Jump to content

Sharkjack C2 Strange IP Addresses


Ehrm

Recommended Posts

Hello all,

While working on setting up my Sharkjack, I've come across an interesting issue with how the data is transmitted back to my C2. I have the following gathering happening on my device's payload:

INTERNALIP=$(ifconfig eth0 | grep "inet addr" | awk {'print $2'} | awk -F: {'print $2'})
GATEWAY=$(route -n | grep UG | awk {'print $2'})
PUBLICIP=$(curl -w "\n" $PUBLIC_IP_URL) || FAIL
echo -e "Date: $(date)\n\
Internal IP Address: $INTERNALIP\n\
Public IP Address: $PUBLICIP\n\
Gateway: $GATEWAY\n" >> $LOG

Now, the device itself is printing to the serial connection the appropriate Public IP and Gateway, however, when checking the output on my C2 instance, I'm seeing the Hostname of the gateway router and the Public IP address is showing the Gateway's IP ON the C2 instance. 

WAN IP          WAN Gateway   WAN Subnet Mask   External IP
192.168.1.40   RT-AC68P-[||]    255.255.255.0   192.168.1.1

Am I missing how the C2 gathers this information from the variables? 

Link to comment
Share on other sites

Describe more in detail on how you involve C2 in the mix. If it's the Shark that provides the info (C2 itself shouldn't gather anything really) and then transmits it as loot to the C2 server, then what you see on the C2 side is what the Shark has gathered using some payload or such. I'm not sure what you expect to happen, hence the need for more details. What is producing the "incorrect" information? I can't see the link between your posted payload and the output that follows that in the post (the section with 192.168.1.x network info).

Link to comment
Share on other sites

24 minutes ago, dark_pyrro said:

Describe more in detail on how you involve C2 in the mix. If it's the Shark that provides the info (C2 itself shouldn't gather anything really) and then transmits it as loot to the C2 server, then what you see on the C2 side is what the Shark has gathered using some payload or such. I'm not sure what you expect to happen, hence the need for more details. What is producing the "incorrect" information? I can't see the link between your posted payload and the output that follows that in the post (the section with 192.168.1.x network info).

1) it does appear the script itself is gathering the data, the base version is this: https://hak5.org/blogs/payloads/nmap-ip-info-payload-for-shark-jack-w-c2 the only modifications I've done is to include curl instead of wget on line 55 and change route to strip resolution from the gateway name on 56. 

2)the loot text files are being transmitted to the C2, along with a compiled ip_info.txt, this is output as:

Date: Wed Aug  3 19:53:47 UTC 2022
Internal IP Address: 192.168.1.40
Public IP Address: [CENSORED]
Gateway: 192.168.1.1

this is expected behavior and fine for my engagement if it has to be, however, the CloudC2 software is showing the IP's from my first post on the Device Overview page, to give you a better direction on where the first posts IP  location. I can from here provide a screenshot if needed. 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...