Hybrid HTTP and DNS Beacon
The Hybrid HTTP and DNS Beacon payload is a favorite Cobalt Strike feature. This payload uses DNS requests to beacon back to you. These DNS requests are lookups against domains that your Cobalt Strike team server is authoritative for. The DNS response tells Beacon to go to sleep or to connect to you to download tasks. The DNS response will also tell the Beacon how to download tasks from your team server.
DNS Beacon in Action
Originally, this payload would download all of its tasks via an HTTP GET connection. The purpose of the DNS beaconing was to minimize the payload's need to connect directly to you. Over time, it became obvious that there were situations where it would be nice to download tasks over DNS as well.
Today, the Hybrid HTTP and DNS Beacon can download tasks over HTTP, DNS A records, DNS AAAA records, or DNS TXT records. Better, this payload has the flexibility to change between these data channels while its on target. Use Beacon's mode command to change the current Beacon's data channel. mode http is the HTTP data channel. mode dns is the DNS A record data channel. mode dns6 is the DNS AAAA record channel. And, mode dns-txt is the DNS TXT record data channel.
The HTTP data channel uses HTTP POST requests to send information back to you. The DNS data channels embed data destined for your team server into a long hostname. The maximum length of this hostname is set by the Malleable C2 maxdns option. The DNS TXT channel will use 100% of this value. The DNS AAAA channel will use 50% of this value. The DNS A channel will use 25% of this value.
Be aware that DNS Beacon does not check in until there's a task available. Use the checkin command to request that the DNS Beacon check in next time it calls home.
The windows/beacon_dns/reverse_http payload stages over an HTTP connection. When you create this listener, be aware that you’re configuring the host and port Cobalt Strike will use to stage this payload over HTTP. Cobalt Strike knows to stand up a DNS server on port 53 when you choose to setup this payload.
The windows/beacon_dns/reverse_dns_txt payload uses DNS TXT records to download and stage the Hybrid HTTP and DNS Beacon. When you create this listener, be aware that you're configuring which port this payload will use for HTTP communication. Again, Cobalt Strike knows to stand up a DNS server on port 53.
If you setup the Hybrid HTTP and DNS Beacon payload with the HTTP stager, be aware that you can still request the DNS TXT record stager too. Many Cobalt Strike features will let you specify the listener name (DNS) to force the use of the DNS TXT record stager.
DNS Beaconing Domains
Once you create a listener and press Save, Cobalt Strike will ask you to provide a list of domains to beacon to. Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or sub-domains to your Cobalt Strike team server's A record.
To test your DNS configuration, open a terminal and type
nslookup jibberish.beacon.domain. If
you get an A record reply of 0.0.0.0—then your DNS is correctly setup. If you do not get a reply, then your
DNS configuration is not correct and the Hybrid HTTP and DNS Beacon will not communicate with you.
Make sure your DNS records reference the primary address on your network interface. Cobalt Strike's DNS server will always send responses from your network interface's primary address. DNS resolvers tend to drop replies when they request information from one server, but receive a reply from another.
If you are behind a NAT device, make sure that you use your public IP address for the NS record and set your firewall to forward UDP traffic on port 53 to your system. Cobalt Strike includes a DNS server to control Beacon.