Commit c619cd54 authored by Francois's avatar Francois

first steps on the DNS parsing

#!/usr/bin/env python
from base64 import b32decode, b64decode
from scapy.all import *
from scapy.layers.dns import DNSRR, DNS, DNSQR
import struct
import re
pcap = '/home/fser/ctfs/33c3/exfil/dump.pcap'
pkts = rdpcap(pcap)
data_cli = {}
data_srv = {}
def decode_b32(s):
s = s.upper()
for i in range(10):
try:
return base64.b32decode(s)
except:
s += b'='
raise ValueError('Invalid base32')
for p in pkts:
ipsrc = p[IP].src
packet = p[UDP].payload
if ipsrc == '192.168.0.1':
print "serv: ",
packet = packet[DNS].an.rdata
elif ipsrc == '192.168.0.121':
print "client: ",
packet = packet[DNS].qd.qname
else:
print "faut pas se foutre de moi"
conn_id, seq, ack = struct.unpack('<HHH', packet[:6])
data = packet[6:].replace('.', '').replace('eat-sleep-pwn-repeatde','')
# server
if ipsrc == '192.168.0.1':
if not seq in data_srv:
data_srv[seq] = data
else:
if not seq in data_cli:
data_cli[seq] = data
print "id %d seq %d ack %d" % (conn_id, seq, ack)
print "Client:"
print len(data_cli)
print "Server:"
print len(data_srv)
# print '[%d] %s' % (len(data), data)
# if p.time < lasttime:
# print 'oops'
# lasttime = p.time
# if p.haslayer(DNS):
# if p.qdcount > 0 and isinstance(p.qd, DNSQR):
# name = p.qd.qname
# print '[-] query -> osef'
# elif p.ancount > 0 and isinstance(p.an, DNSRR):
# name = p.an.rdata
# name = name.replace('.', '').replace('eat-sleep-pwn-repeatde','')
# print name
# else:
# print "wut"
# continue
# for p in pkts:
# if p.haslayer(DNS):
# if p.ancount > 0 and isinstance(p.an, DNSRR):
# truc = ''
# truc2 = ''
# try:
# truc = b32decode(p.an.rdata.replace('.eat-sleep-pwn-repeat.de.', '').replace('.',''))
# truc2 = b64decode(truc)
# if '33C3' in truc or '33C3' in truc2:
# print '\n\n\n\nBAAAAAA\n\n\n'
# except TypeError:
# if '33C3' in truc or '33C3' in truc2:
# print '\n\n\n\nBAAAAAA\n\n\n'
# pass
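Review bot: The `else` branch that prints "faut pas se foutre de moi" does not skip the packet, so for any source other than the two expected hosts `packet` is still the whole UDP payload and the `struct.unpack('<HHH', packet[:6])` that follows runs on it; add `continue` after the print. That unpack also raises `struct.error` when the extracted qname/rdata is shorter than six bytes, so a guard such as `if len(packet) < 6: continue` before it would keep a malformed or unrelated DNS record from aborting the whole pass over the capture. In `decode_b32`, the bare `except:` hides every failure, including the `NameError` that `base64.b32decode` would raise if the `base64` module name is not in scope — only `b32decode` is imported by name here, though the `scapy.all` star import may supply it; catching `binascii.Error` and calling `b32decode(s)` directly would make the "Invalid base32" error trustworthy. Finally, `if not seq in data_srv` reads better as `if seq not in data_srv` (same for `data_cli`).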