Passive DNS in the hands of an analyst

The Domain Name System (DNS) works like a phone book: it translates human-readable names such as "ussc.ru" into IP addresses. Because DNS takes part in practically every stage of network communication, whatever the application protocol, DNS logs are an important source of information for a security analyst: they let you spot anomalies and obtain additional data about the system under investigation.

In 2004, Florian Weimer proposed a logging technique called Passive DNS, which makes it possible to reconstruct the history of changes in DNS data and to search through it. This gives you access to:

  • the domain name
  • the IP address (or other data) the queried name resolved to
  • the date and time of the response
  • the record type of the response
  • and so on.

Passive DNS data is collected on recursive DNS servers, either by modules built into the resolver or by capturing the responses the resolver receives from authoritative DNS servers.

Figure 1. Passive DNS (image taken from ctovision.com)

A distinctive feature of Passive DNS is that the client's IP address is not recorded at all: only the question and the answer seen between the resolver and the authoritative server are kept, which helps protect the privacy of users.

Today there are many services that provide access to Passive DNS data:

Service              | Company           | Access                   | API | Ready-made clients | Data collected since
DNSDB                | Farsight Security | On request               | Yes | Yes                | 2010
VirusTotal           | VirusTotal        | No registration required | Yes | Yes                | 2013
PassiveTotal         | RiskIQ            | Free registration        | Yes | Yes                | 2009
Okutapasi            | Chitetezo         | On request               | Yes | No                 | Only the last three months are shown
SecurityTrails       | SecurityTrails    | No registration required | Yes | No                 | 2008
Umbrella Investigate | Cisco             | On request               | Yes | No                 | 2006

Table 1. Services providing Passive DNS data

Use cases for Passive DNS

With Passive DNS you can establish relationships between domain names, NS servers and IP addresses. This lets you build a map of the infrastructure under study and watch how that map has changed from the moment the infrastructure was first seen up to the present.

Passive DNS also makes it easier to detect malicious infrastructure. For example, tracking changes to a zone's NS records and to its A and AAAA records lets you identify malicious domains that use fast flux, a technique designed to hide C&C servers from detection and blocking. The signal works because legitimate domains (apart from those behind load balancers and CDNs) do not change their IP addresses often, and most legitimate domains never change their NS servers at all.
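The heuristic described above, written out as an added example (this is not code from the original article). The passive DNS records are constructed: the names live under the reserved .test TLD, the addresses come from the documentation ranges, and the thresholds are illustrative assumptions rather than published detection rules. The example goes slightly beyond the text by counting distinct networks instead of distinct addresses, so that several addresses inside one hosting block are not mistaken for flux.

```python
"""Fast-flux heuristic over passive DNS records.

Added example, not code from the original article. The records are constructed
(hypothetical names under the reserved .test TLD, documentation IP ranges) and
the thresholds are illustrative assumptions, not published detection rules.
"""
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import median

# Each record: (name, record type, value, first seen, last seen), ISO dates.
# This is the minimum that every passive DNS service in Table 1 returns.
RECORDS = [
    # Legitimate-looking site: one address and one NS set, stable for 18 months.
    ("shop.legit.test", "A", "203.0.113.10", "2018-01-05", "2019-08-01"),
    ("legit.test", "NS", "ns1.legit.test", "2018-01-05", "2019-08-01"),
    ("legit.test", "NS", "ns2.legit.test", "2018-01-05", "2019-08-01"),
    # Flux-like C&C name: many addresses, each seen for a day or less, spread
    # over unrelated networks, and the zone moved name servers twice.
    ("cnc.flux.test", "A", "198.51.100.7", "2019-07-28", "2019-07-28"),
    ("cnc.flux.test", "A", "198.51.100.9", "2019-07-28", "2019-07-29"),
    ("cnc.flux.test", "A", "192.0.2.33", "2019-07-29", "2019-07-29"),
    ("cnc.flux.test", "A", "203.0.113.77", "2019-07-30", "2019-07-30"),
    ("cnc.flux.test", "A", "192.0.2.180", "2019-07-31", "2019-07-31"),
    ("cnc.flux.test", "AAAA", "2001:db8:1::5", "2019-07-31", "2019-08-01"),
    ("flux.test", "NS", "ns1.first-host.test", "2019-07-20", "2019-07-25"),
    ("flux.test", "NS", "ns1.second-host.test", "2019-07-25", "2019-07-29"),
    ("flux.test", "NS", "ns1.third-host.test", "2019-07-29", "2019-08-01"),
]


def zone_of(name):
    """Approximate the registrable zone as the last two labels.
    A real tool should consult the public suffix list; this is a simplification."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def prefix_of(ip):
    """Coarse network key (/24 for IPv4, /48 for IPv6) so that several addresses
    inside one hosting block count as one network rather than many."""
    bits = 24 if ip_address(ip).version == 4 else 48
    return str(ip_network(f"{ip}/{bits}", strict=False))


def lifetime_days(first_seen, last_seen):
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def flux_profile(records, name):
    """Summarise the address and name-server history of one name."""
    addrs = [r for r in records if r[0] == name and r[1] in ("A", "AAAA")]
    ns = [r for r in records if r[0] == zone_of(name) and r[1] == "NS"]
    return {
        "unique_ips": len({r[2] for r in addrs}),
        "unique_networks": len({prefix_of(r[2]) for r in addrs}),
        "median_lifetime_days": median(lifetime_days(r[3], r[4]) for r in addrs) if addrs else 0,
        # Each distinct date on which a new NS record first appeared after the
        # initial delegation counts as one delegation change.
        "ns_changes": max(len({r[3] for r in ns}) - 1, 0),
    }


def looks_fast_flux(profile, min_networks=3, max_lifetime_days=1, min_ns_changes=2):
    """Illustrative rule: short-lived addresses across several networks, or
    repeated NS changes. Tune the thresholds against known CDN traffic first,
    otherwise load-balanced legitimate sites will trip the first condition."""
    flux_addrs = (profile["unique_networks"] >= min_networks
                  and profile["median_lifetime_days"] <= max_lifetime_days)
    return flux_addrs or profile["ns_changes"] >= min_ns_changes


if __name__ == "__main__":
    for name in ("shop.legit.test", "cnc.flux.test"):
        p = flux_profile(RECORDS, name)
        print(f"{name}: {p} -> fast flux? {looks_fast_flux(p)}")
```

On the constructed data the legitimate name yields one address in one network with a lifetime of well over a year and no NS changes, while the C&C name yields six addresses in four networks with a median lifetime of zero days and two NS changes. The CDN exception the text mentions is exactly why the address rule is paired with a network count and should be calibrated before being used for blocking.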

Unlike direct subdomain enumeration with a wordlist, Passive DNS lets you discover highly unusual names, for example "222qmxacaiqaaaaazibq4aaidhmbqaaa0undefined7140c0.p.hoff.ru". It also lets you find a site's test (and often vulnerable) domains, the versions of software in use, and much more.

Analysing a link from an email with Passive DNS

Spam is currently one of the main ways an attacker gets onto a victim's computer or steals confidential data. Let's try to investigate a link from one such email with Passive DNS and see how the method helps.

Figure 2. The spam email

The link in the email led to the site magnit-boss.rocks, which offered to collect bonuses and receive money:

Figure 3. The site at the domain magnit-boss.rocks

To study this site we used the RiskIQ API, which has three ready-made clients: Python, Ruby and Rust.

First we retrieve the full history of this domain name, using the command:

pt-client pdns --query magnit-boss.rocks

This command returns information on all DNS records associated with the domain name.

Figure 4. Response from the RiskIQ API

Let's bring the API response into a more readable form:

Figure 5. All records from the response

For further investigation we took the IP addresses the domain name resolved to at the time the email was received, 01.08.2019: 92.119.113.112 and 85.143.219.65.

Using the same command with an IP address as the query:

pt-client pdns --query <IP address>

you can retrieve all domain names associated with the given IP address.
The IP address 92.119.113.112 has 42 unique names that resolved to it, among them:

  • magnet-boss.club
  • igrovie-automaty.me
  • pro-x-audit.xyz
  • zep3-www.xyz
  • and others

The IP address 85.143.219.65 has 44 unique names that resolved to it, among them:

  • cvv2.name (a site selling credit card data)
  • maimelo.world
  • www.mailru.space
  • and others

Everything about these names points to phishing, but let's give the kind-hearted people the benefit of the doubt and try to collect the 332-ruble bonus. After the "YES" button is clicked, the site asks us to transfer 501.72 rubles from a card "to unlock the account" and redirects us to as-torpay.info to enter the card data.

Figure 6. Main page of the site ac-pay2day.net

It looks like a legitimate site: there is an HTTPS certificate, and the main page offers to connect this payment system to your own website, but, unfortunately, none of the "connect" links work. This domain name resolved to only one IP address, 190.115.19.74. That address in turn has 1475 unique names resolving to it, including:

  • ac-pay2day.net
  • ac-payfit.com
  • as-manypay.com
  • fletkass.net
  • as-magicpay.com
  • and others

As we can see, Passive DNS lets you quickly and efficiently collect information about the object under study and build a kind of graph that exposes the whole scheme for stealing your data, from the initial lure to the place where the stolen data is sold.
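The pivoting done by hand above (domain, then the addresses it resolved to on the day of the email, then the names co-hosted on those addresses, and so on) can be automated over the JSON the client returns. The following is an added example, not code from the original article or from the RiskIQ client. Its records are constructed (hypothetical .test names and documentation IP ranges) in a shape modelled on the PassiveTotal passive DNS response; the field names value, resolve, recordType, firstSeen and lastSeen are an assumption, so map them to whatever your service actually returns. It also adds the one guard a practitioner needs and the text does not show: an address hosting hundreds of unrelated names (shared hosting, a CDN front) is not expanded, because pivoting through it would connect the seed to everything.

```python
"""Name -> IP -> name pivoting over a passive DNS response.

Added example, not code from the original article or the RiskIQ client. The
records are constructed (hypothetical .test names, documentation IP ranges) in
a shape modelled on the PassiveTotal passive DNS response; the field names
value, resolve, recordType, firstSeen and lastSeen are an assumption.
"""
import json


def rec(name, ip, first_seen, last_seen, rtype="A"):
    return {"value": name, "resolve": ip, "recordType": rtype,
            "firstSeen": first_seen, "lastSeen": last_seen}


# Constructed data: a lure domain with two current addresses and one old one,
# names co-hosted on those addresses, one of which later moved to a second
# "payment" host, and a shared hosting address carrying 150 unrelated sites.
PDNS_RESPONSE = json.dumps({"results": [
    rec("lure.test", "192.0.2.10", "2019-07-15", "2019-08-05"),
    rec("lure.test", "198.51.100.20", "2019-07-20", "2019-08-10"),
    rec("lure.test", "203.0.113.5", "2019-01-01", "2019-03-01"),
    rec("lure-v2.test", "192.0.2.10", "2019-07-01", "2019-08-10"),
    rec("casino.test", "192.0.2.10", "2019-06-01", "2019-08-10"),
    rec("cards.test", "198.51.100.20", "2019-05-01", "2019-08-10"),
    rec("mail-look.test", "198.51.100.20", "2019-07-01", "2019-08-10"),
    rec("cards.test", "198.51.100.21", "2019-08-02", "2019-08-10"),
    rec("payment.test", "198.51.100.21", "2019-06-01", "2019-08-10"),
    rec("cards.test", "203.0.113.99", "2019-08-01", "2019-08-10"),
] + [rec(f"site{i}.shared.test", "203.0.113.99", "2019-01-01", "2019-08-10")
     for i in range(150)]})


def load_records(raw):
    return json.loads(raw)["results"]


def ips_for(records, name, day=None):
    """Addresses a name resolved to. With `day`, keep only records whose
    firstSeen..lastSeen window covers that ISO date (plain string comparison
    is correct for zero-padded ISO dates)."""
    return sorted({r["resolve"] for r in records
                   if r["value"] == name and r["recordType"] in ("A", "AAAA")
                   and (day is None or r["firstSeen"] <= day <= r["lastSeen"])})


def names_for(records, ip):
    """Every name ever seen resolving to an address."""
    return sorted({r["value"] for r in records
                   if r["resolve"] == ip and r["recordType"] in ("A", "AAAA")})


def pivot(records, seed, day, depth=2, max_shared=100):
    """Breadth-first pivot. The first hop uses the addresses current on `day`
    (as the article did with the date of the email); later hops use the full
    history. Addresses hosting more than `max_shared` names are returned in
    `skipped` and not expanded: shared hosting and CDN fronts connect
    everything to everything, so pivoting through them only produces noise."""
    seen, edges, skipped = {seed}, [], []
    frontier = [seed]
    for hop in range(depth):
        next_frontier = []
        for name in frontier:
            for ip in ips_for(records, name, day if hop == 0 else None):
                edges.append((name, ip))
                co_hosted = names_for(records, ip)
                if len(co_hosted) > max_shared:
                    skipped.append(ip)
                    continue
                for other in co_hosted:
                    if other not in seen:
                        seen.add(other)
                        edges.append((ip, other))
                        next_frontier.append(other)
        frontier = next_frontier
    return sorted(seen - {seed}), edges, sorted(set(skipped))


if __name__ == "__main__":
    records = load_records(PDNS_RESPONSE)
    names, edges, skipped = pivot(records, "lure.test", "2019-08-01")
    print("related names:", names)
    print("edges:", edges)
    print("not expanded (shared hosting):", skipped)
```

Run on the constructed data, the pivot from lure.test reaches the co-hosted casino and card sites after one hop and the "payment" host after two, while the address carrying 150 unrelated sites is reported but not expanded. The edge list is what you would feed into a graph tool to draw a map like the one in Figure 7; the `max_shared` threshold is the knob to turn when an investigation runs into a CDN.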

Figure 7. Map of the scheme under investigation

Not everything is as rosy as we would like. For example, an investigation of this kind can easily run aground on CloudFlare or similar services, where thousands of unrelated names sit behind the same addresses. And the usefulness of the collected database depends heavily on the volume of DNS traffic passing through the Passive DNS collection sensor. Nevertheless, Passive DNS is a valuable additional source of information for the analyst.

Author: analyst at the Ural Center for Security Systems

Source: www.habr.com
