使用 scapy 客户端超时进行 dns 欺骗

Question

考虑一下这个简单的 python dns 欺骗器：

#!/usr/bin/python3
import socket
from scapy.all import *
port = 53

def handle(payload):
    data = payload[0]
    src_ip = payload[1][0]
    src_port = payload[1][1]
    print("-" * 10 + " Incoming "  + "-" * 10)
    a = DNS(data)
    a.show2()
    output = IP(dst=src_ip,  chksum = 0)/ UDP(sport=53, dport=src_port) / DNS(id=a.id, qr=1, opcode=a.opcode, aa=1, tc=0, rd=1, ra=1, z=0, ad=0, cd=0, rcode=0, qdcount=1, ancount=1, nscount=0, arcount=0,qd=DNSQR(qname=a[DNS].qd.qname, qtype=a[DNS].qd.qtype, qclass=a[DNS].qd.qclass), an=DNSRR(rrname='cnn.com', rdata='192.168.1.100'), )
    print("-" * 10 + " Output "  + "-" * 10)
    output.show2()
    send(output)

if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # create a socket object
    s.bind(("", port)) 
    while True:
        payload = s.recvfrom(1024)
        handle(payload)

我会从 sudo 运行它（这样我就可以绑定到 udp 端口​​ 53）：

$ sudo python3 -i ./dns_python.py

但是我对它的请求超时了：

$ host cnn.com 127.0.0.1
;; connection timed out; no servers could be reached

我需要帮助来弄清楚如何成功地进行欺骗：

更多细节：

$ sudo python3 -i ./dns_python.py 
---------- Incoming ----------
###[ DNS ]### 
  id        = 59652
  qr        = 0
  opcode    = QUERY
  aa        = 0
  tc        = 0
  rd        = 1
  ra        = 0
  z         = 0
  ad        = 0
  cd        = 0
  rcode     = ok
  qdcount   = 1
  ancount   = 0
  nscount   = 0
  arcount   = 0
  \qd        \
   |###[ DNS Question Record ]### 
   |  qname     = 'cnn.com.'
   |  qtype     = A
   |  qclass    = IN
  an        = None
  ns        = None
  ar        = None

---------- Output ----------
###[ IP ]### 
  version   = 4
  ihl       = 5
  tos       = 0x0
  len       = 76
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = udp
  chksum    = 0x0
  src       = 127.0.0.1
  dst       = 127.0.0.1
  \options   \
###[ UDP ]### 
     sport     = domain
     dport     = 36774
     len       = 56
     chksum    = 0xb87f
###[ DNS ]### 
        id        = 59652
        qr        = 1
        opcode    = QUERY
        aa        = 1
        tc        = 0
        rd        = 1
        ra        = 1
        z         = 0
        ad        = 0
        cd        = 0
        rcode     = ok
        qdcount   = 1
        ancount   = 1
        nscount   = 0
        arcount   = 0
        \qd        \
         |###[ DNS Question Record ]### 
         |  qname     = 'cnn.com.'
         |  qtype     = A
         |  qclass    = IN
        \an        \
         |###[ DNS Resource Record ]### 
         |  rrname    = 'cnn.com.'
         |  type      = A
         |  rclass    = IN
         |  ttl       = 0
         |  rdlen     = 4
         |  rdata     = '192.168.1.100'
        ns        = None
        ar        = None

.
Sent 1 packets.

当我从 ngrep -d lo '' src 或 dst 端口 53 窗口观看时，我看到了数据包。任何帮助将不胜感激！

Answer 1

Scapy 不适用于 127.0.0.1 或环回接口

http://scapy.readthedocs.io/en/latest/troubleshooting.html

loopback接口是一个非常特殊的接口。通过它的数据包并没有真正组装和拆卸。内核将数据包路由到其目的地，同时仍存储内部结构。你用 tcpdump -i lo 看到的只是假的，让你觉得一切正常。内核不知道 Scapy 在背后做什么，所以你在 loopback 接口上看到的也是假的。除了这个不是来自本地结构。因此内核永远不会收到它。

为了与本地应用程序通信，您需要在上一层构建数据包，使用 PF_INET/SOCK_RAW 套接字而不是 PF_PACKET/SOCK_RAW（或 Linux 以外的其他系统上的等效项）：