
Keycroc cannot connect to c2


ipfsec

Hi,

I'm not sure if I'm in the right forum because I don't know if it's a C2Cloud or a Keycroc or a user issue 😕 I got my keycroc last week and configured it over the weekend and played around. Now I have installed C2Cloud on an AWS Lightsail instance and it's running fine.

I've downloaded the device.config and scp'd it over to the keycroc (so it's online in my wireless network) but the device never gonna connect to the c2 installation. 😕

C2 is running with certificate. Service status seems fine. I opened the ports tcp/80, tcp/8080, tcp/22, tcp/2022 and tcp/443 incoming.

Does anyone have an idea why it's not working? 😞

Thanks a lot!
ipfsec


Hi Darren,

seems that Finder is copying in a strange way. Just drag & dropped it from my downloads folder onto the keycroc and it didn't work. After scp'ing it via terminal I had no issues with connecting. 😕


  • 1 month later...

Since upgrading to the latest firmware, I have been unable to get my Key Croc to connect to C2. Was there any follow up with this issue or other known aspects about it? 

I have completely reset it. I have tried with multiple internet and wifi connections where I have complete control. The Croc can see (at least ping) the server where C2 is located. All other devices can still connect to C2. I have tested removing the firewall settings on the C2 server. I have removed and created a new device in C2 downloading the updated config. Based on this post, I have removed all aspects of the device.config file and sent it to the Croc with scp from Windows. In all previous cases (including when it worked in the past), I was using arming mode and just copied the device.config file to the root of the Croc in Windows Explorer.

On a side note that may not be related, I have had much more difficulty connecting to wifi since upgrading. Changing the config.txt has not worked immediately. I did find that I could update the wpa_supplicant.conf file which would work. After resetting, I noticed that the connections were easier. However, after I changed the root password, it was not wanting to connect when making changes to the config file. Once I changed it back to the default password, the config.txt file changes seem to work just fine. I have not tested this thoroughly, so it may just be a coincidence. This also did not resolve the issue with C2.


  • 2 months later...
  • 11 months later...

Sorry to resurrect such an old thread but I'm having similar issues to you @brish - I've got a fully functional C2 server with other Hak5 devices connecting fine, my KeyCroc connects to wifi no problem, C2 has a proper CA signed certificate, my KeyCroc can telnet to my C2 server on all ports no problem but it will just not connect! Tried both firmware versions, no luck - it's driving me nuts.


From my post(s) on Discord:

It could be linked to the fact that Let's Encrypt changed their root certificate as per the 30th of September. This can/will create problems for certain devices and operating systems. There is a fair amount of general info about this on the internet to read and how to solve it. Since the Croc is running Debian Jessie 8, it could be working, or not. Jessie is one of the operating systems that could work depending on how updated it is. If it's not updated, it might not work since it trusts the old/unsupported chain and root cert. So, IdenTrust DST Root CA X3 has expired and ISRG Root X1 is the one to use. Validate the chain (for example using the "openssl" command on the Croc). It will perhaps say that the chain ends up with the expired IdenTrust DST Root CA X3 certificate. The scenario might be worth checking at least.

On the Croc, do the following


First check if this is the problem you are facing or not, either by executing:
openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com
or:
curl -I https://your.c2-domain.com/

Both should indicate that the certificate has expired (the root certificate that is)

Verify if the expired "DST Root CA X3" certificate is available on the system (hence probably giving you problems with the Croc), it will be there if you got expired certificate issues from the commands above
Command:
grep X3 /etc/ca-certificates.conf
Output (or the vital part of it):
mozilla/DST_Root_CA_X3.crt

Older Debian releases most likely have the needed ISRG Root X1 present as well
Command:
grep X1 /etc/ca-certificates.conf
Output (or the vital part of it):
mozilla/ISRG_Root_X1.crt

"Backup" the ca-certificates.conf file
cp /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

Disable/remove/"blacklist" the X3 root certificate:
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf

Then execute:
update-ca-certificates -f

Check that the change has taken place. The output of the command below should show the "DST Root CA X3" as the "diff" since it's removed
diff /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

Verify the certificate chain again, it should now be OK (or, if you have C2 running, the Croc should show up more or less immediately after the "update-ca-certificates" command has been executed):
openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com
and/or:
curl -I https://your.c2-domain.com/

Edited by dark_pyrro
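
The check-and-disable steps from the post above, as an added example that is not part of the original post: it reports whether DST Root CA X3 and ISRG Root X1 are enabled, disabled (prefixed with "!") or absent, and applies the post's sed expression idempotently. The function names and the sample file are constructed for illustration; it works on a temporary copy, not on /etc/ca-certificates.conf.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the thread.

# Print "enabled", "disabled" (line prefixed with "!") or "absent" for one entry.
ca_entry_state() {  # $1 = conf file, $2 = entry such as mozilla/ISRG_Root_X1.crt
  if grep -qxF "$2" "$1"; then echo enabled
  elif grep -qxF "!$2" "$1"; then echo disabled
  else echo absent
  fi
}

# Summarise what still has to be done on this conf file.
trust_verdict() {  # $1 = conf file
  x3=$(ca_entry_state "$1" mozilla/DST_Root_CA_X3.crt)
  x1=$(ca_entry_state "$1" mozilla/ISRG_Root_X1.crt)
  if [ "$x1" != enabled ]; then echo "isrg-x1-$x1"   # disabling X3 alone will not help
  elif [ "$x3" = enabled ]; then echo x3-still-trusted
  else echo ok
  fi
}

# Same sed expression as in the post, written without -i so it also runs on
# non-GNU sed. A line that already starts with "!" no longer matches, so a
# second run changes nothing.
disable_x3() {  # $1 = conf file
  sed '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample, not a real /etc/ca-certificates.conf.
make_sample_conf() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample' \
    'mozilla/DigiCert_Global_Root_CA.crt' \
    'mozilla/DST_Root_CA_X3.crt' \
    'mozilla/ISRG_Root_X1.crt' > "$f"
  echo "$f"
}

conf=$(make_sample_conf)
echo "before: $(trust_verdict "$conf")"
disable_x3 "$conf"; disable_x3 "$conf"
echo "after:  $(trust_verdict "$conf")"
rm -f "$conf"
```

On a real system the change only takes effect after `update-ca-certificates -f`, as in the post; a verdict of `isrg-x1-absent` or `isrg-x1-disabled` means ISRG Root X1 has to be made available first.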

  • 4 weeks later...
  • 7 months later...

This is the only thing that worked for me. It took me hours of troubleshooting to finally find my way to this post.  The only thing that I might add is that this should also be done on the c2 server and not just the croc.  It was only when I updated both that it successfully connected.  Thanks for the help.  @Darren Kitchen, they should really address this in the documentation or fix this via the device firmware and c2 binaries.

Until then, just use this patch script from @dark_pyrro's commands above and save it in `~/c2_connection_patch.sh` on the croc and c2 server, then run `sh ~/c2_connection_patch.sh`:

#!/bin/sh

# check if patch needs to be applied:
if grep X3 /etc/ca-certificates.conf | grep -qE '^!'; then
  echo 'system is already patched.'
  exit 0
fi

# backup /etc/ca-certificates.conf:
echo 'backing up /etc/ca-certificates.conf...'
cp /etc/ca-certificates.conf /etc/ca-certificates.conf.bak

# blacklist the X3 root certificate:
echo 'blacklisting the X3 root certificate...'
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf

# update ca certs:
echo 'updating ca certs...'
update-ca-certificates -f

echo 'done.'
echo
echo 'please reboot hak5 device, and restart cloud c2 server.'

 
