m0d9

DNS TUNNEL study notes

DNS TUNNEL

Relies on delegating a domain (or subdomain) to a name server you control, so that every query for an arbitrary, never-seen-before subdomain is forwarded by recursive resolvers to that server (the notes call this "wildcard resolution plus a custom resolver"; the tunnel daemon itself answers for any name under the zone).
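As an added illustration, not part of the original notes: the delegation that every tool below depends on. It assumes the parent zone m0d9.me is hosted on some ordinary DNS provider and that the tunnel server at 107.170.238.97 (the address used in the notes) should become authoritative for ceye.m0d9.me; the host name ns1 is an assumption.

```zone
; records added to the parent zone m0d9.me (added example; ns1 is an assumed name)
ns1     IN  A   107.170.238.97        ; the tunnel server
ceye    IN  NS  ns1.m0d9.me.          ; hand the whole ceye.m0d9.me subtree to it
```

No wildcard A record is needed: once the NS delegation exists, dns2tcpd, iodined or the dnscat2 server answers every `<anything>.ceye.m0d9.me` query itself, so it must be the only process listening on UDP/53 of that address. `dig +short NS ceye.m0d9.me` from an outside host shows whether the delegation has propagated.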

1. dns2tcp

tcp over dns

server

Edit dns2tcpd.conf

```
# /etc/dns2tcpd.conf (opened with: vim /etc/dns2tcpd.conf)
listen = 107.170.238.97          # public address the daemon binds to; UDP/53 must be reachable
domain = ceye.m0d9.me            # zone delegated to this server
port = 53
user = nobody                    # drop privileges after binding the port
chroot = /var/empty/dns2tcp/
resources = ssh:127.0.0.1:22,http:127.0.0.1:3128   # name:host:port targets the client may request

# run in the foreground (-F) with this config file (-f)
dns2tcpd -F -f /etc/dns2tcpd.conf
```

Start the HTTP proxy that the `http` resource points at (proxy2 here; any other proxy.py works as well …)

```
git clone https://github.com/inaz2/proxy2.git
cd proxy2
# listen on 3128, the port named in the http resource above
python proxy2.py 3128
```

client

Edit dns2tcpc.conf

```
# /etc/dns2tcpc.conf (opened with: vim /etc/dns2tcpc.conf; passed to dns2tcpc with -f, the default is ~/.dns2tcprc)
domain = ceye.m0d9.me            # same zone the server is authoritative for
resource = http                  # resource name defined on the server side
local_port = 2139                # local TCP port that is forwarded to http:127.0.0.1:3128 on the server
```


2. iodine

server

```
# -f foreground, -DD extra debug output, -c skip the per-request client IP/port check,
# -P shared password; 192.168.16.1 is the server end of the tun interface, ceye.m0d9.me the delegated zone
./iodined -DD -c -f -P test 192.168.16.1 ceye.m0d9.me
```

client

```
# -f foreground, -r force DNS queries (skip the raw UDP shortcut), -P password;
# giving 107.170.238.97 sends queries straight to the server instead of through the system resolver
iodine -f -r -P test 107.170.238.97 ceye.m0d9.me
```

3. dnscat2

dnscat2 differs from the tools above: it is best understood as a remote-control (C2) channel carried over the DNS protocol,
with a console in the style of msf or set.

server

client


4. DNS tunnel attack platforms

  • cloudeye/noeye

Detection

The requests (REQ side) have obvious characteristics, visible in

  • the length of the subdomain prefix (the labels prepended to the tunnel domain)
  • the query frequency (a tunnel produces a sustained stream of queries)
  • the randomness (entropy) of the prefix
  • the rarity of the domain ()
  1. DNS tunnel
    simple statistical detection
  2. DNS-based SQL injection (out-of-band exfiltration through DNS queries)
    random-text detection
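The statistics listed above turned into a small detector, as an added example that is not part of the original notes. The log format, the thresholds and the sample log lines are all constructed for this example; the zone is approximated as the last two labels of each query name (a real detector would use the public suffix list). The same per-query entropy test covers both the tunnel case and the random text that DNS-based SQL injection leaks in query names.

```python
"""Toy DNS-tunnel detector over constructed query logs (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client_ip> <qtype> <qname>".
# Benign browsing to example.com / github.com, plus a burst of TXT queries
# with 32-hex-char labels under ceye.m0d9.me, the zone used in the notes.
SAMPLE_LOG = """\
1000 10.0.0.5 A www.example.com
1001 10.0.0.5 A cdn.example.com
1002 10.0.0.5 A www.example.com
1003 10.0.0.5 A mail.example.com
1004 10.0.0.5 A cdn.example.com
1005 10.0.0.5 A www.example.com
1003 10.0.0.6 AAAA api.github.com
1001 10.0.0.7 TXT 7a3f9c2e1b8d4f6a0c5e2b9d7f1a3c8e.ceye.m0d9.me
1001 10.0.0.7 TXT 9e1d4b7a2c6f8e0b3d5a7c9f1e2b4d6a.ceye.m0d9.me
1001 10.0.0.7 TXT 4c8a2f6e0d1b7c3a9e5f8b2d6c0a4e7f.ceye.m0d9.me
1001 10.0.0.7 TXT 0b6d3a9f5c1e7b2d8f4a6c0e3b9d5f1a.ceye.m0d9.me
1002 10.0.0.7 TXT e2f7a1c4b8d0e6f3a9c5b7d1e4f8a2c6.ceye.m0d9.me
1002 10.0.0.7 TXT 5d9b1e7a3f0c6d2b8e4a1f7c9b3d5e0a.ceye.m0d9.me
1002 10.0.0.7 TXT a8c3e5f1b7d9a2c4e6f0b8d3a5c7e9f1.ceye.m0d9.me
1002 10.0.0.7 TXT 3f1c7e9a5b0d2f8c4e6a1b9d3f5c7a0e.ceye.m0d9.me
"""

# Illustrative thresholds (assumed, tune on your own baseline traffic).
THRESHOLDS = {
    "avg_prefix_len": 30,   # characters of label data prepended to the zone
    "avg_entropy": 3.0,     # bits per character; hex/base32 payloads sit near 3.5-4
    "unique_ratio": 0.9,    # share of never-repeated prefixes (tunnels never repeat)
    "rate_per_s": 2.0,      # sustained queries per second to one zone
}


def parse_log(text):
    """Parse constructed log lines into (ts, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((int(ts), client, qtype, qname.rstrip(".").lower()))
    return records


def split_name(qname, suffix_labels=2):
    """Split a query name into (prefix, zone), zone = last suffix_labels labels."""
    labels = qname.split(".")
    if len(labels) <= suffix_labels:
        return "", qname
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_random_label(prefix, min_len=20, min_entropy=3.5):
    """Per-query check: a long, high-entropy prefix looks like encoded payload."""
    flat = prefix.replace(".", "")
    return len(flat) >= min_len and shannon_entropy(flat) >= min_entropy


def domain_stats(records, suffix_labels=2):
    """Aggregate the four features from the notes per zone."""
    acc = defaultdict(lambda: {"n": 0, "prefixes": set(), "len": 0, "ent": 0.0, "ts": []})
    for ts, _client, _qtype, qname in records:
        prefix, zone = split_name(qname, suffix_labels)
        flat = prefix.replace(".", "")
        d = acc[zone]
        d["n"] += 1
        d["prefixes"].add(prefix)
        d["len"] += len(flat)
        d["ent"] += shannon_entropy(flat)
        d["ts"].append(ts)
    stats = {}
    for zone, d in acc.items():
        span = max(d["ts"]) - min(d["ts"]) + 1          # seconds covered, at least 1
        stats[zone] = {
            "queries": d["n"],
            "avg_prefix_len": d["len"] / d["n"],
            "avg_entropy": d["ent"] / d["n"],
            "unique_ratio": len(d["prefixes"]) / d["n"],
            "rate_per_s": d["n"] / span,
        }
    return stats


def suspicious_zones(stats, thresholds=THRESHOLDS, min_hits=3):
    """Flag a zone when at least min_hits features exceed their thresholds."""
    flagged = {}
    for zone, s in stats.items():
        hits = [k for k, v in thresholds.items() if s[k] >= v]
        if len(hits) >= min_hits:
            flagged[zone] = hits
    return flagged


if __name__ == "__main__":
    stats = domain_stats(parse_log(SAMPLE_LOG))
    for zone, s in stats.items():
        print(zone, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", suspicious_zones(stats))
```

Requiring three of the four features to trip keeps a single long CDN label or one burst of benign lookups from raising an alert, while the per-query `is_random_label` check catches a one-off exfiltration such as a DNSlog-style SQL injection payload that never reaches tunnel-like volume.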

References