lost and found ( for me ? )

generate DNS queries with python scapy

small tips

root@ubuntu:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 13.04"

root@ubuntu:~# uname -ri
3.8.0-25-generic x86_64
root@ubuntu:~#

# apt-get install python-scapy

With scapy, you can generate a wide variety of packets.

# cat -n dns_send_quereis.py
    1
    2
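#!/usr/bin/env python
"""Send a burst of DNS A queries for random subdomains of ``domain`` with scapy.

Each query asks for ``<1-10 random lower-case characters>.<domain>``, is sent
from SRC_IP to DST_IP with a random UDP source port and a fixed transaction
id, and sr() waits for the resolver's reply.  The answered/unanswered lists
that sr() returns are collected in ``results`` instead of being overwritten
and thrown away on every iteration.
"""
from scapy.all import *

# Values that were hard-coded inline on the page, gathered in one place.
domain = "foo.bar"
SRC_IP = "192.168.11.5"   # must be this host's own address: sr() can only
                          # see replies that are delivered to this host
DST_IP = "192.168.11.1"   # resolver under test
COUNT = 10                # number of queries to send
DNS_ID = 1000             # constant transaction id; shows up as 0x03e8 on
                          # every query in the capture below


def random_label(max_len=10):
    """Return one random lower-case label of 1..max_len characters.

    RandString is a lazy value; str() fixes it so the same string is used
    wherever the label is needed.
    """
    return str(RandString(RandNum(1, max_len))).lower()


def build_query(name, txid=DNS_ID):
    """Return an IP/UDP/DNS packet asking for the A record of ``name``."""
    return (IP(src=SRC_IP, dst=DST_IP)
            / UDP(sport=RandShort())
            / DNS(id=txid, rd=1, qd=DNSQR(qname=name)))


results = []
for _ in range(COUNT):
    qname = random_label() + "." + domain
    # No timeout is given, as on the page: if DST_IP never answers, sr()
    # blocks here.  Pass timeout=<seconds> to sr() if that matters.
    answered, unanswered = sr(build_query(qname))
    results.append((qname, answered, unanswered))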

The following is the capture taken while those DNS queries were being generated.
# tshark -r aa.pcap -R '(ip.dst==192.168.11.1)'
 1 0.000000000 192.168.11.5 -> 192.168.11.1 DNS 78 Standard query 0x03e8  A t1kf9c2sb8.foo.bar
 3 0.048929000 192.168.11.5 -> 192.168.11.1 DNS 74 Standard query 0x03e8  A p5hpfp.foo.bar
 5 0.201269000 192.168.11.5 -> 192.168.11.1 DNS 78 Standard query 0x03e8  A 3icf8bavow.foo.bar
 7 0.270188000 192.168.11.5 -> 192.168.11.1 DNS 76 Standard query 0x03e8  A ajjpm3s9.foo.bar
 9 0.307058000 192.168.11.5 -> 192.168.11.1 DNS 71 Standard query 0x03e8  A ljs.foo.bar
11 0.404297000 192.168.11.5 -> 192.168.11.1 DNS 76 Standard query 0x03e8  A brqoaf8p.foo.bar
13 0.461205000 192.168.11.5 -> 192.168.11.1 DNS 74 Standard query 0x03e8  A xtr5js.foo.bar



send malformed DNS queries
# cat -n dns_send_quereis_02.py
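#!/usr/bin/env python
"""Send DNS queries whose header is deliberately inconsistent with the body.

Same random-subdomain loop as the first script, but the DNS header sets the
tc/ra/z bits and claims one record in every section (qdcount..arcount) while
only the question is actually present.  The decode on the page shows how a
capture tool reads the result: flags 0x0390 and "Answer/Authority/Additional
RRs: 1" with no such records in the packet.
"""
from scapy.all import *

domain = "foo.bar"
SRC_IP = "192.168.11.5"   # must be this host's own address for sr() to see replies
DST_IP = "192.168.11.1"   # resolver under test
COUNT = 10                # number of queries to send

# Header fields exactly as on the page.  The explicit section counts replace
# the ones scapy would otherwise derive from qd/an/ns/ar, which is what makes
# the packet malformed.
# NOTE(review): the capture shows the bit the decoder labels "Non-authenticated
# data" set rather than Z, so scapy's ``z`` field in this release apparently
# spans more than the single reserved bit -- confirm for your scapy version.
MALFORMED_HEADER = dict(id=1, rd=1, tc=1, ra=1, z=1,
                        qdcount=1, ancount=1, nscount=1, arcount=1)


def random_label(max_len=10):
    """Return one random lower-case label of 1..max_len characters."""
    # RandString is lazy; str() fixes a single value.
    return str(RandString(RandNum(1, max_len))).lower()


def build_malformed_query(name):
    """Return an IP/UDP/DNS packet for ``name`` carrying MALFORMED_HEADER."""
    question = DNSQR(qname=name, qtype="A", qclass="IN")
    return (IP(src=SRC_IP, dst=DST_IP)
            / UDP(sport=RandShort())
            / DNS(qd=question, **MALFORMED_HEADER))


results = []
for _ in range(COUNT):
    qname = random_label() + "." + domain
    # As on the page, no timeout: sr() blocks if DST_IP drops the query
    # without answering.  Pass timeout=<seconds> to sr() if that matters.
    answered, unanswered = sr(build_malformed_query(qname))
    results.append((qname, answered, unanswered))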

Decoded capture data for one of these queries:
Domain Name System (query)
   Transaction ID: 0x0001
   Flags: 0x0390 Standard query
       0... .... .... .... = Response: Message is a query
       .000 0... .... .... = Opcode: Standard query (0)
       .... ..1. .... .... = Truncated: Message is truncated
       .... ...1 .... .... = Recursion desired: Do query recursively
       .... .... .0.. .... = Z: reserved (0)
       .... .... ...1 .... = Non-authenticated data: Acceptable
   Questions: 1
   Answer RRs: 1
   Authority RRs: 1
   Additional RRs: 1
   Queries
       50ese2.foo.bar: type A, class IN
           Name: 50ese2.foo.bar
           Type: A (Host address)
           Class: IN (0x0001)
