dns_scan.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
#include <getopt.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <time.h>
#include "dns.h"
/*
 * Work unit for one scanner thread: a contiguous block of IPv4 addresses plus
 * the query parameters shared by every probe. Filled in by start_scanning(),
 * read by scan_thread(). Both the struct and `host` are malloc'd in
 * start_scanning() and nothing in this file frees them.
 */
typedef struct range {
    unsigned long start;    /* first address, host byte order (scan_thread applies htonl) */
    unsigned long amount;   /* addresses after `start`; the worker loop is inclusive of start+amount */
    in_addr_t spoof_ip;     /* source address to write into the IP header; 0 = no raw socket, plain UDP */
    unsigned char *host;    /* NUL-terminated query name handed to addRecord() */
} Thread_Data;
/*
 * checksum - 16-bit one's-complement checksum (RFC 1071 style) over
 * `numWords` consecutive 16-bit words starting at `buffer`.
 *
 * Words are summed as they sit in memory (no byte swapping). Carries out of
 * bit 15 are folded back in until none remain and the complement of the
 * folded sum is returned. numWords <= 0 sums nothing and yields 0xFFFF.
 * In this file it is applied to the IPv4 header; the caller passes ihl * 2
 * because ihl counts 32-bit words.
 */
unsigned short checksum(const void *buffer, int numWords) {
    const unsigned short *word = buffer;
    const unsigned short *end = word + (numWords > 0 ? numWords : 0);
    /* Accumulate in a wider type so carries out of bit 15 survive. */
    unsigned long acc = 0;

    for (; word != end; word++) {
        acc += *word;
    }

    /* Folding can itself produce a new carry, hence the loop. */
    for (unsigned long carry = acc >> 16; carry != 0; carry = acc >> 16) {
        acc = carry + (acc & 0xFFFF);
    }

    return (unsigned short) ~acc;
}
/*
 * Prepend a UDP header to the DNS message in `buffer`.
 *
 * buffer       malloc'd DNS message of *payloadSize bytes. It is handed to
 *              realloc(), so callers must continue with the returned pointer
 *              only (every caller here does `buff = encapsulateUDP(...)`).
 * payloadSize  in: length of the DNS message; out: that plus sizeof(struct udphdr).
 * dst_port     destination port, stored in network byte order.
 * Returns the grown buffer. On realloc() failure it reports the error and
 * terminates the process (exit, not an error return).
 *
 * NOTE(review): `buffer` is the pre-realloc pointer. After a successful
 * realloc() that moved the block, the memcpy below reads from freed memory
 * (use-after-free); it only happens to work when realloc() grows in place.
 */
unsigned char *encapsulateUDP(unsigned char *buffer, int *payloadSize, int dst_port) {
    unsigned char *tmp = NULL;
    tmp = realloc(buffer, *payloadSize + sizeof(struct udphdr));
    if(!tmp) {
        perror("encapsulateUDP :: Couldn't reallocate buffer");
        exit(EXIT_FAILURE);
    }
    /* Move the payload past the header slot; the source is the old pointer, see NOTE above. */
    memcpy(&tmp[sizeof(struct udphdr)], buffer, *payloadSize);
    struct udphdr *udph = (struct udphdr *) tmp;
    udph->source = htons(rand());   /* random source port; rand() is narrowed to 16 bits by htons, seeded in main() */
    udph->dest = htons(dst_port);
    udph->check = 0;                /* UDP checksum 0 means "not computed" for IPv4 */
    udph->len = htons((*payloadSize) + 8); /* the literal 8 stands for sizeof(struct udphdr) */
    *payloadSize += sizeof(struct udphdr);
    return tmp;
}
/*
 * Prepend an IPv4 header to the datagram in `buffer` and fill in its checksum.
 *
 * buffer       malloc'd datagram of *payloadSize bytes, handed to realloc();
 *              callers must use the returned pointer.
 * payloadSize  in: datagram length; out: that plus sizeof(struct iphdr).
