Tunneling na DNS yana juya tsarin sunan yankin zuwa makami don hackers. DNS shine ainihin babban littafin waya na Intanet. DNS kuma shine ƙa'idar ƙa'idar da ke ba masu gudanarwa damar bincika bayanan uwar garken DNS. Ya zuwa yanzu komai ya bayyana a sarari. Amma ’yan damfara masu wayo sun fahimci cewa za su iya sadarwa a asirce da kwamfutar da abin ya shafa ta hanyar shigar da umarnin sarrafawa da bayanai cikin ka’idar DNS. Wannan ra'ayin shine tushen tunneling DNS.
Yadda DNS tunneling ke aiki
Duk abin da ke Intanet yana da nasa ƙa'idar daban. Kuma tallafin DNS yana da sauƙi nau'in amsa buƙatun. Idan kuna son ganin yadda yake aiki, zaku iya gudanar da nslookup, babban kayan aiki don yin tambayoyin DNS. Kuna iya neman adireshi ta hanyar tantance sunan yankin da kuke sha'awar, misali:
A cikin yanayinmu, ƙa'idar ta amsa tare da adireshin IP na yanki. Dangane da ka'idar DNS, na yi buƙatar adireshin ko abin da ake kira buƙatar. "A" irin. Akwai wasu nau'ikan buƙatun, kuma ka'idar DNS za ta amsa da wani nau'in filayen bayanai, wanda, kamar yadda za mu gani daga baya, za a iya amfani da su ta hanyar hackers.
Wata hanya ko wata, a ainihin sa, ka'idar DNS ta damu da aikawa da buƙatun zuwa uwar garken da mayar da martani ga abokin ciniki. Idan maharin ya ƙara ɓoye ɓoye cikin buƙatun sunan yanki fa? Misali, maimakon shigar da cikakken halal URL, zai shigar da bayanan da yake son watsawa:
Bari mu ce maharin yana sarrafa uwar garken DNS. Sannan yana iya watsa bayanai — bayanan sirri, misali—ba tare da an gano su ba. Bayan haka, me yasa tambayar DNS ba zato ba tsammani ta zama wani abu marar doka?
Ta hanyar sarrafa uwar garken, hackers na iya ƙirƙira martani da aika bayanai zuwa tsarin da aka yi niyya. Wannan yana ba su damar aika saƙonnin da aka ɓoye a fagage daban-daban na martanin DNS ga malware akan na'urar da ta kamu da cutar, tare da umarni kamar bincika cikin takamaiman babban fayil.
Bangaren "tunneling" na wannan harin shine bayanai da umarni daga ganowa ta tsarin sa ido. Hackers na iya amfani da base32, base64, da sauransu. saitin halayen, ko ma ɓoye bayanan. Irin wannan rufaffiyar za ta wuce ba tare da an gano ta ta hanyar sauƙaƙe abubuwan gano barazanar barazana waɗanda ke bincika bayanan da aka bayyana ba.
Kuma wannan shine tunneling DNS!
Tarihin harin tunneling DNS
Komai yana da mafari, gami da ra'ayin sace ka'idar DNS don dalilai na hacking. Kamar yadda za mu iya fada, na farko Oskar Pearson ne ya kai wannan harin akan jerin wasikun Bugtraq a cikin Afrilu 1998.
A shekara ta 2004, an gabatar da ramin DNS a Black Hat a matsayin dabarar hacking a cikin gabatarwa ta Dan Kaminsky. Don haka, ra'ayin da sauri ya girma ya zama kayan aikin kai hari na gaske.
A yau, tunneling na DNS ya mamaye matsayi mai aminci akan taswira (kuma ana yawan tambayar masu rubutun ra'ayin yanar gizo na tsaro don bayyana shi).
Shin kun ji labarin ? Wannan kamfen ne na ci gaba da ƙungiyoyin masu aikata laifuka ta yanar gizo-mafi yuwuwar samun tallafi na jihohi-don sace halaltattun sabar DNS don tura buƙatun DNS zuwa sabobin nasu. Wannan yana nufin ƙungiyoyi za su karɓi adiresoshin IP na "mara kyau" masu nuni zuwa shafukan yanar gizo na karya waɗanda masu kutse ke gudanarwa, kamar Google ko FedEx. Haka kuma, maharan za su samu damar samun bayanan masu amfani da su da kuma kalmomin shiga, wadanda ba da saninsu ba za su shigar da su a irin wadannan shafuka na bogi. Wannan ba ramin DNS ba ne, amma kawai wani mummunan sakamako na masu satar bayanai da ke sarrafa sabar DNS.
Barazana tunneling DNS
Tunneling DNS kamar mai nuna farkon matakin mummunan labari ne. Wadanne? Mun riga mun yi magana game da da yawa, amma bari mu tsara su:
- Fitar bayanai (exfiltration) – dan gwanin kwamfuta a asirce yana watsa mahimman bayanai akan DNS. Wannan ba shakka ba ita ce hanya mafi inganci don canja wurin bayanai daga kwamfutar da aka azabtar ba - yin la'akari da duk farashi da ɓoyewa - amma yana aiki, kuma a lokaci guda - a asirce!
