From c054128d954c6267ca5c6d6c04594ae46c9493a7 Mon Sep 17 00:00:00 2001 From: RedToor Date: Thu, 21 Jul 2016 13:05:44 -0500 Subject: [PATCH] new build --- README.md | 2 +- core/Information.py | 4 +- core/modules.xml | 7 + core/version.json | 2 +- files/dnschef/dnschef.ini | 40 +++ files/dnschef/dnschef.py | 612 ++++++++++++++++++++++++++++++++++++++ modules/net/dns_fake.py | 50 ++++ 7 files changed, 713 insertions(+), 4 deletions(-) create mode 100644 files/dnschef/dnschef.ini create mode 100644 files/dnschef/dnschef.py create mode 100644 modules/net/dns_fake.py diff --git a/README.md b/README.md index bfb939a..9a743cb 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -[![Gitter chat](https://badges.gitter.im/totaljs/framework.png)](https://gitter.im/PowerScript/KatanaFramework) ![Supported OS](https://img.shields.io/badge/Supported%20OS-Linux-yellow.svg) ![License](https://img.shields.io/badge/license-GPLv3-blue.svg) ![CORE](https://img.shields.io/badge/core-0.0.1.0-green.svg)![Build](https://img.shields.io/badge/BUILD-0060-red.svg) +[![Gitter chat](https://badges.gitter.im/totaljs/framework.png)](https://gitter.im/PowerScript/KatanaFramework) ![Supported OS](https://img.shields.io/badge/Supported%20OS-Linux-yellow.svg) ![License](https://img.shields.io/badge/license-GPLv3-blue.svg) ![CORE](https://img.shields.io/badge/core-0.0.1.0-green.svg)![Build](https://img.shields.io/badge/BUILD-0061-red.svg) --- # ABOUT. diff --git a/core/Information.py b/core/Information.py index 9f2fb9a..51a719a 100644 --- a/core/Information.py +++ b/core/Information.py @@ -8,6 +8,6 @@ version="0.0.1.0" -date="01/06/16:14/06/16" -build="0060" +date="14/06/16:21/07/16" +build="0061" Type="FREE" diff --git a/core/modules.xml b/core/modules.xml index 60c7fbb..1e895ec 100644 --- a/core/modules.xml +++ b/core/modules.xml @@ -76,6 +76,13 @@ net arp_denegation_of_service ARP D.O.S Attack. + + + 1.0 + Dimitrios Kanellopoulos | Adated by RedToor + net + dns_fake + DNS fake Server Spoof. 1.0 diff --git a/core/version.json b/core/version.json index 76ac3f0..18eb21a 100644 --- a/core/version.json +++ b/core/version.json @@ -1 +1 @@ -{"Katana":{"Description":"Katana Updates information","Author": "Redtoor","Version":"0.2","Update":{"Core":"0.0.1.0","Build":"0060","Date":"14/06/16","Modules":"28"}}} +{"Katana":{"Description":"Katana Updates information","Author": "Redtoor","Version":"0.2","Update":{"Core":"0.0.1.0","Build":"0061","Date":"21/07/16","Modules":"30"}}} diff --git a/files/dnschef/dnschef.ini b/files/dnschef/dnschef.ini new file mode 100644 index 0000000..5004c60 --- /dev/null +++ b/files/dnschef/dnschef.ini @@ -0,0 +1,40 @@ +[A] # Queries for IPv4 address records +*.thesprawl.org=192.0.2.1 + +[AAAA] # Queries for IPv6 address records +*.thesprawl.org=2001:db8::1 + +[MX] # Queries for mail server records +*.thesprawl.org=mail.fake.com + +[NS] # Queries for mail server records +*.thesprawl.org=ns.fake.com + +[CNAME] # Queries for alias records +*.thesprawl.org=www.fake.com + +[TXT] # Queries for text records +*.thesprawl.org=fake message + +[PTR] +*.2.0.192.in-addr.arpa=fake.com + +[SOA] +; FORMAT: mname rname t1 t2 t3 t4 t5 +*.thesprawl.org=ns.fake.com. hostmaster.fake.com. 1 10800 3600 604800 3600 + +[NAPTR] +; FORMAT: order preference flags service regexp replacement +*.thesprawl.org=100 10 U E2U+sip !^.*$!sip:customer-service@fake.com! . + +[SRV] +; FORMAT: priority weight port target +*.*.thesprawl.org=0 5 5060 sipserver.fake.com + +[DNSKEY] +; FORMAT: flags protocol algorithm base64(key) +*.thesprawl.org=256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Cbl+BBZH4b/0PY1kxkmvHjcZc8nokfzj31GajIQKY+5CptLr3buXA10hWqTkF7H6RfoRqXQeogmMHfpftf6zMv1LyBUgia7za6ZEzOJBOztyvhjL742iU/TpPSEDhm2SNKLijfUppn1UaNvv4w== + +[RRSIG] +; FORMAT: covered algorithm labels labels orig_ttl sig_exp sig_inc key_tag name base64(sig) +*.thesprawl.org=A 5 3 86400 20030322173103 20030220173103 2642 thesprawl.org. