Friday, May 8, 2009

DoJoSec and dnssnarf

One of our IT guys, (total security geek Christopher McBee) found some interesting information from last nights DoJoSec meeting. Here's what he has to say:

During Sean Wilkerson's talk at last nights DojoSec meeting (http://www.dojosec.com), Sean discussed some simple open source monitoring tools included in the dsniff suite including urlsnarf, mailsnarf, etc used for validating assumptions about your security infrastructure and products. One of the questions during the talk was for a tool similar to these for DNS snarfing. Twenty minutes and 6 lines of python later. The output is in bind query log format so you should be able to throw it into your favorite query log parsing tool.

from scapy import *

def dns_callback(pkt):
if DNS in pkt and pkt[UDP].dport == 53:
print pkt.sprintf("client %IP.src%#%UDP.sport%: query: ") + \
pkt[DNSQR].qname + " " + pkt[DNSQR].sprintf("%qclass% %qtype% +")

iface = (sys.argv[1] if (len(sys.argv) > 1) else 'eth0')
sniff(iface=iface, prn=dns_callback, filter="udp and port 53", store=0)

No comments:

Post a Comment