hacktricks/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
2024-05-05 17:56:05 +00:00

3.9 KiB

DNSCat pcap analysis

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

WhiteIntel

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

{% embed url="https://whiteintel.io" %}


If you have pcap with data being exfiltrated by DNSCat (without using encryption), you can find the exfiltrated content.

You only need to know that the first 9 bytes are not real data but are related to the C&C communication:

from scapy.all import rdpcap, DNSQR, DNSRR
import struct 

f = ""
last = ""
for p in rdpcap('ch21.pcap'):
	if p.haslayer(DNSQR) and not p.haslayer(DNSRR):

		qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
		qry = ''.join(_.decode('hex') for _ in qry)[9:]
		if last != qry:
			print(qry)
			f += qry
		last = qry

#print(f)

For more information: https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap
https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md

There is a script that works with Python3: https://github.com/josemlwdf/DNScat-Decoder

python3 dnscat_decoder.py sample.pcap bad_domain
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: