# dns-cyber-range

**Repository Path**: duguxt/dns-cyber-range

## Basic Information

- **Project Name**: dns-cyber-range
- **Description**: DNS cyber security range, implemented with containerlab and networked entirely from docker containers
- **Primary Language**: Shell
- **License**: GPL-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 2
- **Forks**: 0
- **Created**: 2023-02-26
- **Last Updated**: 2025-01-14

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# DNS Cyber Security Range (dns-cyber-range)

## Introduction

A DNS cyber security range, implemented with containerlab and networked entirely from docker containers.

Features: lightweight, automated, easily extensible, works out of the box.

## Installation

Containerlab can be installed using the [installation script](https://github.com/srl-labs/containerlab/blob/main/get.sh) which detects the operating system type and installs the relevant package:

```bash
# download and install the latest release (may require sudo)
bash -c "$(curl -sL https://get.containerlab.dev)"

# download a specific version - 0.10.3 (may require sudo)
bash -c "$(curl -sL https://get.containerlab.dev)" -- -v 0.10.3

# with wget
bash -c "$(wget -qO - https://get.containerlab.dev)"
```

It is also possible to install official containerlab releases from the public APT/YUM repository.

debian/ubuntu:

```bash
echo "deb [trusted=yes] https://apt.fury.io/netdevops/ /" | \
sudo tee -a /etc/apt/sources.list.d/netdevops.list
sudo apt update && sudo apt install containerlab
```

redhat/centos:

```bash
yum-config-manager --add-repo=https://yum.fury.io/netdevops/ && \
echo "gpgcheck=0" | sudo tee -a /etc/yum.repos.d/yum.fury.io_netdevops_.repo
sudo yum install containerlab
```

## Deployment

1. Clone the repository

```bash
git clone https://gitee.com/duguxt/dns-cyber-range.git
cd dns-cyber-range
```

2. Deploy a range (the dnssec range environment is used as the example)

Range topology:

![image-20230723123538185](https://picgo-1300248484.cos.ap-nanjing.myqcloud.com/typora/image-20230723123538185.png)

Deploy command:

```bash
./deploy.sh dnssec
```

3. Configure the host network environment. This topology requires it, because a veth pair from the host into a container is added.

```bash
./configure_host.sh
```

4. Enter a container

```bash
./runNode.sh resolver
```

5. Tear down the deployment

```bash
./destroy.sh dnssec
```

6. Redeploy

```bash
./redeploy.sh dnssec
```

### macOS configuration

Note: when running on macOS, first run

```bash
./mac.sh
```

to enter the container environment, and then carry out the steps above.

## Customising a range environment

### Base images

The range currently provides the following base images:

* client: client image that simulates the victim machine; ships with dig, curl, tcpdump and other common tools
* attacker: attacker image, usually placed in the topology file as the man-in-the-middle that monitors and tampers with traffic; ships with dig, curl, tcpdump and similar tools, plus python and golang environments for running malicious code.
* resolver: ordinary DNS recursive resolver running bind 9.16 and listening on port 53; used as the recursive resolver in ordinary scenarios
* doh-resolver: DoH recursive resolver running bind 9.18 and listening on ports 53/443, with the server certificate already configured; the DoH URL is https://dns.xxt.asia/dns-query. Used as the recursive resolver in DoH environments.
  * To use this resolver, copy ca.crt from /etc/bind/certs to the client and trust that CA certificate; by default the client image already has this CA certificate under /usr/share/ca-certificates/certs.
* dnssec-resolver: DNSSEC recursive resolver; it also inherits from doh-resolver and therefore supports DoH, runs bind 9.18 and listens on ports 53/443. It must be used together with dnssec-root-server, dnssec-name-server1 and dnssec-name-server2.
* name-server1: top-level domain authoritative server, with the built-in hit. TLD

```zone
$ORIGIN hit.
@       0 IN SOA ns lxt.com. 1 604800 86400 2419200 604800
@       0 IN NS ns
ns      0 IN A  192.168.1.1
root    0 IN NS ns.root
ns.root 0 IN A  192.168.1.1
```

* name-server2: second-level authoritative server, with the built-in root.hit. second-level domain

```zone
$ORIGIN root.hit.
@    0 IN SOA ns lxt.com. 1 604800 86400 2419200 604800
@    0 IN NS ns
ns   0 IN A  192.168.1.1
lxt  0 IN A  192.168.1.1
test 0 IN A  123.222.123.222
```

* root-server: ships with the root zone file and simulates the root server; every resolver image must be used together with this image.
* dnssec-name-server1: inherits from name-server1 and supports DNSSEC
* dnssec-name-server2: inherits from name-server2 and supports DNSSEC

### Creating a template file

Create a new xxx.clab.yml file in the clab folder. For example, the dnssec template looks like this:

```yaml
# This file defines a MITM topology
# =============================================================== #
#                                                                 #
#                                                                 #
#   Client <------> Attacker <-----------> Resolver               #
#  (Victim)        (Attacker)        (Authoritative Server)       #
#   192.168.0.1 <--> 192.168.0.2                                  #
#                    192.168.1.2 <--> 192.168.1.1                 #
#                                                                 #
# =============================================================== #

name: CyberRange
prefix: ""

mgmt:
  network: fixedips
  ipv4-subnet: 172.10.10.0/24
  ipv6-subnet: 2001:172:10:10::/80

topology:
  nodes:
    client:
      kind: linux
      image: lxtxiaotong/client
      group: client
      mgmt-ipv4: 172.10.10.6
      dns:
        servers:
          - 192.168.1.1
      exec:
        - ip addr add 192.168.0.1/24 brd + dev eth1
        # - ip route add default via 192.168.0.2 dev eth1
        # Configure routing across bridges to bind's subnet (192.168.1.0/24)
        - ip route add 192.168.1.0/24 via 192.168.0.2 dev eth1
        - ip route add 192.168.2.0/24 via 192.168.0.2 dev eth1
        - ip route add 192.168.3.0/24 via 192.168.0.2 dev eth1
        - ip route add 192.168.4.0/24 via 192.168.0.2 dev eth1
        - /bin/bash -c "echo \"nameserver 192.168.1.1\" > /etc/resolv.conf"
    attacker1:
      kind: linux
      image: lxtxiaotong/attacker
      group: client
      mgmt-ipv4: 172.10.10.7
      dns:
        servers:
          - 192.168.1.1
      exec:
        - ip addr add 192.168.0.2/24 brd + dev eth1
        - ip addr add 192.168.1.2/24 brd + dev eth2
        - ip addr add 192.168.10.2/24 brd + dev eth3
        - ip route add 192.168.2.0/24 via 192.168.1.1 dev eth2
        - ip route add 192.168.3.0/24 via 192.168.1.1 dev eth2
        - ip route add 192.168.4.0/24 via 192.168.1.1 dev eth2
        - /bin/bash -c "echo \"nameserver 192.168.1.1\" > /etc/resolv.conf"
      # Enable router function
      sysctls:
        net.ipv4.ip_forward: 1
    rootServer:
      kind: linux
      image: shangzhq/dnssec-root-server
      mgmt-ipv4: 172.10.10.8
      exec:
        - ip addr add 192.168.2.2/24 brd + dev eth1
        # - ip route add default via 192.168.1.2 dev eth1
        # Configure routing across bridges to client's subnet (192.168.0.0/24)
        # - ip route add 192.168.0.0/24 via 192.168.1.2 dev eth1
        - ip route add 192.168.1.0/24 via 192.168.2.1 dev eth1
        - ip route add 192.168.0.0/24 via 192.168.2.1 dev eth1
    resolver:
      kind: linux
      image: shangzhq/dnssec-resolver
      mgmt-ipv4: 172.10.10.2
      exec:
        - ip addr add 192.168.1.1/24 brd + dev eth1
        - ip addr add 192.168.2.1/24 brd + dev eth2
        - ip addr add 192.168.5.1/24 brd + dev eth3
        # route to the client subnet inside docker, relayed through attacker1
        - ip route add 192.168.0.0/24 via 192.168.1.2 dev eth1
        # route to the host machine's subnet, relayed through attacker1
        - ip route add 192.168.10.0/24 via 192.168.1.2 dev eth1
        # route to the nameServer1 subnet, relayed through attacker2
        - ip route add 192.168.3.0/24 via 192.168.5.2 dev eth3
        # route to the nameServer2 subnet, relayed through attacker2
        - ip route add 192.168.4.0/24 via 192.168.5.2 dev eth3
        - /bin/bash -c "echo \"nameserver 192.168.1.1\" > /etc/resolv.conf"
        # add latency on the outbound (client-facing) interface
        - tc qdisc add dev eth1 root netem delay 10ms
        - tc qdisc show dev eth1
      # Enable router function
      sysctls:
        net.ipv4.ip_forward: 1
    attacker2:
      kind: linux
      image: lxtxiaotong/attacker
      group: client
      mgmt-ipv4: 172.10.10.17
      dns:
        servers:
          - 192.168.1.1
      exec:
        - ip addr add 192.168.5.2/24 brd + dev eth1
        - ip addr add 192.168.3.1/24 brd + dev eth2
        - ip addr add 192.168.4.1/24 brd + dev eth3
        # let attacker2 reach the resolver's 192.168.1.1 interface
        - ip route add 192.168.1.0/24 via 192.168.5.1 dev eth1
        - /bin/bash -c "echo \"nameserver 192.168.1.1\" > /etc/resolv.conf"
      # Enable router function
      sysctls:
        net.ipv4.ip_forward: 1
    nameServer1:
      kind: linux
      image: shangzhq/dnssec-name-server1
      group: nameServer
      mgmt-ipv4: 172.10.10.3
      exec:
        - ip addr add 192.168.3.2/24 brd + dev eth1
        - ip route add 192.168.5.0/24 via 192.168.3.1 dev eth1
    nameServer2:
      kind: linux
      image: shangzhq/dnssec-name-server2
      group: nameServer
      mgmt-ipv4: 172.10.10.4
      exec:
        - ip addr add 192.168.4.2/24 brd + dev eth1
        - ip route add 192.168.5.0/24 via 192.168.4.1 dev eth1
    nginx:
      kind: linux
      image: nginx
      mgmt-ipv4: 172.10.10.5
    nginx2:
      kind: linux
      image: nginx
      mgmt-ipv4: 172.10.10.50
      exec:
        # replace the static html with the attacker's html
        - sed -i 's/nginx/attacker'"'"'s nginx/g' /usr/share/nginx/html/index.html

  links:
    - endpoints: ["client:eth1", "attacker1:eth1"]
    - endpoints: ["attacker1:eth2", "resolver:eth1"]
    - endpoints: ["attacker1:eth3", "host:eth1"]
    - endpoints: ["rootServer:eth1", "resolver:eth2"]
    - endpoints: ["resolver:eth3", "attacker2:eth1"]
    - endpoints: ["attacker2:eth2", "nameServer1:eth1"]
    - endpoints: ["attacker2:eth3", "nameServer2:eth1"]
```
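Because every address and route in a template like the one above is assigned by hand, a mis-typed link endpoint silently breaks the MITM chain. The following check is an added example, not tooling from the dns-cyber-range project: it reads each node's `ip addr add ... dev X` exec lines and verifies that both ends of every link carry addresses in the same subnet, skipping the `host:*` veth pair that configure_host.sh sets up. The embedded TOPOLOGY is a constructed subset of the dnssec template with one deliberately mis-wired link; node and interface names are the page's, the check itself is an assumption.

```python
import ipaddress

def interface_addresses(nodes):
    """Map (node, iface) -> IPv4Interface from each node's 'ip addr add ... dev X' exec lines."""
    addrs = {}
    for name, node in nodes.items():
        for cmd in node.get("exec", []):
            parts = cmd.split()
            if parts[:3] == ["ip", "addr", "add"] and "dev" in parts:
                addrs[(name, parts[parts.index("dev") + 1])] = ipaddress.ip_interface(parts[3])
    return addrs

def check_links(topology):
    """Return problems: a link end with no address, or two ends in different subnets."""
    addrs = interface_addresses(topology["nodes"])
    problems = []
    for link in topology["links"]:
        a, b = link["endpoints"]
        # host:* is the veth pair into the host, configured by configure_host.sh, so skip it
        if a.startswith("host:") or b.startswith("host:"):
            continue
        ends = []
        for ep in (a, b):
            key = tuple(ep.split(":"))
            if key in addrs:
                ends.append(addrs[key])
            else:
                problems.append(f"{ep}: no address assigned in exec")
        if len(ends) == 2 and ends[0].network != ends[1].network:
            problems.append(f"{a} ({ends[0]}) and {b} ({ends[1]}) are in different subnets")
    return problems

# Constructed subset of the page's dnssec topology, plus one deliberately mis-wired link.
TOPOLOGY = {
    "nodes": {
        "client": {"exec": ["ip addr add 192.168.0.1/24 brd + dev eth1"]},
        "attacker1": {"exec": ["ip addr add 192.168.0.2/24 brd + dev eth1",
                               "ip addr add 192.168.1.2/24 brd + dev eth2"]},
        "resolver": {"exec": ["ip addr add 192.168.1.1/24 brd + dev eth1",
                              "ip addr add 192.168.2.1/24 brd + dev eth2"]},
        "rootServer": {"exec": ["ip addr add 192.168.2.2/24 brd + dev eth1"]},
    },
    "links": [
        {"endpoints": ["client:eth1", "attacker1:eth1"]},
        {"endpoints": ["attacker1:eth2", "resolver:eth1"]},
        {"endpoints": ["attacker1:eth3", "host:eth1"]},
        {"endpoints": ["rootServer:eth1", "resolver:eth2"]},
        {"endpoints": ["client:eth1", "resolver:eth2"]},  # constructed: crosses subnets
    ],
}
```

Running `check_links` over a full clab.yml (loaded with any YAML parser into the same dict shape) before `./deploy.sh` catches wiring mistakes that otherwise only show up as unexplained resolution timeouts inside the range.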