hex to scapy dns- for Sharing Code and Text.

TEXT 26

hex to scapy dns

Guest on 16th March 2023 01:28:16 PM

firefly:~ user$ cut -c10- pkt.hex
4500 0073 8276 0000 3e11 10dd 81aa 1104
81aa d4ce 0035 fcb1 005f d5bb 6d0f 8180
0001 0000 0001 0000 0574 6168 6f65 0263
7309 6461 7274 6d6f 7574 6803 6564 7500
001c 0001 c012 0006 0001 0000 0b70 0023
c012 0a70 6f73 746d 6173 7465 72c0 1200
0500 4300 0012 c000 000e 1000 000e 1000
000e 10
firefly:~ user$ cut -c10- pkt.hex | xxd -rp > pkt.bin
// Check that it worked as intended:
firefly:~ user$ xxd pkt.bin
0000000: 4500 0073 8276 0000 3e11 10dd 81aa 1104 E..s.v..>.......
0000010: 81aa d4ce 0035 fcb1 005f d5bb 6d0f 8180 .....5..._..m...
0000020: 0001 0000 0001 0000 0574 6168 6f65 0263 .........tahoe.c
0000030: 7309 6461 7274 6d6f 7574 6803 6564 7500 s.dartmouth.edu.
0000040: 001c 0001 c012 0006 0001 0000 0b70 0023 .............p.#
0000050: c012 0a70 6f73 746d 6173 7465 72c0 1200 ...postmaster...
0000060: 0500 4300 0012 c000 000e 1000 000e 1000 ..C.............
0000070: 000e 10
// Now to feed it to scapy:
firefly:~ user$ scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.1)
>>> f = open("pkt.bin", "r")
>>> buff = f.read()
>>> len(buff)
115
>>> hexdump(buff)
0000 45 00 00 73 82 76 00 00 3E 11 10 DD 81 AA 11 04 E..s.v..>.......
0010 81 AA D4 CE 00 35 FC B1 00 5F D5 BB 6D 0F 81 80 .....5..._..m...
0020 00 01 00 00 00 01 00 00 05 74 61 68 6F 65 02 63 .........tahoe.c
0030 73 09 64 61 72 74 6D 6F 75 74 68 03 65 64 75 00 s.dartmouth...
0040 00 1C 00 01 C0 12 00 06 00 01 00 00 0B 70 00 23 .............p.#
0050 C0 12 0A 70 6F 73 74 6D 61 73 74 65 72 C0 12 00 ...postmaster...
0060 05 00 43 00 00 12 C0 00 00 0E 10 00 00 0E 10 00 ..C.............
0070 00 0E 10 ...
>>> IP(buff).show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 115
id= 33398
flags=
frag= 0L
ttl= 62
proto= udp
chksum= 0x10dd
src= 129.170.17.4
dst= 129.170.212.206
\options\
###[ UDP ]###
sport= domain
dport= 64689
len= 95
chksum= 0xd5bb
###[ DNS ]###
id= 27919
qr= 1L
opcode= QUERY
aa= 0L
tc= 0L
rd= 1L
ra= 1L
z= 0L
ad= 0L
cd= 0L
rcode= ok
qdcount= 1
ancount= 0
nscount= 1
arcount= 0
\qd\
|###[ DNS Question Record ]###
| qname= '...cs.dartmouth...'
| qtype= AAAA
| qclass= IN
an= None
\ns\
|###[ DNS Resource Record ]###
| rrname= '...dartmouth...'
| type= SOA
| rclass= IN
| ttl= 2928
| rdlen= 35
| rdata= '\xc0\x12\npostmaster\xc0\x12\x00\x05\x00C\x00\x00\x12\xc0\x00\x00\x0e\x10\x00\x00\x0e\x10\x00\x00\x0e\x10'
ar= None
>>>
[1]+ Stopped scapy
// OK, so this is a SOA record, which I got for asking 129.170.17.4 for the
// AAAA record of
129.170.17.4 doesn't know, but
// delegates to
// Do I get the same when I ask for that record?
firefly:~ user$ dig @129.170.17.4 aaaa ..dartmouth...
; <<>> DiG 9.8.3-P1 <<>> @129.170.17.4 aaaa
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
// Too bad 129.170.17.4 will not answer to my home network! So I run the same
// command on tahoe:
firefly:~ user$ ssh tahoe dig @129.170.17.4 aaaa
; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> @129.170.17.4 aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51302
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;
. IN AAAA
;; AUTHORITY SECTION:
cs.dartmouth.edu. 3600 IN SOA ...dartmouth...
postmaster...
327747 4800 3600 3600 3600
;; Query time: 1 msec
;; SERVER: 129.170.17.4#53(129.170.17.4)
;; WHEN: Thu Jun 01 19:30:23 EDT 2017
;; MSG SIZE rcvd: 98

