In today's episode of "Can It Run Doom": DNS fucking TXT records.

Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.

RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.

Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.

blog: https://blog.rice.is/post/doom-over-dns/

repo: https://github.com/resumex/doom-over-dns

Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.

It was always DNS.

#infosec #dns #doom #itisalwaysdns
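Added example, not part of the original post or the linked repo: a minimal check over resolver query logs for the pattern described above, one client pulling many distinct TXT names under a single zone in a short window. The log format, thresholds, host addresses and record names are all constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds; tune them against your own resolver baseline.
WINDOW_SECONDS = 60
MIN_TXT_QUERIES = 50     # TXT lookups per client, per zone, per window
MIN_UNIQUE_RATIO = 0.9   # share of those lookups that hit distinct names

def parent_zone(qname, labels=2):
    """Naive parent zone: the last `labels` labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def find_txt_bulk_fetch(lines):
    """Return (client, zone, window_start, txt_count, unique_names) per flagged bucket."""
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        # Constructed log format: "<epoch> <client_ip> <qname> <qtype>"
        ts, client, qname, qtype = line.split()
        if qtype.upper() != "TXT":
            continue
        window = int(ts) - int(ts) % WINDOW_SECONDS
        buckets[(client, parent_zone(qname), window)].append(qname.lower())
    alerts = []
    for (client, zone, window), names in sorted(buckets.items()):
        unique = len(set(names))
        if len(names) >= MIN_TXT_QUERIES and unique / len(names) >= MIN_UNIQUE_RATIO:
            alerts.append((client, zone, window, len(names), unique))
    return alerts

def sample_log():
    """Constructed sample data; hosts and names are made up for the example."""
    base = 1700000040  # aligned to a 60-second window
    log = []
    # Host walking 120 numbered TXT records under one zone within 30 seconds.
    for i in range(120):
        log.append(f"{base + i // 4} 10.0.0.5 chunk-{i:04d}.example.test TXT")
    # Host re-querying one TXT name 60 times: high volume, but not distinct names.
    for i in range(60):
        log.append(f"{base + i // 2} 10.0.0.7 _dmarc.example.net TXT")
    # Ordinary browsing: A lookups and a single TXT lookup.
    for i in range(40):
        log.append(f"{base + i} 10.0.0.9 www.example.org A")
    log.append(f"{base + 5} 10.0.0.9 example.org TXT")
    return log

if __name__ == "__main__":
    for alert in find_txt_bulk_fetch(sample_log()):
        print("bulk TXT fetch:", alert)
```

The unique-name ratio is what separates a chunked download from a noisy health check that repeats one TXT lookup; a slow fetch spread across many windows would need a longer window or a per-day count.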

@k3ym0 new cloud storage just dropped
@k3ym0 you may already know this, but on a related note you can tunnel basically any IPv4 traffic over DNS: https://code.kryo.se/iodine/

@k3ym0 shit like this makes me glad I no longer work in #cybersec

@k3ym0
IP over DNS has been a thing for a while now, sometimes used to bypass captive portals for paid internet access


@k3ym0 Doom Network Service 🎉
@k3ym0 shit. Time to do Bad Apple on DNS.
@k3ym0 The concept is very old, I was using dns2tcp to have free wifi on plane trips in 2010 and even before during pentests. Long TXT replies trigger red alerts on most intrusion detection systems nowadays.
@k3ym0 now... can it do deathmatch over doom over dns? :3
@k3ym0 For quite a loose definition of "run".

@k3ym0
> covert data exfil channel

as if iodine wasn't already a thing