DNS C2 not creating session? #211
Comments
Can you get us a redacted excerpt of the sliver server logs too? Should be in
I have attached it. Hope I got all the info
In the meanwhile I have created another record by a different hosting company but it made no difference.
Yea it seems to be some quirk with AD DNS, once I finish the external builders improving the DNS C2 is next on my list.
Likely related to #116
Having same issues in some red team work.
If you need any other info let me know.
I ended up using dnscat2 to successfully establish DNS tunnel. Not the same functionality, but it works.
To me dnscat2 didn't work either as the client is without the needed GLIBC to work with dnscat.
Yea our DNS implementation is unstable, but I haven't had any time to work on improving it yet.
I hope it will become stable as this is for now the only solution I have been able to use over DNS.
Hello,
Yes, we have a solution, which was a ground up re-write of the dns c2 channel in v1.5, but you'll have to wait for us to finish the new version.
Ok thank you for the update!
Fixed in v1.5
Describe the bug
Followed the how-to on setting up the DNS C2, not sure if I'm missing a simple step. Testing over internet via AD DNS server. Running the debug on the Linux client, I receive an error:
2020/06/08 13:43:57 udp-dns.go:242: Encrypted session id = 1
2020/06/08 13:43:57 udp-dns.go:247: Session ID decode error illegal base64 data at input byte 0
2020/06/08 13:43:57 transports.go:174: [dns] Connection failed Failed to decode session id
2020/06/08 13:43:57 transports.go:193: Sleep 60 second(s) ...
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Session should be created on the server.
Additional context
TCP dump of the last section (after cert base64)
14:06:38.636588 IP 1.2.3.4.41178 > 192.168.0.199.domain: 31570% [1au] TXT? w49xcFBwDhqKWeP6kWDpN4RFeCPt7qWmt6KJGXBp58BRRN5tWd0pmueqfTAxMgK.9nC8jm6XUjc8x6b4002T4BJNh2CmPNY1mK2huGM14bq71GphC9bMhn8TtJQ016r.4ru917nZVegm3fjvnJWY8HhMYQ78Mn3tu84t5Ew1KF37p78tjv8DDX4b01hjq9K.a2aAAaA.Aaa8r6b-c7._.Si.C2.domain123.zA.net. (261)
14:06:38.637600 IP 192.168.0.199.domain > 1.2.3.4.41178: 31570- 1/0/0 TXT "0" (496)
14:06:38.659683 IP 1.2.3.4.55665 > 192.168.0.199.domain: 33254% [1au] TXT? w49XCfBwdHQkWEP6KwdpN4RFecPt7qwmt6kjgXBP58brrN5Twd0pMuEqFTaxMgK.9Nc8JM6xujc8X6B4002T4bjNH2CmpNY1MK2HUgm14bQ71GpHc9bMHn8TTJQ016R.4Ru917nzvEgM3fjVNJwy8hHmyq78mn3TU84T5ew1kF37p78tJv8DDx4b01hJQ9k.a2AAaaA.AAA8r6B-c7._.si.C2.domain123.zA.neT. (261)
14:06:38.660293 IP 192.168.0.199.domain > 1.2.3.4.55665: 33254- 1/0/0 TXT "0" (496)
14:06:38.681539 IP 1.2.3.4.46907 > 192.168.0.199.domain: 1351% [1au] TXT? W49XCFBWdHQKwep6KWDpN4RFecPt7QwmT6KJgxbP58brRN5TWd0pmuEQFTAXMGk.9nC8jM6XUjC8x6B4002T4BjNh2CmPnY1MK2Hugm14bq71gPhc9BMhN8tTJQ016r.4rU917NZvEgm3FJvnjwY8HHmYq78mn3Tu84T5EW1kF37P78Tjv8DdX4b01hJq9K.a2AAaAA.aaa8R6B-c7._.si.c2.domain123.zA.neT. (261)
14:06:38.682163 IP 192.168.0.199.domain > 1.2.3.4.46907: 1351- 1/0/0 TXT "0" (496)
14:06:38.731918 IP 1.2.3.4.41379 > 192.168.0.199.domain: 46002% [1au] TXT? fp8Xf9md8HWPh0y5C1PfAcPxmFPz2Qj4.a4aaaaA.Aaa8r6B-C7._.Si.C2.domain123.za.neT. (102)
14:06:38.732876 IP 192.168.0.199.domain > 1.2.3.4.41379: 46002- 1/0/0 TXT "0" (178)
14:06:38.754515 IP 1.2.3.4.9659 > 192.168.0.199.domain: 55118% [1au] TXT? FP8XF9md8HwpH0y5C1PFaCpXmFpz2Qj4.A4AAAAA.AAa8R6b-c7._.SI.c2.domain123.ZA.nEt. (102)
14:06:38.755506 IP 192.168.0.199.domain > 1.2.3.4.9659: 55118- 1/0/0 TXT "0" (178)
14:06:38.777236 IP 1.2.3.4.39426 > 192.168.0.199.domain: 44919% [1au] TXT? FP8xf9md8HWPh0y5C1PfAcpxMFPZ2QJ4.A4aaAaA.aaA8r6b-C7._.Si.c2.domain123.za.Net. (102)
14:06:38.778167 IP 192.168.0.199.domain > 1.2.3.4.39426: 44919- 1/0/0 TXT "0" (178)
14:06:38.826388 IP 1.2.3.4.50455 > 192.168.0.199.domain: 17903% [1au] TXT? AAa8r6b-C7._._SI.C2.domain123.za.NET. (62)
14:06:38.829934 IP 192.168.0.199.domain > 1.2.3.4.50455: 17903- 1/0/0 TXT "bKWCwldXnETzMVUUlJgu0n/G/uM2huBQLvaDrPiqeXRiBOQ9PUfq5Rc" (152)
14:06:38.848832 IP 1.2.3.4.30390 > 192.168.0.199.domain: 22136% [1au] TXT? aaA8R6b-C7._._Si.C2.domain123.za.neT. (62)
14:06:38.849853 IP 192.168.0.199.domain > 1.2.3.4.30390: 22136- 1/0/0 TXT "1" (98)
14:06:39.506538 IP 1.2.3.4.2849 > 192.168.0.199.domain: 41635% [1au] TXT? AAa8r6B-C7._._Si.C2.domain123.zA.NeT. (62)
14:06:39.507199 IP 192.168.0.199.domain > 1.2.3.4.2849: 41635- 1/0/0 TXT "1" (98)
14:06:39.776935 IP 1.2.3.4.40057 > 192.168.0.199.domain: 50731% [1au] TXT? AAa8r6b-C7._._SI.C2.domain123.ZA.neT. (62)
14:06:39.777894 IP 192.168.0.199.domain > 1.2.3.4.40057: 50731- 1/0/0 TXT "1" (98)
14:06:39.798910 IP 1.2.3.4.42030 > 192.168.0.199.domain: 64208% [1au] TXT? aaa8r6b-c7._._sI.C2.domain123.zA.NeT. (62)
Debug section on client:
2020/06/08 13:43:56 udp-dns.go:548: [base32] "a2aaaaa="
2020/06/08 13:43:56 udp-dns.go:125: [dns] lookup -> w49xcfbwdhqkwep6kwdpn4rfecpt7qwmt6kjgxbp58brrn5twd0pmueqftaxmgk.9nc8jm6xujc8x6b4002t4bjnh2cmpny1mk2hugm14bq71gphc9bmhn8ttjq016r.4ru917nzvegm3fjvnjwy8hhmyq78mn3tu84t5ew1kf37p78tjv8ddx4b01hjq9k.a2aaaaa.aaa8r6b-c7._.si.c2.domain123.za.net.
2020/06/08 13:43:56 udp-dns.go:161: Sending domain #3 of 3
2020/06/08 13:43:56 udp-dns.go:169: Send data[378:410] 32 bytes
2020/06/08 13:43:56 udp-dns.go:175: Subdata subdomains: 1
2020/06/08 13:43:56 udp-dns.go:186: Subdata #0 [0:32]: "fp8xf9md8hwph0y5c1pfacpxmfpz2qj4"
2020/06/08 13:43:56 udp-dns.go:191: Encoded subdata: []string{"fp8xf9md8hwph0y5c1pfacpxmfpz2qj4"}
2020/06/08 13:43:56 udp-dns.go:548: [base32] "a4aaaaa="
2020/06/08 13:43:56 udp-dns.go:125: [dns] lookup -> fp8xf9md8hwph0y5c1pfacpxmfpz2qj4.a4aaaaa.aaa8r6b-c7._.si.c2.domain123.za.net.
2020/06/08 13:43:56 udp-dns.go:125: [dns] lookup -> aaa8r6b-c7._._si.c2.domain123.za.net.
2020/06/08 13:43:57 udp-dns.go:242: Encrypted session id = 1
2020/06/08 13:43:57 udp-dns.go:247: Session ID decode error illegal base64 data at input byte 0
2020/06/08 13:43:57 transports.go:174: [dns] Connection failed Failed to decode session id
2020/06/08 13:43:57 transports.go:193: Sleep 60 second(s) ...
Awesome project guys! Thanks
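The capture in this report shows TXT queries with long encoded labels under one zone, and the same name reaching the server in different letter case. As an added example (not part of the issue and not Sliver code), the parser below reads tcpdump lines of that shape, normalizes case, and summarizes those indicators per parent zone for detection purposes. The sample lines, the three-label zone grouping and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Query line: "<time> IP <src>.<port> > <resolver>.domain: <id><flags> [1au] TXT? <name>. (<len>)"
QUERY_RE = re.compile(
    r"IP (?P<src>\S+)\.\d+ > \S+\.domain: \d+\S* (?:\[\w+\] )?"
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \(\d+\)"
)

def parse_queries(capture):
    """Yield (source IP, query type, name as seen on the wire) per query line."""
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:  # response lines do not match and are skipped
            yield m["src"], m["qtype"], m["name"]

def tunnel_indicators(capture, zone_labels=3, min_label=40, min_txt=3):
    """Return per-zone stats for zones with many TXT queries and long labels."""
    stats = defaultdict(lambda: {"txt": 0, "names": set(), "variants": set(), "max_label": 0})
    for _src, qtype, raw in parse_queries(capture):
        name = raw.lower()  # DNS names are case-insensitive; compare normalized
        labels = name.split(".")
        s = stats[".".join(labels[-zone_labels:])]  # assumed zone = last N labels
        s["txt"] += qtype == "TXT"
        s["names"].add(name)      # distinct names after case folding
        s["variants"].add(raw)    # distinct spellings seen on the wire
        s["max_label"] = max([s["max_label"]] + [len(lab) for lab in labels[:-zone_labels]])
    return {
        zone: {"txt": s["txt"], "names": len(s["names"]),
               "variants": len(s["variants"]), "max_label": s["max_label"]}
        for zone, s in stats.items()
        if s["txt"] >= min_txt and s["max_label"] >= min_label
    }

# Constructed sample capture (placeholder addresses and names, not from the issue).
_DATA = "k7q2m9x4" * 7  # 56-character data label
_Q = "14:06:38.000000 IP 198.51.100.7.41178 > 192.0.2.53.domain: 31570% [1au] {} (99)"
SAMPLE = "\n".join([
    _Q.format(f"TXT? {_DATA}.a2aaaaa.sid1._.si.c2.example.net."),
    '14:06:38.000100 IP 192.0.2.53.domain > 198.51.100.7.41178: 31570- 1/0/0 TXT "0" (496)',
    _Q.format(f"TXT? {_DATA.upper()}.A2aaAAa.Sid1._.SI.C2.example.NET."),
    _Q.format(f"TXT? {_DATA}.a4aaaaa.sid1._.si.c2.example.net."),
    _Q.format("TXT? sid1._._si.c2.example.net."),
    _Q.format("A? www.example.org."),
    _Q.format("TXT? _dmarc.mail.example.org."),
])

if __name__ == "__main__":
    print(tunnel_indicators(SAMPLE))
```

A gap between `variants` and `names` means the same name was seen in more than one letter case, so counting unique subdomains without case folding would overstate them.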