 * sourceIP     stored in saddr as-is (callers pass inet_addr() results / in_addr_t).
 * destIP       stored in daddr as-is; scan_thread passes 0 and rewrites daddr per target.
 * Returns the grown buffer; exits the process when realloc() fails.
 *
 * NOTE(review): the header fields are written through `iph`, which is
 * derived from `buffer` (the pre-realloc pointer), while the function returns
 * `tmp`. When realloc() moves the block those writes land in freed memory and
 * `tmp` never receives the header; the checksum is then taken over whatever
 * `tmp` holds in its first 20 bytes. The memcpy also reads `buffer` after
 * realloc(), as in encapsulateUDP(). The perror text still says
 * "encapsulateUDP" (copy-paste).
 */
unsigned char *encapsulateIP(unsigned char *buffer, int *payloadSize, in_addr_t sourceIP, in_addr_t destIP) {
    unsigned char *tmp = NULL;
    tmp = realloc(buffer, *payloadSize + sizeof(struct iphdr));
    if(!tmp) {
        perror("encapsulateUDP :: Couldn't reallocate buffer");
        exit(EXIT_FAILURE);
    }
    memcpy(&tmp[sizeof(struct iphdr)], buffer, *payloadSize);
    struct iphdr *iph = (struct iphdr *) buffer;   /* see NOTE above: old pointer, not tmp */
    iph->version = 4;
    iph->ihl = 5;           /* header length in 32-bit words: 5 = 20 bytes, no options */
    iph->tos = 0;
    iph->tot_len = htons(*payloadSize + sizeof(struct iphdr)); /* total length = data + header */
    iph->id = htons(4321);  /* fixed identification value for every packet */
    iph->frag_off = 0;
    iph->ttl = MAXTTL;
    iph->protocol = IPPROTO_UDP;
    iph->check = 0;         /* must be zero while the checksum is computed */
    iph->saddr = sourceIP;
    iph->daddr = destIP;
    iph->check = checksum(tmp, iph->ihl * 2); /* ihl counts 32-bit words, checksum() counts 16-bit words */
    *payloadSize += sizeof(struct iphdr);
    return tmp;
}
/*
 * pthread start routine: send the same DNS query to every address in one
 * Thread_Data range.
 *
 * args   Thread_Data* built by start_scanning(); not freed here.
 * The query is built once (addRecord/addQuestion/addEDNS/encapsulateDNS are
 * not defined in this file, presumably declared in dns.h). It is then sent
 * either over a UDP socket to port 53 of each address, or — when
 * td->spoof_ip is non-zero — wrapped in UDP+IPv4 headers and sent through a
 * raw socket, with daddr rewritten for each target.
 *
 * NOTE(review), what the code does not do:
 *  - it is declared `void *` but has no return statement (falls off the end);
 *  - sockfd is never closed and buff is never freed;
 *  - the `sent` result of sendto() is ignored;
 *  - the loop bound `start + amount + 1` is inclusive of start+amount, so the
 *    last address of thread i is also the first address of thread i+1
 *    (start_scanning sets start = base + i*ips_per_thread, amount = ips_per_thread);
 *  - `ip` is uint32_t while the bound is unsigned long; on LP64 a range that
 *    reaches 0xFFFFFFFF makes ip wrap to 0 and the loop never terminates.
 * The pre-existing TO-DO about special-purpose ranges still stands.
