DNS TUNNELING

Analysts can identify DNS tunneling by investigating DNS query name lengths and the domains being queried: a tunnel encodes its data in subdomain labels, so its queries are unusually long and all of them go to one attacker-controlled domain.

root@dco:~$ wireshark
Wireshark > File > Open > Desktop/exercise-pcaps/dns-icmp/dns.pcap

#step 1: get an overview
Wireshark
 Filter: dns
 
#step 2: filter for anomalous names
Wireshark
 Filter: dns.qry.name.len > 15 and !mdns

 * this keeps DNS queries whose name is longer than 15 characters, excluding multicast DNS (mDNS, UDP/5353), whose .local service-discovery names are long by design.
 * 15 is only a starting threshold for this exercise; normal traffic has plenty of long legitimate names, so the next step is to filter the known-good ones out.
   
#step 3: pin-point the tunnel
Wireshark > Packet List > Packet Details > Domain Name System > Queries > ... > right-click Name > Apply as Filter > ...and not Selected
 ((((dns.qry.name.len > 15 and !mdns) && !(dns.qry.name == "v10.events.data.microsoft.com")) && !(dns.qry.name == "connectivity-check.ubuntu.com")) && !(dns.qry.name == "131.94.168.192.in-addr.arpa")) && !(dns.qry.name == "8.8.8.8.in-addr.arpa")
  A8D603B0DE000000009AF29E902AB216780EAFD10AA3E4A376A2D9165E7809E.2030742EDA1B513BF68DFD675E855A2AA61B2BCE0A7889811D12B34806B9A18.441119E94628EA35FFF9.dataexfil.com

  * keep filtering out non-pertinent query names (OS telemetry, connectivity checks, reverse lookups under in-addr.arpa) until only the unexplained names remain
  * what remains is the tunnel: the first two labels are exactly 63 characters, the maximum DNS label length, every character is a hex digit, and all of the queries go to one domain, dataexfil.com. If the labels are hex-encoded bytes, each query carries 146/2 = 73 bytes of data out of the network. Once the domain is known, dns.qry.name contains "dataexfil.com" pulls the whole session.
