
Can't connect to C2 server from another network


DangerAnt


Hi everyone!

I'm trying to set up my C2 server so I can plant some devices for a security audit at my employer's network (with permission, naturally). I have my C2 server set up at my home. When I connect my Hak5 devices to my home network they communicate without any problems, but when I restart the C2 server using my domain name and update the device configs so they connect to the server using the domain name (or public IP for that matter), I can't seem to get them to connect.

 

My C2 server is using the INTERNAL IP address of 10.0.0.16 (as you can see in the attached image) and I thought I forwarded all the needed ports, but the devices never make the connection. Furthermore, if I cat the device.config file I can see that the config does use the domain name and appears to use port 8080. These are the two bits of information that are in plain text in the config file.

My problem is that I don't really know what ports Hak5 devices use to connect to the C2 server. Based on the above-mentioned clear text in the config file and also information I have scraped together from documentation, forums, and even provided via email by Daren, port 8080 seems to be correct, but again I can't get the devices to connect. Any assistance would be greatly appreciated.

 

P.S. The two devices I'm working with are a Signal OWL and a WIFI Pineapple NANO, and the provided image is of my Cisco router connected directly to my modem (that is in bridge mode). There are no other known problems getting any devices or port forwarding rules working.

 

P.P.S. On my network the only network traffic allowed in should be OpenVPN and C2 packets. I know it's a bit of a mess right now due to opening every port I can think of to get this working.

Capture.JPG


8080/TCP and 2022/TCP should be open, of which 2022 should be the port for the Hak5 devices to "phone home" on (also 443/TCP if using certificate based access to the Cloud C2 instance/GUI).

Do you have access to any firewall logs (or such) to see if the Hak5 devices are even knocking on the door at all? If running an nmap scan from "the outside" against your public IP, do the desired ports show up (or checking ports with https://censys.io/ipv4 if they have been crawled by the service)?

Are you able to access the Cloud C2 web GUI connecting to it from the internet?

The device.config file is crucial for sure, but it seems as if you have control of that part of the situation, so probably not related to that.

Edit: Just checked my current device.config and it uses port 2022 (at least 2022 is a part of the file along with the domain name for my VPS where I have my Cloud C2 instance running).


Thanks for your reply Chrizree.

 

Attached is an nmap scan of my public IP showing that all the ports are in fact open. As far as router logs, unfortunately my router doesn't give great logs on this front. And as far as the web interface for C2, I have no intention of allowing the web interface to be accessible from the internet, VPN to my network only. But as I said in my last post, I have had no problems with other port forwarding rules (VPN access is the only other thing I forward rules for).

Capture.JPG


OK, if possible, you could set up a temporary environment to run some "man in the middle" operations on yourself to capture the traffic going to and from your Cloud C2 instance and then inspect the traffic to see if anything is showing up that can lead you to some form of conclusion. In these cases, I most often grab my prepared aluminum briefcase containing an older laptop running some Linux distro (I think it's Parrot at the moment) and an ordinary wireless home router. Then I connect the WLAN of the laptop to some network (external to your internal network in this case) and then share the ethernet port of the laptop "to other computers", hooking up the ethernet port of the laptop to the wireless router WAN port. Then connect the Hak5 device to the wireless network that is set up on the wireless router and start capturing packets on one of the laptop's NICs (wlan0-ish or eth0-ish) using Wireshark or Tshark. It doesn't require that much traffic to get enough of a glimpse of the situation. Just run C2EXFIL as the capture is active on the laptop, abort the capture and then analyze the packets to see if something obvious is going wrong when the Hak5 device is communicating with the Cloud C2 instance of yours. And/or, in your specific case, I think it would be informative to run the capture even as you boot up the WiFi Pineapple or Signal Owl since you have problems getting them to connect at all.


If you have the "ingredients" needed (a PC with, for example, Kali or Ubuntu and a simple home WiFi router), it's not that many steps needed. Just tell me if you need some guiding. An alternative is to use a Raspberry Pi if you have one collecting dust. I put my "internal archive instructions" for that on Blogger, check the link below. It's a neat little setup that is handy to use when in temporary need of using ethernet based devices that need WiFi in some form to be able to communicate with the rest of the world (such as the LAN Turtle or the Packet Squirrel). You need to go with the option of combining the Raspberry Pi with a WiFi router though (rather than a switch) since you are using wireless Hak5 devices that need some auditing. Use tshark to capture the traffic on the Raspberry Pi and then analyze it using Wireshark on a PC.

https://soruhius.blogspot.com/2020/08/raspberry-pi-bridge-wlan-to-local-lan.html

PiBridge01.jpg

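The capture analysis suggested in the two replies above, sketched as an added example (not part of the original posts and not Hak5 code): it classifies each TCP connection attempt toward the ports named in the thread (2022, 8080, 443) from tshark field output. The sample rows, the documentation-range addresses and the function name `classify` are constructed for illustration.

```python
# Classify TCP handshake outcomes toward Cloud C2 ports from tshark output.
# Rows are assumed to come from a capture exported with:
#   tshark -r capture.pcap -Y tcp -T fields -E separator=, \
#       -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
from collections import defaultdict

C2_PORTS = {2022, 8080, 443}          # ports named in the thread
SYN, RST, ACK = 0x02, 0x04, 0x10      # TCP flag bits

# Constructed sample rows (RFC 5737 documentation addresses), not real traffic.
SAMPLE = """\
192.0.2.10,40001,203.0.113.5,2022,0x0002
192.0.2.10,40001,203.0.113.5,2022,0x0002
192.0.2.10,40002,203.0.113.5,8080,0x0002
203.0.113.5,8080,192.0.2.10,40002,0x0012
192.0.2.10,40002,203.0.113.5,8080,0x0010
192.0.2.10,40003,203.0.113.5,443,0x0002
203.0.113.5,443,192.0.2.10,40003,0x0014
"""

def classify(rows, ports=C2_PORTS):
    """Return {(client, sport, server, dport): verdict} for each attempt."""
    seen = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False})
    for line in rows.strip().splitlines():
        src, sport, dst, dport, flags = line.split(",")
        sport, dport, flags = int(sport), int(dport), int(flags, 16)
        if dport in ports and flags & SYN and not flags & ACK:
            seen[(src, sport, dst, dport)]["syn"] += 1   # client SYN or retry
        elif sport in ports:                             # reply from server side
            key = (dst, dport, src, sport)
            if flags & SYN and flags & ACK:
                seen[key]["synack"] = True
            elif flags & RST:
                seen[key]["rst"] = True
    verdicts = {}
    for key, s in seen.items():
        if s["synack"]:
            verdicts[key] = "handshake completed"
        elif s["rst"]:
            verdicts[key] = "refused (RST): port closed or actively rejected"
        else:
            verdicts[key] = f"no reply to {s['syn']} SYN(s): dropped or not forwarded"
    return verdicts

if __name__ == "__main__":
    for (c, sp, s, dp), verdict in classify(SAMPLE).items():
        print(f"{c}:{sp} -> {s}:{dp}  {verdict}")
```

Repeated SYNs with no reply point at the forwarding rule or an upstream filter, while an RST means the packet reached something that has no listener on that port.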

Archived

This topic is now archived and is closed to further replies.
