server.rs 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441
  1. use std::net::UdpSocket;
  2. use crate::dns::*;
  3. use std::str;
  4. use crate::utilities::*;
  5. pub struct DnsServer {
  6. }
  7. impl DnsServer {
  8. pub fn serve(port: u16) {
  9. let socket = UdpSocket::bind(("0.0.0.0", port)).unwrap();
  10. // starting main loop
  11. loop {
  12. DnsServer::handle_query(&socket);
  13. }
  14. }
  15. fn handle_query(socket: &UdpSocket) {
  16. let mut response_buffer = BytePacketBuffer::new();
  17. // receive into response buffer
  18. let (_, src) = socket.recv_from(&mut response_buffer.buf).unwrap();
  19. let mut packet = DnsPacket::from_bytes(&mut response_buffer);
  20. // create the response packet
  21. let mut resp_packet = DnsPacket::empty();
  22. resp_packet.header.id = packet.header.id;
  23. resp_packet.header.recursion_desired = packet.header.recursion_desired;
  24. resp_packet.header.recursion_available = true;
  25. resp_packet.header.query_response = true;
  26. // if there is exactly one question
  27. if let Some(question) = packet.questions.pop() {
  28. println!("[*] Received query: {:?}", question);
  29. if let Ok(result) = DnsServer::lookup(&question.name, &question.qtype) {
  30. for rec in result.answers {
  31. println!("-> Answer: {:?}", rec);
  32. resp_packet.answers.push(rec);
  33. }
  34. for rec in result.authorities {
  35. println!("-> Authority: {:?}", rec);
  36. resp_packet.authorities.push(rec);
  37. }
  38. for rec in result.resources {
  39. println!("-> Resource: {:?}", rec);
  40. resp_packet.resources.push(rec);
  41. }
  42. // if the lookup was successfull
  43. // push the original question
  44. resp_packet.questions.push(question);
  45. } else {
  46. resp_packet.header.result_code = ResultCode::SERVFAIL;
  47. }
  48. } else {
  49. resp_packet.header.result_code = ResultCode::FORMERR;
  50. }
  51. // write the packet to a buffer and send via socket
  52. let mut res_buffer = BytePacketBuffer::new();
  53. resp_packet.write(&mut res_buffer).unwrap();
  54. socket.send_to(res_buffer.get_range(0, res_buffer.pos()).unwrap(), src).unwrap();
  55. }
  56. fn lookup(qname: &str, qtype: &QueryType) -> Result<DnsPacket, &'static str> {
  57. // use googles DNS mainly as primary DNS
  58. let server = ("8.8.8.8", 53);
  59. let mut pkt = DnsPacket::new(*qtype, qname);
  60. let mut req_buffer = BytePacketBuffer::new();
  61. pkt.write(&mut req_buffer).unwrap();
  62. let socket = UdpSocket::bind(("0.0.0.0", 43210)).unwrap();
  63. socket.send_to(&req_buffer.buf[0..req_buffer.pos], server).unwrap();
  64. let mut rec_buffer = BytePacketBuffer::new();
  65. socket.recv_from(&mut rec_buffer.buf).unwrap();
  66. let response = DnsPacket::from_bytes(&mut rec_buffer);
  67. return Ok(response);
  68. }
  69. }
  70. pub struct DnsTunnel {
  71. server: String,
  72. domain: String,
  73. port: u16,
  74. server_buffer: String
  75. }
  76. impl<'a> DnsTunnel {
  77. /// Craft a new instance of a DNS Tunnel
  78. /// ip: IP of the DNS tunnel server
  79. /// port: port of the DNS tunnel server
  80. pub fn new(domain: String, server: String, port: u16) -> DnsTunnel {
  81. DnsTunnel { server, port, domain, server_buffer: String::new() }
  82. }
  83. /// keeps open a listener to transfer data via DNS tunneling
  84. pub fn new_server(domain: String, port: u16) -> DnsTunnel {
  85. DnsTunnel { server: String::new(), port, domain, server_buffer: String::new() }
  86. }
  87. pub fn connect(&self) -> Result<(), &str> {
  88. if !self.check_connection() {
  89. println!("[-] DNS Tunnel not reachable");
  90. return Err("");
  91. }
  92. println!("[+] Successfully connected to DNS Tunnel");
  93. Ok(())
  94. }
  95. /// A function that can be called from the server side and lets the server send arbitrary
  96. /// strings
  97. pub fn server_send(&mut self, data: String) {
  98. self.server_buffer.push_str(&data);
  99. }
  100. pub fn send_string(&self, data: String) -> Result<(), &str> {
  101. if !self.init_send() {
  102. return Err("Failed to initialize data transfer");
  103. }
  104. // At this point, split the data in chunks of XX bytes and send each
  105. // chunk to the server until all the data is finished.
  106. // Close the connection by sending an `END` packet.
  107. if data.len() > 63 {
  108. // split the data in chunks of 63 bytes
  109. let chunks = data.as_bytes()
  110. .chunks(63)
  111. .map(str::from_utf8)
  112. .collect::<Result<Vec<&str>, _>>()
  113. .unwrap();
  114. for chunk in chunks {
  115. // Send the actual DATA after the tunnel is established
  116. println!("[DBG]: Sending Chunk: {}", chunk);
  117. // send the chunk
  118. self.send_chunk(chunk);
  119. }
  120. } else {
  121. self.send_chunk(&data);
  122. }
  123. // Close the data transfer by sending a `END` message
  124. if !self.close_send() {
  125. return Err("Failed to finish data transfer");
  126. }
  127. Ok(())
  128. }
  129. pub fn serve(&mut self) {
  130. let mut full_data: String = String::new();
  131. println!("[+] Started DNS tunnel, ready to receive data...");
  132. let socket = UdpSocket::bind(("0.0.0.0", self.port)).unwrap();
  133. // starting main loop
  134. let mut poll_status = PollStatus::NONE;
  135. let mut message = String::new();
  136. // UFF
  137. loop {
  138. let mut response_buffer = BytePacketBuffer::new();
  139. // receive into response buffer
  140. let (_, src) = socket.recv_from(&mut response_buffer.buf).unwrap();
  141. // decode the response as DNS packet
  142. let mut packet = DnsPacket::from_bytes(&mut response_buffer);
  143. // if there is at least one question of the type TXT
  144. if packet.questions.len() >= 1 && packet.questions[0].qtype == QueryType::TXT {
  145. let quest = &packet.questions[0];
  146. // Exfiltrate the Data
  147. let data = &packet.questions[0].name;
  148. let mut data: Vec<&str> = data.split(".").collect();
  149. let data = data[0];
  150. // Decode/Decrypt the data
  151. let data = b64decode(data);
  152. let data = String::from_utf8_lossy(&xor(&data, 0xF5)).to_string();
  153. // Return DNS Packet
  154. let mut return_packet = DnsPacket::empty();
  155. match &data[..] {
  156. "INIT" => {
  157. return_packet = DnsTunnel::get_txt_response(&packet, "ACK".to_string());
  158. },
  159. "START" => {
  160. return_packet = DnsTunnel::get_txt_response(&packet, "ACK".to_string());
  161. },
  162. "END" => {
  163. println!("Full Message {}", message);
  164. message = String::new();
  165. return_packet = DnsTunnel::get_txt_response(&packet, "ACK".to_string());
  166. },
  167. "POLL" => {
  168. match poll_status {
  169. PollStatus::NONE => {
  170. // Enter Polling Mode
  171. println!("[*] Polling Recieved");
  172. return_packet = DnsTunnel::get_txt_response(&packet, "START".to_string());
  173. poll_status = PollStatus::STARTED;
  174. },
  175. PollStatus::STARTED => {
  176. let mut chunk = String::new();
  177. if self.server_buffer.len() >= 63 {
  178. chunk = self.server_buffer[..63].to_string();
  179. self.server_buffer = self.server_buffer[63..].to_string();
  180. } else {
  181. chunk.push_str(&self.server_buffer);
  182. self.server_buffer = String::new();
  183. }
  184. return_packet = DnsTunnel::get_txt_response(&packet, chunk);
  185. if self.server_buffer.len() == 0 {
  186. poll_status = PollStatus::FINISHED;
  187. }
  188. },
  189. PollStatus::FINISHED => {
  190. // Send STOP message
  191. return_packet = DnsTunnel::get_txt_response(&packet, "END".to_string());
  192. poll_status = PollStatus::NONE;
  193. }
  194. }
  195. },
  196. _ => {
  197. message.push_str(&data);
  198. }
  199. }
  200. // return the response Packet
  201. let res_buffer = DnsTunnel::get_buffer(&mut return_packet);
  202. socket.send_to(res_buffer.get_range(0, res_buffer.pos()).unwrap(), src).unwrap();
  203. }
  204. }
  205. }
  206. /// this is not only checking for an `ACK` as answer, but gets the returned
  207. /// data
  208. fn send_recv(&self, message: &str) -> Result<String, ()> {
  209. // Take care of the encoding
  210. let bytes = xor(message.as_bytes(), 0xF5);
  211. let message = &b64encode(bytes);
  212. // Craft new request with `INIT`
  213. let mut pkt = self.get_txt_request(&self.domain, message.to_string());
  214. let resp = pkt.send((&self.server, self.port));
  215. // Check the answers
  216. if resp.answers.len() < 1 {
  217. return Err(());
  218. }
  219. let record = match &resp.answers[0] {
  220. DnsRecord::TXT {
  221. ref domain,
  222. len,
  223. ref txt,
  224. ttl
  225. } => {
  226. return Ok(txt.to_string())
  227. }
  228. _ => {
  229. return Err(());
  230. }
  231. };
  232. return Err(());
  233. }
  234. /// Check if the remote server answers a simple `TUN` message with the
  235. /// answer `ACK`, this means that the server is available and can
  236. /// send back data.
