Capture DNS traffic using dns_client.py - for VERT interview - by jiva
#!/usr/bin/env python | |
# dns_cap.py for VERT interview | |
# by jiva | |
# | |
# CHALLENGE NOTES | |
# - Build a tool that will capture dns packets. [dns_cap.py] | |
# - MUST dump the answer to an 'A' type query in a human readable format | |
# - MUST identify the source and destination systems of all queries | |
# - MUST report the query type of all queries | |
# - MUST use a python pcap library. | |
# | |
# REFERENCES | |
# -http://www.secdev.org/projects/scapy/files/scapydoc.pdf | |
# | |
# TIME TO IMPLEMENT THINGS | |
# -Few hours. Mostly spent checking out Scapy's documentation. | |
# | |
# OTHER NOTES | |
# -Below are sample outputs of dns_cap.py for each query sent with dns_client.py | |
# -Scapy is awesome, therefore, I felt kinda cheap using its awesomeness for this challenge.
# Needless to say, if I had to actually do the heavy-lifting, I would have used something like python-dpkt. | |
from scapy.all import * | |
# DNS RR TYPE code -> mnemonic, used to label queries and answers in the
# printed output. Codes absent from this table are printed numerically by
# the caller's fallback.
rrtypes = {
    1: 'A',
    2: 'NS',
    5: 'CNAME',
    6: 'SOA',
    12: 'PTR',
    15: 'MX',
    16: 'TXT',
    17: 'RP',
    28: 'AAAA',
    33: 'SRV',
    99: 'SPF',
    252: 'AXFR',
}
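def parse(pkt):
    """Print a one-line summary of each DNS query and answer found in *pkt*.

    Called by sniff() for every captured packet; packets without a DNS
    layer are ignored. Every field read here comes straight off the wire,
    so missing or inconsistent values are tolerated rather than allowed to
    raise inside the sniff callback and stop the capture.

    Args:
        pkt: a scapy packet as delivered by sniff().
    """
    if not pkt.haslayer('DNS'):
        return
    dns = pkt.getlayer('DNS')
    # DNS is not IPv4-only: fall back to the IPv6 header, and to a
    # placeholder when neither is present, instead of failing on ip.src.
    ip = pkt.getlayer('IP') or pkt.getlayer('IPv6')
    src, dst = (ip.src, ip.dst) if ip is not None else ('?', '?')

    if dns.qr == 0:
        q = dns.qd
        # qdcount may be 0 (or the section truncated), leaving qd None.
        if q is None:
            return
        print('[*] DNS query captured (%s -> %s) [%s] | Type: %s | Name: %s'
              % (src, dst, dns.id, rrtypes.get(q.qtype, q.qtype), q.qname))
    elif dns.qr == 1:
        # Walk the answer chain rather than indexing dns.an[i]: a response
        # whose ancount claims more records than are actually present would
        # otherwise raise IndexError. The chain terminates in a falsy
        # NoPayload, and dns.an itself is None when there are no answers.
        rr = dns.an
        seen = 0
        while rr and seen < dns.ancount:
            vals = (src, dst, dns.id, rrtypes.get(rr.type, rr.type),
                    rr.rrname, rr.ttl, rr.rdata)
            print('[*] DNS answer captured (%s -> %s) [%s] | Type: %s | Name: %s | TTL: %s | RDATA: %s' % vals)
            rr = rr.payload
            seen += 1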
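def main(iface='wlan0'):
    """Sniff *iface* and hand each packet to parse() as it arrives.

    Args:
        iface: capture interface name; defaults to 'wlan0', the value the
            script originally hard-coded.

    sniff() blocks until interrupted; live capture typically needs
    raw-socket privileges.
    """
    # store=0: by default sniff() keeps every captured packet in memory for
    # its return value, which grows without bound on a long-running capture
    # whose result is never used.
    sniff(iface=iface, prn=parse, store=0)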
# Start capturing only when run as a script, not when imported.
if __name__ == '__main__':
    main()
# Sample output recorded while testing: each dns_client.py invocation is
# followed by the lines dns_cap.py printed for it.
'''
python dns_client.py jiva.io A
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: A | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: A | Name: jiva.io. | TTL: 299 | RDATA: 204.232.175.78
python dns_client.py google.com AAAA
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: AAAA | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: AAAA | Name: google.com. | TTL: 299 | RDATA: 2607:f8b0:4002:c06::8a
python dns_client.py google.com NS
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: NS | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns2.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns1.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns3.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns4.google.com.
python dns_client.py jiva.io PTR
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: PTR | Name: jiva.io.
python dns_client.py jiva.io TXT
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: TXT | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 299 | RDATA: Dgoogle-site-verification=EjXoF3FENLMLEdh3943f_KuAtYTTADxPqL5C42u0NdU
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 3599 | RDATA: #v=spf1 include:_spf.google.com ~all
python dns_client.py tripwire.com SPF
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SPF | Name: tripwire.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SPF | Name: tripwire.com. | TTL: 1573 | RDATA: v=spf1 include:spf.messaging.microsoft.com include:mktomail.com include:mailgun.org ip4:76.247.119.150 ip4:76.247.119.164 ip4:174.47.84.215 ip4:69.80.198.8 ip4:64.112.227.240 ip4:69.80.198.126 -all
python dns_client.py _sip._tls.franklin.uga.edu SRV
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu. | TTL: 21131 | RDATA: dsipdironlinelynccom
python dns_client.py cs.uga.edu axfr
not able to test at the moment
'''