BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

Unable to run DNS C2 on latest version #1714

Open KemoLD opened 5 months ago

KemoLD commented 5 months ago

Describe the bug
I created a DNS beacon; it is making queries to the domain server, but cannot connect to the Sliver server for some reason. Sliver is running on the domain server and has a listener on port 53. I'm running this on version v1.5.42.

To Reproduce
Steps to reproduce the behavior:

  1. Run sliver
  2. Open a DNS listener: dns -d salmonius.ura.org.
  3. Create a beacon: generate beacon --dns salmonius.ura.org --os linux --arch amd64 -S 5 -d
  4. Run the beacon on the client

Expected behavior
The beacon should connect to the Sliver server.


Context

Client: the client is using the default Google resolver 8.8.8.8. Here are the beacon logs, as the beacon was created with the debug flag:

```
2024/06/11 21:29:18 sliver.go:99: Hello my name is WRONG_JEANS
2024/06/11 21:29:18 limits.go:58: Limit checks completed
2024/06/11 21:29:18 sliver.go:116: Running in Beacon mode with ID: e8828739-a70e-447f-8b05-3f4b4aeebe66
2024/06/11 21:29:18 beacon.go:102: Starting beacon loop ...
2024/06/11 21:29:18 transports.go:41: Starting c2 url generator () ...
2024/06/11 21:29:18 transports.go:104: Return generator: (chan *url.URL)(0xc00007a6c0)
2024/06/11 21:29:18 beacon.go:118: Recv from c2 generator ...
2024/06/11 21:29:18 transports.go:92: Yield c2 uri = 'dns://salmonius.ura.org'
2024/06/11 21:29:18 transports.go:92: Yield c2 uri = 'dns://salmonius.ura.org'
2024/06/11 21:29:18 beacon.go:122: Next CC = dns://salmonius.ura.org
2024/06/11 21:29:18 beacon.go:122: Next CC = dns://salmonius.ura.org
2024/06/11 21:29:18 transports.go:92: Yield c2 uri = 'dns://salmonius.ura.org'
2024/06/11 21:29:18 sliver.go:125: Next beacon = &{0xa59f60 0xa5df80 0xa59e20 0xa59ea0 0xa5dfc0 0xa59dc0 dns://salmonius.ura.org }
2024/06/11 21:29:18 dnsclient.go:152: DNS client connecting to 'salmonius.ura.org' (timeout: 5s) ...
2024/06/11 21:29:18 dnsclient.go:299: [dns] found resolvers: [127.0.0.53]
2024/06/11 21:29:18 crypto.go:227: TOTP Code: 31384098
2024/06/11 21:29:18 dnsclient.go:724: [dns] Fetching dns session id via 'baakb4p2z6ea.salmonius.ura.org.' ...
2024/06/11 21:29:18 resolver-generic.go:92: [dns] 127.0.0.53:53->A record of baakb4p2z6ea.salmonius.ura.org. ?
2024/06/11 21:29:20 resolver-generic.go:175: [dns] rtt->127.0.0.53:53 2.060703253s (err: <nil>)
2024/06/11 21:29:20 resolver-generic.go:100: [dns] error response status: 3
2024/06/11 21:29:20 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2024/06/11 21:29:21 resolver-generic.go:92: [dns] 127.0.0.53:53->A record of baakb4p2z6ea.salmonius.ura.org. ?
2024/06/11 21:29:21 resolver-generic.go:175: [dns] rtt->127.0.0.53:53 27.324599ms (err: <nil>)
2024/06/11 21:29:21 resolver-generic.go:100: [dns] error response status: 3
2024/06/11 21:29:21 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2024/06/11 21:29:22 resolver-generic.go:92: [dns] 127.0.0.53:53->A record of baakb4p2z6ea.salmonius.ura.org. ?
2024/06/11 21:29:22 resolver-generic.go:175: [dns] rtt->127.0.0.53:53 8.694318ms (err: <nil>)
2024/06/11 21:29:22 resolver-generic.go:100: [dns] error response status: 3
2024/06/11 21:29:22 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2024/06/11 21:29:23 beacon.go:177: [beacon] dns connection error invalid rcode
2024/06/11 21:29:23 sliver.go:152: Beacon init error: invalid rcode
2024/06/11 21:29:23 sliver.go:138: Reconnect sleep: 1m0s
```

Server: here is a tcpdump on the domain port 53:

```
21:55:09.062855 eth0 In IP 172.70.173.45.16698 > 172.28.7.207.53: 26802 [1au] A? salmonius.ura.org. (47)
21:55:09.063252 eth0 Out IP 172.28.7.207.53 > 172.70.173.45.16698: 26802 NXDomain*- 0/0/0 (36)
21:55:32.922182 eth0 In IP 172.70.33.34.30794 > 172.28.7.207.53: 8562 [1au] NS? salmonius.ura.org. (47)
21:55:32.922614 eth0 Out IP 172.28.7.207.53 > 172.70.33.34.30794: 8562 NXDomain*- 0/0/0 (36)
21:55:41.644948 eth0 In IP 172.253.210.69.61718 > 172.28.7.207.53: 32847% A? BAAKB63CwWDA.saLMoNIUS.UrA.orG. (49)
21:55:41.645336 eth0 Out IP 172.28.7.207.53 > 172.253.210.69.61718: 32847 NXDomain*- 0/0/0 (49)
21:55:42.660623 eth0 In IP 172.253.8.130.51410 > 172.28.7.207.53: 18562% [1au] A? bAakb63CWwDa.sAlMoNIuS.Ura.org. (71)
21:55:42.661023 eth0 Out IP 172.28.7.207.53 > 172.253.8.130.51410: 18562 NXDomain*- 0/0/0 (49)
21:55:43.676457 eth0 In IP 172.253.213.2.52748 > 172.28.7.207.53: 62751% [1au] A? BAAkb63CwwDA.SalMonIuS.uRA.oRg. (71)
21:55:43.676803 eth0 Out IP 172.28.7.207.53 > 172.253.213.2.52748: 62751 NXDomain*- 0/0/0 (49)
21:55:43.690091 eth0 In IP 173.194.168.193.39320 > 172.28.7.207.53: 38971% [1au] A? BaaKB63CWwda.SALmONIUs.UrA.OrG. (71)
21:55:43.690308 eth0 Out IP 172.28.7.207.53 > 173.194.168.193.39320: 38971 NXDomain*- 0/0/0 (49)
21:56:02.845737 eth0 In IP 162.158.77.15.30228 > 172.28.7.207.53: 51862 [1au] NS? salmonius.ura.org. (47)
21:56:02.846141 eth0 Out IP 172.28.7.207.53 > 162.158.77.15.30228: 51862 NXDomain*- 0/0/0 (36)
21:56:12.514669 eth0 In IP 172.70.33.34.61914 > 172.28.7.207.53: 9534 [1au] A? salmonius.ura.org. (47)
21:56:12.515062 eth0 Out IP 172.28.7.207.53 > 172.70.33.34.61914: 9534 NXDomain*- 0/0/0 (36)
21:56:44.713185 eth0 In IP 172.253.221.133.47840 > 172.28.7.207.53: 50058% [1au] A? baAkbp0PnA1a.sALMoNIUs.uRa.orG. (71)
21:56:44.713597 eth0 Out IP 172.28.7.207.53 > 172.253.221.133.47840: 50058 NXDomain*- 0/0/0 (49)
21:56:44.720173 eth0 In IP 172.253.195.197.41580 > 172.28.7.207.53: 59192% [1au] A? bAakBP0PNa1A.SaLmONiUs.urA.ORg. (71)
21:56:44.720394 eth0 Out IP 172.28.7.207.53 > 172.253.195.197.41580: 59192 NXDomain*- 0/0/0 (49)
21:56:45.726322 eth0 In IP 192.178.65.8.62122 > 172.28.7.207.53: 39796% [1au] A? BAAKBP0pNA1A.SAlMOnIus.uRa.OrG. (71)
21:56:45.726695 eth0 Out IP 172.28.7.207.53 > 192.178.65.8.62122: 39796 NXDomain*- 0/0/0 (49)
21:56:45.731142 eth0 In IP 172.253.8.4.44964 > 172.28.7.207.53: 59202% A? BAAKBp0pNA1a.SaLmoniUs.ura.orG. (49)
21:56:45.731345 eth0 Out IP 172.28.7.207.53 > 172.253.8.4.44964: 59202 NXDomain*- 0/0/0 (49)
21:56:46.735787 eth0 In IP 74.125.18.5.63421 > 172.28.7.207.53: 51063% A? bAaKbP0pnA1A.SalMonIus.URA.oRG. (49)
```

The beacon queries are clearly being sent to the server, so why is Sliver not detecting them?
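Two things in this report are worth checking mechanically before suspecting the listener itself: the server answers NXDOMAIN to every query, including plain A and NS lookups of the zone apex, and the labels the beacon sends in lowercase (baakb4p2z6ea in the beacon log) arrive at the server with their letter case scrambled (BAAKB63CwWDA, bAakb63CWwDa, ...), which is DNS 0x20 case randomization done by the upstream resolver. A label alphabet that treats upper and lower case as different symbols cannot survive that. The script below is an added example for this thread, not Sliver code. Its sample packets are copied from the tcpdump above and the zone is the one from the report; the base62 and base36 alphabets are stand-ins used only to show the case-sensitivity property, since nothing in this thread establishes which alphabet Sliver's DNS encoder uses.

```python
"""Triage a DNS C2 capture: pair each query with its reply, count NXDOMAINs
and flag labels whose case was randomized in transit (DNS 0x20).
Added example for this issue; not Sliver code."""
import re
import string
from dataclasses import dataclass

# Constructed sample: eight packets copied verbatim from the tcpdump in the report.
TCPDUMP_SAMPLE = """\
21:55:09.062855 eth0 In IP 172.70.173.45.16698 > 172.28.7.207.53: 26802 [1au] A? salmonius.ura.org. (47)
21:55:09.063252 eth0 Out IP 172.28.7.207.53 > 172.70.173.45.16698: 26802 NXDomain*- 0/0/0 (36)
21:55:41.644948 eth0 In IP 172.253.210.69.61718 > 172.28.7.207.53: 32847% A? BAAKB63CwWDA.saLMoNIUS.UrA.orG. (49)
21:55:41.645336 eth0 Out IP 172.28.7.207.53 > 172.253.210.69.61718: 32847 NXDomain*- 0/0/0 (49)
21:55:42.660623 eth0 In IP 172.253.8.130.51410 > 172.28.7.207.53: 18562% [1au] A? bAakb63CWwDa.sAlMoNIuS.Ura.org. (71)
21:55:42.661023 eth0 Out IP 172.28.7.207.53 > 172.253.8.130.51410: 18562 NXDomain*- 0/0/0 (49)
21:56:02.845737 eth0 In IP 162.158.77.15.30228 > 172.28.7.207.53: 51862 [1au] NS? salmonius.ura.org. (47)
21:56:02.846141 eth0 Out IP 172.28.7.207.53 > 162.158.77.15.30228: 51862 NXDomain*- 0/0/0 (36)
"""

# tcpdump's one-line DNS summaries: "<txid>[%+] [1au] <qtype>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) \S+ In IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.53: "
    r"(?P<txid>\d+)[%+]? (?:\[1au\] )?(?P<qtype>\w+)\? (?P<name>\S+)\. \(\d+\)$"
)
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) \S+ Out IP [\d.]+\.53 > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp))?"
)


@dataclass
class Exchange:
    resolver: str          # public resolver that forwarded the beacon's query
    qtype: str
    name: str
    rcode: str             # "NoError" when tcpdump prints no error keyword
    case_randomized: bool


def is_case_randomized(name: str) -> bool:
    """True when a name mixes upper and lower case letters (DNS 0x20)."""
    letters = [c for c in name if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def parse_tcpdump(text: str) -> list[Exchange]:
    """Pair queries with replies on (client ip, client port, txid)."""
    pending, exchanges = {}, []
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["src"], q["sport"], q["txid"])] = q
            continue
        r = REPLY_RE.match(line)
        if r:
            q = pending.pop((r["dst"], r["dport"], r["txid"]), None)
            if q is None:
                continue  # reply whose query is not in the capture
            exchanges.append(Exchange(
                resolver=q["src"], qtype=q["qtype"], name=q["name"],
                rcode=r["rcode"] or "NoError",
                case_randomized=is_case_randomized(q["name"]),
            ))
    return exchanges


def summarize(exchanges: list[Exchange], zone: str) -> dict:
    """Apex lookups vs. beacon subdomain queries, and how many were re-cased."""
    zone = zone.lower()
    beacon = [e for e in exchanges if e.name.lower().endswith("." + zone)]
    return {
        "total": len(exchanges),
        "nxdomain": sum(e.rcode == "NXDomain" for e in exchanges),
        "beacon_queries": len(beacon),
        "case_randomized": sum(e.case_randomized for e in beacon),
    }


# Stand-in alphabets (assumption: not Sliver's real encoder). Base62 treats
# 'B' and 'b' as different symbols; base36 folds case before decoding.
B62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
B36 = string.digits + string.ascii_lowercase


def decode_label(label: str, alphabet: str, fold_case: bool) -> int:
    """Positional decode of one DNS label into an integer."""
    if fold_case:
        label = label.lower()
    value = 0
    for ch in label:
        value = value * len(alphabet) + alphabet.index(ch)
    return value


def survives_0x20(label: str, alphabet: str, fold_case: bool) -> bool:
    """Does the label still decode to the same value after a resolver re-cases it?"""
    want = decode_label(label, alphabet, fold_case)
    return all(decode_label(v, alphabet, fold_case) == want
               for v in (label.lower(), label.upper(), label.swapcase()))


if __name__ == "__main__":
    ex = parse_tcpdump(TCPDUMP_SAMPLE)
    for e in ex:
        print(f"{e.resolver:16} {e.qtype:3} {e.rcode:9} 0x20={e.case_randomized!s:5} {e.name}")
    print(summarize(ex, "salmonius.ura.org"))
    first = next(e.name.split(".")[0] for e in ex if e.case_randomized)
    print("case-sensitive alphabet survives 0x20:", survives_0x20(first, B62, False))
    print("case-folded alphabet survives 0x20:   ", survives_0x20(first, B36, True))
```

On the sample, all four exchanges are NXDOMAIN and both beacon labels arrive re-cased. Whether re-casing is what breaks this particular listener is not settled by the thread; the point of the check is that it separates "queries never reach the server" from "queries arrive but the server refuses or cannot decode them", which is the distinction the reporter is asking about.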

moloch-- commented 4 months ago

Working on a fix, hope to have it finished soon.

haha150 commented 4 months ago

Hi, Is there any update or fix for this issue yet by any chance?

z0sen commented 4 months ago

any fix?

rustxj commented 2 months ago

v1.5.42: the problem still exists; with 8.8.8.8, all decoding errors.

rustxj commented 2 months ago

any fix?

Have you found a solution?

frantz45 commented 3 weeks ago

I had exactly the same issue here, the DNS request reaches my sliver server but it answers NXDOMAIN. I checked the sliver.log and it says "totp request invalid", so I added the -D option to the dns job to disable otp and it works :)

lawtonpittenger commented 3 weeks ago

@frantz45 Could you elaborate a bit more on the fix that worked for you? Are you referring to the -d at the end of this command? generate beacon --dns salmonius.ura.org --os linux --arch amd64 -S 5 -d

frantz45 commented 2 weeks ago

@frantz45 Could you elaborate a bit more on the fix that worked for you? Are you referring to the -d at the end of this command? generate beacon --dns salmonius.ura.org --os linux --arch amd64 -S 5 -d

I mean -D (= --disable-otp) of the dns listener: dns -D -d domain.com -c
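frantz45's sliver.log line "totp request invalid" is the server rejecting the one-time code the beacon derives from its own clock (the beacon log above prints "TOTP Code: 31384098"). The following is an added example in plain RFC 6238 TOTP, not Sliver's implementation; the digit count, hash, step length, skew window and shared secret are assumptions made for illustration. It shows the one check worth running before reaching for -D: a beacon whose clock is further from the server's than the accepted window gets exactly this kind of rejection, and no listener setting other than disabling OTP will make it pass.

```python
"""RFC 6238 TOTP validation with a skew window.
Added example for this issue; not Sliver's code or parameters."""
import hashlib
import hmac
import struct

# Assumed parameters: 8 digits (the beacon log shows an 8-digit code),
# HMAC-SHA256, 30-second steps, one step of tolerance either side.
DIGITS = 8
PERIOD = 30
SKEW = 1
SECRET = b"constructed-shared-secret-not-a-real-key"  # constructed for the demo


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation over an HMAC of the big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, unix_time: int) -> str:
    """Code an implant would send given its own clock reading."""
    return hotp(secret, unix_time // PERIOD)


def validate(secret: bytes, code: str, server_time: int, skew: int = SKEW) -> bool:
    """Server side: accept if the code matches any step within +/- skew."""
    step = server_time // PERIOD
    return any(
        hmac.compare_digest(hotp(secret, step + d), code)
        for d in range(-skew, skew + 1)
    )


def max_tolerated_offset(skew: int = SKEW, period: int = PERIOD) -> int:
    """Largest clock offset in seconds that is accepted no matter where in a
    step the server's clock happens to sit."""
    return skew * period


def demo(server_time: int = 1718141358) -> dict:
    """Implant clocks ahead of the server by 0, 20, 45 and 300 seconds.
    1718141358 is 2024-06-11 21:29:18 UTC, the time in the beacon log."""
    results = {}
    for offset in (0, 20, 45, 300):
        code = totp_at(SECRET, server_time + offset)
        results[offset] = validate(SECRET, code, server_time)
    return results


if __name__ == "__main__":
    for offset, ok in demo().items():
        print(f"implant clock +{offset:3}s -> {'accepted' if ok else 'totp request invalid'}")
    print("always tolerated offset:", max_tolerated_offset(), "s")
```

With a one-step window, a 20-second skew passes and a 45-second or five-minute skew is rejected, so the first thing to compare is the implant host's clock against the server's. Turning OTP off with -D makes the listener accept session setup from anything that can reach port 53 and speak the encoding; it is a workaround that removes a check, not a fix, and this thread does not establish whether clock skew, the case randomization visible in the capture, or something else was the cause for the original reporter.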