Home Explore Help
Sign In
emmanouil.vasilomano
/
PREPARE
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
PREPARE
/
zmap
/
src
/
probe_modules
/
module_dns_mx.c

module_dns_mx.c 13 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341 
  1. /*
    2. 

  2.   ZMap Copyright 2013 Regents of the University of Michigan
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
    5. 

  5.  * use this file except in compliance with the License. You may obtain a copy
    6. 

  6.  * of the License at http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7.  */
    8. 

  8. 

  9. // send module for performing massive UDP DNS OpenResolver scans
    10. 

  10. 

  11. #include <stdlib.h>
    12. 

  12. #include <stdio.h>
    13. 

  13. #include <stdint.h>
    14. 

  14. #include <unistd.h>
    15. 

  15. #include <string.h>
    16. 

  16. #include <string.h>
    17. 

  17. #include <assert.h>
    18. 

  18. #include <sys/types.h>
    19. 

  19. #include <sys/socket.h>
    20. 

  20. #include <netdb.h>
    21. 

  21. #include <netinet/in.h>
    22. 

  22. #include <arpa/inet.h>
    23. 

  23. 

  24. #include "../../lib/includes.h"
    25. 

  25. #include "../../lib/random.h"
    26. 

  26. #include "probe_modules.h"
    27. 

  27. #include "packet.h"
    28. 

  28. #include "logger.h"
    29. 

  29. #include "module_udp.h"
    30. 

  30. #include "module_dns_mx.h"
    31. 

  31. 

  32. #define MAX_UDP_PAYLOAD_LEN 1472
    33. 

  33. #define UNUSED __attribute__((unused))
    34. 

  34. #define DNS_HEAD_LEN 12
    35. 

  35. #define DNS_TAIL_LEN 4
    36. 

  36. 

  37. //static char *udp_send_msg = NULL;
    38. 

  38. //static int udp_send_msg_len = 0;
    39. 

  39. //static int udp_send_substitutions = 0;
    40. 

  40. 

  41. // std query recursive for www.google.com type A
    42. 

  42. // HEADER 12 bytes
    43. 

  43. // \random -> TransactionID
    44. 

  44. // \x01\x20 -> Flags: 0x Standard query (0100?)
    45. 

  45. // \x00\x01 -> Questions: 1
    46. 

  46. // \x00\x00 -> Answer RRs: 0
    47. 

  47. // \x00\x00 -> Authority RRs: 0
    48. 

  48. // \x00\x00 -> Additional RRs: 0
    49. 

  49. // DOMAIN NAME 16 bytes
    50. 

  50. // default will be replaced by passed in argument
    51. 

  51. // \x05\x67\x6d\x61\x69\x6c\x03\x63\x6f\x6d\x00
    52. 

  52. // TAILER 4 bytes
    53. 

  53. // \x00\x0f -> Type: MX (Mail Exchange)
    54. 

  54. // \x00\x01 -> Class: IN (0x0001)
    55. 

  55. 

  56. //default sends to gmail.com
    57. 

  57. //static const char dns_msg_default[] = {0xd2,0x8c,0x01,0x20,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x05,0x67,0x6d,0x61,0x69,0x6c,0x03,0x63,0x6f,0x6d,0x00,0x00,0x0f,0x00,0x01,0x00,0x00,0x29,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
    58. 

  58. 

  59. // ;; alt1
    60. 

  60. static const unsigned char dns_msg_default[] = {0xb9, 0x58, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x61, 0x6c, 0x74, 0x34, 0x0d, 0x67, 0x6d, 0x61, 0x69, 0x6c, 0x2d, 0x73, 0x6d, 0x74, 0x70, 0x2d, 0x69, 0x6e, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01};
    61. 

  61. 

  62. const char *dns_response_strings[] = {
    63. 

  63.     "DNS no error",
    64. 

  64.     "DNS format error",
    65. 

  65.     "DNS server failure",
    66. 

  66.     "DNS domain name error",
    67. 

  67.     "DNS query type not implemented",
    68. 

  68.     "DNS query refused",
    69. 

  69.     "DNS Reserved 6",
    70. 

  70.     "DNS Reserved 7",
    71. 

  71.     "DNS Reserved 8",
    72. 

  72.     "DNS Reserved 9",
    73. 

  73.     "DNS Reserved 10",
    74. 

  74.     "DNS Reserved 11",
    75. 

  75.     "DNS Resevered 12",
    76. 

  76.     "DNS Resevered 13",
    77. 

