In the class "FOR558: Network Forensics" (SANS London 2012) we were given a sample PCAP of custom DNS tunneling in action.
Because I wanted to continue learning Python and dig deeper into network protocols, I decided to write a Python script to analyse this custom DNS tunneling.
- only use tools available on SIFT (slightly outdated Python version, no additional libs, …)
- focus on this custom DNS tunneling method found in the PCAP
After making a start on it in London, I've recently completed the script (as if a script could ever be "complete" …). You can find it below; use or modify it as you like, but if you do, please mention the origin of the source. Dropping me a note would be nice 🙂
The code is provided as-is; use it at your own risk. If it breaks something, it's not my problem…
Update 2013-04-07: The assumption mentioned in the script that terminating DNS names with 0x00 is an oddity of the tunnel software is wrong. It seems to be DNS client / resolver specific. Nevertheless, IMHO it's unnecessary, because the string length is laid out in a field of the protocol, regardless of the string being terminated with 0x00.
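The wire-format detail behind the update, as an added Python 3 example that is not the script described in this post: each label carries its own length octet, and the name ends with a zero-length root label (0x00), which is what a parser treats as the terminator. The query bytes and the base domain `tunnel.example` are constructed sample data, not taken from the course PCAP.

```python
import struct

def encode_name(name):
    """Wire-format name: one length octet per label, then the 0x00 root label."""
    return b"".join(bytes([len(l)]) + l for l in name.encode().split(b".")) + b"\x00"

def parse_name(msg, offset):
    """Return (labels, offset after the name). Follows RFC 1035 compression pointers."""
    labels, next_off, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name: no terminating 0x00 label")
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if next_off is None:            # resume after the first pointer seen
                next_off = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = ptr
            continue
        if length > 63:
            raise ValueError("label longer than 63 octets")
        offset += 1
        if length == 0:                     # zero-length root label ends the name
            break
        labels.append(msg[offset:offset + length])
        offset += length
    return labels, (offset if next_off is None else next_off)

def tunnel_payload(msg, offset, base_domain):
    """Join the labels left of base_domain: the bytes a tunnel hides in the QNAME."""
    labels, end = parse_name(msg, offset)
    base = base_domain.lower().encode().split(b".")
    if [l.lower() for l in labels[-len(base):]] != base:
        return None, end                    # not a query for the tunnel domain
    return b"".join(labels[:-len(base)]), end

# Constructed sample query: ID 0x1234, RD set, one question, QTYPE TXT, QCLASS IN.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + encode_name("seg1.seg2.tunnel.example") + b"\x00\x10\x00\x01")

if __name__ == "__main__":
    print(tunnel_payload(SAMPLE_QUERY, 12, "tunnel.example"))  # (b'seg1seg2', 38)
```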