@jiva jiva/dns_cap.py Secret
Created Aug 26, 2014

Capture DNS traffic using dns_client.py - for VERT interview - by jiva
#!/usr/bin/env python
# dns_cap.py for VERT interview
# by jiva
#
# CHALLENGE NOTES
# - Build a tool that will capture dns packets. [dns_cap.py]
# - MUST dump the answer to an 'A' type query in a human readable format
# - MUST identify the source and destination systems of all queries
# - MUST report the query type of all queries
# - MUST use a python pcap library.
#
# REFERENCES
# - http://www.secdev.org/projects/scapy/files/scapydoc.pdf
#
# TIME TO IMPLEMENT THINGS
# - Few hours. Mostly spent checking out Scapy's documentation.
#
# OTHER NOTES
# - Below are sample outputs of dns_cap.py for each query sent with dns_client.py
# - Scapy is awesome, therefore, I felt kinda cheap using its awesomeness for this challenge.
#   Needless to say, if I had to actually do the heavy-lifting, I would have used something like python-dpkt.
from __future__ import print_function
from scapy.all import *

# DNS RR type number -> mnemonic, for the types the challenge exercises
rrtypes = {1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 12: 'PTR', 15: 'MX', 16: 'TXT',
           17: 'RP', 28: 'AAAA', 33: 'SRV', 99: 'SPF', 252: 'AXFR'}


def parse(pkt):
    if not pkt.haslayer('DNS'):
        return
    # Get interesting layers from pkt (fall back to IPv6 so v6 transport is not skipped)
    ip = pkt.getlayer('IP') or pkt.getlayer('IPv6')
    dns = pkt.getlayer('DNS')
    if ip is None:
        return
    # Check if query or response
    if dns.qr == 0 and dns.qd:
        qd = dns.qd[0]  # first question; index 0 works for chained and list-style qd fields
        qtype = rrtypes.get(qd.qtype, qd.qtype)
        print('[*] DNS query captured (%s -> %s) [%s] | Type: %s | Name: %s'
              % (ip.src, ip.dst, dns.id, qtype, qd.qname))
    elif dns.qr == 1:
        for i in range(dns.ancount):
            rr = dns.an[i]
            vals = (ip.src, ip.dst, dns.id, rrtypes.get(rr.type, rr.type),
                    rr.rrname, rr.ttl, rr.rdata)
            print('[*] DNS answer captured (%s -> %s) [%s] | Type: %s | Name: %s | TTL: %s | RDATA: %s' % vals)


def main():
    # Start sniffing. Packet handling done in real time by parse()
    sniff(iface='wlan0', prn=parse)


if __name__ == '__main__':
    main()

'''
python dns_client.py jiva.io A
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: A | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: A | Name: jiva.io. | TTL: 299 | RDATA: 204.232.175.78
python dns_client.py google.com AAAA
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: AAAA | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: AAAA | Name: google.com. | TTL: 299 | RDATA: 2607:f8b0:4002:c06::8a
python dns_client.py google.com NS
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: NS | Name: google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns2.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns1.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns3.google.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: NS | Name: google.com. | TTL: 21164 | RDATA: ns4.google.com.
python dns_client.py jiva.io PTR
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: PTR | Name: jiva.io.
python dns_client.py jiva.io TXT
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: TXT | Name: jiva.io.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 299 | RDATA: Dgoogle-site-verification=EjXoF3FENLMLEdh3943f_KuAtYTTADxPqL5C42u0NdU
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: TXT | Name: jiva.io. | TTL: 3599 | RDATA: #v=spf1 include:_spf.google.com ~all
python dns_client.py tripwire.com SPF
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SPF | Name: tripwire.com.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SPF | Name: tripwire.com. | TTL: 1573 | RDATA: v=spf1 include:spf.messaging.microsoft.com include:mktomail.com include:mailgun.org ip4:76.247.119.150 ip4:76.247.119.164 ip4:174.47.84.215 ip4:69.80.198.8 ip4:64.112.227.240 ip4:69.80.198.126 -all
python dns_client.py _sip._tls.franklin.uga.edu SRV
[*] DNS query captured (10.0.1.9 -> 8.8.8.8) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu.
[*] DNS answer captured (8.8.8.8 -> 10.0.1.9) [17994] | Type: SRV | Name: _sip._tls.franklin.uga.edu. | TTL: 21131 | RDATA: dsipdironlinelynccom
python dns_client.py cs.uga.edu axfr
not able to test at the moment
'''
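The gist's notes mention that without Scapy the "heavy lifting" would be decoding the DNS wire format yourself. The following is an added example, not part of jiva's gist: a dependency-free parser for the header, question and answer sections of a DNS message (RFC 1035), including name-compression pointers with a hop bound so a crafted pointer loop cannot hang the capture tool, plus the check a resolver makes before accepting an answer (transaction ID and question must echo the query). The `report` function renders the same line format dns_cap.py prints. The function names (`read_name`, `parse_dns`, `report`, `matches_query`, `build_query`, `build_a_response`) are mine, and the query/response pair built at the bottom is constructed in code to mirror the gist's first sample output rather than captured from the wire.

```python
import struct

# RR type number -> mnemonic; same subset as the gist's rrtypes table.
RRTYPES = {1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 12: 'PTR', 15: 'MX', 16: 'TXT',
           17: 'RP', 28: 'AAAA', 33: 'SRV', 99: 'SPF', 252: 'AXFR'}


def read_name(msg, off):
    """Decode a domain name at msg[off:], following RFC 1035 compression
    pointers. Returns (name with trailing dot, offset just past the name as
    it appeared at the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: 2-byte pointer
            if end is None:
                end = off + 2                          # only the first pointer sets the end
            hops += 1
            if hops > 64:                              # bound crafted pointer loops
                raise ValueError('compression pointer loop')
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:                                # root label terminates the name
            break
        labels.append(msg[off:off + length].decode('ascii', 'replace'))
        off += length
    return '.'.join(labels) + '.', (end if end is not None else off)


def rdata_to_str(rtype, rdata, msg, rd_off):
    """Human-readable RDATA for the common types; hex for anything else."""
    if rtype == 1 and len(rdata) == 4:                 # A
        return '.'.join(str(b) for b in rdata)
    if rtype == 28 and len(rdata) == 16:               # AAAA (uncompressed groups)
        return ':'.join('%x' % struct.unpack('!H', rdata[i:i + 2])[0] for i in range(0, 16, 2))
    if rtype in (2, 5, 12):                            # NS / CNAME / PTR: a (compressible) name
        return read_name(msg, rd_off)[0]
    if rtype in (16, 99):                              # TXT / SPF: sequence of <len><chars>
        out, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            out.append(rdata[i + 1:i + 1 + n].decode('ascii', 'replace'))
            i += 1 + n
        return ' '.join(out)
    return rdata.hex()


def parse_dns(msg):
    """Parse the header, question section and answer section of a DNS message."""
    if len(msg) < 12:
        raise ValueError('truncated header')
    ident, flags, qdcount, ancount, _, _ = struct.unpack('!6H', msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype, _ = struct.unpack('!HH', msg[off:off + 4])
        off += 4
        questions.append({'name': qname, 'type': RRTYPES.get(qtype, qtype)})
    for _ in range(ancount):
        rrname, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError('RDLENGTH runs past end of message')
        answers.append({'name': rrname, 'type': RRTYPES.get(rtype, rtype), 'ttl': ttl,
                        'rdata': rdata_to_str(rtype, msg[off:off + rdlen], msg, off)})
        off += rdlen
    return {'id': ident, 'qr': flags >> 15, 'questions': questions, 'answers': answers}


def report(src, dst, msg):
    """Render a message in the same line format dns_cap.py prints."""
    d = parse_dns(msg)
    if d['qr'] == 0:
        return ['[*] DNS query captured (%s -> %s) [%s] | Type: %s | Name: %s'
                % (src, dst, d['id'], q['type'], q['name']) for q in d['questions']]
    return ['[*] DNS answer captured (%s -> %s) [%s] | Type: %s | Name: %s | TTL: %s | RDATA: %s'
            % (src, dst, d['id'], a['type'], a['name'], a['ttl'], a['rdata']) for a in d['answers']]


def matches_query(query, response):
    """The check a resolver makes before accepting an answer: the response must
    echo the query's transaction ID and its question section."""
    q, r = parse_dns(query), parse_dns(response)
    return q['qr'] == 0 and r['qr'] == 1 and q['id'] == r['id'] and q['questions'] == r['questions']


# --- constructed sample messages (built here, not captured traffic) ----------
def build_query(ident, qname, qtype):
    """Standard recursive query for qname/qtype, class IN, no EDNS."""
    header = struct.pack('!6H', ident, 0x0100, 1, 0, 0, 0)
    name = b''.join(bytes([len(label)]) + label.encode('ascii')
                    for label in qname.rstrip('.').split('.')) + b'\x00'
    return header + name + struct.pack('!HH', qtype, 1)


def build_a_response(ident, qname, ip, ttl):
    """Response with one A record whose owner name is the pointer 0xC00C back
    to the question name at offset 12, so compression handling is exercised."""
    question = build_query(ident, qname, 1)[12:]
    header = struct.pack('!6H', ident, 0x8180, 1, 1, 0, 0)
    rr = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4) + bytes(int(o) for o in ip.split('.'))
    return header + question + rr


if __name__ == '__main__':
    q = build_query(17994, 'jiva.io', 1)                          # constructed, mirrors sample 1
    r = build_a_response(17994, 'jiva.io', '204.232.175.78', 299)  # constructed
    for line in report('10.0.1.9', '8.8.8.8', q) + report('8.8.8.8', '10.0.1.9', r):
        print(line)
    print('response matches query:', matches_query(q, r))
```

Two design points worth noting for anyone turning a capture script into a monitoring tool: `read_name` tracks the end offset only for the first pointer it follows, which is what RFC 1035 requires, and the hop limit plus the RDLENGTH bounds check mean a malformed or hostile packet raises a `ValueError` for the caller to log instead of crashing or spinning the sniffer loop.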