DNSCat pcap analysis

If you have pcap with data being exfiltrated by DNSCat (without using encryption), you can find the exfiltrated content.

You only need to know that the first 9 bytes are not real data but are related to the C&C communication:

from scapy.all import rdpcap, DNSQR, DNSRR
import struct 

f = ""
last = ""
for p in rdpcap('ch21.pcap'):
    if p.haslayer(DNSQR) and not p.haslayer(DNSRR):

        qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
        qry = ''.join(_.decode('hex') for _ in qry)[9:]
        if last != qry:
            print(qry)
            f += qry
        last = qry

#print(f)

For more information: https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md

Last updated