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTrPYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6oB9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3tGNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkGJ5D6fwFm8nN+6pBzeDQfsS3Ap3o= \ No newline at end of file diff --git a/files/dnschef/dnschef.py b/files/dnschef/dnschef.py new file mode 100644 index 0000000..a15318f --- /dev/null +++ b/files/dnschef/dnschef.py @@ -0,0 +1,612 @@ +#!/usr/bin/env python +# +# DNSChef is a highly configurable DNS Proxy for Penetration Testers +# and Malware Analysts. Please visit http://thesprawl.org/projects/dnschef/ +# for the latest version and documentation. Please forward all issues and +# concerns to iphelix [at] thesprawl.org. + +DNSCHEF_VERSION = "0.3" + +# Copyright (C) 2014 Peter Kacherginsky +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# 3. Neither the name of the copyright holder nor the names of its contributors +# may be used to endorse or promote products derived from this software without +# specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +from optparse import OptionParser,OptionGroup +from ConfigParser import ConfigParser + +from dnslib import * +from IPy import IP + +import threading, random, operator, time +import SocketServer, socket, sys, os +import binascii +import string +import base64 +import time + +# DNSHandler Mixin. The class contains generic functions to parse DNS requests and +# calculate an appropriate response based on user parameters. +class DNSHandler(): + + def parse(self,data): + response = "" + + try: + # Parse data as DNS + d = DNSRecord.parse(data) + + except Exception, e: + print " [%s] %s: ERROR: %s" % (time.strftime("%H:%M:%S"), self.client_address[0], "invalid DNS request") + if self.server.log: self.server.log.write("[%s] %s: ERROR: %s\n" % (time.strftime("%d/%b/%Y:%H:%M:%S %z"), self.client_address[0], "invalid DNS request")) + + else: + # Only Process DNS Queries + if QR[d.header.qr] == "QUERY": + + # Gather query parameters + # NOTE: Do not lowercase qname here, because we want to see + # any case request weirdness in the logs. + qname = str(d.q.qname) + + # Chop off the last period + if qname[-1] == '.': qname = qname[:-1] + + qtype = QTYPE[d.q.qtype] + + # Find all matching fake DNS records for the query name or get False + fake_records = dict() + + for record in self.server.nametodns: + + fake_records[record] = self.findnametodns(qname,self.server.nametodns[record]) + + # Check if there is a fake record for the current request qtype + if qtype in fake_records and fake_records[qtype]: + + fake_record = fake_records[qtype] + + # Create a custom response to the query + response = DNSRecord(DNSHeader(id=d.header.id, bitmap=d.header.bitmap, qr=1, aa=1, ra=1), q=d.q) + + print " [%s] %s: cooking the response of type '%s' for %s to %s" % (time.strftime("%H:%M:%S"), self.client_address[0], qtype, qname, fake_record) + if self.server.log: self.server.log.write( "[%s] %s: cooking the response of type '%s' for %s to %s\n" % (time.strftime("%d/%b/%Y:%H:%M:%S %z"), self.client_address[0], qtype, qname, fake_record) ) + + # IPv6 needs additional work before inclusion: + if qtype == "AAAA": + ipv6 = IP(fake_record) + ipv6_bin = ipv6.strBin() + ipv6_hex_tuple = [int(ipv6_bin[i:i+8],2) for i in xrange(0,len(ipv6_bin),8)] + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](ipv6_hex_tuple))) + + elif qtype == "SOA": + mname,rname,t1,t2,t3,t4,t5 = fake_record.split(" ") + times = tuple([int(t) for t in [t1,t2,t3,t4,t5]]) + + # dnslib doesn't like trailing dots + if mname[-1] == ".": mname = mname[:-1] + if rname[-1] == ".": rname = rname[:-1] + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](mname,rname,times))) + + elif