奇安信攻防社区-利用不实名域名加CDN实现隐藏C2

利用不实名域名加CDN实现隐藏C2

0x01
====

在freenom注册申请一个免费域名，注意需要美国身份。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-8c6330cd88ad1980778be9373537d6ed2792732a.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-8c6330cd88ad1980778be9373537d6ed2792732a.jpg)  
检查是否可用  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-63d1e90e2fc6e1fc53da7a66db13d143c699c62f.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-63d1e90e2fc6e1fc53da7a66db13d143c699c62f.jpg)  
看到是免费的  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a3ceab8788179e5ea71c649adcad721f181046f6.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a3ceab8788179e5ea71c649adcad721f181046f6.jpg)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6492f1dc09f9baea2c7a03dbc7b6b3b6cd1b4440.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6492f1dc09f9baea2c7a03dbc7b6b3b6cd1b4440.jpg)  
完成之后我们就申请到一个一年的免费域名  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-3972ce765e830a6eb98c2d42362704820b28848b.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-3972ce765e830a6eb98c2d42362704820b28848b.jpg)  
如果显示的是ACTIVE就说明可用  
现在就去到cloudflare去白嫖CDN加速  
也是需要注册  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-bf2147ef3112378483cadf1006b346ddfc45a826.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-bf2147ef3112378483cadf1006b346ddfc45a826.jpg)  
然后添加域名解析  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ed340311765089f728e2c94f77d83eb012aabc59.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ed340311765089f728e2c94f77d83eb012aabc59.jpg)  
关闭加密  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-c8ca077b7098b2b298f24cde8b128941a1a9745b.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-c8ca077b7098b2b298f24cde8b128941a1a9745b.jpg)  
添加规则  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-183919a8199565d10e6f2b6dd6eeae7abb08262e.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-183919a8199565d10e6f2b6dd6eeae7abb08262e.jpg)  
然后开启开发者模式，就可以实时收到返回的结果  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-847341a4271a4567c8cb0d86c238dac724912d46.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-847341a4271a4567c8cb0d86c238dac724912d46.jpg)  
然后去freenom添加nameservers  
现在就完成了大部分了  
开始启动CS

0x02
====

[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-1d76b55be080eb4c28894da247cdea59d1d98691.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-1d76b55be080eb4c28894da247cdea59d1d98691.jpg)  
开启之前我们现在服务器上开启策略，打开2095 50050端口（因为国内的服务器可能会禁止80 443这些端口的CDN加速，导致木马死活不上线）  
然后开启CS  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-47256723665cef1746170fd24fcfa181ae839157.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-47256723665cef1746170fd24fcfa181ae839157.jpg)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6d6b619c565764fe5b07becca57179d1a14bed30.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6d6b619c565764fe5b07becca57179d1a14bed30.jpg)  
创建监听器  
生成木马后运行  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-356349891207dca7987c908e8cc41a78bc670e90.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-356349891207dca7987c908e8cc41a78bc670e90.jpg)  
已上线，可以看到ip是CDN节点ip  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-41a2f442de98760b0afedac82450bf46c161915d.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-41a2f442de98760b0afedac82450bf46c161915d.jpg)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-9c2c8ca613bfbf097bbd827c4a0c6a641f56d685.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-9c2c8ca613bfbf097bbd827c4a0c6a641f56d685.jpg)  
wireshark抓包看  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-70278b79262afa7031f247d5a3c84194d8520686.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-70278b79262afa7031f247d5a3c84194d8520686.jpg)  
即使能看到域名，但不是实名域名。  
对于溯源增加了一些难度

发表于 2021-06-30 19:09:05
阅读 ( 5612 )
分类：渗透测试

利用不实名域名加CDN实现隐藏C2

0 条评论