ScreenCrab not connecting

[SSC]

ScreenCrab is running and connecting back to my Android Smartphone's WiFi, autoexec and wifiinfo works. 

C2 is running on 10.0.0.2 and has port forwards for 443 and 2022 from the external firewall. 

Certificate has been created externally, certificate and key (as well as self-signed ca) imported - C3 server configured for the same dns name that the server is running with -hostname

C2 web interface on 443 as well as ssh on port 2022 are reachable from the internet.

device.config is exported to the root of the sdcard.

The device is still not registering/offline - any ideas?

[dark_pyrro]

Did you manage to get the public key to the Crab in the correct location? That could be tricky when it comes to the Crab since it's rather "closed" out of the box.

[SSC]

oh yes, the crab needs to make sure there is no MITM when its talking to the C2. didnt think anyone would implement SSL the way it should be, usually everyone disregards untrustable certs... how can I get my key on the crab? ssh login seems not to work with the web user...

[dark_pyrro]

To get the key there without void any warranty might be tricky (as said). It's for sure easier if able to access the Crab using hardware serial or adding ssh support, but those are tweaks that will void warranty. The only alternative that I can think of would be to create an autoexec.txt file on th eMicro SD card that is scripted to transfer any key file to the correct location of the Crab.

[SSC]

I couln't bring my local installation to connect via https, the autoexec file ignored the copy commands for my self-signed CA public key (commands in the backend seem to be whitelisted as they should be ;)) 

so i've set up a amazon lightsail instance (exactly as described in the videos/howTos), made the dns entry and restarted the c2 binary with -hostname *DNS-entry* -https. now I just get the message "TLS handshare error from *ScreenCrab-IP* remote error: tls: unknown certificate

everything worked with http and 8080, after switching to https and renewing the screencrab config, it stopped working and every few seconds the TLS handshake error is thrown.

any ideas? 

[dark_pyrro]

2 hours ago, SSC said:

I couln't bring my local installation to connect via https, the autoexec file ignored the copy commands for my self-signed CA public key (commands in the backend seem to be whitelisted as they should be 😉

Even though you've seemed to have given up the idea; the public key file needs to be copied to a destination that isn't exactly "default" and it has to be named a specific way (the public key file) as well to be accepted.

2 hours ago, SSC said:

everything worked with http and 8080, after switching to https and renewing the screencrab config, it stopped working and every few seconds the TLS handshake error is thrown.

Did you run http/8080 using the public IP or the DNS name, or did you "introduce" the DNS name to the setup when you started using https? Just to make sure that there's no issue with the domain name (and linking it to the public IP of the VPS using a DNS record).

[SSC]

I tried appending the public key to /etc/ssl/cert.pem (found the path in the howTo in https://docs.hak5.org/cloud-c2/guides/cloud-c-setup-with-self-signed-ssl-certificates)

HTTP works both via IP and DNS. Tried HTTP with IP first, tried to switch to HTTPS with DNS, then went back to HTTP with DNS. I did use my own DNS servers to make an A entry and didn't use the VPS's nameservers, but that shouldn't make a difference, or should it? 

 

[dark_pyrro]

25 minutes ago, SSC said:

I tried appending the public key to /etc/ssl/cert.pem (found the path in the howTo in https://docs.hak5.org/cloud-c2/guides/cloud-c-setup-with-self-signed-ssl-certificates)

It's not where the Crab stores public key files, fwiw (that's what I was referring to when mentioning "default" destination). It should probably be /system/etc/security/cacerts/ since it's Android.

It also needs to be named in a specific way in order to be accepted by the system (also an Android "thing"). You need to calculate the hash of the certificate and name the file using that hash (along with a trailing ".0")

30 minutes ago, SSC said:

didn't use the VPS's nameservers, but that shouldn't make a difference, or should it? 

That shouldn't matter. It should work. Is port 80 open in the VPS firewall (and any OS firewall that might be enabled)?