qtype == "NAPTR": + order,preference,flags,service,regexp,replacement = fake_record.split(" ") + order = int(order) + preference = int(preference) + + # dnslib doesn't like trailing dots + if replacement[-1] == ".": replacement = replacement[:-1] + + response.add_answer( RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](order,preference,flags,service,regexp,DNSLabel(replacement))) ) + + elif qtype == "SRV": + priority, weight, port, target = fake_record.split(" ") + priority = int(priority) + weight = int(weight) + port = int(port) + if target[-1] == ".": target = target[:-1] + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](priority, weight, port, target) )) + + elif qtype == "DNSKEY": + flags, protocol, algorithm, key = fake_record.split(" ") + flags = int(flags) + protocol = int(protocol) + algorithm = int(algorithm) + key = base64.b64decode(("".join(key)).encode('ascii')) + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](flags, protocol, algorithm, key) )) + + elif qtype == "RRSIG": + covered, algorithm, labels, orig_ttl, sig_exp, sig_inc, key_tag, name, sig = fake_record.split(" ") + covered = getattr(QTYPE,covered) # NOTE: Covered QTYPE + algorithm = int(algorithm) + labels = int(labels) + orig_ttl = int(orig_ttl) + sig_exp = int(time.mktime(time.strptime(sig_exp +'GMT',"%Y%m%d%H%M%S%Z"))) + sig_inc = int(time.mktime(time.strptime(sig_inc +'GMT',"%Y%m%d%H%M%S%Z"))) + key_tag = int(key_tag) + if name[-1] == '.': name = name[:-1] + sig = base64.b64decode(("".join(sig)).encode('ascii')) + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](covered, algorithm, labels,orig_ttl, sig_exp, sig_inc, key_tag, name, sig) )) + + else: + # dnslib doesn't like trailing dots + if fake_record[-1] == ".": fake_record = fake_record[:-1] + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](fake_record))) + + response = response.pack() + + elif qtype == "*" and not None in fake_records.values(): + print " [%s] %s: cooking the response of type '%s' for %s with %s" % (time.strftime("%H:%M:%S"), self.client_address[0], "ANY", qname, "all known fake records.") + if self.server.log: self.server.log.write( "[%s] %s: cooking the response of type '%s' for %s with %s\n" % (time.strftime("%d/%b/%Y:%H:%M:%S %z"), self.client_address[0], "ANY", qname, "all known fake records.") ) + + response = DNSRecord(DNSHeader(id=d.header.id, bitmap=d.header.bitmap,qr=1, aa=1, ra=1), q=d.q) + + for qtype,fake_record in fake_records.items(): + if fake_record: + + # NOTE: RDMAP is a dictionary map of qtype strings to handling classses + # IPv6 needs additional work before inclusion: + if qtype == "AAAA": + ipv6 = IP(fake_record) + ipv6_bin = ipv6.strBin() + fake_record = [int(ipv6_bin[i:i+8],2) for i in xrange(0,len(ipv6_bin),8)] + + elif qtype == "SOA": + mname,rname,t1,t2,t3,t4,t5 = fake_record.split(" ") + times = tuple([int(t) for t in [t1,t2,t3,t4,t5]]) + + # dnslib doesn't like trailing dots + if mname[-1] == ".": mname = mname[:-1] + if rname[-1] == ".": rname = rname[:-1] + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](mname,rname,times))) + + elif qtype == "NAPTR": + order,preference,flags,service,regexp,replacement = fake_record.split(" ") + order = int(order) + preference = int(preference) + + # dnslib doesn't like trailing dots + if replacement and replacement[-1] == ".": replacement = replacement[:-1] + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](order,preference,flags,service,regexp,replacement))) + + elif qtype == "SRV": + priority, weight, port, target = fake_record.split(" ") + priority = int(priority) + weight = int(weight) + port = int(port) + if target[-1] == ".": target = target[:-1] + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](priority, weight, port, target) )) + + elif qtype == "DNSKEY": + flags, protocol, algorithm, key = fake_record.split(" ") + flags = int(flags) + protocol = int(protocol) + algorithm = int(algorithm) + key = base64.b64decode(("".join(key)).encode('ascii')) + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](flags, protocol, algorithm, key) )) + + elif qtype == "RRSIG": + covered, algorithm, labels, orig_ttl, sig_exp, sig_inc, key_tag, name, sig = fake_record.split(" ") + covered = getattr(QTYPE,covered) # NOTE: Covered QTYPE + algorithm = int(algorithm) + labels = int(labels) + orig_ttl = int(orig_ttl) + sig_exp = int(time.mktime(time.strptime(sig_exp +'GMT',"%Y%m%d%H%M%S%Z"))) + sig_inc = int(time.mktime(time.strptime(sig_inc +'GMT',"%Y%m%d%H%M%S%Z"))) + key_tag = int(key_tag) + if name[-1] == '.': name = name[:-1] + sig = base64.b64decode(("".join(sig)).encode('ascii')) + + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](covered, algorithm, labels,orig_ttl, sig_exp, sig_inc, key_tag, name, sig) )) + + else: + # dnslib doesn't like trailing dots + if fake_record[-1] == ".": fake_record = fake_record[:-1] + response.add_answer(RR(qname, getattr(QTYPE,qtype), rdata=RDMAP[qtype](fake_record))) + + response = response.pack() + + # Proxy the request + else: + print " [%s] %s: proxying the response of type '%s' for %s" % (time.strftime("%H:%M:%S"), self.client_address[0], qtype, qname) + if self.server.log: self.server.log.write( "[%s] %s: proxying the response of type '%s' for %s\n" % (time.strftime("%d/%b/%Y:%H:%M:%S %z"), self.client_address[0], qtype, qname) ) + + nameserver_tuple = random.choice(self.server.nameservers).split('#') + response = self.proxyrequest(data,*nameserver_tuple) + + return response + + + # Find appropriate ip address to use for a queried name. The function can + def findnametodns(self,qname,nametodns): + + # Make qname case insensitive + qname = qname.lower() + + # Split and reverse qname into components for matching. + qnamelist = qname.split('.') + qnamelist.reverse() + + # HACK: It is important to search the nametodns dictionary before iterating it so that + # global matching ['*.*.*.*.*.*.*.*.*.*'] will match last. Use sorting for that. + for domain,host in sorted(nametodns.iteritems(), key=operator.itemgetter(1)): + + # NOTE: It is assumed that domain name was already lowercased + # when it was loaded through --file, --fakedomains or --truedomains + # don't want to waste time lowercasing domains on every request. + + # Split and reverse domain into components for matching + domain = domain.split('.') + domain.reverse() + + # Compare domains in reverse. + for a,b in map(None,qnamelist,domain): + if a != b and b != "*": + break + else: + # Could be a real IP or False if we are doing reverse matching with 'truedomains' + return host + else: + return False + + # Obtain a response from a real DNS server. + def proxyrequest(self, request, host, port="53", protocol="udp"): + reply = None + try: + if self.server.ipv6: + + if protocol == "udp": + sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + elif protocol == "tcp": + sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) + + else: + if protocol == "udp": + sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + elif protocol == "tcp": + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + + sock.settimeout(3.0) + + # Send the proxy request to a randomly chosen DNS server + + if protocol == "udp": + sock.sendto(request, (host, int(port))) + reply = sock.recv(1024) + sock.close() + + elif protocol == "tcp": + sock.connect((host, int(port))) + + # Add length for the TCP request + length = binascii.unhexlify("%04x" % len(request)) + sock.sendall(length+request) + + # Strip length from the response + reply = sock.recv(1024) + reply = reply[2:] + + sock.close() + + except Exception, e: + print " [!] Could not proxy request: %s" % e + else: + return reply + +# UDP DNS Handler for incoming requests +class UDPHandler(DNSHandler, SocketServer.BaseRequestHandler): + + def handle(self): + (data,socket) = self.request + response = self.parse(data) + + if response: + socket.sendto(response, self.client_address) + +# TCP DNS Handler for incoming requests +class TCPHandler(DNSHandler, SocketServer.BaseRequestHandler): + + def handle(self): + data = self.request.recv(1024) + + # Remove the addition "length" parameter used in the + # TCP DNS protocol + data = data[2:] + response = self.parse(data) + + if response: + # Calculate and add the additional "length" parameter + # used in TCP DNS protocol + length = binascii.unhexlify("%04x" % len(response)) + self.request.sendall(length+response) + +class ThreadedUDPServer(SocketServer.ThreadingMixIn, SocketServer.UDPServer): + + # Override SocketServer.UDPServer to add extra parameters + def __init__(self, server_address, RequestHandlerClass, nametodns, nameservers, ipv6, log): + self.nametodns = nametodns + self.nameservers = nameservers + self.ipv6 = ipv6 + self.address_family = socket.AF_INET6 if self.ipv6 else socket.AF_INET + self.log = log + + SocketServer.UDPServer.__init__(self,server_address,RequestHandlerClass) + +class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): + + # Override default value + allow_reuse_address = True + + # Override SocketServer.TCPServer to add extra parameters + def __init__(self, server_address, RequestHandlerClass, nametodns, nameservers, ipv6, log): + self.nametodns = nametodns + self.nameservers = nameservers + self.ipv6 = ipv6 + self.address_family = socket.AF_INET6 if self.ipv6 else socket.AF_INET + self.log = log + + SocketServer.TCPServer.__init__(self,server_address,RequestHandlerClass) + +# Initialize and start the DNS Server +def start_cooking(interface, nametodns, nameservers, tcp=False, ipv6=False, port="53", logfile=None): + try: + + if logfile: + log = open(logfile,'a',0) + log.write("[%s] DNSChef is active.\n" % (time.strftime("%d/%b/%Y:%H:%M:%S %z")) ) + else: + log = None + + if tcp: + print " | DNSChef is running in TCP mode" + server = ThreadedTCPServer((interface, int(port)), TCPHandler, nametodns, nameservers, ipv6, log) + else: + server = ThreadedUDPServer((interface, int(port)), UDPHandler, nametodns, nameservers, ipv6, log) + + # Start a thread with the server -- that thread will then start + # more threads for each request + server_thread = threading.Thread(target=server.serve_forever) + + # Exit the server thread when the main thread terminates + server_thread.daemon = True + server_thread.start() + + # Loop in the main thread + while True: time.sleep(100) + + except (KeyboardInterrupt, SystemExit): + + if log: + log.write("[%s] DNSChef is shutting down.\n" % (time.strftime("%d/%b/%Y:%H:%M:%S %z")) ) + log.close() + + server.shutdown() + print " | DNSChef is shutting down." + sys.exit() + + except IOError: + print " [!] Failed to open log file for writing." + + except Exception, e: + print " [!] Failed to start the server: %s" % e + +if __name__ == "__main__": + + header = " _ _ __ \n" + header += " | | version %s | | / _| \n" % DNSCHEF_VERSION + header += " __| |_ __ ___ ___| |__ ___| |_ \n" + header += " / _` | '_ \/ __|/ __| '_ \ / _ \ _|\n" + header += " | (_| | | | \__ \ (__| | | | __/ | \n" + header += " \__,_|_| |_|___/\___|_| |_|\___|_| \n" + header += " iphelix@thesprawl.org \n" + + # Parse command line arguments + parser = OptionParser(usage = "dnschef.py [options]:\n" + header, description="DNSChef is a highly configurable DNS Proxy for Penetration Testers and Malware Analysts. It is capable of fine configuration of which DNS replies to modify or to simply proxy with real responses. In order to take advantage of the tool you must either manually configure or poison DNS server entry to point to DNSChef. The tool requires root privileges