This article divides DNS into two kinds, the DNS used by a host or embedded device and the DNS of a website's domain name, and describes the harm that follows once each has been compromised.
Part one: Router DNS hijacking
Your local network connection gets its DNS settings from the router. If one day your home router is compromised and the intruder changes the router's DNS setting, he can see your access records very clearly, such as the files you fetch and your traffic records. Since name resolution goes through DNS, we can build a DNS server of our own entirely and use it to carry out the attack.
1. How the router gets compromised
Attack method: CSRF against router vulnerabilities
CSRF
IE shipped a security patch that forbids URLs carrying HTTP authentication credentials, so this method no longer works against IE; it works perfectly with Firefox and Chrome. https://support.microsoft.com/zh-cn/kb/834489
Device vulnerability
A vulnerability has been disclosed in a Beacon Communication router that allows its DNS settings to be modified remotely:
http://www.exploit-db.com/exploits/28450/
2. Self-built DNS (Windows)
Here I use Microsoft's own DNS server (it can be replaced entirely by other products; this is just personal habit).
Configuring the hijacked domain name
myhack58.com
Forwarder configuration
Forwarders handle the DNS queries this server cannot answer itself. For example, this host only knows myhack58.com; baidu.com and the like are not present, so in that case a request for baidu.com is forwarded to the DNS server you configured for resolution. The DNS server I configured as the forwarder is 8.8.8.8.
Configuring the hijacked domain's A record
Just now only the domain name was entered into the DNS server; now the A record has to be added, for example I hijack www.myhack58.com to the local address 127.0.0.1.
The record I configure points at the IP of my VPS; for the test you can write 127.0.0.1, but for real use you must point the resolution at a public IP address. Otherwise the name resolves to 127.0.0.1, which is the client's own machine: the address cannot be reached and there is no way to work together with the reverse proxy.
Testing whether the DNS is configured successfully
You can test with nslookup, ping and so on.
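The nslookup/ping check above, turned into the check a defender would run against a resolver (an added example, not part of the original post): it decodes the A records in a raw DNS response and compares the answers of the resolver a host actually uses against a trusted reference, flagging loopback or RFC 1918 answers for a public name such as the 127.0.0.1 test above. The response bytes are constructed inline rather than captured, and the 203.0.113.x addresses are documentation placeholders standing in for the site's real address.

```python
# Added defender-side check: decode A records from a raw DNS response and compare them.
import ipaddress
import struct

# Answers that a public hostname should never carry: loopback and RFC 1918 space.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _skip_name(msg, off):
    # Advance past a DNS name; a 0xC0 compression pointer is two bytes and ends it.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # TYPE A
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def check_answers(name, local, trusted):
    """Flag non-routable answers and mismatches with the trusted resolver (CDNs may differ)."""
    findings = [f"{name}: local resolver answers non-routable {a}" for a in local
                if any(ipaddress.ip_address(a) in net for net in _NON_ROUTABLE)]
    if set(local) != set(trusted):
        findings.append(f"{name}: local {sorted(local)} != trusted {sorted(trusted)}")
    return findings

def build_response(name, addrs):
    """Constructed DNS response (not captured traffic) used to exercise the parser."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0) + qname + b"\0\x01\0\x01"
    for a in addrs:  # each answer points back (0xC00C) to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(a).packed
    return msg
```

In practice the two answer lists come from sending the same query to the host's configured resolver and to a resolver you trust; a mismatch is a lead to investigate, not proof by itself.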
The DNS is configured successfully. Although it now resolves to my server, can I only put up a local defaced page? Of course not: my goal is to replace the content of the page, for example by inserting JS, modifying a piece of text and so on.
Client configuration
Because I have no router at the company, I test directly on the client; normally the client's DNS setting comes from the router.
Once the configuration succeeds, you can open baidu.com to test whether it resolves and opens normally.
3. Reverse proxy setup
The role of the reverse proxy here is to take the request that DNS resolution of www.myhack58.com delivered to the VPS and proxy it on to the real site.
What we want to do is insert a section of JS into the page.
OpenResty introduction
Here we use OpenResty. OpenResty is based on Nginx: it bundles the standard Nginx core with many commonly used third-party modules. Nginx third-party modules have to be compiled in, which is rather annoying under Windows, so I simply found an openresty_for_windows build that already packages the third-party module I want, http_sub_module:
https://github.com/LomoX-Offical/nginx-openresty-windows
Use nginx -V to view the compiled-in third-party modules.
http_sub_module disadvantages
1. Only one rule can be used
2. Chinese is not supported
Reverse proxy configuration
Listen on port 80 of the VPS's public IP. The DNS query resolves the name to this host, port 80 listens on the VPS public IP, and the reverse proxy is for myhack58.com; in effect, the VPS public IP has become myhack58.com.
Open the /conf/nginx.conf file for configuration.
Using http_sub_module, replace the contents of the page.
Testing whether it succeeded
The DNS has already been set up and the name now pings, so let's look at the page source to see whether the content has been replaced.
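For the verification step above, the defender's mirror image (an added example, not part of the original post): compare the page as served through the suspected path with a copy fetched from the origin and list the script elements that appear only in the served copy, plus any external script whose host is not on the site's allowlist. The HTML snippets and the host proxy.example are constructed samples.

```python
# Added defender-side check: which <script> elements does the served copy of a page
# carry that the origin copy does not, and which external script hosts are foreign?
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) pairs for every <script> element in a document."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # list while inside <script>...</script>, else None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._buf = None

def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def injected_scripts(origin_html, served_html):
    """Scripts present in the served copy but absent from the origin copy."""
    baseline = collect_scripts(origin_html)
    return [s for s in collect_scripts(served_html) if s not in baseline]

def foreign_script_hosts(html, allowed_hosts):
    """External script sources whose host is not on the site's allowlist."""
    hosts = []
    for src, _ in collect_scripts(html):
        host = urlparse(src).hostname if src else None
        if host and host not in allowed_hosts:
            hosts.append(src)
    return hosts

# Constructed samples: the origin page, and the same page with scripts inserted in transit.
ORIGIN = '<html><head><script src="/static/app.js"></script></head><body><h1>sanr.org</h1></body></html>'
SERVED = ('<html><head><script src="/static/app.js"></script>'
          '<script src="http://proxy.example/safe.js"></script></head>'
          '<body><h1>sanr.org</h1><script>var injected = 1;</script></body></html>')
```

The origin copy must be fetched by IP from a path that bypasses the suspect resolver, otherwise both copies pass through the same proxy and the diff is empty.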
Configuring additional features
Now that the DNS plus reverse proxy configuration is complete, you can replace his page.
When configuring the reverse proxy in OpenResty you can also set many parameters, such as proxy_cache, proxy_header, proxy_send_timeout and proxy_read_timeout, if you need additional configuration; it depends on your own use.
Part two: DNS hijacking of a website's domain name
When you have obtained control of a domain through social engineering but your goal is to get a shell, you can set up a reverse proxy, which can be done in two ways.
A record hijacking demo
Directly change the hijacked domain's A record to point at your malicious reverse proxy. This time, however, the reverse proxy must be configured with an upstream, and the upstream must specify the IP address the domain originally resolved to. In the router DNS hijack no upstream was configured because the upper-level DNS could still resolve the hijacked domain to its real IP; here you have changed the A record itself to your malicious reverse proxy machine, so if you do not specify the real address, the proxy's own lookup of the name returns the malicious reverse proxy again, forming a dead loop, and the site never opens.
Domain A record hijacking
www.sanr.org 192.168.182.128
Reverse proxy 192.168.182.129
Why hijack the A record?
If you have gained control of the domain name through social engineering and want to get his back-office address or a cookie, this is what you need to do.
Currently I have control over sanr.org's DNS resolution. What we have to do now is point the www.sanr.org A record at 192.168.182.129, let the reverse proxy access the real IP (that is, 192.168.182.128), and insert a piece of JS code while the traffic passes through the reverse proxy.
Before I change the A record
Modify the domain A record
Point the domain name at the reverse proxy server 192.168.182.129.
Reverse proxy server setup (192.168.182.129)
Bind the domain name www.sanr.org on port 80 and specify 192.168.182.128 as the upstream address. You must specify an upstream: with only proxy_pass and no upstream, nginx automatically resolves the A record itself.
In the router DNS hijacking section upstream was not used because the IP in the domain's A record could still be obtained through proxy_pass.
Now, however, the domain's A record resolves to the reverse proxy machine itself (192.168.182.129). If you do not use upstream to specify the real IP address, proxy_pass resolves to the local IP and causes a dead loop, always resolving back to this machine.
The following is the reverse proxy configuration file.
Hijacking success
The Safe.js code was successfully implanted into sanr.org.
DNS hijacking
Same as router DNS hijacking: build your own DNS, then in that DNS configuration point the domain's A record at the malicious reverse proxy. The reverse proxy must still specify an upstream, just as in A record hijacking, or a dead loop results.
There is plenty of DNS server and reverse proxy software; it depends entirely on your habits, use whatever you like.
DNS (Windows): WinMyDNS, Microsoft's own DNS server
DNS (Linux): DNSChef, msfconsole auxiliary/server/fakedns, and many open-source projects such as PowerDNS and BIND
Reverse proxy: Squid, Varnish, Nginx or Nginx derivatives (Tengine, OpenResty)
The attack method is not limited to replacing web content or inserting JS. For example, when your router's DNS is hijacked, connecting to 3389 by entering a domain name also goes through DNS resolution, so I can hijack the A record to my own machine: the 3389 connection then lands on my machine, where Winlogonhack is installed to record the password. Winlogonhack has to be modified so that even wrong passwords are recorded, otherwise nothing is recorded.
Resolve www.baidu.com to my VPS host IP
DNS is in effect; resolving baidu.com also returns the IP of the VPS host.
Connecting to 3389 (in fact this is now my VPS IP)
As long as domain name resolution is involved, whether through the local host's DNS or the router's DNS, it can be hijacked in this way; the attack technique varies and depends on what you are doing.
This article is from the "Sanr" blog; please keep this source when reposting: http://0x007.blog.51cto.com/6330498/1725392
I hijack your DNS