Shulou (Shulou.com) 05/31 report, SLTechnology News&Howtos > Network Security, updated 2025-03-29
Many people with little experience do not know how to build a DNSLOG platform. This article summarizes the reasons behind the problem and one solution; I hope it helps you solve it.
1 Preface
DNSLOG is an out-of-band echo mechanism. It is used when a vulnerability produces no visible output (no "echo") but the target can still issue DNS requests: the data to be extracted is placed inside the name being resolved, and the authoritative server for that name logs it. This makes vulnerabilities that are otherwise hard to exploit for lack of echo usable. The main scenarios are blind SQL injection, command execution without echo and SSRF without echo. This article describes one way of building a DNSLOG platform, intended as a help for penetration testing.
2 Preparation in advance
One domain name and one VPS are needed.
This article uses a domain name and a CVM (ECS) instance purchased from Aliyun.
Domain name: example.icu
VPS IP: 100.100.100.100
3 Experimental process
3.1 Add DNS resolution records
Add an A record and an NS record in the cloud DNS resolution console, as shown in the figure:
3.2 Open port 53
Add a rule that opens port 53 to the ECS security group of the CVM instance. The protocol is UDP.
3.3 Code for DNSLOG
dnslog.py
It runs under Python 2 and needs no dependency packages to be installed.
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script: SocketServer and the print statement are Python 2 only.
import SocketServer
import struct


# DNS Query (the question section of the request)
class SinDNSQuery:
    def __init__(self, data):
        # QNAME is a sequence of length-prefixed labels ending in a zero byte.
        # Read the real length byte of each label (the original compared every
        # byte against 32, which misparses labels of 32 bytes or more).
        i = 0
        labels = []
        while True:
            length = ord(data[i])
            if length == 0:
                break
            labels.append(data[i + 1:i + 1 + length])
            i = i + 1 + length
        self.name = '.'.join(labels)
        self.querybytes = data[0:i + 1]          # labels plus terminating zero
        (self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])
        self.len = i + 5

    def getbytes(self):
        return self.querybytes + struct.pack('>HH', self.type, self.classify)


# DNS Answer RR (a single A record)
class SinDNSAnswer:
    def __init__(self, ip):
        self.name = 0xC00C        # compression pointer to the QNAME at offset 12
        self.type = 1             # A
        self.classify = 1         # IN
        self.timetolive = 190
        self.datalength = 4
        self.ip = ip

    def getbytes(self):
        res = struct.pack('>HHHLH', self.name, self.type, self.classify,
                          self.timetolive, self.datalength)
        s = self.ip.split('.')
        res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))
        return res


# DNS frame (header + question + optional answer)
class SinDNSFrame:
    def __init__(self, data):
        (self.id, self.flags, self.quests, self.answers,
         self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12])
        self.query = SinDNSQuery(data[12:])

    def getname(self):
        return self.query.name

    def setip(self, ip):
        self.answer = SinDNSAnswer(ip)
        self.answers = 1
        self.flags = 0x8180       # standard response, recursion available, no error

    def getbytes(self):
        res = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers,
                          self.author, self.addition)
        res = res + self.query.getbytes()
        if self.answers != 0:
            res = res + self.answer.getbytes()
        return res


# A UDPHandler to handle DNS queries
class SinDNSUDPHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        # Do not strip() the datagram: DNS is binary, and a 0x20 or 0x0a byte in
        # the transaction id would otherwise be removed and corrupt the frame.
        data = self.request[0]
        dns = SinDNSFrame(data)
        socket = self.request[1]
        namemap = SinDNSServer.namemap
        if dns.query.type == 1:
            # An A query: log it and answer with the configured address
            name = dns.getname()
            toip = namemap['*']
            dns.setip(toip)
            print '%s\t%s toip->%s' % (self.client_address[0], name, toip)
            socket.sendto(dns.getbytes(), self.client_address)
        else:
            # Not an A query: the original simply echoes the query back
            socket.sendto(data, self.client_address)


# DNS Server
class SinDNSServer:
    def __init__(self, port=53):
        SinDNSServer.namemap = {}
        self.port = port

    def addname(self, name, ip):
        SinDNSServer.namemap[name] = ip

    def start(self):
        HOST, PORT = "0.0.0.0", self.port
        server = SocketServer.UDPServer((HOST, PORT), SinDNSUDPHandler)
        server.serve_forever()


if __name__ == "__main__":
    sev = SinDNSServer()
    sev.addname('*', '127.0.0.1')   # default address returned for every A query
    sev.start()                      # start the DNS server
```
Run dnslog.py directly on the VPS and a simple DNSLOG platform is in place.
The running effect is shown below; the IP address returned in answers can be changed through sev.addname('*', '127.0.0.1').
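To check the wire format the script above relies on (length-prefixed labels, the 0xC00C compression pointer, the 0x8180 response flags), here is an added, self-contained Python 3 example. It is not the page's dnslog.py and sends nothing on the network: it builds a query for a constructed name, parses it, builds the same single-A-record response the script emits and decodes that again. The function names and the 0x1234 transaction id are my own. It goes a little beyond the page's parser by reading the real label length byte, so labels of 32 bytes or more parse correctly.

```python
import struct


def build_query(name, txid=0x1234, qtype=1, qclass=1):
    """Encode a DNS question for `name` (constructed test input, not captured traffic)."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b''
    for label in name.strip('.').split('.'):
        raw = label.encode('ascii')
        qname += struct.pack('B', len(raw)) + raw
    qname += b'\x00'
    return header + qname + struct.pack('>HH', qtype, qclass)


def parse_qname(data, offset):
    """Walk the length-prefixed labels from `offset`; return (name, offset past the terminator).

    Reads the real length byte, so a 40-byte label is handled; the page script's
    "byte below 32 is a separator" shortcut would treat it as name characters.
    """
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return '.'.join(labels), offset + 1
        if length & 0xC0:
            raise ValueError('compression pointer in a question name is not expected')
        labels.append(data[offset + 1:offset + 1 + length].decode('ascii'))
        offset += 1 + length


def parse_query(data):
    """Decode the header and question; keep the raw question bytes for the reply."""
    txid, flags, qd, an, ns, ar = struct.unpack('>HHHHHH', data[:12])
    name, end = parse_qname(data, 12)
    qtype, qclass = struct.unpack('>HH', data[end:end + 4])
    return {'id': txid, 'flags': flags, 'name': name, 'qtype': qtype,
            'qclass': qclass, 'question': data[12:end + 4]}


def build_a_response(query, ip, ttl=190):
    """Same layout the page's script emits: flags 0x8180, the original question,
    then one A record whose NAME is the compression pointer 0xC00C (offset 12)."""
    header = struct.pack('>HHHHHH', query['id'], 0x8180, 1, 1, 0, 0)
    rr = struct.pack('>HHHLH', 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split('.'))
    return header + query['question'] + rr


def parse_a_response(data):
    """Decode the single-answer response so the round trip can be verified."""
    txid, flags, qd, an, ns, ar = struct.unpack('>HHHHHH', data[:12])
    _, end = parse_qname(data, 12)
    end += 4  # skip QTYPE and QCLASS of the echoed question
    name_ptr, rtype, rclass, ttl, rdlen = struct.unpack('>HHHLH', data[end:end + 12])
    rdata = data[end + 12:end + 12 + rdlen]
    return {'id': txid, 'flags': flags, 'answers': an, 'name_ptr': name_ptr,
            'type': rtype, 'ttl': ttl, 'ip': '.'.join(str(b) for b in rdata)}


if __name__ == '__main__':
    q = parse_query(build_query('a1b2c3.example.icu'))
    print(q['name'], parse_a_response(build_a_response(q, '100.100.100.100')))
```

A resolver will accept the reply only if the transaction id and the question section match what it sent, which is why the response is built from the parsed query rather than from scratch.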
4 Web interface
The web interface is written with the Tornado framework.
The project has been uploaded to GitHub: https://github.com/sa1tor/dnslog
After installing Tornado with pip, server.py can be run directly; you can of course also deploy it with Nginx + Tornado + Supervisor.
```
pip install tornado
python server.py
```
The default port is 8000; open http://ip:8000/ in a browser to see the web interface.
I specified port 6002: python server.py --port=6002.
The interface is fairly simple, with only three buttons: the getsubdomain button obtains a random subdomain name, the refresh button refreshes the page, and the delete all button deletes all records.
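The part of such a platform that does the real work is the correlation between an issued random subdomain and the query names the DNS server logs. As an added example (not the sa1tor/dnslog project's code), the following Python 3 class mirrors the three buttons: it issues a token under the page's domain example.icu, matches incoming query names against issued tokens (folding case and accepting extra labels in front of the token, which is how exfiltrated data arrives), and replays constructed log lines in the format dnslog.py prints. Class and function names are my own.

```python
import re
import secrets

DOMAIN = 'example.icu'  # the page's domain; assumed to be the zone the platform serves


class DnslogStore:
    """Issue random subdomains and correlate logged query names with them."""

    def __init__(self, domain=DOMAIN, token_len=8):
        self.domain = domain.lower().strip('.')
        self.token_len = token_len
        self.records = {}  # token -> list of (client_ip, full query name)

    def get_subdomain(self):
        """The getsubdomain button: an unguessable token, so results cannot be spoofed
        by guessing someone else's subdomain."""
        token = secrets.token_hex(self.token_len // 2)  # token_len hex characters
        self.records[token] = []
        return '%s.%s' % (token, self.domain)

    def extract_token(self, qname):
        """Return the issued token inside `qname`, or None.

        The token is the label directly under the domain, so both 'TOKEN.example.icu'
        and 'leaked-data.TOKEN.example.icu' match. Case is folded because resolvers
        may randomize the case of query names (0x20 encoding).
        """
        labels = qname.lower().strip('.').split('.')
        dom = self.domain.split('.')
        if len(labels) <= len(dom) or labels[-len(dom):] != dom:
            return None
        token = labels[-len(dom) - 1]
        return token if token in self.records else None

    def record_query(self, client_ip, qname):
        """Store a query under its token; queries for unknown tokens are dropped."""
        token = self.extract_token(qname)
        if token is None:
            return False
        self.records[token].append((client_ip, qname))
        return True

    def results(self, subdomain):
        """The refresh view: everything logged for one issued subdomain."""
        token = subdomain.lower().split('.')[0]
        return list(self.records.get(token, []))

    def delete_all(self):
        """The delete all button."""
        self.records.clear()


def replay_log(store, lines):
    """Feed lines in the format dnslog.py prints: '<client ip>\\t<name> toip-><ip>'.
    Returns how many lines matched an issued token."""
    pat = re.compile(r'^(\S+)\t(\S+) toip->')
    matched = 0
    for line in lines:
        m = pat.match(line)
        if m and store.record_query(m.group(1), m.group(2)):
            matched += 1
    return matched


if __name__ == '__main__':
    store = DnslogStore()
    sub = store.get_subdomain()
    # Constructed log lines, not real traffic
    sample = ['203.0.113.7\tpayload.%s toip->127.0.0.1' % sub,
              '203.0.113.8\tunrelated.example.icu toip->127.0.0.1']
    print(replay_log(store, sample), store.results(sub))
```

Keeping the token as the label directly under the zone, rather than anywhere in the name, is what lets the platform tell apart data carried in front of it from unrelated scanning of the zone.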
5 Postscript
Most of the related write-ups on the Internet use two domain names: the DNS server is changed on one, and the NS record is set on the other. In fact, a single domain name is enough.
Modify the DNS server as shown below:
After reading the above, have you mastered how to build a DNSLOG platform? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!