Hello, Didier Stevens here with the fifth video on my new tool dnsresolver, and this time we are going to serve files over DNS. So let's look at the man page.

Okay. So you have a payload command that allows you to serve files over DNS records, TXT or NULL records. You have to provide a file with the content that you want to serve, or you can also provide the data that you want to serve via the command line. If you use data, then you have to provide a label. If you use file, you can provide a label, but it's not mandatory: if there is no label, then the file name without the extension will be used as a label. And then there are different encodings that you can apply: encoding, on the records that are being served, the DNS records, the content of them; or data encoding, for the data that you provide through the command line.

So let's start serving an EICAR file. This is the EICAR file, and I'm going to serve this over DNS. So it's a payload and the file is eicar. That's it. Now this is being served, and if here I do a lookup for eicar... I did not provide a label, so the label is the name of the file without the extension. So that's eicar. Yeah, I'm going to request a TXT record, so eicar.example.com, and through the local machine here, and then you can see in the TXT record here the EICAR string. Here you can see the output of dnsresolver, and that's the way you can serve a file.

Now, over DNS TXT records, there's not that much data that you can serve. They are around 500 bytes large. I limit the size of a string in the TXT record to maximum 250 bytes. So with my tool you can serve at most 500 bytes via a UDP TXT record. So let's do this for a larger file.
I did copy here, for example, write, a small executable, 11K. So we are going to be serving this. So the file is write.exe, and this time I'm going to provide a label, and I'm going to use the label serve, like this. And now if I do a request for serve, sorry, serve, not server, like this, here you can see two strings, the start of a PE file, MZ. Now the complete start of the file has been shared, but there is a problem: there are null bytes in here, and nslookup cannot properly represent those null bytes.

So if you look at Wireshark here, I have Wireshark running. So here I have my response for eicar. So here you have a byte that indicates the length of the string, and here you have the string itself. And now let's go take a look for serve example. So the EICAR here. You can see the length is 250, 250. And here you actually have the complete start of the PE file, 4D 5A 90. But then there's a zero, and that's why the string here is not displayed as well in Wireshark as here with nslookup.

So what you can do, if you want it, is say to my dnsresolver tool that it has to encode the data before it is put in a TXT or a NULL record. And it's quite simple: you say just encoding, let's say, hex. So you can say hex, base64 or dynamic. And now, when we do exactly the same request, here you can see you have a hexadecimal answer. You see here 4D 5A 90 00 and so on. Now these are two strings of 250 bytes, hexadecimal digits actually. So that's the first part of the file.

If you want the next part, you have to use an index. The next part is one. So here I did request serve.example.com. I can also do serve.0.example.com, that's exactly the same, I get the first part. And then I can do one and I get the next part, and so on. And then when you arrive at the last part, I think 44 here. Yeah, 44, all zeros. 45, yeah, that's almost the end of the file. If you do a 46, then you get an NXDOMAIN, rcode 3.
That's your return. So that's how you know that the complete file has been served. Of course, I'm doing this here with nslookup as a demonstration, but this is something that can be scripted in VBA or in PowerShell, for example, to automate its complete download.

If I select base64, the file here is saved as base64, so you will need fewer records. And you can also make it dynamic. Dynamic, that means that the client decides which encoding is to be provided. So if you do it like this, or zero, you get the raw unencoded data. If you say here hex, then you get hexadecimal, and here if you say base64, then you get base64, and you see this is the typical base64 start for a PE file, the MZ header.

Now, of course, if you want to transfer large files, this will take quite some time. Now if you look at the help of dnsresolver, there's also a TCP option. If I enable the TCP option, and let me say that I'm going to do again base64, well, no, let's do hexadecimal encoding, TCP. Now dnsresolver is not only listening on a UDP port, but also on a TCP port, so 53. And if I do a request like this, I get a lot of output.

The thing that is happening: the request comes in, a UDP request, and then my dnsresolver answers, this time again with the TXT record, but it also says that the content is truncated, the truncated flag is set. And it does this only when you use the option TCP, because a client that then also supports communication over TCP will see the TCP, sorry, the truncate flag, and then it will do the request again, but over TCP. And over TCP you get around 64K that can be transferred. So that's much more data that can be transferred, and I can show you that. So I'm going to do the request again. I'm going to use my re-search command to extract the hexadecimal code. It's between double quoted strings.
So I'm going to extract this. So here I have a complete hexadecimal string. Now I'm going to convert this hexadecimal to binary, and I'm going to calculate a hash. So these are the hashes. These are the hashes of the file that was served over a single DNS record over TCP. And if I calculate the hash, you can see that they are identical.

Now, this was serving of files. You can also serve larger files. For example, I have here also a notepad that will require... Well, let's do that. Let's just do this, base64, notepad, again with the TCP option. I use the same label, serve. So this is the first part, base64 encoded, second part, third part, fourth part. This indicates that we're already reaching some zeros. Fifth part, and here we are already... the answer, sorry, sixth part here. So here we're already at the end.

Now that was serving of files on our own disk. Via data, you can also serve content that you provide through the command line. So payload, sorry, type is payload. The label, I'm going to say, well, fileless. Data: this is a test. Let's serve this. Do a request for fileless, and here you see the file, well, the content that is being served. You could also serve, for example, the EICAR file like this, because the EICAR string is pure ASCII, so I could say something like this. Ask again for the EICAR string, then I get the EICAR string.

The data that you provide here via the command line, you can also encode this: hexadecimal or base64. So this is not how the data will be served, but how the data is provided through the command line. So I'm going to type 41 42 43 44 in hexadecimal, so that's uppercase letters A B C D, and so I say that the data encoding is hex, like this. And now if I ask for eicar, well, it's actually not an EICAR, but okay, I kept the label eicar. Then you can see here ABCD.
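
The request pattern shown in the video (TXT or NULL lookups for label.0, label.1 and so on under one domain, ending in NXDOMAIN) can be searched for in resolver logs. The Python below is an added example, not part of the video or of the dnsresolver tool; the record tuple layout, the function name and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# label.index.domain, e.g. serve.3.example.com (the indexed form shown in the video)
INDEXED = re.compile(r"^(?P<label>[^.]+)\.(?P<index>\d+)\.(?P<domain>.+)$")
BULK_TYPES = {"TXT", "NULL"}  # record types the payload command serves

def find_chunked_transfers(records, min_chunks=4):
    """Flag clients that walk label.0, label.1, ... over TXT/NULL records.

    records: iterable of (client, qname, qtype, rcode, answer_bytes);
    this tuple layout is an assumption, adapt it to your DNS log format.
    """
    seen = defaultdict(dict)  # (client, label, domain) -> {index: (rcode, bytes)}
    for client, qname, qtype, rcode, size in records:
        m = INDEXED.match(qname.lower().rstrip("."))
        if qtype.upper() not in BULK_TYPES or not m:
            continue
        seen[(client, m["label"], m["domain"])][int(m["index"])] = (rcode, size)

    findings = []
    for (client, label, domain), chunks in seen.items():
        # Part 0 may have been requested without an index, so allow a start at 1.
        start = 0 if 0 in chunks else 1
        run = start
        while chunks.get(run, ("", 0))[0] == "NOERROR":
            run += 1
        if run - start < min_chunks:
            continue
        findings.append({
            "client": client,
            "name": f"{label}.<n>.{domain}",
            "chunks": run - start,
            "bytes": sum(chunks[i][1] for i in range(start, run)),
            # NXDOMAIN on the next index is the end-of-file signal from the video.
            "complete": chunks.get(run, ("", 0))[0] == "NXDOMAIN",
        })
    return findings

# Constructed sample log (not captured traffic): one transfer plus ordinary lookups.
SAMPLE = [("10.0.0.5", f"serve.{i}.example.com", "TXT", "NOERROR", 500) for i in range(5)]
SAMPLE += [
    ("10.0.0.5", "serve.5.example.com", "TXT", "NXDOMAIN", 0),
    ("10.0.0.7", "_dmarc.example.org", "TXT", "NOERROR", 60),
    ("10.0.0.7", "www.1.example.net", "A", "NOERROR", 4),
]

if __name__ == "__main__":
    for finding in find_chunked_transfers(SAMPLE):
        print(finding)
```

With the TCP option described above, a whole file can arrive in one large TXT answer, so a production rule would also look at single oversized TXT or NULL responses following a truncated UDP reply.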