to run on privileged ports." ) + + fakegroup = OptionGroup(parser, "Fake DNS records:") + fakegroup.add_option('--fakeip', metavar="192.0.2.1", action="store", help='IP address to use for matching DNS queries. If you use this parameter without specifying domain names, then all \'A\' queries will be spoofed. Consider using --file argument if you need to define more than one IP address.') + fakegroup.add_option('--fakeipv6', metavar="2001:db8::1", action="store", help='IPv6 address to use for matching DNS queries. If you use this parameter without specifying domain names, then all \'AAAA\' queries will be spoofed. Consider using --file argument if you need to define more than one IPv6 address.') + fakegroup.add_option('--fakemail', metavar="mail.fake.com", action="store", help='MX name to use for matching DNS queries. If you use this parameter without specifying domain names, then all \'MX\' queries will be spoofed. Consider using --file argument if you need to define more than one MX record.') + fakegroup.add_option('--fakealias', metavar="www.fake.com", action="store", help='CNAME name to use for matching DNS queries. If you use this parameter without specifying domain names, then all \'CNAME\' queries will be spoofed. Consider using --file argument if you need to define more than one CNAME record.') + fakegroup.add_option('--fakens', metavar="ns.fake.com", action="store", help='NS name to use for matching DNS queries. If you use this parameter without specifying domain names, then all \'NS\' queries will be spoofed. Consider using --file argument if you need to define more than one NS record.') + fakegroup.add_option('--file', action="store", help="Specify a file containing a list of DOMAIN=IP pairs (one pair per line) used for DNS responses. For example: google.com=1.1.1.1 will force all queries to 'google.com' to be resolved to '1.1.1.1'. IPv6 addresses will be automatically detected. You can be even more specific by combining --file with other arguments. However, data obtained from the file will take precedence over others.") + parser.add_option_group(fakegroup) + + parser.add_option('--fakedomains', metavar="thesprawl.org,google.com", action="store", help='A comma separated list of domain names which will be resolved to FAKE values specified in the the above parameters. All other domain names will be resolved to their true values.') + parser.add_option('--truedomains', metavar="thesprawl.org,google.com", action="store", help='A comma separated list of domain names which will be resolved to their TRUE values. All other domain names will be resolved to fake values specified in the above parameters.') + + rungroup = OptionGroup(parser,"Optional runtime parameters.") + rungroup.add_option("--logfile", action="store", help="Specify a log file to record all activity") + rungroup.add_option("--nameservers", metavar="8.8.8.8#53 or 4.2.2.1#53#tcp or 2001:4860:4860::8888", default='8.8.8.8', action="store", help='A comma separated list of alternative DNS servers to use with proxied requests. Nameservers can have either IP or IP#PORT format. A randomly selected server from the list will be used for proxy requests when provided with multiple servers. By default, the tool uses Google\'s public DNS server 8.8.8.8 when running in IPv4 mode and 2001:4860:4860::8888 when running in IPv6 mode.') + rungroup.add_option("-i","--interface", metavar="127.0.0.1 or ::1", default="127.0.0.1", action="store", help='Define an interface to use for the DNS listener. By default, the tool uses 127.0.0.1 for IPv4 mode and ::1 for IPv6 mode.') + rungroup.add_option("-t","--tcp", action="store_true", default=False, help="Use TCP DNS proxy instead of the default UDP.") + rungroup.add_option("-6","--ipv6", action="store_true", default=False, help="Run in IPv6 