SSC Posted March 19

ScreenCrab is running and connecting back to my Android Smartphone's WiFi, autoexec and wifiinfo works.
C2 is running on 10.0.0.2 and has port forwards for 443 and 2022 from the external firewall.
Certificate has been created externally, certificate and key (as well as self-signed ca) imported - C3 server configured for the same dns name that the server is running with -hostname
C2 web interface on 443 as well as ssh on port 2022 are reachable from the internet.
device.config is exported to the root of the sdcard.

The device is still not registering/offline - any ideas?

dark_pyrro Posted March 19

Did you manage to get the public key to the Crab in the correct location? That could be tricky when it comes to the Crab since it's rather "closed" out of the box.

SSC Posted March 19 (Author)

oh yes, the crab needs to make sure there is no MITM when it's talking to the C2. didn't think anyone would implement SSL the way it should be, usually everyone disregards untrustable certs...

how can I get my key on the crab? ssh login seems not to work with the web user...

dark_pyrro Posted March 19

To get the key there without voiding any warranty might be tricky (as said). It's for sure easier if able to access the Crab using hardware serial or adding ssh support, but those are tweaks that will void warranty. The only alternative that I can think of would be to create an autoexec.txt file on the Micro SD card that is scripted to transfer any key file to the correct location of the Crab.

SSC Posted March 21 (Author)

I couldn't bring my local installation to connect via https, the autoexec file ignored the copy commands for my self-signed CA public key (commands in the backend seem to be whitelisted as they should be ;))

so I've set up an Amazon Lightsail instance (exactly as described in the videos/howTos), made the dns entry and restarted the c2 binary with -hostname *DNS-entry* -https.

now I just get the message "TLS handshake error from *ScreenCrab-IP* remote error: tls: unknown certificate"

everything worked with http and 8080, after switching to https and renewing the screencrab config, it stopped working and every few seconds the TLS handshake error is thrown.

any ideas?

dark_pyrro Posted March 21

2 hours ago, SSC said:
> I couldn't bring my local installation to connect via https, the autoexec file ignored the copy commands for my self-signed CA public key (commands in the backend seem to be whitelisted as they should be 😉

Even though you've seemed to have given up the idea; the public key file needs to be copied to a destination that isn't exactly "default" and it has to be named a specific way (the public key file) as well to be accepted.

2 hours ago, SSC said:
> everything worked with http and 8080, after switching to https and renewing the screencrab config, it stopped working and every few seconds the TLS handshake error is thrown.

Did you run http/8080 using the public IP or the DNS name, or did you "introduce" the DNS name to the setup when you started using https? Just to make sure that there's no issue with the domain name (and linking it to the public IP of the VPS using a DNS record).

SSC Posted March 21 (Author)

I tried appending the public key to /etc/ssl/cert.pem (found the path in the howTo in https://docs.hak5.org/cloud-c2/guides/cloud-c-setup-with-self-signed-ssl-certificates)

HTTP works both via IP and DNS. Tried HTTP with IP first, tried to switch to HTTPS with DNS, then went back to HTTP with DNS.

I did use my own DNS servers to make an A entry and didn't use the VPS's nameservers, but that shouldn't make a difference, or should it?

dark_pyrro Posted March 21

25 minutes ago, SSC said:
> I tried appending the public key to /etc/ssl/cert.pem (found the path in the howTo in https://docs.hak5.org/cloud-c2/guides/cloud-c-setup-with-self-signed-ssl-certificates)

It's not where the Crab stores public key files, fwiw (that's what I was referring to when mentioning "default" destination). It should probably be /system/etc/security/cacerts/ since it's Android. It also needs to be named in a specific way in order to be accepted by the system (also an Android "thing"). You need to calculate the hash of the certificate and name the file using that hash (along with a trailing ".0").

30 minutes ago, SSC said:
> didn't use the VPS's nameservers, but that shouldn't make a difference, or should it?

That shouldn't matter. It should work. Is port 80 open in the VPS firewall (and any OS firewall that might be enabled)?

SSC Posted March 22 (Author)

3 hours ago, dark_pyrro said:
> It's not where the Crab stores public key files, fwiw (that's what I was referring to when mentioning "default" destination). It should probably be /system/etc/security/cacerts/ since it's Android. It also needs to be named in a specific way in order to be accepted by the system (also an Android "thing"). You need to calculate the hash of the certificate and name the file using that hash (along with a trailing ".0")

omg that sounds annoying, didn't know that ;) since I did the internal CA thing to save time and now I already pay for a VPS instance, that pain is out of the question ;)

3 hours ago, dark_pyrro said:
> That shouldn't matter. It should work. Is port 80 open in the VPS firewall (and any OS firewall that might be enabled)?

The VPS firewall has 80, 8080, 443 and 2022 open, backend is a default LTS ubuntu without iptables, all the other ports (80, 8080, 2022) work without intervention (and the cloud c2 web interface works via browser, just the crab can't connect due to the tls: unknown certificate error)

dark_pyrro Posted March 23

On 3/21/2024 at 1:24 PM, SSC said:
> I just get the message "TLS handshake error from *ScreenCrab-IP* remote error: tls: unknown certificate

I guess you've stumbled upon a "new" thing that's related to the upstream Let's Encrypt certificate handling. I haven't had time to do it up until now, but I started my Crab and I got the same issue, i.e. the Crab is not connecting to the C2 server (it did just a week ago), and I get the same error on the C2 server side. This is probably related to Let's Encrypt phasing out a certificate type which affects certain devices such as ones that run specific OSes, such as Android 7 and older (which includes the Crab running Android 6). I will check things further if I get the time to do it, but right now it's just a "qualified guess" from my side that seems likely to be true.

dark_pyrro Posted March 23

I think I got it working now. I transferred the X1 cert to the Crab and it connected to the C2 server straight away. Just need to fix how to get it on the Crab without voiding warranty. I have "full access" to my Crab so it's easily done (since I've done a bunch of hacking of the box over time), but that's not something you get out of the box. I'll try to make a tailored autoexec.txt if I get time to do it.

SSC Posted March 23 (Author)

Awesome - thx!!! Always nice not to be the source of a problem :D

But that essentially means, no SSDLC/DevSecOps dependency management lifecycle processes at hak5? I'm a little disappointed ;)

dark_pyrro Posted March 23

Small company with very limited resources. I've seen a lot larger organizations fail to keep certificate management up to par.

dark_pyrro Posted March 23

So... this should take care of the cert issue... at least it did for me

With the Crab powered off, remove the Micro SD card from the Crab and insert it into a computer. If doing the step creating the hash for the certificate, it needs to be a computer with openssl installed. That step shouldn't really be necessary though since the hash displayed in this post should be "universal" (i.e. it won't change since it should be unique to the certificate). A Linux based PC has been used in the instructions below, so if using something else, commands need to be adjusted.

Download the Let's Encrypt X1 pem file
https://letsencrypt.org/certs/isrgrootx1.pem
also linked on the page
https://letsencrypt.org/certificates/

Calculate the certificate hash (optional)

    openssl x509 -inform PEM -subject_hash_old -in isrgrootx1.pem | head -1

Rename the pem file (or copy it) to a file name based on the hash and a .0 suffix

    cp isrgrootx1.pem 6187b673.0

Copy the .0 file to the root of the Micro SD card

Create an autoexec.txt file in the root of the Micro SD card that contains...

    source /system/bin/crab && locate_sd && mount -o rw,remount /system && cp $SD_LOCATION/6187b673.0 /system/etc/security/cacerts/. && chmod 644 /system/etc/security/cacerts/6187b673.0

With the Crab still powered off, insert the Micro SD card into the Crab, then power up the Crab

If everything works as expected, the Crab should show up in the C2 server web UI (assuming it has network and internet access and a device.config file that is valid for the C2 server)

The .0 file (and the autoexec.txt file) can be deleted from the Micro SD card when it has been verified that the Crab can connect to the C2 server

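The naming step in the post above, as an added example (not code from the thread or from Hak5): a Python version of what `-subject_hash_old` computes, used to derive the Android cacerts file name from a PEM and to check that a staged file is named for its contents. All function names are hypothetical, and the sample is a constructed certificate skeleton, not the real isrgrootx1.pem.

```python
import base64, hashlib, re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Raw DER of the subject Name (header included) from a certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:              # optional [0] version
        pos = read_tlv(cert_der, pos)[2]
    for _ in range(4):                     # serial, sigAlg, issuer, validity
        pos = read_tlv(cert_der, pos)[2]
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def subject_hash_old(name_der):
    """MD5 of the DER Name, first 4 bytes little-endian (-subject_hash_old)."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def cacert_filename(pem_text):
    """File name the cert needs under /system/etc/security/cacerts/."""
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    pem_text, re.S).group(1)
    return subject_hash_old(subject_der(base64.b64decode(b64))) + ".0"

def staged_name_ok(filename, pem_text):
    """True if a staged file is named for the certificate it contains."""
    return filename == cacert_filename(pem_text)

# Constructed sample, not the real certificate: a skeleton (no key, no
# signature) with subject C=US, O=Internet Security Research Group, CN=ISRG Root X1.
def tlv(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def rdn(oid, text):
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode())))

NAME = tlv(0x30, rdn(b"\x55\x04\x06", "US")
           + rdn(b"\x55\x04\x0a", "Internet Security Research Group")
           + rdn(b"\x55\x04\x03", "ISRG Root X1"))
SKELETON = tlv(0x30, tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01")
                         + tlv(0x30, b"") + NAME + tlv(0x30, b"") + NAME))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SKELETON).decode()
```

With the downloaded file, `cacert_filename(open("isrgrootx1.pem").read())` gives the name to compare against the file staged on the SD card before the autoexec.txt copies it into /system.
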
SSC Posted April 2 (Author)

Thx a lot - works for me too ;)

Solution - Korben Posted April 30

Automated fix now available on download portal: https://downloads.hak5.org/crab