DNS Exfiltration RC4 Decryptor
#!/usr/bin/python2.7
# -*- coding: utf8 -*-
from base64 import b64decode, b32decode
#========================================================================================================#
# Adapted from the server side of DNSExfiltrator (ref: https://github.com/Arno0x/DNSExfiltrator/blob/master/dnsexfiltrator.py) #
#========================================================================================================#
#------------------------------------------------------------------------
# Class providing RC4 encryption/decryption functions
#------------------------------------------------------------------------
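class RC4:
    """Minimal RC4 stream cipher, kept only to decrypt DNSExfiltrator payloads.

    RC4 is cryptographically broken (biased keystream) and provides no
    integrity protection: a wrong key yields garbage without any error.
    It is used here solely because DNSExfiltrator encrypts its payloads
    with it; do not reuse this class to protect new data.

    The object is stateful: each ``binaryDecrypt`` call continues the
    keystream where the previous call stopped, so the chunks of one
    ciphertext must be fed in order, and a fresh instance (or a new
    ``init``) is needed for every independent ciphertext.

    Works unchanged on Python 2.7 and 3: the original used ``range(256)``
    as a mutable list and ``xrange``, both of which break on Python 3.
    """

    def __init__(self, key=None):
        """Create the cipher and, if ``key`` is given, run the key schedule.

        ``key`` may be ``str``, ``bytes`` or ``bytearray``. Text keys are
        encoded as UTF-8, which matches the bytes the original Python 2
        script saw for a literal under its ``# -*- coding: utf8 -*-``.
        """
        # Permutation table S and the two PRGA indices (i and j in the spec).
        self.state = list(range(256))
        self.x = self.y = 0
        if key is not None:
            self.key = key
            self.init(key)

    # Key schedule (KSA)
    def init(self, key):
        """Run the RC4 key-scheduling algorithm for ``key``.

        Rebuilds the permutation from the identity and resets both stream
        indices, so calling it again re-keys the cipher cleanly.

        Raises ``ValueError`` for an empty key (the original code died with
        a ``ZeroDivisionError`` from ``i % len(key)``).
        """
        if not isinstance(key, (bytes, bytearray)):
            key = key.encode("utf-8")
        key = bytearray(key)  # indexing a bytearray yields ints on both 2 and 3
        if not key:
            raise ValueError("RC4 key must not be empty")
        key_len = len(key)
        state = list(range(256))
        j = 0
        for i in range(256):
            j = (key[i % key_len] + state[i] + j) & 0xFF
            state[i], state[j] = state[j], state[i]
        self.state = state
        self.x = self.y = 0

    # Decrypt binary input data (PRGA + XOR)
    def binaryDecrypt(self, data):
        """XOR ``data`` with the next ``len(data)`` keystream bytes.

        RC4 is symmetric, so this encrypts as well. ``data`` may be
        ``bytes``, ``bytearray`` or any iterable of ints in 0-255; a new
        ``bytearray`` is returned and the input is left untouched.
        """
        buf = bytearray(data)
        state, x, y = self.state, self.x, self.y
        for i in range(len(buf)):
            x = (x + 1) & 0xFF
            y = (state[x] + y) & 0xFF
            state[x], state[y] = state[y], state[x]
            buf[i] ^= state[(state[x] + state[y]) & 0xFF]
        # Persist the stream position so consecutive calls continue the keystream.
        self.x, self.y = x, y
        return buf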
#------------------------------------------------------------------------
def fromBase64URL(msg):
    """Decode an unpadded base64url string (RFC 4648 section 5) into a ``bytearray``.

    DNSExfiltrator drops the ``=`` padding and swaps ``+``/``/`` for
    ``-``/``_`` so the ciphertext survives as DNS labels; this reverses
    both. Malformed input raises the usual ``binascii.Error`` from
    ``b64decode``.
    """
    # -len % 4 is exactly the number of '=' needed to reach a multiple of four.
    padded = msg + "=" * (-len(msg) % 4)
    # altchars maps the URL-safe alphabet back onto '+' and '/' before decoding.
    return bytearray(b64decode(padded, "-_"))
#======================================================================================================
# MAIN FUNCTION
#======================================================================================================
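if __name__ == '__main__':
    # Fill these in from the captured DNS query: the exfiltration domain,
    # one full query name, and the password the DNSExfiltrator agent used.
    domainName = "<domain>"
    qname = "<dns_encrypted_payload>.<TopLevelDomain>"
    password = "<password>"

    # DNSExfiltrator query layout: "<chunk#>.<data label>[.<data label>...].<domain>"
    # where the data labels are base64url (no padding) of the RC4 ciphertext.
    qname = qname.rstrip(".")  # tolerate a trailing FQDN dot from the capture
    suffix = "." + domainName
    if not qname.endswith(suffix):
        raise SystemExit("[!] qname does not end with [{}]: check domainName".format(suffix))
    msg = qname[:-len(suffix)]  # Remove the exfiltration domain
    print("Remove the TLD : msg=[\n" + msg + "\n]\n")

    if "." not in msg:
        raise SystemExit("[!] no '<chunk#>.' prefix found in qname")
    chunkNumber, data = msg.split(".", 1)
    print("split .(dot) : data=[\n" + data + "\n]\n")

    # Re-join the DNS labels into one base64url string.
    dataChunk = [data.replace(".", "")]
    for x, chunk in enumerate(dataChunk):
        print("append text in array after removing label dots : dataChunk#" + str(x) + "=[\n" + chunk + "\n]\n")
    fileData = "".join(dataChunk)
    print("join every index from array to fileData=" + fileData + "\n")

    # Create and initialize the RC4 decryptor object
    rc4Decryptor = RC4(password)
    outputFileName = "secret.zip"
    # NOTE(review): echoing the password leaks it into terminal scrollback and
    # any log that captures stdout; drop it from the message if this runs unattended.
    print("[+] Decrypting using password [{}] and saving to output file [{}]".format(password, outputFileName))
    plaintext = rc4Decryptor.binaryDecrypt(fromBase64URL(fileData))
    # RC4 has no integrity check: a wrong password produces garbage silently.
    # The output name suggests a zip archive, so warn when the zip magic is absent.
    if not plaintext.startswith(b"PK"):
        print("[!] Output does not start with the zip magic 'PK' - wrong password, or not a zip?")
    # Save data to a file (the content is attacker-controlled; inspect before extracting)
    with open("./" + outputFileName, "wb") as fileHandle:
        fileHandle.write(plaintext)
    print("[+] Output file [{}] saved successfully".format(outputFileName))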