How to Build a DNS Packet Sniffer with Scapy and Python
In my last how-to, we built a man-in-the-middle tool. The aforementioned script only established a man-in-the-middle. Today we'll be building a tool to utilize it. We'll be building a DNS packet sniffer. In a nutshell, this listens for DNS queries from the victim and shows them to us. This allows us to track the victims activity and perform some useful recon.
In my previous tutorials, I used the "python FILENAME.py" execution method. I've moved to using the shebang ("#!") method of execution. The reason for this is because I feel it looks more professional and requires less typing to execute. If you are unfamiliar with this, I suggest you read steps one and two of this tutorial, by our beloved admin, OTW. Simply apply those steps to our script and we're good to go!
The first line is the aforementioned "shebang". This line essentially tells the script where the interpreter to use is located. We then import our lovely scapy module along with sys.
This is a very simple input, we're only asking for the interface as that is the only thing that matters in this script, the rest has been taken care of my the MitM script. We've added a keyboard interrupt exception just in case the user decides to quit.
The above function is what gets the needed information from the sniffed packet and presents it to us. It finds the source and destination IP addresses, and tests for DNS queries. The single print statement is what presents us with the information we seek. It starts by printing the source IP to the destination IP. The arrow is to help clarify the source going to the destination. This is followed by the DNS query incased in parentheses. This insures that all information is presented in a neat and easily readable format.
Here we use scapy's sniff() function to begin sniffing. We've set the iface value equal to the interface provided by the user in the beginning of the script. We set the filter to port 53, this is because port 53 is for DNS. We set prn to the function we defined earlier, this makes every sniffed packet that meets our criteria go through our function. Finally we set the store field to zero. This tells scapy not to save any of the sniffed packets as we won't be manipulating them any further. The user will have to interrupt the sniffing with a keyboard interrupt, which will print that the script is shutting down.
First, we have to establish our man-in-the-middle...
Alright! We've established our MitM! Now we simply have to run our new script (Pastebin Here) and watch the magic happen...
Now when we run this script we will get A LOT of results. This is because it prints ALL DNS requests, not only the ones manually made by the victim. This includes queries for things such as google ads. After sifting through our results for a small time I came across what we're after...
It worked! We can see here that the user requested to access the one and only Null Byte!
Let me know what you think! If you have any questions leave them in the comments and I'm sure they'll be answered! For those of who missed it earlier here is the Pastebin.
Thank you for reading!