Table of Contents
Dnsstager is one of the powerful Tool this tool will help you to hide your payload using DNS. You can create any payload with this Dnsstager. and this tool should be run on the root.
What is Dnsstager?
DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.
This will create a malicious DNS server that handles DNS requests to your domain and return your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding the payload using different algorithms.
DNSStager can generate a custom agent written in C or GoLang that will resolve a sequence of domains, retrieve the payload, decode it and finally inject it into the memory based on any technique you want.
You can edit the code of the DNSStager agent as you wish, and build it using your own custom execution techniques.
The main goal of using DNSStager is to help red teamers/pentesters to deliver their payloads in the stealthy channels using DNS.
How does it work?
Based on your DNS resolution option, DNSStager will split your payload into chunks and save each chunk of the payload as a response for a subdomain.
For example, if you choose IPV6 as your option to retrieve the payload, the DNS response will be something like:
cloud-srv-1.test.mydnsserver.live. 300 IN AAAA 5648:31d2:6548:8b52:6048:8b52:1848:8b52
Where 5648:31d2:6548:8b52:6048:8b52:1848:8b52 is a part of your payload.
So, the agent will resolve some domains to retrieve the payload and then decode it and finally inject it into memory.
Currently, DNSStager only supports two records, AAAA and TXT. You can encode your payload using XOR for the AAAA record and by default, it will be encoded as base64 if you choose TXT record.
Why use Dnsstager?
A best use case for DNSStager is when you need to retrieve your payload through DNS while it’s the only channel available for you to receive data from.
You can use the C or GoLang client to resolve the full payload through DNS and customize the agent to use your own process/memory injection, which means you can fully customize it for your operation and your target.
DNSStager currently supports two DNS records to resolve the full payload which are:
- IPv6 via AAAA record.
- TXT record.
DNSStager key features
DNSStager has some key features such as:
- Hide and Resolve your payload in IPV6 records.
- Hide and Resolve your payload in TXT records.
- XOR encoder to encode your payload.
- Base64 encoder to encode your payload (only for TXT records).
- The pure agent wrote in C with the ability to customize it.
- The pure agent wrote in with the ability to customize it.
- The ability to use sleep between each DNS request.
- AND MUCH MORE TO COME!
- Git package
- Python Package
- Golang 1.16.3
How to install?
To get the latest version of DNSStager, make sure to clone it from this repo using the following command
git clone https://github.com/mhaskar/DNSStager
Then you need to install the requirements using the following command
pip3 install -r requirements.txt
And make sure to install all the previously mentioned requirements too.
After doing all that, you are ready to execute this script as root to get the following
┌─[askar@hackbook]─[/opt/redteaming/DNSStager] └──╼ $sudo ./dnsstager.py ██████╗░███╗░░██╗░██████╗░██████╗████████╗░█████╗░░██████╗░███████╗██████╗░ ██╔══██╗████╗░██║██╔════╝██╔════╝╚══██╔══╝██╔══██╗██╔════╝░██╔════╝██╔══██╗ ██║░░██║██╔██╗██║╚█████╗░╚█████╗░░░░██║░░░███████║██║░░██╗░█████╗░░██████╔╝ ██║░░██║██║╚████║░╚═══██╗░╚═══██╗░░░██║░░░██╔══██║██║░░╚██╗██╔══╝░░██╔══██╗ ██████╔╝██║░╚███║██████╔╝██████╔╝░░░██║░░░██║░░██║╚██████╔╝███████╗██║░░██║ ╚═════╝░╚═╝░░╚══╝╚═════╝░╚═════╝░░░░╚═╝░░░╚═╝░░╚═╝░╚═════╝░╚══════╝╚═╝░░╚═╝ Beta Version Hide your payload in DNS [-] Please specify a domain name using --domain
To start using DNSStager, make sure to set up your DNS settings first, you need to make your domain points to the DNSStager instance as an NS record to handle all the DNS requests to your domain.
You can read this full article about how to set up and use.
And you can check the options using the -h switch like the following:
┌─[askar@hackbook]─[/opt/redteaming/DNSStager] └──╼ $sudo ./dnsstager.py -h usage: dnsstager.py [-h] [--domain DOMAIN] [--payloads] [--prefix PREFIX] [--payload PAYLOAD] [--output OUTPUT] [--shellcode_path SHELLCODE_PATH] [--xorkey XORKEY] [--sleep SLEEP] DNSStager main parser optional arguments: -h, --help show this help message and exit --domain DOMAIN The domain you want to use as staging host --payloads show all payloads --prefix PREFIX Prefix to use as part of your subdomain schema --payload PAYLOAD Payload to use, see --payloads for more details --output OUTPUT Agent output path --shellcode_path SHELLCODE_PATH Shellcode file path --xorkey XORKEY XOR key to encode your payload with --sleep SLEEP sleep for N seconds between each DNS request