Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

DNSCat pcap analysis

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

WhiteIntel

WhiteIntel ni injini ya utaftaji inayotumiwa na dark-web inayotoa huduma za bure kuchunguza ikiwa kampuni au wateja wake wame vamiwa na malware za wizi.

Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za wizi wa habari.

Unaweza kutembelea tovuti yao na kujaribu injini yao bure kwa:

Ikiwa una pcap na data inayotolewa na DNSCat (bila kutumia encryption), unaweza kupata yaliyomo yaliyotolewa.

Unahitaji kujua kuwa baiti 9 za kwanza sio data halisi lakini zinahusiana na mawasiliano ya C&C:

from scapy.all import rdpcap, DNSQR, DNSRR
import struct

f = ""
last = ""
for p in rdpcap('ch21.pcap'):
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):

qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
qry = ''.join(_.decode('hex') for _ in qry)[9:]
if last != qry:
print(qry)
f += qry
last = qry

#print(f)

Kwa habari zaidi: https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md

Kuna script inayofanya kazi na Python3: https://github.com/josemlwdf/DNScat-Decoder

python3 dnscat_decoder.py sample.pcap bad_domain
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

PreviousPcap InspectionNextSuricata & Iptables cheatsheet

Last updated