OS: Ubuntu 14.04.5 LTS
Language: Python 2.7.6
- dnsdetect.py
- dnsinject.py
- readme
- tracefile.pcap
- detection output for attached tracefile.pcap
- modifying rdata field of packet in spoofed packet
- all other fields are the same
- race condition: between spoofed packet and actual packet
- ideally to prevent race condition:
we must use scapy + nfqueue for packet blocking, modification, and forwarding
-> set up IP tables packet queue for all packets with dst port 53,
-> modify packet and send spoofed packet, drop original packet
-> however this method would prevent us from detecting spoofed packets in our dnsdetect,
hence the simple method is used
- check if all relevant fields match:
including same dst IP, same ports for dst and src, dns id and qname
- we check IP addresses as well:
to avoid false positives,
for instance with legitimate consecutive responses with different IP addresses
for same hostname which occur with dns round robin scheduling for example
- cases where this may not work:
two dns packets all have same fields, including TXID,
yet are not spoofed and are both not poisonous
possible reasons: NAT
- limitation: bpf filtering doesn't work in offline mode for scapy.
for dns packets: packets with dst port 53 as dns can be on both udp and tcp
invalid bpf filter:
- you get an exception
- depending on whether your system has Global name Scapy_Exception
not present:
- default eth0 used
present:
- valid interface used
- invalid interface: error messaeg displayed
not present:
- all requests forged with local machine IP in rdata as answer
present:
- qname in hostnames.txt file, only those are forged
augmented to "dst port 53" filter expression and given as bpf filter to sniff()
if invalid expression, Exception occurs and is shown on terminal
only dns A requests are forged and injected
all possible combinations for cmdline args
python dnsinject.py
python dnsinject.py -i eth0 -h hostnames.txt "udp"
python dnsinject.py -i eth0
python dnsinject.py -h hostnames.txt
python dnsinject.py "udp"
python dnsinject.py -h hostnames.txt "udp"
python dnsinject.py -i eth0 "udp"
python dnsinject.py -i eth0 -h hostnames.txtall possible combinations for cmdline args
python dnsdetect.py
python dnsdetect.py -i eth0
python dnsdetect.py -r tracefile.pcap
python dnsdetect.py -i eth0 "udp"
python dnsdetect.py -r tracefile.pcap "udp"
python dnsdetect.py "udp"victim guest VM
another guest VM runs dnsinject and dnsdetect and observes victim's traffic
- http://www.cs.dartmouth.edu/~sergey/netreads/local/reliable-dns-spoofing-with-python-scapy-nfqueue.html
- http://www.secdev.org/conf/scapy_lsm2003.pdf
- http://scapy.readthedocs.io/en/latest/functions.html
- https://pypi.python.org/pypi/netifaces
- https://stackoverflow.com/questions/3277503/how-do-i-read-a-file-line-by-line-into-a-list
- http://securitynik.blogspot.com/2014/05/building-your-own-tools-with-scapy.html
- https://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib
- https://stackoverflow.com/questions/19124304/what-does-metavar-and-action-mean-in-argparse-in-python