@jiva

jiva/dns_cap.py Secret

Created Aug 26, 2014
Capture DNS traffic using dns_client.py - for VERT interview - by jiva
#!/usr/bin/env python
# dns_cap.py for VERT interview
# by jiva
#
# CHALLENGE NOTES
# - Build a tool that will capture dns packets. [dns_cap.py]
# - MUST dump the answer to an 'A' type query in a human readable format
# - MUST identify the source and destination systems of all queries
# - MUST report the query type of all queries
# - MUST use a python pcap library.
#
# REFERENCES
# - http://www.secdev.org/projects/scapy/files/scapydoc.pdf
#
# TIME TO IMPLEMENT THINGS
# - Few hours. Mostly spent checking out Scapy's documentation.
#
# OTHER NOTES
# - Below are sample outputs of dns_cap.py for each query sent with dns_client.py
# - Scapy is awesome, therefore, I felt kinda cheap using its awesomeness for this challenge.
#   Needless to say, if I had to actually do the heavy-lifting, I would have used something like python-dpkt.
from scapy.all import *
rrtypes = {1: 'A', 2: 'NS', 12: 'PTR', 28: 'AAAA', 33: 'SRV', 99: 'SPF', 16: 'TXT', 6: 'SOA', 252: 'AXFR', 15: 'MX', 17: 'RP', 5: 'CNAME'}
def parse(pkt):
    # Only packets carrying a DNS layer are interesting; everything else is ignored
    if pkt.haslayer('DNS'):
        # Get interesting layers from pkt (fall back to IPv6 so a v6 query does not raise)
        ip = pkt.getlayer('IP') or pkt.getlayer('IPv6')
        dns = pkt.getlayer('DNS')
        # Check if query or response (QR bit of the DNS header)
        if dns.qr == 0:
            print '[*] DNS query captured (%s -> %s) [%s] | Type: %s | Name: %s' % (ip.src, ip.dst, dns.id, rrtypes[dns.qd.qtype] if dns.qd.qtype in rrtypes else dns.qd.qtype, dns.qd.qname)
        elif dns.qr == 1:
            # Walk every answer RR; dns.an[i] is the i-th DNSRR layer in the answer chain
            for i in xrange(dns.ancount):
                vals = (ip.src, ip.dst, dns.id, rrtypes[dns.an[i].type] if dns.an[i].type in rrtypes else dns.an[i].type, dns.an[i].rrname, dns.an[i].ttl, dns.an[i].rdata)
                print '[*] DNS answer captured (%s -> %s) [%s] | Type: %s | Name: %s | TTL: %s | RDATA: %s' % vals
def main():
    # Start sniffing. Packet handling done in real time by parse()
    sniff(iface='wlan0', prn=parse)
if __name__ == '__main__':
    main()
'''
python dns_client.py jiva.io A
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: A | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: A | Name: jiva.io. | TTL: 299 | RDATA: 204.232.175.78
python dns_client.py google.com AAAA
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: AAAA | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: AAAA | Name: google.com. | TTL: 299 | RDATA: 2607:f8b0:4002:c06::8a
python dns_client.py google.com NS
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: NS | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns2.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns1.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns3.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns4.google.com.
python dns_client.py jiva.io PTR
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: PTR | Name: jiva.io.
python dns_client.py jiva.io TXT
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: TXT | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 299 | RDATA: Dgoogle-site-verification=EjXoF3FENLMLEdh3943f_KuAtYTTADxPqL5C42u0NdU
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 3599 | RDATA: #v=spf1 include:_spf.google.com ~all
python dns_client.py tripwire.com SPF
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SPF | Name: tripwire.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SPF | Name: tripwire.com. | TTL: 1573 | RDATA: v=spf1 include:spf.messaging.microsoft.com include:mktomail.com include:mailgun.org ip4:76.247.119.150 ip4:76.247.119.164 ip4:174.47.84.215 ip4:69.80.198.8 ip4:64.112.227.240 ip4:69.80.198.126 -all
python dns_client.py _sip._tls.franklin.uga.edu SRV
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu. | TTL: 21131 | RDATA: dsipdironlinelynccom
python dns_client.py cs.uga.edu axfr
not able to test at the moment
'''
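The gist leaves the wire-format decoding to Scapy; as an added example, not part of jiva's gist, here is a minimal RFC 1035 parser for the header, question and answer sections of a captured DNS message, with label-compression handling and a hop bound so a malformed pointer loop cannot hang a sniffer. It assumes Python 3 and the constructed response bytes at the bottom (not real captures); the RRTYPES table and the function names are this example's own.

```python
import socket
import struct
RRTYPES = {1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 12: 'PTR', 15: 'MX', 16: 'TXT', 28: 'AAAA', 33: 'SRV', 99: 'SPF'}

def read_name(msg, off):
    # Decode the name at msg[off] (RFC 1035 4.1.4 compression); returns (name, offset past it in the stream).
    labels, end = [], None
    for _ in range(256):                                # bounded hops: a pointer loop must not hang the sniffer
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: 14-bit pointer to an earlier name
            end = off + 2 if end is None else end       # caller resumes right after the first pointer
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:                               # root label terminates the name
            return '.'.join(labels) + '.', end if end is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + length].decode('ascii'))
            off += 1 + length
    raise ValueError('compression pointer loop')

def parse_dns(msg):
    # Header, question and answer sections (RFC 1035 4.1); authority/additional are not walked.
    txid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, off = struct.unpack('!H', msg[off:off + 2])[0], off + 4   # skip QTYPE + QCLASS
        questions.append((name, RRTYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        rdata = raw = msg[off:off + rdlen]              # unknown types are reported as raw bytes
        if rtype in (1, 28):                            # A / AAAA: packed address
            rdata = socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, raw)
        elif rtype in (2, 5, 12):                       # NS / CNAME / PTR: a name, itself compressible
            rdata = read_name(msg, off)[0]
        elif rtype in (16, 99):                         # TXT / SPF: <len><chars>...; length octets dropped
            rdata, i = [], 0
            while i < len(raw):
                rdata.append(raw[i + 1:i + 1 + raw[i]].decode('ascii'))
                i += 1 + raw[i]
        answers.append((name, RRTYPES.get(rtype, rtype), ttl, rdata))
        off += rdlen
    return {'id': txid, 'qr': flags >> 15, 'questions': questions, 'answers': answers}

# Constructed responses (not real captures): id 17994, answer name compressed to pointer 0xC00C.
RESP_A = (b'\x46\x4a\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00' b'\x04jiva\x02io\x00\x00\x01\x00\x01'
          b'\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2b\x00\x04\xcc\xe8\xaf\x4e')
RESP_TXT = (b'\x46\x4a\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00' b'\x04jiva\x02io\x00\x00\x10\x00\x01'
            b'\xc0\x0c\x00\x10\x00\x01\x00\x00\x0e\x0f\x00\x24' b'\x23v=spf1 include:_spf.google.com ~all')
```

The sample output above shows what raw TXT RDATA looks like when the leading length octet is not stripped: the 'D' before google-site-verification and the '#' before v=spf1 are the length bytes 0x44 (68) and 0x23 (35), which the TXT branch here removes.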