#!/usr/bin/env python
# Copyright (C) 2014 Alessandro Tanasi (@jekil)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
import sys
import argparse
from datetime import datetime
try:
    from twisted.internet.protocol import Factory, Protocol
    from twisted.internet import reactor
    from twisted.names import client, dns, server
except ImportError as e:
    print(f"Twisted requirement is missing, please install it with `pip install twisted`. Error: {e}")
    sys.exit()

try:
    from sqlalchemy import Column, DateTime, Integer, String, create_engine
    from sqlalchemy.ext.declarative import declarative_base
    from sqlalchemy.orm import Session
except ImportError as e:
    print(f"SQLAlchemy requirement is missing, please install it with `pip install sqlalchemy`. Error: {e}")
    sys.exit()
else:
    # Declarative base shared by the ORM models defined below.
    Base = declarative_base()
class Dns(Base):
    """Log table for DNS entries.

    One row per received DNS message, written by
    HoneyDNSServerFactory.log(). Only the first question of a message is
    recorded (dns_name / dns_type / dns_cls).
    """
    __tablename__ = "dns"
    id = Column(Integer, primary_key=True)
    # "UDP" or "TCP", depending on how the query arrived.
    transport = Column(String)
    # Source IP address and source port of the querying host.
    src = Column(String)
    src_port = Column(Integer)
    # Queried name and the textual record type / class (e.g. "A", "IN");
    # numeric values Twisted cannot name are stored as "UNKNOWN (<n>)".
    dns_name = Column(String)
    dns_type = Column(String)
    dns_cls = Column(String)
    # Naive local wall-clock time of insertion (datetime.now, not UTC).
    created_at = Column(DateTime, default=datetime.now)
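class HoneyDNSServerFactory(server.DNSServerFactory):
    """DNS honeypot.

    Every received message is logged to the ``dns`` table, then either
    forwarded to the configured upstream resolver or dropped without a
    reply: each source IP gets ``opts.req_count`` resolved requests per
    ``opts.req_timeout``-second window (the window slides with every
    message from that source), after which its queries go unanswered.

    Forwarding makes the honeypot a (rate-limited) open resolver, so keep
    ``req_count`` small.

    @see: https://notmysock.org/blog/hacks/a-twisted-dns-story.html
    @see: https://blog.inneoin.org/2009/11/i-used-twisted-to-create-dns-server.html
    """
    # Per-source request state: src_ip -> {"count": int, "last_seen": datetime}.
    # Class-level, so shared by every instance. Entries are never pruned,
    # so the table grows with the number of distinct sources ever seen.
    request_log = {}
    # CLI options (argparse namespace); must be assigned by the creator
    # before the first message arrives.
    opts = None

    def messageReceived(self, message, proto, address=None):
        """Log the query, then forward it only while the source is under quota.

        Called by Twisted for every inbound DNS message.

        @param message: the parsed ``dns.Message``.
        @param proto: the protocol instance that received it.
        @param address: ``(host, port)`` for UDP; ``None`` for TCP, where the
            peer is read from ``proto.transport`` instead.
        @return: the parent's ``messageReceived`` result when the request is
            forwarded, ``None`` when it is dropped.
        """
        entry = self._describe(message, proto, address)
        self.log(entry)
        # A message without a question section has nothing to resolve; it is
        # logged but never forwarded (indexing queries[0] would fail on it).
        if not message.queries:
            return None
        # Forward the request to the DNS server only if match set conditions,
        # otherwise act as honeypot.
        if self._allow(entry["src_ip"]):
            return server.DNSServerFactory.messageReceived(self, message, proto, address)
        return None

    @staticmethod
    def _describe(message, proto, address):
        """Build the log dict (transport, src_ip, src_port, dns_*) for a message.

        Only the first question is described; the dns_* fields are ``None``
        when the message carries no question at all.
        """
        entry = {}
        if address is not None:
            entry["transport"] = "UDP"
            entry["src_ip"] = address[0]
            entry["src_port"] = address[1]
        else:
            peer = proto.transport.getPeer()
            entry["transport"] = "TCP"
            entry["src_ip"] = peer.host
            entry["src_port"] = peer.port
        if message.queries:
            query = message.queries[0]
            entry["dns_name"] = query.name.name
            entry["dns_type"] = dns.QUERY_TYPES.get(
                query.type, dns.EXT_QUERIES.get(query.type, "UNKNOWN (%d)" % query.type))
            entry["dns_cls"] = dns.QUERY_CLASSES.get(query.cls, "UNKNOWN (%d)" % query.cls)
        else:
            entry["dns_name"] = entry["dns_type"] = entry["dns_cls"] = None
        return entry

    def _allow(self, src_ip):
        """Update the per-source counter; return True if this request may be forwarded.

        A source not seen within ``opts.req_timeout`` seconds starts a fresh
        window with one request. Inside the window, requests are forwarded
        until ``opts.req_count`` have been; later ones only refresh
        ``last_seen``, so the window keeps sliding while the source keeps
        querying.
        """
        now = datetime.now()
        state = self.request_log.get(src_ip)
        if state is None or (now - state["last_seen"]).total_seconds() >= self.opts.req_timeout:
            self.request_log[src_ip] = {"count": 1, "last_seen": now}
            return True
        state["last_seen"] = now
        if state["count"] < self.opts.req_count:
            state["count"] += 1
            return True
        return False

    def log(self, data):
        """Print the entry when ``--verbose`` is set and persist it as a ``Dns`` row.

        Uses the module-level ``session`` created by the startup code.
        """
        if self.opts.verbose:
            print(data)
        record = Dns(transport=data["transport"], src=data["src_ip"], src_port=data["src_port"],
                     dns_name=data["dns_name"], dns_type=data["dns_type"], dns_cls=data["dns_cls"])
        session.add(record)
        session.commit()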
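def main(argv=None):
    """Parse CLI options, prepare the log database and run the honeypot.

    Sets the module globals ``opts`` and ``session`` that
    ``HoneyDNSServerFactory`` reads, then blocks in the reactor loop.

    @param argv: argument list to parse; ``None`` means ``sys.argv[1:]``.
    """
    global opts, session

    parser = argparse.ArgumentParser()
    parser.add_argument("server", type=str, help="DNS server IP address")
    parser.add_argument("--server-port", type=int, default=53, help="upstream DNS server port")
    parser.add_argument("-p", "--dns-port", type=int, default=5053, help="DNS honeypot port")
    parser.add_argument("-c", "--req-count", type=int, default=3, help="how many request to resolve")
    parser.add_argument("-t", "--req-timeout", type=int, default=86400, help="timeout to re-start resolving requests")
    # SQLAlchemy URL form: scheme, three slashes, then a relative file path.
    parser.add_argument("-s", "--sql", type=str, default="sqlite:///db.sqlite3", help="database connection string")
    parser.add_argument("-v", "--verbose", action="store_true", help="print each request")
    opts = parser.parse_args(argv)

    # DB setup: engine, a session shared with the factory, and the schema.
    engine = create_engine(opts.sql, echo=False)
    session = Session(engine)
    Base.metadata.create_all(engine)

    # Twisted logging verbosity for the factory and protocol.
    verbosity = 3

    # Create DNS honeypot: queries under quota are resolved through the
    # upstream server given on the command line.
    resolver = client.Resolver(servers=[(opts.server, opts.server_port)])
    factory = HoneyDNSServerFactory(clients=[resolver], verbose=verbosity)
    factory.opts = opts
    protocol = dns.DNSDatagramProtocol(factory)
    factory.noisy = protocol.noisy = verbosity

    # Bind and run on UDP and TCP.
    reactor.listenUDP(opts.dns_port, protocol)
    reactor.listenTCP(opts.dns_port, factory)
    reactor.run()


if __name__ == "__main__":
    main()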