- Umurni da Sarrafa (wanda aka takaice C2) - hackers suna amfani da ka'idar DNS don aika umarni masu sauƙi ta hanyar, ka ce, (Trojan Nesa, gajeriyar RAT).
- Tunneling IP-Over-DNS - Wannan na iya zama kamar mahaukaci, amma akwai abubuwan amfani waɗanda ke aiwatar da tari na IP akan buƙatun yarjejeniya da martani na DNS. Yana yin canja wurin bayanai ta amfani da FTP, Netcat, ssh, da sauransu. aiki mai sauƙi. Matukar ban tsoro!
Gano rami na DNS
Akwai manyan hanyoyi guda biyu don gano cin zarafi na DNS: nazarin kaya da nazarin zirga-zirga.
a lodi bincike Ƙungiyoyin da ke kare suna neman abubuwan da ba su dace ba a cikin bayanan da aka aika da baya da baya waɗanda za a iya gano su ta hanyoyin ƙididdiga: sunaye masu kama da baƙi, nau'in rikodin DNS wanda ba a yi amfani da shi sau da yawa, ko ɓoyewa mara kyau.
a nazarin zirga-zirga An kiyasta adadin buƙatun DNS ga kowane yanki idan aka kwatanta da matsakaicin ƙididdiga. Maharan da ke amfani da tunneling na DNS za su haifar da babban adadin zirga-zirga zuwa uwar garken. A ka'idar, ya fi mahimmanci fiye da musayar saƙon DNS na al'ada. Kuma wannan yana buƙatar kulawa!
DNS tunneling utilities
Idan kuna son gudanar da naku pentest kuma ku ga yadda kamfanin ku zai iya ganowa da amsa irin wannan aikin, akwai abubuwan amfani da yawa don wannan. Dukansu suna iya yin rami a cikin yanayin IP-Over-DNS:
- - akwai akan dandamali da yawa (Linux, Mac OS, FreeBSD da Windows). Yana ba ku damar shigar da harsashi na SSH tsakanin kwamfutoci masu manufa da sarrafawa. Wannan yana da kyau a kan kafawa da amfani da Iodine.
- - Ayyukan tunneling DNS daga Dan Kaminsky, wanda aka rubuta a cikin Perl. Kuna iya haɗa shi ta hanyar SSH.
- - "Ramin DNS wanda baya sa ku rashin lafiya." Yana ƙirƙiri rufaffen tashar C2 don aikawa / zazzage fayiloli, ƙaddamar da harsashi, da sauransu.
DNS saka idanu utilities
A ƙasa akwai jerin abubuwan amfani da yawa waɗanda za su yi amfani don gano harin tunnel:
- - Tsarin Python wanda aka rubuta don MercenaryHuntFramework da Mercenary-Linux. Yana karanta fayilolin pcap, yana fitar da tambayoyin DNS kuma yana yin taswirar ƙasa don taimakawa cikin bincike.
- – mai amfani Python wanda ke karanta fayilolin .pcap kuma yana nazarin saƙonnin DNS.
Micro FAQ akan tunneling na DNS
Bayani mai amfani ta hanyar tambayoyi da amsoshi!
Tambaya: Menene tunneling?
Game da: Hanya ce kawai don canja wurin bayanai akan ƙa'idar data kasance. Ƙa'idar da ke ƙasa tana ba da keɓaɓɓen tashoshi ko rami, wanda ake amfani da shi don ɓoye bayanan da ake watsawa.
Tambaya: Yaushe aka kai harin tunnel na DNS na farko?
Game da: Ba mu sani ba! Idan kun sani, don Allah ku sanar da mu. A iyakar saninmu, Oscar Piersan ne ya fara tattaunawa ta farko game da harin a cikin jerin aikawasiku na Bugtraq a cikin Afrilu 1998.
Tambaya: Wadanne hare-hare ne suke kama da tunneling na DNS?
Game da: DNS ya yi nisa da kawai yarjejeniya da za a iya amfani da ita don tunneling. Misali, umarni da sarrafawa (C2) malware suna yawan amfani da HTTP don rufe tashar sadarwa. Kamar yadda yake tare da tunnel na DNS, dan gwanin kwamfuta yana ɓoye bayanansa, amma a wannan yanayin yana kama da zirga-zirga daga mai binciken gidan yanar gizo na yau da kullum yana shiga wani wuri mai nisa (wanda maharin ke sarrafawa). Ana iya lura da wannan ta shirye-shiryen saka idanu idan ba a saita su don ganewa ba cin zarafin ka'idar HTTP don dalilai na hacker.
Kuna so mu taimaka tare da gano rami na DNS? Duba tsarin mu kuma gwada shi kyauta !
source: www.habr.com