  77.     "DNS Resevered 14",
    78. 

  78.     "DNS Resevered 15"
    79. 

  79. };
    80. 

  80. 

  81. probe_module_t module_dns_mx;
    82. 

  82. static int num_ports;
    83. 

  83. 

  84. int dns_make_packet(void *buf, ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
    85. 

  85.         uint32_t *validation, int probe_num, __attribute__((unused)) void *arg) {
    86. 

  86. 

  87.     struct ether_header *eth_header = (struct ether_header *) buf;
    88. 

  88.     struct ip *ip_header = (struct ip*) (&eth_header[1]);
    89. 

  89.     struct udphdr *udp_header= (struct udphdr *) &ip_header[1];
    90. 

  90. 

  91.     ip_header->ip_src.s_addr = src_ip;
    92. 

  92.     ip_header->ip_dst.s_addr = dst_ip;
    93. 

  93.     udp_header->uh_sport = htons(get_src_port(num_ports, probe_num, validation));
    94. 

  94.     
    95. 

  95.     ip_header->ip_sum = 0;
    96. 

  96.     ip_header->ip_sum = zmap_ip_checksum((unsigned short *) ip_header);
    97. 

  97. 

  98.     fprintf(stderr, "make packet finished\n");
    99. 

  99.     return EXIT_SUCCESS;
    100. 

  100. }
    101. 

  101. 

  102. int dns_init_perthread(void* buf, macaddr_t *src,
    103. 

  103.         macaddr_t *gw, __attribute__((unused)) port_h_t dst_port,
    104. 

  104.         __attribute__((unused)) void **arg_ptr) {
    105. 

  105.     fprintf(stderr, "in init_perthread\n");
    106. 

  106.     memset(buf, 0, MAX_PACKET_SIZE);
    107. 

  107.     struct ether_header *eth_header = (struct ether_header *) buf;
    108. 

  108.     make_eth_header(eth_header, src, gw);
    109. 

  109.     struct ip *ip_header = (struct ip*)(&eth_header[1]);
    110. 

  110.     uint16_t len = htons(sizeof(struct ip) + sizeof(struct udphdr) + sizeof(dns_msg_default));
    111. 

  111.     make_ip_header(ip_header, IPPROTO_UDP, len);
    112. 

  112. 

  113.     struct udphdr *udp_header = (struct udphdr*)(&ip_header[1]);
    114. 

  114.     len = sizeof(struct udphdr) + sizeof(dns_msg_default);
    115. 

  115.     make_udp_header(udp_header, zconf.target_port, len);
    116. 

  116. 

  117.     char* payload = (char*)(&udp_header[1]);
    118. 

  118.     module_dns_mx.packet_length = sizeof(struct ether_header) + sizeof(struct ip)
    119. 

  119.                 + sizeof(struct udphdr) + sizeof(dns_msg_default);
    120. 

  120.     assert(module_dns_mx.packet_length <= MAX_PACKET_SIZE);
    121. 

  121.     
    122. 

  122.     memcpy(payload, dns_msg_default, sizeof(dns_msg_default));
    123. 

  123. 

  124.     uint32_t seed = aesrand_getword(zconf.aes);
    125. 

  125.     aesrand_t *aes = aesrand_init_from_seed(seed);
    126. 

  126.     *arg_ptr = aes;
    127. 

  127. 

  128.     return EXIT_SUCCESS;
    129. 

  129. }
    130. 

  130. 

  131. 

  132. void dns_print_packet(FILE *fp, void* packet) {
    133. 

  133.     struct ether_header *ethh = (struct ether_header *) packet;
    134. 

  134.     struct ip *iph = (struct ip *) &ethh[1];
    135. 

  135.     struct udphdr *udph  = (struct udphdr*) (iph + 4*iph->ip_hl);
    136. 

  136.     fprintf(fp, "udp_dns { source: %u | dest: %u | checksum: %u }\n",
    137. 

  137.         ntohs(udph->uh_sport),
    138. 

  138.         ntohs(udph->uh_dport),
    139. 

  139.         ntohl(udph->uh_sum));
    140. 

  140.     fprintf_ip_header(fp, iph);
    141. 

  141.     fprintf_eth_header(fp, ethh);
    142. 

  142.     fprintf(fp, "------------------------------------------------------\n");
    143. 

  143. }
    144. 

  144. 

  145. int dns_validate_packet(const struct ip *ip_hdr, uint32_t len,
    146. 

