MythicAgents / Athena


Possible Dropped Packets/Message Encoding Problems #49

Open try-catch-try opened 11 months ago

try-catch-try commented 11 months ago

The Athena agent appears to be dropping network packets causing proxy and uploads to fail in some cases.

  1. When uploading larger binary files 10-20MB I have observed that sometimes the upload fails before completion. The file will be smaller than the original and corrupt. This happens more frequently with larger files and with non-text files. Makes me think that packets are lost or something fails when it encounters a bad character.

  2. Noticed that the proxy server is dropping packets, causing binary data such as RDP/TLS streams to break when being proxied. This is less noticeable when text data is transferred, such as HTTP.

Note my agents are not using the aes message encryption, so maybe that could contribute?

checkymander commented 11 months ago

Hey! I just need a bit of context

  1. Is this the upload command in Athena?
  2. What error message is being returned?
  3. Is this going through a HTTP redirector? Are there any limitations on the max size of messages?

try-catch-try commented 11 months ago

Thanks for your help!

  1. Yes using the builtin athena upload command
  2. There is no error. When the issue occurs the file upload says it is successful. But when checked on disk the uploaded file is smaller and has a different hash than the original file. This behavior is sporadic.
  3. Yes an nginx redirector is being used with client_max_body_size set to 0. Below is the redirector config.
  4. This behavior seems to have a possible link to the socks5 proxy appearing to drop packets.

    server {
        listen 443 ssl http2;
        server_name xxx;
        ssl_certificate /etc/ssl/fullchain.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;

        # Prevents an issue where uploads of large files fail.
        client_max_body_size 0;

        location / {
            resolver;
            set $rhost "xxx:443";
            proxy_pass https://$rhost;
            proxy_cache off;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_ssl_server_name on;
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        }
    }
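
One way to narrow down a "smaller file, different hash" result like the one reported above, as an added example that is not part of the original thread or of the Athena code base: compare the original bytes with the copy that landed on disk and check whether the difference is whole chunks missing, or altered bytes or a mid-chunk cut. `CHUNK_SIZE`, `Diagnosis`, `first_divergence` and `diagnose` are names and values assumed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

CHUNK_SIZE = 512_000  # assumption: per-message chunk size; set to your deployment's value


@dataclass
class Diagnosis:
    hashes_match: bool
    first_divergence: int            # byte offset where the copies first differ, -1 if none
    missing_chunks: list = field(default_factory=list)  # original chunk indices not found
    explained_by_drops: bool = True  # received == original minus whole chunks, in order


def first_divergence(a: bytes, b: bytes, step: int = 65536) -> int:
    limit = min(len(a), len(b))
    for off in range(0, limit, step):
        end = min(off + step, limit)
        if a[off:end] != b[off:end]:
            return next(i for i in range(off, end) if a[i] != b[i])
    return -1 if len(a) == len(b) else limit  # one copy is a prefix of the other


def diagnose(original: bytes, received: bytes, chunk_size: int = CHUNK_SIZE) -> Diagnosis:
    same = hashlib.sha256(original).digest() == hashlib.sha256(received).digest()
    pos, missing = 0, []
    # Greedy in-order alignment: each original chunk either appears next in the
    # received copy or is counted as dropped. Identical chunks (e.g. zero padding)
    # make the reported index ambiguous, but not the number of dropped chunks.
    for start in range(0, len(original), chunk_size):
        chunk = original[start:start + chunk_size]
        if received[pos:pos + len(chunk)] == chunk:
            pos += len(chunk)
        else:
            missing.append(start // chunk_size)
    return Diagnosis(same, first_divergence(original, received), missing, pos == len(received))


if __name__ == "__main__":
    # Constructed sample: five chunks of 4 bytes (last one short), chunk 2 dropped.
    original = b"AAAABBBBCCCCDDDDEE"
    received = b"AAAABBBBDDDDEE"
    print(diagnose(original, received, chunk_size=4))
```

If `explained_by_drops` is true, the copy is the original with entire chunks missing; if it is false, `first_divergence` gives the offset where bytes were altered or the file was cut inside a chunk.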

checkymander commented 11 months ago

Thanks for the extra info, I'm on vacation this week but plan on doing some dev work when I get back. I'll take a look at it then!

try-catch-try commented 11 months ago

Thanks, enjoy your vacation. I will continue to test to figure out a trigger for the file upload. It seems to work 99% of the time.

Note on the proxy: I noticed the mythic_server container is throwing the following errors in the logs.

{"level":"error","error":"write tcp> write: broken pipe","func":"*callbackPortUsage).handleSocksConnections.func1","line":429,"server_id":1796788476,"time":"2023-10-03T20:04:47Z","message":"Failed to write to connection"}

{"level":"error","error":"EOF","func":"*callbackPortUsage).handleSocksConnections.func2","line":449,"server_id":368956113,"time":"2023-10-03T20:04:51Z","message":"Failed to read from connection, sending exit"}

{"level":"error","error":"EOF","func":"*callbackPortUsage).handleSocksConnections.func2","line":449,"server_id":2066524734,"time":"2023-10-03T20:04:56Z","message":"Failed to read from connection, sending exit"}

{"level":"error","error":"EOF","func":"*callbackPortUsage).handleSocksConnections.func2","line":449,"server_id":88056412,"time":"2023-10-03T20:04:57Z","message":"Failed to read from connection, sending exit"}

This was the command run through the proxy.

proxychains4 wget

wget throws this error, and RDP was throwing a similar error:

2023-10-03 20:02:48 (473 MB/s) - Read error at byte 16084/48623616 (error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac). Retrying.

checkymander commented 8 months ago

Just wanted to give you a heads up, I'm currently doing a pretty big rewrite to Athena, and I plan on getting this issue checked out as part of it.

checkymander commented 7 months ago

I've been doing a lot of testing, and think this has been resolved in my new rewrite branch. Feel free to give it a test if you have some cycles.

try-catch-try commented 7 months ago

Thank you again for your help! However, retesting appears to show that the issue still continues.

  1. Cloned and installed the main branch today.
  2. Generated an agent with default options, http listener(, message encryption enabled.
  3. Executed agent and got a callback.
  4. Set up a proxy on 7001 and confirmed I could curl "proxychains4 curl".
  5. Tried "proxychains4 wget". Was able to download 30% with occasional errors, then the download failed with the output below.

    --2024-02-02 14:49:54-- (try:18)
    Connecting to (||:443... [proxychains] Strict chain ... ... ... OK
    connected.
    HTTP request sent, awaiting response... 206 Partial Content
    Length: 44032000 (42M), 33308960 (32M) remaining [application/octet-stream]
    Saving to: ‘mysql-workbench-community-8.0.36-winx64.msi’

    mysql-workbench-community-8.0.36-winx64.msi 28%[+++++++++++++++++++++++++++===> ] 11.88M 4.39MB/s in 0.4s

    2024-02-02 14:49:55 (4.39 MB/s) - Read error at byte 12457808/44032000 (error:1C800066:Provider routines::cipher operation failed; error:0A000119:SSL routines::decryption failed or bad record mac). Retrying.

    --2024-02-02 14:50:05-- (try:19)
    Connecting to (||:443... [proxychains] Strict chain ... ... ... OK
    connected.
    HTTP request sent, awaiting response... 206 Partial Content
    Length: 44032000 (42M), 31574192 (30M) remaining [application/octet-stream]
    Saving to: ‘mysql-workbench-community-8.0.36-winx64.msi’

    mysql-workbench-community-8.0.36-winx64.msi 30%[+++++++++++++++++++++++++++++++==> ] 12.96M 876KB/s in 1.3s

    2024-02-02 14:50:07 (876 KB/s) - Read error at byte 13589728/44032000 (error:1C800066:Provider routines::cipher operation failed; error:0A000119:SSL routines::decryption failed or bad record mac). Retrying.

    --2024-02-02 14:50:17-- (try:20)
    Connecting to (||:443... [proxychains] Strict chain ... ... ... OK
    connected.
    HTTP request sent, awaiting response... 206 Partial Content
    Length: 44032000 (42M), 30442272 (29M) remaining [application/octet-stream]
    Saving to: ‘mysql-workbench-community-8.0.36-winx64.msi’

    mysql-workbench-community-8.0.36-winx64.msi 30%[++++++++++++++++++++++++++++++++++ ] 12.96M --.-KB/s in 0s

    2024-02-02 14:50:17 (0.00 B/s) - Read error at byte 13589728/44032000 (error:1C800066:Provider routines::cipher operation failed; error:0A000119:SSL routines::decryption failed or bad record mac). Giving up.

checkymander commented 7 months ago

FFS, I'll keep messing around with it I guess lol