  237. fn send_chunk(&self, message: &str) -> bool {
  238. // Take care of the encoding
  239. let bytes = xor(message.as_bytes(), 0xF5);
  240. let message = &b64encode(bytes);
  241. // Craft new request with `INIT`
  242. let mut pkt = self.get_txt_request(&self.domain, message.to_string());
  243. let resp = pkt.send((&self.server, self.port));
  244. // Check the answers
  245. if resp.answers.len() < 1 {
  246. return false;
  247. }
  248. let record = match &resp.answers[0] {
  249. DnsRecord::TXT {
  250. ref domain,
  251. len,
  252. ref txt,
  253. ttl
  254. } => {
  255. if txt == "ACK" {
  256. return true;
  257. }
  258. }
  259. _ => {
  260. return false;
  261. }
  262. };
  263. return false;
  264. }
  265. fn check_connection(&self) -> bool {
  266. self.send_chunk("INIT")
  267. }
  268. // Init the data transfer by sending a `START` message
  269. fn init_send(&self) -> bool {
  270. self.send_chunk("START")
  271. }
  272. // Closea the data transfer by sending an `END` message
  273. fn close_send(&self) -> bool {
  274. self.send_chunk("END")
  275. }
  276. pub fn receive_msg(&self) -> Option<String> {
  277. let mut wait_for_data = false;
  278. let mut return_data = String::new();
  279. loop {
  280. if let Ok(data) = self.send_recv("POLL") {
  281. match &data[..] {
  282. "START" => {
  283. println!("Start");
  284. wait_for_data = true;
  285. },
  286. "END" => {
  287. wait_for_data = false;
  288. return Some(return_data);
  289. },
  290. "NONE" => {
  291. return None;
  292. },
  293. _ => {
  294. return_data.push_str(&data);
  295. }
  296. }
  297. }
  298. }
  299. return None;
  300. }
  301. fn get_txt_response(ref_pkt: &DnsPacket, data: String) -> DnsPacket {
  302. let mut packet = DnsPacket::empty();
  303. packet.header.id = ref_pkt.header.id;
  304. packet.header.recursion_desired = ref_pkt.header.recursion_desired;
  305. packet.header.recursion_available = true;
  306. packet.header.query_response = true;
  307. packet.header.result_code = ResultCode::NOERROR;
  308. let domain = &ref_pkt.questions[0].name;
  309. let answer = DnsRecord::TXT {
  310. domain: domain.to_string(),
  311. len: data.len() as u8,
  312. ttl: 7766,
  313. txt: data
  314. };
  315. packet.answers.push(answer);
  316. return packet;
  317. }
  318. fn get_txt_request(&self, domain: &str, data: String) -> DnsPacket {
  319. let mut packet = DnsPacket::empty();
  320. let full_domain = format!("{}.{}", data, domain);
  321. let question = DnsQuestion{ name: full_domain, qtype: QueryType::TXT};
  322. packet.questions.push(question);
  323. packet
  324. }
  325. fn get_buffer(pkt: &mut DnsPacket) -> BytePacketBuffer {
  326. let mut res_buffer = BytePacketBuffer::new();
  327. pkt.write(&mut res_buffer).unwrap();
  328. return res_buffer;
  329. }
  330. /// Function splits String ref into many chunks and returns a
  331. /// vector of those chunks
  332. fn split_data(&self, data: &'a String) -> Vec<&'a str> {
  333. if data.len() > 63 {
  334. // split the data in chunks of 63 bytes
  335. let chunks = data.as_bytes()
  336. .chunks(63)
  337. .map(str::from_utf8)
  338. .collect::<Result<Vec<&str>, _>>()
  339. .unwrap();
  340. return chunks;
  341. }
  342. let mut ret = Vec::new();
  343. ret.push(&data[..]);
  344. return ret;
  345. }
  346. }
  347. enum PollStatus {
  348. NONE,
  349. STARTED,
  350. FINISHED,
  351. }