[SSC]

3 hours ago, dark_pyrro said:

It's not where the Crab stores public key files, fwiw (that's what I was referring to when mentioning "default" destination). It should probably be /system/etc/security/cacerts/ since it's Android.

It also needs to be named in a specific way in order to be accepted by the system (also an Android "thing"). You need to calculate the hash of the certificate and name the file using that hash (along with a trailing ".0")

omg that sounds annoying, didn't know that ;) since I did the internal CA thing to save time and now I already pay for a VPS instance, that pain is out of question ;)

3 hours ago, dark_pyrro said:

That shouldn't matter. It should work. Is port 80 open in the VPS firewall (and any OS firewall that might be enabled)?

The VPS firewall has 80, 8080, 443 and 2022 open, backend is a default LTS ubuntu without iptables, all the other ports (80, 8080, 2022) work without intervention (and the cloud c2 web interface works via browser, just the crab can't connect due to the tls: unknown certificate error)

[dark_pyrro]

On 3/21/2024 at 1:24 PM, SSC said:

I just get the message "TLS handshare error from *ScreenCrab-IP* remote error: tls: unknown certificate

I guess you've stumbled upon a "new" thing that's related to the upstream Let's Encrypt certificate handling. I haven't had time to do it up until now, but I started my Crab and I got the same issue, i.e. the Crab is not connecting to the C2 server (it did just a week ago), and I get the same error on the C2 server side. This is probably related to Let's Encrypt phasing out a certificate type which affects certain devices such as ones that runs specific OSes, such as Android 7 and older (which includes the Crab running Android 6). I will check things further if I get the time to do it, but right now it's just a "qualified guess" from my side that seems likely to be true.

[dark_pyrro]

I think I got it working now. I transferred the X1 cert to the Crab and it connected to the C2 server straight away. Just need to fix how to get it on the Crab without voiding warranty. I have "full access" to my Crab so it's easily done (since I've done a bunch of hacking of the box over time), but that's not something you get out of the box. I'll try to make a tailored autoexec.txt if I get time to do it.

[SSC]

Awesome - thx!!! Always nice not to be the source of a problem :D

But that essentially means, no SSDLC/DevSecOps dependency management lifecycle processes at hak5? I'm a little disappointed ;) 

 

[dark_pyrro]

Small company with very limited resources. I've seen a lot larger organizations fail to keep certificate management up to par.

[dark_pyrro]

So... this should take care of the cert issue... at least did for me

With the Crab powered off, remove the Micro SD card from the Crab and insert it into a computer. If doing the step creating the hash for the certificate, it needs to be a computer with openssl installed. That step shouldn't really be necessary though since the hash displayed in this post should be "universal" (i.e. it won't change since it should be unique to the certificate). A Linux based PC has been used in the instructions below, so if using something else, commands need to be adjusted.

Download the Let's Encrypt X1 pem file
https://letsencrypt.org/certs/isrgrootx1.pem

also linked on the page
https://letsencrypt.org/certificates/

Calculate the certificate hash (optional)

openssl x509 -inform PEM -subject_hash_old -in isrgrootx1.pem | head -1

Rename the pem file (or copy it) to a file name based on the hash and a .0 suffix

cp isrgrootx1.pem 6187b673.0

Copy the .0 file to the root of the Micro SD card

Create an autoexec.txt file in the root of the Micro SD card that contains...

source /system/bin/crab && locate_sd && mount -o rw,remount /system && cp $SD_LOCATION/6187b673.0 /system/etc/security/cacerts/. && chmod 644 /system/etc/security/cacerts/6187b673.0

With the Crab still powered off, insert the Micro SD card into the Crab, then power up the Crab

If everything works as expected, the Crab should show up in the C2 server web UI (assuming it has network and internet access and a device.config file that is valid for the C2 server)

The .0 file (and the autoexec.txt file) can be deleted from the Micro SD card when it has been verified that the Crab can connect to the C2 server

[SSC]

Thx a lot - works for me too ;)

Edited April 2 by SSC