 */
void *scan_thread(void *args) {
    //TO-DO: Remove scanning special purpose IP ranges (private IPs)
    //as per https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
    Thread_Data *td = (Thread_Data *) args;
    unsigned char *buff = NULL;
    int payloadSize = 0;
    int socket_type = SOCK_DGRAM;
    int socket_protocol = IPPROTO_UDP;
    //add the record (query name)
    buff = addRecord(buff, td -> host, &payloadSize);
    //add the record details
    buff = addQuestion(buff, &payloadSize);
    //add extended DNS
    buff = addEDNS(buff, &payloadSize);
    //add DNS header around data
    buff = encapsulateDNS(buff, &payloadSize);
    if(td->spoof_ip) {
        /* raw-socket mode: the kernel does not add headers, so build them here */
        socket_type = SOCK_RAW;
        socket_protocol = IPPROTO_RAW;
        //add UDP header
        buff = encapsulateUDP(buff, &payloadSize, 53); //port 53 default dns
        //add IP header with the spoofed source; destination 0 is patched per target below
        buff = encapsulateIP(buff, &payloadSize, td -> spoof_ip, 0);
    }
    int sockfd = socket(AF_INET, socket_type, socket_protocol);
    if(sockfd < 0) {
        perror("Coudn't create socket");
        exit(-1);   /* exit() from a worker thread terminates the whole process */
    }
    struct sockaddr_in server_addr;
    /* inclusive upper bound, see NOTE above about overlap and wrap-around */
    for(uint32_t ip = td -> start; ip < td -> start + td -> amount + 1; ip++) {
        memset(&server_addr, 0, sizeof(server_addr));
        server_addr.sin_family = AF_INET;
        server_addr.sin_addr.s_addr = htonl(ip);
        if(td -> spoof_ip) {
            //raw-socket mode: point the already-built IP header at this target and recompute its checksum
            struct iphdr *iph = (struct iphdr *)buff;
            iph -> daddr = htonl(ip);
            iph -> check = checksum(iph, iph -> ihl *2);
            server_addr.sin_port = 0;
        }
        else
            server_addr.sin_port = htons(53);
        int sent = sendto(sockfd, (char *) buff, payloadSize, 0, (struct sockaddr *) &server_addr, sizeof(server_addr)); /* result unused */
    }
}
/*
 * Split the address range start_ip..end_ip across numThreads scan_thread()
 * workers and wait for all of them.
 *
 * numThreads  number of workers; also the divisor below and the VLA size.
 * start_ip    first address, network byte order (converted with ntohl here).
 * end_ip      last address, network byte order.
 * spoof_ip    dotted-quad source address to spoof, or NULL for plain UDP probes.
 * host        query name copied into every worker's Thread_Data.
 * Declared `int` but contains no return statement.
 *
 * NOTE(review):
 *  - numThreads is not validated: 0 divides by zero on the first line and a
 *    negative value gives a negative-length VLA (both undefined behavior);
 *    main() passes it straight from atoi(optarg).
 *  - integer division leaves (end - start) % numThreads addresses at the top
 *    of the range that no thread covers.
 *  - malloc() and pthread_create() results are unchecked; each Thread_Data and
 *    its host copy are never freed.
 *  - "%ld" is used for an unsigned long (should be "%lu").
 *  - spoof_ip is parsed with inet_addr(), whose INADDR_NONE error value is
 *    non-zero, so an unparsable -S argument still selects raw-socket mode.
 */
int start_scanning(int numThreads, in_addr_t start_ip, in_addr_t end_ip, unsigned char *spoof_ip, unsigned char *host) {
    unsigned long ips_per_thread = (ntohl(end_ip) - ntohl(start_ip))/numThreads;
    pthread_t threads[numThreads];   /* VLA sized by an unvalidated argument */
    printf("IPs per thread: %ld\n", ips_per_thread);
    for(int i = 0; i < numThreads; i++) {
        Thread_Data *new_td = (Thread_Data *) malloc(sizeof(Thread_Data));
        new_td -> host = malloc(strlen(host) + 1);
        strcpy(new_td -> host, host);
        new_td -> start = (ntohl(start_ip) + i*ips_per_thread); /* host byte order */
        new_td -> amount = ips_per_thread;
        if(spoof_ip)
            new_td -> spoof_ip = inet_addr(spoof_ip);
        else
            new_td -> spoof_ip = 0;  /* 0 means "no spoofing" in scan_thread */
        pthread_create(&threads[i], NULL, &scan_thread, new_td);
    }
    for(int j = 0; j < numThreads; j++) pthread_join(threads[j], NULL);
}
/*
 * Entry point. Parses options, then runs in one of two modes:
 *   range scan   (-s and -e given): start_scanning() over the range, spoofed if -S;
 *   single probe (otherwise; -h required): one query to dns_server, then a hex dump.
