KhaosBringer

DNS Amp Scanner Source

Apr 13th, 2015
  1. #include <pthread.h>
  2. #include <unistd.h>
  3. #include <stdio.h>
  4. #include <stdlib.h>
  5. #include <string.h>
  6. #include <sys/socket.h>
  7. #include <netinet/in.h>
  8. #include <signal.h>
  9. #include <sys/time.h>
  10. #include <sys/types.h>
  11. #include <math.h>
  12. #include <stropts.h>
  13. #include <ctype.h>
  14. #include <errno.h>
  15. #include <arpa/inet.h>
  16. #include <netinet/ip.h>
  17. #include <netinet/udp.h>
  18.  
/*
 * DNS message header (RFC 1035 section 4.1.1) as this code lays it out in memory.
 * The flag bits are C bit-fields split over two bytes; the order in which a
 * compiler packs bit-fields within a byte is implementation-defined, so this
 * layout only matches the wire format on toolchains that allocate bit-fields
 * LSB-first (rd as bit 0 of the first flag byte) -- confirm for the target
 * toolchain before relying on it.
 * The 16-bit fields are written in network byte order by flood() (htons).
 */
struct DNS_HEADER
{
    unsigned short id; // identification number (network byte order)

    unsigned char rd :1; // recursion desired
    unsigned char tc :1; // truncated message
    unsigned char aa :1; // authoritative answer
    unsigned char opcode :4; // purpose of message
    unsigned char qr :1; // query/response flag

    unsigned char rcode :4; // response code
    unsigned char cd :1; // checking disabled
    unsigned char ad :1; // authenticated data
    unsigned char z :1; // its z! reserved
    unsigned char ra :1; // recursion available (the bit recievethread() keys off)

    unsigned short q_count; // number of question entries
    unsigned short ans_count; // number of answer entries
    unsigned short auth_count; // number of authority entries
    unsigned short add_count; // number of resource entries
};
  40.  
/*
 * Fixed-size tail of a question entry, placed directly after the encoded
 * QNAME. Both fields are written in network byte order by flood() (htons).
 * No packing pragma: two shorts need no padding on common ABIs.
 */
struct QUESTION
{
    unsigned short qtype;
    unsigned short qclass;
};
  46.  
/*
 * Fixed-size part of a resource record (type, class, TTL, RDLENGTH), packed
 * so sizeof equals the 10 bytes used on the wire rather than a padded 12.
 * Not referenced by any function on this page.
 */
#pragma pack(push, 1)
struct R_DATA
{
    unsigned short type;
    unsigned short _class;
    unsigned int ttl;
    unsigned short data_len;
};
#pragma pack(pop)
  56.  
/*
 * Parsed resource record: pointers into a received message (name, fixed
 * part, RDATA). Not referenced by any function on this page.
 */
struct RES_RECORD
{
    unsigned char *name;
    struct R_DATA *resource;
    unsigned char *rdata;
};
  63.  
/*
 * Parsed question: pointer to the encoded name and to its QUESTION tail.
 * Not referenced by any function on this page.
 */
typedef struct
{
    unsigned char *name;
    struct QUESTION *ques;
} QUERY;
  69.  
/*
 * State shared between the flood() workers, recievethread() and main().
 * NOTE(review): these are plain `volatile` ints/longs updated from several
 * threads with ++/+=; volatile does not make that atomic, so the counters
 * are subject to lost updates. They drive only the progress display and the
 * running_threads loop condition in main().
 */
volatile int running_threads = 0;       // live flood() threads; main() loops while > 0
volatile int found_srvs = 0;            // responders seen with RA set, counted by recievethread()
volatile unsigned long per_thread = 0;  // number of addresses each flood() thread covers
volatile unsigned long start = 0;       // first address of the range, network byte order (inet_addr)
volatile unsigned long scanned = 0;     // probes sent since the last progress line; main() resets it each second
volatile int sleep_between = 0;         // delay between probes in milliseconds (argv[5])
volatile int bytes_sent = 0;            // byte counter for the progress line; main() resets it each second
volatile unsigned long hosts_done = 0;  // total probes sent, used for the percent-done figure
FILE *fd;                               // output file (argv[3], append mode); written by the listener thread
  79.  
/*
 * Convert a dotted host name into DNS label format (each label prefixed by
 * its length, the sequence terminated by a zero byte), writing into `dns`.
 *
 * `host` is modified: a trailing "." is appended with strcat, so the caller
 * must supply a buffer with at least one spare byte. Neither buffer length
 * is checked; `dns` needs room for strlen(host) + 2 bytes. An empty label
 * (two consecutive dots, or a host that already ends in ".") is emitted as
 * a single 0 length byte.
 */
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)
{
    int lock = 0 , i;
    strcat((char*)host,".");

