Purple Shiva Tools Docs

Reconnaissance

• arpscan → Scan active hosts on the local network
• arpspoof mitm → ARP spoofing for Man-in-the-Middle attacks
• pingsweep → ICMP ping sweep to map live hosts
• portscan → Discover open ports on target systems
• smbenum → Enumerate SMB shares and services
• vulnservices → Identify vulnerable services on discovered hosts

Denial of Service (DoS)

• arppoison → ARP cache poisoning attack
• dhcpstarvation → Exhaust DHCP pool to deny IP allocation
• dnsflood → Flood a DNS server with requests

Other Features

• Search → Search for tools by name in an interactive shell
• Manual → Detailed manual for all tools included
• Terminal Mode → Run tools directly from the Linux shell

Cloning the repository:

git clone --branch alpha https://github.com/PurpleShivaTeam/purpleshivatools.git

Accessing the files main directory:

cd /purpleshivatools/src/alpha/v0_3/

Installing the requirements:

pip install -r requirements.txt --break-system-packages

Running the toolkit:

python3 bootstrap.py

Python Version: 3.13.2 (required)

Before using Purple Shiva Tools, ensure the following modules are installed:

• scapy - For network scanning and crafting packets.
• reportlab - To generate PDF reports of results or logs.
• setuptools - Standard Python packaging tool for managing dependencies.
• pyperclip - Enables copying text to the clipboard.
• paramiko - Handles SSH connections for remote network testing.
• rich ≥13.0.0 - Enhances console output with colors, tables, and formatting.
• ipaddress - Utilities to manipulate and validate IP addresses.
• keyboard - Allows interactive keyboard input for tools.

Note: All of these modules are standard Python libraries used for networking, reporting, and usability. They do not contain malware and are safe to install from PyPI.

DNS Basics

The Domain Name System (DNS) maps domain names (e.g. example.com) to IP addresses (e.g. 93.184.216.34). DNS servers receive queries and return responses; some query types (for example ANY or TXT) often produce much larger responses than a simple A record request.

Two properties are important for understanding amplification attacks:

• Response size: Some queries yield much larger payloads (more bytes).
• Caching: If a server has the answer cached it won't generate extra upstream traffic — cache-busting (random subdomains) forces fresh responses.

DNS Flood Tool

This tool is an educational simulator that sends many DNS queries to configured servers. It supports

• amplification techniques (use of ANY/TXT and larger-response domains),
• random subdomains to bypass caching, and
• optional IP spoofing (root required) where the tool forges source IPs.

How the spoofing option works (LAN-focused)

When --spoof TARGET_IP is enabled the tool attempts to forge source IPs that look like they're from the same local networks (LAN subnets) related to the DNS servers you target. It does this because:

• Practicality: Responses are more likely to be routed/accepted if the source IP is plausible for that network segment.
• Realistic simulation: Using LAN subnets simulates attackers who forge addresses within victim/neighbor ranges.

Implementation notes (what the code does):

• The tool derives common LAN subnets from the DNS server IPs (e.g. 192.168.x.0/24, 10.0.0.0/8, 172.16.0.0/12).
• It randomly generates source IPs inside those subnets and uses them when building spoofed IP/UDP packets.
• This is a simulation mechanism and still requires raw sockets (root) to send forged IP packets.

What "amplification" actually affects

“Amplification” here refers to the ratio between response size and request size — i.e., how many bytes the server returns for each query. Important clarifications:

• Amplification increases bandwidth (bytes/sec): If a single query generates a 2,000-byte reply instead of a 60-byte reply, the victim receives far more traffic in bytes even if the number of packets is similar.
• Packet count vs bytes: amplification often increases the average response size (bytes), not necessarily the number of UDP packets per response. A few large responses can saturate bandwidth as effectively (or more) than many small packets.
• Cache-busting increases responses: Using random subdomains causes the DNS server to perform a fresh resolution and return a response instead of replying from cache — that increases the *number* of responses the server sends (and therefore to the victim when spoofing), multiplying the bandwidth effect further.

How it works (step-by-step)

1. Select one or more DNS servers as targets.
2. Generate query domain (optionally random subdomain + known large-response domain).
3. Choose query type (A, TXT, ANY) — weighted selection used for greater amplification when enabled.
4. Create DNS query packet and send it (either normal UDP or raw spoofed packet if --spoof is used).
5. Track progress (packets sent, failures) and periodically update the progress display.

Parameters

• dns_servers: List of target DNS server IPs (e.g., 192.168.0.1 192.168.0.2).
• -d, --duration: Duration in seconds (default: 120).
• -r, --rate: Queries per second per thread (default: 1000).
• -t, --threads: Number of worker threads (default: 10).
• --no-amplification: Disable amplification (only A queries).
• --spoof TARGET_IP: Enable source IP spoofing simulation (requires root). Spoofed source IPs are generated within LAN subnets derived from the target DNS server addresses.
• --no-any: Disable ANY queries.
• --no-txt: Disable TXT queries.
• --no-random: Disable random subdomains (use fixed domains).
• -v, --verbose: Show debugging information.
• -s, --silent: Minimal output (progress suppressed).

Example command:

python3 dnsflood.py 192.168.0.1 192.168.0.2 -d 60 -r 1000 -t 10 --verbose