DNS-shell

  • Authors: Saif El-Sherei
  • Cost: Free
  • Source Code:
  • License: 1.0
  • License: GPL
  • Release date: 2016-10-05

DNS-Shell is an interactive shell over a DNS channel. The server is Python based and can run on any operating system that has Python installed; the payload is an encoded PowerShell command. Think of this as an Empire agent payload or Metasploit payload, but delivered through DNS.

Understanding DNS-Shell

The payload, generated when the server script is invoked, uses the nslookup command to perform queries and poll the server for new commands. The server itself listens on port 53 for incoming communications. Once the payload is executed on the target machine (via a vulnerability such as remote command execution), the server will spawn an interactive shell.

Once the channel is established, the payload polls the server for commands; when a new command is entered, it executes it and returns the result to the server.
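As an added, defender-side example (not part of the DNS-Shell project), the following Python detector flags the pattern this kind of channel leaves in resolver logs: one client issuing many distinct names with high-entropy leading labels under a single parent domain within a short window. The log format, thresholds, record type and sample lines are constructed assumptions; the page does not state which record types nslookup queries.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<epoch seconds> <client ip> <qtype> <qname>"
SAMPLE_LOG = """\
1475660001 10.0.0.5 A www.example.com
1475660002 10.0.0.7 TXT 4a7f2c9e1b3d.c2.attacker-example.test
1475660003 10.0.0.7 TXT 9c1d8e2f0a4b.c2.attacker-example.test
1475660004 10.0.0.7 TXT 3b6e0f1a7c9d.c2.attacker-example.test
1475660005 10.0.0.7 TXT e2a9c4d7f1b0.c2.attacker-example.test
1475660006 10.0.0.5 A mail.example.com
1475660007 10.0.0.7 TXT 7f3c1e9b2a5d.c2.attacker-example.test
"""

def shannon_entropy(label):
    """Bits per character of a DNS label; encoded command data scores high."""
    n = len(label)
    probs = [label.count(c) / n for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def parent_domain(qname, levels=2):
    """Registrable-domain approximation: the last `levels` labels."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def find_dns_tunnel_candidates(log_text, min_unique=4, window_s=60, min_entropy=3.0):
    """Group queries by (client, parent domain) and flag groups with many distinct
    names and high-entropy leading labels in one window. Thresholds are assumptions."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        epoch, client, qtype, qname = parts
        groups[(client, parent_domain(qname))].append((int(epoch), qtype, qname))
    findings = {}
    for key, queries in groups.items():
        names = {q for _, _, q in queries}
        times = [t for t, _, _ in queries]
        span = max(times) - min(times)
        if len(names) < min_unique or span > window_s:
            continue
        mean_ent = sum(shannon_entropy(q.split(".")[0]) for q in names) / len(names)
        if mean_ent < min_entropy:
            continue
        findings[key] = {"unique_names": len(names), "span_s": span,
                         "mean_label_entropy": round(mean_ent, 2),
                         "qtypes": sorted({qt for _, qt, _ in queries})}
    return findings
```

Tune `min_unique`, `window_s` and `min_entropy` against a baseline of your own resolver traffic; CDN and anti-virus lookups can also produce long random-looking labels, so the parent domain, not the label alone, should drive triage.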

Using DNS-Shell

Running DNS-Shell is relatively simple.

DNS-Shell supports two modes of operation: direct and recursive.

  • Perform a git clone from our GitHub page
  • DNS-Shell direct mode: sudo python DNS-Shell.py -l -d [Server IP]
  • DNS-Shell recursive mode: sudo python DNS-Shell.py -l -r [Domain]

DNS-Shell In Action

The following video shows how DNS-Shell can be run. If you have any questions about using DNS-Shell, drop us a mail.