This was one of the exciting challenges that I solved lately. I’d even recommend this challenge to everyone who is interested in learning Network Forensics and more about the scapy module of python. So enough talk, let us get on with the challenge.
“Found this packet capture. Pretty sure there’s a flag in here. Can you find it!?”
Challenge File: dnscap.pcap
The description doesn’t give out any clues as to what the challenge is. So let us start analyzing. Opening the pcap, we find that there is a lot of DNS traffic. The data/payload in each of the packets is clearly some “hex” encoded text. Let us try to carve out all the hex data in the packets and see if we can make anything out of this.
from scapy.all import rdpcap, DNSQR
from binascii import unhexlify

r = rdpcap("dnscap.pcap")
for pkt in r:
    # every query name here is hex-encoded data split into dotted labels under skullseclabs.org
    if not pkt.haslayer(DNSQR):
        continue
    qname = pkt[DNSQR].qname.decode()
    hexdata = qname.replace(".skullseclabs.org.", "").replace(".", "")
    print(unhexlify(hexdata))
This gave some interesting output. Let us see.
So, this traffic was generated using dnscat2. To read more about “dnscat2”, click on this link.
In the output, I also found IEND. So there was a PNG file which was transmitted. Let us try to extract it, starting with where the PNG header begins.
Going through the dump, I found that the bytes related to the image start after skipping 9 bytes and also the extraction becomes tricky because there are a lot of re-transmits in between. So we need to put a check on that as well. Let us write a script for that now.
from scapy.all import rdpcap, DNSQR, DNSRR
from binascii import unhexlify

r = rdpcap("dnscap.pcap")
prev = b""
data = b""
for i, pkt in enumerate(r):
    # only the queries carry the upload; responses have a DNSRR layer
    if not (pkt.haslayer(DNSQR) and not pkt.haslayer(DNSRR)):
        continue
    qname = pkt[DNSQR].qname.decode()
    hexdata = qname.replace(".skullseclabs.org.", "").replace(".", "")
    # the first 9 decoded bytes of each packet are dnscat2 header, not file data
    chunk = unhexlify(hexdata)[9:]
    # a packet identical to the previous one is a re-transmit, skip it
    if chunk == prev:
        continue
    prev = chunk
    # the image sits between packets 7 and 364 of the capture
    if 6 < i < 365:
        data += chunk

with open("flag.png", "wb") as f:
    f.write(data)
So let us run this and see how it goes.
There are some junk bytes at the beginning, so let us remove those. And woah! We get the flag! (I know that there are junk bytes at the end too because I carved out the entire packets, but it doesn't matter because the PNG ends after IEND... lol)
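The reassembly above depends on two hand-found numbers (skip 9 header bytes, keep packets 7 to 364). The following is an added example, not the author's script, that generalizes the same steps so they work offline without the pcap: decode the hex labels of each query name, drop consecutive duplicate packets as re-transmits (compared on the full decoded packet, header included, so two genuinely equal data chunks with different sequence headers are not lost), and carve the image by its PNG signature and IEND trailer instead of fixed indices. The tunnel domain is taken from the writeup; the 9-byte header length, the sequence-number header layout and the sample query names are constructed for the example, and the embedded "PNG" is only a byte string with the right framing, not a valid image.

```python
import binascii
import re

DOMAIN = "skullseclabs.org"      # tunnel domain seen in the writeup
HEADER_LEN = 9                   # per-packet header bytes to skip (from the writeup)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IEND_TRAILER = b"IEND\xaeB`\x82"  # IEND chunk type + its fixed CRC


def decode_qname(qname):
    """Strip the tunnel domain, join the hex labels and decode them to bytes."""
    name = qname.rstrip(".")
    suffix = "." + DOMAIN
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    hexstr = name.replace(".", "")
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("not a hex-encoded label set: %s" % qname)
    return binascii.unhexlify(hexstr)


def reassemble(qnames, header_len=HEADER_LEN):
    """Concatenate payloads in capture order, skipping re-transmitted packets.

    Duplicate detection uses the whole decoded packet (header included), so a
    repeated sequence number is dropped but equal data under a new header is kept.
    """
    out = bytearray()
    prev = None
    for q in qnames:
        raw = decode_qname(q)
        if raw == prev:
            continue
        prev = raw
        out += raw[header_len:]
    return bytes(out)


def carve_png(stream):
    """Return the bytes from the PNG signature through the IEND trailer, or None."""
    start = stream.find(PNG_MAGIC)
    if start < 0:
        return None
    end = stream.find(IEND_TRAILER, start)
    if end < 0:
        return None
    return stream[start:end + len(IEND_TRAILER)]


# --- constructed sender side, only to produce sample input for the functions above ---

def encode_qname(seq, chunk):
    """Hypothetical sender: 9-byte big-endian sequence header + chunk, hex, 63-char labels."""
    header = seq.to_bytes(HEADER_LEN, "big")
    h = binascii.hexlify(header + chunk).decode()
    labels = [h[i:i + 63] for i in range(0, len(h), 63)]
    return ".".join(labels) + "." + DOMAIN + "."


def build_sample_capture():
    """Constructed upload: junk, a PNG-framed byte string, trailing junk, one re-transmit."""
    body = (b"junk:" + PNG_MAGIC
            + b"\x00\x00\x00\rIHDR" + b"\x00" * 13      # fake IHDR, no CRC
            + b"\x00\x00\x00\x00" + IEND_TRAILER
            + b"trailing")
    chunks = [body[i:i + 20] for i in range(0, len(body), 20)]
    qnames = []
    for seq, c in enumerate(chunks):
        q = encode_qname(seq, c)
        qnames.append(q)
        if seq == 1:
            qnames.append(q)  # simulate a re-transmitted packet
    return body, qnames


if __name__ == "__main__":
    body, qnames = build_sample_capture()
    png = carve_png(reassemble(qnames))
    print("carved %d bytes, starts with PNG signature: %s" % (len(png), png.startswith(PNG_MAGIC)))
```

On a real capture, feed `reassemble` the `qname` of every query packet in order (the same `haslayer(DNSQR) and not haslayer(DNSRR)` filter as the writeup) and let `carve_png` find the image; the junk bytes before the signature and after IEND fall away by construction.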
The flag is: b91011fc
That was a good challenge man! Good for everyone who wants to learn about DNS and scapy.
Please share and like it if it has helped you.