 * Unless -S is given, a dns_listen_thread (not defined here, presumably dns.h)
 * is started first to record replies into listen_file.
 * Returns 0 on success, -1 on usage or setup errors.
 *
 * NOTE(review):
 *  - the -t value comes from atoi() unvalidated; 0 or a negative number
 *    reaches start_scanning(), which divides by it;
 *  - `case 'l'` has no break and falls into `default` (harmless today
 *    because default only breaks);
 *  - the default-host branch calls strcpy() before the NULL check that follows;
 *  - no inet_pton()/inet_addr() result is checked, and unsigned char* option
 *    strings are passed where const char* is expected;
 *  - on a sendto() error the single-probe path returns without close(sockfd);
 *  - the listener thread is never joined (returning from main ends it) and a
 *    malloc'd listen_file (-l) is never freed.
 */
int main(int argc, char *argv[]) {
    if(argc < 2) {
        printf("Error: Invalid argument length\n");
        printf("Options:\n\t-h DNS Server IP (single scan)\n\t-d Domain to resolve\n\t-S IP of server with DNS Listener (spoof scan)\n\t-s Start IP (DNS scan range)\n\t-e End IP (DNS scan range)\n\t-t Thread count (optional default = 1)\n\t-l Listener output file (Optional default = 'dns_outfile')(Not for spoof scanning)\n");
        printf("Usage:\n\t%s -h <DNS Server> - Test single server\n\t%s -h <DNS Server> -d <Domain> - Test single domain on single server\n\t%s -h <DNS Server> -d <Domain> -S <Server IP> - Test Single Domain on spoofed listener\n\t%s -s <Start IP> -e <End IP> (-S <Server IP>) - Scan range of IP's (Can also be spoofed)\n", argv[0], argv[0], argv[0], argv[0]);
        return -1;
    }
    int opt;
    int payloadSize = 0;
    int thread_count = 1;
    int socket_type = SOCK_DGRAM;         /* single-probe mode; switched to SOCK_RAW when -S is given */
    int socket_protocol = IPPROTO_UDP;
    char *dns_server = NULL, *listen_file = "dns_outfile";
    unsigned char *host = NULL,
        *req_ip = NULL,
        *start_ip = NULL,
        *end_ip = NULL,
        *buff = NULL;
    /* each string option is copied with malloc+strcpy; the copies are freed at the end, listen_file is not */
    while((opt = getopt(argc, argv,"h:S:s:e:d:t:l:")) > 0) {
        switch (opt)
        {
            case 'h': //specifies dns server (single-probe mode)
                printf("Host was specified: %s\n", optarg);
                dns_server = (char *) malloc(strlen(optarg) + 1);
                strcpy((char *) dns_server, optarg);
                break;
            case 'S': //spoofed source address; also disables the local listener below
                printf("Spoofing enabled. Responses will go to: %s\n", optarg);
                req_ip = (unsigned char *) malloc(strlen(optarg) + 1);
                strcpy((char *) req_ip, optarg);
                break;
            case 's':
                printf("Start IP: %s\n", optarg);
                start_ip = (unsigned char *) malloc(strlen(optarg) + 1);
                strcpy((char *) start_ip, optarg);
                break;
            case 'e':
                printf("End IP: %s\n", optarg);
                end_ip = (unsigned char *) malloc(strlen(optarg) + 1);
                strcpy((char *) end_ip, optarg);
                break;
            case 'd':
                printf("Domain name: %s\n", optarg);
                host = (unsigned char *) malloc(strlen(optarg) + 1);
                strcpy((char *) host, optarg);
                break;
            case 't': //atoi(): non-numeric input silently becomes 0, see NOTE above
                printf("Using %d Threads\n", atoi(optarg));
                thread_count = atoi(optarg);
                break;
            case 'l':
                listen_file = malloc(strlen(optarg) + 1);
