2025-01-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to bypass a firewall using DNS history. The editor shares it here as a reference, in the hope that readers come away with a working understanding of the topic.
Today, we introduce a script that uses DNS history to achieve firewall bypass. The script searches a domain's historical DNS A records and checks whether the server at each address responds for the domain name. For bug hunters, this is definitely a very useful tool.
The script will try to find:
1. Server IP addresses behind firewalls such as Cloudflare, Incapsula, SUCURI, etc.
2. An old server running the same site that does not receive active traffic because the DNS record does not point to it. Because such servers generally host outdated or unmaintained versions of the website, they are likely to have known security vulnerabilities, and it is much easier to find vulnerabilities such as SQL injection and to access databases on such sites.
In addition, the script can also get the IP addresses of subdomains because, in the developer's view, a subdomain's IP address will in some cases also point to the primary domain name.
Tool use
The script is used as follows:
bash bypass-firewalls-by-DNS-history.sh -d example.com
-d --domain: the target domain name to be bypassed
-o --outputfile: file to write the IP addresses to
-l --listsubdomains: list additional subdomain names
-a --checkall: check the firewall bypass status of all subdomains
Dependency requirements (optional)
If necessary, you can use jq to parse the output and automatically collect subdomain names. The installation command for this tool is as follows:
apt install jq
Background: Web Application Firewall Bypass Technology
To illustrate the web application firewall bypass described here, take a look at the diagram shown below:
When a user connects to the site, an initial DNS request is sent to look up the site's IP address so that the browser knows where to send the HTTP request. For sites protected by Cloudflare or another WAF, the DNS response contains the IP address of the WAF itself, because the user's HTTP traffic has to pass through the firewall to reach the origin web server. There, the WAF blocks malicious requests and helps prevent DDoS attacks. However, if the attacker knows the IP address of the origin web server, and the origin web server accepts HTTP traffic from the whole Internet, the attacker can perform a WAF bypass: that is, send HTTP traffic directly to the origin web server without going through the WAF.
The script attempts to find the IP address of the origin web server; with that address, attacks such as SQL injection or SSRF are no longer filtered by the WAF.
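The condition described above can be audited from the defender's side: compare your own domain's historical A records against the WAF's address ranges, and treat every address outside those ranges as an origin that must be restricted to accept traffic only from the WAF. The following is an added example, not code from the original script; the function names are hypothetical and all addresses are constructed from the RFC 5737 documentation ranges.

```bash
#!/bin/sh
# Added example (not part of bypass-firewalls-by-DNS-history.sh).
# All addresses are constructed (RFC 5737 documentation ranges).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=.
  set -- $1            # split the address on dots into $1..$4
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) if IPv4 address $1 lies inside CIDR block $2.
in_cidr() {
  addr_int=$(ip_to_int "$1")
  net_int=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

# Print each historical address that no WAF range covers.
# $1: space-separated historical A records, $2: space-separated WAF CIDRs.
exposed_origins() {
  for hist_ip in $1; do
    covered=no
    for cidr in $2; do
      if in_cidr "$hist_ip" "$cidr"; then covered=yes; break; fi
    done
    if [ "$covered" = no ]; then echo "$hist_ip"; fi
  done
}

# Constructed sample data: DNS history of your own domain and the
# ranges your WAF provider publishes (both are assumptions here).
HISTORICAL_A="198.51.100.7 203.0.113.20 203.0.113.200 192.0.2.44"
WAF_RANGES="198.51.100.0/24 203.0.113.0/25"

# Addresses printed here are outside the WAF and need an allowlist
# on the origin so that only the WAF ranges can reach ports 80/443.
exposed_origins "$HISTORICAL_A" "$WAF_RANGES"
```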
Further infiltration
After successfully bypassing the WAF, you have two options:
1. Edit your hosts file, /etc/hosts (Linux/Mac) or C:\Windows\System32\Drivers\etc\hosts (Windows), and add the following entry:
80.40.10.22 vincentcox.com
2. Burp Suite:
At this point, your HTTP traffic goes directly to the origin web server. You can follow the usual penetration testing method, and your requests will not be blocked by the web application firewall.
The appropriate audience for this script
- Security auditors
- Web administrators
- Bug hunters
- Black hat hackers
Web services used by the script
The script uses the following web services:
- SecurityTrails
- CrimeFlare
- certspotter
- DNSDumpster
- IPinfo
- ViewDNS
That concludes this look at how to bypass a firewall through DNS history. I hope the above content is of some help to you and that you learn more from it.