1. Background:
Very often during incident response you find an anomalous connection, and all you have to go on is a single domain or IP.
What then? Pulling firewall logs and looking up every record behind that domain by hand is exhausting, so I reworked some old code of mine into a small tool: one command queries the DNS records for a name, and you can also point it at an internal nameserver.
2. Analysis approach:
1. First examine the traffic: collect the remote IP, the domain, and the resolution records that tie them together.
2. Inside China, I recommend the threat-intelligence sources from our 360, threatbook, and my former employer tianjipartner to check whether the indicators are linked to a known threat. If they are, take the first containment step straight away: push a policy that isolates the host from the network. For important machines, simply cut the network or kill the session first. (Outside mainland China, passivetotal and virustotal are the recommended sources.)
3. If nothing matches, go to the host and inspect processes (you can script a monitor for this). Find the process behind the communicating port:

#sudo netstat -anop | grep a.b.c.d    (a.b.c.d is the remote IP; note the PID in the PID/Program name column)
#sudo ps -ef | grep <pid>             (confirm which process owns that PID)

4. Take a sample of the suspicious process before you kill it; do not kill processes that look legitimate yet. From there you can go deeper, e.g. source-level or reverse-engineering analysis of the sample.
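The socket-to-process step above is usually done with two greps, but when a host has dozens of connections it helps to parse the output once and group sockets by owning process. The following is an added example, not code from the original post; the netstat and ps text it parses is constructed sample output, and the IPs, PIDs and the /tmp/.x_update process are invented for illustration. A pid of "-" in netstat means the socket owner is not visible to the current user, which is why the page runs it with sudo.

```python
import re

# Constructed sample of `sudo netstat -anop` output (not captured from a real host)
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd             off (0.00/0/0)
tcp        0      0 10.0.0.5:51234          203.0.113.10:443        ESTABLISHED 2314/.x_update       keepalive (12.00/0/0)
tcp        0      0 10.0.0.5:51240          203.0.113.10:4444       ESTABLISHED 2314/.x_update       off (0.00/0/0)
tcp        0      0 10.0.0.5:51300          198.51.100.7:443        ESTABLISHED 1507/curl            off (0.00/0/0)
udp        0      0 10.0.0.5:44321          203.0.113.10:53         ESTABLISHED -                    off (0.00/0/0)
"""

# Constructed sample of `ps -ef` output for the same (hypothetical) host
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root       812     1  0 09:00 ?        00:00:00 /usr/sbin/sshd -D
www       1507  1490  0 09:12 ?        00:00:00 curl -s https://example.org/
www       2314  1490  0 09:13 ?        00:00:04 /tmp/.x_update -c /tmp/.cfg
"""

# "<pid>/<program>" surrounded by whitespace; a bare "-" (owner not visible) will not match
PID_RE = re.compile(r"\s(\d+)/(\S+)\s")


def connections_to(netstat_output, remote_ip):
    """Return one dict per socket whose foreign address is remote_ip."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything that is not a socket row
        remote = fields[4]
        if remote.rsplit(":", 1)[0] != remote_ip:  # strip the port, keep the address
            continue
        m = PID_RE.search(line)
        pid = int(m.group(1)) if m else None  # None: run as root to see the owner
        hits.append({"proto": fields[0], "local": fields[3], "remote": remote, "pid": pid})
    return hits


def process_cmdline(ps_output, pid):
    """Look up the CMD column for pid in `ps -ef` output (None if absent)."""
    for line in ps_output.splitlines()[1:]:  # skip the UID/PID/... header
        fields = line.split(None, 7)         # CMD may contain spaces: keep it whole
        if len(fields) == 8 and fields[1] == str(pid):
            return fields[7]
    return None


def triage(netstat_output, ps_output, remote_ip):
    """Group the suspect peer's sockets by owning process, with that process's command line."""
    report = {}
    for hit in connections_to(netstat_output, remote_ip):
        key = hit["pid"] if hit["pid"] is not None else "unknown"
        entry = report.setdefault(key, {
            "cmd": process_cmdline(ps_output, hit["pid"]) if hit["pid"] else None,
            "sockets": [],
        })
        entry["sockets"].append("%s %s -> %s" % (hit["proto"], hit["local"], hit["remote"]))
    return report


if __name__ == "__main__":
    for pid, info in triage(NETSTAT_SAMPLE, PS_SAMPLE, "203.0.113.10").items():
        print(pid, info["cmd"])
        for sock in info["sockets"]:
            print("   ", sock)
```

On a live box, feed it `subprocess.check_output(["sudo", "netstat", "-anop"])` and `ps -ef` instead of the samples. Grouping by PID is what tells you that the 443 and 4444 connections belong to the same binary, which is the process to sample (step 4) rather than the unrelated curl.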
3. Implementation with the dnspython library:
I threw this together last night by reworking old code; it really deserves a proper rewrite, since some of the logic is pretty sloppy. Go easy on me.
apilib.py (imported by dnscheck.py below):

# -*- coding:utf-8 -*-

# import lib files
import sys
import dns.resolver
import dns.rdatatype

# global variable definitions
checker = dns.resolver.Resolver()
nameserverlist = ["202.106.0.20", "114.114.114.114", "8.8.8.8", "8.8.4.4"]
resultdict = {}


# global function definitions
def set_nameserver(nameserver):
    """Replace the default resolver list; only a list is accepted (returns 0 on success, 1 otherwise)."""
    global nameserverlist
    if isinstance(nameserver, list):
        nameserverlist = nameserver
        return 0
    return 1


def check_a_record(domain):
    """Ask every nameserver in turn for A records; one entry per (server, IP)."""
    global resultdict
    alist = []
    for server in nameserverlist:
        try:
            checker.nameservers = [server]
            # resolve() is dnspython 2.x; on dnspython 1.x use checker.query()
            record = checker.resolve(domain, "A")
        except Exception:
            continue  # timeout, NXDOMAIN, NoAnswer: skip this server and try the next
        for iprecord in record:
            alist.append({"nameserver": server, "arecord": str(iprecord)})
    resultdict["A-RECORD"] = alist


def check_cname_record(domain):
    """Ask every nameserver for the A record and collect the CNAMEs in the answer section."""
    global resultdict
    clist = []
    for server in nameserverlist:
        try:
            checker.nameservers = [server]  # must be reset per server, or every loop hits the last one
            record = checker.resolve(domain, "A")
        except Exception:
            continue
        for rrset in record.response.answer:
            if rrset.rdtype != dns.rdatatype.CNAME:
                continue
            for item in rrset:
                clist.append({"nameserver": server, "cname": str(item.target)})
    resultdict["CNAME"] = clist


if __name__ == "__main__":
    testdomain = sys.argv[1]
    check_a_record(testdomain)
    check_cname_record(testdomain)
    print(resultdict)
dnscheck.py:

# -*- coding:utf-8 -*-

# import lib files
import sys
from optparse import OptionParser
from apilib import resultdict, set_nameserver, check_a_record, check_cname_record

if __name__ == "__main__":
    parser = OptionParser()
    parser.add_option("-d", "--domain", dest="domain", help="domain to check")
    parser.add_option("-s", "--server", dest="server",
                      help="nameserver(s) to query, comma separated")
    (options, args) = parser.parse_args()
    checkdomain = options.domain.lower() if options.domain else options.domain
    if checkdomain in ["", " ", None, "null"]:
        parser.print_help()
        sys.exit(0)
    dnsserver = options.server
    if dnsserver not in ["", " ", None, "null"]:
        # accept a single server or a comma-separated list
        dnsserver = [s.strip() for s in dnsserver.split(",")]
        set_nameserver(dnsserver)
    check_a_record(checkdomain)
    check_cname_record(checkdomain)
    print(resultdict)
If running it on Windows is a hassle, package it into a single executable (apilib.py must sit next to dnscheck.py so PyInstaller picks it up):

#pyinstaller -F dnscheck.py

Usage:

#dnscheck.exe -d www.baidu.com
#dnscheck.exe -d www.163.com -s 202.106.0.20,114.114.114.114
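The tool prints the raw resultdict; what you actually want during triage is the unique set of indicators to hand to the threat-intel lookup in step 2, and a quick answer to whether the resolvers agree with each other. The following is an added example, not part of the original tool: it post-processes a dict in the same shape the tool prints. The resultdict contents here are constructed (the IPs and cdn.example.net are invented), and the "majority answer set" rule for spotting an odd resolver is this example's own choice.

```python
from collections import defaultdict

# Constructed resultdict in the shape dnscheck.py prints (not real query output)
SAMPLE_RESULT = {
    "A-RECORD": [
        {"nameserver": "202.106.0.20", "arecord": "198.51.100.20"},
        {"nameserver": "114.114.114.114", "arecord": "203.0.113.7"},
        {"nameserver": "8.8.8.8", "arecord": "203.0.113.7"},
        {"nameserver": "8.8.4.4", "arecord": "203.0.113.7"},
    ],
    "CNAME": [
        {"nameserver": "8.8.8.8", "cname": "cdn.example.net."},
        {"nameserver": "8.8.4.4", "cname": "cdn.example.net."},
    ],
}


def ip_views(resultdict):
    """Map each returned IP to the set of resolvers that returned it."""
    views = defaultdict(set)
    for rec in resultdict.get("A-RECORD", []):
        views[rec["arecord"]].add(rec["nameserver"])
    return dict(views)


def disagreeing_resolvers(resultdict):
    """Resolvers whose answer set differs from the answer set most resolvers gave.

    A lone resolver returning a different IP can be GeoDNS/CDN steering, but it is
    also what a poisoned or hijacked resolver looks like, so it is worth a look.
    """
    per_server = defaultdict(set)
    for rec in resultdict.get("A-RECORD", []):
        per_server[rec["nameserver"]].add(rec["arecord"])
    if not per_server:
        return []
    counts = defaultdict(int)
    for ips in per_server.values():
        counts[frozenset(ips)] += 1
    majority = max(counts, key=counts.get)  # on a tie, the first answer set seen wins
    return sorted(s for s, ips in per_server.items() if frozenset(ips) != majority)


def ioc_list(resultdict):
    """Unique indicators to feed into threat-intel lookups: IPs plus CNAME targets."""
    ips = sorted({r["arecord"] for r in resultdict.get("A-RECORD", [])})
    names = sorted({r["cname"].rstrip(".") for r in resultdict.get("CNAME", [])})
    return {"ips": ips, "names": names}


if __name__ == "__main__":
    print("IP -> resolvers:", ip_views(SAMPLE_RESULT))
    print("odd resolvers:", disagreeing_resolvers(SAMPLE_RESULT))
    print("IOCs:", ioc_list(SAMPLE_RESULT))
```

Run this on the dict returned by check_a_record/check_cname_record instead of SAMPLE_RESULT. Because the page's default list mixes an ISP resolver (202.106.0.20) with public ones, a disagreement from the ISP resolver alone is exactly the case to double-check against passive DNS before deciding the IP is malicious.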
Baidu Netdisk download: https://pan.baidu.com/s/1jJr2mPo
Extraction code: k4f8