vmwhe.blogg.se

Not find the gnomeconf sh file that is generated by

Wanted to wait until after the winners announcements to post this, here’s my writeups for the SANS Holiday Hack Challenge 2015! The challenge was a really fun one day sprint for me. I got started one afternoon after learning about the challenge. I focused on it until about 5am the next morning and wrapped up all the challenges.

The challenge was perfect for me as I was really looking for a way to learn a little more about node.js and mongodb security. This challenge led me down a path where I was exposed to a lot of great reading material on these topics. I’ll add links to these in my writeup below.

In this challenge we had to analyse a PCAP file given to us by Josh Dosis, whom we find in his home in the Dosis Neighborhood. Josh gives us a PCAP as well as many other tips about the contents of the PCAP. The challenge asks us to solve the following:

  • What commands are seen in the Gnome C&C channel?
  • What image appears in the photo the Gnome sent across the channel from the Dosis home?

Firstly, we analyse the PCAP by hand using Wireshark; we can quickly spot some unusual DNS traffic. One particular host (10.40.0.18) is sending regular DNS TXT record requests to an external server (52.2.229.189).

When we inspect the contents of the query response we see obviously base64 encoded responses in the dns.txt field. By decoding a few of the smaller packet responses we quickly conclude this is suspicious and likely to be our control channel.

To analyse these responses, I wrote the following Python script which performs the steps of:

  • Extracting the C&C commands / responses.