  146.         uint32_t *src_ip, uint32_t *validation)
    147. 

  147. {
    148. 

  148.     if (!udp_validate_packet(ip_hdr, len, src_ip, validation)) {
    149. 

  149.         return 0;
    150. 

  150.     }
    151. 

  151.     if (ip_hdr->ip_p == IPPROTO_UDP) {
    152. 

  152.         struct udphdr *udp = (struct udphdr *) ((char *) ip_hdr + ip_hdr->ip_hl * 4);
    153. 

  153.         uint16_t sport = ntohs(udp->uh_sport);
    154. 

  154.         if (sport != zconf.target_port) {
    155. 

  155.             return 0;
    156. 

  156.         }
    157. 

  157.     }
    158. 

  158.     return 1;
    159. 

  159. }
    160. 

  160. 

  161. //void remove_erroneous_characters(char* input, int length){
    162. 

  162. //    int i =0;
    163. 

  163. //    char[1] slash = "\\";
    164. 

  164. //    char* to_return;
    165. 

  165. //    to_return = malloc(sizeof(char)*length);
    166. 

  166. //    for(i; i < length; i++){
    167. 

  167. //        if strncmp(input[i], slash, 1){
    168. 

  168. //            
    169. 

  169. //        }
    170. 

  170. //    }
    171. 

  171. //}
    172. 

  172. 

  173. void dns_process_packet(const u_char *packet, UNUSED uint32_t len, fieldset_t *fs) {
    174. 

  174.     struct ip *ip_hdr = (struct ip *) &packet[sizeof(struct ether_header)];    
    175. 

  175.     //char char2[2];
    176. 

  176.     //char query_num[2];
    177. 

  177.     if(ip_hdr->ip_p == IPPROTO_UDP){
    178. 

  178.        struct udphdr *udp = (struct udphdr*) ((char*) ip_hdr+ip_hdr->ip_hl * 4);
    179. 

  179.         uint8_t *ptr = (uint8_t *) &udp[1];
    180. 

  180.         if(len >= 69){ 
    181. 

  181.         fs_add_string(fs, "classification", (char*) "dns_mx", 0);
    182. 

  182.         fs_add_uint64(fs, "success", 1);
    183. 

  183.         fs_add_uint64(fs, "sport", ntohs(udp->uh_sport));
    184. 

  184.         fs_add_uint64(fs, "dport", ntohs(udp->uh_dport));
    185. 

  185.         fs_add_null(fs, "icmp_responder");
    186. 

  186.         fs_add_null(fs, "icmp_type");
    187. 

  187.         fs_add_null(fs, "icmp_code");
    188. 

  188.         fs_add_null(fs, "icmp_unreach_str");
    189. 

  189. //        memcpy(char2, ptr, 2);
    190. 

  190. //        temp16 = ntohs(*((uint16_t *)ptr+1));
    191. 

  191. //        fs_add_uint64(fs, "query_response", temp16);
    192. 

  192. //        temp16 = ntohs(*((uint16_t *)ptr+2));
    193. 

  193. //        fs_add_uint64(fs, "query_num", temp16);
    194. 

  194. //        temp16 = ntohs(*((uint16_t *)ptr+3));
    195. 

  195. //        fs_add_uint64(fs, "answers_rrs", temp16);
    196. 

  196. //        temp16 = ntohs(*((uint16_t *)ptr+4));
    197. 

  197. //        fs_add_uint64(fs, "authority_rrs", temp16);
    198. 

  198. //        temp16 = ntohs(*((uint16_t *)ptr+5));
    199. 

  199. //        fs_add_uint64(fs, "additional_rrs", temp16);
    200. 

  200. //        //for(i; i<2; i++){
    201. 

  201. //        //    fprintf(stderr, "byte %i %02x", i, char2[i]);
    202. 

  202. //        //}
    203. 

  203. //        //fs_add_uint64(fs, "query_response", *char2); 
    204. 

  204. //        //memcpy(query_num, (ptr+2), 2);
    205. 

  205. //        //for(i=0; i<2; i++){
    206. 

  206. //        //    fprintf(stderr, "byte %i %02x", i, *query_num);
    207. 

  207. //        //}
    208. 

  208. //        //fs_add_uint64(fs, "query_num", *query_num);
    209. 

  209. //        //memcpy(answer_rrs, (ptr+4), 2);
    210. 

  210. //        //fs_add_uint64(fs, "answer_rrs", *answer_rrs); 
    211. 

