R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/DDOS Scripts/AMP YUBINA SCRIPTS/dns_amp_scanner_source.c
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/types.h>
#include <math.h>
#include <stropts.h>
#include <ctype.h>
#include <errno.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
/*
 * Fixed 12-byte DNS message header (RFC 1035, section 4.1.1). flood() and
 * recievethread() overlay this struct directly on packet buffers.
 *
 * The two flag bytes are declared as bit-fields in the order rd..qr and
 * rcode..ra. That matches the wire format only when the compiler allocates
 * bit-fields starting at the least significant bit, as GCC does on
 * little-endian targets -- NOTE(review): not portable, confirm for the build
 * target. The 16-bit members are in network byte order on the wire; the code
 * on this page fills them in through htons().
 */
struct DNS_HEADER
{
    unsigned short id; // identification number

    unsigned char rd :1; // recursion desired
    unsigned char tc :1; // truncated message
    unsigned char aa :1; // authoritative answer
    unsigned char opcode :4; // purpose of message
    unsigned char qr :1; // query/response flag

    unsigned char rcode :4; // response code
    unsigned char cd :1; // checking disabled
    unsigned char ad :1; // authenticated data
    unsigned char z :1; // reserved (Z)
    unsigned char ra :1; // recursion available; the bit recievethread() tests

    unsigned short q_count; // number of question entries
    unsigned short ans_count; // number of answer entries
    unsigned short auth_count; // number of authority entries
    unsigned short add_count; // number of additional-section entries
};
/*
 * Fixed tail of a DNS question entry: the two 16-bit fields that follow the
 * encoded name. flood() writes both through htons().
 */
struct QUESTION
{
    unsigned short qtype;  // query type; flood() sets 255
    unsigned short qclass; // query class; flood() sets 1
};
/*
 * Fixed-size fields of a resource record that follow the owner name.
 * pack(1) sets member alignment to one byte so no padding is inserted
 * between the members. Referenced only by struct RES_RECORD; no function
 * visible on this page uses it.
 */
#pragma pack(push, 1)
struct R_DATA
{
    unsigned short type;     // record type
    unsigned short _class;   // record class
    unsigned int ttl;        // time to live
    unsigned short data_len; // length of the record data that follows
};
#pragma pack(pop)
/*
 * Pointers to the three parts of a resource record (owner name, fixed
 * fields, record data). Not used by any function visible on this page.
 */
struct RES_RECORD
{
    unsigned char *name;
    struct R_DATA *resource;
    unsigned char *rdata;
};
/*
 * Pointers to a question's encoded name and its fixed fields. Not used by
 * any function visible on this page.
 */
typedef struct
{
    unsigned char *name;
    struct QUESTION *ques;
} QUERY;
/*
 * State shared between main(), the sender threads (flood) and the listener
 * (recievethread). volatile only keeps the compiler from caching the values;
 * it does not make the ++ / -- / += updates atomic, and no lock or atomic
 * type is used on this page, so the figures main() prints can be off when
 * several threads update a counter at the same time.
 */
volatile int running_threads = 0;      // ++ on flood() entry, -- on exit; main() loops while > 0
volatile int found_srvs = 0;           // replies with the RA bit set, counted by recievethread()
volatile unsigned long per_thread = 0; // addresses assigned to each sender thread
volatile unsigned long start = 0;      // first address of the range, as returned by inet_addr()
volatile unsigned long scanned = 0;    // datagrams sent since main() last reset it
volatile int sleep_between = 0;        // argv[5]; flood() passes sleep_between*1000 to usleep() after each send
volatile int bytes_sent = 0;           // grows by a constant 24 per send, not by sizeofpayload; reset by main()
volatile unsigned long hosts_done = 0; // datagrams sent in total; feeds the percentage in main()
FILE *fd;                              // output file, opened in append mode by main(), written by recievethread()
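/*
 * Encode a dotted host name as a sequence of DNS labels (RFC 1035, 3.1).
 *
 * Each label is written to `dns` as one length byte followed by the label
 * bytes, and the encoding ends with a zero byte, e.g.
 * "www.example.com" -> 3 'w' 'w' 'w' 7 'e' ... 3 'c' 'o' 'm' 0.
 *
 * dns:  output buffer. Nothing here bounds the writes; the caller must
 *       provide at least strlen(host) + 2 bytes (length measured before the
 *       call).
 * host: writable, NUL-terminated name. A '.' is appended in place, so the
 *       buffer needs one spare byte and is left modified on return.
 *
 * Label lengths are not validated: a label longer than 63 bytes produces a
 * length byte that is not a valid DNS label length.
 */
void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host)
{
    size_t label_start = 0;
    size_t len;
    size_t i;

    /* A trailing dot lets the last label end on a separator like the others. */
    strcat((char *)host, ".");

    /* Measure once; the length does not change while the loop runs. */
    len = strlen((char *)host);

    for (i = 0; i < len; i++) {
        if (host[i] != '.') {
            continue;
        }
        *dns++ = (unsigned char)(i - label_start);
        while (label_start < i) {
            *dns++ = host[label_start++];
        }
        label_start++; /* step over the dot itself */
    }
    *dns++ = '\0';
}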
/*
 * Sender thread. Builds one DNS query in a stack buffer and sends that same
 * datagram to UDP port 53 of every address in this thread's slice of the
 * range. Replies are not read here; recievethread() picks them up on a
 * separate raw socket.
 *
 * par1: the thread index, passed by value inside the pointer by main().
 *
 * What the query looks like on the wire, from the assignments below:
 * recursion desired set, one question for the root name (host is ".") with
 * QTYPE 255 (ANY) and QCLASS 1 (IN), and an additional count of 1 followed
 * by bytes shaped like an EDNS0 OPT record (type 0x29) whose class field,
 * which OPT uses for the requester's UDP payload size, is 0xFFFF.
 *
 * Defender's view: at a resolver or network sensor this shows up as one
 * source sending identical small ANY queries for "." with RD=1 to
 * consecutive destination addresses, all carrying the same transaction ID
 * per sending thread (the ID is chosen once, before the loop). A resolver
 * that refuses recursion for clients outside its own networks typically
 * answers such a query with a short REFUSED or not at all; where recursion
 * must stay reachable, response rate limiting and RFC 8482 minimal ANY
 * answers keep the reply small.
 */
void *flood(void *par1)
{
    running_threads++; // plain increment on a shared counter, not atomic
    int thread_id = (int)par1; // thread index smuggled through the pointer argument
    // Slice bounds: computed in host byte order, then stored back in network order.
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
    unsigned long w;
    int y; // unused
    // Allocation is neither checked nor freed in this function.
    unsigned char *host = (unsigned char *)malloc(50);
    strcpy((char *)host, ".");
    unsigned char buf[65536],*qname; // buf is not cleared before use
    struct DNS_HEADER *dns = NULL;
    struct QUESTION *qinfo = NULL;
    dns = (struct DNS_HEADER *)&buf;

    // Header: standard query (qr=0, opcode=0) with recursion desired.
    dns->id = (unsigned short) htons(rand()); // set once; no srand() call appears on this page
    dns->qr = 0;
    dns->opcode = 0;
    dns->aa = 0;
    dns->tc = 0;
    dns->rd = 1;
    dns->ra = 0;
    dns->z = 0;
    dns->ad = 0;
    dns->cd = 0;
    dns->rcode = 0;
    dns->q_count = htons(1);
    dns->ans_count = 0;
    dns->auth_count = 0;
    dns->add_count = htons(1);
    qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];

    ChangetoDnsNameFormat(qname , host);
    // strlen(qname) is 0 for the root name, so the question fields start one
    // byte after the header.
    qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)];

    qinfo->qtype = htons( 255 );
    qinfo->qclass = htons(1);

    // Arithmetic on void * is a GNU extension. The +1 leaves one byte between
    // the question and the bytes written below; that byte is not assigned in
    // this function.
    void *edns = (void *)qinfo + sizeof(struct QUESTION)+1;
    memset(edns, 0x00, 1);
    memset(edns+1, 0x29, 1);
    memset(edns+2, 0xFF, 2);
    memset(edns+4, 0x00, 7);

    // Header + name + question + 11 bytes counted from the end of the question.
    int sizeofpayload = sizeof(struct DNS_HEADER) + (strlen((const char *)qname)+1) + sizeof(struct QUESTION) + 11;
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1);
    }
    // NOTE(review): end already holds a network-order value and htonl() is
    // applied to it again; on a little-endian host htonl and ntohl are the
    // same byte swap, so the bound comes out in host order there.
    for(w=ntohl(start_ip);w<htonl(end);w++)
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(53);
        // Return value is ignored, so failed sends are still counted below.
        sendto(sock,(char *)buf,sizeofpayload,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
        bytes_sent+=24; // constant, not sizeofpayload
        scanned++;
        hosts_done++;
        usleep(sleep_between*1000);
    }
    close(sock);
    running_threads--;
    // No value is returned although the function is declared void *; nothing
    // on this page joins the thread or reads its result.
    return;
}
/*
 * SIGINT handler installed by main(): closes the output file, ends the
 * status line with a newline and exits with status 0.
 *
 * NOTE(review): fclose(), stdio output and exit() are not async-signal-safe,
 * and other threads may be inside stdio on the same streams when the signal
 * arrives.
 */
void sighandler(int sig)
{
    (void)sig; /* the signal number is not used */

    fclose(fd);
    fputs("\n", stdout);
    exit(0);
}
/*
 * Listener thread. Opens a raw IPv4 socket for protocol UDP and reads every
 * datagram delivered to it, IP header included. For each datagram whose UDP
 * source port is 53 and whose DNS header has the RA (recursion available)
 * bit set, it appends one line "<source address> . <DNS payload length>" to
 * the output file and flushes it.
 *
 * The only filters are protocol, source port and the RA bit: replies are
 * not matched against the transaction ID or the addresses flood() sent to,
 * so any DNS response with RA set that reaches this host is logged.
 *
 * Defender's view: on Linux, opening a raw socket needs CAP_NET_RAW
 * (normally root), so a process holding a raw UDP socket while appending
 * "<ip> . <n>" lines to a file is a host-side artefact of this tool. The
 * number logged is the size of the reply; a resolver that refuses recursion
 * for outside clients does not return the large answer that number is meant
 * to capture.
 *
 * NOTE(review): the signature does not match the void *(*)(void *) start
 * routine that pthread_create() expects.
 */
void recievethread()
{
    printf("Started Listening Thread\n");
    int saddr_size, data_size, sock_raw; // recvfrom() takes a socklen_t * for the address length
    struct sockaddr_in saddr;
    struct in_addr in; // unused

    unsigned char *buffer = (unsigned char *)malloc(65536); // not checked, never freed
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
    if(sock_raw < 0)
    {
        printf("Socket Error\n");
        exit(1);
    }
    while(1)
    {
        saddr_size = sizeof saddr;
        data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
        if(data_size <0 )
        {
            printf("Recvfrom error , failed to get packets\n");
            exit(1);
        }
        // NOTE(review): nothing below checks that data_size covers the IP,
        // UDP and DNS headers before their fields are read, so a short
        // datagram is parsed against whatever the buffer held before.
        struct iphdr *iph = (struct iphdr*)buffer;
        if(iph->protocol == 17) // 17 = UDP
        {
            unsigned short iphdrlen = iph->ihl*4; // IHL is in 32-bit words
            struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
            unsigned char* payload = buffer + iphdrlen + 8; // 8 = UDP header size
            if(ntohs(udph->source) == 53)
            {
                // Can be negative for a datagram shorter than the headers.
                int body_length = data_size - iphdrlen - 8;
                struct DNS_HEADER *dns = (struct DNS_HEADER*) payload;
                if(dns->ra == 1)
                {
                    found_srvs++;
                    fprintf(fd,"%s . %d\n",inet_ntoa(saddr.sin_addr),body_length);
                    fflush(fd);
                }
            }
        }

    }
    // Not reached: the loop above has no exit path other than exit().
    close(sock_raw);

}
/*
 * Entry point. Arguments, per the usage string: argv[1] and argv[2] are the
 * first octets of the start and end of the range (expanded to X.0.0.0 and
 * Y.255.255.255), argv[3] is the output file (opened in append mode),
 * argv[4] the number of sender threads and argv[5] the per-send delay in
 * milliseconds.
 *
 * Starts the listener thread, then the sender threads, and prints a status
 * line once a second until running_threads drops to 0.
 *
 * Returns 0 on normal completion; exits with -1 when fewer than five
 * arguments are given.
 */
int main(int argc, char *argv[ ])
{

    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Usage: %s <class a start> <class a end> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    fd = fopen(argv[3], "a"); // result is not checked; a NULL fd is later passed to fprintf()/fclose()
    sleep_between = atoi(argv[5]); // atoi() reports no errors; non-numeric input becomes 0

    signal(SIGINT, &sighandler);

    int threads = atoi(argv[4]); // NOTE(review): 0 here leads to a division by zero below
    pthread_t thread;

    pthread_t listenthread;
    // recievethread is declared void recievethread(), not void *(*)(void *).
    pthread_create( &listenthread, NULL, &recievethread, NULL);

    // NOTE(review): both 18-byte buffers receive an argv string with no
    // length check before the fixed suffix is appended.
    char *str_start = malloc(18);
    memset(str_start, 0, 18);
    str_start = strcat(str_start,argv[1]);
    str_start = strcat(str_start,".0.0.0");
    char *str_end = malloc(18);
    memset(str_end, 0, 18);
    str_end = strcat(str_end,argv[2]);
    str_end = strcat(str_end,".255.255.255");
    start = inet_addr(str_start); // network byte order
    per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
    unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));
    int i;
    for(i = 0;i<threads;i++){
        // One pthread_t is reused for every thread; none of them is joined.
        pthread_create( &thread, NULL, &flood, (void *) i);
    }
    // Gives the sender threads time to bump running_threads before the loop
    // below tests it.
    sleep(1);
    printf("Starting Scan...\n");
    // Column headings, each padded to 16 characters except the last.
    char *temp = (char *)malloc(17);
    memset(temp, 0, 17);
    sprintf(temp, "Found");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Host/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "B/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Running Thrds");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Done");
    printf("%s", temp);
    printf("\n");

    char *new;
    new = (char *)malloc(16*6);
    while (running_threads > 0)
    {
        printf("\r"); // redraw the status line in place
        memset(new, '\0', 16*6);
        // NOTE(review): each sprintf() below passes `new` as both destination
        // and "%s" source; copying between overlapping objects is undefined
        // for sprintf(). The conversions also do not match the argument
        // types (%lu with the int found_srvs, %d with the unsigned long
        // scanned).
        sprintf(new, "%s|%-15lu", new, found_srvs);
        sprintf(new, "%s|%-15d", new, scanned);
        sprintf(new, "%s|%-15d", new, bytes_sent);
        sprintf(new, "%s|%-15d", new, running_threads);
        memset(temp, 0, 17);
        int percent_done=((double)(hosts_done)/(double)(toscan))*100;
        sprintf(temp, "%d%%", percent_done);
        sprintf(new, "%s|%s", new, temp);
        printf("%s", new);
        fflush(stdout);
        // Per-second counters: reset after each status line.
        bytes_sent=0;
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    fclose(fd);
    return 0;
}