the port of beacon_http and the role of external_c2.cna #1
Comments
Hi there,
Hope this helps. Regards |
Thank you for your reply. I will try again to see if it can be reproduced successfully. Thanks again~~~ |
Sorry for some reason the error output did not show up for me, so I missed that. Going to reopen so I can take a further look. |
If you need any information, please let me know. Thank you ~ |
Thanks for the detailed update. I have had a quick look and I think I know what is happening. If you notice in the Windows client screenshot, the DNS query within the HTTPS URI is inconsistent with that being received by the python DNS server with the first label missing. This seems to be down to a quirk of the specific DoH provider and the way it goes about resolving the DNS. Poor exception handling within the python3 server currently gives this exception as it only does basic label parsing to get the data elements it needs. In this case, the labels do not match up as the first is absent. However, this should only cause an exception in the specific server thread so should in theory continue. The issue I think is the DoH provider then fails to receive a response and causes everything to hang. So I can see that further exception handling is required in the python script to gracefully provide a response perhaps. This is something I can look into. I had not tried this with this DoH provider, so its interesting to see how they each differ slightly in their implementation. |
Yeah , you are right . Thank you ~~ When I change the DoH provider from "https://dns.rubyfish.cn/dns-query" to "https://dns.google.com/resolve", the above problem is solved. But it still can't working properly. The new problem is that I can't see the client's online in Cobalt Strike. And the client is terminated after running for a while. I don't know if it is a problem in the communication process between Raw DNS Server and Cobalt Strike through Port 2222. In addition, in the step 9 of Usage , I don't change the value of "encryption key/IV" in the DoHC2.py and DoHChannel.cs, and keep the default. Is it OK? Looking forward to your reply~~ Thank you . |
And now I known the reason why the client terminated is that it receives the response string "EOFEOFEOFEOF" from the Raw DNS Server. But why is this happening ? Why it does not display in the control panel of Cobalt Strike? Is this related to the version of Cobalt Strike I am using, which is "cobalstrike3.8"? |
So the 'EOF' line response is used to mark the end of the receive buffer. Dirty hack but the idea is the client iterates until it receives it. In this output everything seems OK from the configuration of the tool, however, the socket being opened to External C2 port 2222 does not seem to be receiving the stager, as I can see that the receive buffer is empty after having instructed External C2 to start. I wonder if you could try this simple client, which aims to pull the stager from port 2222. If we debug this part then it should hopefully work: https://gist.github.com/dtmsecurity/44a20a73a2caf5a7d1a92db56ac0b761 In terms of working IV/Key don't matter as long as the keys are the same in python and C# ExternalC2 Library. If you have left them intact thats not the issue here. |
Did the getStager.py script work OK? I can see the stager.bin was created, did this have data in it? |
Yes,the getStager.py works fine, and the stager.bin was created and had data in it. Is it indicates that the External C2 Server is up and running normally? I think it is. Now I guess the reason may be related to the Operating System. The DoHC2Runner.exe is compiled on Win7 32 OS. Now I am reconfiguring the environment, and plan to compile DoHC2Runner on Win7 64 OS. After the test is over, I will give you the feedback. Thank you ~~~ |
Hi, I find the reason why the response is None. It is because the length of the stager is not the multiple of 16, which making the function "encrypt" generates an exception , so the return value of "cipher_text" is "" . And the Exception is as follows: So I add the following code in the Function "encrypt". It will judge the length of the stager, and if the length is not the multiple of 16, it will append null characters. https://gist.github.com/xinhaojing/221e581cb389316f4596f3ef2a30844d Then I retest and the client can be successfully launched. In addition, when testing, I find whether launch a beacon_http/beacon_https listener is not necessary. The project is very interesting. You are very good. Thanks for your help~~~ |
Thank you for working this out and glad it’s now working. This code was added at last minute and sorry I missed this, this did not come up in my tests. I will get this fixed in the master branch ASAP. |
Thanks again, I've pushed a fix for this and also introduced some (try except) exception handling too for now. This is a temporary fix for the exception handling, as there's some other optimizations I would like to see too. |
I have same problem , I used your script DoHC2_new.py, but I can not see anything on cobaltstrike |
Hi, I am very interested in this experiment and plan to reproduce it. But I am having problems now and would like to ask.
1 In the step 2 in Usage, when launch a beacon_http/beacon_https listener,how its port should be set? And what is the role of external_c2.cna ?
2 when I run the DoHC2.py , I get the following errors . What should I do to resolve it.
Thank you for your reply.
The text was updated successfully, but these errors were encountered: