Cyberlympics 2018 — DNS covert channel
I was fortunate enough to participate in the Cyberlympics this year with the TSS CTF team. There was some tough competition, and after placing second in the qualifying round we ended up taking third place at the global finals in Atlanta. This post is about one specific challenge from the Cyberlympics that required the dissection of a packet capture containing evidence of malicious activity.
During the challenge, TSS was given a .pcap that I would usually open in Wireshark, but I had recently come across a tool called NetworkMiner and decided to try it out. I have to say that I really like the simplicity of the NetworkMiner interface. One of the things that stood out was the number of DNS queries (923), and having a look at the DNS tab showed some unusual entries.
Unfortunately, I was using the free version of NetworkMiner, so I wasn’t able to export all of the DNS entries to analyse them further. Instead, I turned to tshark, Wireshark’s command-line tool, which can extract all of the DNS queries in cases like this.
The command below extracts the source IP and DNS query name from the pcap and stores them in a file called allDnsQuery.txt:
tshark -r CapsCapsCaps.pcap -T fields -e ip.src -e dns.qry.name > allDnsQuery.txt
The interesting lines looked like this:
The 88a301... part looks like it could be hex-encoded ASCII, so I decoded the file with some simple AHK…
And noticed some interesting ASCII in the output…
Obviously there is a lot of noise here, so I used this script to clean it up.
After running the script above we have two files, asciiHex.txt and decoded.txt. Looking at decoded.txt, I’m sure that we are on the right track.
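The decode-and-clean-up step described above, as an added Python example (it is not the post's AHK script or any of the challenge material): it reads tshark's two-column output, keeps only the leading label of each query name when it is a long run of hex digits, drops the rest as noise, and decodes the joined hex to raw bytes. The sample lines, the IPs and the c2.example.net domain are constructed for the example; the "16 or more hex digits" threshold and the client-IP filter (which drops the server's responses, since tshark reports the same dns.qry.name for the answer packet) are assumptions about the channel, not something the post states. The raw bytes it writes are what the post later obtains with xxd; note that if asciiHex.txt holds bare hex with no offsets, xxd needs `-r -p` rather than plain `-r` to reverse it.

```python
import re

# Constructed sample of allDnsQuery.txt as tshark writes it: ip.src, a TAB,
# dns.qry.name. Payloads, IPs and the domain are made up for this example.
SAMPLE_LINES = (
    "10.0.0.5\t88a301ff48656c6c6f.c2.example.net\n"
    "10.0.0.53\t88a301ff48656c6c6f.c2.example.net\n"   # server response echoes the question
    "10.0.0.5\twww.example.org\n"                      # ordinary lookup: noise
    "10.0.0.5\t2c20776f726c6421.c2.example.net\n"
    "10.0.0.53\t2c20776f726c6421.c2.example.net\n"
    "10.0.0.5\t\n"                                     # non-DNS packet: empty query field
)

# Assumption: a payload label is an even-length run of at least 16 hex digits.
# Short hex-looking labels ("ab", "cafe") occur in normal hostnames, so the
# length floor is what separates channel traffic from noise.
HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")


def extract_hex_chunks(text, client_ip=None):
    """Return the hex payload labels in capture order.

    client_ip: when given, keep only lines whose ip.src matches, which drops
    the resolver's responses (they carry the same query name and would
    otherwise double every chunk).
    """
    chunks = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not fields[1]:
            continue
        src, qname = fields[0], fields[1]
        if client_ip is not None and src != client_ip:
            continue
        first_label = qname.split(".")[0]
        if HEX_LABEL.match(first_label):
            chunks.append(first_label.lower())
    return chunks


def decode_chunks(chunks):
    """Join the hex labels and decode them to raw bytes."""
    return bytes.fromhex("".join(chunks))


def printable_runs(data, min_len=4):
    """Like strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def write_outputs(text, client_ip, hex_path, bin_path):
    """Write the cleaned hex (one chunk per line) and the decoded binary,
    the latter being the file to hand to binwalk."""
    chunks = extract_hex_chunks(text, client_ip)
    with open(hex_path, "w") as f:
        f.write("\n".join(chunks) + "\n")
    with open(bin_path, "wb") as f:
        f.write(decode_chunks(chunks))


if __name__ == "__main__":
    chunks = extract_hex_chunks(SAMPLE_LINES, client_ip="10.0.0.5")
    data = decode_chunks(chunks)
    print(len(chunks), "chunks,", len(data), "bytes")
    print(printable_runs(data))
```

On a real capture, pass the querying host's address as client_ip and the result of `printable_runs` is the quick "are we on the right track" check; the binary written by `write_outputs` replaces the xxd step.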
It looked like there were binary files embedded in the decoded DNS queries, so I used binwalk to check out what files are in there. My little asciiHexToStr function doesn’t work properly (not sure why…), so binwalk on decoded.txt didn’t work properly either…
Although you can use AHK to decode ASCII hex to binary properly, the function is too big for a blog post, so instead I used xxd to decode asciiHex.txt; binwalk then shows us the correct list of files.
xxd -r asciiHex.txt properDecoded.txt
Each line in the screenshot above corresponds to a potential file embedded inside properDecoded.txt. The first five entries refer to possible image files, while the last entry shows a potential .zip file. We can use binwalk’s -e parameter to attempt to extract these files. Running the command successfully extracts a zip file called 235CA.zip, which contains Elite_hacking_group_structure.pdf (it is password protected; we were given the password in another challenge, but I lost that password, sorry), but it doesn’t extract the images for some reason.
Fortunately, binwalk gives us the offsets of the files in the decoded binary, so we were able to extract the relevant data and write it to file ourselves. I used this to extract the image files:
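The manual carve described above, as an added Python example rather than the post's own script: it locates the PNG, JPEG and ZIP signatures in the decoded binary (the same offsets binwalk reports), trims each carve at the format's end marker (IEND plus CRC for PNG, the FFD9 end-of-image marker for JPEG, the end-of-central-directory record for ZIP) and falls back to the next signature or the end of the blob when no marker is found, then writes each range out under a binwalk-style hex-offset name. The sample blob, with its minimal stand-in PNG, JPEG and ZIP structures, is constructed for the example and is not the challenge data.

```python
import os

# Magic bytes for the file types binwalk listed in the decoded payload.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}


def find_signatures(blob):
    """All (offset, kind) pairs where a known magic occurs, sorted by offset."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def find_end(blob, off, kind, fallback):
    """End of the file starting at off: the format's own end marker when one
    is found after off, otherwise fallback (next signature or end of blob)."""
    if kind == "png":
        i = blob.find(b"IEND", off)
        return i + 8 if i != -1 else fallback          # IEND chunk + 4-byte CRC
    if kind == "jpg":
        i = blob.find(b"\xff\xd9", off)
        return i + 2 if i != -1 else fallback          # EOI marker
    if kind == "zip":
        i = blob.find(b"PK\x05\x06", off)              # end of central directory
        if i == -1 or i + 22 > len(blob):
            return fallback
        comment_len = int.from_bytes(blob[i + 20:i + 22], "little")
        return i + 22 + comment_len                    # fixed 22-byte record + comment
    return fallback


def carve(blob):
    """Return [(offset, kind, data)] for every signature hit. A marker that
    lies past the next signature is trusted over the fallback, since a
    signature inside a file is more likely a false positive than a new file."""
    hits = find_signatures(blob)
    out = []
    for n, (off, kind) in enumerate(hits):
        fallback = hits[n + 1][0] if n + 1 < len(hits) else len(blob)
        end = find_end(blob, off, kind, fallback)
        out.append((off, kind, blob[off:end]))
    return out


def carved_filenames(blob):
    """binwalk-style names: upper-case hex offset plus extension, e.g. 235CA.zip."""
    return ["%X.%s" % (off, kind) for off, kind, _ in carve(blob)]


def carve_to_dir(blob, outdir):
    """Write every carved range to outdir under its hex-offset name."""
    os.makedirs(outdir, exist_ok=True)
    for (off, kind, data), name in zip(carve(blob), carved_filenames(blob)):
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data)


# Constructed sample standing in for properDecoded.txt: minimal PNG, JPEG and
# ZIP stand-ins (the ZIP is a local-file header plus an empty end-of-central-
# directory record) separated by junk. Not real images, just the structure.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 6 + b"\xff\xd9"
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18
SAMPLE_BLOB = (b"junk" + SAMPLE_PNG + b"\x00" * 5 + SAMPLE_JPG
               + b"garbage" + SAMPLE_ZIP + b"trailing")

if __name__ == "__main__":
    for off, kind, data in carve(SAMPLE_BLOB):
        print("0x%X %s %d bytes" % (off, kind, len(data)))
```

To use it on the real decoded payload, read properDecoded.txt with `open(path, "rb").read()` and call `carve_to_dir` on the bytes; the hex-offset names line up with binwalk's listing, so 235CA.zip would come out under the same name.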
I hadn’t played around with DNS covert channels before, so the entire challenge was a bit of fun for me. If you want to play around with the DNS covert channel text yourself, you can grab the allDnsQuery.txt file here (the pcap file is too big for GitHub to host).