Keycroc cannot connect to c2

[ipfsec]

Hi,

I'm not shure if i'm in the right forum because i don't know if its a C2Cloud or a Keycroc or a user issue 😕 I've got my keycroc last week and configured it over the weekend and played around. Now i have installed C2Cloud on a AWS Lightsail Instace and it's running fine.

I've downloaded the device.config and scp'd it over to the keycroc (so its online in my wireless network) but the device never gonna connect to the c2 installation. 😕

C2 is running with certificate. Service status seems fine. I opened the ports tcp/80, tcp/8080, tcp/22, tcp/2022 and tcp/443 incoming.

Does anyone have an idea why its not working? 😞

Thanks a lot!
ipfsec

[ipfsec]

Nevermind. Got it. Seems to be a problem when copying from OSX Machine via finder to the device. So if you having trouble also, try to scp directly 😉

[Darren Kitchen]

Our of curiosity, what was the issue you had with Finder on your Mac? 

[ipfsec]

Hi Darren,

seems that Finder is copying in strange way. Just drag & dropped it from my downloads folder onto the keycroc and it didn't work. After scp'ing it via terminal I had no issues with connecting.  😕

[brish]

Since upgrading to the latest firmware, I have been unable to get my Key Croc to connect to C2. Was there any follow up with this issue or other known aspects about it? 

I have completely reset it. I have tried with multiple internet and wifi connections where I have complete control. The Croc can see (at least ping) the server where C2 is located. All other devices can still connect to C2. I have tested removing the firewall settings on the C2 server. I have removed and created a new device in C2 downloading the updated config. Based on this post, I have removed all aspects of the device.config file and sent it to the Croc with scp from Windows. In all previous cases (including when it worked in the past), I was using arming mode and just copied the device.config file to the root of the Croc in Windows Explorer.

On a side note that may not be related, I have had much more difficulty connecting to wifi since upgrading. Changing the config.txt has not worked immediately. I did find that I could update the wpa_supplicant.conf file which would work. After resetting, I noticed that the connections were easier. However, after I changed the root password, it was not wanting to connect when making changes to the config file. Once I changed it back to the default password, the config.txt file changes seem to work just fine. I have not tested this thoroughly, so it may just be a coincidence. This also did not resolve the issue with C2.

[Jscott3717]

I am having issues getting my key croc to connect to the C2 server  I have moved to device.config file to the udisk using both the explorer and the command prompt with no luck  Any suggestions? Thank you

 

[Jtyle6]

Did you put your WiFi info into the confg file?

https://docs.hak5.org/hc/en-us/articles/360048015093-Getting-the-Key-Croc-Online

Edited October 20, 2020 by Jtyle6
Website

[P0E]

Sorry to resurrect such an old thread but I'm having similar issues to you @brish - I've got a full functional C2 server with other Hak5 devices connecting fine, my KeyCroc connects to wifi no problem, C2 has a proper CA signed certificate, my KeyCroc can telnet to my C2 server on all ports no problem but it will just not connect!  Tried both firmware versions, no luck - it's driving me nuts.

[dark_pyrro]

From my post(s) on Discord:

It could be linked to the fact that Let's Encrypt changed their root certificate as per the 30th of September. This can/will create problems for certain devices and operating systems. There is a fair amount of general info about this on the internet to read and how to solve it. Since the Croc is running Debian Jessie 8, it could be working, or not. Jessie is one of the operating systems that could work depending on how updated it is. If it's not updated, it might not work since it trusts the old/unsupported chain and root cert. So, IdenTrust DST Root CA X3 has expired and ISRG Root X1 is the one to use. Validate the chain (for example using the "openssl" command on the Croc). It will perhaps say that the chain ends up with the expired IdenTrust DST Root CA X3 certificate. The scenario might be worth checking at least.

On the Croc, do the following

First check if this is the problem you are facing or not, either by executing:
openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com
or:
curl -I https://your.c2-domain.com/

Both should indicate that the certificate has expired (the root certificate that is)

Verify if the expired "DST Root CA X3" certificate is available on the system (hence probably giving you problems with the Croc), it will be there if you got expired certificate issues from the commands above
Command:
grep X3 /etc/ca-certificates.conf
Output (or the vital part of it):
mozilla/DST_Root_CA_X3.crt

Older Debian releases most likely have the needed ISRG Root X1 present as well
Command:
grep X1 /etc/ca-certificates.conf
Output (or the vital part of it):
mozilla/ISRG_Root_X1.crt

"Backup" the ca-certificates.conf file
cp /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

Disable/remove/"blacklist" the X3 root certificate:
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf

Then execute:
update-ca-certificates -f

Check that the change has taken place. The output of the command below should show the "DST Root CA X3" as the "diff" since it's removed
diff /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

Verify the certificate chain again, it should now be OK (or, if you have C2 running, the Croc should show up more or less immediately after the "update-ca-certificates" command has been executed):
openssl s_client -connect your.c2-domain.com:443 -servername your.c2-domain.com
and/or:
curl -I https://your.c2-domain.com/

Edited November 6, 2021 by dark_pyrro

[P0E]

Awesome thanks buddy - I'll try it out!

[MikeCheval]

Thank you so much ! Works perfectly ! 💯

[oldjamey]

This is the only thing that worked for me. It took me hours of troubleshooting to finally find my way to this post.  The only thing that I might add is that this should also be done on the c2 server and not just the croc.  It was only when I updated both that it successfully connected.  Thanks for the help.  @Darren Kitchen, they should really address this in the documentation or fix this via the device firmware and c2 binaries.

Until then, just create use this patch script from @dark_pyrro's commands above and save in `~/c2_connection_patch.sh` on the croc and c2 server, then run `sh ~/c2_connection_patch.sh`:

#!/bin/sh

# check if patch needs to be applied:
if grep X3 /etc/ca-certificates.conf | grep -qE '^!'; then
  echo 'system is already patched.'
  exit 0
fi

# backup /etc/ca-certificates.conf:
echo 'backing up /etc/certificates.conf...'
cp /etc/ca-certificates.conf /etc/ca-certificates.conf.bak

# blacklist the X3 root certificate:
echo 'blacklisting the X3 root certificate...'
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf

# update ca certs:
echo 'updating ca certs...'
update-ca-certificates -f

echo 'done.'
echo
echo 'please reboot hak5 device, and restart cloud c2 server.'