crypt0s / fakedns
A regular-expression based python MITM DNS server with support for DNS Rebinding attacks
License: MIT License
Is it possible to have a Docker container and a manual for dummies on how to configure the DNS?
If there's enough interest I will make a script for this or a docker image which will be pushed to the docker community hub.
Thank you very much!
It seems to me, given my limited experience with this tool and combing through the source, that the configuration of both the "round robin" and "dns rebind" behavior is "global". By that I mean that any client will trigger the DNS server to respond with its next response IP address, rather than having programmed DNS responses maintained separately for separate clients. E.g., if my dns.conf looks like this:
A some.website 192.168.200,192.168.1.1
And I make one DNS request from client A, with IP 170.30.28.50, I will receive a response of 192.168.200. If client B, with IP 180.33.250.79 then makes a request it would receive a response of 192.168.1.1.
If, however, I want to do a DNS rebind/round robin attack against multiple client IP addresses at once, it would be useful to "save program state" for each client. For instance, if I delivered a payload that sent one request to my server to GET the payload contents of an HTML file that contained JavaScript that made a second request (using the same domain name, but expecting it to resolve to an IP on the victim's local network), I would want to be able to deliver that payload to two separate clients/victims at the same time without worrying that their activity would interfere with each other. Does that make sense?
Essentially, I'd like the round robin and dns rebind functionality to be local to requesting IPs. If IP A requests once, I'd like it to return 192.168.200, and if IP B requests immediately after, I'd like it to also receive 192.168.200. The next time both of them make a DNS lookup it should resolve to 192.168.1.1 to both of them. Am I correct in assuming this is not how the tool currently works?
The reason I bring this up is that I would be happy to add this functionality, but wanted to first propose it here and discuss it. This is something that would be very useful to me in my research as it allows the tool to be used in a "production" scenario, where many different clients can be attacked at once without stepping on each other's toes so to speak.
Great tool!
It would be useful to be able to add an option to return a 'no such domain' (NXDOMAIN) response type for a regex, so that host lookups can succeed for some names and fail for others.
Thanks
Can we get some more verbosity on this? Thanks.
C:\Tools\FakeDNS>fakedns.py --dns 8.8.8.8 -c C:\Tools\FakeDNS\dns.conf -i 192.168.0.228
>> Parsed 15 rules from C:\Tools\FakeDNS\dns.conf
>> Error was handled by sending NONEFOUND
>> Error was handled by sending NONEFOUND
timed out
timed out
>> Built NONEFOUND response
>> Built NONEFOUND response
>> Error was handled by sending NONEFOUND
should encode return record with 'latin', e.g. '220'.encode() will get '\xc3\x9c'
class A(DNSResponse):
    def __init__(self, query, record):
        super(A, self).__init__(query)
        self.type = b"\x00\x01"
        self.length = b"\x00\x04"
        self.data = self.get_ip(record).encode('latin')  # <---- encode with 'latin'
It would be awesome if FakeDns allowed you to configure multiple A records for the same domain name (for load balancing).
I tried putting multiple IPs in the conf file, but it always just uses the first one instead of cycling through them.
Thanks
Allow users to utilize DNS as a data exfiltration tool using various record formats and tun/tap to create virtual tunnel interfaces on the server.
In certain situations (only tested on windows) the server can become bogged down with requests and not respond to the client before the client closes its UDP response port. On windows this causes a strange-looking error to bomb out.
Fix may be to streamline the threading in the fakedns service.
I'm trying to set up FakeDns to use with LANcache, and whenever I try to add "*.cs.steampowered.com" as a rule, it throws this:
>> Parse rules...
>> cs.steampowered.com -> 192.168.1.33
Traceback (most recent call last):
File "./fakedns.py", line 103, in <module>
rules = ruleEngine(path)
File "./fakedns.py", line 78, in __init__
self.re_list.append([re.compile(splitrule[0]),splitrule[1]])
File "/usr/lib/python2.7/re.py", line 190, in compile
return _compile(pattern, flags)
File "/usr/lib/python2.7/re.py", line 244, in _compile
raise error, v # invalid expression
sre_constants.error: nothing to repeat
Prepending with a hash (my horrible attempt at commenting out) seems to make it work fine.
I think the README file should mention that this program: requires python 2.7 and is not compatible with python 3.
In the class A, the method get_ip was returning an incorrect result for the IP "192.168.1.172". The conversion to hex is faulty.
Hi !
I want to know how it is possible to pass a CNAME in the FakeDNS config file and run FakeDNS in CNAME mode.
Thanks.
In using FakeDNS in production, I've found that other DNS servers will often times request records for test.website multiple times like so:
TeST.weBsiTE
tESt.WEbSIte
test.WEBSITE
TEST.website
TeSt.WeBsItE
In transferring my domain's DNS to my custom server running FakeDNS, I saw many such lookups being made, presumably by my domain name provider. All but test.website failed because the re.match() in fakedns.py doesn't ignore case. This RFC states that DNS records should be case insensitive.
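Both the "nothing to repeat" traceback reported above and this case-sensitivity report come from the same place: how the patterns in the rules file are compiled and matched. The following is an added example, not the project's own code, of a rule parser that compiles each pattern with re.IGNORECASE (DNS names are case-insensitive per RFC 4343) and reports an invalid pattern such as *.cs.steampowered.com with its line number instead of crashing; the sample rules are constructed, and matching with fullmatch rather than re.match is my own, stricter choice.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in FakeDNS-style "TYPE regex ip" form (not the project's file).
# Line 3 is the glob-style rule from the issue above and is not a valid regex;
# line 4 is the regex spelling of the same intent.
SAMPLE_RULES = """\
A test\\.website 10.0.0.5
A rebind\\.com 1.1.1.1,2.2.2.2
A *.cs.steampowered.com 192.168.1.33
A .*\\.cs\\.steampowered\\.com 192.168.1.33
"""

Rule = Tuple[str, "re.Pattern[str]", str]

def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Compile every rule case-insensitively; collect problems instead of raising."""
    rules: List[Rule] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 'TYPE regex ip', got {line!r}")
            continue
        rtype, pattern, ips = parts
        try:
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            # e.g. "nothing to repeat at position 0" for a leading "*"
            errors.append(f"line {lineno}: invalid regex {pattern!r}: {exc}")
            continue
        rules.append((rtype.upper(), compiled, ips))
    return rules, errors

def lookup(rules: List[Rule], rtype: str, qname: str) -> Optional[str]:
    """Return the ip field of the first rule whose pattern matches the whole name."""
    for rule_type, compiled, ips in rules:
        if rule_type == rtype.upper() and compiled.fullmatch(qname):
            return ips
    return None
```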
Hi! I am trying to run the python file over repl.it but I keep getting this error.
"ERROR: Could not start server, is another program on udp:53?"
just like what he wanted to do in the to-do list in this article
https://sinister.ly/Thread-DNS-Rebinding-Attack
I need to make a tunnel (using JavaScript) to gain more control!
Allow special DNS requests to indicate that FakeDNS should handle them with a rule system embedded within the request itself -- automatically mangling the request based on the request itself.
Line 9 in 842dc5d
Rules should allow the user to define an expire time for the initial rule, after which FakeDNS begins serving the second set of IP addresses.
guess this minimal patch would do
diff --git a/fakedns.py b/fakedns.py
index db720ef..e8c5a54 100755
--- a/fakedns.py
+++ b/fakedns.py
@@ -419,6 +419,9 @@ class RuleEngine2:
if rule_type.upper() == "AAAA":
tmp_ip_array = []
for ip in ips:
+ if ip.lower() == 'none':
+ tmp_ip_array.append(ip)
+ continue
if _is_shorthand_ip(ip):
ip = _explode_shorthand_ip_string(ip)
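Review bot: the 'none' sentinel is detected case-insensitively (`if ip.lower() == 'none':`) but appended as written (`tmp_ip_array.append(ip)`), so a rule spelled `None` or `NONE` reaches whatever later consumes tmp_ip_array in its original form; append the normalized literal `'none'` instead, so the downstream check does not have to repeat the lower() call. Since this hunk makes 'none' an accepted value in AAAA rules, the README should document it alongside the existing rule syntax.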
Currently line 5 in 2123879 reads "1.1.1.1 and 2.2.2.2". This should be a ",".
While experimenting locally with the python script, I found that issuing a request with nslookup for rebind.com returns 1.1.1.1 as expected. However, future requests of rebind.com return ";; Warning: Message parser reports malformed message packet." While watching the output of fakedns.py, I found that every request after the first generated this exception:
----------------------------------------
Exception happened during processing of request from ('10.244.0.8', 37657)
Traceback (most recent call last):
File "/usr/lib/python3.8/socketserver.py", line 650, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3.8/socketserver.py", line 720, in __init__
self.handle()
File "fakedns.py", line 35, in handle
respond(data, self.client_address, s)
File "fakedns.py", line 632, in respond
response = rules.match(p, addr[0])
File "fakedns.py", line 600, in match
response = CASE[query.type](query, response_data)
File "fakedns.py", line 220, in __init__
self.data = self.get_ip(record)
File "fakedns.py", line 226, in get_ip
return b''.join(int(x).to_bytes(1, 'little') for x in ip.split('.'))
File "fakedns.py", line 226, in <genexpr>
return b''.join(int(x).to_bytes(1, 'little') for x in ip.split('.'))
ValueError: invalid literal for int() with base 10: ''
----------------------------------------
After inserting a print(ip) immediately above the offending return statement, I found that 1.1.1.1 is printed while processing the first DNS request, but all future ones just print 2. After updating the conf file to use the correct syntax, the issue stopped happening. At first I thought this was a problem in the script, but it appears to be an issue with the example conf.