    for(i = 0 ; i < strlen((char*)host) ; i++)
    {
        if(host[i]=='.')
        {
            *dns++ = i-lock;             // length of the label that ends here
            for(;lock<i;lock++)
            {
                *dns++=host[lock];       // copy the label bytes
            }
            lock++;                      // skip the dot itself
        }
    }
    *dns++='\0';                         // terminating zero-length label
}
  99.  
/*
 * Worker thread: sends one DNS probe to every IPv4 address in this thread's
 * slice of the range, then returns. `par1` carries the thread index (main()
 * passes `(void *) i`); the slice is
 *   [ntohl(start) + per_thread*id, ntohl(start) + per_thread*(id+1))
 * in host byte order.
 *
 * The probe as built below -- the traffic pattern a defender would observe
 * from this tool -- is a UDP datagram to port 53 carrying one recursive
 * query (QR=0, RD=1) of type 255 (ANY) for the root name, with ARCOUNT=1 and
 * an 11-byte trailer shaped like an EDNS OPT pseudo-record (type 0x29)
 * advertising a 0xFFFF UDP payload size. Replies are not read here;
 * recievethread() picks them up on a raw socket and keys off the RA flag.
 */
void *flood(void *par1)
{
    running_threads++;                   // main() spins until this drops back to 0
    int thread_id = (int)par1;           // int-to-pointer round trip of the index
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));     // slice start, network order
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));      // slice end (exclusive), network order
    unsigned long w;
    int y;                               // unused
    unsigned char *host = (unsigned char *)malloc(50);   // name to encode; never freed
    strcpy((char *)host, ".");           // "." encodes to a lone 0 byte, i.e. the root name
    unsigned char buf[65536],*qname;     // the message is assembled at the front of buf
    struct DNS_HEADER *dns = NULL;
    struct QUESTION *qinfo = NULL;
    dns = (struct DNS_HEADER *)&buf;

    dns->id = (unsigned short) htons(rand());   // no srand() on this page: the id sequence repeats run to run
    dns->qr = 0;                         // query
    dns->opcode = 0;                     // standard query
    dns->aa = 0;
    dns->tc = 0;
    dns->rd = 1;                         // recursion desired
    dns->ra = 0;
    dns->z = 0;
    dns->ad = 0;
    dns->cd = 0;
    dns->rcode = 0;
    dns->q_count = htons(1);             // one question
    dns->ans_count = 0;
    dns->auth_count = 0;
    dns->add_count = htons(1);           // one additional record: the trailer below
    qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];

    ChangetoDnsNameFormat(qname , host); // appends "." to host and encodes; with "." only zero bytes are written
    qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)];   // strlen(qname) is 0 for the root

    qinfo->qtype = htons( 255 );         // QTYPE 255 = ANY
    qinfo->qclass = htons(1);            // class IN

    // 11-byte trailer after the question. Note the +1: sizeofpayload counts
    // the trailer from the byte right after qinfo, but writing starts one
    // byte later, so that first byte is never written by this function and
    // the last memset byte lands just past the counted payload.
    void *edns = (void *)qinfo + sizeof(struct QUESTION)+1;
    memset(edns, 0x00, 1);               // 0x00
    memset(edns+1, 0x29, 1);             // 0x29 (41 = OPT)
    memset(edns+2, 0xFF, 2);             // 0xFF 0xFF
    memset(edns+4, 0x00, 7);             // remaining bytes zero

    int sizeofpayload = sizeof(struct DNS_HEADER) + (strlen((const char *)qname)+1) + sizeof(struct QUESTION) + 11;
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1);                        // terminates the whole process, not just this thread
    }
    for(w=ntohl(start_ip);w<htonl(end);w++)   // walk the slice in host order
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(53);
        sendto(sock,(char *)buf,sizeofpayload,0, (struct sockaddr *)&servaddr,sizeof(servaddr));   // return value ignored
        bytes_sent+=24;                  // fixed increment, not sizeofpayload
        scanned++;
        hosts_done++;
        usleep(sleep_between*1000);      // sleep_between is in milliseconds
    }
    close(sock);
    running_threads--;
    return;
}
  167.  
/*
 * SIGINT handler installed by main(): close the output file, print a
 * newline and exit. `sig` is unused.
 * NOTE(review): fclose(), printf() and exit() are not async-signal-safe;
 * if the signal arrives while the listener thread is inside a stdio call
 * on fd, this can deadlock or corrupt the stream.
 */
void sighandler(int sig)
{
    fclose(fd);
    printf("\n");
    exit(0);
}
  174.  
/*
 * Listener thread (started by main() before the workers). Opens a raw IPv4
 * socket for protocol UDP and, for every datagram the host receives whose
 * UDP source port is 53, treats the UDP payload as a DNS header; if the RA
 * (recursion available) bit is set it appends "<source ip> . <payload length>"
 * to `fd` and bumps found_srvs. Because the socket is raw, every UDP/53
 * datagram arriving at this host is inspected, not only replies to probes
 * sent by flood().
 *
 * SOCK_RAW needs privilege (root or CAP_NET_RAW on Linux).
 * NOTE(review): the IP, UDP and DNS headers are dereferenced without checking
 * that data_size covers iphdrlen + 8 + sizeof(struct DNS_HEADER); on a short
 * datagram the fields are read from whatever the buffer held before, and
 * body_length can go negative. The while(1) has no exit, so the close()
 * after it is unreachable; the thread ends only when the process exits.
 */
void recievethread()
{
    printf("Started Listening Thread\n");
    int saddr_size, data_size, sock_raw;
    struct sockaddr_in saddr;
    struct in_addr in;                   // unused

    unsigned char *buffer = (unsigned char *)malloc(65536);   // receive buffer; never freed
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
    if(sock_raw < 0)
    {
        printf("Socket Error\n");
        exit(1);                         // e.g. when running without the required privilege
    }
    while(1)
    {
        saddr_size = sizeof saddr;
        data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);   // raw socket: buffer starts at the IP header
        if(data_size <0 )
        {
            printf("Recvfrom error , failed to get packets\n");
            exit(1);
        }
        struct iphdr *iph = (struct iphdr*)buffer;
        if(iph->protocol == 17)          // 17 = IPPROTO_UDP
        {
            unsigned short iphdrlen = iph->ihl*4;            // IHL counts 32-bit words
            struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
            unsigned char* payload = buffer + iphdrlen + 8;  // 8 = UDP header length
            if(ntohs(udph->source) == 53)
            {
                int body_length = data_size - iphdrlen - 8;  // DNS message length
                struct DNS_HEADER *dns = (struct DNS_HEADER*) payload;
                if(dns->ra == 1)         // responder offers recursion
                {
                    found_srvs++;
                    fprintf(fd,"%s . %d\n",inet_ntoa(saddr.sin_addr),body_length);   // fd is opened in main() without a NULL check
                    fflush(fd);
                }
            }
        }

    }
    close(sock_raw);

}
  221.  
/*
 * Entry point.
 *   argv[1]  first /8 to scan  -> range start "<argv[1]>.0.0.0"
 *   argv[2]  last /8 to scan   -> range end   "<argv[2]>.255.255.255"
 *   argv[3]  output file, opened in append mode, written by recievethread()
 *   argv[4]  number of flood() worker threads
 *   argv[5]  delay between probes, in milliseconds
 * Starts the listener thread, splits the address range evenly over the
 * workers, then prints a progress line once a second until running_threads
 * returns to 0. Workers are never joined; running_threads is the only
 * completion signal.
 *
 * NOTE(review): argv values are used unvalidated: atoi() reports nothing on
 * bad input (threads == 0 makes the per_thread division divide by zero), the
 * 18-byte str_start/str_end buffers are filled with strcat() without checking
 * argv[1]/argv[2] lengths, and the fopen() result is never tested before the
 * listener writes through it.
 */
int main(int argc, char *argv[ ])
{

    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Usage: %s <class a start> <class a end> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    fd = fopen(argv[3], "a");            // result not checked
    sleep_between = atoi(argv[5]);       // milliseconds; consumed by flood()

    signal(SIGINT, &sighandler);

    int threads = atoi(argv[4]);
    pthread_t thread;                    // reused for every worker; handles are not kept

    pthread_t listenthread;
    pthread_create( &listenthread, NULL, &recievethread, NULL);   // listener is up before any probe is sent

    char *str_start = malloc(18);
    memset(str_start, 0, 18);
    str_start = strcat(str_start,argv[1]);
    str_start = strcat(str_start,".0.0.0");
    char *str_end = malloc(18);
    memset(str_end, 0, 18);
    str_end = strcat(str_end,argv[2]);
    str_end = strcat(str_end,".255.255.255");
    start = inet_addr(str_start);        // network byte order; inet_addr returns INADDR_NONE on a malformed string, also unchecked
    per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;   // addresses per worker; integer division drops the remainder
    unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));   // denominator for the percent-done figure
    int i;
    for(i = 0;i<threads;i++){
        pthread_create( &thread, NULL, &flood, (void *) i);   // index passed through the pointer argument
    }
    sleep(1);                            // presumably lets workers bump running_threads before the loop below tests it
    printf("Starting Scan...\n");
    char *temp = (char *)malloc(17);     // scratch for one 16-char column
    memset(temp, 0, 17);
    sprintf(temp, "Found");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Host/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "B/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Running Thrds");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Done");
    printf("%s", temp);
    printf("\n");

    char *new;
    new = (char *)malloc(16*6);          // progress line: five 16-char columns plus the percent
    while (running_threads > 0)
    {
        printf("\r");                    // redraw the same terminal line
        memset(new, '\0', 16*6);
        // NOTE(review): each sprintf below reads `new` through %s while also
        // writing into `new`; overlapping source and destination is undefined
        // behaviour in C. The conversions also disagree with the argument types
        // (%lu for the int found_srvs, %d for the unsigned long scanned).
        sprintf(new, "%s|%-15lu", new, found_srvs);
        sprintf(new, "%s|%-15d", new, scanned);
        sprintf(new, "%s|%-15d", new, bytes_sent);
        sprintf(new, "%s|%-15d", new, running_threads);
        memset(temp, 0, 17);
        int percent_done=((double)(hosts_done)/(double)(toscan))*100;   // truncated to a whole percent
        sprintf(temp, "%d%%", percent_done);
        sprintf(new, "%s|%s", new, temp);
        printf("%s", new);
        fflush(stdout);
        bytes_sent=0;                    // per-second figures: reset after each print
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    fclose(fd);
    return 0;
}