Uncover Suspicious DNS Queries


Introduction

In this challenge, you will step into the role of a cybersecurity analyst tasked with investigating potential data exfiltration through DNS queries. Your mission is to analyze network traffic captured in a pcapng file to identify all queried domain names that might reveal communication with command and control servers.

You will use tshark, the command-line network protocol analyzer, to extract DNS query names from the capture file. The challenge requires you to filter for DNS traffic, extract query names, sort them alphabetically, remove duplicates, and save the results to a file for further analysis. This practical exercise will enhance your skills in network traffic analysis and help you detect suspicious DNS activities that could indicate malicious behavior.


Uncover Suspicious DNS Queries

As a cybersecurity analyst, you've been tasked with investigating potential data exfiltration through DNS queries. Your job is to analyze network traffic and identify all domain names that were queried, which might reveal communication with command and control servers.

Tasks

  • Extract all DNS query names from the provided capture file, sort them alphabetically, remove duplicates, and save the results to a file for analysis.

Requirements

  • Use the tshark command to analyze the network traffic capture file located at /home/labex/project/capture.pcapng
  • Filter the capture file to only display DNS traffic
  • Extract only the DNS query names using the field extraction feature of tshark
  • Sort the results alphabetically
  • Remove duplicate entries
  • Save the final list to /home/labex/project/domains.txt
  • All operations should be performed using a single command pipeline

Examples

If you correctly extract the DNS query names from the capture file, your /home/labex/project/domains.txt might contain entries like:

amazon.com
example.com
google.com
...

Note: The actual domains in your file may vary depending on the specific DNS queries captured in the provided file.

Hints

  • Use the -Y "dns" filter option to focus only on DNS protocol packets
  • The DNS query name field can be extracted using -T fields -e dns.qry.name
  • Remember that Linux commands can be chained together using pipes (|)
  • The sort and uniq commands are useful for organizing the output
  • You can review basic tshark commands in the provided cheatsheet file at /home/labex/project/tshark_cheatsheet.txt
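The following is an added example, not part of the original challenge: the single pipeline the tasks describe, wrapped in a shell function whose default paths are the challenge's, plus the sort/deduplicate stage run on its own against a constructed sample of tshark output so the logic can be checked without a capture file.

```shell
#!/bin/sh
# Added example for the challenge above (not LabEx's own solution file).

# Extract unique DNS query names from a pcapng into an output file.
# $1 = capture file, $2 = output path; defaults are the challenge's paths.
extract_dns_domains() {
    capture="${1:-/home/labex/project/capture.pcapng}"
    out="${2:-/home/labex/project/domains.txt}"
    # -r reads the capture, -Y "dns" keeps only DNS packets,
    # -T fields -e dns.qry.name prints just the queried name per packet.
    # grep drops blank lines (packets with no qry.name field);
    # sort -u sorts alphabetically and removes duplicates, same as sort | uniq.
    tshark -r "$capture" -Y "dns" -T fields -e dns.qry.name \
        | grep -v '^$' | sort -u > "$out"
}

# The post-processing stage alone: query names on stdin,
# sorted and de-duplicated list on stdout.
dedupe_domains() {
    grep -v '^$' | sort -u
}

# Constructed sample of what `tshark ... -e dns.qry.name` prints: one line per
# packet. Responses carry the question section too, so repeats are normal,
# and a packet without the field yields an empty line.
SAMPLE_QUERIES='google.com
example.com
google.com

amazon.com
example.com
amazon.com'

# Number of distinct names in the sample after de-duplication.
count_unique_sample() {
    printf '%s\n' "$SAMPLE_QUERIES" | dedupe_domains | wc -l | tr -d ' '
}

# Run with --demo to print the de-duplicated sample; run with a capture path
# as first argument to process a real file.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_QUERIES" | dedupe_domains ;;
    "")     ;;
    *)      extract_dns_domains "$1" "${2:-/home/labex/project/domains.txt}" ;;
esac
```

Because sort -u performs both the sorting and the de-duplication, the whole requirement list is met by one pipeline; the separate sort | uniq form from the hints produces the same result.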

Summary

In this challenge, I analyzed network traffic to identify potential data exfiltration through DNS queries using tshark, a command-line version of Wireshark. I extracted DNS query names from a capture file, sorted them alphabetically, removed duplicates, and saved the results to a file for further analysis, developing practical skills in network traffic analysis and command-line filtering.

The challenge simulated a real-world cybersecurity scenario where identifying suspicious domain queries is crucial for detecting command and control communications or data exfiltration attempts. By learning to use tshark's field extraction capabilities specifically for DNS traffic, I gained valuable experience in security monitoring and network forensics that can be applied to identify potentially malicious network activities.