HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
DNSCat pcap analysis
Support HackTricks and get benefits!
If you have pcap with data being exfiltrated by DNSCat (without using encryption), you can find the exfiltrated content.
You only need to know that the first 9 bytes are not real data but are related to the C&C communication:
from scapy.all import rdpcap, DNSQR, DNSRR
import struct
โ€‹
f = ""
last = ""
for p in rdpcap('ch21.pcap'):
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
โ€‹
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
qry = ''.join(_.decode('hex') for _ in qry)[9:]
if last != qry:
print(qry)
f += qry
last = qry
โ€‹
#print(f)
Support HackTricks and get benefits!
Copy link