C2 Perscriptive Ordering #790
Comments
The go http client makes a best effort to identify the proxy settings, you probably want to use the
Yep that would probably work. I wondered though how I could know that upfront and if it would make sense to have the implant try all kinds of different options if I don't know them in advance? #791 would be my take on that.
So for the Go http library we use a modified go get proxied library located here in the code base: https://github.com/BishopFox/sliver/tree/master/implant/sliver/proxy which currently does employ multiple methods of identifying the proxy settings. Complexities typically arise from authenticated proxies and quirks in Windows internal APIs, which is why we recommend switching to
Hmmm, OK, so I guess I could then probably just list different HTTP connection strings when generating the implant to make it try different options one after another. E.g.,
Yeap! There's for sure improvements we can still make to this, so feel free to send us PRs still. You can also force proxy settings via the c2 advanced options for the go http client in one of your connection strings. For example, something like:
@DominicBreuker
Yea we need to find a way to have better UX around this feature.
It's quite usable. You just have to know it. So it might be enough to make the docs clearer (in the client -h). The more confusing thing is the connection strategy that you can't change arbitrarily by ordering your arguments. E.g. --http --mtls --wg still calls first mtls, then wg, then http, based on the performance of these protocols.
For me personally, it would be most intuitive if C2 endpoints were tried in the same order as they are specified. No need for a special argument.
You're welcome :)
I think this is generally how I'd expect it to work too, and we can implement it this way; it just requires a bit of extra parsing of the raw args, as grumble doesn't supply us with the order of the arguments after they're lexically parsed.
I've encountered the same issue. In various situations (personally all of them), I've come across HTTP proxies and not HTTPS... the detection occurs correctly though it happens correctly.
Describe the bug
When I set up an HTTP Squid proxy (local network, no HTTPS) in Windows 10, manual configuration, then Windows only accepts IP and port. The implant detects the proxy as a WinHTTP:NamedProxy and since no scheme is found, it defaults to HTTPS (code). Thus, it cannot connect, even though the proxy otherwise works perfectly.
To Reproduce
Steps to reproduce the behavior:
generate beacon --http 192.168.1.10 --debug --save /tmp/beacon.exe --seconds 5 --jitter 0 --os windows
)error:invalid-request.
Expected behavior
The implant should try both HTTP and HTTPS for the proxy URL if the scheme is not specified.
Screenshots
A screenshot of what the error looks like:
Additional context
I've PoCed a fix for this, will open a PR and link it here.
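The expected behavior from the issue body above, as an added Go example (not code from the Sliver code base or from the PR mentioned): a scheme-less proxy entry is expanded into an HTTP and an HTTPS candidate, and the first one that passes a check is used. The function names, the `probe` callback, the http-first order and the sample address are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// proxyCandidates expands one manually configured proxy entry into the URLs
// to try, in order. An explicit scheme is kept; a bare "host:port" yields
// http:// first, then https:// (the order is an assumption of this example).
func proxyCandidates(entry string) ([]*url.URL, error) {
	entry = strings.TrimSpace(entry)
	if entry == "" {
		return nil, fmt.Errorf("empty proxy entry")
	}
	schemes := []string{"http", "https"}
	if i := strings.Index(entry, "://"); i >= 0 {
		schemes, entry = []string{entry[:i]}, entry[i+3:]
	}
	var out []*url.URL
	for _, s := range schemes {
		u, err := url.Parse(s + "://" + entry)
		if err != nil || u.Host == "" {
			return nil, fmt.Errorf("invalid proxy entry %q", entry)
		}
		out = append(out, u)
	}
	return out, nil
}

// firstWorking returns the first candidate accepted by probe, a hypothetical
// caller-supplied check such as one test request sent through that proxy.
func firstWorking(cands []*url.URL, probe func(*url.URL) error) (*url.URL, error) {
	lastErr := fmt.Errorf("no proxy candidates")
	for _, u := range cands {
		err := probe(u)
		if err == nil {
			return u, nil
		}
		lastErr = fmt.Errorf("%s: %w", u, err)
	}
	return nil, lastErr
}

func main() {
	// Constructed sample: a scheme-less entry as a manual proxy setting stores it.
	cands, err := proxyCandidates("192.168.1.20:3128")
	fmt.Println(cands, err)
}
```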