
[RELEASE] Hak5 Cloud C2 2.1.x


Foxtrot


Hi,

We're happy to announce 2.1.x of the Cloud C2, which features some quality of life improvements and bug fixes.

Change Log (2.1.2)

  • General
    • Fixed an issue where the Terminal would not initialise properly.
    • Links in the Terminal are now clickable and will open in a new tab.

Change Log (2.1.1):

  • General
    • Fixed an issue where devices would not be deleted from the Hak5 Cloud C2.
    • Fixed an issue where, in rare instances, the UI would not load.
  • Loot
    • Remove 32 character limit for loot export paths.

Change Log (2.1.0):

  • General
    • Update ACME LetsEncrypt generation to use the ACME2 standard.
    • Users are now forced to enter the name of the device in order to wipe or remove it from the Cloud C2.
  • Loot
    • Fix an issue where downloads for non-ASCII loot would be corrupt.
    • Loot size is now displayed in human readable format instead of just bytes.

 

You can update over the air via the Hak5 Cloud C2 Web UI, or via the Hak5 Download Center.

Link to comment
Share on other sites

Thank you so much for the update! We appreciate your time working on fixing bugs. I upgraded mine manually, and it worked fine. I haven't tested the auto-cert creation with the new ACMEv2 yet, because I'm using a standalone copy of certbot. Needless to say, it works fine with my existing certificates.

Link to comment
Share on other sites

I updated but get these errors in both FF and Chrome: 

runtime-es2015.edb2fcf2778e7bf1d426.js:1 Failed to load module script: The server responded with a non-JavaScript MIME type of "text/plain". Strict MIME type checking is enforced for module scripts per HTML spec.
polyfills-es2015.37079d968779460d22e5.js:1 Failed to load module script: The server responded with a non-JavaScript MIME type of "text/plain". Strict MIME type checking is enforced for module scripts per HTML spec.
main-es2015.bf287fa2e71c29519f64.js:1 Failed to load module script: The server responded with a non-JavaScript MIME type of "text/plain". Strict MIME type checking is enforced for module scripts per HTML spec.

Link to comment
Share on other sites

On 11/23/2019 at 4:46 PM, Midnyteshade said:

I updated but get these errors in both FF and Chrome: 

runtime-es2015.edb2fcf2778e7bf1d426.js:1 Failed to load module script: The server responded with a non-JavaScript MIME type of "text/plain". Strict MIME type checking is enforced for module scripts per HTML spec.
polyfills-es2015.37079d968779460d22e5.js:1 Failed to load module script: The server responded with a non-JavaScript MIME type of "text/plain". Strict MIME type checking is enforced for module scripts per HTML spec.
main-es2015.bf287fa2e71c29519f64.js:1 Failed to load module script: The server responded with a non-JavaScript MIME type of "text/plain". Strict MIME type checking is enforced for module scripts per HTML spec.

That's quite odd, I can't reproduce this myself. What versions of Firefox and Chrome are you using? How are you hosting the C2?

EDIT: While I can't reproduce this myself, I've found an issue where someone else is experiencing this. I will fix this with a 2.1.1 update tomorrow. You can read more about the issue here.

Link to comment
Share on other sites

  • Foxtrot changed the title to [RELEASE] Hak5 Cloud C2 2.1.x
On 11/24/2019 at 11:09 PM, Midnyteshade said:

I'm using the latest version of each, FF and Chrome.  Reverting to 2.0 works fine, but anytime I run 2.1 I get these errors.  I'm hosting using c2_community-windows-64.exe -hostname [host].  Thanks for your speedy response and fix. 🙂

2.1.1 is live now, it should resolve your issue.

Link to comment
Share on other sites

  • 4 months later...
On 21/11/2019 at 16:11, Foxtrot said:

Hi,

We're happy to announce 2.1.x of the Cloud C2, which features some quality of life improvements and bug fixes.

Change Log (2.1.2)

  • General
    • Fixed an issue where the Terminal would not initialise properly.
    • Links in the Terminal are now clickable and will open in a new tab.

Change Log (2.1.1):

  • General
    • Fixed an issue where devices would not be deleted from the Hak5 Cloud C2.
    • Fixed an issue where, in rare instances, the UI would not load.
  • Loot
    • Remove 32 character limit for loot export paths.

Change Log (2.1.0):

  • General
    • Update ACME LetsEncrypt generation to use the ACME2 standard.
    • Users are now forced to enter the name of the device in order to wipe or remove it from the Cloud C2.
  • Loot
    • Fix an issue where downloads for non-ASCII loot would be corrupt.
    • Loot size is now displayed in human readable format instead of just bytes.

You can update over the air via the Hak5 Cloud C2 Web UI, or via the Hak5 Download Center.

Hello, is it the same series to enter with that code? ... mceclip0.png
As I had purchased, I missed a code.
Can you receive another copy of my order? It is the number 173095, I hope I can do it. I wait for the answer

Link to comment
Share on other sites

Edit: My concerns appear to be unfounded. I've since reinstalled with no problems.

Hello,

I'm running on an Ubuntu 18.04 VPS. I keep getting hacked! Only ports open on my firewall are tcp:443 and UDP:1194. Only web server running on the box is the C2 Community Linux 64 executable. I am running OpenVPN for remote admin access.

Initial setup is done with all incoming traffic blocked at the VPS firewall and all updates are immediately applied first thing. I access the system via the VPS console. I then extract and unzip the community zip file, and run the linux 64 executable. I check my box a few hours later, and netstat is reporting reverse ssh connections from the box to an IP address that I've traced to a server in China. I have reinstalled several times with the same result.

There seems to be a security vulnerability in your web server.

I am running another Ubuntu 18.04 VPS, with only UDP:1194 traffic exposed, and do not appear to be hacked as of yet, so I don't think the problem is in OpenVPN. I used the same OpenVPN_install.sh script to install on both boxes.

Link to comment
Share on other sites

Is anyone else seeing any additional SSH connections? This can be determined by typing:

netstat | head -n 20

The head command just cuts the output to the first 20 lines of output, if you are wondering. Should be plenty enough to see if there are any ssh connections or connections on port 22. I trust you all can figure out how to read the table.

Link to comment
Share on other sites

Are you talking about SSH connections, or connection attempts? The latter is the nature of running an SSH server on the Internet. The risk is low if you are taking standard precautions (updated SSH server, good passwords, known host fingerprint checking, public key authentication, etc). An SSH SYN does not equal “getting hacked”. My very own VPS logs attempts from China and elsewhere - which is the nature of the beast. If I were concerned, I might restrict the firewall to only allow connections from my home IP address, but I don’t believe that is necessary. If you have data to share to back up your claim of a security vulnerability, we are obviously all ears and in fact have channels for such bug reporting. I don’t assume you are acting with anything less than good intentions, however making such a claim without data is not the most helpful.

Link to comment
Share on other sites

Darren, I have all incoming SSH connections blocked at the VPS firewall. The only ports that I had open to the public, were 443 TCP and 1194 UDP.

I used the OpenVPN setup script you talked about on one of your shows, and your C2 server running. Everything else running was “stock” Ubuntu software. Further, those were the only two things exposed to the Internet.

Somehow, someone got access to my machine via one of those two services, and opened an outgoing reverse ssh connection to somewhere in China.

Once again, there is no way they could have made an initial connection via ssh, since the VPS firewall would have blocked it.

Since the connections were being initiated by my server, I was unable to block the connection, and had to scrap the server altogether.

I may try again when the problem is fixed. I did back up my database file before scrapping it.

Incidentally, my home router running OPNSense firewall software was also hacked shortly after posting that.

It would seem that everyone having to stay home has some side effects.

Link to comment
Share on other sites

Follow-up: I somehow missed the end of your message the first time through. I would concur with your statement, that the lack of data to support my concern is more likely to cause panic among users than to be helpful.

I am going to create another VPS, just as I did before, just for the sake of evidence gathering and fact-finding.

I will say, that I was able to detect the hacks with the netstat command.

If anyone is concerned about whether or not they have been hacked in this manner, they can run

netstat | grep ssh

and that should show you all ssh connections open on your system. There should be one ssh connection open if you are connected to your cloud server via ssh. This is not a conclusive test to see if you have been hacked or how, but just gives an indication as to a possible hack.

PLEASE DO NOT POST RESULTS WITH IP ADDRESSES ON THE FORUMS.

If you find anything suspicious, just say so, without details, unless Darren or another admin says otherwise.

@Darren Kitchen I was not aware of any official channels to report such concerns. My apologies for causing any trouble. I AM trying to help, not hinder. The last thing I want to do here is cause a panic. I am an advocate of the concept/idea that one can't fix a problem if one isn't aware it exists. Let me know, either here or via PM/DM what I should check next. I will make certain that my passwords are secure, and report back in a few days the status. If you want a copy of any logs, or even access to the VPS I am about to create, let me know. I think I am going to create daily snapshots of my VPS also for comparison.

Thank you HAK5, for creating such great products!

Link to comment
Share on other sites
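Added example, not part of any post in this thread: the replies above turn on the difference between SSH connection attempts and established connections, and between inbound sessions and connections the server itself opened. This sketch sorts `netstat -tn` output along those lines; the function names and the sample table (RFC 5737 / RFC 3849 documentation addresses) are constructed for illustration, and it assumes SSH on the default port 22.

```shell
#!/bin/sh
# Constructed sample in `netstat -tn` layout; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:443        198.51.100.7:51514      ESTABLISHED
tcp        0     36 203.0.113.10:22         198.51.100.7:50022      ESTABLISHED
tcp        0      0 203.0.113.10:48812      192.0.2.44:22           ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.99:40100        SYN_RECV
tcp6       0      0 2001:db8::10:39412      2001:db8::beef:22       ESTABLISHED
EOF
}

# classify_ssh: read `netstat -tn` output on stdin and print one line per
# ESTABLISHED TCP connection that has port 22 on either end.
#   OUTBOUND local -> remote   this host connected out to a remote port 22
#   INBOUND  remote -> local   a client holds a session on this host's port 22
# Half-open attempts (SYN_RECV etc.) are skipped: an attempt is not a session.
# A tunnel on a non-standard port is not caught by this port-based check.
classify_ssh() {
  awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      lport = $4; sub(/.*:/, "", lport)   # text after the last colon
      rport = $5; sub(/.*:/, "", rport)
      if (rport == "22")      print "OUTBOUND", $4, "->", $5
      else if (lport == "22") print "INBOUND", $5, "->", $4
    }'
}

# outbound_count: number of established connections this host opened to a
# remote port 22. Anything above zero that you did not start is worth a look.
outbound_count() {
  classify_ssh | grep -c '^OUTBOUND' || true
}

# Demo on the constructed sample; on a live host: netstat -tn | classify_ssh
sample_netstat | classify_ssh
```

Using `-n` keeps addresses and ports numeric, so the result does not depend on name resolution the way `netstat | grep ssh` does.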

  • 2 weeks later...
  • Foxtrot unfeatured and unpinned this topic

Archived

This topic is now archived and is closed to further replies.
