DNSPUMP - File delivery over DNS

Delivering cat pictures to restrictively firewalled targets.

Travis dropped

This tool helps you deliver files to machines entirely over DNS using TXT records. Point NS records at a box, host DNSPUMP and you’re ready to roll.

DNSPUMP was hastily hacked together over the course of two days and relies entirely on the excellence of Miek Gieben’s Go DNS package miekg/dns.

Demo

In this recorded session - crime.cash’s authoritative nameservers are pointed to a DigitalOcean droplet. I generate a 1MB test file from /dev/urandom - then spin up DNSPUMP to serve it out. DNSPUMP has a simple mechanism for retrieving the results of commands run on foreign servers - we grab the target host’s /etc/passwd as a first step.

Operator Notes

DNS is robust - but using it to send files isn’t.

From the target’s point of view - resolution of records is done recursively through its upstream DNS infrastructure. Any of those servers may not enjoy the default ~1100 byte TXT replies. YOLO it up with the defaults, or tweak the payload size for each target using a variety of test files.
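Seen from the recursive resolver, the transfer described above stands out as one client pulling many distinct, large TXT answers from a single zone. The detection check below is an added example, not part of DNSPUMP; the log format, query names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log (not captured traffic): client qtype qname answer_bytes
SAMPLE_LOG = """\
10.0.0.5 A www.example.com. 76
10.0.0.5 TXT example.com. 212
10.0.0.9 TXT c0.job1.files.example.net. 1163
10.0.0.9 TXT c1.job1.files.example.net. 1163
10.0.0.9 TXT c2.job1.files.example.net. 1163
10.0.0.9 TXT c3.job1.files.example.net. 1163
10.0.0.9 TXT c3.job1.files.example.net. 1163
10.0.0.9 TXT c4.job1.files.example.net. 640
truncated line
"""


def parent_zone(qname, labels=2):
    """Approximate the delegated zone as the last `labels` labels of the name.
    Assumption for brevity; production code would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])


def find_txt_bulk_transfers(log_text, big_answer=512, min_names=5, min_bytes=4096):
    """Return {(client, zone): (distinct_names, total_bytes)} for client/zone
    pairs that pulled many distinct, large TXT answers from one zone."""
    names = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed or truncated log lines
        client, qtype, qname, size = fields[0], fields[1].upper(), fields[2], int(fields[3])
        # Ordinary TXT use (SPF, domain verification) is usually small and
        # repetitive; only answers above the classic 512-byte UDP limit count.
        if qtype != "TXT" or size <= big_answer:
            continue
        key = (client, parent_zone(qname))
        names[key].add(qname.lower())
        volume[key] += size
    return {
        key: (len(names[key]), volume[key])
        for key in names
        if len(names[key]) >= min_names and volume[key] >= min_bytes
    }


if __name__ == "__main__":
    for (client, zone), (count, total) in find_txt_bulk_transfers(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {count} distinct large TXT names, {total} bytes")
```

Thresholds need baselining per network, since a smaller payload size lowers the per-answer signal while raising the distinct-name count for the same file.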

Readers may enjoy delivering a 2nd stage implant with DNS-based C2 - such as a sliver from BishopFox’s Sliver.

Grab your own copy

From https://github.com/tbiehn/DNSPUMP.