dns欺骗与替罪羊客户端提示

Question

考虑一下这个简单的python欺骗程序：

#!/usr/bin/python3
import socket
from scapy.all import *
port = 53

def handle(payload):
    data = payload[0]
    src_ip = payload[1][0]
    src_port = payload[1][1]
    print("-" * 10 + " Incoming "  + "-" * 10)
    a = DNS(data)
    a.show2()
    output = IP(dst=src_ip,  chksum = 0)/ UDP(sport=53, dport=src_port) / DNS(id=a.id, qr=1, opcode=a.opcode, aa=1, tc=0, rd=1, ra=1, z=0, ad=0, cd=0, rcode=0, qdcount=1, ancount=1, nscount=0, arcount=0,qd=DNSQR(qname=a[DNS].qd.qname, qtype=a[DNS].qd.qtype, qclass=a[DNS].qd.qclass), an=DNSRR(rrname='cnn.com', rdata='192.168.1.100'), )
    print("-" * 10 + " Output "  + "-" * 10)
    output.show2()
    send(output)

if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # create a socket object
    s.bind(("", port)) 
    while True:
        payload = s.recvfrom(1024)
        handle(payload)

我将从sudo运行它(这样我就可以绑定到udp端口53)：

$ sudo python3 -i ./dns_python.py

不过，我向它提出的要求是超时的：

$ host cnn.com 127.0.0.1
;; connection timed out; no servers could be reached

我需要帮助找出如何成功地欺骗：

更多细节：

$ sudo python3 -i ./dns_python.py 
---------- Incoming ----------
###[ DNS ]### 
  id        = 59652
  qr        = 0
  opcode    = QUERY
  aa        = 0
  tc        = 0
  rd        = 1
  ra        = 0
  z         = 0
  ad        = 0
  cd        = 0
  rcode     = ok
  qdcount   = 1
  ancount   = 0
  nscount   = 0
  arcount   = 0
  \qd        \
   |###[ DNS Question Record ]### 
   |  qname     = 'cnn.com.'
   |  qtype     = A
   |  qclass    = IN
  an        = None
  ns        = None
  ar        = None

---------- Output ----------
###[ IP ]### 
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 76
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = udp
  chksum    = 0x0
  src       = 127.0.0.1
  dst       = 127.0.0.1
  \options   \
###[ UDP ]### 
     sport     = domain
     dport     = 36774
     len       = 56
     chksum    = 0xb87f
###[ DNS ]### 
        id        = 59652
        qr        = 1
        opcode    = QUERY
        aa        = 1
        tc        = 0
        rd        = 1
        ra        = 1
        z         = 0
        ad        = 0
        cd        = 0
        rcode     = ok
        qdcount   = 1
        ancount   = 1
        nscount   = 0
        arcount   = 0
        \qd        \
         |###[ DNS Question Record ]### 
         |  qname     = 'cnn.com.'
         |  qtype     = A
         |  qclass    = IN
        \an        \
         |###[ DNS Resource Record ]### 
         |  rrname    = 'cnn.com.'
         |  type      = A
         |  rclass    = IN
         |  ttl       = 0
         |  rdlen     = 4
         |  rdata     = '192.168.1.100'
        ns        = None
        ar        = None

.
Sent 1 packets.

当我从ngrep -d lo '‘src或dst端口53窗口观看时，我会看到数据包。任何帮助都将不胜感激！

Answer 1

Scapy不适用于127.0.0.1或环回接口

http://scapy.readthedocs.io/en/latest/troubleshooting.html

回环接口是一个非常特殊的接口。通过它的数据包并不是真正的组装和拆卸。内核将数据包路由到目的地，而它仍然被存储在内部结构中。您在tcpdump -i lo中看到的只是一个让您认为一切都是正常的假的。内核不知道Scapy在背后做什么，所以你在回环界面上看到的也是假的。但这次不是来自当地的建筑。因此，内核将永远不会收到它。

为了与本地应用程序对话，需要在上层构建数据包，使用PF_INET/SOCK_RAW套接字，而不是PF_PACKET/SOCK_RAW (或在Linux以外的其他系统上等效)：