- 115e0ba3c3d72647fcb9a53ae90e47a6.jpg
- __MACOSX/._115e0ba3c3d72647fcb9a53ae90e47a6.jpg
The second file (the AppleDouble metadata that macOS stores alongside the image in `__MACOSX`) tells us that the JPEG was downloaded from http://ircimages.com/ircimages/1/1/115e0ba3c3d72647fcb9a53ae90e47a6.jpg
When diffing the original file with the gb200 one, we can note that 84 bytes were added to the end of the image:
00000000 cc ef 48 00 01 02 00 50 56 00 01 02 08 00 45 00 |..H....PV.....E.|
00000010 00 46 e0 63 00 00 40 11 84 8f 4b 94 64 05 8c c5 |.F.c..@...K.d...|
00000020 d9 55 7a 69 00 35 00 32 e1 2f 1c f7 01 00 00 01 |.Uzi.5.2./......|
00000030 00 00 00 00 00 00 02 31 33 02 31 32 02 31 31 02 |.......13.12.11.|
00000040 31 30 07 69 6e 2d 61 64 64 72 04 61 72 70 61 00 |10.in-addr.arpa.|
00000050 00 0c 00 01 |....|
This is in fact a raw Ethernet frame carrying a DNS query, which decodes as follows:
cc ef 48 00 01 02 Destination MAC address (Cisco OUI)
00 50 56 00 01 02 Source MAC address (VMware OUI)
08 00 Type: IP
45 IP version 4, header length 5 words (20 bytes)
00 Type of service (DSCP/ECN)
00 46 Total length: 70
e0 63 ID
00 00 Flags / fragment offset
40 TTL
11 Proto: UDP
84 8f Header checksum
4b 94 64 05 Source IP: 75.148.100.5
8c c5 d9 55 Destination IP: 140.197.217.85
7a 69 Source port: 31337
00 35 Destination port: 53
00 32 Length: 50
e1 2f Checksum
1c f7 Transaction ID
01 00 Flags (standard query, recursion desired)
00 01 Questions: 1
00 00 Answer RRs: 0
00 00 Authority RRs: 0
00 00 Additional RRs: 0
02 31 33 02 31 32 02 31 31 02 31 30 07 69 6e 2d 61 64 64 72 04 61 72 70 61 00
13.12.11.10.in-addr.arpa
00 0c Type PTR
00 01 Class IN
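To make the decoding above reproducible, here is an added example (not part of the original write-up) that does the two steps by hand: it takes the bytes appended to the image as the difference between an original and a modified file, then walks the Ethernet, IPv4, UDP and DNS headers with `struct`, verifying the IPv4 header checksum along the way. The 84 frame bytes are transcribed from the hex dump above; the two JPEG byte strings are constructed stand-ins for the real files, and all function names are the example's own.

```python
import struct
from typing import Any, Dict, Tuple

# The 84 trailing bytes from the hex dump above, transcribed so this runs offline.
APPENDED = bytes.fromhex(
    "ccef480001020050560001020800"                # Ethernet II: dst MAC, src MAC, type 0x0800
    "45000046e06300004011848f4b9464058cc5d955"    # IPv4 header, 20 bytes
    "7a6900350032e12f"                            # UDP header: 31337 -> 53, length 50
    "1cf701000001000000000000"                    # DNS header: id 0x1cf7, RD set, 1 question
    "023133023132023131023130"                    # labels "13" "12" "11" "10"
    "07696e2d61646472046172706100"                # "in-addr" "arpa" root
    "000c0001"                                    # QTYPE PTR, QCLASS IN
)

# Constructed stand-ins for the two files that were diffed: a tiny JPEG-shaped
# blob (SOI ... EOI) and the same blob with the frame appended.
ORIGINAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
MODIFIED_JPEG = ORIGINAL_JPEG + APPENDED


def diff_trailer(original: bytes, modified: bytes) -> bytes:
    """Return whatever was appended to `original` to produce `modified`."""
    if not modified.startswith(original):
        raise ValueError("modified file is not original + trailer")
    return modified[len(original):]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 means the checksum field in `header` is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed DNS name; return (name, offset after the root label)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def ptr_target(qname: str) -> str:
    """Turn 13.12.11.10.in-addr.arpa back into the address being looked up."""
    if not qname.endswith(".in-addr.arpa"):
        raise ValueError("not a reverse-lookup name")
    return ".".join(reversed(qname[:-len(".in-addr.arpa")].split(".")))


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Walk Ethernet II -> IPv4 -> UDP -> DNS question and return the fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP: protocol %d" % proto)
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:ulen]
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "ip_version": ver_ihl >> 4, "ttl": ttl, "total_len": total_len,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src_ip": ".".join(str(b) for b in sip),
        "dst_ip": ".".join(str(b) for b in dip),
        "sport": sport, "dport": dport, "udp_len": ulen,
        "txid": txid, "rd": bool(flags & 0x0100),
        "counts": (qd, an, ns, ar),
        "qname": qname, "qtype": qtype, "qclass": qclass,
        "ptr_target": ptr_target(qname) if qtype == 12 else None,
    }


if __name__ == "__main__":
    for key, value in decode_frame(diff_trailer(ORIGINAL_JPEG, MODIFIED_JPEG)).items():
        print("%-15s %s" % (key, value))
```

The decoder trusts the IPv4 total length and UDP length fields to delimit each layer, which is exactly what a capture tool does; the IPv4 checksum check is a cheap way to confirm the appended bytes really are a well-formed header rather than a coincidence of the hex dump. The UDP checksum is left unverified here.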
We have to send a DNS request to 140.197.217.85 asking for the PTR record of 10.11.12.13 (13.12.11.10.in-addr.arpa), with 31337 as the source port. Scapy can help us:
```python
from scapy.all import IP, UDP, DNS, DNSQR, sr1

dnsQuery = DNSQR(qname="13.12.11.10.in-addr.arpa", qtype="PTR")  # question section
dnsPacket = DNS(rd=1, qd=dnsQuery)                                # recursion desired, one question
ipPacket = IP(dst="140.197.217.85")
udpPacket = UDP(sport=31337, dport=53)                            # the source port is the key detail
packet = ipPacket/udpPacket/dnsPacket
dnsAnswer = sr1(packet)                                           # send and wait for one reply
dnsAnswer.summary()
```

```
'IP / UDP / DNS Ans "dan.kaminsky.kung.fu." '
```