Jump to content

Help using SSL on C2


Th4ntis

Recommended Posts

Posted

So I'm running a VPS and i've never had to make an SSL Cert for it(Kinda new to this), so I looked up how to make an SSL Cert so I can use it and connect to the C2 securely. So, I found this guide and is essentially says to run this command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

So I do and I do make the cert. So I run this command:

./c2_community-linux-64 -hostname (VPS IP) -certFile string /etc/ssl/certs/apache-selfsigned.crt

It DOES run, but I can still only get to it if I use HTTP(http://(VPS IP):8080).  So can someone maybe help me out or point me in the right direction. Much appreciated.

Posted
8 hours ago, Audrick said:

When I use https on my C2 I get to it via https://c2.mysecretsite.com I don't use port 8080

I am running this command in roots crontab @ reboot

/root/web/c2_community-linux-64 -hostname c2.mysecretsite.com -db /root/web/c2.db -https

If that helps. 

A

That's what I had tried but

image.png.0879c2df7097031c1dc12f54ab4f236b.png

Posted

When you run CloudC2 in SSL mode, it requires port 80 and 443.

Going by your screenshot, something has already taken up port 80 on your VPS.

 

You can check what's running on port 80 using:

netstat -tulpn | grep :80

 

If your VPS complains about netstat not being installed, you may need to install net-tools aswell.

  • 2 months later...
Posted
On 9/5/2019 at 11:21 PM, Th4ntis said:

 


./c2_community-linux-64 -hostname (VPS IP) -certFile string /etc/ssl/certs/apache-selfsigned.crt

 

I think the issue may be your syntax. Try to take out the word "string" from the above command. You copied the example too literally. The "string" is a placeholder, and it is supposed to be substituted with the path to the certificate file. You have the path, just don't need the word "string" in there.

Posted

Thank you for the link to the Guide on OpenSSL 

For me at least, I was able to create the key and the .crt ... however, when I run the command 

./c2_community-linux-64 -hostname https://c2.mydomain.net -https -certFile /etc/ssl/certs/selfsigned.crt
[*] Initializing Hak5 Cloud C2
[*] Running Hak5 Cloud C2
[!] Webserver failed to start: open : no such file or directory
[*] Shutting down gracefully
[*] Server stopped

Posted

@UnLo

Try these suggestions:

  • Use a full path for the executable part: /root/c2_community-linux-64 (or wherever this file is located - type in pwd to see the folder name). It's always best practice to use the full path
  • Take out the https:// in the hostname, and just use: c2.mydomain.net
  • Verify that the certFile path is correct: /etc/ssl/certs/selfsigned.crt 
  • Do you also have a key file that was created when you created the SSL certificate? You should specify it as well with -keyFile switch

Here is my full command:

/root/c2_community-linux-64 -db /root/c2.db -hostname c2.myhostname.com -https -keyFile /etc/letsencrypt/live/c2.myhostname.com/privkey.pem -certFile /etc/letsencrypt/live/c2.myhostname.com/fullchain.pem

In my case, my -certFile is a bundled file that contains both the certificate and the intermediate trusted certificates from LetsEncrypt.

Posted
8 minutes ago, Flatlinebb said:

@UnLo

In my case, my -certFile is a bundled file that contains both the certificate and the intermediate trusted certificates from LetsEncrypt.

Is that Step with LetsEncrypt required? or will what I did with OpenSSL work just fine?

Posted
Just now, UnLo said:

Is that Step with LetsEncrypt required? or will what I did with OpenSSL work just fine?

I think it is specific to LetsEncrypt only. In your case, since you are using a self-signed cert, it is not needed. I just wanted to be clear with my example in case someone reads it in the future. I outlined my own struggles with certs in another post.

Posted

sudo /home/user/c2_community-linux-64 -hostname c2.mydomain.net -https -keyFile /etc/ssl/private/selfsigned.key -certFile /etc/ssl/certs/selfsigned.crt
[*] Initializing Hak5 Cloud C2
[*] Initial setup detected. Setup token: xxxx-xxxx-xxxx-xxxx
[*] Running Hak5 Cloud C2
2019/11/12 23:24:47 http: TLS handshake error from xxx.xxx.xxx.xxx:33760: remote error: tls: unknown certificate
 

 

Unfortunately it doesn't seem to like me, even though the server started. However, interestingly.... this time I am presented with the link to proceed wow... thank you. Not sure it is "as it should be" just yet, but delighted to actually see the login screen. 

Posted

That is actually progress 🙂 I had this same issue - an untrusted certificate. That's what triggers the TLS handshake error. It's your browser rejecting the self-signed and "untrusted" cert. Try a different browser maybe.  You may want to look into using LetsEncrypt and not use a self-signed cert for this exact reason. Per Darren's post, the built-in cert process in C2 is getting fixed and they will release an updated version, which will take care of the SSL cert for you. Unless you want to play with LetsEncrypt and certbot: https://certbot.eff.org/

 

Posted

i'll say, I actually got to use my License key! attempting to enroll a device now. Thx for the assist, looking forward to the update that makes this work as it should.

Posted

SO, i've gone back through and re-run this command. The first time through I skipped all the details of the certificate when setting it up. Including the FQDN. (Doh) Anyway. .. I decided to go back through and re-run this command after killing my server, removing the keys and the .db file and starting fresh. This time I did complete the certificate details including the FQDN, I restarted server with new key and cert file.. everything started up, however I still get the same TLS Handshake error  TLS; Unknown certificate when I make a connection from the browser. I'm guessing... this error & cert details could also be the root of why my devices won't connect back to c2, (downloading device.config for pineapple, sharkjack, packet squirrel ) even though these devices are online and can ping the server.

Posted

@UnLo

When you generate your own SSL certificate, it is by definition untrusted, regardless of the information you fill out during the creation process. This is why your web browser doesn't like the certificate, and this is most likely why your devices will not connect to your C2 server. 

You have two options: use Letsencrypt to generate a trusted SSL certificate, or wait for the C2 server binary to be updated by the Hak5 team, so it generates a valid trusted certificate for you. Technically, you have 3 options - don't use SSL at all.

Posted
On 11/12/2019 at 6:20 PM, Flatlinebb said:

I think it is specific to LetsEncrypt only. In your case, since you are using a self-signed cert, it is not needed. I just wanted to be clear with my example in case someone reads it in the future. I outlined my own struggles with certs in another post.

This has been bugging me, obviously. So I followed the instructions for certbot. After removing my openssl keys and shutting down my server I followed the instructions outlined here

Might your struggles have included this message -> Webserver failed to start: tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched
[*] Shutting down gracefully
[*] Server stopped

 

**Solved had my key and cert files switched around by mistake - > no more TLS errors -> hopefully I can get a device to show up in the dashboard now.

 

image.png.768502b6abb6dfd159ef2e98d4eaca80.png

 

....-> jackpot!

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...