dns tunnel确认方法,查询子域名最终的解析地址:
使用方法:python dig_trace.py "<7cf1e56b 67fc90f8 caaae86e 0787e907>.nsconcreteblock.info" any
Selected root name server: 192.203.230.10
['.', 'info.', 'nsconcreteblock.info.', '<7cf1e56b 67fc90f8 caaae86e 0787e907>.nsconcreteblock.info.']
Random NS: 199.254.31.1
Random NS: 199.249.121.1
Querying name server: 199.249.121.1
到微步查询 https://x.threatbook.cn/ip/199.249.121.1 可以看到 199.249.121.1 是钓鱼IP。
dig_trace.py 脚本内容:
from:https://github.com/danasmera/Python_scripts/blob/master/dig-trace.py
#!/usr/bin/env python ''' Similar to dig +trace except this script does not reply on name servers set on localhost ''' __author__ = "Daniel T." __license__ = "GPL" __version__ = "0.1.0" __maintainer__ = "danasmera" __email__ = "daniel@danasmera.com" import sys from random import choice import re import signal try: import dns.name import dns.message import dns.query except ImportError: print 'Module dns import error.' sys.exit(1) def signal_handler(signal, frame): print 'Ctrl+C pressed...exiting...' sys.exit(0) signal.signal(signal.SIGINT, signal_handler) def Usage(): print sys.argv[0] + ' FQDN RecordType[A|MX|TXT|NS|ANY]' print "Ex. " + sys.argv[0] + ' gmail.com mx' sys.exit(1) mydict={'A':1 ,'NS':2,'MX':15,'TXT':16,'ANY':255} ARGC=len(sys.argv) if ARGC < 2: Usage() RRTYPE='A' if ARGC<=2 else sys.argv[2].strip() RRTYPE=RRTYPE.upper() if RRTYPE in mydict: RRTYPE=mydict[RRTYPE] else: sys.exit(1) #IPv4 pattern ippat=r'd{1,3}.d{1,3}.d{1,3}.d{1,3}' #rootns=[chr(i)+'.root-servers.net' for i in range(ord('a'),ord('n'))] rootns=( '198.41.0.4' , '192.228.79.201' , '192.33.4.12' , '199.7.91.13' , '192.203.230.10' , '192.5.5.241' , '192.112.36.4' , '128.63.2.53' , '192.36.148.20' ,'192.58.128.30' , '193.0.14.129' , '199.7.83.42' , '202.12.27.33' ) rootns = ('192.203.230.10',) # very useful and always no timeout srootns=choice(rootns) print "Selected root name server: " , srootns def only_ip(rrdata): match=re.search(ippat, rrdata) if match: return match.group() #we will accept input such as google.com www.google.com. etc myhost=sys.argv[1] cleaned_myhost=myhost.split('.') if not cleaned_myhost[-1].endswith('.'): cleaned_myhost.extend('.') #flip list into format ['.','com','google' ,'www' ] cleaned_myhost.reverse() if '' in cleaned_myhost: cleaned_myhost.remove('') #Split into parts in reverse for easier querying ['.','com.', 'google.com.', www.google.com.'] i=1 while i < len(cleaned_myhost): if i==1: cleaned_myhost[i]=cleaned_myhost[i]+cleaned_myhost[i-1] else: cleaned_myhost[i]=cleaned_myhost[i]+'.'+cleaned_myhost[i-1] i+=1 print cleaned_myhost additional_ns=[] ##Step over reach domain part and query the NS in the glue record on parent domain for domain in cleaned_myhost[1:]: name_server=srootns ndomain = dns.name.from_text(domain) request = dns.message.make_query(ndomain, dns.rdatatype.NS) if additional_ns : name_server=choice(additional_ns) try: response = dns.query.udp(request, name_server, timeout=10) except dns.exception.Timeout: print 'Dns query timed out.' sys.exit(1) additional_ns=[] #Skip IPv6 for item in response.additional: if not 'IN AAAA' in item.to_text(): ip_ns=only_ip(item.to_text()) if ip_ns: additional_ns.append(only_ip(ip_ns)) # name_server=choice(additional_ns) if additional_ns: LNS=choice(additional_ns) print "Random NS: ", LNS print print "Querying name server: ", LNS #request = dns.message.make_query(myhost, dns.rdatatype.A) request = dns.message.make_query(myhost, int(RRTYPE)) try: response = dns.query.udp(request, LNS, timeout=10) except dns.exception.Timeout: print 'Dns query timed out.' sys.exit(1) for rrset in response.answer: print rrset
示例:
$python dig_trace.py www.baidu.com a Selected root name server: 192.203.230.10 ['.', 'com.', 'baidu.com.', 'www.baidu.com.'] Random NS: 192.48.79.30 Random NS: 220.181.37.10 Random NS: 180.149.133.241 Querying name server: 180.149.133.241 $ python dig_trace.py xxx.a.friendskaka.com any Selected root name server: 192.203.230.10 ['.', 'com.', 'friendskaka.com.', 'a.friendskaka.com.', 'xxx.a.friendskaka.com.'] Random NS: 192.43.172.30 Random NS: 106.11.141.113 Random NS: 45.77.39.243 Random NS: 45.77.39.243 Querying name server: 45.77.39.243 Dns query timed out.
