Dnsstager – hide and transfer your payload using DNS

Table of Contents

Dnsstager  is one of the powerful Tool this tool will help you to hide your payload using DNS. You can create any payload with this Dnsstager. and this tool should be run on the root.

What is Dnsstager?

DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

This will create a malicious DNS server that handles DNS requests to your domain and return your payload as a response to specific record requests such as AAAA or TXT records after splitting it into chunks and encoding the payload using different algorithms.

DNSStager can generate a custom agent written in C or GoLang that will resolve a sequence of domains, retrieve the payload, decode it and finally inject it into the memory based on any technique you want.

You can edit the code of the DNSStager agent as you wish, and build it using your own custom execution techniques.

The main goal of using DNSStager is to help red teamers/pentesters to deliver their payloads in the stealthy channels using DNS.

How does it work?

Based on your DNS resolution option, DNSStager will split your payload into chunks and save each chunk of the payload as a response for a subdomain.

For example, if you choose IPV6 as your option to retrieve the payload, the DNS response will be something like:

cloud-srv-1.test.mydnsserver.live. 300 IN AAAA 5648:31d2:6548:8b52:6048:8b52:1848:8b52

Where 5648:31d2:6548:8b52:6048:8b52:1848:8b52 is a part of your payload.

So, the agent will resolve some domains to retrieve the payload and then decode it and finally inject it into memory.

Currently, DNSStager only supports two records, AAAA and TXT. You can encode your payload using XOR for the AAAA record and by default, it will be encoded as base64 if you choose TXT record.

Why use Dnsstager?

A best use case for DNSStager is when you need to retrieve your payload through DNS while it’s the only channel available for you to receive data from.

You can use the C or GoLang client to resolve the full payload through DNS and customize the agent to use your own process/memory injection, which means you can fully customize it for your operation and your target.

DNSStager currently supports two DNS records to resolve the full payload which are:

  • IPv6 via AAAA record.
  • TXT record.

DNSStager key features

DNSStager has some key features such as:

  1. Hide and Resolve your payload in IPV6 records.
  2. Hide and Resolve your payload in TXT records.
  3. XOR encoder to encode your payload.
  4. Base64 encoder to encode your payload (only for TXT records).
  5. The pure agent wrote in C with the ability to customize it.
  6. The pure agent wrote in with the ability to customize it.
  7. The ability to use sleep between each DNS request.
  8. AND MUCH MORE TO COME!

Requirements

  1. Git package
  2. Python Package
  3. Mingw-w64
  4. Golang 1.16.3

How to install?

To get the latest version of DNSStager, make sure to clone it from this repo using the following command

				
					git clone https://github.com/mhaskar/DNSStager
				
			

Then you need to install the requirements using the following command

				
					pip3 install -r requirements.txt
				
			

And make sure to install all the previously mentioned requirements too.

After doing all that, you are ready to execute this script as root to get the following

				
					┌─[askar@hackbook]─[/opt/redteaming/DNSStager]
└──╼ $sudo ./dnsstager.py



██████╗░███╗░░██╗░██████╗░██████╗████████╗░█████╗░░██████╗░███████╗██████╗░
██╔══██╗████╗░██║██╔════╝██╔════╝╚══██╔══╝██╔══██╗██╔════╝░██╔════╝██╔══██╗
██║░░██║██╔██╗██║╚█████╗░╚█████╗░░░░██║░░░███████║██║░░██╗░█████╗░░██████╔╝
██║░░██║██║╚████║░╚═══██╗░╚═══██╗░░░██║░░░██╔══██║██║░░╚██╗██╔══╝░░██╔══██╗
██████╔╝██║░╚███║██████╔╝██████╔╝░░░██║░░░██║░░██║╚██████╔╝███████╗██║░░██║
╚═════╝░╚═╝░░╚══╝╚═════╝░╚═════╝░░░░╚═╝░░░╚═╝░░╚═╝░╚═════╝░╚══════╝╚═╝░░╚═╝    

    Beta Version                           Hide your payload in DNS

[-] Please specify a domain name using --domain
				
			

Usage

To start using DNSStager, make sure to set up your DNS settings first, you need to make your domain points to the DNSStager instance as an NS record to handle all the DNS requests to your domain.

You can read this full article about how to set up and use.

And you can check the options using the -h switch like the following:

				
					┌─[askar@hackbook]─[/opt/redteaming/DNSStager]
└──╼ $sudo ./dnsstager.py -h
usage: dnsstager.py [-h] [--domain DOMAIN] [--payloads] [--prefix PREFIX]
                    [--payload PAYLOAD] [--output OUTPUT]
                    [--shellcode_path SHELLCODE_PATH] [--xorkey XORKEY]
                    [--sleep SLEEP]

DNSStager main parser

optional arguments:
  -h, --help            show this help message and exit
  --domain DOMAIN       The domain you want to use as staging host
  --payloads            show all payloads
  --prefix PREFIX       Prefix to use as part of your subdomain schema
  --payload PAYLOAD     Payload to use, see --payloads for more details
  --output OUTPUT       Agent output path
  --shellcode_path SHELLCODE_PATH
                        Shellcode file path
  --xorkey XORKEY       XOR key to encode your payload with
  --sleep SLEEP         sleep for N seconds between each DNS request


				
			

Leave a Reply

Your email address will not be published. Required fields are marked *