VP 220: DNS (95 pts)

Purpose

Understand DNS and monitor it with Python, to detect botnet traffic.

Understanding DNS

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220.php

Open Wireshark and start sniffing traffic. In the Filter bar, enter

dns
You see a series of DNS requests scroll by, as shown below.

Notice the servernames, outlined in red in the image below.

This is how traffic looks when a machine is infected by remote control malware, and "beaconing" or sending stolen data back to a Command & Control server. It makes a series of requests to the server over DNS, HTTP, or another protocol containing obfuscated data.

In this project, you'll write scripts to harvest the DNS traffic and find the concealed data in it.

Using Scapy

Scapy is a Python library that processes network packets.

Execute this command to download and install the Scapy library:

python3 -m pip install scapy
In a text editor, create a file named dns1.py containing this code, as shown below:
from scapy.all import *

def findDNS(p):
  if p.haslayer(DNS):
    print(p.summary())
    print(p.display())

sniff(prn=findDNS)
Run the program. Make sure the "VP220.php" page is open.

You see a lot of data about the DNS requests scroll by, as shown below.

Press Ctrl+C to stop the program.

A Cleaner DNS Monitor

In a text editor, create a file named dns2.py containing this code, as shown below:
from scapy.all import *

def findDNS(p):
  if p.haslayer(DNS):
    print(p[IP].src, p[DNS].summary())

sniff(prn=findDNS)
Run the program. The output is much cleaner, as shown below.

Press Ctrl+C to stop the program.

Flag VP 220.1: DNS Server Name (5 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-1.php

Monitor the DNS requests. After a while you'll find the flag, as shown below.

Flag VP 220.2: DNS Server Name (5 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-2.php

Monitor the DNS requests. After a while you'll find the flag.

Flag VP 220.3: DNS Server Name (10 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-3.php

Monitor the DNS requests. Some of the requests are different from the others, and they contain the flag.

Flag VP 220.4: Special Names (15 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-4.php

Monitor the DNS requests. Some of the requests are different from the others, and they contain the flag.

Hints

  • Write a script that prints out only the server names, as shown below.
  • Find the names that are different and remove all the others.
  • You can open multiple copies of the page to get more requests faster.
  • Compare the special server names.

Flag VP 220.5: Hex Encoding (15 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-5.php

Monitor the DNS requests. Some of the requests contain the flag, but they are encoded.

Hints

Flag VP 220.6: Binary Encoding (15 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-6.php

Monitor the DNS requests. Some of the requests contain the flag, but they are encoded.

Flag VP 220.7: Base32 Encoding (30 pts)

In a Web browser, open this page:

https://samsclass.info/124/proj14/VP220-7.php

Monitor the DNS requests. Some of the requests contain the flag, but they are encoded.

The Dark Side of the DNS


Updated to Python 3 6-30-2020