Added Simulate-DNSTunnel.ps1

windows/README.md

@@ -22,4 +22,6 @@
 
 - **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
 
+- **`Simulate-DNSTunnel.ps1`** - Performs DNS Tunnelling simulation for purpose of triggering installed Network IPS and IDS systems, generating SIEM offenses and picking up Blue Teams.
+
 - **`win-clean-logs.bat`** - Batch script to hide malware execution from Windows box. Source: Mandiant M-Trends 2017. ([gist](https://gist.github.com/mgeeky/3561be7e697c62f543910851c0a26d00))

windows/Simulate-DNSTunnel.ps1

@@ -0,0 +1,134 @@
+<#
+    Simulate-DNSTunnel.ps1
+
+    Author: Mariusz Banach (@mgeeky)
+    License: GPL
+    Required Dependencies: None
+    Optional Dependencies: None
+
+#>
+
+$MaxQueryLength = 253
+$MaxDnsLabelLength = 63
+
+# Although it can get even up to 127, keeping it lower value may seem more genuine
+$MaxNumberOfLevels = 5
+
+
+function Simulate-DNSTunnel
+{
+<#
+    .SYNOPSIS
+
+        Performs DNS Tunnelling simulation.
+
+
+    .DESCRIPTION
+
+        This function performs DNS tunelling simulation for purpose 
+        of triggering installed Network IPS and IDS systems. By issuing 
+        DNS queries over system's default resolver, will introduce peak 
+        in high-entropy anomalous queries to be picked up by blue teams.
+
+    .PARAMETER Domain
+
+        Domain to be queried against randomly generated anomalous-looking long subdomain.
+        This domain should have a '*' type A record pointing to some IP address
+        for every wildcard subdomain queried, to avoid subsequent DNS failures.
+        Also, obviously the domain should be resolveable.
+
+    .PARAMETER Interval
+
+        This parameter introduces delay between subsequent queries (in seconds). When unset, 
+        every query will be triggered sequentially one after another. Otherwise,
+        a sleep will be introduced between queries, simulating thus DNS beaconing.
+
+    .PARAMETER QueriesNumber
+
+        Number of DNS queries to perform. If unset, script will perform inifinite number
+        of DNS queries. In such case, it can be terminated by CTRL+C.
+
+    .EXAMPLE
+
+        Simulate-DNSTunnel -Domain google.com
+
+#>
+    
+    [CmdletBinding()] Param(
+        [String]
+        $Domain,
+
+        [Double]
+        $Interval = 0.0,
+
+        [Int]
+        $QueriesNumber = 0
+    )
+
+    $Num = 0
+
+    While ( ($Num -lt $QueriesNumber) -or ($QueriesNumber -eq 0))
+    {
+        $Num += 1
+        $Query = Generate-AnomalousQuery -Domain $Domain
+
+        If ($Interval -ne 0.0 )
+        {
+            Start-Sleep -m ($Interval * 1000)
+        }
+
+        Try
+        {
+            Write-Host "[+] $Num. Querying: $Query"
+            [System.Net.Dns]::GetHostByName($Query).Hostname
+        }
+        Catch
+        {
+        }
+    }
+
+}
+
+function Get-RandomString
+{
+    [CmdletBinding()] Param(
+        [int]
+        $Count
+    )
+    return -join ((65..90) + (97..122) | Get-Random -Count $Count | %{[char]$_})
+}
+
+function Generate-AnomalousQuery
+{
+    Param(
+        [String]
+        $Domain
+    )
+
+    $QueryToGenerateLen = (Get-Random) % ($MaxQueryLength - $Domain.Length - 1)
+    $PartLen = [math]::Min($MaxDnsLabelLength, $QueryToGenerateLen)
+    $NumberOfParts = (Get-Random) % $MaxNumberOfLevels
+
+    $Query = ""
+
+    For ($i = 0; $i -lt $NumberOfParts; $i++ )
+    {
+        $Query += Get-RandomString -Count ($PartLen / $NumberOfParts)
+        $Query += "."
+    }
+
+    While ($Query.Length -lt $QueryToGenerateLen )
+    {
+        $Query += Get-RandomString -Count 1
+    }
+
+    If (($Query.Length + $Domain.Length) -ge ($MaxQueryLength + 1) )
+    {
+        $Query = $Query.Substring(0, $MaxQueryLength - $Domain.Length - 1)
+    }
+
+    $Query = $Query -replace "\.\.", "."
+
+    $Query += ".$Domain"
+    return $Query
+}