安全牛学习笔记DNS协议隧道-iodineNCAT

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记DNS协议隧道-iodineNCAT相关的知识,希望对你有一定的参考价值。

DNS协议隧道-----iodine                            

基于DNS查询的隧道工具                             

与同类工具相比的优点                              

    - 对下行数据不进行编码,因此性能优            

    - 支持多平台:linuxBSDMac OSWindows     

    - 最大16个并发连接                            

    - 强制密码支持                                

    - 支持同网段隧道IP(不同于服务器、客户端网段)

    - 主持多种DNS记录类型                         

    - 丰富的隧道质量检测措施

DNS协议隧道-----iodine                    

运行服务器端                              

    - iodined -f -c 10.0.0.1 test.lab.com

    - -f:前段显示(可选)                

    - -c:不检查客户端IP地址              

    - IP:服务器端的隧道IP地址

[email protected]:~# iodined -f 10.0.0.1 test.lab.com

Enter password: 123

Openend dns0

Setting IP of dns0 10.0.0.1

Setting MTU of dns to 1130

Opened  IPv4 UDP socket

Listening to dns for domain test.lab.com

DNS协议隧道-----iodine                                          

运行客户端                                                     

    - iodined -f test.lab.com                                  

    - curl --socks5-hostname 127.0.0.1:7001 http://www.sina.com

隧道网络接口                                                   

    - 不基于资源的通用隧道,如同本网段内两台相邻的主机          

    - 服务器端和客户端分别生成隧道网络接口dns0                  

    - 隧道两端接口的IP地址应不同于客户端和服务器端网段          

    - 基于此隧道可嵌套其他隧道技术                              

      ssh -CfNg -D 7001 [email protected]

[email protected]:~$ sudo iodine -f test.lab.com

[sudo] password for yuanfh:

Enter password: 123

Opened dns0

OPened socket

Sending DNS queries for test.lab.com to 1.1.1.11

Autodetecting DNS query type (use -T to verride).

Using DNS type NULL queries

Version ok, both using protocol v 0x00000502. You are user #0

Setting IP of dns0 to 10.0.0.2

Autodetecting DNS query type (use -T to verride).

Using DNS type NULL queries

Version ok,both using protocol v 0x00000502. You are user #0

Setting IP of dns0 to 10.0.0.2

Setting MTU of dns0 to 1130

Server tunnel IP is 10.0.0.1

Testing rau UDP data to the server (skip with -r)

Server is at 192.168.1.110, trying raw login: ...falied

Using EDNS0 extension

Retrying upstream codec test...

Retrying upstream codec test...

Switching upstream to codec Base64

Server switched upstream to codec Base64

No alternative downstream codec available, using defaul (Raw)

Switching to lazy mode for low-latency

Server suitched to lazy mode

Autoptobing max downstream fragment size... (skip with -m fragsize)

...768 not ok.. ...384 not ok,, 192 ok.. ...238 not ok.. ...240not ok.. ...216 not ok..

252 not ok.. ...234 not ok.. ...231 not ok.. ...230 not ok.. ...will use 228-2=226

Setting downstream fragment size to max 226...

Connection setup complete, transmitting data.

iodine: Got SERVFAIL as reply: server failed or recursion timeout

iodine: Hmm, that‘s 1.your data should still go through...

iodine: Got SERVFAIL as reply: server failed or recursion timeout

iodine: Hmm, that‘s 2.your data should still go through...

iodine: Got SERVFAIL as reply: server failed or recursion timeout

iodine: Hmm, that‘s 3.your data should still go through...

iodine: Got SERVFAIL as reply: server failed or recursion timeout

iodine: Hmm, that‘s 4.your data should still go through...

iodine: Got SERVFAIL as reply: server failed or recursion timeout

iodine: I think 5 is too many. Setting interval to 1 to hopefully reduce SERVFAILs.

 But just ignore them if data still comes through. (Use -l1 next time on this network.)

iodine: Got SERVFAIL as reply: server failed or recursion timeout+2

[email protected]:~$ ssh [email protected]

The authenticity of host ‘10.0.0.1 (10.0.0.1)‘ can‘t be established

ECDSA key fingerpring is 6f:bf:fc:e5:d0:96:65:34:90:7d:81:06:b6:0e:4d:50

Are you sure want to continue connecting (yes/no)? yes

Warning: Premanetly added ‘10.0.0.1‘ (ECDSA) to the list of known hosts.

[email protected]‘s password:

The programs included with the Kali GNU/Linux system are freee software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright/

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

[email protected]:~# exit

logout

Connection to 10.0.0.1 closed.

