
Python scapy : dump DNS packets

Reference
http://danmcinerney.org/reliable-dns-spoofing-with-python-scapy-nfqueue/

I installed the latest scapy from the source.
Alternatively, you can install scapy via apt-get by running apt-get install python-scapy.
root@ubuntu:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"


# unzip scapy-2.3.1.zip
# cd scapy-2.3.1/
# python setup.py install


Here is an example of how to dump DNS packets. Sniffing needs raw-socket privileges, which is why the commands below are run as root.

# cat sniff_udp53.py
#!/usr/bin/env python

from scapy.all import *

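def callback(pkt):
    """Dump the UDP layer (and the DNS it carries) of one sniffed packet.

    Used as the ``prn`` hook of ``sniff``. ``Packet.show()`` prints the
    dissection to stdout itself, and the hook returns ``None`` so that
    ``sniff`` (which prints any non-``None`` hook result) adds nothing.
    """
    # sniff() is already restricted to "udp port 53" by its BPF filter, so
    # this test is only a cheap safety net if the script is reused with a
    # different filter.
    if pkt.haslayer(UDP):
        # pkt.summary() would give a one-line view and pkt.show() the whole
        # Ether/IP/UDP/DNS stack; starting at pkt[UDP] skips the L2/L3 headers.
        pkt[UDP].show()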

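if __name__ == '__main__':
    import sys

    # The capture interface defaults to eth0 but can be overridden on the
    # command line, e.g. "python sniff_udp53.py wlan0".
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    # filter: BPF expression, DNS over UDP in both directions.
    # store=0: packets are handed to callback() and then dropped, so a
    # long-running capture does not grow in memory.
    sniff(filter="udp port 53", prn=callback, store=0, iface=iface)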

# dig @8.8.8.8 www.google.com

You can see DNS requests and responses.
# python sniff_udp53.py
WARNING: No route found for IPv6 destination :: (no default route?)
###[ UDP ]###
 sport     = 55499
 dport     = domain
 len       = 51
 chksum    = 0x4b02
###[ DNS ]###
    id        = 21379
    qr        = 0L
    opcode    = QUERY
    aa        = 0L
    tc        = 0L
    rd        = 1L
    ra        = 0L
    z         = 0L
    ad        = 1L
    cd        = 0L
    rcode     = ok
    qdcount   = 1
    ancount   = 0
    nscount   = 0
    arcount   = 1
    \qd        \
     |###[ DNS Question Record ]###
     |  qname     = 'www.google.com.'
     |  qtype     = A
     |  qclass    = IN
    an        = None
    ns        = None
    \ar        \
     |###[ DNS OPT Resource Record ]###
     |  rrname    = '.'
     |  type      = OPT
     |  rclass    = 4096
     |  extrcode  = 0
     |  version   = 0
     |  z         = 0L
     |  rdlen     = 0
     |  \rdata     \
###[ UDP ]###
 sport     = domain
 dport     = 55499
 len       = 131
 chksum    = 0x643e
###[ DNS ]###
    id        = 21379
    qr        = 1L
    opcode    = QUERY
    aa        = 0L
    tc        = 0L
    rd        = 1L
    ra        = 1L

Dump only DNS requests:
# cat sniff_DNS_requests.py
#!/usr/bin/env python

from scapy.all import *

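def callback(pkt):
    """Dump the UDP layer of DNS *requests* only (destination port 53).

    Used as the ``prn`` hook of ``sniff``. ``Packet.show()`` prints the
    dissection to stdout itself, and the hook returns ``None`` so that
    ``sniff`` (which prints any non-``None`` hook result) adds nothing.
    """
    # The BPF filter "udp port 53" also matches responses (sport 53);
    # testing dport keeps only the queries sent to a resolver.
    if pkt.dport == 53:
        # pkt.summary() would give a one-line view and pkt.show() the whole
        # Ether/IP/UDP/DNS stack; starting at pkt[UDP] skips the L2/L3 headers.
        pkt[UDP].show()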

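if __name__ == '__main__':
    import sys

    # The capture interface defaults to eth0 but can be overridden on the
    # command line, e.g. "python sniff_DNS_requests.py wlan0".
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    # filter: BPF expression, DNS over UDP in both directions.
    # store=0: packets are handed to callback() and then dropped, so a
    # long-running capture does not grow in memory.
    sniff(filter="udp port 53", prn=callback, store=0, iface=iface)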

If you replace pkt.dport == 53 with pkt.sport == 53, you can see only DNS responses.
# cat sniff_DNS_responses.py
#!/usr/bin/env python

from scapy.all import *

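def callback(pkt):
    """Dump the UDP layer of DNS *responses* only (source port 53).

    Used as the ``prn`` hook of ``sniff``. ``Packet.show()`` prints the
    dissection to stdout itself, and the hook returns ``None`` so that
    ``sniff`` (which prints any non-``None`` hook result) adds nothing.
    """
    # Responses come back from the resolver's port 53; requests (dport 53)
    # are skipped. The port is used rather than haslayer(DNSQR) because the
    # question record alone does not tell requests and responses apart.
    if pkt.sport == 53:
        # pkt.summary() would give a one-line view and pkt.show() the whole
        # Ether/IP/UDP/DNS stack; starting at pkt[UDP] skips the L2/L3 headers.
        pkt[UDP].show()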

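if __name__ == '__main__':
    import sys

    # The capture interface defaults to eth0 but can be overridden on the
    # command line, e.g. "python sniff_DNS_responses.py wlan0".
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    # filter: BPF expression, DNS over UDP in both directions.
    # store=0: packets are handed to callback() and then dropped, so a
    # long-running capture does not grow in memory.
    sniff(filter="udp port 53", prn=callback, store=0, iface=iface)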

You can dump only the DNS layer if you change

from
return pkt[UDP].show()

to
return pkt[DNS].show()

Dump only the qname:
# grep -v '#' sniff_DNS_requests.py

from scapy.all import *

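def callback(pkt):
    """Return the queried name of a DNS request, or ``None`` to print nothing.

    Used as the ``prn`` hook of ``sniff``, which prints whatever the hook
    returns unless it is ``None``; so only the qname of each request reaches
    stdout.
    """
    # Only queries sent to a resolver; responses (sport 53) are ignored.
    if pkt.dport != 53:
        return None
    # The BPF filter only guarantees "UDP to/from port 53". A malformed or
    # truncated payload may not dissect as DNS, and a DNS header with
    # qdcount == 0 leaves qd empty; either would raise out of this hook and
    # abort the whole capture, which a single crafted packet from the network
    # could trigger. Skip such packets instead of crashing the sniffer.
    if not pkt.haslayer(DNS) or pkt[DNS].qd is None:
        return None
    return pkt[DNS].qd.qname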

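if __name__ == '__main__':
    import sys

    # The capture interface defaults to eth0 but can be overridden on the
    # command line, e.g. "./sniff_DNS_requests.py wlan0".
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    # filter: BPF expression, DNS over UDP in both directions.
    # store=0: packets are handed to callback() and then dropped, so a
    # long-running capture does not grow in memory.
    sniff(filter="udp port 53", prn=callback, store=0, iface=iface)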


# ./sniff_DNS_requests.py
WARNING: No route found for IPv6 destination :: (no default route?)
www.google.com.
www.google.co.jp.
