python dig trace 功能实现——通过Querying name server IP来判定是否为dns tunnel
dns tunnel确认方法,查询子域名最终的解析地址:
使用方法:python dig_trace.py "<7cf1e56b 67fc90f8 caaae86e 0787e907>.nsconcreteblock.info" any
Selected root name server: 192.203.230.10
['.', 'info.', 'nsconcreteblock.info.', '<7cf1e56b 67fc90f8 caaae86e 0787e907>.nsconcreteblock.info.']
Random NS: 199.254.31.1
Random NS: 199.249.121.1
Querying name server: 199.249.121.1
到微步查询 https://x.threatbook.cn/ip/199.249.121.1 可以看到 199.249.121.1 是钓鱼IP。
dig_trace.py 脚本内容:
from:https://github.com/danasmera/Python_scripts/blob/master/dig-trace.py
#!/usr/bin/env python
''' Similar to dig +trace except this script does not reply on name servers set on localhost '''
__author__ = "Daniel T."
__license__ = "GPL"
__version__ = "0.1.0"
__maintainer__ = "danasmera"
__email__ = "daniel@danasmera.com" import sys
from random import choice
import re
import signal try:
import dns.name
import dns.message
import dns.query
except ImportError:
print 'Module dns import error.'
sys.exit(1) def signal_handler(signal, frame):
print 'Ctrl+C pressed...exiting...'
sys.exit(0) signal.signal(signal.SIGINT, signal_handler) def Usage():
print sys.argv[0] + ' FQDN RecordType[A|MX|TXT|NS|ANY]'
print "Ex. " + sys.argv[0] + ' gmail.com mx'
sys.exit(1) mydict={'A':1 ,'NS':2,'MX':15,'TXT':16,'ANY':255} ARGC=len(sys.argv) if ARGC < 2:
Usage() RRTYPE='A' if ARGC<=2 else sys.argv[2].strip()
RRTYPE=RRTYPE.upper()
if RRTYPE in mydict: RRTYPE=mydict[RRTYPE]
else: sys.exit(1) #IPv4 pattern
ippat=r'\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}' #rootns=[chr(i)+'.root-servers.net' for i in range(ord('a'),ord('n'))]
rootns=( '198.41.0.4' , '192.228.79.201' , '192.33.4.12' , '199.7.91.13' , '192.203.230.10' , '192.5.5.241' , '192.112.36.4' , '128.63.2.53' , '192.36.148.20' ,'192.58.128.30' , '193.0.14.129' , '199.7.83.42' , '202.12.27.33' )
rootns = ('192.203.230.10',) # very useful and always no timeout
srootns=choice(rootns) print "Selected root name server: " , srootns def only_ip(rrdata):
match=re.search(ippat, rrdata)
if match: return match.group() #we will accept input such as google.com www.google.com. etc
myhost=sys.argv[1]
cleaned_myhost=myhost.split('.')
if not cleaned_myhost[-1].endswith('.'):
cleaned_myhost.extend('.') #flip list into format ['.','com','google' ,'www' ]
cleaned_myhost.reverse()
if '' in cleaned_myhost: cleaned_myhost.remove('') #Split into parts in reverse for easier querying ['.','com.', 'google.com.', www.google.com.']
i=1
while i < len(cleaned_myhost):
if i==1:
cleaned_myhost[i]=cleaned_myhost[i]+cleaned_myhost[i-1]
else:
cleaned_myhost[i]=cleaned_myhost[i]+'.'+cleaned_myhost[i-1]
i+=1 print cleaned_myhost
additional_ns=[] ##Step over reach domain part and query the NS in the glue record on parent domain for domain in cleaned_myhost[1:]:
name_server=srootns
ndomain = dns.name.from_text(domain)
request = dns.message.make_query(ndomain, dns.rdatatype.NS)
if additional_ns : name_server=choice(additional_ns)
try:
response = dns.query.udp(request, name_server, timeout=10)
except dns.exception.Timeout:
print 'Dns query timed out.'
sys.exit(1) additional_ns=[]
#Skip IPv6
for item in response.additional:
if not 'IN AAAA' in item.to_text():
ip_ns=only_ip(item.to_text())
if ip_ns: additional_ns.append(only_ip(ip_ns))
# name_server=choice(additional_ns)
if additional_ns:
LNS=choice(additional_ns)
print "Random NS: ", LNS print
print "Querying name server: ", LNS
#request = dns.message.make_query(myhost, dns.rdatatype.A)
request = dns.message.make_query(myhost, int(RRTYPE))
try:
response = dns.query.udp(request, LNS, timeout=10)
except dns.exception.Timeout:
print 'Dns query timed out.'
sys.exit(1) for rrset in response.answer:
print rrset
示例:
$python dig_trace.py www.baidu.com a
Selected root name server: 192.203.230.10
['.', 'com.', 'baidu.com.', 'www.baidu.com.']
