Shark Jack C2 Connection Last Seen: never

[Jayel]

Hi, 

It's my first Hak5 tool.

Been trying to get it set up with the C2 instance I've created on a private server. I have upgraded the firmware to 1.1.0 and copying the device.config to /etc

I've completed following steps but just can't get my SJ to connect to C2 it just says Last Seen:never. 

• Using Kali version 2021.3
• Sharkjack is updated to the latest Firmware - Version 1.1.0
• Payload and loot works fine
• Got Hak5cloudC2 community edition running on Amazon lightsail on static IP
• Added device but update last seen:never 
• I have placed the device.config - in /etc/  

           root@shark:/etc# ls *.config
           C2.config      device.config

• While I have SJ plugged into the ethernet port of my laptop in arming mode, I manually tried to connect with C2CONNECT command:

         root@shark:/etc# C2CONNECT
         sshd already running
         warning: commands will be executed using /bin/sh
         job 1 at Wed Nov 6 06:25:00 2019

• Tried to disconnect and reconnect several times C2DISCONNECT > C2CONNECT then I get the following message: 

         root@shark:/etc# C2CONNECT
         sshd already running
         Device already connected to C2

• Tried reboot in Hak5cloudC2 
• Tried remove and re-added device
• SSL certificate or DNS not configured so site is not secure. 

I just can't seem to get my SJ connected to C2. 

Where do I need to go from here? 

Need your help. 

 

[dark_pyrro]

You say that loot works fine. Do you mean "local" loot or loot sent to the C2 server from the Shark? Just to get an understanding if you have some kind of connection to the C2 server or not. In what way have you started your C2 server? What command line options are used? (Don't post any IP addresses though).

[Jayel]

I mean local loot works fine but not C2 server. 

Here's the process of how I start my C2 server. 

1. I setup a C2 server in Amazon lightsail 

2. Connected using SSH and ran the following command.  
wget https://c2.hak5.org/dl -O c2.zip

3. unzip c2.zip

4. IP=$(curl -s https://checkip.amazonaws.com) && \
echo "Copy the below setup token and browse to http://$IP:8080" && \
./c2-*_amd64_linux -hostname $IP

5. Open browser and go to http://52.xx.xx.xx:8080

6. I was able to successfully login to Hak5 C2 cloud and added my SJ

7. I clicked on setup and downloaded C2 client.

8. Copied the device.config file to shark jack /etc directory. 

9. Then manually invoked C2CONNECT 

10. Still unable to connect to SJ, uptime is last seen:never 

I haven't been able to get my SJ connected to C2 at all. What am I doing wrong? 

If required, I can share snapshots of what I've exactly done. I could probably upload to google drive or something. 

Not sure if anyone is having same issue as me. Does not having SSL certificate affect C2 connection at all? 

 

[dark_pyrro]

OK, good explanation of what you have been trying to do. It helps when trying to troubleshoot.

At first, it did sound like you were able to ship loot to the C2 server from the Shark, but now I understand that it's not working either (which makes it more of a logic scenario).

If you cat the device.config file that you have put in /etc of the Shark, can you see the correct IP address of the C2 server in the file (it's a lot that's just unreadable, but the IP address should show at the start of the file)?

Not using https shouldn't be an issue. It's not mandatory (even though it of course makes things secure over open networks such as the internet).

[Jayel]

Yes, I can see the correct IP address, this is what's on the first line.

52.xx.xx.xx*8080B �����\nF����U���F=I�YR�{c�▒^B}
 

Also I'm not sure if it helps in troubleshooting but sharkjack.sh script wont connect to my SJ.

I tried "[C]onnect - get a shell on your shark jack." but it's stuck on

Waiting for a Shark Jack to be connected..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

[dark_pyrro]

Did you restart the C2 server at some point? With what command line did you restart it (I guess you aren't running it as a service, but start it manually)? With the actual IP address as a command line parameter or the $IP variable that was used in Darren's YouTube tutorial?

[Jayel]

I only restarted via Hak5CloudC2 GUI by selecting my SJ then hitting Reboot option under the description. 

Also tried to reboot my AWS lightsail C2 server instance from AWS's main menu but each and every time I start my AWS C2 server, I need to run the following command in order to be able to connect to Hak5 Cloud C2 GUI console. 

