WEASEL: DNS covert channel implant for Red Teams
WEASEL: A Stealthy DNS Beacon
WEASEL is a small in-memory implant written in Python 3 with no dependencies. The beacon client sends a small amount of identifying information about its host to a DNS zone you control. The WEASEL server can task clients to execute pre-baked or arbitrary commands.
WEASEL is a stage 1 payload, meant to be difficult to detect and useful for regaining access when your noisy full-featured stages are caught.
Status
- Has been successfully used on an operation and evaded detection.
- Client can initialize a session with the server and establish bi-directional communication.
- Server has a fully working CLI.
- Client supports a number of functions that the server can task.
- Client is 5.2KB when minified + obfuscated.
- Automatic obfuscation is lacking and needs manual fixing (see Limitations in client README).
- Server does not have multi-player (simultaneous multiple operator) support.
Architecture
You do not need to understand any of this to use WEASEL.
The beacon communicates over DNS using AAAA queries and answers. It does not use TXT records, because those are well known to be used by DNS malware and tunnels. Blue teams often have DNS tunneling detections that alert on large TXT queries.
The client side does not need root to operate, does not use raw sockets, and does not create malformed DNS packets. It uses the regular system- and language-provided interfaces to make DNS requests. The information is encoded + encrypted in the records themselves.
- A single A record (IPv4 address) can contain 4 bytes of information.
- A single AAAA record (IPv6 address) can contain 16 bytes of information.
- CNAME records and hostnames used in queries can contain up to 64 bytes per subdomain and should be no longer than 255 total bytes per the RFC. However, SANS DNS detection guidelines say that subdomains longer than 52 characters are suspect. For this reason, we limit subdomains to 52 characters (configurable in the code) and try to use no more subdomains and requests than we need.
- A response can contain multiple records, up to the size limit of a UDP datagram (65,507 bytes).
This beacon is meant to be low and slow, with little bandwidth. It should tell us which hosts it is on and give us a way to launch further stages as needed, and nothing more. While this does have arbitrary command support, it is not meant to be used as a regular interactive shell or communications channel.
WEASEL is a stage 1 that you leave running, ensuring ongoing access as your full-featured (and therefore noisier) stages get caught.
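As an added defender-side example (not part of WEASEL or this README), the following Python scores constructed resolver log lines against the two signals the architecture notes above describe: label length against the 52-character SANS guideline, and the number of AAAA answers returned per response. It also adds a per-label entropy check, which is an assumption not discussed on the page, to show why a length-only rule misses a beacon that keeps its labels at 52 characters. The log format, the thresholds other than 52, and the sample lines are all constructed.

```python
import math
from collections import Counter

LABEL_LIMIT = 52        # SANS guideline cited in the README: longer labels are suspect
MAX_AAAA_ANSWERS = 4    # constructed threshold: more IPv6 answers per name is unusual
ENTROPY_LIMIT = 3.5     # constructed threshold, bits/char; hex data sits near 4.0
MIN_ENTROPY_LEN = 20    # labels shorter than this cannot reach the entropy limit

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())

def parse_line(line: str) -> dict:
    # Constructed resolver log format: '<ts> <client> <qtype> <qname> answers=<n>'
    ts, client, qtype, qname, answers = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip("."), "answers": int(answers.split("=")[1])}

def score_query(rec: dict) -> list[str]:
    """Return the heuristics one query trips (empty list if none)."""
    findings = []
    labels = rec["qname"].split(".")
    if any(len(lbl) > LABEL_LIMIT for lbl in labels):
        findings.append("long-label")
    if any(len(lbl) >= MIN_ENTROPY_LEN and label_entropy(lbl) > ENTROPY_LIMIT
           for lbl in labels):
        findings.append("high-entropy-label")
    # Data carried in AAAA answers means many 16-byte records per response.
    if rec["qtype"] == "AAAA" and rec["answers"] > MAX_AAAA_ANSWERS:
        findings.append("many-aaaa-answers")
    return findings

# Constructed sample log: a normal lookup, a label over the 52-char limit,
# and a label that stays under the limit but still looks like encoded data.
SAMPLE_LOG = """\
2024-01-01T00:00:00Z 10.0.0.5 AAAA www.example.com. answers=1
2024-01-01T00:00:01Z 10.0.0.5 AAAA 0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab.beacon.example.net. answers=6
2024-01-01T00:00:02Z 10.0.0.5 AAAA 0123456789abcdef0123456789abcdef0123456789abcdef0123.beacon.example.net. answers=1
"""

def scan(log_text: str) -> dict[str, list[str]]:
    """Map each flagged qname to its findings; clean queries are omitted."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if hits := score_query(rec):
            results[rec["qname"]] = hits
    return results
```

The third sample line is the interesting one: it passes the length rule exactly as the README intends, and only the entropy and answer-count signals are left to catch it.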
Install && Use
Copyright (c) Facebook, Inc. and its affiliates.