mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-21 18:11:37 +01:00
Added Simulate-DNSTunnel.ps1
This commit is contained in:
parent
899ceee361
commit
089710422d
@ -22,4 +22,6 @@
|
|||||||
|
|
||||||
- **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
|
- **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9))
|
||||||
|
|
||||||
|
- **`Simulate-DNSTunnel.ps1`** - Performs DNS Tunnelling simulation for purpose of triggering installed Network IPS and IDS systems, generating SIEM offenses and picking up Blue Teams.
|
||||||
|
|
||||||
- **`win-clean-logs.bat`** - Batch script to hide malware execution from Windows box. Source: Mandiant M-Trends 2017. ([gist](https://gist.github.com/mgeeky/3561be7e697c62f543910851c0a26d00))
|
- **`win-clean-logs.bat`** - Batch script to hide malware execution from Windows box. Source: Mandiant M-Trends 2017. ([gist](https://gist.github.com/mgeeky/3561be7e697c62f543910851c0a26d00))
|
||||||
|
134
windows/Simulate-DNSTunnel.ps1
Normal file
134
windows/Simulate-DNSTunnel.ps1
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
<#
|
||||||
|
Simulate-DNSTunnel.ps1
|
||||||
|
|
||||||
|
Author: Mariusz Banach (@mgeeky)
|
||||||
|
License: GPL
|
||||||
|
Required Dependencies: None
|
||||||
|
Optional Dependencies: None
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
$MaxQueryLength = 253
|
||||||
|
$MaxDnsLabelLength = 63
|
||||||
|
|
||||||
|
# Although it can get even up to 127, keeping it lower value may seem more genuine
|
||||||
|
$MaxNumberOfLevels = 5
|
||||||
|
|
||||||
|
|
||||||
|
function Simulate-DNSTunnel
|
||||||
|
{
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
|
||||||
|
Performs DNS Tunnelling simulation.
|
||||||
|
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
|
||||||
|
This function performs DNS tunelling simulation for purpose
|
||||||
|
of triggering installed Network IPS and IDS systems. By issuing
|
||||||
|
DNS queries over system's default resolver, will introduce peak
|
||||||
|
in high-entropy anomalous queries to be picked up by blue teams.
|
||||||
|
|
||||||
|
.PARAMETER Domain
|
||||||
|
|
||||||
|
Domain to be queried against randomly generated anomalous-looking long subdomain.
|
||||||
|
This domain should have a '*' type A record pointing to some IP address
|
||||||
|
for every wildcard subdomain queried, to avoid subsequent DNS failures.
|
||||||
|
Also, obviously the domain should be resolveable.
|
||||||
|
|
||||||
|
.PARAMETER Interval
|
||||||
|
|
||||||
|
This parameter introduces delay between subsequent queries (in seconds). When unset,
|
||||||
|
every query will be triggered sequentially one after another. Otherwise,
|
||||||
|
a sleep will be introduced between queries, simulating thus DNS beaconing.
|
||||||
|
|
||||||
|
.PARAMETER QueriesNumber
|
||||||
|
|
||||||
|
Number of DNS queries to perform. If unset, script will perform inifinite number
|
||||||
|
of DNS queries. In such case, it can be terminated by CTRL+C.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
Simulate-DNSTunnel -Domain google.com
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[String]
|
||||||
|
$Domain,
|
||||||
|
|
||||||
|
[Double]
|
||||||
|
$Interval = 0.0,
|
||||||
|
|
||||||
|
[Int]
|
||||||
|
$QueriesNumber = 0
|
||||||
|
)
|
||||||
|
|
||||||
|
$Num = 0
|
||||||
|
|
||||||
|
While ( ($Num -lt $QueriesNumber) -or ($QueriesNumber -eq 0))
|
||||||
|
{
|
||||||
|
$Num += 1
|
||||||
|
$Query = Generate-AnomalousQuery -Domain $Domain
|
||||||
|
|
||||||
|
If ($Interval -ne 0.0 )
|
||||||
|
{
|
||||||
|
Start-Sleep -m ($Interval * 1000)
|
||||||
|
}
|
||||||
|
|
||||||
|
Try
|
||||||
|
{
|
||||||
|
Write-Host "[+] $Num. Querying: $Query"
|
||||||
|
[System.Net.Dns]::GetHostByName($Query).Hostname
|
||||||
|
}
|
||||||
|
Catch
|
||||||
|
{
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-RandomString
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[int]
|
||||||
|
$Count
|
||||||
|
)
|
||||||
|
return -join ((65..90) + (97..122) | Get-Random -Count $Count | %{[char]$_})
|
||||||
|
}
|
||||||
|
|
||||||
|
function Generate-AnomalousQuery
|
||||||
|
{
|
||||||
|
Param(
|
||||||
|
[String]
|
||||||
|
$Domain
|
||||||
|
)
|
||||||
|
|
||||||
|
$QueryToGenerateLen = (Get-Random) % ($MaxQueryLength - $Domain.Length - 1)
|
||||||
|
$PartLen = [math]::Min($MaxDnsLabelLength, $QueryToGenerateLen)
|
||||||
|
$NumberOfParts = (Get-Random) % $MaxNumberOfLevels
|
||||||
|
|
||||||
|
$Query = ""
|
||||||
|
|
||||||
|
For ($i = 0; $i -lt $NumberOfParts; $i++ )
|
||||||
|
{
|
||||||
|
$Query += Get-RandomString -Count ($PartLen / $NumberOfParts)
|
||||||
|
$Query += "."
|
||||||
|
}
|
||||||
|
|
||||||
|
While ($Query.Length -lt $QueryToGenerateLen )
|
||||||
|
{
|
||||||
|
$Query += Get-RandomString -Count 1
|
||||||
|
}
|
||||||
|
|
||||||
|
If (($Query.Length + $Domain.Length) -ge ($MaxQueryLength + 1) )
|
||||||
|
{
|
||||||
|
$Query = $Query.Substring(0, $MaxQueryLength - $Domain.Length - 1)
|
||||||
|
}
|
||||||
|
|
||||||
|
$Query = $Query -replace "\.\.", "."
|
||||||
|
|
||||||
|
$Query += ".$Domain"
|
||||||
|
return $Query
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user