 

ubuntu@ip-172-26-4-206:~$ IP=$(curl -s https://checkip.amazonaws.com) && \
> 
> echo "Copy the below setup token and browse to http://$IP:8080" && \
> 
> ./c2-*_amd64_linux -hostname $IP
Copy the below setup token and browse to http://52.xx.xx.xx:8080
[*] Initializing Hak5 Cloud C2 v3.1.2
[*] Hostname: 52.xx.xx.xx
[*] DB Path: c2.db
[*] Validating License
[*] License Valid
[*] Running Hak5 Cloud C2

 

How do you expect me to restart the C2 server, which commandline can I use to restart? As mentioned, I only tried to reboot via GUI. 

 

[dark_pyrro]

As long as you populate the $IP variable each time, it should work. It's just that I've helped users that use the tutorial that Darren put up on YouTube, but they don't fully understand how it works and starts the C2 server using the $IP variable, but isn't populating that variable with any relevant IP address. This makes it look like the C2 server is correctly started but the hostname is all wrong.

Are all the necessary ports open on the Lightsail VPS?

[Jayel]

Yes, all necessary ports are open exactly as per Dareen's instructions. I don't really fully understand how it works either but just followed Darren's video. 

Have I ran out of options? 

[dark_pyrro]

No, this should work without any problems. I have my Shark connected to my C2 server which is on a Lightsail VPS as well. I will go out for a walk now, perhaps there are some other things that I don't include in the troubleshooting scenario right now that might pop up during the walk.

[dark_pyrro]

I would suggest going back to basics and start over. Not the download part, but start the C2 server without using the $IP variable, instead, use:

./c2-*_amd64_linux -hostname [public IP address of the C2 server/VPS]

Keep the terminal window open on the VPS where you started the C2 server using the command above. Do not close it. That will terminate the server.

Go to the C2 web UI and remove the already existing Shark, then add it once again and create a new device.config file

Transfer the device.config file to the Shark (/etc)

Make sure that the Shark has a working internet connection

Run C2CONNECT on the Shark

[Jayel]

As suggested I actioned the following: 

1. Replaced $IP variable with C2 server IP. 

IP=$(curl -s https://checkip.amazonaws.com) && \
echo "Copy the below setup token and browse to http://52.xx.xx.xx:8080" && \
./c2-*_amd64_linux -hostname 52.xx.xx.xx

2. Removed SJ from C2 web UI and re-added then removed existing device.config file then downloaded a new file from c2 web UI then created a new device.config file and transferred the device.config file into /etc directory. 

• Removed existing device.config file:

          root@shark:/etc# ls *.config
          C2.config      device.config
          root@shark:/etc# rm device.config
          root@shark:/etc# ls *.config
          C2.config
 

• Downloaded a new device.config file from c2 web UI
   
• Transferred device.config file into the /etc directory

          ┌──(test㉿test)-[~/Downloads]
          └─$ scp device.config root@172.16.24.1:/etc/
           root@172.16.24.1's password: 
           device.config 

 

           root@shark:/etc# ls *.config
           C2.config      device.config
 

• Ran C2CONNECT on SJ

          root@shark:/etc# C2CONNECT
          sshd already running
          warning: commands will be executed using /bin/sh
          job 1 at Sun Mar  6 12:56:00 2022
 

Waited 10 minutes to see if if it'll pick up my SJ in C2 web GUI but problem still exists. Uptime last seen never. 

3. I rebooted via GUI but no success. 

4. I rebooted C2 server with commandline sudo reboot and reinitiated connection with single commandline below: 

    ./c2-*_amd64_linux -hostname 52.xx.xx.xx

5. Then C2 server got started: 

ast login: Tue Mar  8 03:28:30 2022 from 54.xxx.xxx.xx
ubuntu@ip-172-26-4-206:~$ ./c2-*_amd64_linux -hostname 52.xx.xx.xx
[*] Initializing Hak5 Cloud C2 v3.1.2
[*] Hostname: 52.xx.xx.xx
[*] DB Path: c2.db
[*] Validating License
[*] License Valid
[*] Running Hak5 Cloud C2

 

6. C2 web UI is accessible again but SJ device still shows Uptime last seen never.  

[dark_pyrro]