mode.") + rungroup.add_option("-p","--port", action="store", metavar="53", default="53", help='Port number to listen for DNS requests.') + rungroup.add_option("-q", "--quiet", action="store_false", dest="verbose", default=True, help="Don't show headers.") + parser.add_option_group(rungroup) + + (options,args) = parser.parse_args() + + # Print program header + if options.verbose: + print header + + # Main storage of domain filters + # NOTE: RDMAP is a dictionary map of qtype strings to handling classes + nametodns = dict() + for qtype in RDMAP.keys(): + nametodns[qtype] = dict() + + # Incorrect or incomplete command line arguments + if options.fakedomains and options.truedomains: + print " [!] You can not specify both 'fakedomains' and 'truedomains' parameters." + sys.exit(0) + + elif not (options.fakeip or options.fakeipv6) and (options.fakedomains or options.truedomains): + print " [!] You have forgotten to specify which IP to use for fake responses" + sys.exit(0) + + # Notify user about alternative listening port + if options.port != "53": + print " | Listening on an alternative port %s" % options.port + + # Adjust defaults for IPv6 + if options.ipv6: + print " | Using IPv6 mode." + if options.interface == "127.0.0.1": + options.interface = "::1" + + if options.nameservers == "8.8.8.8": + options.nameservers = "2001:4860:4860::8888" + + print " | DNSChef started on interface: %s " % options.interface + + # Use alternative DNS servers + if options.nameservers: + nameservers = options.nameservers.split(',') + print " | Using the following nameservers: %s" % ", ".join(nameservers) + + # External file definitions + if options.file: + config = ConfigParser() + config.read(options.file) + for section in config.sections(): + + if section in nametodns: + for domain,record in config.items(section): + + # Make domain case insensitive + domain = domain.lower() + + nametodns[section][domain] = record + print " [+] Cooking %s replies for domain %s with '%s'" % (section,domain,record) + else: + print " [!] DNS Record '%s' is not supported. Ignoring section contents." % section + + # DNS Record and Domain Name definitions + # NOTE: '*.*.*.*.*.*.*.*.*.*' domain is used to match all possible queries. + if options.fakeip or options.fakeipv6 or options.fakemail or options.fakealias or options.fakens: + fakeip = options.fakeip + fakeipv6 = options.fakeipv6 + fakemail = options.fakemail + fakealias = options.fakealias + fakens = options.fakens + + if options.fakedomains: + for domain in options.fakedomains.split(','): + + # Make domain case insensitive + domain = domain.lower() + domain = domain.strip() + + if fakeip: + nametodns["A"][domain] = fakeip + print " | Cooking A replies to point to %s matching: %s" % (options.fakeip, domain) + + if fakeipv6: + nametodns["AAAA"][domain] = fakeipv6 + print " | Cooking AAAA replies to point to %s matching: %s" % (options.fakeipv6, domain) + + if fakemail: + nametodns["MX"][domain] = fakemail + print " | Cooking MX replies to point to %s matching: %s" % (options.fakemail, domain) + + if fakealias: + nametodns["CNAME"][domain] = fakealias + print " | Cooking CNAME replies to point to %s matching: %s" % (options.fakealias, domain) + + if fakens: + nametodns["NS"][domain] = fakens + print " | Cooking NS replies to point to %s matching: %s" % (options.fakens, domain) + + elif options.truedomains: + for domain in options.truedomains.split(','): + + # Make domain case insensitive + domain = domain.lower() + domain = domain.strip() + + if fakeip: + nametodns["A"][domain] = False + print " | Cooking A replies to point to %s not matching: %s" % (options.fakeip, domain) + nametodns["A"]['*.*.*.*.*.*.*.*.*.*'] = fakeip + + if fakeipv6: + nametodns["AAAA"][domain] = False + print " | Cooking AAAA replies to point to %s not matching: %s" % (options.fakeipv6, domain) + nametodns["AAAA"]['*.*.*.