DNS Protocol Tunnels, DNS Protocol Tunnel - dns2tcp

DNS protocol tunnels

The firewall blocks outbound TCP traffic

- SSH tunnels and port forwarding all stop working
- Use a tunnel based on the UDP protocol
- The way DNS works makes it suitable for building a tunnel

How DNS works

- DNS tunnel principle: register DNS records that are under your own control

DNS protocol tunnel: dns2tcp

dns2tcp

- Builds a DNS tunnel through legitimate DNS servers
- Client/server (dns2tcpc / dns2tcpd) architecture
- Data is transmitted encrypted in TXT records (A records are limited in length)
- Keeps the connection alive once the tunnel is established
- Default record TTL is 3 seconds

Installation

- apt-get install dns2tcp
- Installed by default on Kali

** This is m0n0wall, version 1.8.1
   built on Wed Jan 15 13:32:38 CET 2014 for generic-pc
   Copyright (C) 2002-2014 by Manuel Kasper. All rights reserved.
   Visit http://m0n0.ch/wall for updates.

   LAN IP address: 192.168.1.1
   WAN IP address: (unknown)

   Port configuration:
   LAN    -> em0
   WAN    -> em1

m0n0wall console setup

1) Interfaces: assign network ports
2) Set up LAN IP address
3) Reset webGUI password
4) Reset to factory defaults
5) Reboot system
6) Ping host
7) Install on Hard Drive

Enter a number:

yuanfh@Bodhi:~$ ifconfig
1.1.1.10

yuanfh@Bodhi:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         1.1.1.1         0.0.0.0         UG        0 0          0 eth0
1.1.1.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0

m0n0wall IP: 192.168.1.123

yuanfh@Bodhi:~$ sudo apt-get install dns2tcp wireshark firefox

DNS protocol tunnel: dns2tcp

Demo environment 1

- Win 2003: install the DNS service; configure forwarders; create the zone lab.com; delegate the sub-domain test.lab.com with an NS record pointing at Kali
- Firewall: only allow outbound UDP port 53 traffic
- Bodhi Linux:
      install dns2tcp, wireshark, firefox
      dns2tcpc -c -k pass -d 1 -l 2222 -r ssh -z test.lab.com

Installing DNS

Start -> Run "appwiz.cpl" -> Add/Remove Windows Components -> Networking Services -> Domain Name System (DNS) -> OK -> Next

DNS -> Forward Lookup Zones -> Primary zone -> lab.com -> Create a new file with this file name: lab.com.dns -> Do not allow dynamic updates -> Finish

New Host record -> kali -> 192.168.1.110 -> Add Host -> Finish

lab.com -> right-click "New Delegation" -> Delegated domain: test -> Name servers: add "kali" -> Finish

Configuring forwarders

Server icon "W2K3" -> Properties -> Forwarders -> Selected domain's forwarder IP address list: 127.207.160.106, Add; 219.239.26.42, Add -> Apply, OK

yuanfh@Bodhi:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.0.0.1
search local

yuanfh@Bodhi:~$ sudo vi /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.124
search local

yuanfh@Bodhi:~$ nslookup
> set q=ns
> lab.com
Server:         192.168.1.124
Address:        192.168.1.124#53

lab.com nameserver = w2k3
> set q=ns
> test.lab.com
Server:         192.168.1.124
Address:        192.168.1.124#53

Non-authoritative answer:
test.lab.com    nameserver = kali.lab.com.

Authoritative answers can be found from:
kali.lab.com    internet address = 192.168.1.110
> set q=a
> kali.lab.com
Server:         192.168.1.124
Address:        192.168.1.124#53

Name:   kali.lab.com
Address: 192.168.1.110
> www.baidu.com
Server:         192.168.1.124
Address:        192.168.1.124#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 119.75.218.70
Name:   www.a.shifen.com
Address: 119.75.217.109
> www.taobao.com
Server:         192.168.1.124
Address:        192.168.1.124#53

Non-authoritative answer:
www.taobao.com  canonical name = www.taobao.com.danuoyi.tcdn.thcache.com.
Name:   www.taobao.com.danuoyi.thcache.com.
Address: 124.193.235.253
Name:   www.taobao.com.danuoyi.thcache.com.
Address: 124.193.235.253

DNS protocol tunnel: dns2tcp

Server configuration file

- /etc/dns2tcpd.conf
- .dns2tcprc
- Resources can point to other addresses

Starting

- dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
- -F: run in the foreground
- -d: debug level 1-3
- -f: specify the configuration file

listen = 0.0.0.0
port = 53
user = nobody
chroot = /tmp
key = password123
domain = test.lab.com
resources = ssh:127.0.0.1:22 , smtp:127.0.0.1:25 , socks:127.0.0.1:1082,
https:127.0.0.1:8087 , http:127.0.0.1:3128


root@K:~# vi /etc/dns2tcpd.conf
listen = 0.0.0.0
port = 53
user = nobody
chroot = /tmp
domain = test.lab.com
resources = ssh:127.0.0.1:22 , smtp:127.0.0.1:25 , socks:127.0.0.1:1082,
http:127.0.0.1:3128 , https:127.0.0.1:8087

root@K:~# vi /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes

root@K:~# service ssh start
root@K:~# dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
19:22:22 : Debug options.c:97 Add resource ssh:127.0.0.1 port 22
19:22:22 : Debug options.c:97 Add resource smtp:127.0.0.1 port 25
19:22:22 : Debug options.c:97 Add resource socks:127.0.0.1 port 1080
19:22:22 : Debug options.c:97 Add resource http:127.0.0.1 port 3128
19:22:22 : Debug options.c:97 Add resource https:127.0.0.1 port 8087
19:22:22 : Debug options.c:55 Listening on 0.0.0.0:53 for domain test.lab.com
Starting Server v0.5.2...
19:22:22 : Debug main.c:132 Chroot to /tmp
19:22:24 : Debug main.c:142 Change to user nobody

root@K:~# service ssh start
root@K:~# vi /etc/dns2tcpd.conf
listen = 0.0.0.0
port = 53
user = nobody
chroot = /tmp
domain = test.lab.com
key = pass123
resources = ssh:127.0.0.1:22 , smtp:127.0.0.1:25 , socks:127.0.0.1:1082,
http:192.168.1.1:80 , https:127.0.0.1:8087

root@K:~# dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
19:22:42 : Debug options.c:97 Add resource ssh:127.0.0.1 port 22
19:22:42 : Debug options.c:97 Add resource smtp:127.0.0.1 port 25
19:22:42 : Debug options.c:97 Add resource socks:127.0.0.1 port 1080
19:22:42 : Debug options.c:97 Add resource http:192.168.1.1 port 3128
19:22:42 : Debug options.c:97 Add resource https:127.0.0.1 port 8087
19:22:42 : Debug options.c:55 Listening on 0.0.0.0:53 for domain test.lab.com
Starting Server v0.5.2...
19:22:42 : Debug main.c:132 Chroot to /tmp
19:22:42 : Debug main.c:142 Change to user nobody

yuanfh@Bodhi:~$ dns2tcpc -c -k pass123 -d 1 -l 2222 -r ssh -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 2222
No response from DNS 192.168.1.124
19:46:26 : Debug session.c:54 Session created (0xd97d)
19:46:26 : Debug auth.c:94 Connect to resource "ssh"
19:46:26 : Debug client.c:141 Adding client auth OK:0xd97d
19:46:26 : Debug requests.c:274 send desauth
19:46:26 : Debug client.c:69 free client
^C

yuanfh@Bodhi:~$ sudo wireshark
[sudo] password for yuanfh:

Wireshark display filter used to look at the tunnel traffic:
!(ipv6.version == 6) && !(ip.src == 192.168.56.1)

yuanfh@Bodhi:~$ ssh [email protected] -p 2222
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is 6f:bf:fc:e5:d0:96:65:34:99:7d:81:06:b6:5e:44:50.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:2222' (ECDSA) to the list of known hosts.
[email protected]'s password:
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

yuanfh@Bodhi:~$ dns2tcpc -c -k pass123 -d 1 -l 2222 -r http -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 2222

yuanfh@Bodhi:~$ dns2tcpc -c -k pass123 -d 1 -l 7001 -r https -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 7001

root@K:~# whois 107.178.195.142

root@K:~# apt-get install squid
squid squidclient squid-deb-proxy squidguard-doc squidtaild
squid3 squid-common squid-deb-proxy-client squid-langpack squidview
squid-cql squid-dbg squidguard squid-purge

root@K:~# apt-get install squid3

DNS protocol tunnel: dns2tcp

Resource access

- Local SSH resource
- Remote http resource
- http resource (squid)
  apt-get install squid3
- http proxy
- Tunnel nesting
  Using the SSH resource, nest an SSH dynamic port-forwarding tunnel inside the DNS tunnel
  ssh -CFNg [email protected] -p 2222 -D 7001
  IE and Firefox on XP browse the web through the nested SOCKS proxy

Capturing and analysing DNS tunnel traffic

yuanfh@Bodhi:~$ netstat -pantu | grep 7001
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:7001 0.0.0.0:*         LISTEN     2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55888   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55716   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55724   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:55714 127.0.0.1:7001   TIME_WAIT  -
tcp 0 0 127.0.0.1:7001 127.0.0.1:55768   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55766   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55718   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55720   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55712   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55722   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:55730 127.0.0.1:7001   TIME_WAIT  -
tcp 0 0 127.0.0.1:55888 127.0.0.1:7001   FIN_WAIT2  -
tcp 0 0 127.0.0.1:7001 127.0.0.1:55770   CLOSE_WAIT 2588/dns2tcpc
tcp 0 0 127.0.0.1:7001 127.0.0.1:55736   CLOSE_WAIT 2588/dns2tcpc

yuanfh@Bodhi:~$ dns2tcpc -k pass123 -d 1 -l 2222 -r ssh -z test.lab.com
No DNS given, using 192.168.1.124 (first entry found in resolv.conf)
debug level 1
Listening on port : 2222

yuanfh@Bodhi:~$ ssh -CFNg [email protected] -p 2222 -D 7002
[email protected]'s password:

yuanfh@Bodhi:~$ netstat -pantu | grep 7002
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp  0 0 127.0.0.1:7002 0.0.0.0:* LISTEN 2692/sshd
tcp6 0 0 ::1:7002       :::*      LISTEN 2692/sshd
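The capture-analysis step above looks at the tunnel from the client side; on the resolver side the same tunnel leaves a recognisable trace in the query log. The following detection sketch is added here and is not part of the original course material or of dns2tcp itself: it runs a few constructed resolver query-log lines (not a real capture) through heuristics that match the dns2tcp traits listed at the top of the page, a burst of TXT queries against one delegated zone, every name distinct (the 3-second TTL means nothing is answered from cache), and a long encoded leftmost label carrying the payload. The log format, the thresholds and the grouping by the last three labels are assumptions.

```python
import re
from collections import defaultdict
# Constructed resolver query-log lines in a BIND-like shape (not a real capture):
# "<time> <client> query: <qname> IN <qtype>"
SAMPLE_LOG = """\
19:46:26.101 192.168.1.123 query: www.baidu.com IN A
19:46:26.140 192.168.1.123 query: rRDPZvGVFAAAAABxQ.test.lab.com IN TXT
19:46:26.172 192.168.1.123 query: MwnBtkBuEGAAAAAAAAAABLABQ.test.lab.com IN TXT
19:46:26.204 192.168.1.123 query: xT3cQ9qXyOIAAAAADAAeQbQ.test.lab.com IN TXT
19:46:26.239 192.168.1.123 query: oBFx2JcrUKgAAAAEAAAAcAAAAA.test.lab.com IN TXT
19:46:26.273 192.168.1.123 query: 7Eiq0yZ2pJAAAAAFAAAAAg.test.lab.com IN TXT
19:46:27.102 192.168.1.123 query: www.taobao.com IN A
19:46:27.501 192.168.1.55 query: mail.lab.com IN MX
19:46:28.003 192.168.1.55 query: _dmarc.lab.com IN TXT
"""
LINE_RE = re.compile(r"^(\S+) (\S+) query: (\S+) IN (\S+)$")

def zone_of(qname, depth=3):
    """Group a name by its last `depth` labels: a.b.test.lab.com -> test.lab.com."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])

def score_log(text, min_queries=4, min_ratio=0.8, min_label_len=12):
    """Return {(client, zone): stats} for client/zone pairs whose queries look
    like a dns2tcp-style tunnel: mostly TXT, every name distinct (no cache
    hits), and a long encoded leftmost label carrying the payload."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "long": 0, "names": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        _time, client, qname, qtype = m.groups()
        s = stats[(client, zone_of(qname))]
        s["total"] += 1
        s["txt"] += qtype == "TXT"
        s["long"] += len(qname.split(".")[0]) >= min_label_len
        s["names"].add(qname)
    hits = {}
    for key, s in stats.items():
        n = s["total"]
        if n < min_queries:
            continue  # too few queries to judge
        if (s["txt"] / n >= min_ratio and s["long"] / n >= min_ratio
                and len(s["names"]) == n):
            hits[key] = {"total": n, "txt": s["txt"], "unique": len(s["names"])}
    return hits

if __name__ == "__main__":
    for (client, zone), h in score_log(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {client} -> {zone} {h}")
```

Legitimate TXT lookups (SPF, DKIM, DMARC) have short, repeating names and stay below the thresholds; tune `min_queries` and `min_label_len` to the query volume of the resolver being watched.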

Reposted from blog.csdn.net/anquanniu/article/details/82017667