diff --git a/windows/README.md b/windows/README.md
index d50ed5c..5011717 100644
--- a/windows/README.md
+++ b/windows/README.md
@@ -22,4 +22,6 @@
 - **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
+- **`Simulate-DNSTunnel.ps1`** - Performs DNS Tunnelling simulation for purpose of triggering installed Network IPS and IDS systems, generating SIEM offenses and picking up Blue Teams.
+
 - **`win-clean-logs.bat`** - Batch script to hide malware execution from Windows box. Source: Mandiant M-Trends 2017. ([gist](https://gist.github.com/mgeeky/3561be7e697c62f543910851c0a26d00))
diff --git a/windows/Simulate-DNSTunnel.ps1 b/windows/Simulate-DNSTunnel.ps1
new file mode 100644
index 0000000..f2885b1
--- /dev/null
+++ b/windows/Simulate-DNSTunnel.ps1
@@ -0,0 +1,134 @@
+<#
+ Simulate-DNSTunnel.ps1
+
+ Author: Mariusz Banach (@mgeeky)
+ License: GPL
+ Required Dependencies: None
+ Optional Dependencies: None
+
+#>
+
+$MaxQueryLength = 253
+$MaxDnsLabelLength = 63
+
+# Although it can get even up to 127, keeping it lower value may seem more genuine
+$MaxNumberOfLevels = 5
+
+
+function Simulate-DNSTunnel
+{
+<#
+ .SYNOPSIS
+
+ Performs DNS Tunnelling simulation.
+
+
+ .DESCRIPTION
+
+ This function performs DNS tunelling simulation for purpose
+ of triggering installed Network IPS and IDS systems. By issuing
+ DNS queries over system's default resolver, will introduce peak
+ in high-entropy anomalous queries to be picked up by blue teams.
+
+ .PARAMETER Domain
+
+ Domain to be queried against randomly generated anomalous-looking long subdomain.
+ This domain should have a '*' type A record pointing to some IP address
+ for every wildcard subdomain queried, to avoid subsequent DNS failures.
+ Also, obviously the domain should be resolveable.
+
+ .PARAMETER Interval
+
+ This parameter introduces delay between subsequent queries (in seconds). When unset,
+ every query will be triggered sequentially one after another. Otherwise,
+ a sleep will be introduced between queries, simulating thus DNS beaconing.
+
+ .PARAMETER QueriesNumber
+
+ Number of DNS queries to perform. If unset, script will perform inifinite number
+ of DNS queries. In such case, it can be terminated by CTRL+C.
+
+ .EXAMPLE
+
+ Simulate-DNSTunnel -Domain google.com
+
+#>
+
+ [CmdletBinding()] Param(
+ [String]
+ $Domain,
+
+ [Double]
+ $Interval = 0.0,
+
+ [Int]
+ $QueriesNumber = 0
+ )
+
+ $Num = 0
+
+ While ( ($Num -lt $QueriesNumber) -or ($QueriesNumber -eq 0))
+ {
+ $Num += 1
+ $Query = Generate-AnomalousQuery -Domain $Domain
+
+ If ($Interval -ne 0.0 )
+ {
+ Start-Sleep -m ($Interval * 1000)
+ }
+
+ Try
+ {
+ Write-Host "[+] $Num.
Querying: $Query"
+ [System.Net.Dns]::GetHostByName($Query).Hostname
+ }
+ Catch
+ {
+ }
+ }
+
+}
+
+function Get-RandomString
+{
+ [CmdletBinding()] Param(
+ [int]
+ $Count
+ )
+ return -join ((65..90) + (97..122) | Get-Random -Count $Count | %{[char]$_})
+}
+
+function Generate-AnomalousQuery
+{
+ Param(
+ [String]
+ $Domain
+ )
+
+ $QueryToGenerateLen = (Get-Random) % ($MaxQueryLength - $Domain.Length - 1)
+ $PartLen = [math]::Min($MaxDnsLabelLength, $QueryToGenerateLen)
+ $NumberOfParts = (Get-Random) % $MaxNumberOfLevels
+
+ $Query = ""
+
+ For ($i = 0; $i -lt $NumberOfParts; $i++ )
+ {
+ $Query += Get-RandomString -Count ($PartLen / $NumberOfParts)
+ $Query += "."
+ }
+
+ While ($Query.Length -lt $QueryToGenerateLen )
+ {
+ $Query += Get-RandomString -Count 1
+ }
+
+ If (($Query.Length + $Domain.Length) -ge ($MaxQueryLength + 1) )
+ {
+ $Query = $Query.Substring(0, $MaxQueryLength - $Domain.Length - 1)
+ }
+
+ $Query = $Query -replace "\.\.", "."
+
+ $Query += ".$Domain"
+ return $Query
+}
\ No newline at end of file
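Review bot: The padding loop `While ($Query.Length -lt $QueryToGenerateLen )` in Generate-AnomalousQuery appends characters without ever inserting a label separator, so when `$NumberOfParts` comes out as 0 (one call in five, since it is `(Get-Random) % 5`) or the padding is long, a single label can run far past `$MaxDnsLabelLength`; a resolver is likely to reject such a name client-side, and the empty `Catch {}` in Simulate-DNSTunnel then hides the error, so those iterations probably put no query on the wire for the IDS to observe. Tracking the current label length and starting a new label at 63 characters keeps every generated name valid, as in the rewrite below. Separately, `Get-Random -Count` samples the 52-letter set without replacement, so `Get-RandomString` can never return more than 52 characters even though `$PartLen` may be 63; drawing one character at a time in a loop would give full-length labels. In the Catch block, writing the exception message with `Write-Warning $_.Exception.Message` instead of discarding it would let the operator notice a misconfigured wildcard record rather than silently getting no events.
```powershell
    # … unchanged: $QueryToGenerateLen / $PartLen / $NumberOfParts and the For loop …
    $LabelLen = 0
    While ($Query.Length -lt $QueryToGenerateLen )
    {
        # Start a new label before the current one reaches the 63-octet DNS limit
        If ($LabelLen -ge $MaxDnsLabelLength)
        {
            $Query += "."
            $LabelLen = 0
        }
        $Query += Get-RandomString -Count 1
        $LabelLen += 1
    }
    # … unchanged: length trim, ".." collapse, ".$Domain" suffix and return …
```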