dnshunter is a Python module written for MercenaryHuntFramework and Mercenary-Linux. Currently it reads in .pcap files and extracts the DNS queries and answers. In addition, it performs a geo-lookup of the queried domains and their associated IPs, which makes it easier to spot attacks such as DNS cache poisoning and DNS beacons. This tutorial was written for running dnshunter on Mercenary-Linux; on another platform additional dependencies may be required.
Download and Prepare
sudo apt-get install libgeoip-dev && sudo pip install geoip scapy
git clone https://github.com/slacker007/DNShunter
Ensure that the neo4j service is running (see "Custom Modules")
Open a terminal and run the following to view the available options:
python dnshunter.py --help
dnshunter against a PCAP
python dnshunter.py -f filename
Run dnshunter against a PCAP and pipe the output to grep, looking for query lines ([Q]) that contain the keyword "jeffjumps":
./dnshunter.py -f filename | grep '[Q]' | grep 'jeffjumps'
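To show what the query/answer extraction described above does at the wire level, here is an added example (not dnshunter's own code) that parses a raw DNS message, following RFC 1035 name-compression pointers, and tags each record "Q" or "A" in the spirit of the [Q] lines the grep above looks for. The sample packet is constructed inline, not taken from a real capture; a real pcap would need the Ethernet/IP/UDP headers stripped first (scapy's DNS layer does that for dnshunter).

```python
import struct

def read_name(buf, off):
    """Decode a DNS name at `off`; returns (dotted name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:            # 2-byte compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                  # stream continues after the first pointer
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:                      # refuse pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_dns(buf):
    """Return [("Q"|"A", name, value), ...] from one raw DNS message (no IP/UDP headers)."""
    _ident, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", buf, 0)
    off, records = 12, []
    for _ in range(qd):                        # question section: name, QTYPE, QCLASS
        name, off = read_name(buf, off)
        qtype, _qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        records.append(("Q", name, qtype))
    for _ in range(an):                        # answer section: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
        name, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        if rtype == 1 and rdlen == 4:          # A record: dotted IPv4
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                       # CNAME: another, possibly compressed, name
            value = read_name(buf, off)[0]
        else:
            value = rdata.hex()
        off += rdlen
        records.append(("A", name, value))
    return records

# Constructed sample response (not a real capture): example.com A 93.184.216.34, www CNAME example.com
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
          + b"\x03www\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x0c")

if __name__ == "__main__":
    for tag, name, value in parse_dns(SAMPLE):
        print("[%s] %s -> %s" % (tag, name, value))
```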