Raw Paste

firefly:~ user$ cut -c10-  pkt.hex
4500 0073 8276 0000 3e11 10dd 81aa 1104
81aa d4ce 0035 fcb1 005f d5bb 6d0f 8180
0001 0000 0001 0000 0574 6168 6f65 0263
7309 6461 7274 6d6f 7574 6803 6564 7500
001c 0001 c012 0006 0001 0000 0b70 0023
c012 0a70 6f73 746d 6173 7465 72c0 1200
0500 4300 0012 c000 000e 1000 000e 1000
000e 10

firefly:~ user$ cut -c10-  pkt.hex | xxd -rp > pkt.bin

// Check that it worked as intended:

firefly:~ user$ xxd pkt.bin
0000000: 4500 0073 8276 0000 3e11 10dd 81aa 1104  E..s.v..>.......
0000010: 81aa d4ce 0035 fcb1 005f d5bb 6d0f 8180  .....5..._..m...
0000020: 0001 0000 0001 0000 0574 6168 6f65 0263  .........tahoe.c
0000030: 7309 6461 7274 6d6f 7574 6803 6564 7500  s.dartmouth.edu.
0000040: 001c 0001 c012 0006 0001 0000 0b70 0023  .............p.#
0000050: c012 0a70 6f73 746d 6173 7465 72c0 1200  ...postmaster...
0000060: 0500 4300 0012 c000 000e 1000 000e 1000  ..C.............
0000070: 000e 10

// Now to feed it to scapy:

firefly:~ user$ scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.1)
>>> f = open("pkt.bin", "r")
>>> buff = f.read() 
>>> len(buff)
115
>>> hexdump(buff)
0000   45 00 00 73 82 76 00 00  3E 11 10 DD 81 AA 11 04   E..s.v..>.......
0010   81 AA D4 CE 00 35 FC B1  00 5F D5 BB 6D 0F 81 80   .....5..._..m...
0020   00 01 00 00 00 01 00 00  05 74 61 68 6F 65 02 63   .........tahoe.c
0030   73 09 64 61 72 74 6D 6F  75 74 68 03 65 64 75 00   s.dartmouth...
0040   00 1C 00 01 C0 12 00 06  00 01 00 00 0B 70 00 23   .............p.#
0050   C0 12 0A 70 6F 73 74 6D  61 73 74 65 72 C0 12 00   ...postmaster...
0060   05 00 43 00 00 12 C0 00  00 0E 10 00 00 0E 10 00   ..C.............
0070   00 0E 10                                           ...

>>> IP(buff).show()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 115
  id= 33398
  flags= 
  frag= 0L
  ttl= 62
  proto= udp
  chksum= 0x10dd
  src= 129.170.17.4
  dst= 129.170.212.206
  \options\
###[ UDP ]###
     sport= domain
     dport= 64689
     len= 95
     chksum= 0xd5bb
###[ DNS ]###
        id= 27919
        qr= 1L
        opcode= QUERY
        aa= 0L
        tc= 0L
        rd= 1L
        ra= 1L
        z= 0L
        ad= 0L
        cd= 0L
        rcode= ok
        qdcount= 1
        ancount= 0
        nscount= 1
        arcount= 0
        \qd\
         |###[ DNS Question Record ]###
         |  qname= '...cs.dartmouth...'
         |  qtype= AAAA
         |  qclass= IN
        an= None
        \ns\
         |###[ DNS Resource Record ]###
         |  rrname= '...dartmouth...'
         |  type= SOA
         |  rclass= IN
         |  ttl= 2928
         |  rdlen= 35
         |  rdata= '\xc0\x12\npostmaster\xc0\x12\x00\x05\x00C\x00\x00\x12\xc0\x00\x00\x0e\x10\x00\x00\x0e\x10\x00\x00\x0e\x10'
        ar= None
>>> 
[1]+  Stopped                 scapy

// OK, so this is a SOA record, which I got for asking 129.170.17.4 for the 
//    AAAA record of 
129.170.17.4 doesn't know, but
//    delegates to

// Do I get the same when I ask for that record?

firefly:~ user$ dig @129.170.17.4 aaaa ..dartmouth...

; <<>> DiG 9.8.3-P1 <<>> @129.170.17.4 aaaa 
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

// Too bad 129.170.17.4 will not answer to my home network! So I run the same
//   command on tahoe:

firefly:~ user$ ssh tahoe dig @129.170.17.4 aaaa

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> @129.170.17.4 aaaa 
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51302
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;
.		IN	AAAA

;; AUTHORITY SECTION:
cs.dartmouth.edu.	3600	IN	SOA ...dartmouth... 
postmaster... 
327747 4800 3600 3600 3600

;; Query time: 1 msec
;; SERVER: 129.170.17.4#53(129.170.17.4)
;; WHEN: Thu Jun 01 19:30:23 EDT 2017
;; MSG SIZE  rcvd: 98