@
- **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
- **`Simulate-DNSTunnel.ps1`** - Performs DNS Tunnelling simulation for purpose of triggering installed Network IPS and IDS systems, generating SIEM offenses and picking up Blue Teams.
- **`win-clean-logs.bat`** - Batch script to hide malware execution from Windows box. Source: Mandiant M-Trends 2017. ([gist](https://gist.github.com/mgeeky/3561be7e697c62f543910851c0a26d00))


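--- /dev/null
+++ b/Simulate-DNSTunnel.ps1
@@ -0,0 +1,134 @@
+<#
+Simulate-DNSTunnel.ps1
+Author: Mariusz Banach (@mgeeky)
+License: GPL
+Required Dependencies: None
+Optional Dependencies: None
+#>
+$MaxQueryLength = 253
+$MaxDnsLabelLength = 63
+# Although it can get even up to 127, keeping it lower value may seem more genuine
+$MaxNumberOfLevels = 5
+function Simulate-DNSTunnel
+{
+<#
+.SYNOPSIS
+Performs DNS Tunnelling simulation.
+.DESCRIPTION
+This function performs DNS tunelling simulation for purpose
+of triggering installed Network IPS and IDS systems. By issuing
+DNS queries over system's default resolver, will introduce peak
+in high-entropy anomalous queries to be picked up by blue teams.
+.PARAMETER Domain
+Domain to be queried against randomly generated anomalous-looking long subdomain.
+This domain should have a '*' type A record pointing to some IP address
+for every wildcard subdomain queried, to avoid subsequent DNS failures.
+Also, obviously the domain should be resolveable.
+.PARAMETER Interval
+This parameter introduces delay between subsequent queries (in seconds). When unset,
+every query will be triggered sequentially one after another. Otherwise,
+a sleep will be introduced between queries, simulating thus DNS beaconing.
+.PARAMETER QueriesNumber
+Number of DNS queries to perform. If unset, script will perform inifinite number
+of DNS queries. In such case, it can be terminated by CTRL+C.
+.EXAMPLE
+Simulate-DNSTunnel -Domain google.com
+#>
+[CmdletBinding()] Param(
+[String]
+$Domain,
+[Double]
+$Interval = 0.0,
+[Int]
+$QueriesNumber = 0
+)
+$Num = 0
+While ( ($Num -lt $QueriesNumber) -or ($QueriesNumber -eq 0))
+{
+$Num += 1
+$Query = Generate-AnomalousQuery -Domain $Domain
+If ($Interval -ne 0.0 )
+{
+Start-Sleep -m ($Interval * 1000)
+}
+Try
+{
+Write-Host "[+] $Num. Querying: $Query"
+[System.Net.Dns]::GetHostByName($Query).Hostname
+}
+Catch
+{
+}
+}
+}
+function Get-RandomString
+{
+[CmdletBinding()] Param(
+[int]
+$Count
+)
+return -join ((65..90) + (97..122) | Get-Random -Count $Count | %{[char]$_})
+}
+function Generate-AnomalousQuery
+{
+Param(
+[String]
+$Domain
+)
+$QueryToGenerateLen = (Get-Random) % ($MaxQueryLength - $Domain.Length - 1)
+$PartLen = [math]::Min($MaxDnsLabelLength, $QueryToGenerateLen)
+$NumberOfParts = (Get-Random) % $MaxNumberOfLevels
+$Query = ""
+For ($i = 0; $i -lt $NumberOfParts; $i++ )
+{
+$Query += Get-RandomString -Count ($PartLen / $NumberOfParts)
+$Query += "."
+}
+While ($Query.Length -lt $QueryToGenerateLen )
+{
+$Query += Get-RandomString -Count 1
+}
+If (($Query.Length + $Domain.Length) -ge ($MaxQueryLength + 1) )
+{
+$Query = $Query.Substring(0, $MaxQueryLength - $Domain.Length - 1)
+}
+$Query = $Query -replace "\.\.", "."
+$Query += ".$Domain"
+return $Query
+}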
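Review bot: Generate-AnomalousQuery can build names that the resolver rejects before anything is sent on the wire, and the empty `Catch` in Simulate-DNSTunnel hides that, so an operator cannot tell whether the IDS under test was actually exercised. The padding loop at `While ($Query.Length -lt $QueryToGenerateLen )` appends single characters to the last label without ever inserting a dot, so that label can grow well past `$MaxDnsLabelLength`; and when the parts loop leaves `$Query` ending in `.`, the later `$Query += ".$Domain"` yields `..` after the `-replace "\.\."` has already run. Padding with dot-separated labels capped at 63 characters and trimming the trailing dot before the domain is appended fixes both, and logging the swallowed exception with `Write-Verbose "[-] $Num. $Query failed: $_"` inside the Catch would make silent failures visible. Separately, Get-RandomString samples without replacement because of `Get-Random -Count`, so a label never repeats a character and is capped at 52 characters rather than 63; `-join (1..$Count | %{ [char](Get-Random -InputObject ((65..90) + (97..122))) })` samples with replacement.
```powershell
# … unchanged: $QueryToGenerateLen / $PartLen / $NumberOfParts and the parts loop …
# Pad with further dot-separated labels so no single label exceeds $MaxDnsLabelLength
While ($Query.Length -lt $QueryToGenerateLen )
{
$Remaining = $QueryToGenerateLen - $Query.Length
$Query += Get-RandomString -Count ([math]::Min($MaxDnsLabelLength, $Remaining))
$Query += "."
}
# … unchanged: truncation against $MaxQueryLength …
# Collapse empty labels and drop a trailing dot before the domain is appended
$Query = ($Query -replace "\.\.", ".").TrimEnd(".")
$Query += ".$Domain"
return $Query
```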