SensePost is SecureData’s independent elite consulting arm, renowned for its expertise, 19-year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity which are widely recognised and used throughout the industry and feature regularly at industry conferences including BlackHat and DefCon.


  • Authors: Saif El-Sherei
  • Cost: Free
  • Source Code:
  • License: 1.0
  • License: GPL
  • Release date: 2016-10-05

DNS-Shell is an interactive shell over a DNS channel. The server is Python based and can run on any operating system that has Python installed; the payload is an encoded PowerShell command. Think of this as an Empire agent payload or Metasploit payload, but through DNS.

Understanding DNS-Shell

The payload, generated when the server script is invoked, uses the nslookup command to perform queries and poll the server for new commands. The server itself listens on port 53 for incoming communications. Once the payload is executed on the target machine (via a vulnerability such as Remote Command Execution), the server will spawn an interactive shell.

Once the channel is established, the payload queries the server for commands. If a new command has been entered, the payload executes it and returns the result to the server.

Using DNS-Shell

Running DNS-Shell is relatively simple.

DNS-Shell supports two modes of operation: direct and recursive.

  • Perform a git clone from our GitHub page
  • DNS-Shell direct mode: sudo python -l -d [Server IP]
  • DNS-Shell recursive mode: sudo python -l -r [Domain]
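For defenders, the two modes leave different traces in DNS logs. The following is an added detection example, not part of the DNS-Shell project: it flags clients that send DNS queries to a server outside an approved resolver list (the direct-mode pattern) and clients that send several distinct long, high-entropy names under one parent domain (the recursive-mode pattern). The record format, resolver address and thresholds are assumptions, as is the premise that data carried in query names appears as long, high-entropy labels.

```python
import math
from collections import Counter, defaultdict

# Assumed environment values and thresholds (not from the page); tune locally.
APPROVED_RESOLVERS = {"10.0.0.53"}  # the only DNS servers clients should use
MIN_LABEL_LEN = 30   # encoded data produces long leftmost labels
MIN_ENTROPY = 3.5    # bits per character; ordinary hostnames score lower
MIN_UNIQUE = 3       # distinct suspicious names per client and parent domain

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def parent_domain(qname):
    """Last two labels of a query name (simplification: ignores public suffixes)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyze(records):
    """records: (client_ip, dns_server_ip, qname) tuples -> sorted findings."""
    direct, encoded = set(), defaultdict(set)
    for client, server, qname in records:
        if server not in APPROVED_RESOLVERS:
            direct.add(("direct-dns", client, server))   # direct-mode pattern
        label = qname.split(".")[0]
        if len(label) >= MIN_LABEL_LEN and entropy(label) >= MIN_ENTROPY:
            encoded[(client, parent_domain(qname))].add(qname.lower())
    findings = sorted(direct)
    for (client, domain), names in sorted(encoded.items()):
        if len(names) >= MIN_UNIQUE:                     # recursive-mode pattern
            findings.append(("encoded-labels", client, domain, len(names)))
    return findings

# Constructed sample records (documentation addresses, reserved .example names).
A, B, C = "3f9a0c5e81d47b26", "b72e4d09a16f58c3", "58c1e37f02a9d6b4"
SAMPLE = [
    ("10.0.0.5", "10.0.0.53", "www.example.com"),
    ("10.0.0.5", "10.0.0.53", "mail.example.org"),
    ("10.0.0.7", "10.0.0.53", A + C + ".cdn.example.net"),   # single long name
    ("10.0.0.8", "10.0.0.53", A + B + ".tunnel.example"),
    ("10.0.0.8", "10.0.0.53", B + C + ".tunnel.example"),
    ("10.0.0.8", "10.0.0.53", C + A + ".tunnel.example"),
    ("10.0.0.9", "203.0.113.10", "www.example.com"),         # bypasses resolver
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The single long name from 10.0.0.7 is deliberately not reported: requiring several distinct names per client and domain keeps one-off hashed hostnames from raising alerts.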

DNS-Shell In Action

The following video shows how DNS-Shell can be run. If you have any questions about using DNS-Shell, drop us a mail.