DNS Canaries

Maxime Landon edited this page Feb 22, 2020 · 3 revisions

DNS Canaries are unique per-binary domains that are optionally inserted during the string obfuscation process. These domains are not actually used by the implant code and are deliberately not obfuscated, so they show up if someone runs strings on the implant. If one of these domains is ever resolved (and you have a DNS listener running), you'll get an alert telling you which specific file was discovered by the blue team.
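Both halves of the mechanism described above, as an added example that is not part of this wiki or of the project's code: a `strings`-style extraction that surfaces plaintext hostnames from a sample binary without resolving them (a live lookup is exactly what fires the canary, so an analyst should check passive DNS instead), and the operator-side matching of DNS query log lines against a canary-to-build registry. The sample bytes, the domain `q9x2c.update-cdn.example.net`, the registry and the dnsmasq-style log lines are all constructed for the example.

```python
import re

# Constructed sample bytes standing in for an implant: binary noise, a normal
# library path, and one plaintext canary-style domain (not a real domain).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(256))
    + b"\x00/usr/lib/libc.so.6\x00"
    + b"\x00q9x2c.update-cdn.example.net\x00"
    + b"\x13\x37" * 8
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Permissive hostname syntax: dotted labels of letters/digits/hyphens, alphabetic TLD.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def printable_strings(data: bytes) -> list[str]:
    """Same idea as `strings -n 4`: ASCII runs of at least four bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def candidate_canaries(data: bytes, known: set[str] = frozenset()) -> list[str]:
    """Plaintext hostnames embedded in the binary, minus an analyst allowlist.
    Nothing is resolved here: a live lookup is the event the canary reports."""
    hosts = {s.rstrip(".").lower() for s in printable_strings(data) if HOSTNAME.match(s.rstrip("."))}
    return sorted(hosts - {k.lower() for k in known})

# Constructed operator-side registry: canary domain -> build it was baked into.
CANARY_REGISTRY = {"q9x2c.update-cdn.example.net": "payload-2020-02-22-a.elf"}

# Constructed dnsmasq-style query log lines.
SAMPLE_DNS_LOG = """\
Feb 22 10:01:02 dnsmasq[811]: query[A] www.example.org from 10.0.0.5
Feb 22 10:01:09 dnsmasq[811]: query[A] q9x2c.update-cdn.example.net from 10.0.0.77
Feb 22 10:01:11 dnsmasq[811]: query[AAAA] q9x2c.update-cdn.example.net from 10.0.0.77
"""
QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def canary_hits(log_text: str, registry: dict[str, str]) -> list[tuple[str, str, str]]:
    """(domain, build, source) for each log line that looks up a registered canary.
    Subdomains of a canary count too, since a lookup under it still reveals it."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if not m:
            continue
        name, src = m.group(1).rstrip(".").lower(), m.group(2)
        for canary, build in registry.items():
            if name == canary or name.endswith("." + canary):
                hits.append((name, build, src))
    return hits
```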

Ubuntu

NOTE: On recent versions of Ubuntu, you may need to disable the piece of shit that is systemd-resolved as this binds to your local UDP:53 and fucks up everything about how DNS is supposed to work. To use a sane DNS configuration run the following commands as root because resolved probably broke sudo too:

systemctl disable systemd-resolved.service
systemctl stop systemd-resolved
rm -f /etc/resolv.conf
vim /etc/resolv.conf

Add a normal resolv.conf:

nameserver 1.1.1.1
nameserver 8.8.8.8