COMMAND

    DNS Tunnel

SYSTEMS AFFECTED

    Most systems

PROBLEM

    Oskar Pearson found the following.  Let's assume that you all know
    the benefits of using a bastion host and packet filtering all other
    hosts out so that people don't tunnel data in UDP packets.  Well,
    it's not enough anymore.  (This was originally going to be a Phrack
    article.)

    The complete code (Perl) and so forth are available at:

        http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz

    Note that some parts (most) of it are under a different copyright,
    since the DNS server part was adapted from another DNS server.  It's
    currently written as a system for someone to get into the internal
    network from home, but it could be changed into a system to get into
    machines that you haven't even heard of (if you convert it into a
    trojan).

    To  get  it  to  work,  you  need  root on an external host with a
    static IP  address.   This acts  as an  external endpoint  for the
    server 'tunnel'.  It mustn't  be running a DNS server  (though you
    could make this  thing transparent or  use IP aliases).   You need
    some test  domain (or  subdomain) that  you can  delegate to  this
    server (something in 'ml.org' would be fine, I guess.)

    The client does  DNS lookups for  a host in  the delegated domain.
    If  the  server  wants  to  connect  it  responds  with a 'key' IP
    address.  The client then starts  a shell in a pipe and  feeds the
    output of the shell  (in the form of  DNS queries) to the  server.
    The  server  reads  your  keystrokes  and  passes them back to the
    client (and hence to the  shell) as the IP addresses  returned for
    the DNS queries.  This isn't exactly how it works in practice, but
    it gives you the idea:

        Client:                                         Server:
    ------------------------------------------------------------------
    connect.1.test.domain.example.           <Yes - I want to connect>

    host#>.2.test.domain.example.            <Thanks - no keypresses>
    (you type something, say 'su -')
    poll.3.test.domain.example.              <He typed 'su -'>
    Password:.4.test.domain.example.         <Thanks - no keypresses>
    (you try something, say 'god')
    etc etc

    Obvious things:

    1) You can't have "#" in a domain name.  This effectively means that
       you just encode such characters as their ASCII values.  This is
       done in this code.
    2) It's slow. (This code especially, since it makes no attempt  to
       pack things into as few packets as possible.)
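
    Because every query in the exchange above carries a sequence counter
    as its second label, that counter is the easiest part of this tunnel
    to spot in a resolver's query log.  The following is an added
    detection example (Python; not part of the original post or of the
    tunnel code) that scans a constructed query log for clients whose
    queries under a delegated zone carry a strictly incrementing second
    label.  The log format, zone name and client addresses are all
    assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample query log (time, client, queried name); not from the
# advisory.  Client 10.1.2.3 imitates the tunnel: each query under the
# delegated zone carries a payload label followed by a sequence counter.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 connect.1.test.domain.example.
10:00:02 10.1.2.3 host3562.2.test.domain.example.
10:00:03 10.1.2.3 poll.3.test.domain.example.
10:00:04 10.1.2.3 password58.4.test.domain.example.
10:00:05 10.1.2.3 poll.5.test.domain.example.
10:00:06 10.1.2.9 www.domain.example.
10:00:07 10.1.2.9 mail.domain.example.
"""

def parse_queries(log):
    """Yield (time, client, name), lowercased and without the root dot."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower().rstrip(".")

def find_counter_sequences(rows, zone, min_len=3):
    """Return {client: number_of_queries} for clients whose queries under
    `zone` have a numeric second label that increases by exactly one on
    every query, i.e. the counter pattern used by the tunnel above."""
    suffix = "." + zone.lower().rstrip(".")
    seen = defaultdict(list)
    for _, client, name in rows:
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if len(labels) >= 2 and labels[1].isdigit():
            seen[client].append(int(labels[1]))
    hits = {}
    for client, nums in seen.items():
        if len(nums) >= min_len and all(b == a + 1 for a, b in zip(nums, nums[1:])):
            hits[client] = len(nums)
    return hits

if __name__ == "__main__":
    rows = parse_queries(SAMPLE_LOG)
    for client, n in find_counter_sequences(rows, "test.domain.example").items():
        print(f"{client}: {n} sequential queries, possible DNS tunnel")
```

    A real deployment would also watch the query rate per client and the
    number of never-repeated leftmost labels, since a legitimate zone
    rarely sees thousands of distinct names from one host.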

SOLUTION

    Nothing yet.