PyScript Domains > 72 Char.

Last night I was reading one of the go-to blue team compendiums, Blue Team Handbook, by Don Murdoch and it was going over the anomalies that one should look out for when it comes to analyzing DNS traffic. I've also been trying to get my novice python skills to a place where I can comfortably automate tasks for both ease and efficiency.

So I decided I'd try put together a script to extract domain names > 7s characters in length and another script where I extracted the domain names and do a whois lookup to see if they were created < 7 days ago. The whois script i've been having some issues with, but the script focusing on domain length I wanted to post here for anyone knew to python and infosec that man want to get some ideas for themselves.

I know all of this can be done with Tshark, Wireshark, Zeek or any other analyzer, but this was mostly for practice.

# DomainLength Script

import pyshark

def extractDomains(pcap_file):

domains = set()

cap = pyshark.FileCapture(pcap_file, display_filter='dns.qry.name')

for packet in cap:

try:

domain = packet.dns.qry_name.lower()

domains.add(domain)

except AttributeError:

pass

return domains

def main():

pcap_file = 'sample.pcap'

domains = extractDomains(pcap_file)

if not domains:

print("No domains found in the pcap!!")

return

bigDomains = [domain for domain in domains if len(domain) > 72]

if not bigDomains:

print("No domains > 72 characters!")

else:

print("Domains > 72 characters:")

for domain in bigDomains:

print(domain)

if __name__ == "__main__":

main()

Happy Hunting!