We are given a PCAP file that we can view in Wireshark. It contains a lot of packets, but none of them seem to carry much actual information. On closer inspection, the traffic appears to be exfiltrating the various fields one bit of a character at a time: the server sleeps for three seconds if the bit is a 1, or returns immediately if it is a 0. After some trial and error, we can select only the relevant packets with the display filter mysql.packet_length == 1, then save and export these into a PCAP of their own.

We can then use a script to determine whether the time between each request and its response is immediate or delayed. Python time!
from scapy.all import *

pcap = rdpcap("<file>")  # the filtered PCAP exported from Wireshark
m = ""
# the filtered capture alternates request/response, so step through it in pairs
for i in range(0, len(pcap), 2):
    # an immediate reply (well under the three-second sleep) encodes a 0
    if pcap[i+1].time - pcap[i].time < 1:
        m += "0"
    else:
        m += "1"
We can then print m, which is the series of bits making up the exfiltrated information:
>>> m '0110010001100010010111110110110100110011001100010011010000111001011100110110001101110010011001010110010101101110011100110110100001101111011101000111001100101100011101010111001101100101011100100111001101101001011001000010110001110101011100110110010101110010001011000111000001100001011100110111001101110111011011110111001001100100011000010110010001101101011010010110111001001000010101000100001001111011011000100011000101110100010111110111001101101000001100010110011001110100001100010110111001100111010111110011001101111000011001100011000101101100010111110011000101110011010111110110001100110000001100000110110001111101'
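The same timing analysis carried through to the end, as an added example rather than the writeup's own script: it classifies each request/response delta into a bit using a threshold that sits between the immediate and the three-second case, pairs timestamps the way the filtered capture alternates them, and decodes the bit string m printed above into ASCII. It works on plain (request, response) timestamp tuples instead of scapy packets so it runs without the PCAP; the `simulate_timestamps` helper and the short sample text it encodes are constructed for illustration, and the `M` constant is the bit string from above.

```python
"""Recover a timing-encoded bit stream from request/response pairs and decode it.

Added example, not the original writeup's code. It operates on plain
(request_time, response_time) tuples so the same logic applies to scapy
packets, tshark output, or any server log with timestamps.
"""
from typing import Iterable, List, Tuple

SLEEP_SECONDS = 3.0  # delay observed in the capture for a 1 bit


def deltas_to_bits(pairs: Iterable[Tuple[float, float]], threshold: float = 1.0) -> str:
    """Map each (request, response) pair to '1' if the reply was delayed by at
    least `threshold` seconds (the server slept), otherwise '0'."""
    bits = []
    for req_t, resp_t in pairs:
        delta = resp_t - req_t
        if delta < 0:
            raise ValueError(f"response precedes request: {req_t} -> {resp_t}")
        bits.append("1" if delta >= threshold else "0")
    return "".join(bits)


def pair_by_order(timestamps: List[float]) -> List[Tuple[float, float]]:
    """Pair consecutive timestamps as (request, response), matching the way the
    filtered capture alternates them. A trailing unpaired timestamp is dropped."""
    if len(timestamps) % 2:
        timestamps = timestamps[:-1]
    return list(zip(timestamps[0::2], timestamps[1::2]))


def bits_to_text(bits: str) -> str:
    """Decode 8-bit big-endian ASCII; leftover bits short of a byte are ignored."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def text_to_bits(text: str) -> str:
    """Inverse of bits_to_text, used to build the constructed sample."""
    return "".join(format(ord(c), "08b") for c in text)


def simulate_timestamps(text: str, start: float = 0.0, jitter: float = 0.05) -> List[float]:
    """Constructed sample: the timestamps such a session would leave behind.
    Each bit is one request/response pair; a 1 bit adds SLEEP_SECONDS before the
    reply, and `jitter` stands in for ordinary round-trip latency."""
    ts = []
    t = start
    for bit in text_to_bits(text):
        ts.append(t)  # request
        t += jitter + (SLEEP_SECONDS if bit == "1" else 0.0)
        ts.append(t)  # response
        t += 0.01     # gap before the next request
    return ts


# Bit string m recovered above in the writeup
M = "0110010001100010010111110110110100110011001100010011010000111001011100110110001101110010011001010110010101101110011100110110100001101111011101000111001100101100011101010111001101100101011100100111001101101001011001000010110001110101011100110110010101110010001011000111000001100001011100110111001101110111011011110111001001100100011000010110010001101101011010010110111001001000010101000100001001111011011000100011000101110100010111110111001101101000001100010110011001110100001100010110111001100111010111110011001101111000011001100011000101101100010111110011000101110011010111110110001100110000001100000110110001111101"


def decode_writeup_bits() -> str:
    """Decode the writeup's bit string into the exfiltrated text."""
    return bits_to_text(M)


if __name__ == "__main__":
    sample = simulate_timestamps("hi")          # constructed session
    recovered = deltas_to_bits(pair_by_order(sample))
    print(bits_to_text(recovered))              # round-trips to "hi"
    print(decode_writeup_bits())
```

The threshold of one second is deliberately far from both clusters (near-zero round trips and the three-second sleep), so ordinary network jitter cannot flip a bit; if the deltas in a real capture do not separate that cleanly, plot them first and pick the gap. The same two-cluster latency signature over a long run of single-byte MySQL responses is also what a defender would look for in query or proxy logs to spot this kind of exfiltration.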