Random NS: 192.48.79.30
Random NS: 220.181.37.10
Random NS: 180.149.133.241 Querying name server: 180.149.133.241 $ python dig_trace.py xxx.a.friendskaka.com any
Selected root name server: 192.203.230.10
['.', 'com.', 'friendskaka.com.', 'a.friendskaka.com.', 'xxx.a.friendskaka.com.']
Random NS: 192.43.172.30
Random NS: 106.11.141.113
Random NS: 45.77.39.243
Random NS: 45.77.39.243 Querying name server: 45.77.39.243
Dns query timed out.
这个东西实在是太有用了!因为可以通过Querying name server IP来判定是否为dns tunnel!!!
相应的dig trace类似功能:
$ dig xxx.a.friendskaka.com +trace
; <<>> DiG 9.10.3-P4-Ubuntu <<>> xxx.a.friendskaka.com +trace
;; global options: +cmd
. 251824 IN NS h.root-servers.net.
. 251824 IN NS k.root-servers.net.
. 251824 IN NS c.root-servers.net.
. 251824 IN NS i.root-servers.net.
. 251824 IN NS e.root-servers.net.
. 251824 IN NS g.root-servers.net.
. 251824 IN NS l.root-servers.net.
. 251824 IN NS f.root-servers.net.
. 251824 IN NS j.root-servers.net.
. 251824 IN NS d.root-servers.net.
. 251824 IN NS m.root-servers.net.
. 251824 IN NS b.root-servers.net.
. 251824 IN NS a.root-servers.net.
;; Received 228 bytes from 223.6.6.6#53(223.6.6.6) in 39 ms
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20180403170000 20180321160000 41824 . ROETRmN1GaacCAf834rGvPrUpWsGujhy9AHe9BAEs2l81pNmXLU2ftKo 2DCI+YWufP1kzvuIbIHaJi8gr3MFKzt92EA2fBQHXBrVznkMPK4xwsY/ vAciVIbc5SgFi5W+efDyjOvObXHjSxLm0JXaOAMenc+xCx/W/mBva7AI Fe8g/0skHdZoGaQuHCUUklKHluOksN8E0MbWZuU8jKOEWAiNXZyfzSCr xXsS5N66f/5iik0xFYKbfznzff70PDowOxnAsWr0KHeJvKv3afF9XYXl xcu5JtB1Z534X5A5SdDqadsZ0UydPMeaC6b725qoluALnSgsbpU5USHr xIxT9w==
;; Received 1181 bytes from 192.36.148.17#53(i.root-servers.net) in 231 ms
friendskaka.com. 172800 IN NS dns2.hichina.com.
friendskaka.com. 172800 IN NS dns1.hichina.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180329044627 20180322033627 46967 com. uvlOWKlub35L4vxf90cou126foZVxgd04uKGEk9118BgH0KReXWJNYTW tb8fpLuV+jPkL3tCjCjG5wxCWaI15J0Yeh0MSPQes2NFSNnxrxd09s6P Uo+7anhDgn4kJNIuDiAYp03B/e2j3rVNy0Ixnvz7FUE7r33pN0pW1M9n d68=
CO5FD8E5AURAOVOMCLOJRHU4BQPQO18S.com. 86400 IN NSEC3 1 1 0 - CO5GE18T10E6MHBQLNUH2P41UKL4V8R9 NS DS RRSIG
CO5FD8E5AURAOVOMCLOJRHU4BQPQO18S.com. 86400 IN RRSIG NSEC3 8 2 86400 20180327050411 20180320035411 46967 com. MQP16KcNpQJRi/HwBQGrHVYmV1zEQU15+hXslNaVl18hOCLZsKS3GAMz bdcLK03ygTV3Os+rGvvGjZaRIjNoFJukHAbJ5xuBe1pKnv00PlT/ZiF+ 2UJjEQzYzR3Scf1ni1TCSlCu8oLtrUanAVLqWz+o1pviZtHRGw8/Yff7 HGQ=
;; Received 837 bytes from 192.52.178.30#53(k.gtld-servers.net) in 171 ms
a.friendskaka.com. 600 IN NS ns.friendskaka.com.
