MythicAgents / Athena


Athena callback to HTTP C2 profile with SSL enabled fails to connect #15

Closed tdaquino closed 1 year ago

tdaquino commented 1 year ago

Describe the bug Athena callback to HTTP C2 profile with SSL enabled fails to connect.

C2 profile config without SSL:

{
  "instances": [
  {
    "ServerHeaders": {
      "Server": "NetDNA-cache/2.2",
      "Cache-Control": "max-age=0, no-cache",
      "Pragma": "no-cache",
      "Connection": "keep-alive",
      "Content-Type": "application/javascript; charset=utf-8"
    },
    "port": 80,
    "key_path": "privkey.pem",
    "cert_path": "fullchain.pem",
    "debug": true,
    "use_ssl": false,
    "payloads": {}
    }
  ]
}

Athena payload config without SSL:

{
    "payload_type": "athena",
    "c2_profiles": [
        {
            "c2_profile": "http",
            "c2_profile_parameters": {
                "query_path_name": "q",
                "proxy_host": "",
                "proxy_port": "",
                "proxy_user": "",
                "proxy_pass": "",
                "callback_interval": "60",
                "callback_port": "80",
                "killdate": "2023-11-14",
                "encrypted_exchange_check": "T",
                "callback_jitter": "23",
                "headers": [
                    {
                        "name": "User-Agent",
                        "key": "User-Agent",
                        "value": "Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko"
                    }
                ],
                "AESPSK": "aes256_hmac",
                "callback_host": "http:\/\/44.199.202.148",
                "get_uri": "index",
                "post_uri": "data"
            }
        }
    ],
    "commands": [
        "load-assembly",
        "reset-assembly-context",
        "exit",
        "download",
        "unload",
        "jobkill",
        "stop-assembly",
        "sleep",
        "load",
        "link",
        "jobs",
        "load-module",
        "upload",
        "socks",
        "unlink",
        "execute-assembly",
        "token"
    ],
    "selected_os": "Windows",
    "tag": "Created by mythic_admin at 11\/14\/2022 23:55:13 UTC",
    "wrapper": false,
    "build_parameters": [
        {
            "name": "self-contained",
            "value": "True"
        },
        {
            "name": "trimmed",
            "value": "False"
        },
        {
            "name": "compressed",
            "value": "True"
        },
        {
            "name": "ready-to-run",
            "value": "False"
        },
        {
            "name": "single-file",
            "value": "True"
        },
        {
            "name": "rid",
            "value": "win-x64"
        },
        {
            "name": "forwarder-type",
            "value": "none"
        },
        {
            "name": "configuration",
            "value": "Release"
        },
        {
            "name": "native-aot",
            "value": "False"
        },
        {
            "name": "output-type",
            "value": "exe"
        }
    ],
    "filename": "athena.zip"
}

Athena callback without SSL debug output:

agent_message request from: http://44.199.202.148/data with {} and <Header('host': '44.199.202.148', 'user-agent': 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko', 'content-type': 'text/plain; charset=utf-8', 'content-length': '560')>
 and URI: 
Forwarding along to: http://mythic_server:17443/api/v1.4/agent_message
[2022-11-15 00:02:22 +0000] - (sanic.access)[INFO][35.83.212.242:49802]: POST http://44.199.202.148/data  200 284
agent_message request from: http://44.199.202.148/data with {} and <Header('host': '44.199.202.148', 'user-agent': 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko', 'content-type': 'text/plain; charset=utf-8', 'content-length': '240')>
 and URI: 
Forwarding along to: http://mythic_server:17443/api/v1.4/agent_message
[2022-11-15 00:02:22 +0000] - (sanic.access)[INFO][35.83.212.242:49802]: POST http://44.199.202.148/data  200 220

C2 profile config with SSL:

{
  "instances": [
  {
    "ServerHeaders": {
      "Server": "NetDNA-cache/2.2",
      "Cache-Control": "max-age=0, no-cache",
      "Pragma": "no-cache",
      "Connection": "keep-alive",
      "Content-Type": "application/javascript; charset=utf-8"
    },
    "port": 443,
    "key_path": "privkey.pem",
    "cert_path": "fullchain.pem",
    "debug": true,
    "use_ssl": true,
    "payloads": {}
    }
  ]
}

Athena payload config with SSL:

{
    "payload_type": "athena",
    "c2_profiles": [
        {
            "c2_profile": "http",
            "c2_profile_parameters": {
                "query_path_name": "q",
                "proxy_host": "",
                "proxy_port": "",
                "proxy_user": "",
                "proxy_pass": "",
                "callback_interval": "10",
                "callback_port": "443",
                "killdate": "2023-11-15",
                "encrypted_exchange_check": "T",
                "callback_jitter": "23",
                "headers": [
                    {
                        "name": "User-Agent",
                        "key": "User-Agent",
                        "value": "Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko"
                    }
                ],
                "AESPSK": "aes256_hmac",
                "callback_host": "https:\/\/44.199.202.148",
                "get_uri": "index",
                "post_uri": "data"
            }
        }
    ],
    "commands": [
        "load-assembly",
        "reset-assembly-context",
        "exit",
        "download",
        "unload",
        "jobkill",
        "stop-assembly",
        "sleep",
        "load",
        "link",
        "jobs",
        "load-module",
        "upload",
        "socks",
        "unlink",
        "execute-assembly",
        "token"
    ],
    "selected_os": "Windows",
    "tag": "Created by mythic_admin at 11\/15\/2022 00:45:40 UTC",
    "wrapper": false,
    "build_parameters": [
        {
            "name": "self-contained",
            "value": "True"
        },
        {
            "name": "trimmed",
            "value": "False"
        },
        {
            "name": "compressed",
            "value": "True"
        },
        {
            "name": "ready-to-run",
            "value": "False"
        },
        {
            "name": "single-file",
            "value": "True"
        },
        {
            "name": "rid",
            "value": "win-x64"
        },
        {
            "name": "forwarder-type",
            "value": "none"
        },
        {
            "name": "configuration",
            "value": "Release"
        },
        {
            "name": "native-aot",
            "value": "False"
        },
        {
            "name": "output-type",
            "value": "exe"
        }
    ],
    "filename": "athena.zip"
}

Athena callback with SSL debug output:

[2022-11-15 00:48:00 +0000] - (sanic.access)[INFO][UNKNOWN]: NONE https:///*  404 41
[2022-11-15 00:48:00 +0000] - (sanic.access)[INFO][UNKNOWN]: NONE https:///*  404 41
[2022-11-15 00:48:09 +0000] - (sanic.access)[INFO][UNKNOWN]: NONE https:///*  404 41

To Reproduce
Steps to reproduce the behavior:
1. Start an HTTP C2 profile with SSL enabled.
2. Create an Athena payload associated with the HTTP C2 profile.
3. Enter the proper callback host and port information.
4. Submit the payload for build.
5. Download and execute the Athena payload on a host and wait for the callback.

Expected behavior The payload should connect and create an active callback.

Screenshots None

Desktop (please complete the following information):

Agent Config See agent config above.

Additional context None

checkymander commented 1 year ago

Hey sorry, I completely missed this. Were you ever able to get it resolved?

Also is it a self-signed certificate? I'm wondering if it's not trusted, and that might be the issue.

tdaquino commented 1 year ago

No worries. Thanks for following up. I put it aside due to other priorities so I did not get it resolved. I definitely would have had a self-signed certificate on the server side. I can go back and test it again. Is trusting the certificate on the agent machine a requirement for the agent to work?

checkymander commented 1 year ago

I mainly asked because I don't recall if I specifically added an "ignore invalid SSL" code into the profile, so that may have been the cause of the issue. I'll look into that and add it if it's not the case at the very least.

checkymander commented 1 year ago

Added ignore invalid ssl code to HTTP profile in dev branch.
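As an added example (not code from the Athena or Mythic projects, nor from either participant), the following script checks that an HTTP C2 profile instance and an Athena payload's http profile parameters agree on TLS before chasing certificate problems: URL scheme versus use_ssl, callback port versus listener port, and key/cert paths present when SSL is on. The sample configs are constructed to mirror the ones in the report.

```python
"""Consistency check between a Mythic HTTP C2 profile instance and an Athena
payload's http profile parameters (added example for this issue, not project code)."""
import copy
import json
from urllib.parse import urlsplit

# Constructed sample: the SSL-enabled profile instance from the report, trimmed.
C2_PROFILE = json.loads('''{"instances": [{"port": 443, "use_ssl": true,
  "key_path": "privkey.pem", "cert_path": "fullchain.pem", "debug": true}]}''')

# Constructed sample: the matching payload config, trimmed to the http profile.
PAYLOAD = json.loads('''{"payload_type": "athena", "c2_profiles": [{"c2_profile": "http",
  "c2_profile_parameters": {"callback_host": "https://44.199.202.148",
  "callback_port": "443", "get_uri": "index", "post_uri": "data"}}]}''')


def check_tls_alignment(c2_profile: dict, payload: dict) -> list:
    """Return a list of mismatch descriptions; empty when the configs agree."""
    findings = []
    instance = c2_profile["instances"][0]
    params = next(p for p in payload["c2_profiles"]
                  if p["c2_profile"] == "http")["c2_profile_parameters"]
    url = urlsplit(params["callback_host"])
    port = int(params["callback_port"])
    # The scheme the agent dials must match what the listener speaks.
    if (url.scheme == "https") != bool(instance["use_ssl"]):
        findings.append(f"scheme {url.scheme!r} vs use_ssl={instance['use_ssl']}")
    # The agent's callback port must be the port the listener binds.
    if port != instance["port"]:
        findings.append(f"callback_port {port} vs profile port {instance['port']}")
    # An SSL listener needs both key_path and cert_path set.
    if instance["use_ssl"] and not (instance.get("key_path") and instance.get("cert_path")):
        findings.append("use_ssl is true but key_path/cert_path are missing")
    return findings


def mismatched_payload() -> dict:
    """Constructed variant: an http:// callback on port 80 against the SSL listener."""
    bad = copy.deepcopy(PAYLOAD)
    params = bad["c2_profiles"][0]["c2_profile_parameters"]
    params["callback_host"] = "http://44.199.202.148"
    params["callback_port"] = "80"
    return bad


if __name__ == "__main__":
    for label, cfg in (("report config", PAYLOAD), ("mismatched", mismatched_payload())):
        print(label, check_tls_alignment(C2_PROFILE, cfg) or "OK")
```

When this check passes and the listener still logs only client-less `NONE https:///*` lines, the remaining suspect is the certificate itself: a self-signed certificate has to be trusted by the agent host, or the profile has to skip validation as the maintainer added in the dev branch.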