-
Notifications
You must be signed in to change notification settings - Fork 3
/
09-scapy-and-dns.html
142 lines (121 loc) · 6.97 KB
/
09-scapy-and-dns.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<title>Scapy and DNS</title>
<link rel="stylesheet" href="stylesheets/styles.css">
<link rel="stylesheet" href="stylesheets/pygment_trac.css">
<link href="stylesheets/font-awesome.min.css" rel="stylesheet">
<script src="javascripts/scale.fix.js"></script>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<!--[if lt IE 9]>
<script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body>
<div class="wrapper">
<header>
<h1 class="header"><a href="index.html">Scapy for Network Tools</a></h1>
<p class="header">Using the power of Python + Scapy to build network tools</p>
<ul>
<li class="download"><a class="buttons" href="https://github.com/thepacketgeek/building-network-tools-with-scapy/zipball/master">Download ZIP</a></li>
<li class="download"><a class="buttons" href="https://github.com/thepacketgeek/building-network-tools-with-scapy/tarball/master">Download TAR</a></li>
<li><a class="buttons github" href="https://github.com/thepacketgeek/building-network-tools-with-scapy">View On GitHub</a></li>
</ul>
<p class="header">This project is maintained by <a class="header name" href="https://github.com/thepacketgeek">thepacketgeek</a></p>
</header>
<section>
<h3 id="01">
09 - Scapy and DNS
</h3>
<p>We've been able to work with Ethernet, ARP, IP, ICMP, and TCP pretty easily so far thanks to Scapy's built in protocol support. Next on our list of protocols to work with are UDP and DNS. </p>
<h4>DNS Request and Response</h4>
<p>Using the <code>sr1()</code> function, we can craft a DNS request and capture the returned DNS response. Since DNS runs over IP and UDP, we will need to use those in our packet:</p>
<script type="text/javascript" src="https://gist.github.com/thepacketgeek/6928674.js"></script>
<pre><code>============================Console Output:===========================
Begin emission:
..Finished to send 1 packets.
..*
Received 5 packets, got 1 answers, remaining 0 packets
DNS Ans "198.71.55.197"</code></pre>
<p class="caption">The DNS layer summary is printed showing the IP address of the hostname requested</p>
<p>Without too much work we were able to write a short script to query some DNS name to IP address resolutions. Just think about what this means; we could read in a list of hostnames to resolve and send the IP addresses off to some function to do some more tests such as ping or TCP scans.</p>
<h4>DNS Forwarding and Spoofing</h4>
<p>Ok, so sending a DNS query was fun, but let's build on that. How about hand building a DNS service that can handle DNS forwarding, but with the added functionality of handing out a custom IP address for a certain domain name. This is similar to how the DNS server part of the <a target = "_blank" href="https://github.com/iBaa/PlexConnect">PlexConnect</a> utility works to hijack some communications from the AppleTV. This is going to jump up in complexity quite a bit from our previous example but the process is still pretty simple:</p>
<ul>
<li>Sniff with Scapy to listen for incoming DNS requests
<ul>
<li>Filtering for UDP port 53 destined to the server's IP address</li>
</ul>
</li>
<li>If the request is for our special domain name, send a spoofed DNS response
<ul>
<li>Swap source/dest UDP ports and IP addresses</li>
<li>Match DNS request ID</li>
</ul>
</li>
<li>Otherwise, make a new DNS request and send the response back to the requesting host
<ul>
<li>Make a new request, and save the DNS Response</li>
<li>Send a response back to the client matching the same fields as above</li>
</ul>
</li>
</ul>
<p>We're doing a lot of field replacements, especially on the handcrafted spoof response. All I did to figure out all those fields is capture a DNS response from a request I made and used the <code>show()</code> function to figure out what fields are expected in the DNS response.</p>
<script type="text/javascript" src="https://gist.github.com/thepacketgeek/6926872.js"></script>
With this running on a host, I used the DNS <code>dig</code> utility to make some DNS requests:
<pre><code>localhost:~ packetgeek$ dig @172.16.20.40 www.thepacketgeek.com
; <<>> DiG 9.8.5-P1 <<>> @172.16.20.40 www.thepacketgeek.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29980
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.thepacketgeek.com. IN A
;; ANSWER SECTION:
www.thepacketgeek.com. 20411 IN A 198.71.55.197
;; Query time: 90 msec
;; SERVER: 172.16.20.40#53(172.16.20.40)
;; WHEN: Thu Oct 10 19:39:38 PDT 2013
;; MSG SIZE rcvd: 76
localhost:~ packetgeek$ dig @172.16.20.40 trailers.apple.com
; <<>> DiG 9.8.5-P1 <<>> @172.16.20.40 trailers.apple.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12688
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Messages has 34 extra bytes at end
;; QUESTION SECTION:
;trailers.apple.com. IN A
;; ANSWER SECTION:
trailers.apple.com. 20 IN A 172.16.20.40
;; Query time: 561 msec
;; SERVER: 172.16.20.40#53(172.16.20.40)
;; WHEN: Thu Oct 10 19:39:45 PDT 2013
;; MSG SIZE rcvd: 104</code></pre>
<p>This example uses a lot of Python, so if you're not familiar with that take some time to look at the code and look up anything you don't know in the <a target = "_blank" href="http://docs.python.org/2.7/">Python Docs</a>.</p>
<nav>
<p class="previous"><a href="08-making-xmas-tree-packet.html"><i class="icon-arrow-left"></i> Previous</a></p>
<p class="next"><a href="10-emulating-nmap.html">Next <i class="icon-arrow-right"></i></a></p>
</nav>
</section>
</div>
<footer>
<p>Hosted on GitHub Pages — Theme by <a href="https://github.com/orderedlist">orderedlist</a></p>
</footer>
<!--[if !IE]><script>fixScale(document);</script><![endif]-->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-44238008-3");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html>