mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 13:43:24 +00:00
29 lines
928 B
Markdown
29 lines
928 B
Markdown
|
# DNSCat pcap analysis
|
||
|
|
|
||
|
|
If you have pcap with data being **exfiltrated by DNSCat** \(without using encryption\), you can find the exfiltrated content.
|
||
|
|
|
||
|
|
You only need to know that the **first 9 bytes** are not real data but are related to the **C&C communication**:
|
||
|
|
|
||
|
|
```python
|
||
|
|
from scapy.all import rdpcap, DNSQR, DNSRR
|
||
|
|
import struct
|
||
|
|
|
||
|
|
f = ""
|
||
|
|
last = ""
|
||
|
|
for p in rdpcap('ch21.pcap'):
|
||
|
|
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
|
||
|
|
|
||
|
|
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
|
||
|
|
qry = ''.join(_.decode('hex') for _ in qry)[9:]
|
||
|
|
if last != qry:
|
||
|
|
print(qry)
|
||
|
|
f += qry
|
||
|
|
last = qry
|
||
|
|
|
||
|
|
#print(f)
|
||
|
|
```
|
||
|
|
|
||
|
|
For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)
|
||
|
|
[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md)
|
||
|
|
|