;; Received 98 bytes from 140.205.41.23#53(dns1.hichina.com) in 31 ms
;; connection timed out; no servers could be reached
python dig trace 功能实现——通过Querying name server IP来判定是否为dns tunnel的更多相关文章
- 发一个比trace功能更强大debug工具,MonterDebugger
经常看到兄弟说trace不出东西啊,这样给你调试会带来很多不便:加入说我们需要将运行时的debug信息和之前某个版本的进行比对:又加入说我们需要在运行时通过debug动态调整显示对象的属性:查看当前整 ...
- Python实现截图功能你肯定不会吧?【面试必学】
前言本文的文字及图片来源于网络,仅供学习.交流使用,不具有任何商业用途,版权归原作者所有,如有问题请及时联系我们以作处理.作者:CyborgLin python实现截图功能. windows环境下.需 ...
- 【python库模块】Python subprocess模块功能与常见用法实例详解
前言 这篇文章主要介绍了Python subprocess模块功能与常见用法,结合实例形式详细分析了subprocess模块功能.常用函数相关使用技巧. 参考 1. Python subprocess ...
- Python实现截图功能
Python实现截图功能 Windows环境下需要用到PIL库,使用pip安装PIL库: pip install Pillow 安装完成,截图方法代码: from PIL import ImageGr ...
- 使用java动态字节码技术简单实现arthas的trace功能。
参考资料 ASM 系列详细教程 编译时,找不到asm依赖 用过[Arthas]的都知道,Arthas是alibaba开源的一个非常强大的Java诊断工具. 不管是线上还是线下,我们都可以用Arthas ...
- 搭建带热更新功能的本地开发node server
引言 使用webpack有一段时间了,对其中的热更新的大概理解是:对某个模块做了修改,页面只做局部更新而不需要刷新整个页面来进行更新.这样就能节省因为整个页面刷新所产生开销的时间,模块热加载加快了开发 ...
- python实现curl功能
之前写过一篇文章关于python CURL模块的,在这里我们从urllib来实现同样的功能.具体代码如下: import urllib import urllib2 import json #发起请求 ...
- 利用PYTHON设计计算器功能
通过利用PYTHON 设计处理计算器的功能如: 1 - 2 * ( (60-30 +(-40/5) * (9-2*5/3 + 7 /3*99/4*2998 +10 * 568/14 ))- (-4*3 ...
- python专题-爬虫功能
在我们日常上网浏览网页的时候,经常会看到一些好看的图片,我们就希望把这些图片保存下载,或者用户用来做桌面壁纸,或者用来做设计的素材. 我们最常规的做法就是通过鼠标右键,选择另存为.但有些图片鼠标右键的 ...
随机推荐
- IDEA将Maven项目中src源代码下的xml配置文件编译进classes
遇到这样的情况,maven项目启动报错,src中某个包下面的xml文件找不到. eclipse编译项目会自动将xml配置文件编译进classes,IDEA却不行 在报错项目的pom.xml文件中添加: ...
- (一)java集合框架——Iterable
Iterable接口是java 集合框架的顶级接口,实现此接口使集合对象可以通过迭代器遍历自身元素,我们可以看下它的成员方法 修饰符和返回值 方法名 描述 Iterator<T> iter ...
- Relocation(状压DP)
Description Emma and Eric are moving to their new house they bought after returning from their honey ...
- 74. Spring Data JPA方法定义规范【从零开始学Spring Boot】
[从零开始学习Spirng Boot-常见异常汇总] 事情的起因:有人问过我们这个这个问题:为什么我利用Spring data jpa写的方法没有按照我想要的情况进行执行呢?我记得当时只是告诉他你你先 ...
- NYOJ760-See LCS again,有技巧的暴力!
See LCS again 时间限制:1000 ms | 内存限制:65535 KB 难度:3 描述 There are A, B two sequences, the number of ele ...
- ZOJ 2588 求割边问题
题目链接:http://vjudge.net/problem/viewProblem.action?id=14877 题目大意: 要尽可能多的烧毁桥,另外还要保证图的连通性,问哪些桥是绝对不能烧毁的 ...
- vim—基本命令1
---------------------------------------------------------------2015.07.27 :b 1 -> 切换到当前缓冲区 :2 4 ...
- iOS tableview上textView在编辑状态时,tableview自动上移的功能
在viewcognroller中,添加tableview时, tableview中cell上的textField如果吊起键盘时,tableview时可以自动上移,但是如果是textView吊起键盘,t ...
- 前端学习之-- DOM
Dom == document 1:查找 1:直接查找 document.getElementById('i1') # 根据ID获取一个标签(获取单个元素) document.getElementsB ...
- 没啥用,更换注册表信息使webbrower选择适合的版本
/// <summary> /// 修改注册表信息来兼容当前程序 /// /// </summary> ...