How To: Build a DNS Packet Sniffer with Scapy and Python

In my last how-to, we built a man-in-the-middle tool. That script only established the man-in-the-middle position; it did nothing with the traffic it was now forwarding. Today we'll build a tool that makes use of it: a DNS packet sniffer. In a nutshell, it listens for the DNS queries the victim's machine sends through us and shows them to us. Since almost every connection starts with a name lookup, this lets us track the victim's activity and perform some useful recon without touching the traffic itself.

New Method of Execution

In my previous tutorials, I used the "python FILENAME.py" execution method. I've moved to using the shebang ("#!") method of execution, because it looks more professional and requires less typing to run the script. If you are unfamiliar with this, I suggest you read steps one and two of this tutorial by our beloved admin, OTW. Simply apply those steps to our script (add the shebang line and make the file executable with chmod +x) and we're good to go!

Step 1: Setting the Interpreter Path and Importing Modules

The first line is the aforementioned "shebang". It tells the system where the interpreter that should run this script is located. We then import our lovely scapy module along with sys.

Step 2: Getting Input

This is a very simple input: we only ask for the interface, as that is the only thing that matters in this script. The rest (the victim IP, the router IP and the ARP spoofing) has already been taken care of by the MitM script. We've added a KeyboardInterrupt exception handler in case the user decides to quit at the prompt.

Step 3: Manipulating the Packets

The above function is what extracts the information we need from each sniffed packet and presents it to us. It reads the source and destination IP addresses and tests whether the packet carries a DNS query (as opposed to a DNS response, which also travels over port 53). The single print statement is what presents the information we seek. It prints the source IP, an arrow, and the destination IP; the arrow makes clear which side is the source and which is the destination. This is followed by the queried name enclosed in parentheses. That keeps the output in a neat and easily readable one-line-per-query format.

Step 4: Start Sniffing

Here we use scapy's sniff() function to begin sniffing. We set the iface argument to the interface provided by the user at the start of the script. We set the filter to port 53, because port 53 is the DNS port; note that this BPF filter matches both queries and the replies to them, so it is the function from step 3 that narrows the output down to queries. We set prn to the function we defined earlier, so every sniffed packet that matches the filter is passed through that function. Finally we set store to zero, which tells scapy not to keep the sniffed packets in memory, as we won't be manipulating them any further (on a busy link, storing every packet would otherwise eat memory steadily). The user stops the sniffer with a keyboard interrupt, which prints that the script is shutting down.
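Since the tutorial's own script only survives as screenshots, here is an added example that is not Defalt's code, covering steps 1 through 4 in one file. It makes one deliberate change: instead of leaning on scapy's DNS dissector for the "is this a query, and what name was asked for" test of step 3, it decodes the IPv4/UDP/DNS headers from the raw frame bytes with the standard library, so you can see (and test, with a constructed frame) exactly what the filter, the QR bit and DNS name compression do. scapy is only imported inside the live sniff() wrapper, which uses the settings from step 4 (iface, filter, prn, store=0). Assumptions: the capture interface is Ethernet (so the frame starts with a 14-byte Ethernet header), the names parse_dns_query, decode_qname, build_dns_query_frame and sniff_dns are mine, and the sample frame is constructed, not captured.

```python
#!/usr/bin/env python3
"""DNS query sniffer: stdlib frame parser plus a scapy sniff() front end.
Added example; the parser replaces scapy's DNSQR layer for illustration."""
import socket
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53


def decode_qname(dns, offset):
    """Decode a DNS name at dns[offset:], following RFC 1035 compression
    pointers. Returns (name, offset just past the name at its original
    position), so the caller can keep walking the question section."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(dns):
            raise ValueError("truncated name")
        length = dns[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if offset + 1 >= len(dns):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", dns[offset:offset + 2])[0] & 0x3FFF
            if end is None:                       # first jump fixes where we resume
                end = offset + 2
            hops += 1
            if hops > 16:                         # malformed packet: pointer loop
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                           # root label terminates the name
            break
        labels.append(dns[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns_query(frame):
    """Return (src_ip, dst_ip, qname) for an Ethernet/IPv4/UDP DNS query.
    Returns None for anything else: responses (QR bit set), non-IPv4,
    non-UDP, other ports, or truncated data. DNS over TCP is not handled."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length incl. options
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:]
    sport, dport, _ulen = struct.unpack("!HHH", udp[:6])
    if DNS_PORT not in (sport, dport):            # same condition as "port 53"
        return None
    dns = udp[8:]
    if len(dns) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount == 0:            # QR=1 is a response: skip it
        return None
    qname, _ = decode_qname(dns, 12)              # first question follows the header
    return src, dst, qname


def format_query(parsed):
    """The tutorial's output line: source -> destination (queried name)."""
    src, dst, qname = parsed
    return "%s -> %s (%s)" % (src, dst, qname)


def build_dns_query_frame(src_ip, dst_ip, qname, txid=0x1234, sport=40000):
    """Constructed sample (not a capture): Ethernet/IPv4/UDP DNS A query.
    Checksums are left at zero; the parser never verifies them."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", sport, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def sniff_dns(iface):
    """Live mode, step 4 of the tutorial: needs root and scapy installed."""
    from scapy.all import sniff                   # lazy import: parser works without scapy

    def prn(pkt):
        parsed = parse_dns_query(bytes(pkt))      # raw frame bytes of the scapy packet
        if parsed:
            print(format_query(parsed))

    sniff(iface=iface, filter="udp port 53", prn=prn, store=0)


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else input("Interface to sniff on: ")
    try:
        sniff_dns(iface)
    except KeyboardInterrupt:
        print("\nShutting down.")
```

Run it as root with the interface as the first argument (or answer the prompt), after the MitM script is already redirecting the victim's traffic through your machine. The filter is "udp port 53" rather than the tutorial's "port 53" so that DNS-over-TCP segments, which the parser does not decode, never reach the callback.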

Step 5: Testing It Out

First, we have to establish our man-in-the-middle...

Alright! We've established our MitM! Now we simply run our new script (Pastebin Here) on the same interface and watch the magic happen...

When we run this script we get A LOT of results. This is because it prints ALL DNS queries the victim's machine sends, not only the ones the victim makes deliberately: background lookups for things such as Google ads, update checks and embedded third-party content all show up. After sifting through the results for a short while I came across what we're after...

It worked! We can see here that the user requested to access the one and only Null Byte!

Step 6: Feedback!

Let me know what you think! If you have any questions, leave them in the comments and I'm sure they'll be answered! For those of you who missed it earlier, here is the Pastebin.

Thank you for reading!

-Defalt

11 Comments

I really should start learning Python, shouldn't I?

-Phoenix750

Yes.

ghost_

Anyone know a good place for me to start?

EDIT: no need to reply to this, made a thread on the forum about it.

-Phoenix750

Glorious Read. Awesome tutorial, +1

It's awesome and friendly. You will pick it up faster than C#. Hit me up if you have any problem; always willing to help.

# Sergeant

If I can pick it up faster than C#, and I am learning C# really fast, I think I will know Python in just a week...

-Phoenix750

Hahaha... OK, don't kill yourself yet.

Hey, I am getting an unexpected result. I want to sniff another machine's packets, not my local machine's, but your code only allows us to sniff the local packets. From your screenshot:


There was an input for the victim IP and router IP, but the script you provided doesn't allow us to enter any IP. Am I doing something wrong here?

Dark Net

That is a screenshot of my man-in-the-middle script. I was using it to route the traffic through my system. You can find the man-in-the-middle script here.

OK, thanks. I now get your scenario. +1
