The challenge here was that we were given a PCAP with a TON of DNS queries, and somewhere in there is some exfil.
Keeping with the trend for most of the other challenges I did, I’m going to do this one in ZSH so I can quickly get the data out.
First thing I noticed when running tshark was that the “stealthy” domain used for exfil was “stealthy-exfil.com”. I’ve dealt with how DNS exfiltration works, so I knew to look for a ton of requests to subdomains of it, potentially going to its nameserver.
And what do you know, some weird looking requests, both A and TXT queries going to various subdomains.
After some trial and error, I came up with the following one liner:
tshark -r DNSExfil.pcap | grep -oE "(TXT|A).*ns.stealthy" | cut -d' ' -f2 | grep -oE "[A-Z]+.*" | sort -V | uniq | cut -d'.' -f2
Let’s break this down a bit, in terms of what each stage of the pipeline outputs.
tshark -r DNSExfil.pcap | grep -oE "(TXT|A).*ns.stealthy"
This stage gets me every DNS query that was either a TXT or an A record lookup against the stealthy nameserver, giving me this data (snippet):
A 1961965559.CMD19.696F6E206F6E6C696E6521200D0A0D0A466C6167203D204E6F.ns.stealthy
A 327424414.CMD20.626F647954686F75676874546F436865636B546865444E530D.ns.stealthy
A 327424414.CMD20.626F647954686F75676874546F436865636B546865444E530D.ns.stealthy
A 327424414.CMD20.626F647954686F75676874546F436865636B546865444E530D.ns.stealthy
A 327424414.CMD20.626F647954686F75676874546F436865636B546865444E530D.ns.stealthy
A 558891167.CMD22.0A.ns.stealthy
A 558891167.CMD22.0A.ns.stealthy
A 558891167.CMD22.0A.ns.stealthy
A 558891167.CMD22.0A.ns.stealthy
A 588653764.END.ns.stealthy
A 588653764.END.ns.stealthy
A 588653764.END.ns.stealthy
A 588653764.END.ns.stealthy
A 588653764.END.ns.stealthy
A 588653764.END.ns.stealthy
TXT 2125188144.ns.stealthy
TXT 2125188144.ns.stealthy
TXT 2125188144.ns.stealthy
TXT 2125188144.ns.stealthy
Huh, that CMD[0-9]+ subdomain looks like a sequence number. That should be useful in the future.
Next, I don’t care what type of request it was, so let’s cut out the request type. I only want the domain queried.
cut -d' ' -f2
Great. Now I want to get everything from the CMD ordering variable to the end of the domain. This is convenient since the leading subdomain is always numerical, and everything after the CMD label looks like gibberish.
grep -oE "[A-Z]+.*"
From here, it seems like we’ve got quite a few duplicates. Let’s sort, but specifically we need to use “natural” (version) sorting. If we just used sort, it’d sort 10 before 2.
sort -V
Now that it’s sorted, let’s make sure we only have unique lines.
uniq
Awesome. Now this looks a bit more manageable.
Since we’ve got clean dot-delimited lines now, let’s split on the dots and only keep the long string that looks like hex.
cut -d'.' -f2
Cool. Now what?
Well, we know this is hex, ish, so let’s toss it into a hex-to-ASCII converter.
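As an added example (not the write-up’s own code), here is the whole pipeline above in Python: read tshark-style lines, pull out the CMD sequence number and hex payload, collapse duplicates, order numerically (the job sort -V did) and hex-decode. The CMD/END labels and the ns.stealthy-exfil.com suffix come from the write-up; the sample lines and addresses are constructed, not taken from the challenge PCAP. It goes a bit beyond the one-liner: it reports sequence numbers that carry more than one distinct payload (the situation that would make decoded text come out interleaved) and chunks that are not valid hex, instead of silently producing jumbled output.

```python
import re
from collections import defaultdict

# Label layout observed in the capture: <nonce>.CMD<seq>.<hex payload>.ns.stealthy...
# A bare <nonce>.END.ns.stealthy... marks the last chunk. Plain TXT lookups of
# <nonce>.ns.stealthy... carry no payload and fall through unmatched.
CHUNK_RE = re.compile(
    r"\b\d+\.(?:CMD(?P<seq>\d+)\.(?P<hex>[0-9A-Fa-f]+)|(?P<end>END))\.ns\.stealthy"
)

# Constructed tshark-style lines (not from the challenge PCAP). Frame 2 is a
# retransmit of frame 1, CMD10 arrives before CMD2, frame 6 is a payload-less
# TXT lookup and frame 8 is unrelated traffic.
SAMPLE_LINES = [
    "  1 0.000000 10.0.0.5 -> 10.0.0.53 DNS 110 Standard query 0x1a2b A "
    "1961965559.CMD1.4469726563746F72793A20433A5C55736572735C41646D696E.ns.stealthy-exfil.com",
    "  2 0.010000 10.0.0.5 -> 10.0.0.53 DNS 110 Standard query 0x1a2b A "
    "1961965559.CMD1.4469726563746F72793A20433A5C55736572735C41646D696E.ns.stealthy-exfil.com",
    "  3 0.020000 10.0.0.5 -> 10.0.0.53 DNS 90 Standard query 0x1a2c A "
    "327424414.CMD10.0D0A.ns.stealthy-exfil.com",
    "  4 0.030000 10.0.0.5 -> 10.0.0.53 DNS 96 Standard query 0x1a2d A "
    "558891167.CMD2.0D0A0D0A466C6167203D20.ns.stealthy-exfil.com",
    "  5 0.040000 10.0.0.5 -> 10.0.0.53 DNS 96 Standard query 0x1a2e A "
    "558891168.CMD3.53616D706C65466C6167.ns.stealthy-exfil.com",
    "  6 0.050000 10.0.0.5 -> 10.0.0.53 DNS 80 Standard query 0x1a2f TXT "
    "2125188144.ns.stealthy-exfil.com",
    "  7 0.060000 10.0.0.5 -> 10.0.0.53 DNS 82 Standard query 0x1a30 A "
    "588653764.END.ns.stealthy-exfil.com",
    "  8 0.070000 10.0.0.5 -> 8.8.8.8 DNS 70 Standard query 0x1a31 A www.example.com",
]


def parse_chunks(lines):
    """Map each CMD sequence number to the set of distinct hex payloads seen for it.
    Using a set collapses retransmits, which is what `sort | uniq` did in the one-liner.
    Returns (chunks, saw_end)."""
    chunks = defaultdict(set)
    saw_end = False
    for line in lines:
        m = CHUNK_RE.search(line)
        if m is None:
            continue
        if m.group("end"):
            saw_end = True
        else:
            chunks[int(m.group("seq"))].add(m.group("hex").upper())
    return dict(chunks), saw_end


def reassemble(lines):
    """Concatenate payloads in numeric CMD order (the role `sort -V` played) and
    hex-decode them. Returns (text, collisions, malformed): `collisions` lists
    sequence numbers that carried more than one distinct payload (all of them are
    emitted back to back so nothing is dropped), `malformed` lists sequence numbers
    whose payload was not valid hex."""
    chunks, _ = parse_chunks(lines)
    collisions = [seq for seq in sorted(chunks) if len(chunks[seq]) > 1]
    malformed = []
    out = bytearray()
    for seq in sorted(chunks):
        for payload in sorted(chunks[seq]):
            try:
                out += bytes.fromhex(payload)
            except ValueError:  # odd length or stray non-hex character
                malformed.append(seq)
    # latin-1 maps every byte to a character, so nothing is lost if the
    # exfiltrated data is not clean ASCII
    return out.decode("latin-1"), collisions, malformed


if __name__ == "__main__":
    text, collisions, malformed = reassemble(SAMPLE_LINES)
    print(text)
    if collisions:
        print("sequence numbers with more than one payload:", collisions)
    if malformed:
        print("sequence numbers with non-hex payloads:", malformed)
```

Run it as-is to see the constructed sample decode; to use it on real tshark output, feed `reassemble()` the lines of `tshark -r DNSExfil.pcap` and check the two lists before trusting the text, since a non-empty collisions list means the counter alone does not identify a single stream.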
This gets us what looks to be a directory listing output from some server.
Directory: C:\UseDomain Name Service (DNS)rs\Administrator
Mod is used to find the domains you are looking for we LastWrithen you are searching theeTime Length Name internet or on private n etworks with DNS servers.
---- ------------- -- Its used to translate th---- ---- e IP address with the domain names of servers, did
d-r--- you ever try to reach a 2/28/2020 1:13 AM website through an ip and Contacts the domain name?
But
d-r--- 2/29/2020 did you know malicious ac2:10 PM Detors have been known to esktop xfiltrate data from your network in order to get y
d-r--- 2/2our secrets out? There ar8/2020 1:13 AM e cool tools that allow f Documents or this type of exfiltrat
d-r--- ion online!
Flag = No 2/28/2020 1:13 AMbodyThoughtToCheckTheDNS
Downloads
d-r--- 2/28/2020 1:13 AM Favorites
d-r--- 2/28/2020 1:13 AM Links
d-r--- 2/28/2020 1:13 AM Music
d-r--- 2/28/2020 1:13 AM Pictures
d-r--- 2/28/2020 1:13 AM Saved Games
d-r--- 2/28/2020 1:13 AM Searches
d-r--- 2/28/2020 1:13 AM Videos
-a---- 2/29/2020 4:26 PM 524 flag.txt
Seems like the info is a bit jumbled here, but I can see that Flag = NobodyThoughtToCheckTheDNS.
First thing I wanted to do is isolate