DNSPUMP - File delivery over DNS
Delivering cat pictures to restrictively firewalled targets.
This tool helps you deliver files to machines entirely over DNS using TXT records. Point NS records at a box, host DNSPUMP and you're ready to roll.
DNSPUMP was hastily hacked together over the course of two days and relies entirely on the excellence of Miek Gieben's Go DNS package, miekg/dns.
Demo
In this recorded session, crime.cash's authoritative nameservers are pointed to a DigitalOcean droplet. I generate a 1MB test file from /dev/urandom, then spin up DNSPUMP to serve it out. DNSPUMP has a simple mechanism for retrieving the results of commands run on foreign servers - we grab the target host's /etc/passwd as a first step.
Operator Notes
DNS is robust - but using it to send files isn’t.
From the target's point of view, resolution of records is done recursively through its upstream DNS infrastructure. Any of those servers may not enjoy the default ~1100 byte TXT replies, and will truncate or drop them. YOLO it up with the defaults, or tune the payload size for each target by first pushing a variety of small test files.
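The same properties that make the transfer fragile for the operator are what make it visible to the defender: a single client pulling many TXT answers of ~1100 bytes each, for names whose leftmost label is an encoded chunk, looks nothing like the handful of small SPF or DMARC lookups a host normally makes. The Go program below is an added example, not part of DNSPUMP; it parses a constructed key=value resolver log format (an assumption, real resolvers log differently) and flags client/zone pairs whose TXT answers are both numerous and far larger than a typical policy record, reporting the entropy of the leftmost label alongside.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Event is one DNS response from a hypothetical resolver log made of
// whitespace-separated key=value tokens (an assumption for this example).
type Event struct {
	Client, QName, QType string
	RespSize             int // bytes in the DNS response
}

// parseLine extracts the fields from one log line; ok is false for junk lines.
func parseLine(line string) (Event, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, found := strings.Cut(tok, "="); found {
			fields[k] = v
		}
	}
	size, err := strconv.Atoi(fields["rsize"])
	if err != nil || fields["qname"] == "" {
		return Event{}, false
	}
	return Event{
		Client:   fields["client"],
		QName:    strings.ToLower(strings.TrimSuffix(fields["qname"], ".")),
		QType:    strings.ToUpper(fields["qtype"]),
		RespSize: size,
	}, true
}

// zone approximates the registered domain by the last two labels.
func zone(name string) string {
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return name
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// labelEntropy is the Shannon entropy (bits/char) of the leftmost label:
// encoded chunk names score high, labels like "www" or "_dmarc" score low.
func labelEntropy(name string) float64 {
	label := strings.SplitN(name, ".", 2)[0]
	counts, total := map[rune]int{}, 0
	for _, r := range label {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// Finding is one client/zone pair whose TXT traffic looks like bulk transfer.
type Finding struct {
	Client, Zone            string
	TXTQueries, AvgRespSize int
	AvgEntropy              float64
}

// Analyze flags client/zone pairs with at least minTXT TXT answers whose mean
// size is at least minAvgSize bytes; SPF/DMARC lookups are few and small,
// chunked file delivery is many and large.
func Analyze(lines []string, minTXT, minAvgSize int) []Finding {
	type agg struct {
		n, bytes int
		entropy  float64
	}
	stats := map[[2]string]*agg{}
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok || ev.QType != "TXT" {
			continue
		}
		key := [2]string{ev.Client, zone(ev.QName)}
		if stats[key] == nil {
			stats[key] = &agg{}
		}
		a := stats[key]
		a.n, a.bytes, a.entropy = a.n+1, a.bytes+ev.RespSize, a.entropy+labelEntropy(ev.QName)
	}
	var out []Finding
	for key, a := range stats {
		if avg := a.bytes / a.n; a.n >= minTXT && avg >= minAvgSize {
			out = append(out, Finding{key[0], key[1], a.n, avg, a.entropy / float64(a.n)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Zone < out[j].Zone })
	return out
}

// SampleLog is constructed test data: five large TXT answers for chunk-style
// names under one zone, ordinary lookups from two hosts, and one garbled line.
var SampleLog = []string{
	"ts=2024-05-01T10:00:01Z client=10.0.0.5 qname=7c1e9a0b4d.c0000.dnspump-demo.example qtype=TXT rsize=1100",
	"ts=2024-05-01T10:00:01Z client=10.0.0.5 qname=2f88a1c3e0.c0001.dnspump-demo.example qtype=TXT rsize=1100",
	"ts=2024-05-01T10:00:02Z client=10.0.0.5 qname=b04d7e61f9.c0002.dnspump-demo.example qtype=TXT rsize=1100",
	"ts=2024-05-01T10:00:02Z client=10.0.0.5 qname=e913c5a72b.c0003.dnspump-demo.example qtype=TXT rsize=1100",
	"ts=2024-05-01T10:00:03Z client=10.0.0.5 qname=58af0d3c16.c0004.dnspump-demo.example qtype=TXT rsize=1100",
	"ts=2024-05-01T10:00:04Z client=10.0.0.5 qname=www.example.org qtype=A rsize=60",
	"ts=2024-05-01T10:00:05Z client=10.0.0.7 qname=_dmarc.example.org qtype=TXT rsize=140",
	"ts=2024-05-01T10:00:06Z client=10.0.0.7 qname=example.org qtype=TXT rsize=310",
	"this line is not a log record",
}

func main() {
	for _, f := range Analyze(SampleLog, 5, 512) {
		fmt.Printf("client=%s zone=%s txt_queries=%d avg_resp_bytes=%d avg_label_entropy=%.2f\n",
			f.Client, f.Zone, f.TXTQueries, f.AvgRespSize, f.AvgEntropy)
	}
}
```

The 512-byte threshold is the classic unextended UDP DNS payload limit, so anything averaging above it is already relying on EDNS0 or TCP fallback; the query-count threshold is what keeps a single large but legitimate record from tripping the rule. In production you would also key on the number of distinct labels seen per zone, since chunk transfers never repeat a name while cache-friendly lookups do.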
Readers may enjoy delivering a 2nd stage implant with DNS-based C2 - such as a sliver from BishopFox’s Sliver.