This forensic task came in the form of a pcap-ng caputure file.

After analysing the traffic for some time we discovered a huge amount of DNS requests for subdomains with unusual names on asis.io. Obviously, some kind of DNS tunneling is going on here.

We tracked down the first suspicious DNS request which was for “89504e470d0a1a.asis.io” - the subdomain name is equal to the hex-presentation of the png magic number! Thus, it looks like the transmitted data are given in hex-representation as subdomain name.

So, we wrote a scapy script to extract the according byte and got a first png. Unfortunately, we werent able to open it. We used pngcheck (http://www.libpng.org/pub/png/apps/pngcheck.html) to check what kind of problems we have:

$ ./pngcheck -v -f a.png 

File: a.png (4466 bytes)
  chunk IHDR at offset 0x0000c, length 13
    266 x 13 image, 8-bit palette, non-interlaced
  chunk PLTE at offset 0x00025, length 105: 35 palette entries
  CRC error in chunk PLTE (computed c215dfd7, expected 10000000)
    invalid chunk name "?" (ffffff90 ffffffd4 06 02)
    chunk ? at offset 0x0009a, length 17:  illegal (unless recently approved) unknown, public chunk
  invalid chunk name "x?" (14 78 ffffff8f ffffffb0)
    chunk x? at offset 0x000b7, length 5206:  EOF while reading
data
ERRORS DETECTED in a.png

Okay, that looks seriously broken. We went back to analysis and tried different stuff, for instance different kind of sorting the query bytes. After some time we figured out that the most requests are getting a response with ‘87.107.124.13’ as server address. On the other hand, a few responses had the flags for “no such name” set. We thought this could be the filter, modified our scapy script and …

$ ./pngcheck -f -v a.png 

File: a.png (1358 bytes)
  chunk IHDR at offset 0x0000c, length 13
    266 x 13 image, 8-bit palette, non-interlaced
   chunk PLTE at offset 0x00025, length 105: 35 palette entries
   CRC error in chunk PLTE (computed bcb8fc04, expected 276cf28d)
   chunk tRNS at offset 0x0009a, length 34: 34 transparency
entries
   chunk IDAT at offset 0x000c8, length 1138
      zlib: deflated, 32K window, fast compression
   chunk IEND at offset 0x00546, length 0
ERRORS DETECTED in a.png

Woohoo. Only a CRC-Error left. We patched it by hand and were able to open the png file containing the flag. :)

$ cat for_175.py

from scapy.all import *
import sys
p = rdpcap(sys.argv[1])
res = []
for i in range(len(p)):
  if not p[i].haslayer(DNS):
    continue
  if DNSQR in p[i]:
    if DNSRR in p[i] and p[i][DNSQR].qname:
      data = p[i][DNSQR].qname
      #if '.asis.io' in data: #Results in corrupted PNG 
      if '.asis.io' in data and p[i][DNSRR].rdata =='87.107.124.13': 
        data = data[:-len('.asis.io.')].strip()
        try:
          int(data,16)
          res.append((p[i][DNSRR].time, data))
        except ValueError:
          pass

data = ''
for k, v in sorted(res):
  data += v
open(sys.argv[2], 'wb').write(data.decode('hex'))

-nsr & ccm

PS: There was even a DNS request for tasteless.se \o/