
用node来DNS抓包

这是崔斯特的第七十四篇原创文章

用node来DNS抓包 (๑• . •๑)

前提准备

安装 node，并在 server.js 的同级目录下安装以下依赖

# Install the two runtime dependencies of server.js (run in the same directory as server.js)
npm install native-dns async

保存以下文件为server.js

// Forwarding DNS server: names matched by the local `entries` table are answered
// from static records, everything else is relayed to `authority` (see proxy/handleRequest).
const dns = require('native-dns');
const server = dns.createServer();

// Upstream resolver that receives every non-matching question, as plain UDP on port 53.
const authority = { address: '114.114.114.114', port: 53, type: 'udp' };

server.on('listening', () => console.log('server listening on', server.address()));
server.on('close', () => console.log('server closed', server.address()));

// native-dns passes the raw buffer and the partially built req/res along with
// the error; only the stack trace is logged here.
server.on('error', (err, buff, req, res) => console.error(err.stack));
server.on('socketError', (err, socket) => console.error(err));
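/**
 * Forward one DNS question to the upstream resolver (`authority`) and append
 * whatever answer records come back onto `response.answer`.
 *
 * @param {object} question - one entry of the inbound question section (has `.name`)
 * @param {object} response - outbound packet; its `answer` array is appended to
 * @param {Function} cb - invoked when the upstream exchange ends (reply, error or timeout)
 */
function proxy(question, response, cb) {
  console.log('proxying', question.name);
  const upstream = dns.Request({
    question, // forwarded unchanged
    server: authority, // the resolver that actually answers
    timeout: 1000,
  });

  // The 'message' handler previously ignored `err` and dereferenced `msg.answer`
  // unconditionally, so a failed or empty upstream reply would throw inside the
  // event handler. Log and skip instead; the 'end' callback still fires.
  upstream.on('message', (err, msg) => {
    if (err) {
      console.error('upstream error for', question.name, err);
      return;
    }
    if (!msg || !Array.isArray(msg.answer)) return;
    response.answer.push(...msg.answer);
  });
  // A timed-out forward leaves the question unanswered; make that visible in the log.
  upstream.on('timeout', () => console.warn('upstream timeout for', question.name));
  upstream.on('end', cb);
  upstream.send();
}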
// Used only for async.parallel in handleRequest, to wait for all proxied lookups.
const async = require('async');
// Static overrides: the first entry whose `domain` regex (case-insensitive)
// matches a queried name is answered locally instead of being proxied.
// Note that `domain` is a regular expression, not a glob: `.` matches any
// character and the trailing `*` only makes the final `m` optional.
const entries = [
  {
    domain: "^weixin.keruyun.com*",
    records: [
      { type: "A", address: "10.10.10.90", ttl: 1800 },
    ],
  },
];
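/**
 * Answer one inbound DNS request. Each question is either answered from the
 * local `entries` table (first matching `domain` regex wins) or proxied to the
 * upstream resolver; the response is sent once every proxied lookup has ended.
 *
 * @param {object} request - inbound packet (`address.address`, `question[]`)
 * @param {object} response - outbound packet; `answer` is filled here, then sent
 */
function handleRequest(request, response) {
  const questions = Array.isArray(request.question) ? request.question : [];
  // The original indexed question[0] unconditionally, which throws on a packet
  // with an empty question section.
  const firstName = questions.length ? questions[0].name : '(no question)';
  console.log('request from', request.address.address, 'for', firstName);

  const pending = [];
  questions.forEach((question) => {
    const entry = entries.find((r) => new RegExp(r.domain, 'i').test(question.name));
    if (!entry) {
      pending.push((cb) => proxy(question, response, cb));
      return;
    }
    entry.records.forEach((record) => {
      // `record.type` selects a native-dns record constructor (A, AAAA, ...).
      // It comes from local config, not from the wire, but a typo here used to
      // surface as an unhelpful TypeError; report it and skip the record.
      const build = dns[record.type];
      if (typeof build !== 'function') {
        console.error('unknown record type in entries:', record.type);
        return;
      }
      // Build a per-question copy instead of writing `name`/`ttl` back into the
      // shared config object, so entries is never mutated by request handling.
      // A ttl of 0 is a valid "do not cache" value, so only null/undefined
      // fall back to the default.
      const rr = Object.assign({}, record, {
        name: question.name,
        ttl: record.ttl == null ? 1800 : record.ttl,
      });
      response.answer.push(build(rr));
    });
  });

  // async.parallel's final callback also receives (err, results); as before,
  // the response is sent regardless.
  async.parallel(pending, () => response.send());
}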
const DNS_PORT = 53;
server.on('request', handleRequest);
// serve(53) with no bind address listens on every interface, so any host that
// can reach this machine can use it as a resolver and will have its queries
// logged and (for matching names) rewritten. For lab use, restrict it to the
// interface the test phone is on; native-dns's serve() also takes a bind
// address argument — confirm against the installed library version.
server.serve(DNS_PORT);

手机wifi设置如下:

在DNS1和DNS2,都设置为电脑端地址

找到域名

使用命令 node server.js 运行该文件，手机打开飞行模式，再关闭飞行模式，关闭手机所有应用后，打开目标应用，查看输出

request from 10.10.10.30 for api.huoshan.com
proxying api.huoshan.com
request from 10.10.10.30 for api.huoshan.com
proxying api.huoshan.com
request from 10.10.10.30 for sf3-ttcdn-tos.pstatp.com
proxying sf3-ttcdn-tos.pstatp.com
request from 10.10.10.30 for nbsdk-baichuan.alicdn.com
proxying nbsdk-baichuan.alicdn.com
request from 10.10.10.30 for sf1-hscdn-tos.pstatp.com
proxying sf1-hscdn-tos.pstatp.com
request from 10.10.10.30 for wgo.mmstat.com
proxying wgo.mmstat.com
request from 10.10.10.30 for v7.pstatp.com
proxying v7.pstatp.com
request from 10.10.10.30 for sf1-ttcdn-tos.pstatp.com
proxying sf1-ttcdn-tos.pstatp.com

找到自己想要抓取的域名,假设现在我们想抓取的域名是superapp.kiwa-tech.com,修改server.js文件,如下

// Point the target domain at the machine running Charles; everything else is
// still proxied upstream. `domain` is a regular expression (case-insensitive):
// `.` matches any character and the trailing `*` only makes the final `m` optional.
const entries = [
  {
    domain: "^superapp.kiwa-tech.com*",
    records: [
      { type: "A", address: "10.10.10.90", ttl: 1800 },
    ],
  },
];

配置Charles

打开Charles,注意,要使用sudo打开,sudo /Applications/Charles.app/Contents/MacOS/Charles

  1. 安装证书,手机端也要安装
  2. 打开ssl proxying
  3. Reverse Proxies,设置如下

最后

最后就大功告成了,此时在手机端打开该App,即可查看相关DNS抓包数据。

这种方法叫做DNS抓包