
202312_QQ_DNS Traffic

Tags: traffic analysis, DNS traffic, pyshark

0x00. Challenge

Attachment path: https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

Attachment name: 202312_QQ_packet1.zip

Xiao Zhang found that one of the company's servers had been compromised. A packet capture taken on the server produced the traffic file. Please analyze the traffic and recover the flag hidden in the trojan's communication; submit the flag in the format everflag{}.

0x01. WP1

1. Filtering the traffic showed nothing abnormal in the HTTP streams, but revealed a large number of DNS requests, so DNS exfiltration was the initial suspicion.


2. Decoding the queried domain names yields sensitive information.


3. A suspected Base64 string is found in the preceding request.


Base64 decode: whoami

4. Analyzing the shorter packets yields the first part of the flag (hex -> Base64 -> text):


5a6d78685a3373784d7a49354e445a6a5a6d526b4e4445355a6a6869
ZmxhZ3sxMzI5NDZjZmRkNDE5Zjhi
flag{132946cfdd419f8b

5. The second part of the flag is found in a later request (the TXT payload is Base64-encoded twice):


WldOb2J5QWlNekE0WldZM1pXVTRaVFkwTlRkaE5YMGlJRDRnWm14aFp6SXVkSGgw
ZWNobyAiMzA4ZWY3ZWU4ZTY0NTdhNX0iID4gZmxhZzIudHh0
echo "308ef7ee8e6457a5}" > flag2.txt

The final flag is flag{132946cfdd419f8b308ef7ee8e6457a5}

0x02. WP2

Use Python with pyshark to automate the parsing.

exp.py

# -*- coding: utf-8 -*-
import pyshark
import base64

strTsharkPath = "C:\\Program Files\\Wireshark"
strCapPath = ".\\pcapngs\\dns.pcapng"
# Only DNS packets from the controller side are needed: their question section carries
# the hex-encoded output chunks and their TXT answers carry the commands.
cap = pyshark.FileCapture(strCapPath, display_filter="dns && ip.src==192.168.158.1", tshark_path=strTsharkPath)

# Protocol structure analysis begins: dump the layer names and field names of one packet
print("协议结构分析开始...")
i = 0
for layer in cap[1].layers:
    print("第", i + 1, "层:", layer.layer_name)
    print(layer.field_names)
    i += 1
print("协议结构分析完成。")
# Protocol structure analysis ends

print("=" * 16)
print("DNS数据分析开始...")
strProtocal = ""
intIndex = 0
strCMD = ""
strResponse = ""        # accumulated hex labels of the current output block
strResonseDecode = ""

for pkt in cap:
    strProtocal = pkt.layers[1].get_field_value("proto")    # ip.proto (17 = UDP)
    intIndex = pkt.layers[2].get_field_value("Stream")      # udp.stream index
    try:
        strQryName = pkt.layers[3].get_field_value("qry_name")
        if strQryName == "bnh0.com":
            # Beacon query: one output block is complete, decode hex -> base64 -> gb2312 text
            strResonseDecode = base64.b64decode(bytes.fromhex(strResponse)).decode("gb2312")
            if len(strResonseDecode) != 0:
                print("回显内容:\n", strResonseDecode)
                print("=" * 16)
            strResponse = ""
        else:
            # Data query: the label before ".com" is a hex chunk of the encoded output
            strResponse = strResponse + strQryName.replace(".com", "")
            if pkt.layers[3].get_field_value("TXT") is not None:
                # TXT answer: the command, base64-encoded twice
                strCMD = pkt.layers[3].get_field_value("TXT")
                strCMD = base64.b64decode(base64.b64decode(strCMD)).decode("utf-8")
                print("Protocal:", strProtocal)
                print("Index:", intIndex)
                print("CMD:", strCMD)
    except Exception:
        # Packets without a DNS layer, or with a label that is not valid hex, are skipped
        pass

# Flush an output block that was never terminated by a beacon query
# (the original checked the already-decoded string here instead of the pending buffer)
if strResponse:
    strResonseDecode = base64.b64decode(bytes.fromhex(strResponse)).decode("gb2312")
    print("回显内容:\n", strResonseDecode)
    print("=" * 16)

The output is as follows:

协议结构分析开始...
第 1 层: eth
['dst', 'dst_resolved', 'dst_oui', 'dst_oui_resolved', 'addr', 'addr_resolved', 'addr_oui', 'addr_oui_resolved', 'dst_lg', 'lg', 'dst_ig', 'ig', 'src', 'src_resolved', 'src_oui', 'src_oui_resolved', 'src_lg', 'src_ig', 'type']
第 2 层: ip
['version', 'hdr_len', 'dsfield', 'dsfield_dscp', 'dsfield_ecn', 'len', 'id', 'flags', 'flags_rb', 'flags_df', 'flags_mf', 'frag_offset', 'ttl', 'proto', 'checksum', 'checksum_status', 'src', 'addr', 'src_host', 'host', 'dst', 'dst_host']
第 3 层: udp
['srcport', 'dstport', 'port', 'length', 'checksum', 'checksum_status', 'stream', '', 'time_relative', 'time_delta', 'payload']
第 4 层: dns
['id', 'flags', 'flags_response', 'flags_opcode', 'flags_authoritative', 'flags_truncated', 'flags_recdesired', 'flags_recavail', 'flags_z', 'flags_authenticated', 'flags_checkdisable', 'flags_rcode', 'count_queries', 'count_answers', 'count_auth_rr', 'count_add_rr', '', 'qry_name', 'qry_name_len', 'count_labels', 'qry_type', 'qry_class', 'response_to', 'time']
协议结构分析完成。
================
DNS数据分析开始...
Protocal: 17
Index: 60
CMD: whoami
回显内容:
 admin-pc\admin
================
Protocal: 17
Index: 62
CMD: dir
回显内容:
 驱动器 C 中的卷是 Windows
 卷的序列号是 CC6A-60AD

 C:\Users\Admin\Desktop\aa 的目录

2021/07/18  21:37    <DIR>          .
2021/07/18  21:37    <DIR>          ..
2021/07/17  23:43                21 flag.txt
2021/07/18  21:34             4,644 shell.py
               2 个文件          4,665 字节
               2 个目录 32,699,531,264 可用字节
================
Protocal: 17
Index: 80
CMD: tasklist
回显内容:
映像名称                       PID 会话名              会话#       内存使用 
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0        244 K
smss.exe                       268 Services                   0        136 K
csrss.exe                      412 Services                   0      1,836 K
wininit.exe                    464 Services                   0        292 K
csrss.exe                      472 Console                    1     14,056 K
winlogon.exe                   528 Console                    1      2,360 K
services.exe                   564 Services                   0      5,924 K
lsass.exe                      580 Services                   0      6,624 K
lsm.exe                        588 Services                   0      2,124 K
svchost.exe                    680 Services                   0      4,848 K
vm3dservice.exe                748 Services                   0      1,240 K
svchost.exe                    788 Services                   0      6,112 K
svchost.exe                    876 Services                   0     11,520 K
svchost.exe                    912 Services                   0      7,176 K
svchost.exe                    936 Services                   0     11,632 K
svchost.exe                    964 Services                   0     25,100 K
svchost.exe                    456 Services                   0      4,060 K
svchost.exe                   1036 Services                   0     14,868 K
spoolsv.exe                   1152 Services                   0      4,064 K
svchost.exe                   1200 Services                   0     12,412 K
Everything.exe                1356 Services                   0      1,536 K
svchost.exe                   1400 Services                   0      5,192 K
VGAuthService.exe             1460 Services                   0      1,852 K
vmtoolsd.exe                  1560 Services                   0      8,952 K
WmiPrvSE.exe                  1952 Services                   0     14,500 K
msdtc.exe                     1432 Services                   0      1,312 K
taskhost.exe                  2216 Console                    1      7,848 K
dwm.exe                       2296 Console                    1      3,836 K
explorer.exe                  2364 Console                    1     62,052 K
vm3dservice.exe               2580 Console                    1        652 K
vmtoolsd.exe                  2588 Console                    1     21,832 K
QQPYUserCenter.exe            2604 Console                    1     14,324 K
VCDDaemon.exe                 2700 Console                    1      1,288 K
Everything.exe                2804 Console                    1     20,524 K
SearchIndexer.exe             2996 Services                   0     20,968 K
wmpnetwk.exe                  1300 Services                   0      7,664 K
svchost.exe                   1828 Services                   0     21,564 K
taskhost.exe                  3440 Console                    1     11,072 K
svchost.exe                   2932 Services                   0      3,660 K
QQPYUserCenter.exe            3660 Console                    1        120 K
chrome.exe                     484 Console                    1    138,316 K
chrome.exe                    3688 Console                    1      5,488 K
chrome.exe                    4980 Console                    1    176,080 K
chrome.exe                    5112 Console                    1     35,812 K
chrome.exe                    3216 Console                    1     15,732 K
chrome.exe                    1996 Console                    1     56,464 K
chrome.exe                    2548 Console                    1     75,912 K
chrome.exe                    2728 Console                    1    119,332 K
chrome.exe                    1060 Console                    1    132,592 K
chrome.exe                    1136 Console                    1    101,928 K
chrome.exe                    4256 Console                    1     45,536 K
chrome.exe                    1276 Console                    1     86,652 K
chrome.exe                    4332 Console                    1     36,380 K
chrome.exe                    3480 Console                    1    100,268 K
sublime_text.exe              4184 Console                    1     64,256 K
plugin_host-3.3.exe           5072 Console                    1     17,120 K
plugin_host-3.8.exe            812 Console                    1     26,336 K
ConEmu64.exe                  3704 Console                    1     35,292 K
ConEmuC64.exe                 4108 Console                    1      5,940 K
conhost.exe                   2560 Console                    1      4,368 K
cmd.exe                       2500 Console                    1      8,928 K
Wireshark.exe                 1848 Console                    1    151,448 K
dumpcap.exe                   2408 Console                    1      8,152 K
conhost.exe                   4064 Console                    1      3,700 K
py.exe                        4376 Console                    1      5,008 K
python.exe                    1376 Console                    1     15,544 K
cmd.exe                       4008 Console                    1      4,108 K
tasklist.exe                  1592 Console                    1      7,632 K
================
Protocal: 17
Index: 336
CMD: type flag.txt
回显内容:
 flag{132946cfdd419f8b
================
Protocal: 17
Index: 341
CMD: echo "308ef7ee8e6457a5}" > flag2.txt
Protocal: 17
Index: 370
CMD: whoami
回显内容:
 admin-pc\admin
================
Protocal: 17
Index: 372
CMD: dir
回显内容:
 驱动器 C 中的卷是 Windows
 卷的序列号是 CC6A-60AD

 C:\Users\Admin\Desktop\aa 的目录

2021/07/18  21:38    <DIR>          .
2021/07/18  21:38    <DIR>          ..
2021/07/17  23:43                21 flag.txt
2021/07/18  21:38                22 flag2.txt
2021/07/18  21:34             4,644 shell.py
               3 个文件          4,687 字节
               2 个目录 32,694,652,928 可用字节
================
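The decode chain used in WP1 steps 4 and 5 and in exp.py, as an added example that is not part of the original write-up: the same hex/Base64 logic pulled out of pyshark into a pure function that takes (qry_name, txt) pairs as exp.py reads them, so it can be tested offline on a constructed sample. The poll name "poll.com", the fixture helper _txt() and the 30-character label split are assumptions; the flag hex and the echo TXT value are the ones shown in WP1.

```python
import base64

# Markers from the write-up: the beacon name that closes one block of command output,
# and the suffix stripped from every data-carrying query label.
BEACON = "bnh0.com"
SUFFIX = ".com"
HEXDIGITS = set("0123456789abcdefABCDEF")

def decode_cmd(txt):
    """TXT answer -> command text: base64 applied twice (WP1 step 5)."""
    return base64.b64decode(base64.b64decode(txt)).decode("utf-8")

def decode_output(labels, encoding="gb2312"):
    """Joined query labels -> command output: hex -> base64 -> text (WP1 step 4)."""
    return base64.b64decode(bytes.fromhex("".join(labels))).decode(encoding)

def decode_session(records):
    """records: (qry_name, txt_or_None) pairs in capture order, i.e. the dns.qry_name and
    dns.txt fields exp.py reads. Returns a list of ("cmd", text) / ("output", text)."""
    events, buf = [], []
    for qry_name, txt in records:
        if qry_name == BEACON:            # end of one output block: flush the buffer
            if buf:
                events.append(("output", decode_output(buf)))
                buf = []
            continue
        if txt:                            # a command pushed by the controller
            events.append(("cmd", decode_cmd(txt)))
        label = qry_name[:-len(SUFFIX)] if qry_name.endswith(SUFFIX) else qry_name
        if len(label) % 2 == 0 and set(label) <= HEXDIGITS:   # only hex labels carry data
            buf.append(label)
    if buf:                                # trailing output with no closing beacon
        events.append(("output", decode_output(buf)))
    return events

def _txt(cmd):
    """Fixture helper only (assumption): the double-base64 TXT form the capture uses."""
    return base64.b64encode(base64.b64encode(cmd.encode())).decode()

# Constructed sample in the capture's format. FLAG_HEX and the echo TXT are the values
# shown in WP1; the poll name "poll.com" and the 30-char label split are assumptions.
FLAG_HEX = "5a6d78685a3373784d7a49354e445a6a5a6d526b4e4445355a6a6869"
SAMPLE = [
    ("poll.com", _txt("type flag.txt")),
    (FLAG_HEX[:30] + SUFFIX, None),
    (FLAG_HEX[30:] + SUFFIX, None),
    (BEACON, None),
    ("poll.com", "WldOb2J5QWlNekE0WldZM1pXVTRaVFkwTlRkaE5YMGlJRDRnWm14aFp6SXVkSGgw"),
    (BEACON, None),
]
```

Calling decode_session(SAMPLE) reproduces the CMD / 回显 pairing of exp.py's output without needing tshark, and a block that is never closed by the beacon is still flushed at the end.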
http://www.hskmm.com/?act=detail&tid=4249
