The Vacuum, a DNS Amplification Scanner, & The Masquerade, a DNS Amplification Masker
DISCLAIMER: This tool is for educational and authorized penetration testing purposes only. Use only on systems you own or have explicit permission to test.
Table of Contents
- Overview
- Features
- Architecture
- Installation
- Quick Start
- Usage Examples
- Configuration
- Advanced Features
- Detection Evasion
- Troubleshooting
- Contributing
- Legal Notice
Overview
DNS Amplification Masker is a penetration-testing framework that uses DNS amplification traffic to mask security scanning activity. It sends DNS queries, forged to carry the target's address as their source, to open resolvers; the resolvers deliver their much larger responses to the target, creating a "noise screen" in which the packets of nmap, hydra and dirsearch are meant to be harder to pick out of IDS/IPS logs. Because the queries have to be spoofed, masquerade.py needs raw-socket (root) privileges and only works from a network that does not apply BCP 38 egress filtering; from the point of view of the target and of the resolvers, the noise is a denial-of-service flood.
How It Works
graph TD
A[Masker] -->|1. Load vulnerable DNS servers| B[DNS Report]
A -->|2. Start amplification| C[DNS Reflectors]
A -->|3. Launch security scan| D[Target Systems]
C -->|Amplified traffic| E[Target Network]
D -->|Scan traffic| E
E -->|Mixed traffic| F[IDS/IPS/WAF]
F -->|Difficult to detect| G[Legitimate scan traffic hidden]
style A fill:#ff6b6b
style C fill:#4ecdc4
style E fill:#ffe66d
style F fill:#ff8b94
Features
Supported Security Tools
- Nmap - Port scanning and service detection
- Hydra - Brute force authentication attacks
- Dirsearch - Directory and file enumeration
- Multi-target - Bulk scanning capabilities
- Web Scanning - Comprehensive web application testing
Masking Capabilities
- 4 Intensity Levels: light, medium, heavy, extreme
- Weighted DNS Selection: Prioritizes high-amplification servers
- Dynamic Boost: Increases masking when an integrated tool reports a successful result
- Burst Mode: Short-term intensive amplification for critical moments
- Background Masking: Long-duration stealth coverage
Intelligence Features
- Real-time Statistics: Live monitoring of amplification volume
- Smart Detection: Automatically identifies successful attacks
- Result Logging: Timestamped output files
- Graceful Shutdown: Clean termination on interruption
- Resource Management: Automatic cleanup of temporary files
Architecture
Project Structure
/vacuum_and_masquerade/
├── masquerade.py # Main masking framework
├── vacuum.py # DNS vulnerability scanner
└── README.md # This file
Core Components
class DNSAmplificationMasker:
├── DNS Server Management
│   ├── load_vulnerable_dns_servers()
│   ├── weighted_dns_choice()
│   └── create_amplified_packet()
│
├── Masking Operations
│   ├── start_masking()
│   ├── amplification_worker()
│   ├── boost_masking()
│   └── stop_masking()
│
├── Tool Integration
│   ├── masked_nmap_scan()
│   ├── masked_hydra_attack()
│   ├── masked_dirsearch()
│   └── masked_comprehensive_web_scan()
│
└── Monitoring & Stats
    ├── stats_monitor()
    └── signal_handler()
Installation
Prerequisites
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install python3 python3-pip nmap hydra git
# Install dirsearch
pip3 install dirsearch
# OR
git clone https://github.com/maurosoria/dirsearch.git
Install DNS Amplification Masker
# Clone repository
git clone https://github.com/toxy4ny/vacuum_and_masquerade.git
cd vacuum_and_masquerade
chmod +x masquerade.py vacuum.py
Find Vulnerable DNS Servers
# Scan for vulnerable DNS servers first
sudo python3 vacuum.py --output dns_report.json --threads 50 --timeout 5
# This creates the required DNS amplification report
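To make the numbers in the DNS report concrete, here is an added example (not vacuum.py or any other code from this project) that builds the kind of query an amplification scanner sends, an ANY query with an EDNS0 OPT record advertising a 4096-byte UDP buffer, parses the reply header for the flags a scanner cares about (RA, TC, RCODE) and computes the amplification factor. The hostname, transaction id and the 4,000-byte sample reply are constructed; `probe()` is the only function that touches the network, and it should be pointed only at a resolver you operate.

```python
"""Measure one resolver's amplification factor for one query.

Added example, not part of vacuum.py. It builds a DNS ANY query with an
EDNS0 OPT record (the thing that lets a UDP answer exceed 512 bytes), parses
the reply header, and reports response_bytes / query_bytes. The hostname,
transaction id and SAMPLE_RESPONSE below are constructed for illustration.
"""
import socket
import struct

QTYPE_ANY = 255
TXID = 0x1234  # fixed id for the example; use a random one in real probes


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = TXID,
                edns_udp_size: int = 4096) -> bytes:
    """Standard query (RD set) plus an EDNS0 OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=ext flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Return the header fields a scanner keys on."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),  # truncated: the full answer needs TCP, so less UDP amplification
        "ra": bool(flags & 0x0080),  # recursion available to a stranger = open resolver
        "rcode": flags & 0x000F,
        "ancount": an, "nscount": ns, "arcount": ar,
    }


def amplification_factor(query: bytes, response: bytes) -> float:
    """Ratio at the DNS layer, which is what amplification reports usually quote."""
    return len(response) / len(query)


def wire_factor(query: bytes, response: bytes, overhead: int = 28) -> float:
    """Ratio on the wire: IPv4 (20) + UDP (8) headers are added to both sides, lowering the factor."""
    return (len(response) + overhead) / (len(query) + overhead)


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one query to a resolver you are authorised to test and summarise the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    hdr = parse_header(resp)
    if hdr["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return {**hdr, "query_bytes": len(q), "response_bytes": len(resp),
            "factor": amplification_factor(q, resp), "wire_factor": wire_factor(q, resp)}


# Constructed sample: QR|RD|RA set, NOERROR, 20 answers, padded to 4,000 bytes
# to stand in for a large ANY answer. Not a real capture.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", TXID, 0x8180, 1, 20, 0, 1) + b"\x00" * 3988

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "byte query ->", len(SAMPLE_RESPONSE), "byte reply")
    print(parse_header(SAMPLE_RESPONSE))
    print("factor", amplification_factor(q, SAMPLE_RESPONSE), "on-wire", round(wire_factor(q, SAMPLE_RESPONSE), 1))
```

The 40-byte query against the 4,000-byte sample reply gives a factor of 100 at the DNS layer but about 59 on the wire once IP and UDP headers are counted, which is the number that matters for the flood the target actually receives; a reply with TC set means the resolver capped its UDP answer and the factor is correspondingly smaller.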
Quick Start
1. Basic Nmap Scan with Masking
sudo python3 masquerade.py --dns-report dns_report.json nmap \
--target 192.168.1.0/24 \
--args "-p 22,80,443 -sV" \
--intensity medium
2. Web Directory Enumeration
python3 masquerade.py --dns-report dns_report.json dirsearch \
--url https://example.com \
--extensions "php,html,js,txt" \
--intensity heavy
3. SSH Brute Force Attack
python3 masquerade.py --dns-report dns_report.json hydra \
--target ssh://192.168.1.100 \
--service ssh \
--userlist examples/users.txt \
--passlist examples/passwords.txt \
--intensity extreme
Usage Examples
Comprehensive Web Application Testing
# Full web security assessment (nmap + dirsearch + hydra)
python3 masquerade.py --dns-report dns_report.json webscan \
--url https://target-webapp.com \
--intensity heavy
What this does:
- Phase 1: Port scan (80, 443, 8080, 8443) with service detection
- Phase 2: Directory enumeration with common web extensions
- Phase 3: HTTP authentication brute force on discovered endpoints
Multi-Target Directory Scanning
# Create target list
echo -e "https://site1.com\nhttps://site2.com\nhttps://api.site3.com" > targets.txt
# Bulk directory scanning with masking
python3 masquerade.py --dns-report dns_report.json multidirsearch \
--targets targets.txt \
--extensions "php,asp,jsp,json,xml" \
--intensity extreme
Advanced Nmap with Custom Arguments
# Stealth SYN scan with OS detection and script scanning
sudo python3 masquerade.py --dns-report dns_report.json nmap \
--target 10.0.0.0/8 \
--args "-sS -O --script=vuln,exploit -T2" \
--scan-delay 200 \
--intensity heavy
Multi-Service Brute Force
# SSH brute force
python3 masquerade.py --dns-report dns_report.json hydra \
--target 192.168.1.100 \
--service ssh \
--args "-t 1 -W 60" \
--intensity extreme
# HTTP basic auth
python3 masquerade.py --dns-report dns_report.json hydra \
--target http://192.168.1.100/admin \
--service http-get \
--args '"/admin"' \
--intensity heavy
# FTP brute force
python3 masquerade.py --dns-report dns_report.json hydra \
--target ftp://192.168.1.100 \
--service ftp \
--intensity medium
Custom Dirsearch with Wordlists
# Using custom wordlist and recursive scanning
python3 masquerade.py --dns-report dns_report.json dirsearch \
--url https://target.com \
--wordlist wordlists/big.txt \
--args "--recursive --deep-recursive --random-user-agents" \
--extensions "php,asp,aspx,jsp,do,action" \
--intensity extreme
Configuration
Masking Intensity Levels
Intensity | Threads | Rate (pps) | Burst Size | Use Case
---|---|---|---|---
light | 3 | 10 | 5 | Basic stealth scanning
medium | 5 | 50 | 10 | Standard penetration testing
heavy | 8 | 100 | 20 | Advanced red team operations
extreme | 12 | 200 | 30 | High-security environments
DNS Server Selection Logic
# Servers are weighted by amplification factor
Top 20% servers = high-amplification servers (reported as 1000x+)
Selection weight = amplification_factor * availability_score
# Example: a server with 5000x amplification is chosen 50 times as often
# as a server with 100x amplification (weights are proportional, so the
# probability ratio is 5000/100, not 5000)
# Sanity check on report values: a ~60-byte query answered with a 4096-byte
# EDNS0 response is roughly 68x; factors in the hundreds or above need
# responses approaching the 64 KB UDP maximum, so treat 1000x+ entries as
# suspect and re-measure them.
Target Parsing Examples
# Single IP
--target 192.168.1.100
# IP range (CIDR)
--target 192.168.1.0/24
# Domain name
--target example.com
# URL (for web tools)
--url https://example.com:8080/app
# Multiple targets file
echo -e "192.168.1.100\n10.0.0.50\nexample.com" > targets.txt
Advanced Features
Dynamic Masking Boost
The masker automatically increases amplification when one of the integrated tools reports a result:
# Automatic boost triggers
- Nmap discovers open ports -> boost masking
- Hydra finds valid credentials -> extreme boost
- Dirsearch finds resources -> burst amplification
Each boost adds 30-300 seconds of intense masking. Note that a burst of reflected traffic timed to each discovery is itself a correlatable signal for anyone watching the target's inbound volume.
Real-Time Statistics
# Live stats during operation (sample output)
Runtime: 145.2 seconds
Packets sent: 12,450
Average PPS: 85.6
Amplification: ~51 MB of reflected traffic (12,450 queries x ~4,096-byte responses)
Active DNS servers: 15/87
Stealth Configuration
# Nmap stealth settings (auto-applied)
-T2 # Polite timing
--scan-delay 100ms # Minimum delays
-sS # SYN stealth scan
# Hydra stealth settings
-t 1 # Single thread
-W 30 # 30s between attempts
-f # Stop at first success
# Dirsearch stealth settings
--delay 2 # 2s between requests
--max-rate 10 # Max 10 req/sec
--random-user-agents # Randomized headers
--threads 5 # Limited concurrency
Automatic Result Saving
# Output files created automatically
dirsearch_example_com_20241201_143052.txt
nmap_scan_192_168_1_0_20241201_143105.xml
hydra_results_20241201_143200.txt
# Log files
masker.log # Detailed operation log
amplification_stats.json # Performance metrics
Detection Evasion
Traffic Mixing Strategy
graph LR
A[Legitimate Scan] --> B{IDS/IPS}
C[DNS Amplification x1000] --> B
D[Other Network Traffic] --> B
B --> E[Mixed Traffic Analysis]
E --> F[Difficult Detection]
style C fill:#ff6b6b
style F fill:#51cf66
Amplification Effectiveness
# Typical amplification results
DNS query (64 bytes) -> response (4,096 bytes) = 64x amplification
Target receives: your 1 packet + 64 amplified packets mixed in
# With 50 vulnerable DNS servers:
Your scan: 1 packet/sec
Background: 3,200 amplified packets/sec
Packet-count ratio: 99.97% noise vs 0.03% signal
Caveat: that ratio is a packet count, not a detection probability. The noise is UDP traffic with source port 53 arriving from many addresses; the scan is TCP SYNs or HTTP requests from one address. Flow-based and protocol-aware detectors bucket those separately, so a SYN scan is exactly as visible as it would be without the flood, and the flood itself trips volumetric DDoS alarms in its own right. Reflected DNS can only mask traffic that shares its protocol and port profile, which TCP port scans, hydra and dirsearch do not.
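The ratio above counts packets, not what a detector sees. As an added example (not part of this project), the following Python runs two independent checks over constructed flow records (NetFlow/Zeek-style unidirectional rows; all addresses are from the RFC 5737 documentation ranges and all counts are made up): one flags reflected DNS, meaning answers from many resolvers the host never queried, and the other flags a SYN scan, meaning one source sending bare SYNs to many ports. The second check never looks at UDP, so a 50-reflector flood leaves the scan finding unchanged.

```python
"""Separate a reflected-DNS flood from a port scan in flow records.

Added example, not part of the masquerade project. The Flow records, the
TARGET address and every count are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "udp" or "tcp"
    pkts: int
    nbytes: int
    flags: str = ""   # TCP flags seen on the flow, e.g. "S" = SYN only


TARGET = "203.0.113.10"  # the host being "masked" (TEST-NET-3, constructed)


def find_dns_reflection(flows, target=TARGET, min_sources=10):
    """Inbound UDP/53 -> target flows for which target never sent a query to that source.

    Answers without questions, from many distinct resolvers, are the signature of
    spoofed-source amplification rather than the host's own DNS use.
    """
    asked = {(f.dst, f.src) for f in flows
             if f.src == target and f.dport == 53 and f.proto == "udp"}
    unsolicited = [f for f in flows
                   if f.proto == "udp" and f.sport == 53 and f.dst == target
                   and (f.src, f.dst) not in asked]
    sources = {f.src for f in unsolicited}
    if len(sources) < min_sources:
        return None
    return {"reflectors": len(sources),
            "packets": sum(f.pkts for f in unsolicited),
            "bytes": sum(f.nbytes for f in unsolicited)}


def find_syn_scan(flows, target=TARGET, min_ports=10):
    """One source sending SYN-only TCP flows to many distinct ports on target.

    UDP traffic never enters this count, so reflected DNS volume cannot dilute it.
    """
    ports_by_src = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dst == target and f.flags == "S":
            ports_by_src[f.src].add(f.dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def build_sample():
    """Constructed flow table: legitimate DNS, a 50-reflector flood, and a 12-port SYN scan."""
    flows = []
    # The host queries its own resolver and gets one reply; this must NOT be flagged.
    flows.append(Flow(TARGET, 41000, "198.51.100.1", 53, "udp", 1, 60))
    flows.append(Flow("198.51.100.1", 53, TARGET, 41000, "udp", 1, 120))
    # 50 open resolvers each delivering 64 answers/sec of ~4,000 bytes that target never asked for.
    for i in range(50):
        flows.append(Flow(f"192.0.2.{i + 1}", 53, TARGET, 1025 + i, "udp", 64, 64 * 4000))
    # One scanner probing 12 ports with a single bare SYN each.
    for port in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080):
        flows.append(Flow("198.51.100.77", 50000 + port, TARGET, port, "tcp", 1, 60, "S"))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print("reflection:", find_dns_reflection(sample))
    print("syn scan:  ", find_syn_scan(sample))
```

Both detectors fire on the sample, and the scan result is identical whether or not the 50 reflector flows are present; the flood only adds a second, louder alert.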
Timing Strategies
# Smart timing patterns
scan_timing = {
'burst_during_finds': True, # Amplify when finding results
'background_masking': True, # Constant low-level noise
'random_delays': True, # Unpredictable intervals
'distributed_sources': True # Multiple DNS reflectors
}
Tool Integration Details
Nmap Integration
# Supported Nmap features
- All scan types: -sS, -sT, -sU, -sA, -sW, -sM
- Port specifications: -p 22,80,443 or -p 1-65535
- Service detection: -sV, -sC, --script
- OS detection: -O, -A
- Timing controls: -T0 through -T5
- Output formats: -oN, -oX, -oG, -oA
# Auto-applied stealth settings
--scan-delay 100ms # Minimum packet delay
-T2 # Polite timing template
--max-rate 50 # Max 50 packets/sec
Hydra Integration
# Supported services
ssh, ftp, http-get, http-post-form, https-get, telnet,
smtp, pop3, imap, rdp, vnc, mysql, postgres, oracle,
mssql, mongodb, redis, snmp, ldap, smb
# Stealth optimizations
-t 1 # Single thread mode
-W 30 # 30 seconds between attempts
-f # Exit after first successful login
-v # Verbose output for monitoring
Dirsearch Integration
# Key features enabled
- Recursive directory scanning
- Custom wordlists and extensions
- Random User-Agent rotation
- Response filtering and exclusions
- Rate limiting and delays
- HTTP/HTTPS support with custom ports
# Performance settings
--delay 2 # 2 seconds between requests
--timeout 10 # 10 second timeout
--max-rate 10 # Maximum 10 requests/second
--threads 5 # 5 concurrent threads maximum
Troubleshooting
Common Issues
# "Permission denied" when sending packets
Solution: Run with sudo privileges
sudo python3 masquerade.py ...
# "No vulnerable DNS servers found"
Solution: Run vacuum.py first to find amplifiers
sudo python3 vacuum.py --output dns_report.json
# "Tool not found" errors
Solution: Install missing tools
sudo apt-get install nmap hydra
pip3 install dirsearch
# Low amplification effectiveness
Solution: Use --intensity extreme and more DNS servers
python3 vacuum.py --timeout 10 --threads 100
Performance Tuning
# For high-performance environments
--intensity extreme # Maximum threads and rate
--threads 100 # More DNS discovery threads (vacuum.py)
--timeout 3 # Faster DNS timeouts
# For stealth environments
--intensity light # Minimal footprint
--scan-delay 500 # Longer delays between packets
--max-rate 5 # Very low packet rate
Debugging
# Trace module imports (python3 -v is Python's import-trace switch, not an application verbosity flag)
export PYTHONPATH="${PYTHONPATH}:."
python3 -v masquerade.py ...
# Check log files
tail -f masquerade.log
tail -f /var/log/syslog # System-level networking
# Test amplification manually. Name only a host you own: the reflected
# responses are a flood against whatever address you put here.
sudo python3 masquerade.py --dns-report dns_report.json amplify \
--target <host-you-own> --intensity light --duration 60
Contributing
We welcome contributions! Please follow these guidelines:
Development Setup
# Fork and clone
git clone https://github.com/toxy4ny/vacuum_and_masquerade.git
cd vacuum_and_masquerade
# Create development environment
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
# Install development dependencies
pip3 install pytest black flake8 mypy
Code Standards
# Before submitting PR, run:
black masquerade.py # Code formatting
flake8 masquerade.py # Linting
mypy masquerade.py # Type checking
pytest tests/ # Unit tests
Contribution Areas
- Tool Integration: Add support for new security tools
- Detection Methods: Improve DNS server discovery
- Performance: Optimize amplification algorithms
- Evasion: Enhance stealth techniques
- Documentation: Improve guides and examples
- Testing: Add unit tests and integration tests
Legal Notice
Important Legal Information
DISCLAIMER: This tool is designed for authorized penetration testing,
security research, and educational purposes only.
AUTHORIZED USE:
- Your own systems and networks
- Systems with explicit written permission
- Authorized penetration testing engagements
- Educational labs and training environments
UNAUTHORIZED USE:
- Any system without explicit permission
- Infrastructure you do not own or control
- Networks without proper authorization
- Any illegal or malicious activities
RESPONSIBILITY:
Users are solely responsible for ensuring compliance with all
applicable laws, regulations, and policies in their jurisdiction.
Compliance Guidelines
- Always obtain written authorization before testing any system
- Authorization from the target's owner does not extend to the open resolvers used as reflectors or to the networks carrying the spoofed queries; from their side the amplified traffic is a denial-of-service flood involving third parties that are outside the engagement's scope
- Document all testing activities and maintain audit trails
- Respect scope and time limitations of authorized testing
- Stop immediately if any unintended impact occurs
- Report findings responsibly through proper channels
Legal Considerations by Region
- United States: Computer Fraud and Abuse Act (CFAA)
- European Union: Directive 2013/40/EU on attacks against information systems, as implemented in national law; GDPR governs any personal data handled during testing, not the intrusion itself
- United Kingdom: Computer Misuse Act 1990
- Australia: Criminal Code Act 1995 (Part 10.7, computer offences) and the Telecommunications Act 1997
- Other regions: Consult local cybersecurity and computer crime laws
License
This project is licensed under the MIT License - see the LICENSE file for details.
MIT License - Key Points:
- Commercial use allowed
- Modification allowed
- Distribution allowed
- Private use allowed
- Limitation of liability
- No warranty provided
DNS Amplification Scanner & Masker - Advanced Penetration Testing Framework
Made with ❤️ by the Security Research Community
"In the art of war, stealth is the ultimate weapon"
Top comments (8)
Appreciate this one... the topic aligns with a lot of where my head's at lately, especially around using what's already loud or trusted as cover. Different vector than what I've been working on, but the mindset overlaps.
Also respect the creative approach... there's something artistic about finding ways to blend into the mess and flip it to your advantage.
Tell me about your thoughts. It would be interesting to see your perspective on this issue.
To be blunt: a lot of the so-called OPSEC "best practices" are not just outdated, they're actively dangerous for anyone who actually cares about real-world stealth. The "VPN over Tor" advice gets tossed around everywhere as if it's gospel, but in practice it can backfire. If you're the only one in a noisy environment adding a VPN in front of Tor, your traffic immediately becomes the outlier. People think extra layers equal extra stealth, but the reality is that abnormal patterns are exactly what gets you flagged. Stealth isn't about piling on tools; it's about blending in so well that nobody even remembers you were there.
I don't buy for a second that this is the final word... OPSEC is a moving target, and what's smart today can burn you tomorrow. But as it stands right now, this is one of the most important lessons people are missing. If that's unpopular, so be it. I'd rather be real about what I'm seeing than play it safe and regurgitate the same old checklist.
I think the infosec community needs more people willing to question the status quo instead of just following it blindly.
I completely agree with your last thesis! You are absolutely right, there is no real security and anonymity. The only option to remain under the protection of the shadows is to create tools that will behave absolutely legitimately. For example, you can use the attack vector of shellcode injections in DNS and traffic. I'm currently writing a program that will massage my own traffic into empty DNS TXT records. Since DNS packets are rarely blocked, they travel on almost any network and do not require authorization. Add to that: 64 kB of payload in each UDP packet is a dream come true for a steganographer. Caching: requests are easily disguised as "simple" authorization to subdomains. The complexity of the inspection: byte-by-byte parsing of DNS names consumes resources, and NextGen firewalls often look past it. To me, it's an interesting way to disguise yourself in plain sight.
I'd honestly suggest we collaborate, but I feel like you're probably way beyond my level in a lot of areas. I'm still learning as I go, and a lot of what I build is just me experimenting and seeing what breaks (or works). I'm not always sure what value I bring compared to your experience, but I do have a bunch of frameworks and payload delivery ideas focused on automation, mutation, and "blending in" instead of just hiding.
Either way, if you ever want to test new approaches or bounce ideas off someone coming from a different background, I'm all in. Either way, I respect your style.
I see no obstacles to our collaboration, I am always open to new ideas, solutions, thoughts. You are greatly exaggerating my knowledge)), but thank you for your high assessment. I am also constantly learning and learning something new, and I believe that any professional should learn constantly. Therefore, I would be honored to cooperate with you in your developments and ideas. I'll do what I can to help. I adhere to the old hacker codex of hackers from MIT, that all knowledge should be available to any user who needs it.
Got a spot you prefer for sharing ideas? I can plug in wherever. We can stay right here in your comments, but I would like to be able to talk more freely... it's up to you.
I put asterisks on your repositories in github. We can communicate there or we can correspond at the e-mail address toxy4ny@gtfcy37qyzor7kb6blz2buwuu5...