#! /usr/bin/env python
# Source: Adapted from https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration
from collections.abc import Iterable

from scapy.all import rdpcap, DNSQR, DNSRR, DNS
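# Parameters
pcap_filename = 'ch21.pcap'
top_domain = ".jz-n-bs.local."
output_filename = "exploit.bin"
# Number of leading bytes dropped from every decoded query. The original script
# stripped 9 bytes unconditionally; for dnscat2 that presumably is the MSG packet
# header (packet id, type, session id, seq, ack). NOTE(review): SYN/FIN/PING
# packets have a different layout and are not filtered out here -- confirm
# against the capture if the output looks corrupted at the start or end.
HEADER_LEN = 9


def decode_query(qname: str, domain: str = top_domain, header_len: int = HEADER_LEN) -> "bytes | None":
    """Return the payload carried by one hex-encoded query name, or None.

    The name must end with ``domain``; the labels in front of it are hex
    strings that are concatenated and decoded, then the first ``header_len``
    bytes are dropped.

    Args:
        qname: fully qualified query name, e.g. ``"0000...6869.jz-n-bs.local."``.
        domain: suffix (with leading and trailing dot) that marks a tunnel query.
        header_len: bytes to strip from the front of the decoded data.

    Returns:
        The remaining bytes (possibly empty), or None when the name does not
        belong to the tunnel or is not valid hex. Returning None instead of
        raising matters because the pcap is untrusted: unrelated DNS traffic or
        a deliberately malformed label must not abort the whole extraction.
    """
    # Suffix match only: the original used str.replace(), which would also
    # strip a mid-name occurrence and accept queries for unrelated domains.
    if not qname.endswith(domain):
        return None
    labels = qname[: -len(domain)].split(".")
    try:
        raw = b"".join(bytes.fromhex(label) for label in labels)
    except ValueError:
        # non-hex or odd-length label: not a tunnel chunk
        return None
    return raw[header_len:]


def reassemble(qnames: Iterable[str], domain: str = top_domain, header_len: int = HEADER_LEN) -> bytes:
    """Concatenate the payload chunks of a sequence of query names.

    A chunk identical to the immediately preceding one is treated as a DNS
    retransmission and skipped (same rule as the original script); queries
    that decode_query() rejects are ignored.

    Args:
        qnames: query names in capture order.
        domain: tunnel domain suffix, see decode_query().
        header_len: header bytes to strip, see decode_query().

    Returns:
        The reassembled payload bytes.
    """
    chunks: list[bytes] = []
    last: bytes = b""
    for qname in qnames:
        chunk = decode_query(qname, domain, header_len)
        if chunk is None or chunk == last:
            continue
        chunks.append(chunk)
        last = chunk
    # join once instead of bytes += in the loop (quadratic on large captures)
    return b"".join(chunks)


def main() -> None:
    """Extract the tunnelled payload from pcap_filename into output_filename.

    Only packets that carry a DNS question and no answer section are used,
    i.e. the client's queries. The written file is attacker-controlled data
    recovered from the capture (the default name is ``exploit.bin``): inspect
    it with a hex editor or a sandbox, never execute it on the analysis host.
    """
    dns_pkts = rdpcap(pcap_filename)[DNS]
    # Hex labels are ASCII; anything that fails to decode is not a tunnel
    # chunk and is dropped by decode_query() instead of raising here.
    qnames = (
        p[DNSQR].qname.decode("ascii", "replace")
        for p in dns_pkts
        if p.haslayer(DNSQR) and not p.haslayer(DNSRR)
    )
    payload = reassemble(qnames)
    with open(output_filename, "wb") as out:
        out.write(payload)


if __name__ == "__main__":
    main()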