jiva/dns_cap.py

## dns_cap.py
#!/usr/bin/env python

# dns_cap.py for VERT interview
#   by jiva
#
# CHALLENGE NOTES
# - Build a tool that will capture dns packets. [dns_cap.py]
#     - MUST dump the answer to an 'A' type query in a human readable format
#     - MUST identify the source and destination systems of all queries
#     - MUST report the query type of all queries
#     - MUST use a python pcap library.
#
# REFERENCES
#   -http://www.secdev.org/projects/scapy/files/scapydoc.pdf
#
# TIME TO IMPLEMENT THINGS
#   -Few hours. Mostly spent checking out Scapy's documentation.
#
# OTHER NOTES
#   -Below are sample outputs of dns_cap.py for each query sent with dns_client.py
#   -Scapy is awesome, therefore, I felt kinda cheap using it's awesomeness for this challenge.
#       Needless to say, if I had to actually do the heavy-lifting, I would have used something like python-dpkt.

from scapy.all import *

rrtypes = {1: 'A', 2: 'NS', 12: 'PTR', 28: 'AAAA', 33: 'SRV', 99: 'SPF', 16: 'TXT', 6: 'SOA', 252: 'AXFR', 15: 'MX', 17: 'RP', 5: 'CNAME'}

def parse(pkt):
    if pkt.haslayer('DNS'):
        # Get interesting layers from pkt
        ip = pkt.getlayer('IP')
        dns = pkt.getlayer('DNS')

        # Check if query or response
        if dns.qr == 0:
            print '[*] DNS query captured (%s -> %s) [%s] | Type: %s | Name: %s' % (ip.src, ip.dst, dns.id, rrtypes[dns.qd.qtype] if dns.qd.qtype in rrtypes else dns.qd.qtype, dns.qd.qname)
        elif dns.qr == 1:
            for i in xrange(dns.ancount):
                vals = (ip.src, ip.dst, dns.id, rrtypes[dns.an[i].type] if dns.an[i].type in rrtypes else dns.an[i].type, dns.an[i].rrname, dns.an[i].ttl, dns.an[i].rdata)
                print '[*] DNS answer captured (%s -> %s) [%s] | Type: %s | Name: %s | TTL: %s | RDATA: %s' % vals

def main():
    # Start sniffing. Packet handling done in real time by parse()
    sniff(iface='wlan0', prn=parse)

if __name__ == '__main__':
    main()


'''
python dns_client.py jiva.io A
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: A | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: A | Name: jiva.io. | TTL: 299 | RDATA: 204.232.175.78


python dns_client.py google.com AAAA
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: AAAA | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: AAAA | Name: google.com. | TTL: 299 | RDATA: 2607:f8b0:4002:c06::8a


python dns_client.py google.com NS
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: NS | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns2.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns1.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns3.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns4.google.com.


python dns_client.py jiva.io PTR
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: PTR | Name: jiva.io.


python dns_client.py jiva.io TXT
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: TXT | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 299 | RDATA: Dgoogle-site-verification=EjXoF3FENLMLEdh3943f_KuAtYTTADxPqL5C42u0NdU
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 3599 | RDATA: #v=spf1 include:_spf.google.com ~all


python dns_client.py tripwire.com SPF
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SPF | Name: tripwire.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SPF | Name: tripwire.com. | TTL: 1573 | RDATA: v=spf1 include:spf.messaging.microsoft.com include:mktomail.com include:mailgun.org ip4:76.247.119.150 ip4:76.247.119.164 ip4:174.47.84.215 ip4:69.80.198.8 ip4:64.112.227.240 ip4:69.80.198.126 -all


python dns_client.py _sip._tls.franklin.uga.edu SRV
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu. | TTL: 21131 | RDATA: dsipdironlinelynccom


python dns_client.py cs.uga.edu axfr
not able to test at the moment

'''
	#!/usr/bin/env python

	# dns_cap.py for VERT interview
	# by jiva
	#
	# CHALLENGE NOTES
	# - Build a tool that will capture dns packets. [dns_cap.py]
	# - MUST dump the answer to an 'A' type query in a human readable format
	# - MUST identify the source and destination systems of all queries
	# - MUST report the query type of all queries
	# - MUST use a python pcap library.
	#
	# REFERENCES
	# -http://www.secdev.org/projects/scapy/files/scapydoc.pdf
	#
	# TIME TO IMPLEMENT THINGS
	# -Few hours. Mostly spent checking out Scapy's documentation.
	#
	# OTHER NOTES
	# -Below are sample outputs of dns_cap.py for each query sent with dns_client.py
	# -Scapy is awesome, therefore, I felt kinda cheap using it's awesomeness for this challenge.
	# Needless to say, if I had to actually do the heavy-lifting, I would have used something like python-dpkt.

