Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md

3.9 KiB
Raw Blame History

Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

WhiteIntel

WhiteIntel ni injini ya utaftaji inayotumia dark-web ambayo inatoa huduma za bure kuchunguza ikiwa kampuni au wateja wake wame vamiwa na malware za wizi.

Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za wizi wa habari.

Unaweza kutembelea tovuti yao na kujaribu injini yao bure kwa:

{% embed url="https://whiteintel.io" %}

Ikiwa una pcap na data inayotolewa na DNSCat (bila kutumia encryption), unaweza kupata yaliyomo yaliyotolewa.

Unahitaji kujua kuwa baiti 9 za kwanza sio data halisi lakini zinahusiana na mawasiliano ya C&C:

from scapy.all import rdpcap, DNSQR, DNSRR
import struct

f = ""
last = ""
for p in rdpcap('ch21.pcap'):
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):

qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
qry = ''.join(_.decode('hex') for _ in qry)[9:]
if last != qry:
print(qry)
f += qry
last = qry

#print(f)

Kwa maelezo zaidi: https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap
https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md

Kuna script inayofanya kazi na Python3: https://github.com/josemlwdf/DNScat-Decoder

python3 dnscat_decoder.py sample.pcap bad_domain
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: