How To: Build a DNS Packet Sniffer with Scapy and Python

Build a DNS Packet Sniffer with Scapy and Python

In my last how-to, we built a man-in-the-middle tool. The aforementioned script only established a man-in-the-middle. Today we'll be building a tool to utilize it. We'll be building a DNS packet sniffer. In a nutshell, this listens for DNS queries from the victim and shows them to us. This allows us to track the victims activity and perform some useful recon.

New Method of Execution

In my previous tutorials, I used the "python FILENAME.py" execution method. I've moved to using the shebang ("#!") method of execution. The reason for this is because I feel it looks more professional and requires less typing to execute. If you are unfamiliar with this, I suggest you read steps one and two of this tutorial, by our beloved admin, OTW. Simply apply those steps to our script and we're good to go!

Step 1: Setting the Interpreter Path and Importing Modules

The first line is the aforementioned "shebang". This line essentially tells the script where the interpreter to use is located. We then import our lovely scapy module along with sys.

Step 2: Getting Input

This is a very simple input, we're only asking for the interface as that is the only thing that matters in this script, the rest has been taken care of my the MitM script. We've added a keyboard interrupt exception just in case the user decides to quit.

Step 3: Manipulating the Packets

The above function is what gets the needed information from the sniffed packet and presents it to us. It finds the source and destination IP addresses, and tests for DNS queries. The single print statement is what presents us with the information we seek. It starts by printing the source IP to the destination IP. The arrow is to help clarify the source going to the destination. This is followed by the DNS query incased in parentheses. This insures that all information is presented in a neat and easily readable format.

Step 4: Start Sniffing

Here we use scapy's sniff() function to begin sniffing. We've set the iface value equal to the interface provided by the user in the beginning of the script. We set the filter to port 53, this is because port 53 is for DNS. We set prn to the function we defined earlier, this makes every sniffed packet that meets our criteria go through our function. Finally we set the store field to zero. This tells scapy not to save any of the sniffed packets as we won't be manipulating them any further. The user will have to interrupt the sniffing with a keyboard interrupt, which will print that the script is shutting down.

Step 5: Testing It Out

First, we have to establish our man-in-the-middle...

Alright! We've established our MitM! Now we simply have to run our new script (Pastebin Here) and watch the magic happen...

Now when we run this script we will get A LOT of results. This is because it prints ALL DNS requests, not only the ones manually made by the victim. This includes queries for things such as google ads. After sifting through our results for a small time I came across what we're after...

It worked! We can see here that the user requested to access the one and only Null Byte!

Step 6: Feedback!

Let me know what you think! If you have any questions leave them in the comments and I'm sure they'll be answered! For those of who missed it earlier here is the Pastebin.

Thank you for reading!

-Defalt

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

6 Comments

Hey am getting an unexpected result. I want to sniff another machine's packet not my local machine but your code allows us to only sniff the local packets. From your screenshot:

Image via wonderhowto.com

There was an input for the victim ip and router ip but from the script you provided you didn't allow us to enter any ip. Am I doing something wrong here ?

Dark Net

That is a screenshot of my man in the middle script. I was using it route the traffic through my system. You can find the man in the middle script here.

Ok, thanks . I now get your scenario. +1

Thank you very these tutorials, i.e. part 1 and 2. However, when i tried both, the script was successful but it did not pick any log or data. I am trying to capture packets on a DNS server based on queries from a client test node. What is the best way i can capture any command made via this client node towards the internet is captured. I have configured the client to only use the DNSserver as its main DNS for traffic to the internet.

Thanks,
Can get cookies too?

I am trying to write the DNS packet sniffer in python to capture information whenever NXdomain packet is found e.g Response code, Querry, Transport Protocol used, dest port, Authorative Name server. First of all, I don't know where to start with. I watched some of the tutorials on youtube but most of them are sniffing ethernet frames and try to get information from (IP/ARP frame) within the ethernet frame but this information is useless for me as I want to capture DNS information by sniffing DNS packet.

Any help would be really appreciated.

Share Your Thoughts

  • Hot
  • Latest