  211. //        //memcpy(authority_rrs, (ptr+6), 2);
    212. 

  212. //        //fs_add_uint64(fs, "authority_rrs", *authority_rrs); 
    213. 

  213. //        //memcpy(additional_rrs, (ptr+8), 2);
    214. 

  214. //        //fs_add_uint64(fs, "additional_rrs", *additional_rrs); 
    215. 

  215. //        //memcpy(char2, (ptr+10), 2);
    216. 

  216. //        
    217. 

  217. //        //27 bytes
    218. 

  218. //        data = malloc(sizeof(char)*(len - 69));
    219. 

  219. //        //fs_add_uint64(fs, "answers", data);
    220. 

  220.         fs_add_binary(fs, "answers", (len-42), (void *)&ptr[0], 0);
    221. 

  221.         //memcpy(data, (ptr+14), len-35);
    222. 

  222.         //fs_add_binary(fs, "answers", len-35, data, 0);
    223. 

  223. //        fs_add_null(fs, "query_num");
    224. 

  224. //        fs_add_null(fs, "answer_rrs");
    225. 

  225. //        fs_add_null(fs, "authority_rrs");
    226. 

  226. //        fs_add_null(fs, "additional_rrs");
    227. 

  227. //        fs_add_null(fs, "answers");
    228. 

  228. //        free(char2);
    229. 

  229. //        free(query_num);
    230. 

  230. //        free(answer_rrs);
    231. 

  231. //        free(authority_rrs);
    232. 

  232. //        free(additional_rrs);
    233. 

  233. //        free(data);
    234. 

  234.         }else{
    235. 

  235. 

  236.             fs_add_string(fs, "classification", (char*) "dns_mx", 0);
    237. 

  237.             fs_add_uint64(fs, "success", 0);
    238. 

  238.             fs_add_uint64(fs, "sport", ntohs(udp->uh_sport));
    239. 

  239.             fs_add_uint64(fs, "dport", ntohs(udp->uh_dport));
    240. 

  240.             fs_add_null(fs, "icmp_responder");
    241. 

  241.             fs_add_null(fs, "icmp_type");
    242. 

  242.             fs_add_null(fs, "icmp_code");
    243. 

  243.             fs_add_null(fs, "icmp_unreach_str");
    244. 

  244.             fs_add_null(fs, "answers");
    245. 

  245. //            fs_add_null(fs, "query_response");
    246. 

  246. //            fs_add_null(fs, "query_num");
    247. 

  247. //            fs_add_null(fs, "answer_rrs");
    248. 

  248. //            fs_add_null(fs, "authority_rrs");
    249. 

  249. //            fs_add_null(fs, "additional_rrs");
    250. 

  250. //            fs_add_null(fs, "answers");
    251. 

  251.         }
    252. 

  252. 

  253.     }else if (ip_hdr->ip_p == IPPROTO_ICMP){
    254. 

  254.         struct icmp *icmp = (struct icmp *) ((char *) ip_hdr + ip_hdr -> ip_hl *4); 
    255. 

  255.         struct ip *ip_inner = (struct ip *) &icmp[1];
    256. 

  256.         fs_modify_string(fs, "saddr", make_ip_str(ip_inner->ip_dst.s_addr), 1);
    257. 

  257.         fs_add_string(fs, "classification", (char*) "icmp-unreach", 0);
    258. 

  258.         fs_add_uint64(fs, "success", 0);
    259. 

  259.         fs_add_null(fs, "sport");
    260. 

  260.         fs_add_null(fs, "dport");
    261. 

  261.         fs_add_string(fs, "icmp_responder", make_ip_str(ip_hdr->ip_src.s_addr), 1);
    262. 

  262.         fs_add_uint64(fs, "icmp_type", icmp->icmp_type);
    263. 

  263.         fs_add_uint64(fs, "icmp_code", icmp->icmp_code);
    264. 

  264.         fs_add_null(fs, "icmp_unreach_str");
    265. 

  265.         
    266. 

  266. //        fs_add_null(fs, "query_response");
    267. 

  267. //        fs_add_null(fs, "query_num");
    268. 

  268. //        fs_add_null(fs, "answer_rrs");
    269. 

  269. //        fs_add_null(fs, "authority_rrs");
    270. 

  270. //        fs_add_null(fs, "additional_rrs");
    271. 

  271.         fs_add_null(fs, "answers");
    272. 

  272.         
    273. 

  273.     }else{
    274. 

  274.         fs_add_string(fs, "classification", (char*) "other", 0);
    275. 

  275.         fs_add_uint64(fs, "success", 0);
    276. 

  276.         fs_add_null(fs, "sport");
    277. 

  277.         fs_add_null(fs, "dport");
    278. 

  278.         fs_add_null(fs, "icmp_responder");
    279. 

  279.         fs_add_null(fs, "icmp_type");
    280. 

  280.         fs_add_null(fs, "icmp_code");
    281. 

  281.         fs_add_null(fs, "icmp_unreach_str");
    282. 

  282.         
    283. 

  283. //        fs_add_null(fs, "query_response");
    284. 

  284. //        fs_add_null(fs, "query_num");
    285. 

  285. //        fs_add_null(fs, "answer_rrs");
    286. 

  286. //        fs_add_null(fs, "authority_rrs");
    287. 

  287. //        fs_add_null(fs, "additional_rrs");
    288. 

  288.         fs_add_null(fs, "answers");
    289. 

  289. 

  290.     }
    291. 

  291. }
    292. 

  292. 

  293. static fielddef_t fields[] = {
    294. 

  294.     {.name = "classification", .type="string", .desc = "packet classification"},
    295. 

  295.     {.name = "success", .type="int", .desc = "is response considered success"},
    296. 

  296.     {.name = "sport",  .type = "int", .desc = "UDP source port"},
    297. 

  297.     {.name = "dport",  .type = "int", .desc = "UDP destination port"},
    298. 

  298.     {.name = "icmp_responder", .type = "string", .desc = "Source IP of ICMP_UNREACH message"},
    299. 

  299.     {.name = "icmp_type", .type = "int", .desc = "icmp message type"},
    300. 

  300.     {.name = "icmp_code", .type = "int", .desc = "icmp message sub type code"},
    301. 

  301.     {.name = "icmp_unreach_str", .type = "string", .desc = "for icmp_unreach responses, the string version of icmp_code (e.g. network-unreach)"},
    302. 

  302. //    {.name = "query_response", .type = "string", .desc = "for DNS responses, the response code meaning of dns answer pkt"},
    303. 

  303. //    {.name = "query_num", .type = "int", .desc ="query_num for packet"},
    304. 

  304. //    {.name = "answer_rrs", .type="int", .desc = "number of answer_rrs for packet"},
    305. 

  305. //    {.name = "authority_rrs", .type="int", .desc = "number of authority_rrs"},
    306. 

  306. //    {.name = "additional_rrs", .type="int", .desc = "number of additional_rrs"},
    307. 

  307.     {.name = "answers", .type="binary", .desc = "answers in binary format"},
    308. 

  308. };
    309. 

  309. 

  310. probe_module_t module_dns_mx = {
    311. 

  311.     .name = "dns_mx",
    312. 

  312.     .packet_length = 1,
    313. 

  313.     .pcap_filter = "udp || icmp",
    314. 

  314.     .pcap_snaplen = 1500,            // TO BE CHANGED FOR EXSTIMATE REFLECTION SIZE
    315. 

  315.     .port_args = 1,
    316. 

  316.     .thread_initialize = &dns_init_perthread,
    317. 

  317.     .global_initialize = &udp_global_initialize,
    318. 

  318.     .make_packet = &udp_make_packet,
    319. 

  319.     .print_packet = &dns_print_packet,
    320. 

  320.     .validate_packet = &dns_validate_packet,
    321. 

  321.     .process_packet = &dns_process_packet,
    322. 

  322.     .close = &udp_global_cleanup,
    323. 

  323.     .fields = fields,
    324. 

  324.     .numfields = sizeof(fields)/sizeof(fields[0])
    325. 

  325. };
    326. 

  326. 

  327. ////this will convert www.google.com to 
    328. 

  328. //void convert_to_dns_mx_name_format(unsigned char* dns,unsigned char* host) {
    329. 

  329. //    int lock = 0;
    330. 

  330. //    strcat((char*)host,".");
    331. 

  331. //    for(int i = 0; i < ((int) strlen((char*)host)); i++) {
    332. 

  332. //        if(host[i]=='.') {
    333. 

  333. //            *dns++=i-lock;
    334. 

  334. //            for(;lock<i;lock++) {
    335. 

  335. //                *dns++=host[lock];
    336. 

  336. //            }
    337. 

  337. //            lock++;
    338. 

  338. //        }
    339. 

  339. //    }
    340. 

  340. //    *dns++ = '\0';
    341. 

  341. //}
    342.