This forensic task came in the form of a pcap-ng caputure file.
After analysing the traffic for some time we discovered a huge amount of DNS requests for subdomains with unusual names on asis.io. Obviously, some kind of DNS tunneling is going on here.
We tracked down the first suspicious DNS request which was for “89504e470d0a1a.asis.io” - the subdomain name is equal to the hex-presentation of the png magic number! Thus, it looks like the transmitted data are given in hex-representation as subdomain name.
So, we wrote a scapy script to extract the according byte and got a first png. Unfortunately, we werent able to open it. We used pngcheck (http://www.libpng.org/pub/png/apps/pngcheck.html) to check what kind of problems we have:
$ ./pngcheck -v -f a.png File: a.png (4466 bytes) chunk IHDR at offset 0x0000c, length 13 266 x 13 image, 8-bit palette, non-interlaced chunk PLTE at offset 0x00025, length 105: 35 palette entries CRC error in chunk PLTE (computed c215dfd7, expected 10000000) invalid chunk name "?" (ffffff90 ffffffd4 06 02) chunk ? at offset 0x0009a, length 17: illegal (unless recently approved) unknown, public chunk invalid chunk name "x?" (14 78 ffffff8f ffffffb0) chunk x? at offset 0x000b7, length 5206: EOF while reading data ERRORS DETECTED in a.png
Okay, that looks seriously broken. We went back to analysis and tried different stuff, for instance different kind of sorting the query bytes. After some time we figured out that the most requests are getting a response with ‘22.214.171.124’ as server address. On the other hand, a few responses had the flags for “no such name” set. We thought this could be the filter, modified our scapy script and …
$ ./pngcheck -f -v a.png File: a.png (1358 bytes) chunk IHDR at offset 0x0000c, length 13 266 x 13 image, 8-bit palette, non-interlaced chunk PLTE at offset 0x00025, length 105: 35 palette entries CRC error in chunk PLTE (computed bcb8fc04, expected 276cf28d) chunk tRNS at offset 0x0009a, length 34: 34 transparency entries chunk IDAT at offset 0x000c8, length 1138 zlib: deflated, 32K window, fast compression chunk IEND at offset 0x00546, length 0 ERRORS DETECTED in a.png
Woohoo. Only a CRC-Error left. We patched it by hand and were able to open the png file containing the flag. :)
$ cat for_175.py from scapy.all import * import sys p = rdpcap(sys.argv) res =  for i in range(len(p)): if not p[i].haslayer(DNS): continue if DNSQR in p[i]: if DNSRR in p[i] and p[i][DNSQR].qname: data = p[i][DNSQR].qname #if '.asis.io' in data: #Results in corrupted PNG if '.asis.io' in data and p[i][DNSRR].rdata =='126.96.36.199': data = data[:-len('.asis.io.')].strip() try: int(data,16) res.append((p[i][DNSRR].time, data)) except ValueError: pass data = '' for k, v in sorted(res): data += v open(sys.argv, 'wb').write(data.decode('hex'))
-nsr & ccm
PS: There was even a DNS request for tasteless.se \o/