lost and found ( for me ? )

Python scapy: craft DNS packets with scapy

Here is a sample script that uses Python scapy to send DNS queries from one source IP address to multiple destination IPs.

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 13.10"

# apt-get install python-scapy

# cat send_queries_03.py -n
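#!/usr/bin/env python
"""Send numbered DNS A queries to four resolver addresses with scapy.

Each pass of the main loop sends one query to every target, in the order
192.168.10.50, .51, .52, .53.  The query names are a<N>, b<N>, c<N> and
d<N> under QUERY_ZONE, where <N> is the loop counter, so every query
carries a name that has not been asked before in this run.
"""

# Explicit names instead of "import *" so it is clear which scapy objects
# the script depends on.
from scapy.all import DNS, DNSQR, IP, UDP, RandShort, sr1

# Source address written into every IP header.
SRC_IP = "192.168.10.15"

# Zone the numbered labels are created under.
# NOTE(review): foo.com is not one of the reserved documentation/test
# names, and rd=1 asks the receiving resolver to recurse.  A resolver with
# upstream reachability may therefore forward each name to servers outside
# the test network; a zone under a reserved TLD such as ".test" would keep
# the traffic local.  Confirm against the resolver configuration.
QUERY_ZONE = "foo.com"

# Number of passes of the main loop (one query per target per pass).
QUERY_COUNT = 100000


def _send_query(dst, prefix, counter):
    """Build and send one DNS query for <prefix><counter>.<QUERY_ZONE>.

    dst     -- destination IP address (string) of the DNS server.
    prefix  -- label prefix that identifies the target in captures.
    counter -- value appended to the prefix to make the name unique.

    Returns nothing; whatever sr1() returns is discarded.
    """
    qname = "%s%s.%s" % (prefix, counter, QUERY_ZONE)
    packet = (
        IP(src=SRC_IP, dst=dst)
        # RandShort() supplies a random 16-bit source port and DNS id.
        / UDP(sport=RandShort(), dport=53)
        / DNS(rd=1, id=RandShort(), qd=DNSQR(qname=qname))
    )
    # sr1() is used only to transmit: with a one-microsecond timeout and
    # retry=0 it gives up almost immediately and nothing is re-sent, so a
    # reply is unlikely to be collected here.
    sr1(packet, verbose=0, timeout=0.000001, retry=0)


def send_ip50(counter):
    """Send the query a<counter>.<QUERY_ZONE> to 192.168.10.50."""
    _send_query("192.168.10.50", "a", counter)


def send_ip51(counter):
    """Send the query b<counter>.<QUERY_ZONE> to 192.168.10.51."""
    _send_query("192.168.10.51", "b", counter)


def send_ip52(counter):
    """Send the query c<counter>.<QUERY_ZONE> to 192.168.10.52."""
    _send_query("192.168.10.52", "c", counter)


def send_ip53(counter):
    """Send the query d<counter>.<QUERY_ZONE> to 192.168.10.53."""
    _send_query("192.168.10.53", "d", counter)


if __name__ == '__main__':
    for i in range(QUERY_COUNT):
        send_ip50(i)
        send_ip51(i)
        send_ip52(i)
        send_ip53(i)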

capture data
# tcpdump -i br0 -n udp and dst port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:45:04.042689 IP 192.168.10.15.13123 > 192.168.10.53.domain: 60431+ A? d828.foo.com. (30)
23:45:04.042845 IP 192.168.10.11.62606 > 192.168.10.15.domain: 12062+ [1au] A? d828.foo.com. (41)
23:45:04.098405 IP 192.168.10.15.12479 > 192.168.10.50.domain: 36773+ A? a829.foo.com. (30)
23:45:04.098554 IP 192.168.10.11.26948 > 192.168.10.15.domain: 32326+ [1au] A? a829.foo.com. (41)
23:45:04.154371 IP 192.168.10.15.37971 > 192.168.10.51.domain: 47661+ A? b829.foo.com. (30)
23:45:04.154524 IP 192.168.10.11.22917 > 192.168.10.15.domain: 55193+ [1au] A? b829.foo.com. (41)
23:45:04.218333 IP 192.168.10.15.48133 > 192.168.10.52.domain: 7299+ A? c829.foo.com. (30)
a830.foo.com. (41)
23:45:04.430456 IP 192.168.10.15.36751 > 192.168.10.51.domain: 49019+ A? b830.foo.com. (30)
23:45:04.430602 IP 192.168.10.11.61530 > 192.168.10.15.domain: 21721+ [1au] A? b830.foo.com. (41)
23:45:04.486421 IP 192.168.10.15.12881 > 192.168.10.52.domain: 23496+ A? c830.foo.com. (30)
23:45:04.486567 IP 192.168.10.11.40049 > 192.168.10.15.domain: 15839+ [1au] A? c830.foo.com. (41)
23:45:04.546634 IP 192.168.10.15.4886 > 192.168.10.53.domain: 57954+ A? d830.foo.com. (30)
23:45:04.546786 IP 192.168.10.11.30473 > 192.168.10.15.domain: 32175+ [1au] A? d830.foo.com. (41)
