DNS Protocol Tunneling
The firewall blocks outbound TCP traffic
- SSH tunnels and port forwarding all stop working
- Use a tunnel based on the UDP protocol
- The way DNS works makes it well suited to implementing a tunnel
How DNS works
- DNS tunnel principle: register DNS records that you control
DNS Protocol Tunneling: dns2tcp
Dns2tcp
- Implements a DNS tunnel through legitimate DNS servers
- Client/server structure (dns2tcpc / dns2tcpd)
- Data is transmitted encrypted via TXT records (A records are limited in length)
- The connection is kept alive once the tunnel is established
- The default record TTL (time to live) is 3 seconds
Installation
- apt-get install dns2tcp
- Installed by default on Kali
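The defender's view of the features just listed (a delegated zone, data carried in TXT records, a stream of encoded subdomain labels): an added example, not from the original slides or the dns2tcp project, that groups BIND-style query-log lines by zone and flags a zone whose TXT queries look like an encoded data channel. The log lines, zone names and thresholds are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed BIND-style query log (not from the original page): ordinary lookups,
# then TXT queries with long base64-looking labels under the delegated tunnel zone.
SAMPLE_LOG = """\
client 1.1.1.10#40123: query: www.baidu.com IN A +
client 1.1.1.10#40124: query: www.taobao.com IN A +
client 1.1.1.10#40125: query: kali.lab.com IN A +
client 1.1.1.10#40126: query: aGVsbG8gd29ybGQgZnJvbSBkbnM.test.lab.com IN TXT +
client 1.1.1.10#40127: query: c3NoLXJzYSBBQUFBQjNOemFDMXljMkV.test.lab.com IN TXT +
client 1.1.1.10#40128: query: dGhpcyBpcyBhIHR1bm5lbCBwYXlsb2Fk.test.lab.com IN TXT +
client 1.1.1.10#40129: query: bGFzdCBjaHVua2Y5OGE3Mw.test.lab.com IN TXT +
"""
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def zone_stats(log_text: str) -> dict:
    """Per registered zone (last two labels): query count, TXT count, and the
    length and entropy of the leftmost label of every TXT query."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "lens": [], "ents": []})
    for name, qtype in QUERY_RE.findall(log_text):
        labels = name.rstrip(".").split(".")
        if len(labels) < 2:
            continue  # bare TLD or malformed name, nothing to attribute
        s = stats[".".join(labels[-2:])]
        s["total"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1
            s["lens"].append(len(labels[0]))
            s["ents"].append(label_entropy(labels[0]))
    return stats

def flag_tunnel_zones(log_text, min_txt=3, txt_ratio=0.5, min_len=16, min_ent=3.0):
    """Zones whose TXT traffic is dense, long-labelled and high-entropy, the
    footprint dns2tcp leaves when it carries data in TXT records."""
    flagged = []
    for zone, s in sorted(zone_stats(log_text).items()):
        if s["txt"] < min_txt or s["txt"] / s["total"] < txt_ratio:
            continue
        if sum(s["lens"]) / s["txt"] >= min_len and sum(s["ents"]) / s["txt"] >= min_ent:
            flagged.append(zone)
    return flagged

if __name__ == "__main__":
    print("suspected tunnel zones:", flag_tunnel_zones(SAMPLE_LOG))  # ['lab.com']
```

The same statistics can be fed from a resolver's real query log or a Wireshark export of the UDP 53 traffic the lab firewall lets through; a zone with a handful of TXT lookups will not trip the thresholds, a sustained session will.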
** This is m0n0wall, version 1.8.1
built on Wed Jan 15 13:32:38 CET 2014 for generic-pc
Copyright (C) 2002-2014 by Manuel Kasper. All rights reserved.
Visit http://m0n0.ch/wall for updates.
LAN IP address: 192.168.1.1
WAN IP address: (unknown)
Port configuration:
LAN -> em0
WAN -> em1
m0n0wall console setup
1) Interfaces: assign network ports
2) Set up LAN IP address
3) Reset webGUI password
4) Reset to factory defaults
5) Reboot system
6) Ping host
7) Install on Hard Drive
Enter a number:
yuanfh@Bodhi:~$ ifconfig
1.1.1.10
yuanfh@Bodhi:~$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 1.1.1.1 0.0.0.0 UG 0 0 0 eth0
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
m0n0wall IP: 192.168.1.123
yuanfh@Bodhi:~$ sudo apt-get install dns2tcp wireshark firefox
DNS Protocol Tunneling: dns2tcp
Demo environment 1
- Win 2003: install the DNS service; configure forwarders; create the zone lab.com; delegate the subdomain test.lab.com with an NS record pointing to Kali
- Firewall: allow only outbound UDP port 53 traffic
- Bodhi Linux:
install dns2tcp, wireshark, firefox
dns2tcpc -c -k pass -d 1 -l 2222 -r ssh -z test.lab.com
Installing DNS
Start -> Run "appwiz.cpl" -> Add/Remove Windows Components -> Networking Services -> Domain Name System (DNS) -> OK -> Next
DNS -> Forward Lookup Zones -> Primary zone -> lab.com -> Create a new file with this file name: lab.com.dns -> Do not allow dynamic updates -> Finish
New Host record -> kali -> 192.168.1.110 -> Add Host -> Done
lab.com -> right-click "New Delegation" -> Delegated domain: test -> Name servers: add "kali" -> Finish
Configuring forwarders
Server icon "W2K3" -> Properties -> Forwarders -> Selected domain's forwarder IP address list: 127.207.160.106, Add; 219.239.26.42, Add -> Apply, OK
yuanfh@Bodhi:~$ cat /etc/resolv.conf
nameserver 172.0.0.1
search local
yuanfh@Bodhi:~$ sudo vi /etc/resolv.conf
nameserver 192.168.1.124
search local
yuanfh@Bodhi:~$ nslookup
set q=ns
lab.com
Server: 192.168.1.124
Address: 192.168.1.124#53
lab.com nameserver = w2k3
set q=ns
test.lab.com
Server: 192.168.1.124
Address: 192.168.1.124#53
Non-authoritative answer:
test.lab.com nameserver = kali.lab.com.
Authoritative answer can be found from:
kali.lab.com internet address = 192.168.1.110
set q=a
kali.lab.com
Server: 192.168.1.124
Address: 192.168.1.124#53
Name: kali.lab.com
Address:192.168.1.110
www.baidu.com
Server: 192.168.1.124
Address: 192.168.1.124#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 119.75.218.70
Name: www.a.shifen.com
Address: 119.75.217.109
www.taobao.com
Server: 192.168.1.124
Address: 192.168.1.124#53
Non-authoritative answer:
www.taobao.com canonical name = www.taobao.com.danuoyi.thcache.com.
Name: www.taobao.com.danuoyi.thcache.com.
Address: 124.193.235.253
Name: www.taobao.com.danuoyi.thcache.com.
Address: 124.193.235.253
DNS Protocol Tunneling: dns2tcp
Server configuration file
- /etc/dns2tcpd.conf
- .dns2tcprcd
- Resources can point to other hosts, not only the local machine
Starting
- dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
- -F: run in the foreground
- -d: debug level 1-3
- -f: specify the configuration file
listen = 0.0.0.0
port = 53
user = nobody
chroot = /tmp
key = password123
domain = test.lab.com
resources = ssh:127.0.0.1:22 , smtp:127.0.0.1:25 , socks:127.0.0.1:1082,
https:127.0.0.1:8087 , http:127.0.0.1:3128
root@K:~# vi /etc/dns2tcpd.conf
listen = 0.0.0.0
port = 53
user = nobody
chroot = /tmp
domain = test.lab.com
resources = ssh:127.0.0.1:22 , smtp:127.0.0.1:25 , socks:127.0.0.1:1082,
http:127.0.0.1:3128 , https:127.0.0.1:8087
root@K:~# vi /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
root@K:~# service ssh start
root@K:~# dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
19:22:22 : Debug options.c:97 Add resource ssh:127.0.0.1 port 22
19:22:22 : Debug options.c:97 Add resource smtp:127.0.0.1 port 25
19:22:22 : Debug options.c:97 Add resource socks:127.0.0.1 port 1080
19:22:22 : Debug options.c:97 Add resource http:127.0.0.1 port 3128
19:22:22 : Debug options.c:97 Add resource https:127.0.0.1 port 8087
19:22:22 : Debug options.c:55 Listening on 0.0.0.0:53 for domain test.lab.com
Starting Server v0.5.2...
19:22:22 : Debug main.c:132 Chroot to /tmp
19:22:24 : Debug main.c:142 Change to user nobody
root@K:~# service ssh start
root@K:~# vi /etc/dns2tcpd.conf
listen = 0.0.0.0
port = 53
user = nobody
chroot = /tmp
domain = test.lab.com
key = pass123
resources = ssh:127.0.0.1:22 , smtp:127.0.0.1:25 , socks:127.0.0.1:1082,
http:192.168.1.1:80 , https:127.0.0.1:8087
root@K:~# dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
19:22:42 : Debug options.c:97 Add resource ssh:127.0.0.1 port 22
19:22:42 : Debug options.c:97 Add resource smtp:127.0.0.1 port 25
19:22:42 : Debug options.c:97 Add resource socks:127.0.0.1 port 1080
19:22:42 : Debug options.c:97 Add resource http:192.168.1.1 port 3128
19:22:42 : Debug options.c:97 Add resource https:127.0.0.1 port 8087
19:22:42 : Debug options.c:55 Listening on 0.0.0.0:53 for domain test.lab.com
Starting Server v0.5.2...
19:22:42 : Debug main.c:132 Chroot to /tmp
19:22:42 : Debug main.c:142 Change to user nobody
yuanfh@Bodhi:~$ dns2tcpc -c -k pass123 -d 1 -l 2222 -r ssh -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 2222
No response from DNS 192.168.1.124
19:46:26 : Debug session.c:54 Session created (0xd97d)
19:46:26 : Debug auth.c:94 Connect to resource "ssh"
19:46:26 : Debug client.c:141 Adding client auth OK:0xd97d
19:46:26 : Debug requests.c:274 send desauth
19:46:26 : Debug client.c:69 free client
^C
yuanfh@Bodhi:~$ sudo wireshark
[sudo] password for yuanfh:
!(ipv6.version == 6) && !(ip.src == 192.168.56.1)
yuanfh@Bodhi:~$ ssh root@127.0.0.1 -p 2222
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is 6f:bf:fc:e5:d0:96:65:34:99:7d:81:06:b6:5e:44:50.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:2222' (ECDSA) to the list of known hosts.
root@127.0.0.1's password:
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
yuanfh@Bodhi:~$ dns2tcpc -c -k pass123 -d 1 -l 2222 -r http -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 2222
yuanfh@Bodhi:~$ dns2tcpc -c -k pass123 -d 1 -l 7001 -r https -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 7001
root@K:~# whois 107.178.195.142
root@K:~# apt-get install squid
squid squidclient squid-deb-proxy squidguard-doc squidtaild
squid3 squid-common squid-deb-proxy-client squid-langpack squidview
squid-cql squid-dbg squidguard squid-purge
root@K:~# apt-get install squid3
DNS Protocol Tunneling: dns2tcp
Resource access
- Local SSH resource
- Remote HTTP resource
- HTTP resource (squid)
apt-get install squid3
- HTTP proxy
- Tunnel nesting
Using the SSH resource, nest an SSH dynamic port forwarding (SOCKS) tunnel inside the DNS tunnel
ssh -CfNg root@127.0.0.1 -p 2222 -D 7001
On XP, IE and Firefox browse the web through the nested SOCKS proxy
Capture and analyze the DNS tunnel traffic
yuanfh@Bodhi:~$ netstat -pantu | grep 7001
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:7001 0.0.0.0:* LISTEN 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55888 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55716 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55724 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:55714 127.0.0.1:7001 TIME_WAIT -
tcp 0 0 127.0.0.1:7001 127.0.0.1:55768 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55766 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55718 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55720 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55712 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55722 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:55730 127.0.0.1:7001 TIME_WAIT -
tcp 0 0 127.0.0.1:55888 127.0.0.1:7001 FIN_WAIT2 -
tcp 0 0 127.0.0.1:7001 127.0.0.1:55770 CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55736 CLOSE_WAIT 2588/dns2tcpc
yuanfh@Bodhi:~$ dns2tcpc -k pass123 -d 1 -l 2222 -r ssh -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 2222
yuanfh@Bodhi:~$ ssh -CfNg root@127.0.0.1 -p 2222 -D 7002
root@127.0.0.1's password:
yuanfh@Bodhi:~$ netstat -pantu | grep 7002
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:7002 0.0.0.0:* LISTEN 2692/sshd