DNS C2 not creating session? #211

Closed
markus-nclose opened this issue Jun 8, 2020 · 14 comments
Labels: bug (Something isn't working), v1.5.0

Comments

markus-nclose commented Jun 8, 2020

Describe the bug
Followed the how-to on setting up the DNS C2; not sure if I'm missing a simple step. Testing over the internet via an AD DNS server. Running the debug on the Linux client, I receive an error:

2020/06/08 13:43:57 udp-dns.go:242: Encrypted session id = 1
2020/06/08 13:43:57 udp-dns.go:247: Session ID decode error illegal base64 data at input byte 0
2020/06/08 13:43:57 transports.go:174: [dns] Connection failed Failed to decode session id
2020/06/08 13:43:57 transports.go:193: Sleep 60 second(s) ...

To Reproduce
Steps to reproduce the behavior:

  1. Set up a DNS nameserver
  2. Run the server on Ubuntu, following the instructions on the Wiki
  3. Run the client on Ubuntu Linux with the nameserver configured
  4. See error

Expected behavior
Session should be created on the server.

Desktop:

  • OS: Ubuntu 18.04 on both sides
  • Version: latest (1.0.2)

Additional context
TCP dump of the last section (after the cert base64):
14:06:38.636588 IP 1.2.3.4.41178 > 192.168.0.199.domain: 31570% [1au] TXT? w49xcFBwDhqKWeP6kWDpN4RFeCPt7qWmt6KJGXBp58BRRN5tWd0pmueqfTAxMgK.9nC8jm6XUjc8x6b4002T4BJNh2CmPNY1mK2huGM14bq71GphC9bMhn8TtJQ016r.4ru917nZVegm3fjvnJWY8HhMYQ78Mn3tu84t5Ew1KF37p78tjv8DDX4b01hjq9K.a2aAAaA.Aaa8r6b-c7._.Si.C2.domain123.zA.net. (261)
14:06:38.637600 IP 192.168.0.199.domain > 1.2.3.4.41178: 31570- 1/0/0 TXT "0" (496)
14:06:38.659683 IP 1.2.3.4.55665 > 192.168.0.199.domain: 33254% [1au] TXT? w49XCfBwdHQkWEP6KwdpN4RFecPt7qwmt6kjgXBP58brrN5Twd0pMuEqFTaxMgK.9Nc8JM6xujc8X6B4002T4bjNH2CmpNY1MK2HUgm14bQ71GpHc9bMHn8TTJQ016R.4Ru917nzvEgM3fjVNJwy8hHmyq78mn3TU84T5ew1kF37p78tJv8DDx4b01hJQ9k.a2AAaaA.AAA8r6B-c7._.si.C2.domain123.zA.neT. (261)
14:06:38.660293 IP 192.168.0.199.domain > 1.2.3.4.55665: 33254- 1/0/0 TXT "0" (496)
14:06:38.681539 IP 1.2.3.4.46907 > 192.168.0.199.domain: 1351% [1au] TXT? W49XCFBWdHQKwep6KWDpN4RFecPt7QwmT6KJgxbP58brRN5TWd0pmuEQFTAXMGk.9nC8jM6XUjC8x6B4002T4BjNh2CmPnY1MK2Hugm14bq71gPhc9BMhN8tTJQ016r.4rU917NZvEgm3FJvnjwY8HHmYq78mn3Tu84T5EW1kF37P78Tjv8DdX4b01hJq9K.a2AAaAA.aaa8R6B-c7._.si.c2.domain123.zA.neT. (261)
14:06:38.682163 IP 192.168.0.199.domain > 1.2.3.4.46907: 1351- 1/0/0 TXT "0" (496)
14:06:38.731918 IP 1.2.3.4.41379 > 192.168.0.199.domain: 46002% [1au] TXT? fp8Xf9md8HWPh0y5C1PfAcPxmFPz2Qj4.a4aaaaA.Aaa8r6B-C7._.Si.C2.domain123.za.neT. (102)
14:06:38.732876 IP 192.168.0.199.domain > 1.2.3.4.41379: 46002- 1/0/0 TXT "0" (178)
14:06:38.754515 IP 1.2.3.4.9659 > 192.168.0.199.domain: 55118% [1au] TXT? FP8XF9md8HwpH0y5C1PFaCpXmFpz2Qj4.A4AAAAA.AAa8R6b-c7._.SI.c2.domain123.ZA.nEt. (102)
14:06:38.755506 IP 192.168.0.199.domain > 1.2.3.4.9659: 55118- 1/0/0 TXT "0" (178)
14:06:38.777236 IP 1.2.3.4.39426 > 192.168.0.199.domain: 44919% [1au] TXT? FP8xf9md8HWPh0y5C1PfAcpxMFPZ2QJ4.A4aaAaA.aaA8r6b-C7._.Si.c2.domain123.za.Net. (102)
14:06:38.778167 IP 192.168.0.199.domain > 1.2.3.4.39426: 44919- 1/0/0 TXT "0" (178)
14:06:38.826388 IP 1.2.3.4.50455 > 192.168.0.199.domain: 17903% [1au] TXT? AAa8r6b-C7._._SI.C2.domain123.za.NET. (62)
14:06:38.829934 IP 192.168.0.199.domain > 1.2.3.4.50455: 17903- 1/0/0 TXT "bKWCwldXnETzMVUUlJgu0n/G/uM2huBQLvaDrPiqeXRiBOQ9PUfq5Rc" (152)
14:06:38.848832 IP 1.2.3.4.30390 > 192.168.0.199.domain: 22136% [1au] TXT? aaA8R6b-C7._._Si.C2.domain123.za.neT. (62)
14:06:38.849853 IP 192.168.0.199.domain > 1.2.3.4.30390: 22136- 1/0/0 TXT "1" (98)
14:06:39.506538 IP 1.2.3.4.2849 > 192.168.0.199.domain: 41635% [1au] TXT? AAa8r6B-C7._._Si.C2.domain123.zA.NeT. (62)
14:06:39.507199 IP 192.168.0.199.domain > 1.2.3.4.2849: 41635- 1/0/0 TXT "1" (98)
14:06:39.776935 IP 1.2.3.4.40057 > 192.168.0.199.domain: 50731% [1au] TXT? AAa8r6b-C7._._SI.C2.domain123.ZA.neT. (62)
14:06:39.777894 IP 192.168.0.199.domain > 1.2.3.4.40057: 50731- 1/0/0 TXT "1" (98)
14:06:39.798910 IP 1.2.3.4.42030 > 192.168.0.199.domain: 64208% [1au] TXT? aaa8r6b-c7._._sI.C2.domain123.zA.NeT. (62)

Debug section on client:
2020/06/08 13:43:56 udp-dns.go:548: [base32] "a2aaaaa="
2020/06/08 13:43:56 udp-dns.go:125: [dns] lookup -> w49xcfbwdhqkwep6kwdpn4rfecpt7qwmt6kjgxbp58brrn5twd0pmueqftaxmgk.9nc8jm6xujc8x6b4002t4bjnh2cmpny1mk2hugm14bq71gphc9bmhn8ttjq016r.4ru917nzvegm3fjvnjwy8hhmyq78mn3tu84t5ew1kf37p78tjv8ddx4b01hjq9k.a2aaaaa.aaa8r6b-c7._.si.c2.domain123.za.net.
2020/06/08 13:43:56 udp-dns.go:161: Sending domain #3 of 3
2020/06/08 13:43:56 udp-dns.go:169: Send data[378:410] 32 bytes
2020/06/08 13:43:56 udp-dns.go:175: Subdata subdomains: 1
2020/06/08 13:43:56 udp-dns.go:186: Subdata #0 [0:32]: "fp8xf9md8hwph0y5c1pfacpxmfpz2qj4"
2020/06/08 13:43:56 udp-dns.go:191: Encoded subdata: []string{"fp8xf9md8hwph0y5c1pfacpxmfpz2qj4"}
2020/06/08 13:43:56 udp-dns.go:548: [base32] "a4aaaaa="
2020/06/08 13:43:56 udp-dns.go:125: [dns] lookup -> fp8xf9md8hwph0y5c1pfacpxmfpz2qj4.a4aaaaa.aaa8r6b-c7._.si.c2.domain123.za.net.
2020/06/08 13:43:56 udp-dns.go:125: [dns] lookup -> aaa8r6b-c7._._si.c2.domain123.za.net.
2020/06/08 13:43:57 udp-dns.go:242: Encrypted session id = 1
2020/06/08 13:43:57 udp-dns.go:247: Session ID decode error illegal base64 data at input byte 0
2020/06/08 13:43:57 transports.go:174: [dns] Connection failed Failed to decode session id
2020/06/08 13:43:57 transports.go:193: Sleep 60 second(s) ...

Awesome project guys! Thanks
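As an added triage aid (not part of the report above, nor Sliver's own code), the script below pairs each tcpdump TXT query in the capture with its answer by (client address, transaction id), folds together the mixed-case spellings of the same name that appear on the wire, and applies the same base64 check the implant failed on. The regexes assume tcpdump's default text layout exactly as printed in the excerpt; run over the session-id lookups it shows that one name was asked several times in different spellings, answered once with a base64 value and afterwards with "1", which is the answer the client could not decode.

```python
import base64, binascii, re
from collections import defaultdict

# Constructed sample: lines copied from the tcpdump excerpt in the report
# (one data chunk answered "0", then the repeated session-id lookups).
CAPTURE = """\
14:06:38.731918 IP 1.2.3.4.41379 > 192.168.0.199.domain: 46002% [1au] TXT? fp8Xf9md8HWPh0y5C1PfAcPxmFPz2Qj4.a4aaaaA.Aaa8r6B-C7._.Si.C2.domain123.za.neT. (102)
14:06:38.732876 IP 192.168.0.199.domain > 1.2.3.4.41379: 46002- 1/0/0 TXT "0" (178)
14:06:38.826388 IP 1.2.3.4.50455 > 192.168.0.199.domain: 17903% [1au] TXT? AAa8r6b-C7._._SI.C2.domain123.za.NET. (62)
14:06:38.829934 IP 192.168.0.199.domain > 1.2.3.4.50455: 17903- 1/0/0 TXT "bKWCwldXnETzMVUUlJgu0n/G/uM2huBQLvaDrPiqeXRiBOQ9PUfq5Rc" (152)
14:06:38.848832 IP 1.2.3.4.30390 > 192.168.0.199.domain: 22136% [1au] TXT? aaA8R6b-C7._._Si.C2.domain123.za.neT. (62)
14:06:38.849853 IP 192.168.0.199.domain > 1.2.3.4.30390: 22136- 1/0/0 TXT "1" (98)
14:06:39.506538 IP 1.2.3.4.2849 > 192.168.0.199.domain: 41635% [1au] TXT? AAa8r6B-C7._._Si.C2.domain123.zA.NeT. (62)
14:06:39.507199 IP 192.168.0.199.domain > 1.2.3.4.2849: 41635- 1/0/0 TXT "1" (98)
"""
# tcpdump query lines end "<id><flags> [1au] TXT? <name> (<len>)", answer lines end
# "<id><flags> a/n/a TXT "<rdata>" (<len>)"; both are keyed on (client addr, id).
QUERY = re.compile(r'^\S+ IP (\S+) > \S+: (\d+)\S* \[1au\] TXT\? (\S+) \(\d+\)$')
ANSWER = re.compile(r'^\S+ IP \S+ > (\S+): (\d+)\S* \d+/\d+/\d+ TXT "([^"]*)" \(\d+\)$')

def pair_transactions(capture):
    """Return [(query name exactly as seen on the wire, TXT answer)]."""
    pending, pairs = {}, []
    for line in capture.splitlines():
        if m := QUERY.match(line):
            pending[(m[1], m[2])] = m[3]
        elif (m := ANSWER.match(line)) and (m[1], m[2]) in pending:
            pairs.append((pending.pop((m[1], m[2])), m[3]))
    return pairs

def group_by_name(pairs):
    """Fold case variants together: lowercased name -> (spellings seen, answers)."""
    groups = defaultdict(lambda: (set(), []))
    for name, answer in pairs:
        groups[name.lower()][0].add(name)
        groups[name.lower()][1].append(answer)
    return dict(groups)

def is_base64(text):
    """The same check the implant applies to the session-id answer."""
    try:
        base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

if __name__ == "__main__":
    for name, (spellings, answers) in group_by_name(pair_transactions(CAPTURE)).items():
        print(name, len(spellings), "spelling(s) ->", [(a, is_base64(a)) for a in answers])
```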

moloch-- self-assigned this Jun 8, 2020
moloch-- added the bug label Jun 8, 2020

moloch-- commented Jun 8, 2020

Can you get us a redacted excerpt of the sliver server logs too? Should be in ~/.sliver/logs/sliver.log by default.

markus-nclose (Author) commented:

I have attached it. Hope I got all the info.
sliver.log (attachment)

markus-nclose commented Jun 26, 2020

In the meantime I have created another record with a different hosting company, but it made no difference.
I have tested the same package through a non-Active-Directory DNS server and it seems to work instantly.

moloch-- (Member) commented:

Yea it seems to be some quirk with AD DNS, once I finish the external builders improving the DNS C2 is next on my list.

moloch-- (Member) commented:

Likely related to #116

ghost commented Mar 3, 2021

Having the same issue in some red team work.
What I can provide is some info on the client where it fails:
Uname: Linux redacted 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
OS: Red Hat Enterprise Linux Server release 6.5 (Santiago)
Agent debug error:

2021/03/03 10:20:20 udp-dns.go:169: Send data[189:378] 189 bytes
2021/03/03 10:20:20 udp-dns.go:175: Subdata subdomains: 3
2021/03/03 10:20:20 udp-dns.go:186: Subdata #0 [0:63]: "2e10qm5dnw13j6hjapha013dr9qv63dthhv3mv0nrpuvh8cybad9zdc2tcqb6p6"
2021/03/03 10:20:20 udp-dns.go:186: Subdata #1 [63:126]: "nzwk4f0334mh68zp7jh7ubmhn0xbfcmcqxa7ex0unpbfdartchccut0hx7mjpam"
2021/03/03 10:20:20 udp-dns.go:186: Subdata #2 [126:189]: "hgttq97ungmbtfw949q7mvk87kwru9xhdrtm6bd7ebv52vvtxwbmamwgup1u236"
2021/03/03 10:20:20 udp-dns.go:191: Encoded subdata: []string{"2e10qm5dnw13j6hjapha013dr9qv63dthhv3mv0nrpuvh8cybad9zdc2tcqb6p6", "nzwk4f0334mh68zp7jh7ubmhn0xbfcmcqxa7ex0unpbfdartchccut0hx7mjpam", "hgttq97ungmbtfw949q7mvk87kwru9xhdrtm6bd7ebv52vvtxwbmamwgup1u236"}
2021/03/03 10:20:20 udp-dns.go:548: [base32] "a2aaaaa="
2021/03/03 10:20:20 udp-dns.go:125: [dns] lookup -> 2e10qm5dnw13j6hjapha013dr9qv63dthhv3mv0nrpuvh8cybad9zdc2tcqb6p6.nzwk4f0334mh68zp7jh7ubmhn0xbfcmcqxa7ex0unpbfdartchccut0hx7mjpam.hgttq97ungmbtfw949q7mvk87kwru9xhdrtm6bd7ebv52vvtxwbmamwgup1u236.a2aaaaa.x8tdxk872m._.si.test.redacted.to.
2021/03/03 10:20:20 udp-dns.go:161: Sending domain #3 of 3
2021/03/03 10:20:20 udp-dns.go:169: Send data[378:410] 32 bytes
2021/03/03 10:20:20 udp-dns.go:175: Subdata subdomains: 1
2021/03/03 10:20:20 udp-dns.go:186: Subdata #0 [0:32]: "ugyaa1jk6ubn551vp7jg8j0yzjcvkzf8"
2021/03/03 10:20:20 udp-dns.go:191: Encoded subdata: []string{"ugyaa1jk6ubn551vp7jg8j0yzjcvkzf8"}
2021/03/03 10:20:20 udp-dns.go:548: [base32] "a4aaaaa="
2021/03/03 10:20:20 udp-dns.go:125: [dns] lookup -> ugyaa1jk6ubn551vp7jg8j0yzjcvkzf8.a4aaaaa.x8tdxk872m._.si.test.redacted.to.
2021/03/03 10:20:20 udp-dns.go:125: [dns] lookup -> x8tdxk872m._._si.test.redacted.to.
2021/03/03 10:20:20 udp-dns.go:242: Encrypted session id = 1
2021/03/03 10:20:20 udp-dns.go:247: Session ID decode error illegal base64 data at input byte 0
2021/03/03 10:20:20 transports.go:182: [dns] Connection failed Failed to decode session id

If you need any other info, let me know.
Yeah, the machine seems to be AD-joined and uses local DNS.

markus-nclose (Author) commented:

I ended up using dnscat2 to successfully establish a DNS tunnel. Not the same functionality, but it works.

ghost commented Mar 3, 2021

For me dnscat2 didn't work either, as the client is without the GLIBC needed to work with dnscat.
The one that gets as far as making DNS queries is this one, but it fails badly at that point, so I hope they will fix it, as I really like this C2 framework.

moloch-- commented Mar 3, 2021

Yea our DNS implementation is unstable, but I haven't had any time to work on improving it yet.

ghost commented Mar 3, 2021

I hope it will become stable, as this is for now the only solution I have been able to use over DNS.
Other ones do not have Linux implant support over DNS :)
I'm not a good dev, but if I can help in any way, just pm/tell me 👍

b4b857f6ee commented:

Hello,
We got the same issue.
Did you find any solution? :)
We are using AD in the 2016 version.
We are using the DNS implant on the AD itself and not on a client of the Active Directory domain.
And as I can see in this issue, it's not working. We can't find out why :/....
Thank you for your time :)

moloch-- (Member) commented:

Yes, we have a solution, which was a ground-up rewrite of the DNS C2 channel in v1.5, but you'll have to wait for us to finish the new version.

b4b857f6ee commented:

Ok thank you for the update!

moloch-- (Member) commented:

Fixed in v1.5