OK, right now I'm out of options regarding ways to try to assist you. My Shark works perfectly well with my C2 server. Since you have the most basic setup of C2 (no https, no domain name used, etc.) it should really work. A lot of stuff is taken away from the scenario that could add complexity when running it in the way you do. The only thing that I can think of is network access, but that is such a basic thing that I haven't bothered to ask since I know that you are aware of the fact that the Shark of course needs access to the internet. It's the last thing I can think of to try, ping some resource on the internet (but don't ping your Lightsail VPS since it won't answer to pings by default). Other than that, review the firewall settings on your VPS instance and make sure they are exactly as specified in the tutorial/docs. If you have added/installed/activated some local firewall on the VPS OS (such as ufw) then check that as well ("sudo ufw status" if running Ubuntu Server).

Also (with the C2 server running) execute:
ssh -lwhatever [C2 server public IP address] -p 2022
or
ssh whatever@[C2 server public IP address] -p 2022

You won't be able to login, but you should get some kind of response if the VPS is set up correctly.

An nmap scan will show (at least) the ports relevant to C2.

Other than that, you could perhaps "shark the Shark". In other terms, use Wireshark and sit between the Shark and the network and record some traffic as you try to connect with C2CONNECT and look at what's happening on the wire.

As a last resort, I would probably set up the C2 server locally in my own network to exclude any "disturbances" and control all of the infrastructure used. Limiting any sources of failure. If that works I would try running it on the VPS again assured that it should really work and nothing is wrong with the Shark or C2 themselves.

[Jayel]

Dump question but how do I verify that I have an internet connection on my SJ? It appears that I don't have an internet connection on my SJ.

root@shark:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Network unreachable

root@shark:~# ping google.com
ping: bad address 'google.com'

root@shark:~# ping 192.168.xxx.xxx       <<<<<<<<<<< IP add of Kali box that I'm working from
PING 192.168.xxx.xxx (192.168.xxx.xxx): 56 data bytes
ping: sendto: Network unreachable

root@shark:~# ping 52.xx.xx.xx              <<<<<<<<<<< IP add of my AWS VPC
PING 52.xx.xx.xx (52.xx.xx.xx): 56 data bytes
ping: sendto: Network unreachable

Sorry for being such a noob but how do I get internet on my SJ? VPS firewall settings are good. 

[dark_pyrro]

One way is to connect it to a local network (that offers internet access) and using NETMODE DHCP_CLIENT in the payload (using arming mode).

https://docs.hak5.org/shark-jack/writing-payloads/the-netmode-command

This payload is specifically for testing internet access

https://github.com/hak5/sharkjack-payloads/blob/master/payloads/library/util/internet-access-tester/payload.sh

[Jayel]

My SJ is connected to the ethernet port of laptop dock that's directly connected to my laptop. (as my laptop doesn't have an ethernet port) 

Tried NETMODE DHCP_CLIENT commandline but fails with Broken pipe error. 

 

root@shark:~# NETMODE DHCP_CLIENT
client_loop: send disconnect: Broken pipe

root@shark:~/payload# NETMODE DHCP_CLIENT
client_loop: send disconnect: Broken pipe

 

[dark_pyrro]

Skip that scenario. Connect it to a switch port instead.

[Jayel]

1. I connected SJ to one of my modem port in Arming mode. 

Can't connect to SJ anymore via SSH. 

2. Access via local browser shows: 

     Status
     Device: shark
     Firmware Version: 1.1.0
     Web UI Version: 1.0.1
     IP Address: 172.16.24.1

3. Replaced original nmap payload with internet access test payload: 

    #!/bin/bash
#
# Title: Internet Access Tester
# Author: Hak5Darren
# Version: 1.0
#
# Description: This payload tests the port to see if the Shark Jack can
# obtain an IP address from DHCP, and if it can access the Internet by
# testing a specified HTTP URL.
#
# LED SETUP (Magenta)... Setting NETMODE to DHCP_CLIENT
# LED Red... No IP address from DHCP yet
# LED Yellow... Obtained IP address from DHCP, waiting on Internet access
# LED Green... Confirmed access to Internet
PUBLIC_TEST_URL="http://www.example.com"
LED SETUP
# Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+
NETMODE DHCP_CLIENT
LED R SOLID
while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done
LED Y SOLID
while ! wget $PUBLIC_TEST_URL -qO /dev/null; do sleep 1; done
LED G SOLID

 

LED status moved quickly from LED Red > LED Yellow > LED Solid Green while my SJ was connected to my modem port at all times.  

Now what's next? 

 

[dark_pyrro]

Then your Shark has internet connection. You need to craft a payload that connects to your C2 server. Just add C2CONNECT to the bottom of the already existing "internet test" payload that your just tried. You can't access it using ssh because the ssh daemon isn't a part of the current payload. I seem to remember that it is a part of C2CONNECT though.

[Jayel]

1. Added C2CONNECT on the script. 

    #!/bin/bash
#
# Title: Internet Access Tester
# Author: Hak5Darren
# Version: 1.0
#
# Description: This payload tests the port to see if the Shark Jack can
# obtain an IP address from DHCP, and if it can access the Internet by
# testing a specified HTTP URL.
#
# LED SETUP (Magenta)... Setting NETMODE to DHCP_CLIENT
# LED Red... No IP address from DHCP yet
# LED Yellow... Obtained IP address from DHCP, waiting on Internet access
# LED Green... Confirmed access to Internet
PUBLIC_TEST_URL="http://www.example.com"
LED SETUP
# Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+
NETMODE DHCP_CLIENT
LED R SOLID
while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done
LED Y SOLID
while ! wget $PUBLIC_TEST_URL -qO /dev/null; do sleep 1; done
LED G SOLID
C2CONNECT

2. Plugged in my SJ to modem port in attack mode. 

LED changed from Red > Yellow > Green then turned itself off.

3. Unplugged SJ from the modem and plugged it into the ethernet port of my laptop in arming mode. 

4. Tried to reboot SJ via Hak5C2 cloud web UI. 

5. Uptime still showing last seen never. 

6. SSH into SJ and ran C2CONNECT again but nothing changes

root@shark:/etc# C2CONNECT
sshd already running
warning: commands will be executed using /bin/sh
job 1 at Sun Mar  6 13:36:00 2022

 

Uptime still showing last seen never and I can't ping 8.8.8.8

root@shark:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Network unreachable
 

[dark_pyrro]

Why did you unplug it from your "modem"? Plugging it into your laptop Ethernet won't help you with that setup/configuration.

20 minutes ago, Jayel said:

4. Tried to reboot SJ via Hak5C2 cloud web UI

Why did you try this? It's not possible if your Shark isn't accessible in C2.

[Jayel]

Reason why I unplugged it from the modem is bcos it was still showing last seen never in c2Web UI so I attempted to perform other actions. But you're right, SJ wasn't bookable in Web UI as it's not accessible in C2. 

If I just leave it plugged in the modem it'll turn itself off. 

Not sure where to go from here. 

[dark_pyrro]

Well, it might turn itself off because the battery is empty, or are you using the newer Shark Jack Cable?

[Jayel]

No I'm using a wireless SJ. 

I'll give it another try with charging cable plugged into the SJ. 

[Jayel]

1. This is what's currently on my payload.sh

    #!/bin/bash
#
# Title: Internet Access Tester
# Author: Hak5Darren
# Version: 1.0
#
# Description: This payload tests the port to see if the Shark Jack can
# obtain an IP address from DHCP, and if it can access the Internet by
# testing a specified HTTP URL.
#
# LED SETUP (Magenta)... Setting NETMODE to DHCP_CLIENT
# LED Red... No IP address from DHCP yet
# LED Yellow... Obtained IP address from DHCP, waiting on Internet access
# LED Green... Confirmed access to Internet
PUBLIC_TEST_URL="http://www.example.com"
LED SETUP
# Set NETMODE to DHCP_CLIENT for Shark Jack v1.1.0+
NETMODE DHCP_CLIENT
LED R SOLID
while ! ifconfig eth0 | grep "inet addr"; do sleep 1; done
LED Y SOLID
while ! wget $PUBLIC_TEST_URL -qO /dev/null; do sleep 1; done
LED G SOLID
C2CONNECT

 

2. Plugged in my SJ to modem port in attack mode with charging cable plugged in to SJ. 

LED changed from Red > Yellow > Solid Green 

Waited for more than 20 minutes but nothing happens. 

Do I need to perform any further actions from here or should I expect something to happen?