After getting the pcap from Josh Dosis, opening it up in Wireshark gives us:
Going to Statistics > Protocol Hierarchy shows that many of the packets are DNS.
Filtering the pcap to only show DNS reveals that it is all TXT requests. DNS TXT records are used to store extra information about a host, but they are also a covert way to transfer data, e.g. DNS tunneling. One of the more popular tools to do this is iodine.
Inspecting the hex dump of the packet, it seems that the part of the TXT record we're interested in is Base64 encoded, as the trailing == padding suggests.
SANS provides a Python script which you are intended to modify to pull out the payload, but tshark will do it easily:
tshark -T fields -Y dns -e dns.txt -r gnome.pcap | while read txt; do echo "$txt" | base64 -d; done
The first question was "what commands were sent across the gnome's C&C channel." The answer to that is evident in the first several lines of the output here: The commands executed were "iwconfig" and "cat /tmp/iwlistscan.txt"
Farther down, the output dissolves into unprintable characters. But just before that it says that the file "/root/Pictures/snapshot_CURRENT.jpg" was being transferred. So now we need to carve the jpg out. A simple "binwalk -e output" extracts the jpg giving us:
Which is the answer to the second question, "What image appears in the file sent across the C&C by the Dosis gnome."
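As an added example (not from the original writeup or the SANS script), here is a Python version of the decode-and-carve step: it takes the dns.txt values tshark printed, restores any Base64 padding a tunnel stripped, concatenates the decoded bytes, lists the printable lines where the commands and the file name show up, and carves the JPEG by its SOI/EOI markers instead of running binwalk. The TXT values below are constructed stand-ins, not data from gnome.pcap.

```python
import base64
import string

# Constructed stand-ins for the dns.txt values tshark prints, one per TXT
# record. They are NOT from the real gnome.pcap; the file name line and the
# tiny fake JPEG only imitate the shape of the decoded stream.
SAMPLE_TXT_RECORDS = [
    base64.b64encode(b"iwconfig\n").decode(),
    base64.b64encode(b"cat /tmp/iwlistscan.txt\n").decode(),
    base64.b64encode(b"/root/Pictures/snapshot_CURRENT.jpg\n").decode(),
    # padding deliberately stripped to exercise the repair below
    base64.b64encode(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00").decode().rstrip("="),
    base64.b64encode(b"fake-pixel-data\xff\xd9").decode(),
]

PRINTABLE = set(string.printable.encode())


def decode_records(records):
    """Base64-decode each TXT value and concatenate into one byte stream.
    Padding is restored first, since some tunnels drop the trailing '='."""
    out = bytearray()
    for rec in records:
        rec = rec.strip()
        if not rec:
            continue
        rec += "=" * (-len(rec) % 4)
        out += base64.b64decode(rec)
    return bytes(out)


def printable_lines(data):
    """Lines of the stream made only of printable ASCII: this is where the
    commands and the transferred file name appear before the binary data."""
    return [ln.decode() for ln in data.split(b"\n")
            if ln and all(b in PRINTABLE for b in ln)]


def carve_jpeg(data):
    """Carve the first JPEG out of the stream using its markers:
    SOI ff d8 ff at the start, last EOI ff d9 at the end."""
    start = data.find(b"\xff\xd8\xff")
    end = data.rfind(b"\xff\xd9")
    if start == -1 or end == -1 or end < start:
        return None
    return data[start:end + 2]


if __name__ == "__main__":
    stream = decode_records(SAMPLE_TXT_RECORDS)
    print("\n".join(printable_lines(stream)))
    jpeg = carve_jpeg(stream)
    if jpeg:
        with open("carved.jpg", "wb") as fh:
            fh.write(jpeg)
```

To use it on the real capture, feed the lines from the tshark pipeline above (without the base64 -d step) into decode_records instead of the sample list.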
f3n3s7ra