Intranet penetration series: dns2tcp as an intranet tunnel

Foreword

This article studies a DNS tunneling tool, dns2tcp.

GitHub: https://github.com/alex-sector/dns2tcp

I. Overview

1. Introduction

Last updated in 2017; written in C.

TCP over DNS: TCP connections are forwarded through a DNS tunnel without encryption. It uses a direct connection, and the speed is not particularly good. The advantage is that Kali integrates the tool directly, and some Linux distributions can install it straight from the package manager, which is relatively convenient.

  • DNS tunneling through legitimate DNS servers
  • C/S structure (dns2tcpc / dns2tcpd)
  • By default data is carried in TXT records, base64-encoded (A records have a limited length)
  • After the tunnel is established the connection is kept alive: a packet is sent roughly every 0.6 s, and the interval can be set up to a maximum of 3 s
  • Needs to be combined with other proxy tools

2. Principle

For the principles of DNS, see: One article to understand DNS and domain name resolution

This tool places the data, base64-encoded, into TXT records. The DNS packets are routed, via the NS record and A record configured on the authoritative DNS server, to the dns2tcpd server, which completes the traffic proxy.

3. Usage

Common commands:

-c   compress heavy traffic
-F   run in the foreground
-f   specify the configuration file
-r   specify the resource to use
-z   specify the DNS domain name
-k   set the transfer password
-l   listen on a local port
-d   debug level (1 | 2 | 3)

(1) Server

Modify the /etc/dns2tcpd.conf configuration file,
then establish the tunnel endpoint: dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf

(2) Client

Test whether the domain can be reached: dns2tcpc -z xxx.xx.xxx
Establish a tunnel and use the ssh resource: dns2tcpc -c -k password -d 1 -l 7002 -r ssh -z xxx.xx.xxx
Then point the corresponding client at the local port that was set.

II. Practice

1. Test scenario

(1) Attacker machine

Kali 2021: 192.168.10.128

(2) DNS server

Windows Server 2008: 192.168.10.200

Set a static IP; see https://blog.csdn.net/pockeyfan/article/details/42063683

Create a new A record pointing to the Kali server.
Create a new delegation (i.e. an NS record) pointing to the domain name of the A record just set.
Create another A record pointing to the Windows server itself.

(3) Target machine

Ubuntu 18.04 192.168.10.129

Because the simulated DNS server plays the role of a real authoritative server, the target machine must be able to resolve names through it, so the target machine's DNS resolver setting is changed to point at it.

Check with nslookup

2. Establish a tunnel

(1) Server

Start the Apache service

Modify the configuration file; the screenshots show it before and after modification.

Start listening

(2) Client

Test connectivity

Start the client

Then the HTTP service can be accessed through the tunnel

Similarly, ssh, nc, smtp and other services can be proxied through the tunnel.
Note: ssh occasionally reports a connection reset by peer; it may take a few more tries.

3. Take a look at the packets

During the handshake phase, and likewise for the heartbeat packets, the queried names are all legitimate-looking domain names. When the tunnel is in use, a large number of TXT record packets appear, with the base64-encoded data stored in the domain name.

III. Explore

1. Source code and analysis


2. Detection and bypass

(1) Abnormal number of DNS packets

As shown in the figure above, while the DNS tunnel is in use there are nearly 200 DNS packets within 1 s, all exchanged with the same DNS server.

Bypass method: insert an interval between packets, but this makes the tunnel very slow.

(2) Special record type TXT

Usually only mail servers/gateways send TXT queries, and never in such volume; in normal DNS traffic TXT records may make up only 1%-2%.

Bypass method: mix A, AAAA, TXT, MX, CNAME and other record types.

(3) Abnormal domain name

The domain name contains base64-like strings, which can be detected by methods such as information entropy.

Bypass method: maintain a dictionary of common domain names and split the data across them, but this greatly increases the number of packets.

For example, to send out the file name finalexamanswer.doc:
base64 it -> ZmluYWxleGFtYW5zd2VyLmRvYw
then encode it with common domain names, so it becomes Zm -> zone.music.domain, lu -> login.user.domain, YW -> yun.web.domain ...
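The three indicators above (burst rate to one resolver, TXT share, base64-like names measured by entropy) can be scored from plain DNS query logs. This is an added example for the defender's side, not code from the post or from dns2tcp; the log line format, the 192.168.10.x hosts, the tunnel.lab zone and the thresholds are all constructed for the demo, and the payload label reuses the post's own base64 sample.

```python
"""Score DNS query logs for the dns2tcp indicators (1)-(3): rate, TXT share, entropy.
Constructed log format: "<epoch> <client> <resolver> <qtype> <qname>" (not a real log format)."""
import math
from collections import Counter, defaultdict

PAYLOAD = "ZmluYWxleGFtYW5zd2VyLmRvYw"  # the base64 sample from the post

def shannon_entropy(s: str) -> float:
    """Bits per character: base64 payload labels score above 4, ordinary labels well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def payload_labels(qname: str) -> str:
    """Everything left of the zone, which is assumed here to be the last two labels."""
    return "".join(qname.rstrip(".").split(".")[:-2])

def analyze(lines, qps_threshold=50, txt_share=0.05, min_txt=20, entropy_threshold=3.5):
    """Per-client metrics plus which indicators fired; thresholds are illustrative."""
    per_sec = Counter()  # (client, resolver, second) -> queries in that second
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "high_entropy": 0, "peak_qps": 0})
    for line in lines:
        ts, client, resolver, qtype, qname = line.split()
        per_sec[(client, resolver, int(float(ts)))] += 1
        s = stats[client]
        s["total"] += 1
        s["txt"] += qtype == "TXT"
        p = payload_labels(qname)
        if len(p) >= 20 and shannon_entropy(p) > entropy_threshold:
            s["high_entropy"] += 1
    for (client, _, _), n in per_sec.items():
        stats[client]["peak_qps"] = max(stats[client]["peak_qps"], n)
    for s in stats.values():
        s["txt_ratio"] = s["txt"] / s["total"]
        # a single SPF lookup is normal, so the TXT share only counts once min_txt is reached
        s["flags"] = sorted(name for name, hit in (
            ("rate", s["peak_qps"] >= qps_threshold),
            ("txt_ratio", s["txt"] >= min_txt and s["txt_ratio"] > txt_share),
            ("entropy", s["high_entropy"] > 0)) if hit)
    return dict(stats)

def sample_log():
    """Constructed traffic: a tunnel client bursting 60 TXT queries inside one second,
    and a normal client doing ordinary lookups including one SPF-style TXT lookup."""
    lines = []
    for i in range(60):
        label = PAYLOAD[i % 26:] + PAYLOAD[:i % 26]  # rotation keeps the character histogram
        lines.append(f"{1000 + i / 100:.2f} 192.168.10.129 192.168.10.200 TXT {label}.tunnel.lab")
    benign = ["A www.example.com", "A mail.example.com", "AAAA www.example.org",
              "MX example.com", "TXT example.com", "CNAME cdn.example.net"]
    for j, q in enumerate(benign):
        lines.append(f"{2000 + 10 * j} 192.168.10.50 192.168.10.200 {q}")
    return lines

if __name__ == "__main__":
    for client, s in analyze(sample_log()).items():
        print(client, s["flags"], f"peak={s['peak_qps']}/s txt={s['txt_ratio']:.0%}")
```

Against the constructed log the tunnel client trips all three indicators while the normal client trips none; on real resolver logs the thresholds need tuning to the baseline TXT share and per-client query rates.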

(4) Heartbeat packets

Both the interval and the count of heartbeat packets are a problem.

Bypass method: the interval can be made longer, or even random, and the count problem can be handled by re-establishing the tunnel over a new UDP socket.

(5) Command features

Some commands carry characteristic strings.

Bypass method: change the strings.

Epilogue

The heartbeat packets already look like normal domain name requests, but there is still some room for improvement.


Source: blog.csdn.net/weixin_44604541/article/details/119139443