2020-07-15 15:43:14 +00:00
# DNSCat pcap analysis
2021-10-18 11:21:18 +00:00
If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
You only need to know that the **first 9 bytes** are not real data but are related to the** C\&C communication**:
2020-07-15 15:43:14 +00:00
```python
from scapy.all import rdpcap, DNSQR, DNSRR
import struct
f = ""
last = ""
for p in rdpcap('ch21.pcap'):
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
qry = ''.join(_.decode('hex') for _ in qry)[9:]
if last != qry:
print(qry)
f += qry
last = qry
#print(f)
```
2021-10-18 11:21:18 +00:00
For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap ](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap )\
2020-07-15 15:43:14 +00:00
[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md ](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md )