Showing posts with label DNS. Show all posts

Sunday, April 13, 2014

FakeNet - Windows Network Simulation tool for Malware Analysis


FakeNet is a tool that aids in the dynamic analysis of malicious software.  The tool simulates a network so that malware interacting with a remote host continues to run, allowing the analyst to observe the malware's network activity from within a safe environment.  The goals of the project are to:
  1. Be easy to install and use; the tool runs on Windows and requires no 3rd party libraries
  2. Support the most common protocols used by malware
  3. Perform all activity on the local machine to avoid the need for a second virtual machine
  4. Provide python extensions for adding new or custom protocols
  5. Keep the malware running so that you can observe as much of its functionality as possible
  6. Have a flexible configuration, but no required configuration
The tool is in the early stages of development.  We started working on the tool in January 2012 and we intend to maintain the tool and add new and useful features.  If you find a bug or have a feature you think would improve the tool, please contact us.

Features
  • Supports DNS, HTTP, and SSL
  • HTTP server always serves a file and tries to serve a meaningful file; if the malware requests a .jpg then a properly formatted .jpg is served, etc.  The files being served are user configurable.
  • Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
  • Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
  • Built in ability to create a capture file (.pcap) for packets on localhost.
  • Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.
Demo Video
A video demo of version 0.9 of the tool in action is available.

How it works
FakeNet uses a variety of Windows and third-party libraries.  It uses a custom HTTP server and a custom DNS server to respond to those requests.  It uses OpenSSL to wrap any connection with SSL.  It uses a Winsock Layered Service Provider (LSP) to redirect traffic to the localhost and to listen for traffic on new ports.  It uses Python 2.7 for the Python extensions.  And it creates the .pcap file by reconstructing a packet header based on the traffic seen in send/recv calls.
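The "always serve a meaningful file" behaviour from the feature list, written out as an added example. This is my code, not FakeNet's (FakeNet is a Windows binary with Python extensions); it only shows the idea. The directory name fakehttp_files, the port 8080, the Content-Type table and the stub bodies are assumptions, and the stubs carry only the leading magic bytes a naive type check looks for, not complete files.

```python
"""Catch-all HTTP responder in the spirit of FakeNet's HTTP server: every request gets
a 200 reply whose body is chosen by the requested extension, so a sample that checks
the file's magic bytes keeps running.  Added example; not FakeNet's code."""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Analyst-supplied files, looked up as SERVE_DIR/default<ext> (layout is an assumption).
SERVE_DIR = os.environ.get("FAKEHTTP_DIR", "fakehttp_files")

# Built-in fallbacks: just enough leading magic to pass a naive type check.
# Constructed placeholders, NOT complete or loadable files.
STUBS = {
    ".jpg":  ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"),
    ".png":  ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ".gif":  ("image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"),
    ".exe":  ("application/octet-stream", b"MZ" + b"\x00" * 62),
    ".dll":  ("application/octet-stream", b"MZ" + b"\x00" * 62),
    ".pdf":  ("application/pdf", b"%PDF-1.4\n%%EOF\n"),
    ".txt":  ("text/plain", b"fakenet\n"),
}
STUBS[".jpeg"] = STUBS[".jpg"]
DEFAULT = ("text/html", b"<html><body>ok</body></html>\n")


def pick_response(path):
    """(content_type, body) for a request path such as '/a/b/update.jpg?x=1'.
    Order: analyst file for the extension, then built-in stub, then a generic HTML page."""
    ext = os.path.splitext(urlparse(path).path)[1].lower()
    ctype, body = STUBS.get(ext, DEFAULT)
    custom = os.path.join(SERVE_DIR, "default" + ext)
    if ext and os.path.isfile(custom):
        with open(custom, "rb") as fh:
            body = fh.read()
    return ctype, body


class CatchAllHandler(BaseHTTPRequestHandler):
    def _reply(self):
        # A POST body is often the beacon or exfiltrated data: read it and show the start.
        length = int(self.headers.get("Content-Length") or 0)
        body_in = self.rfile.read(length) if length else b""
        ctype, body = pick_response(self.path)
        print(f"{self.client_address[0]} {self.command} {self.path} -> {ctype} ({len(body)} bytes)"
              + (f" body={body_in[:64]!r}" if body_in else ""))
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_POST = do_HEAD = _reply

    def log_message(self, *args):      # keep stderr quiet; the print above is our log line
        pass


if __name__ == "__main__":
    # Loopback only: a sandbox aid, never something to expose on a real interface.
    HTTPServer(("127.0.0.1", 8080), CatchAllHandler).serve_forever()
```

The interesting output for the analyst is the printed request line, not the served file: URL paths, query strings and POST bodies are where a sample's identifiers and beacon format show up. To mimic FakeNet more closely the server would also have to be reached for hard-coded IPs, which is what its LSP redirection does and what a hosts-file entry or iptables/NAT rule does in a Linux sandbox.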

Monday, March 31, 2014

DNSCrypt - A tool for securing communications between a client and a DNS resolver


dnscrypt-proxy provides a local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server.

The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.

While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.


Thursday, March 27, 2014

DNSQuerySniffer - DNS Queries Sniffer


DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records. 


You can easily export the DNS queries information to csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard, and then paste them into Excel or other spreadsheet application.



Wednesday, March 12, 2014

[QuickSetDNS] Quickly change DNS servers of your Internet connection


QuickSetDNS is a simple tool that allows you to easily change the DNS servers that are used for your Internet connection. You can set the desired DNS servers from the user interface, by choosing from a list of DNS servers that you defined, or from command-line, without displaying any user interface.

System Requirements
This utility works on any version of Windows, starting from Windows 2000 and up to Windows 8. Both 32-bit and 64-bit systems are supported.

Versions History
  • Version 1.01:
    • Added 'Router DNS' item, which allows you to choose the internal DNS server of your router.
  • Version 1.00 - First release.

Start Using QuickSetDNS

QuickSetDNS doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - QuickSetDNS.exe


After running QuickSetDNS, the main window allows you to easily choose the desired DNS servers to use on your Internet connection, by using the 'Set Active DNS' option (F2). By default, QuickSetDNS provides only one alternative: the public DNS servers of Google - 8.8.8.8 and 8.8.4.4 

You can easily add more DNS servers to the list by using the 'New DNS Server' option (Ctrl+N).


If the 'Automatic DNS' option is selected, then the DNS server information is received from your router automatically, using DHCP.

If you have multiple network adapters, you may need to choose the correct network adapter from the combo-box located just below the toolbar of QuickSetDNS. 
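What QuickSetDNS does from its user interface can also be scripted. The following is an added example of mine, not QuickSetDNS's code, and netsh as the mechanism is my choice (the post does not say how QuickSetDNS itself applies the change): it builds the netsh commands for a static resolver list, or for going back to DHCP-supplied resolvers as the 'Automatic DNS' option does, validates the addresses first, and runs them only when asked. The adapter name Ethernet and the --apply switch are assumptions.

```python
"""Set a Windows adapter's resolvers with netsh, the same end result QuickSetDNS reaches
from its UI.  Added example, not QuickSetDNS's code; netsh as the mechanism is my choice,
the post does not say how QuickSetDNS applies the change."""
import ipaddress
import subprocess
import sys


def build_netsh_commands(adapter, servers):
    """netsh argv lists that apply the resolver list; an empty list means 'Automatic DNS'
    (take the resolvers from DHCP again, as QuickSetDNS's Automatic DNS option does)."""
    base = ["netsh", "interface", "ipv4"]
    if not servers:
        return [base + ["set", "dnsservers", f"name={adapter}", "source=dhcp"]]
    cmds = []
    for index, server in enumerate(servers, start=1):
        ip = ipaddress.ip_address(server)          # ValueError on anything that is not an IP
        if ip.version != 4:
            raise ValueError(f"{server}: IPv6 resolvers go through 'netsh interface ipv6'")
        if index == 1:
            # The first entry switches the adapter to static DNS and replaces the whole list.
            cmds.append(base + ["set", "dnsservers", f"name={adapter}", "source=static",
                                f"address={ip}", "validate=no"])
        else:
            cmds.append(base + ["add", "dnsservers", f"name={adapter}", f"address={ip}",
                                f"index={index}", "validate=no"])
    return cmds


def set_dns(adapter, servers, dry_run=True):
    """Print the commands and, unless dry_run, run them (needs an elevated prompt on Windows)."""
    cmds = build_netsh_commands(adapter, servers)
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # python setdns.py Ethernet 8.8.8.8 8.8.4.4 [--apply]      (no servers: back to DHCP)
    args = [a for a in sys.argv[1:] if a != "--apply"]
    name, *resolvers = args or ["Ethernet"]
    set_dns(name, resolvers, dry_run="--apply" not in sys.argv)
```

validate=no stops netsh from probing the new server before accepting it, which is what you want when the resolver is only reachable over a VPN that is not up yet. Changing resolvers is a security-relevant change on its own: whoever controls the resolver controls name resolution for the whole machine, so the list of alternatives you keep in a tool like QuickSetDNS should only hold servers you trust, and a surprise change to it is worth treating as an indicator.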


Tuesday, February 25, 2014

[DomainHostingView] Show domain hosting information


DomainHostingView is a utility for Windows that collects extensive information about a domain by using a series of DNS and WHOIS queries, and generates an HTML report that can be displayed in any Web browser. 

The information displayed in the DomainHostingView report includes: the hosting company or data center that hosts the Web server, mail server, and domain name server (DNS) of the specified domain, the creation/change/expiry dates of the domain, the domain owner, the domain registrar that registered the domain, a list of all DNS records, and more.

System Requirements And Limitations

  • This utility works on any version of Windows, starting from Windows XP and up to Windows 7/2008, including x64 versions of Windows. This utility also works on Windows 2000, but without the IDN support.
  • Firewall/router requirements: you should allow DomainHostingView to connect to the following outgoing TCP/UDP ports: 43 (WHOIS), 53 (DNS), 80 (HTTP), and 25 (SMTP).
  • The report created by DomainHostingView is based on the information provided by public WHOIS servers. If a WHOIS server is temporarily down, some information won't be displayed in the report. Also, some WHOIS servers may block your IP address if you use DomainHostingView to get reports about many domains in a short period of time.

DomainHostingView Features

  • DomainHostingView is a Unicode application and thus it can properly display WHOIS records containing non-English characters.
  • DomainHostingView supports Internationalized domain names (IDN). When you type a domain with non-English characters, DomainHostingView automatically converts it into a format that can be used in the WHOIS and DNS servers.
  • DomainHostingView parses the text returned by the WHOIS servers, extracts the important data, and displays it in an easy-to-read summary.
  • DomainHostingView also displays the raw text returned by the WHOIS servers, with a small enhancement - every http link is displayed as clickable link that opens the Web page in a new window. 
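The WHOIS side of what DomainHostingView does, as an added example of mine (not DomainHostingView's code): a raw port-43 query that starts at IANA and follows referrals, the IDN-to-punycode conversion the feature list mentions, and a parser that pulls the summary fields out of the free-text reply. The label table in FIELDS is an assumption (WHOIS output is not standardized, so real registries will need more variants), and the SAMPLE record is constructed for offline use, not a real WHOIS answer.

```python
"""WHOIS lookup with referral following, IDN conversion and summary extraction, in the
spirit of DomainHostingView's report.  Added example, not DomainHostingView's code."""
import re
import socket

# Label variants mapped to summary keys.  This set is an assumption: WHOIS output is
# free text and every registry/registrar spells its fields a little differently.
FIELDS = {
    "registrar":    ("Registrar", "Sponsoring Registrar"),
    "created":      ("Creation Date", "Created On", "Registered On"),
    "updated":      ("Updated Date", "Last Updated On"),
    "expires":      ("Registry Expiry Date", "Expiration Date", "Expiry Date"),
    "registrant":   ("Registrant Organization", "Registrant Name"),
    "whois_server": ("Registrar WHOIS Server", "Whois Server", "refer"),
}
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*:\s*(.+?)\s*$")


def to_ascii_domain(domain):
    """IDN -> punycode so WHOIS and DNS servers accept it (bücher.example -> xn--bcher-kva.example)."""
    return domain.strip().rstrip(".").encode("idna").decode("ascii").lower()


def parse_whois(text):
    """Summary fields plus the name server list from raw WHOIS text.
    First occurrence wins for scalar fields; name servers are collected in order, de-duplicated."""
    summary = {"name_servers": []}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "name server":
            if value.lower() not in summary["name_servers"]:
                summary["name_servers"].append(value.lower())
            continue
        for field, labels in FIELDS.items():
            if field not in summary and key in (l.lower() for l in labels):
                summary[field] = value
    return summary


def whois_raw(domain, server="whois.iana.org", timeout=10):
    """One cleartext TCP/43 round trip (network access required)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                return b"".join(chunks).decode("utf-8", "replace")
            chunks.append(data)


def whois_lookup(domain, max_hops=3):
    """Start at IANA and follow 'refer:' / 'Registrar WHOIS Server:' referrals, the same
    chain of queries DomainHostingView runs.  Returns (summary, raw text of the last hop)."""
    name = to_ascii_domain(domain)
    server, seen, text = "whois.iana.org", set(), ""
    for _ in range(max_hops):                   # bounded: WHOIS servers rate-limit callers
        seen.add(server)
        text = whois_raw(name, server)
        nxt = parse_whois(text).get("whois_server", "").lower().replace("http://", "").strip("/")
        if not nxt or nxt in seen:
            break
        server = nxt
    return parse_whois(text), text


# Constructed sample in registry style (not a real WHOIS record) for offline use.
SAMPLE = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.example
   Updated Date: 2014-01-10T08:00:00Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2015-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Registrant Organization: Example Corp
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   Name Server: a.iana-servers.net
>>> Last update of whois database: 2014-02-25T00:00:00Z <<<
"""

if __name__ == "__main__":
    print(parse_whois(SAMPLE))
```

Two practical notes that follow from the post's own limitations list: WHOIS on port 43 is cleartext, so anything you look up is visible to the network path, and the hop limit in whois_lookup is there because registries do block addresses that query in bulk.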

Tuesday, January 14, 2014

[DNSRecon v0.8.6] DNS Enumeration Script

Just updated DNSRecon to check if it can pull the Bind version by doing a query for the TXT record version.bind, and it will now check if the RA flag is set in responses from each of the NS servers it detects. If the server has recursion enabled, it could be used for DDoS attacks and for performing cache snooping.

Example of a run where it is able to pull the Bind Version:
infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]SOA ns16.zoneedit.com 69.64.68.41
[*]NS ns12.zoneedit.com 209.62.64.46
[*]Bind Version for 209.62.64.46 8.4.X
[*]NS ns16.zoneedit.com 69.64.68.41
[*]Bind Version for 69.64.68.41 8.4.X
[*]MX ASPMX2.GOOGLEMAIL.COM 173.194.75.27
[*]MX ASPMX3.GOOGLEMAIL.COM 173.194.66.27
[*]MX ASPMX4.GOOGLEMAIL.COM 173.194.65.26
[*]MX ASPMX5.GOOGLEMAIL.COM 173.194.70.26
[*]MX ASPMX.L.GOOGLE.COM 74.125.140.27
[*]MX ALT1.ASPMX.L.GOOGLE.COM 173.194.75.26
[*]MX ALT2.ASPMX.L.GOOGLE.COM 173.194.66.27
[*]MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]A zonetransfer.me 217.147.180.162
[*]TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*]TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.180.162 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The information on version and recursion is also saved in the XML, as you can see:

infidel02:dnsrecon carlos$ cat zt.xml

<?xml version="1.0" ?>
<records>
  <record address="69.64.68.41" mname="ns16.zoneedit.com" type="SOA"/>
  <record Recursive="False" Version="8.4.X" address="209.62.64.46" target="ns12.zoneedit.com" type="NS"/>
  <record Recursive="False" Version="8.4.X" address="69.64.68.41" target="ns16.zoneedit.com" type="NS"/>
  <record address="173.194.75.27" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.66.27" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.65.26" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.70.26" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="74.125.140.27" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="173.194.75.26" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="173.194.66.27" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="217.147.180.162" name="zonetransfer.me" type="A"/>
  <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" type="TXT"/>
  <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/>
  <record address="217.147.180.162" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/>
  <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/>
  <domain domain_name="zonetransfer.me"/>
</records>

Here is an example where recursion is enabled; you will see that the message is shown differently, since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n 192.168.1.80
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*] NSEC KSk RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC KSk RSASHA256 ...
[*]SOA labns1.acmelab.com 192.168.1.80
[*]NS labns1.acmelab.com 192.168.1.80
[-]Recursion enabled on NS Server 192.168.1.80
[*]MX mail1.acmelab.com 192.168.1.4
[*]A acmelab.com 192.168.1.2
[*]TXT acmelab.com v=spf1 192.168.1.0/24
[*]TXT _domainkey.acmelab.com o=~; r=postmaster@acmelab.com
[*] Enumerating SRV Records
[*]SRV _finger._tcp.acmelab.com web1.acmelab.com 192.168.1.2 79 0
[*]SRV _http._tcp.acmelab.com web2.acmelab.com 192.168.1.3 80 0
[*]SRV _http._tcp.acmelab.com web1.acmelab.com 192.168.1.2 80 0
[*]SRV _sip._tls.acmelab.com chat.acmelab.com 192.168.1.5 443 0
[*]SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 192.168.1.5 5061 0
[*]SRV _https._tcp.acmelab.com web1.acmelab.com 192.168.1.2 443 0
[*]SRV _https._tcp.acmelab.com web2.acmelab.com 192.168.1.3 443 0
[*] 7 Records Found
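Three of the posts above touch the same piece of plumbing, the DNS wire format: FakeNet's DNS server answers every query with the local host, DNSQuerySniffer shows the query ID, type, response code and returned records, and DNSRecon's update sends a CHAOS-class TXT query for version.bind and reads the RA flag out of the reply. The following added example of mine (not code from FakeNet, DNSQuerySniffer, DNSRecon or any library they use) implements those pieces with only the Python standard library: a query builder, a reply parser that exposes exactly the fields a sniffer displays, a FakeNet-style fabricated reply, and a live probe that does what DNSRecon's new check does. The transaction IDs, the "9.9.9" version string in the constructed reply and the use of example.com as the off-zone test name are assumptions; nothing here is real server data.

```python
"""Stdlib-only DNS wire-format helpers.  Added example, not code from FakeNet,
DNSQuerySniffer or DNSRecon.  Constructed data only; probe_resolver needs a network."""
import socket
import struct

CLASS_IN, CLASS_CH = 1, 3
T_A, T_TXT = 1, 16
QTYPE = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'a.b.c' -> b'\\x01a\\x01b\\x01c\\x00' (uncompressed labels)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"


def decode_name(buf, off):
    """Decode a possibly compressed name at buf[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer, RFC 1035 4.1.4
            end = off + 2 if end is None else end  # resume right after the first pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def build_query(qname, qtype, qclass=CLASS_IN, txid=0x1234, rd=True):
    hdr = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def version_bind_query(txid=0x0BAD):
    """CHAOS-class TXT query for version.bind, the probe DNSRecon uses for the BIND version."""
    return build_query("version.bind", T_TXT, CLASS_CH, txid, rd=False)


def parse_message(buf):
    """Header flags (QR/RD/RA/RCODE), questions and answer records; authority/additional skipped."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    msg = {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
           "ra": bool(flags & 0x0080), "rcode": RCODE.get(flags & 0xF, flags & 0xF),
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        msg["questions"].append((name, QTYPE.get(qtype, qtype), qclass))
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata = buf[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == T_A and rdlen == 4:
            data = socket.inet_ntoa(rdata)
        elif rtype == T_TXT:                       # one or more <len><chars> strings
            data, p = "", 0
            while p < rdlen:
                data += rdata[p + 1:p + 1 + rdata[p]].decode("latin-1")
                p += 1 + rdata[p]
        else:
            data = rdata.hex()
        msg["answers"].append((name, QTYPE.get(rtype, rtype), ttl, data))
    return msg


def build_fake_response(query, answer_ip="127.0.0.1", ttl=60):
    """FakeNet-style reply: echo the question, resolve any A query to answer_ip, set QR and RA."""
    txid, flags, qd = struct.unpack("!HHH", query[:6])
    off = 12
    for _ in range(qd):                            # locate the end of the question section
        _, off = decode_name(query, off)
        off += 4
    qname, qtype, _ = parse_message(query)["questions"][0]
    answer = b""
    if qtype == "A":
        answer = b"\xc0\x0c" + struct.pack("!HHIH", T_A, CLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
    hdr = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), qd, 1 if answer else 0, 0, 0)
    return hdr + query[12:off] + answer


def probe_resolver(ip, timeout=2.0):
    """Live check: BIND version via version.bind, recursion via RA on an off-zone query.
    RA only says recursion is advertised; RCODE REFUSED means it is not actually granted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(version_bind_query(), (ip, 53))
        v = parse_message(s.recv(512))
        s.sendto(build_query("example.com", T_A), (ip, 53))
        r = parse_message(s.recv(512))
    version = next((d for _, t, _, d in v["answers"] if t == "TXT"), None)
    return {"version": version, "recursion": r["ra"], "rcode": r["rcode"]}


def sample_version_bind_response():
    """Constructed reply (not real data): TXT '9.9.9' for version.bind, AA set, RA clear."""
    txt = b"\x059.9.9"
    hdr = struct.pack("!HHHHHH", 0x0BAD, 0x8400, 1, 1, 0, 0)
    return hdr + version_bind_query()[12:] + b"\xc0\x0c" + struct.pack("!HHIH", T_TXT, CLASS_CH, 0, len(txt)) + txt
```

Two caveats a practitioner will want: the version.bind answer is whatever the operator configured (BIND's version option can return any string, and other servers ignore the CHAOS query), so treat it as a hint rather than a fingerprint; and the RA bit means the server offers recursion to you, which is the condition DNSRecon flags, but a server can set RA and still answer REFUSED to off-zone names, which is why the probe returns the RCODE alongside the flag.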