这个东西实在是太有用了!因为可以通过Querying name server IP来判定是否为dns tunnel!!!
相应的dig trace类似功能:
$ dig xxx.a.friendskaka.com +trace
; <<>> DiG 9.10.3-P4-Ubuntu <<>> xxx.a.friendskaka.com +trace
;; global options: +cmd
. 251824 IN NS h.root-servers.net.
. 251824 IN NS k.root-servers.net.
. 251824 IN NS c.root-servers.net.
. 251824 IN NS i.root-servers.net.
. 251824 IN NS e.root-servers.net.
. 251824 IN NS g.root-servers.net.
. 251824 IN NS l.root-servers.net.
. 251824 IN NS f.root-servers.net.
. 251824 IN NS j.root-servers.net.
. 251824 IN NS d.root-servers.net.
. 251824 IN NS m.root-servers.net.
. 251824 IN NS b.root-servers.net.
. 251824 IN NS a.root-servers.net.
;; Received 228 bytes from 223.6.6.6#53(223.6.6.6) in 39 ms
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20180403170000 20180321160000 41824 . ROETRmN1GaacCAf834rGvPrUpWsGujhy9AHe9BAEs2l81pNmXLU2ftKo 2DCI+YWufP1kzvuIbIHaJi8gr3MFKzt92EA2fBQHXBrVznkMPK4xwsY/ vAciVIbc5SgFi5W+efDyjOvObXHjSxLm0JXaOAMenc+xCx/W/mBva7AI Fe8g/0skHdZoGaQuHCUUklKHluOksN8E0MbWZuU8jKOEWAiNXZyfzSCr xXsS5N66f/5iik0xFYKbfznzff70PDowOxnAsWr0KHeJvKv3afF9XYXl xcu5JtB1Z534X5A5SdDqadsZ0UydPMeaC6b725qoluALnSgsbpU5USHr xIxT9w==
;; Received 1181 bytes from 192.36.148.17#53(i.root-servers.net) in 231 ms
friendskaka.com. 172800 IN NS dns2.hichina.com.
friendskaka.com. 172800 IN NS dns1.hichina.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180329044627 20180322033627 46967 com. uvlOWKlub35L4vxf90cou126foZVxgd04uKGEk9118BgH0KReXWJNYTW tb8fpLuV+jPkL3tCjCjG5wxCWaI15J0Yeh0MSPQes2NFSNnxrxd09s6P Uo+7anhDgn4kJNIuDiAYp03B/e2j3rVNy0Ixnvz7FUE7r33pN0pW1M9n d68=
CO5FD8E5AURAOVOMCLOJRHU4BQPQO18S.com. 86400 IN NSEC3 1 1 0 - CO5GE18T10E6MHBQLNUH2P41UKL4V8R9 NS DS RRSIG
CO5FD8E5AURAOVOMCLOJRHU4BQPQO18S.com. 86400 IN RRSIG NSEC3 8 2 86400 20180327050411 20180320035411 46967 com. MQP16KcNpQJRi/HwBQGrHVYmV1zEQU15+hXslNaVl18hOCLZsKS3GAMz bdcLK03ygTV3Os+rGvvGjZaRIjNoFJukHAbJ5xuBe1pKnv00PlT/ZiF+ 2UJjEQzYzR3Scf1ni1TCSlCu8oLtrUanAVLqWz+o1pviZtHRGw8/Yff7 HGQ=
;; Received 837 bytes from 192.52.178.30#53(k.gtld-servers.net) in 171 ms
a.friendskaka.com. 600 IN NS ns.friendskaka.com.
;; Received 98 bytes from 140.205.41.23#53(dns1.hichina.com) in 31 ms
;; connection timed out; no servers could be reached