	from scapy.all import *

	rrtypes = {1: 'A', 2: 'NS', 12: 'PTR', 28: 'AAAA', 33: 'SRV', 99: 'SPF', 16: 'TXT', 6: 'SOA', 252: 'AXFR', 15: 'MX', 17: 'RP', 5: 'CNAME'}

	def parse(pkt):
	if pkt.haslayer('DNS'):
	# Get interesting layers from pkt
	ip = pkt.getlayer('IP')
	dns = pkt.getlayer('DNS')

	# Check if query or response
	if dns.qr == 0:
	print '[*] DNS query captured (%s -> %s) [%s] \| Type: %s \| Name: %s' % (ip.src, ip.dst, dns.id, rrtypes[dns.qd.qtype] if dns.qd.qtype in rrtypes else dns.qd.qtype, dns.qd.qname)
	elif dns.qr == 1:
	for i in xrange(dns.ancount):
	vals = (ip.src, ip.dst, dns.id, rrtypes[dns.an[i].type] if dns.an[i].type in rrtypes else dns.an[i].type, dns.an[i].rrname, dns.an[i].ttl, dns.an[i].rdata)
	print '[*] DNS answer captured (%s -> %s) [%s] \| Type: %s \| Name: %s \| TTL: %s \| RDATA: %s' % vals

	def main():
	# Start sniffing. Packet handling done in real time by parse()
	sniff(iface='wlan0', prn=parse)

	if __name__ == '__main__':
	main()


	'''
	python dns_client.py jiva.io A
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: A \| Name: jiva.io.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: A \| Name: jiva.io. \| TTL: 299 \| RDATA: 204.232.175.78


	python dns_client.py google.com AAAA
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: AAAA \| Name: google.com.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: AAAA \| Name: google.com. \| TTL: 299 \| RDATA: 2607:f8b0:4002:c06::8a


	python dns_client.py google.com NS
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: NS \| Name: google.com.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: NS \| Name: google.com. \| TTL: 21164 \| RDATA: ns2.google.com.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: NS \| Name: google.com. \| TTL: 21164 \| RDATA: ns1.google.com.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: NS \| Name: google.com. \| TTL: 21164 \| RDATA: ns3.google.com.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: NS \| Name: google.com. \| TTL: 21164 \| RDATA: ns4.google.com.


	python dns_client.py jiva.io PTR
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: PTR \| Name: jiva.io.


	python dns_client.py jiva.io TXT
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: TXT \| Name: jiva.io.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: TXT \| Name: jiva.io. \| TTL: 299 \| RDATA: Dgoogle-site-verification=EjXoF3FENLMLEdh3943f_KuAtYTTADxPqL5C42u0NdU
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: TXT \| Name: jiva.io. \| TTL: 3599 \| RDATA: #v=spf1 include:_spf.google.com ~all


	python dns_client.py tripwire.com SPF
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: SPF \| Name: tripwire.com.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: SPF \| Name: tripwire.com. \| TTL: 1573 \| RDATA: v=spf1 include:spf.messaging.microsoft.com include:mktomail.com include:mailgun.org ip4:76.247.119.150 ip4:76.247.119.164 ip4:174.47.84.215 ip4:69.80.198.8 ip4:64.112.227.240 ip4:69.80.198.126 -all


	python dns_client.py _sip._tls.franklin.uga.edu SRV
	[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] \| Type: SRV \| Name: _sip._tls.franklin.uga.edu.
	[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] \| Type: SRV \| Name: _sip._tls.franklin.uga.edu. \| TTL: 21131 \| RDATA: dsipdironlinelynccom


	python dns_client.py cs.uga.edu axfr
	not able to test at the moment

	'''