import binascii
import struct
import sys

# Third-party star imports kept in their original order: pwn is imported
# after scapy on purpose, so any names both export resolve to pwn's.
from scapy.all import *
from scapy.utils import rdpcap
from pwn import *
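# dnscat2 packet types (first byte after the 16-bit packet id).
MESSAGE_TYPE_SYN = 0x00
MESSAGE_TYPE_MSG = 0x01
# FIN was referenced by the decoder but never defined, so the first FIN
# packet in a capture raised NameError instead of being reported.
MESSAGE_TYPE_FIN = 0x02
MESSAGE_TYPE_PING = 0xFF

# Session the original capture extracted; Decoder() takes it as a parameter.
DEFAULT_SESSION_ID = 65013


class Decoder(object):
    """Reassemble the payload of one dnscat2 session from DNS query names.

    Each value handed to ``decode`` is the hex-encoded dnscat2 packet that
    formed the query name (with the extra '.' label separators still in
    place): a 2-byte packet id and a 1-byte type, followed for MSG packets
    by session id, seq and ack (all big-endian 16-bit) and the raw data.
    Only MSG payloads belonging to ``session_id`` are written to
    ``outfile``; other packets are just reported on stdout.

    The input comes straight out of a capture, i.e. it is attacker
    controlled: anything that is not valid hex or is shorter than the
    header it claims is discarded rather than parsed.
    """

    # Header common to every packet: packet_id (H), type (B).  The type byte
    # must be unsigned -- with a signed 'b' a PING (0xFF) unpacks as -1 and
    # never matches MESSAGE_TYPE_PING.
    _HDR = struct.Struct(">HB")
    # MSG header: packet_id, type, session_id, seq, ack.
    _MSG_HDR = struct.Struct(">HBHHH")

    def __init__(self, outfile, session_id=DEFAULT_SESSION_ID):
        """Open ``outfile`` for binary writing and select the session to dump.

        On failure the reason is printed and the process exits with status 1,
        as the original script did.
        """
        try:
            # "wb": the tunnel carries arbitrary bytes, not text.
            self.fd = open(outfile, "wb")
        except (IOError, OSError) as e:
            print("Could not open output file: %s" % outfile)
            print("Reason: %s" % e)
            sys.exit(1)
        self.session_id = session_id
        # seq and payload of the last MSG written, used to drop retransmits.
        self.lastseq = None
        self.lastdata = None

    def decode(self, data):
        """Decode one hex-encoded dnscat2 packet and act on it.

        ``data`` is the query-name prefix (str or bytes).  Returns the
        packet's message type, or None when the packet is not valid hex or
        is too short for the header(s) it claims.
        """
        if isinstance(data, bytes):
            # scapy hands out bytes on Python 3; hex is ASCII, so anything
            # non-ASCII becomes U+FFFD and is rejected by unhexlify below.
            data = data.decode("ascii", "replace")
        try:
            # Remove the additional '.' label separators as per the spec.
            packet = binascii.unhexlify(data.replace(".", ""))
        except (TypeError, ValueError):
            # Odd length or non-hex: corrupted.  Throw it away instead of
            # feeding the undecoded text to struct.unpack.
            return None
        if len(packet) < self._HDR.size:
            return None
        _packet_id, msg_type = self._HDR.unpack_from(packet)
        if msg_type == MESSAGE_TYPE_MSG:
            print("MSG PACKET")
            if len(packet) < self._MSG_HDR.size:
                # Claims to be a MSG but session/seq/ack are truncated.
                return None
            _, _, session_id, seq, _ack = self._MSG_HDR.unpack_from(packet)
            payload = packet[self._MSG_HDR.size:]
            self._write_msg(session_id, seq, payload)
        elif msg_type == MESSAGE_TYPE_SYN:
            print("SYN PACKET")
        elif msg_type == MESSAGE_TYPE_PING:
            print("PING PACKET")
        elif msg_type == MESSAGE_TYPE_FIN:
            print("FIN PACKET")
        return msg_type

    def _write_msg(self, session_id, seq, payload):
        """Append ``payload`` to the output if it belongs to the tracked
        session and is not a repeat of the previous packet."""
        if session_id != self.session_id:
            return
        # A retransmission carries the same seq and the same data, so a
        # repeat of (seq, payload) is dropped; an identical payload under a
        # new seq is genuine data and is kept (comparing payload alone, as
        # the original did, would silently lose it).
        if seq == self.lastseq and payload == self.lastdata:
            return
        self.fd.write(payload)
        self.lastseq = seq
        self.lastdata = payload

    def close(self):
        """Flush and close the output file; safe to call more than once."""
        if self.fd is not None:
            self.fd.close()
            self.fd = None

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        self.close()
        return False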
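# Resolver and tunnel domain used by the capture this script was written for;
# the resolver can be overridden with an optional third argument.
DEFAULT_RESOLVER = "4.2.2.4"
TUNNEL_DOMAIN = ".skull"


def main(argv):
    """Extract the dnscat2 session payload from the pcap ``argv[1]`` into
    the file ``argv[2]``.

    Only DNS queries (UDP/53) addressed to the resolver are considered; the
    query name up to ``TUNNEL_DOMAIN`` is handed to ``Decoder.decode``.
    Exits with status 2 on bad usage.
    """
    if len(argv) not in (3, 4):
        print("Usage: %s pcap output [resolver_ip]" % (argv[0]))
        sys.exit(2)
    resolver = argv[3] if len(argv) == 4 else DEFAULT_RESOLVER
    pkts = rdpcap(argv[1])
    d = Decoder(argv[2])
    try:
        for pkt in pkts:
            # A capture may hold ARP/TCP/ICMP too; pkt[UDP] on those raises
            # IndexError and would abort the whole extraction.
            if not (pkt.haslayer(IP) and pkt.haslayer(UDP)):
                continue
            if pkt[UDP].dport != 53 or pkt[IP].dst != resolver:
                continue
            if not (pkt.haslayer(DNS) and pkt[DNS].qdcount > 0
                    and isinstance(pkt[DNS].qd, DNSQR)):
                continue
            qname = pkt[DNS].qd.qname
            if isinstance(qname, bytes):
                # scapy returns the name as bytes on Python 3.
                qname = qname.decode("ascii", "replace")
            try:
                d.decode(qname.split(TUNNEL_DOMAIN)[0])
            except Exception as e:
                # One malformed query must not stop the extraction.
                print("Exception occured decoding: %s" % e)
    finally:
        # Make sure buffered payload reaches disk even if rdpcap's
        # iteration blows up half way.
        d.fd.close()
    print("Data extracted to %s" % argv[2])


if __name__ == "__main__":
    main(sys.argv)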