DNSCat pcap analysis
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
If you have pcap with data being exfiltrated by DNSCat (without using encryption), you can find the exfiltrated content.
You only need to know that the first 9 bytes are not real data but are related to the C&C communication:
from scapy.all import rdpcap, DNSQR, DNSRR
import struct
f = ""
last = ""
for p in rdpcap('ch21.pcap'):
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
qry = ''.join(_.decode('hex') for _ in qry)[9:]
if last != qry:
print(qry)
f += qry
last = qry
#print(f)
For more information: https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md
There is a script that works with Python3: https://github.com/josemlwdf/DNScat-Decoder
python3 dnscat_decoder.py sample.pcap bad_domain
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Last updated