License Validation Clarification

[oac]

Can I get some info on how the licenses are validated?  I'm attempting to shove that Hak5C2 into a docker container, but I'm getting errors after deployment attempting to validate a license.

I'm deploying a Debian 9.5, both as a Digital Ocean droplet for initial testing and then as a Debian container.  When I run as the container, it can't validate the licensing.

I did a PCAP of the network traffic on the Droplet and can see it chatting with the licensing server, but that's obviously encrypted and I have no idea what the licensing server is looking for or why it can't validate.  Does the licensing server require additional visibility on the deployment?

[Sebkinne]

Hi Oac,

Does you docker container have network access to https://c2.hak5.org? As long as the server can reach that URL (and you have a valid license), you should be good to go.

[oac]

You're welcome to give it a look yourself, but I can't figure it out.  I've validated the container can reach https://c2.hak5.org and tried it with debian and ubuntu builds.

There might be an issue with how I'm doing the reverse proxy as the c2 host itself is not directly accessible on 80,8080,or 443 - it feeds through a reverse proxy on the front.  I put that info in the README on the github.  But I just get the following when entering the info using a key I ordered less than an hour ago and never used before.

https://github.com/overallcoma/Hak5-C2

Also - if it is a problem that I put a copy of the client on github let me know and I'll pull it off - I can implement a download-at-build setup if that is preferred.

[oac]

Quick update - I did modify the docker run slightly and attempt to just do 8080:8080 mapping, skip the encryption all together and go by IP address.  This also failed in the same way.

Does the license validation do something to check that it can directly reach the host?  Or that the hostname it gives itself is a valid, internet-accessible hostname?  Because I'm putting it behind a reverse proxy I set the hostname as the internal IP (you'll that in the run.sh script).

Still the same error and I tried it with another license I just generated a few minutes before I made this post, a few bit after the last post.  Maybe there is a verbose logging mechanism so I can see what is going on when it tries to connect?

[Sebkinne]

Hi Oac,

Currently the Cloud C2 server doesn't work properly behind a reverse proxy - we'll introduce settings which support this in the next update, which should be out within the week.

Unfortunately, this doesn't seem to have anything to do with the fact the license cannot be validated. The message "error validating license key" means that there was an issue communicating with the c2.hak5.org server, or that the response was incomplete or corrupted. 

I'm going to see if I can replicate the issue. If I can we'll make sure it's fixed for the next update.

[oac]

Thanks Seb

Let me know if I can assist.  Bear in mind if you're using that repo I linked that I did not put in any volumes so none of the config data will be stored.  I figured I would implement volumes once it was validating the setup.

If you want a pcap or whatnot of the communication coming off the container during license validation, let me know.

[reinaertvdc]

The problem still exists, but I found the cause: the package ca-certificates is missing in the Docker containers. Using the Dockerfile below, I confirmed that C2 is able to validate the license key.

FROM debian:stable-slim

RUN apt-get update && apt-get install -y --no-install-recommends \
		ca-certificates \
	&& rm -rf /var/lib/apt/lists/*

...