BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

WG Listener + portfw, I'm not understanding. #487

Open ghost opened 3 years ago

ghost commented 3 years ago

So, I've tried to use the portfwd feature of the implant, but it seems I'm somehow stupid and it won't work.

I did: portfwd add -r ip:80 (to reach an internal website), then I tried to connect to 127.0.0.1:8080, but no luck (I also tried it as a proxy out of boredom).

So I've seen in the wiki that you advise using WireGuard implants + WireGuard portfwd, still with no luck.

I've set up the listener like this: wg -l 53 -L ServerIP -x 9874 -n 9875 -p

Then I generated an implant with this: generate --wg server.remote.domain:53 --os linux -a amd64 -b -d -X 9874 -T 9875 (yes, server.remote.domain resolves to ServerIP).

This is the log from the debug implant:

2021/08/02 00:58:39 sliver.go:61: Hello my name is AVERAGE_TOENAIL
2021/08/02 00:58:39 limits.go:52: Limit checks completed
2021/08/02 00:58:39 transports.go:168: Starting connection loop ...
2021/08/02 00:58:39 transports.go:179: Next CC = wg://server.remote.domain:53
2021/08/02 00:58:39 transports.go:332: Connecting -> server.remote.domain:53
2021/08/02 00:58:39 tcp-wg.go:219: Configuring wg device with: private_key=3811c7c2bfeba3b46895e0fd6ba3f9448eea6a9a7cc275a058193f4d193b8d4e
public_key=976ecf026afbb95993c8e89b1b1ca359c26cb0133f82012ac7b05f0a22a1377c
endpoint=ServerIP:53
allowed_ip=0.0.0.0/0
DEBUG: [c2/wg] 2021/08/02 00:58:39 UAPI: Updating private key
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - UAPI: Created
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - UAPI: Updating endpoint
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - UAPI: Adding allowedip
2021/08/02 00:58:39 tcp-wg.go:229: Successfully set wg device config
DEBUG: [c2/wg] 2021/08/02 00:58:39 UDP bind has been updated
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - Starting...
DEBUG: [c2/wg] 2021/08/02 00:58:39 Interface state was Down, requested Up, now Up
2021/08/02 00:58:39 tcp-wg.go:147: Intial wg connection. Attempting to connect to wg key exchange listener
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - Routine: sequential receiver - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: encryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: decryption worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: handshake worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: TUN reader - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - Sending handshake initiation
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: event worker - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Interface up requested
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: receive incoming IPv4 - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 Routine: receive incoming IPv6 - started
DEBUG: [c2/wg] 2021/08/02 00:58:39 peer(l27P…hN3w) - Routine: sequential sender - started
DEBUG: [c2/wg] 2021/08/02 00:58:45 peer(l27P…hN3w) - Handshake did not complete after 5 seconds, retrying (try 2)
DEBUG: [c2/wg] 2021/08/02 00:58:45 peer(l27P…hN3w) - Sending handshake initiation
DEBUG: [c2/wg] 2021/08/02 00:58:42 peer(l27P…hN3w) - Handshake did not complete after 5 seconds, retrying (try 4)
DEBUG: [c2/wg] 2021/08/02 00:58:42 peer(l27P…hN3w) - Sending handshake initiation
DEBUG: [c2/wg] 2021/08/02 00:58:47 peer(l27P…hN3w) - Handshake did not complete after 5 seconds, retrying (try 5)
DEBUG: [c2/wg] 2021/08/02 00:58:47 peer(l27P…hN3w) - Sending handshake initiation

netstat shows port 53 is listening:

udp        0      0 0.0.0.0:53              0.0.0.0:*                           2851413/sliver-serv 
udp6       0      0 :::53                   :::*                                2851413/sliver-serv 

So it should work(?)

If I check for the other ports, they don't show up, but maybe that's correct.

Sorry I didn't use the template you proposed, but I don't think it's a bug and maybe I'm setting everything up wrong.

PS: HTTPS C2/implants are working :S

rkervella commented 3 years ago

We recommend you use wg-portfwd for WireGuard implants.

ghost commented 3 years ago

Sure, I know that. But my issue is that the WG implant isn't connecting/working and I'm not understanding why. Can you give me some advice?

moloch-- commented 3 years ago

Compiling the implant with --debug may give you more information about what's going on, I'm guessing it's simply a matter of getting the syntax of the command correct.

One notable thing: when using portfwd or wg-portfwd you do not connect to the local port as a proxy, it's a TCP tunnel, so you'd connect directly to it as if it were the target port (i.e., if it's a website you'd curl localhost:8080 or use your browser). This is different from using wg-socks, which you would configure as a proxy (see SOCKS Proxy on the wiki for more details).

ghost commented 3 years ago

So, first of all, the output in the issue is from the implant already built with debug. Also, I tried to connect directly and it didn't work.

moloch-- commented 3 years ago

Interesting, not sure what's going wrong based on your description / log output. Are there any errors in the server logs? (~/.sliver/logs/sliver.log)

ghost commented 3 years ago

Errors nope, not a chance.

rkervella commented 3 years ago

From the implant's logs, looks like the implant cannot connect to the WG server. Is there anything that blocks the connection server-side or implant side?
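The diagnosis above can be read straight off the implant debug log quoted in the opening post: the device config is applied, handshake initiations go out, and only "Handshake did not complete ... retrying" lines come back. The following is an added triage helper written for this thread, not code from the Sliver project; it assumes the log line wording seen in the post plus wireguard-go's "Received handshake response" message for the success case, and it flags that debug builds print the WireGuard private key so the log should not be shared unredacted. The sample log is constructed with a placeholder key and a documentation IP.

```go
package main

import (
	"fmt"
	"strings"
)

// WgLogSummary is what one triage pass pulls out of an implant debug log.
type WgLogSummary struct {
	Endpoint      string // the endpoint=host:port line under "Configuring wg device"
	ConfigApplied bool   // "Successfully set wg device config" was logged
	Initiations   int    // "Sending handshake initiation" lines seen
	HandshakeOK   bool   // wireguard-go's "Received handshake response" (assumed wording)
	KeyPrinted    bool   // a private_key= value appears: do not share this log as-is
}

// TriageWgLog scans line by line; it notes that a key was printed but never copies it.
func TriageWgLog(log string) WgLogSummary {
	var s WgLogSummary
	for _, line := range strings.Split(log, "\n") {
		if strings.HasPrefix(line, "endpoint=") {
			s.Endpoint = strings.TrimPrefix(line, "endpoint=")
		}
		if strings.Contains(line, "Sending handshake initiation") {
			s.Initiations++
		}
		s.ConfigApplied = s.ConfigApplied || strings.Contains(line, "Successfully set wg device config")
		s.HandshakeOK = s.HandshakeOK || strings.Contains(line, "Received handshake response")
		s.KeyPrinted = s.KeyPrinted || strings.Contains(line, "private_key=")
	}
	return s
}

// Verdict reduces the summary to the one-line diagnosis a responder wants.
func (s WgLogSummary) Verdict() string {
	switch {
	case !s.ConfigApplied:
		return "wg device config never applied: the failure is local to the implant"
	case s.HandshakeOK:
		return "WireGuard handshake completed: look past the transport (portfwd syntax, target reachability)"
	}
	return fmt.Sprintf("no handshake after %d initiations: UDP to %s is blocked or replies are not returning", s.Initiations, s.Endpoint)
}

// Constructed sample in the shape of the log quoted in the issue (placeholder, not a real key).
const SampleLog = `tcp-wg.go:219: Configuring wg device with: private_key=PLACEHOLDER_NOT_A_REAL_KEY
endpoint=203.0.113.10:53
tcp-wg.go:229: Successfully set wg device config
peer(l27P…hN3w) - Sending handshake initiation
peer(l27P…hN3w) - Handshake did not complete after 5 seconds, retrying (try 2)
peer(l27P…hN3w) - Sending handshake initiation`
```

Run TriageWgLog over the real log and check Verdict and KeyPrinted before pasting anything into an issue; a log that never reaches the handshake-complete message points at the UDP path (firewall, NAT, or a VPN in between), not at portfwd.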

litobro commented 1 year ago

I know this is an old issue, but I am running into the same problem but have narrowed down the scope.

The implant works fine when I run it on my local net, but when I attempt to deploy it to the HTB Dante ProLab, it fails to handshake. I believe this is likely due to the OpenVPN connection used by HTB. Were you attempting to use the wg implant over OpenVPN?