OzymanDNS - Tunneling SSH over DNS
Hak5 Episode 504 Shownotes
(In the episode I say that it’s cross platform, use the release links for the Windows binaries to get it working on windows or use cygwin)
DISCLAIMER - I IN NO WAY ENDORSE ILLEGAL ACTIVITIES - USE THE FOLLOWING GUIDE IN A TEST ENVIRONMENT OR AT YOUR OWN LEGAL RISK.
UPDATE:Thanks to Chris Gates and Robin Wood for pointing me towards a fixed up version of OzymanDNS and a great tutorial: HERE
UPDATE 2: Since Ozyman is no longer hosted on Dan’s site, I have posted it here:
Download: ozymandns_src_0.1.tgz
(Until of course/if he asks me to take it down)
DNS Tunneling isn’t new. Dan Kaminsky’s post for OzymanDNS’ release was July 29th 2004 (There was DNS Tunneling linux packages dating back to the late 90s even). I will however comment that it’s still in it’s release version, but very functional. Also, DNS Tunnel isn’t “Big News” so it really hasn’t been ‘mitigated’ anywhere yet. Everywhere I have tested it, it has worked, even behind a certain switch that rhymes with ‘Panera’
What does OzymanDNS do? It has two parts, server, and client. The server is a set and forget. It sits there waiting for a connection (caveat: from anywhere) But we are getting ahead of ourselves, lets setup up DNS first.
(I’m going to assume that you have a SSH server somewhere that you have already setup)
Step 1 - DNS Setup:
Each “Domain Manager” or DNS Server has a different set up, So I’m not going to go into the details. The jist of the change you need to make is either make a domain or a subdomain that points it’s nameserver records towards the host that you are running your server on.
ihaztunnel.room362.com IN NS mubixpwnsyour.homedns.org
In this example we have setup a subdomain called “ihaztunnel” and set it’s Name Server Record pointing to a dynamic dns host that points at the location of my OzymanDNS server.
Step 2 - Server Setup:
You need Perl, the MIME::Base32, and Net::DNS modules. After that you just run nomde.pl from whatever directory that you extracted the OzymanDNS scripts with the following context:
./nomed.pl -i 0.0.0.0 ihaztunnel.room362.com
This tells it to listen on any IP the host has (you can specifiy one if you wish), and tells it the DNS name that it’s supporting. Don’t forget to do port forwarding on your router or whatever may be in the way of port 53 UDP and TCP coming inbound. Also keep in mind that your ISP may be blocking, so field test the connection before you try to use it in the wild.
Step 3 - Client Connection:
For the client, the setup is the same, get perl, the modules and OzymanDNS. Then you run the following command:
ssh -D 8080 -C -o ProxyCommand="/home/mubix/ozymandns/droute.pl whatever.ihaztunnel.room362.com" room362.com
Breaking this command down:
-
“-D 8080” starts SSH tunneling (Socks Proxy) on port 8080 once a connection is made.
-
“-C” requests compression so that we can get the best speeds possible.
-
“-o ProxyCommand” sets the SSH option to the location of the droute.pl script and…
-
“whatever.ihaztunnel.room362.com” the ‘whatever’ portion of this is the important part. It can be whatever you want it to be but the “magic” happens by adding this subdomain of the one you already set up.
-
“room362.com” the hostname or IP of the SSH server that you will be tunneling through.
If all worked out, you will get prompted to enter your password. That’s it folks. Now you can use FoxyProxy or just your standard proxy settings to use the tunnel. Or, you can use product that, IMHO, is well worth the 30 bucks for the PORTABLE EDITION: Proxifier. It hooks the OS and makes every connection go through the proxy (games, IM, Java, Flash).
Notes:
Before you go the DNS route, it might pay off to try the ?.jpg trick first. Check out the debuggable.com post for more details. - Thanks Xanfantasy for the memory jog.
http://www.dnstunnel.de/ - A site that has an in-depth walk-through of setting up OzymanDNS if I didn’t answer all of your questions. They even have a script that will make OzymanDNS a service on Linux boxes
http://thomer.com/howtos/nstx.html - A write up on NSTX which doesn’t require SSH but doesn’t look like it’s still in production. It is however in the Ubuntu and Gentoo repositories so feel free to mess with it there, and since Back|Track 4 is now Ubuntu based you may be able to get it set up on BT4 as well.
Iodine:
http://code.kryo.se/iodine/ - Another DNS Tunneling project that looks to be the most up to date. I haven’t tested it out to make sure it functions.
Dns2tcp:
http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en - Another DNS Tunneling Project
And if DNS isn’t your thing and you want to tunnel over HTTP, check out Corkscrew: http://www.agroman.net/corkscrew/