DNSCat pcap analysis
WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.
Their primary goal of WhiteIntel is to combat account takeovers and ransomware attacks resulting from information-stealing malware.
You can check their website and try their engine for free at:
If you have pcap with data being exfiltrated by DNSCat (without using encryption), you can find the exfiltrated content.
You only need to know that the first 9 bytes are not real data but are related to the C&C communication:
For more information: https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md
There is a script that works with Python3: https://github.com/josemlwdf/DNScat-Decoder
Last updated