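# Imports
from pprint import pprint
import operator

from scapy.all import DNS, DNSQR, IP, UDP, sr1

# Measures, for every (query type, DNS server) pair, how much larger the
# server's response is than the query that triggered it, and prints the pairs
# sorted by that ratio. Sizes are len() of the scapy packet objects.
# A resolver that shows a high factor here is a candidate for hardening:
# response rate limiting, minimal-sized ANY answers (RFC 8482), and limiting
# recursion to the clients it is meant to serve.

# Parameters
interface = "eth0"  # Interface you want to use
dns_source = "local-ip"  # IP of that interface
dns_destination = ["ip1", "ip2", "ip3"]  # List of DNS Server IPs
time_to_live = 128  # IP TTL
query_name = "google.com"  # DNS Query Name
query_type = ["ANY", "A", "AAAA", "CNAME", "MX", "NS", "PTR", "CERT", "SRV", "TXT", "SOA"]  # DNS Query Types
response_timeout = 8  # Seconds to wait for each response

# Initialise variables
results = []
packet_number = 0

# Loop through all query types then all DNS servers
for qtype in query_type:
    for server in dns_destination:
        packet_number += 1

        # Craft the DNS query packet with scapy
        packet = (
            IP(src=dns_source, dst=server, ttl=time_to_live)
            / UDP()
            / DNS(rd=1, qd=DNSQR(qname=query_name, qtype=qtype))
        )

        # Send the packet and wait for a single response. Catch Exception
        # rather than using a bare except so Ctrl-C still stops the run, and
        # skip the pair on failure so a response left over from an earlier
        # iteration is never recorded against this server.
        try:
            response = sr1(packet, iface=interface, verbose=False, timeout=response_timeout)
        except Exception as exc:
            print("Error sending packet #{}: {}".format(packet_number, exc))
            continue
        print("Packet #{} sent!".format(packet_number))

        # sr1 returns None when nothing came back before the timeout; there
        # is no size to measure, so report it instead of failing silently.
        if response is None:
            print("No response to packet #{}".format(packet_number))
            continue

        # Record the measurement for this (server, query type) pair
        query_size = len(packet)
        response_size = len(response)
        results.append({
            'dns_destination': server,
            'query_type': qtype,
            'query_size': query_size,
            'response_size': response_size,
            'amplification_factor': response_size / query_size,
            'packet_number': packet_number,
        })

# Sort the measurements by amplification factor, largest first
results.sort(key=operator.itemgetter('amplification_factor'), reverse=True)

# Print results
pprint(results)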
Thanks bro! It really helped our workgroup ;)
Glad to hear it! Thanks
thanks for simple script
Hey this is a great write up, thanks for sharing! Code works great but I'm trying to reproduce the actual attack (on my machines).
When I set the src IP to be my target machine's IP, I can see with Wireshark that the packets are sent, but when I sniff for the response on my target machine they never arrive. Are these packets being dropped by the DNS server? It's my understanding that if I set the src port in the packet to 1337, the DNS server will then attempt to respond to that port, so why am I not getting any response? Any idea what is happening? Thanks!
Hey this is a great write up, thanks for sharing! Code works great but I'm trying to reproduce the actual attack (on my machines).
When I set the src IP to be my target machine's IP, I can see with Wireshark that the packets are sent, but when I sniff for the response on my target machine they never arrive. Are these packets being dropped by the DNS server? It's my understanding that if I set the src port in the packet to 1337, the DNS server will then attempt to respond to that port, so why am I not getting any response? Any idea what is happening? Thanks!
Hard to say without knowing more, what DNS server do you use in your lab? Perhaps the DNS server has some DNS amplification protection or drops packets with non-DNS ports (1337). What does the response look like when you have the same source IP as your machine's and what did you modify in the script? I'll be honest I haven't touched it in a while so I'm not too sure.
Hello, I need to write a scapy script for school that represents a DNS amplification attack. If i put your code in a loop and use the IP address of my friend he doesn't receive anything. As interface I set my WIFI interface and dns source, my friends IP address. I'm interpreting this wrong because my friend doesn't see anything of DNS responses. Could it be my network that blocks this traffic or would it be my code that isn't correct. Has anyone ideas on how to solve this problem?
Thanks bro! It really helped our workgroup ;)