[email protected]:~$ ssh -CfNg -D 7001 [email protected]

[email protected] password:

[email protected]:~$ netstat -pantu | grep 7001

(Not all processes could be identified,non-owned process info

 will not be shown, you would have to be root to see it all.)

tcp        0      0 127.0.0.1:7001        0.0.0.0:*           LISTEN      2748/ssh

tcp6       0      0 ::1:7001              :::*                LISTEN      2748/ssh

DNS协议隧道-----iodine                                        

安装TAP网卡驱动                                              

    - https://openvpn.net/index.php/open-source/downloads.html

    - 只安装TAP Virtual Ethernet Adapter 和所有依赖包         

Windows客户端                                                

    - http://code.kryo.se/iodine/                             

    - iodine -f test.lab.com                                  

建立SSH隧道

Openvpn 2.3.11-I001-i686.exe

只安装TAP Virtual Ethernet Adapter和Dependencies(Advanced)

NEXT

仍然继续

finish

http://code.kryo.se/iodine/

iodine 32bit

C:\>cd iodine

C:\iodine>iodine.exe -f test.lab.com

Enter password: 123

Opening device 本地连接 2

Opened IPv4 UDP socket

Opened IPv4 UDP socket

Sending DNS queries for test.lab.com to 127.0.0.1

Autodetectng DNS query type <use -T to override>.Opened IPv4 UDP socket

Using DNS type NULL queries

Version ok, both using protocol v x00000502. You are user #0

Enabling interface ‘本地连接 2‘

Setting IP of interface ‘本地连接 2‘ to 10.0.0.2 <can take a few seconds>...

确定。

Server tunnel IP is 10.0.0.1

Testing raw UDP data to the server <skip with -r>

Server is at 192.168.1.110, trying raw login:...failed

Retrying upstream codec test...

Retrying upstream codec test...

Retrying upstream codec test...

Switching upstream to codec Base64

Server switched upstream to codec Base64

No alternative downstream codec available, using defualt <Raw>

PuTTY Configuration

Connection/Session----->Host Name (or IP adress):10.0.0.1 , Port:22----->Connection/SSH/Tunnels----->Source port:7001 Add, Destjnation:10.0.0.1 , IPv4 , Dynamic ,Location port accept connections from other hosts , Remote ports do the same(SSH-2 only)----->Open

login as: root

[email protected]‘s password:

The programs included with the Kali GNU/Linux system are free softwere;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLVTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Thu May 26 19:13:04 2016 from 10.0.0.2

NCAT                                                       

被称为众多NC衍生版软件中最优的选择                          

代理功能                                                   

    - ncat -l 8080 --proxy-type http --proxy-auth user:pass

Broker中介功能                                             

    - AB不同但ACBC互通                                    

    - 服务器:ncat -l 3333 --broker                         

    - 客户端之间发送任何信息都会被hub到其他客户端           

    - 批量执行命令:ncat 1.1.1.1 --sh-exec "echo ‘pwd‘"     

    - 批量传文件:ncat --send-only 1.1.1.1 < inputfile

[email protected]:~# ncat -l 8080 --proxy-type http --proxy-auth user:pass

[email protected]:~# netstat -pantu | grep ncat

(Not all processes could be identified,non-owned process info

 will not be shown, you would have to be root to see it all.)

tcp        0      0 127.0.0.1:31337        0.0.0.0:*           LISTEN      2724/ncat

tcp6       0      0 ::1:31337              :::*                LISTEN      2724/ncat

[email protected]:~# netstat -pantu | grep 8080

(Not all processes could be identified,non-owned process info

 will not be shown, you would have to be root to see it all.)

tcp        0      0 127.0.0.1:8080        0.0.0.0:*           LISTEN      2734/ncat

tcp6       0      0 ::1:8080              :::*                LISTEN      2734/ncat

[email protected]:~# ncat

Ncat: You must specify a host to connect to. QUITING

[email protected]:~# ncat -l 333 --broker

A机器:[email protected]:~# ncat 127.0.0.1 333

B机器:[email protected]:~# ncat localhost 333

[email protected]:~# ncat 127.0.0.1 333 --sh-exec "echo ‘pwd‘"

[email protected]:~# ncat 127.0.0.1 333 --sh-exec "echo ‘mkdir a‘"

[email protected]:~# ncat 127.0.0.1 333 --sh-exec "echo ‘rm -fr a‘"

[email protected]:~# ncat --send-only 127.0.0.1 < inputfile

该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂

Security+认证为什么是互联网+时代最火爆的认证?


      牛妹先给大家介绍一下Security+


        Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。

       通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因?  

       原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。

      目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。

       原因二: IT运维人员工作与翻身的利器。

       在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。

        原因三:接地气、国际范儿、考试方便、费用适中!

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

        在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。

本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1971821

以上是关于安全牛学习笔记DNS协议隧道-iodineNCAT的主要内容,如果未能解决你的问题,请参考以下文章

安全牛学习笔记DNS信息收集-DIG

安全牛学习笔记DNS区域传输DNS字典爆破DNS注册信息

安全牛学习笔记DNS放大攻击

安全牛学习笔记DNS信息收集

安全牛学习笔记ptunnle

安全牛学习笔记HTTP协议