Passive DNS in the hands of an analyst

The Domain Name System (DNS) is like a phone book that translates human-friendly names such as "ussc.ru" into IP addresses. Since DNS activity is present in almost every communication session, regardless of the application protocol, DNS logs are a key source of data for information security specialists: they make it possible to detect anomalies or obtain additional information about the system under investigation.

In 2004, Florian Weimer proposed a logging approach called Passive DNS, which makes it possible to retrieve the history of changes to DNS records, with indexing and search, so that the following data can be used:

  • Domain name
  • IP address that the requested domain name resolved to
  • Date and time of the response
  • Type of response (record type)
  • and so on

Data for Passive DNS is collected from recursive DNS servers, either with built-in tooling or by sniffing the responses coming from the DNS servers authoritative for the zone.


Figure 1. Passive DNS (taken from Ctovision.com)

An important property of Passive DNS is that client IP addresses do not need to be logged, which helps protect user privacy.

Currently there are many services that provide access to Passive DNS data:

  Service                Owner               Access                     API   Client available   Data collected since
  DNSDB                  Farsight Security   On request                 Yes   Yes                2010
  VirusTotal             VirusTotal          No registration required   Yes   Yes                2013
  PassiveTotal           RiskIQ              Free registration          Yes   Yes                2009
  Octopus                SafeDNS             On request                 Yes   No                 Only the last 3 months are shown
  SecurityTrails         SecurityTrails      No registration required   Yes   No                 2008
  Umbrella Investigate   Cisco               On request                 Yes   No                 2006

Table 1. Services providing access to Passive DNS data

Use cases for Passive DNS

Using Passive DNS you can build relationships between domain names, NS servers and IP addresses. This lets you draw a map of the system under investigation and track how that map changed from the moment it was first observed until now.

Passive DNS also simplifies the detection of anomalies in traffic. For example, tracking changes to a domain's NS servers and to its A and AAAA records lets you identify malicious domains that use the fast-flux technique, which is designed to hide C&C infrastructure from detection and blocking. Legitimate domain names (apart from those used for load balancing) do not change their IP address often, and most legitimate domains rarely change their NS servers.

Unlike direct subdomain enumeration with a wordlist, Passive DNS also lets you find exotic domain names, for example "222qmxacaiqaaaaazibq4aaidhmbqaaa0undefined7140c0.p.hoff.ru". It sometimes also reveals test (and vulnerable) versions of a website, development environments, and so on.
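As an added example (not from the original article), the following Python sketch applies the heuristic described above to a constructed set of passive-DNS records: a name that resolves to many short-lived addresses spread over unrelated /24 networks and whose NS servers change is flagged as a fast-flux candidate, while a stable load-balanced name is not. The record fields, names and addresses are constructed for illustration only.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records (name, rrtype, rdata, first_seen, last_seen)
# mirroring the fields the article lists; not real observations.
SAMPLE_PDNS = [
    # load-balanced but stable: two long-lived IPs in one /24, one NS set
    ("shop.example", "A", "203.0.113.10", "2019-06-01", "2019-08-01"),
    ("shop.example", "A", "203.0.113.11", "2019-06-01", "2019-08-01"),
    ("shop.example", "NS", "ns1.example", "2019-01-01", "2019-08-01"),
    # fast-flux style: many IPs, each seen for a day or two, across /24s
    ("flux.example", "A", "198.51.100.5", "2019-07-30", "2019-07-30"),
    ("flux.example", "A", "192.0.2.77", "2019-07-30", "2019-07-31"),
    ("flux.example", "A", "203.0.113.200", "2019-07-31", "2019-07-31"),
    ("flux.example", "A", "198.51.100.140", "2019-07-31", "2019-08-01"),
    ("flux.example", "A", "192.0.2.9", "2019-08-01", "2019-08-01"),
    ("flux.example", "NS", "ns1.flux.example", "2019-07-29", "2019-07-30"),
    ("flux.example", "NS", "ns7.other.example", "2019-07-31", "2019-08-01"),
]


def profile(records):
    """Summarise each name's A/NS history into fast-flux indicators."""
    prof = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(), "days": []})
    for name, rrtype, rdata, first, last in records:
        p = prof[name]
        if rrtype == "A":
            p["ips"].add(rdata)
            p["nets"].add(rdata.rsplit(".", 1)[0])  # /24 prefix of the answer
            lifetime = (date.fromisoformat(last) - date.fromisoformat(first)).days + 1
            p["days"].append(lifetime)  # how long this answer stayed valid
        elif rrtype == "NS":
            p["ns"].add(rdata)
    return prof


def fast_flux_candidates(records, min_ips=4, min_nets=3, max_avg_days=3, max_ns=1):
    """Flag names with many short-lived IPs in unrelated /24s whose NS set
    changed (more than max_ns distinct NS names seen in the history)."""
    flagged = []
    for name, p in profile(records).items():
        avg_days = sum(p["days"]) / len(p["days"]) if p["days"] else 0
        if (len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets
                and avg_days <= max_avg_days and len(p["ns"]) > max_ns):
            flagged.append(name)
    return sorted(flagged)
```

The thresholds are illustrative; tune them against the volume of queries your Passive DNS source actually sees.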

Investigating a link from an email using Passive DNS

Currently spam is one of the main ways an attacker gets onto a victim's computer or steals personal data. Let's try to investigate a link from such an email using Passive DNS to assess how effective this method is.


Figure 2. The email message

The link from this email led to the page magnit-boss.rocks, which offered to receive a bonus automatically and get money:


Figure 3. Page hosted on the domain magnit-boss.rocks

The RiskIQ API was used to investigate this site; it already has 3 ready-made clients, written in Python, Ruby and Rust.

First we retrieve the entire history of this domain name, using the command:

  pt-client pdns --query magnet-boss.rocks

This command returns information about all DNS resolutions associated with this domain name.


Figure 4. Response from the RiskIQ API

Let's bring the API response into a more readable form:


Figure 5. All entries from the response

For further analysis we took the IP addresses that this domain name resolved to at the time the email was received, 01.08.2019: these addresses are 92.119.113.112 and 85.143.219.65.

Using the command:

  pt-client pdns --query <IP address>

you can obtain all the domain names associated with the given IP address.
IP address 92.119.113.112 has 42 unique domain names that resolved to it, among them the following:

  • magnet-boss.club
  • igrovie-automaty.me
  • pro-x-audit.xyz
  • zep3-www.xyz
  • and others

IP address 85.143.219.65 has 44 unique domain names that resolved to it, among them the following:

  • cvv2.name (a site selling credit card data)
  • emails.world
  • www.mailru.space
  • and others

Links to these domain names lead to phishing, but we believe in good people, so let's try to get our bonus of 332 rubles. After clicking the "YES" button, the page asks us to transfer 501.72 rubles from a card to unlock the account and sends us to the page as-torpay.info to enter the details.


Figure 6. Main page of the site ac-pay2day.net

It looks like a legitimate site: there is an https certificate, and the main page offers to connect this payment system to your own website, but alas, none of the links work. This domain name resolves to only 1 IP address, 190.115.19.74. That address, in turn, has 1475 unique domain names resolving to it, including names such as:

  • ac-pay2day.net
  • ac-payfit.com
  • as-manypay.com
  • fletkass.net
  • as-magicpay.com
  • and others

As we can see, Passive DNS lets you quickly and efficiently gather information about the resource under investigation and even build a kind of map that exposes the whole personal-data theft scheme, from collection of the data to its possible sale.
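An added example, not from the article or the RiskIQ client: a Python function that performs the domain -> IP -> domain pivoting used above against a constructed stand-in for pt-client pdns --query results, building the map as a list of edges. It also skips addresses that host more names than a threshold, which is where pivots through CloudFlare-style shared infrastructure would otherwise explode; all names and addresses are made up.

```python
import ipaddress
from collections import deque

# Constructed stand-in for `pt-client pdns --query <value>`: each key is a
# domain or IP and maps to the names/addresses passive DNS links to it.
# All names and addresses are made up and not from the investigation.
PDNS = {
    "lure.example": ["192.0.2.10", "198.51.100.20"],
    "192.0.2.10": ["lure.example", "lure2.example", "cards.example"],
    "198.51.100.20": ["lure.example", "mail.example"],
    "cards.example": ["203.0.113.5"],
    "203.0.113.5": ["cards.example", "pay1.example", "pay2.example"],
    "mail.example": ["198.51.100.99"],
    # shared-hosting/CDN-like address: hundreds of unrelated names
    "198.51.100.99": ["site%d.example" % i for i in range(200)],
}


def pdns_query(value):
    """Hypothetical lookup standing in for the RiskIQ pdns query."""
    return PDNS.get(value, [])


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def pivot_map(seed, query=pdns_query, max_depth=4, max_names_per_ip=100):
    """Breadth-first pivot domain -> IP -> domains -> ... from `seed`.
    Returns (edges, skipped): undirected edges of the infrastructure map,
    and the IPs skipped because they host too many names to pivot on."""
    edges, pairs, skipped = [], set(), []
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        related = query(node)
        if is_ip(node) and len(related) > max_names_per_ip:
            skipped.append(node)  # shared hosting/CDN: not a useful pivot
            continue
        for other in related:
            if frozenset((node, other)) not in pairs:  # one edge per pair
                pairs.add(frozenset((node, other)))
                edges.append((node, other))
            if other not in seen:
                seen.add(other)
                queue.append((other, depth + 1))
    return edges, skipped
```

Feeding the edges into a graphing tool gives the kind of map shown in Figure 7; the skipped list tells you which pivots need manual review instead.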


Figure 7. Map of the system under investigation

Not everything is as rosy as we would like. For example, such investigations can easily break down on CloudFlare or similar services. And the effectiveness of the collected data depends heavily on the number of DNS queries that pass through the Passive DNS collection system. Nevertheless, Passive DNS is a source of additional information for the investigator.

Author: Specialist at the Ural Center for Security Systems

Source: www.habr.com
