fcsc2022-forensics-a-l-ancienne
| from scapy.all import * | |
| import base64 | |
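# Layout of one exfiltration qname as this script slices it. The offsets are
# empirical for this capture (TODO confirm against the pcap):
#   - the last SUFFIX_LEN characters ("-." + 8-char name label + trailing ".")
#     are dropped from the payload,
#   - the NAME_LEN characters just before the trailing "." are the base64 file
#     name,
#   - everything before that is base64 payload, where "*" stands in for "+"
#     and "-." separates DNS labels.
SUFFIX_LEN = 11
NAME_TAIL = 9
NAME_LEN = 8


def extract_chunk(qname):
    """Split one raw DNS question name into ``(file name, payload chunk)``.

    Args:
        qname: the ``qname`` bytes of a DNSQR record, trailing dot included.

    Returns:
        ``(name, payload)`` where ``name`` is the base64-decoded file name
        (bytes) and ``payload`` is the base64 text carried by this query with
        the carrier suffix removed, ``-.`` label separators dropped and ``*``
        restored to ``+``.

    Raises:
        UnicodeDecodeError: if ``qname`` is not valid UTF-8.
        ValueError: if the name label is not decodable base64
            (``binascii.Error`` is a ``ValueError`` subclass).
    """
    text = qname.decode()
    # Order matters: "*" -> "+" first, then strip the label separators, exactly
    # as the original one-liner did.
    payload = text[:-SUFFIX_LEN].replace('*', '+').replace('-.', '')
    name_b64 = text[-NAME_TAIL:][:NAME_LEN]
    return base64.b64decode(name_b64), payload


def safe_output_name(name):
    """Return ``name`` (bytes, taken from the capture) as ``<basename>.gz``.

    The file name is attacker-controlled data out of the pcap, so only the
    last path component is kept (both ``/`` and ``\\`` count as separators)
    and an empty or dot-only component is rejected; the output therefore
    always lands in the current working directory.

    Raises:
        ValueError: if nothing usable is left after stripping directories.
    """
    text = name.decode(errors="replace")
    base = text.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError(f"unusable file name {name!r}")
    return base + ".gz"


def main(pcap_path="test.pcap"):
    """Reassemble the files exfiltrated over DNS in ``pcap_path``.

    Every DNS query with a question section contributes one base64 chunk to
    the file named by its last label; chunks are concatenated in capture
    order (a retransmitted query would be appended twice — TODO confirm the
    capture has none) and each file is written as ``<name>.gz``.
    """
    files = {}
    for packet in rdpcap(pcap_path):
        if not packet.haslayer(DNS):
            continue
        dns_layer = packet[DNS]
        # Only queries (qr == 0) that carry a question section are relevant.
        if dns_layer.qr != 0 or not dns_layer.qd:
            continue
        query = dns_layer.qd  # question record (usually just one)
        try:
            # NOTE(review): on scapy versions where qd is a list, query.qname
            # raises AttributeError and the packet is reported below.
            name, chunk = extract_chunk(query.qname)
        except UnicodeDecodeError:
            # The original referenced an undefined get_type_name(); the raw
            # qtype number is printed instead.
            print(f"[+] DNS Query: Requested '{query.qname}' (Type: {query.qtype}) - Could not decode name")
            continue
        except AttributeError:
            print(f"[!] DNS Query: Error parsing question section: {query.summary()}")
            continue
        except ValueError:
            # Name label is not base64: report and skip rather than abort the
            # whole extraction on one malformed packet.
            print(f"[!] DNS Query: name label is not base64 in '{query.qname}' - skipped")
            continue
        files[name] = files.get(name, "") + chunk

    for name, payload in files.items():
        try:
            out_name = safe_output_name(name)
            data = base64.b64decode(payload)
        except ValueError as err:
            print(f"[!] Skipping {name!r}: {err}")
            continue
        with open(out_name, "wb") as out:
            out.write(data)


if __name__ == "__main__":
    main()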