*.*.*.*.*.*.*'] = fakeipv6 + + if fakemail: + nametodns["MX"][domain] = False + print " | Cooking MX replies to point to %s not matching: %s" % (options.fakemail, domain) + nametodns["MX"]['*.*.*.*.*.*.*.*.*.*'] = fakemail + + if fakealias: + nametodns["CNAME"][domain] = False + print " | Cooking CNAME replies to point to %s not matching: %s" % (options.fakealias, domain) + nametodns["CNAME"]['*.*.*.*.*.*.*.*.*.*'] = fakealias + + if fakens: + nametodns["NS"][domain] = False + print " | Cooking NS replies to point to %s not matching: %s" % (options.fakens, domain) + nametodns["NS"]['*.*.*.*.*.*.*.*.*.*'] = fakealias + + else: + + # NOTE: '*.*.*.*.*.*.*.*.*.*' domain is a special ANY domain + # which is compatible with the wildflag algorithm above. + + if fakeip: + nametodns["A"]['*.*.*.*.*.*.*.*.*.*'] = fakeip + print " | Cooking all A replies to point to %s" % fakeip + + if fakeipv6: + nametodns["AAAA"]['*.*.*.*.*.*.*.*.*.*'] = fakeipv6 + print " | Cooking all AAAA replies to point to %s" % fakeipv6 + + if fakemail: + nametodns["MX"]['*.*.*.*.*.*.*.*.*.*'] = fakemail + print " | Cooking all MX replies to point to %s" % fakemail + + if fakealias: + nametodns["CNAME"]['*.*.*.*.*.*.*.*.*.*'] = fakealias + print " | Cooking all CNAME replies to point to %s" % fakealias + + if fakens: + nametodns["NS"]['*.*.*.*.*.*.*.*.*.*'] = fakens + print " | Cooking all NS replies to point to %s" % fakens + + # Proxy all DNS requests + if not options.fakeip and not options.fakeipv6 and not options.fakemail and not options.fakealias and not options.fakens and not options.file: + print " | No parameters were specified. Running in full proxy mode" + + # Launch DNSChef + start_cooking(interface=options.interface, nametodns=nametodns, nameservers=nameservers, tcp=options.tcp, ipv6=options.ipv6, port=options.port, logfile=options.logfile) \ No newline at end of file diff --git a/modules/net/dns_fake.py b/modules/net/dns_fake.py new file mode 100644 index 0000000..a30f31c --- /dev/null +++ b/modules/net/dns_fake.py @@ -0,0 +1,50 @@ +# This module requires katana framework +# https://github.com/PowerScript/KatanaFramework + +# :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-: # +# Katana Core import # +from core.KATANAFRAMEWORK import * # +# :-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-: # + +# LIBRARIES +from core.Function import get_local_ip +import subprocess +# END LIBRARIES + +# INFORMATION MODULE +def init(): + init.Author ="RedToor" + init.Version ="1.0" + init.Description ="DNS fake Server Spoof." + init.CodeName ="net/dns.fake" + init.DateCreation ="21/07/2016" + init.LastModification ="21/07/2016" + init.References =None + init.License =KTF_LINCENSE + init.var ={} + + # DEFAULT OPTIONS MODULE + init.options = { + # NAME VALUE RQ DESCRIPTION + 'dnspoof' :[get_local_ip() ,False,'DNS/IP spoofed'], + 'dnstarget':["www.test.com" ,True ,'DNS Target\'s'] + } + # EXTRA OPTIONS MODULE + init.extra = { + # NAME VALUE RQ DESCRIPTION + 'ip_server':[get_local_ip() ,True ,'Ip Server'] + } + # AUX INFORMATION MODULE + init.aux = """ + dnstarget [Separate DNS with (,)] example : google.com, gmail.com + """ + return init +# END INFORMATION MODULE + +# CODE MODULE ############################################################################################ +def main(run): + printAlert(0,"Starting DNS Fake server [DNSchef]") + printAlert(0,"to stop the module press "+colors[11]+"[Ctrl+c]"+colors[0]) + subprocess.call("sudo fuser -kuv 53/udp >/dev/null 2>&1 ", shell=True) + subprocess.call("python files/dnschef/dnschef.py --fakeip "+init.var['dnspoof']+" --fakedomains "+init.var['dnstarget']+" --interface "+init.var['ip_server']+" -q", shell=True) +# END CODE MODULE ############################################################################################ \ No newline at end of file