                strcpy(listen_file, optarg);
                /* no break: falls through into default, which only breaks */
            default:
                break;
        }
    }
    srand(time(NULL));  /* seeds rand(), used by encapsulateUDP() for the source port */
    if(host == NULL) {
        printf("Using default domain\n");
        host = (unsigned char *) malloc(50);
        strcpy((char *) host, ".."); /* fallback query name; written before the NULL check below */
    }
    if(host == NULL) {
        perror("Couldn't allocate host");
        return -1;
    }
    if(req_ip == NULL) { //spoofing scanning was not selected: collect replies locally
        pthread_t listen_id;
        pthread_create(&listen_id, NULL, &dns_listen_thread, (void *) listen_file);
        sleep(2); //wait for thread to init (no handshake with the thread, just a delay)
    }
    if(start_ip && end_ip) {
        /* range mode: buff stays NULL here, the workers build their own packets */
        in_addr_t start, end;
        inet_pton(AF_INET, start_ip, &start);
        inet_pton(AF_INET, end_ip, &end); //NOTE(review): inet_pton() returns 1/0/-1 for ok/bad text/bad family; the earlier comment about -1 for 255.255.255.255 describes inet_addr()'s INADDR_NONE, not this call. Results are unchecked.
        start_scanning(thread_count, start, end, req_ip, host);
    }
    else {
        if(!dns_server) {
            perror("Invalid DNS server!");
            return -1;
        }
        //add the record (query name)
        buff = addRecord(buff, host, &payloadSize);
        //add the record details
        buff = addQuestion(buff, &payloadSize);
        //add extended DNS
        buff = addEDNS(buff, &payloadSize);
        //add DNS header around data
        buff = encapsulateDNS(buff, &payloadSize);
        struct sockaddr_in server_addr;
        memset(&server_addr, 0, sizeof(server_addr));
        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(53);
        inet_pton(AF_INET, dns_server, &server_addr.sin_addr); /* result unchecked */
        if(req_ip) {
            /* raw-socket mode: the kernel adds no headers, so build UDP and IPv4 here */
            socket_type = SOCK_RAW;
            socket_protocol = IPPROTO_RAW;
            //add UDP header
            buff = encapsulateUDP(buff, &payloadSize, 53); //port 53 default dns
            //add IP header with spoofed source IP; both addresses parsed with inet_addr(), unchecked
            buff = encapsulateIP(buff, &payloadSize, inet_addr((const char *) req_ip), inet_addr((const char *) dns_server));
            server_addr.sin_port = htons(0);
        }
        int sockfd = socket(AF_INET, socket_type, socket_protocol);
        if(sockfd < 0) {
            perror("Coudn't create socket");
            return -1;
        }
        int sent = sendto(sockfd, (char *) buff, payloadSize, 0, (struct sockaddr *) &server_addr, sizeof(server_addr));
        printf("Sending: %d bytes\n", sent);  /* printed before the error check, so -1 can be shown */
        if(sent < 0) {
            printf("Error sending packet!\n");
            return -1;  /* sockfd is not closed on this path */
        }
        /* hex dump of the packet that was just sent, 8 bytes per line */
        for(int i = 0; i < payloadSize; i++) {
            if(i%8 == 0) printf("\n");
            printf("%02X ", buff[i]);
        }
        printf("\n");
        close(sockfd);
    }
    sleep(2); //let the last couple of responses roll in (listener thread is never joined)
    /* free(NULL) is a no-op, so the guards below are redundant but harmless */
    if(host) free(host);
    if(dns_server) free(dns_server);
    if(req_ip) free(req_ip);
    if(buff) free(buff);
    if(start_ip) free(start_ip);
    if(end_ip) free(end_ip);
    return 0;
}