Closed h00die-gr3y closed 11 months ago
The problem appears to be that the time on the server and the host where the agent is running are not synchronized. The JWT was issued "in the future" from the server's perspective and therefore is invalid. The Agent issued the JWT at `09:06:06` but it was evaluated on the server at `08:55:49.670379755`. There is almost an 11 minute time difference.
Hi Russel, Thanks for the feedback. Indeed the time on my NAS box was not synced. I did another run where I synced both my Linux Kali server and the NAS server with ntp to ensure that they have the same time.
> Merlin» date
>
> [i] Executing system command...
>
> [+] Wed Jun 23 12:40:14 CEST 2021
UNIXNET_NAS> date
Wed Jun 23 12:40:18 CEST 2021
UNIXNET_NAS>
I did the same run again but it throws me the error 404 even with both servers having the same time synced with ntp. As I said, I have this problem only with the arm5 agent.
Merlin ARM5 Agent debug output: UNIXNET_NAS> ./merlinAgent-Linux-arm5 -v -debug -url https://192.168.201.19:443 -psk merlin [DEBUG]Entering agent.New() function [i]Host Information: [i] Agent UUID: 546d32c9-9a89-45d3-bbba-9f58bfae8632 [i] Platform: linux [i] Architecture: arm [i] User Name: root [i] User GUID: 0 [i] Hostname: UNIXNET_NAS [i] PID: 30034 [i] IPs: [127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] [DEBUG]Leaving agent.New function [DEBUG]Entering into clients.http.New()... [DEBUG]new client PSK: merlin [DEBUG]new client Secret: f6274d9892026fe47dd5f96f708ef8983dccc7bacf5ee4a90b2400805adaea0a [DEBUG]Entering into clients.http.getClient()... [i]Client information: [i] Protocol: h2 [i] URL: https://192.168.201.19:443 [i] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36 [i] HTTP Host Header: [i] Payload Padding Max: 4096 [i] JA3 String: [-]Agent version: 1.0.1 [-]Agent build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c [DEBUG]Entering into agent.getAgentInfoMessage function... [DEBUG]Entering into clients.http.Get()... [DEBUG]Key: paddingmax [DEBUG]Entering into clients.http.Get()... [DEBUG]Key: protocol [DEBUG]Entering into clients.http.Get()... 
[DEBUG]Key: ja3 [DEBUG]Returning AgentInfo message: {Version:1.0.1 Build:70c07d5831774f1f271ca9f6420c2c0ee66d3a2c WaitTime:30s PaddingMax:4096 MaxRetry:7 FailedCheckin:0 Skew:3000 Proto:h2 SysInfo:{Platform:linux Architecture:arm UserName:root UserGUID:0 HostName:UNIXNET_NAS Pid:30034 Ips:[127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] Domain:} KillDate:0 JA3:} [DEBUG]Entering clients.http.Initial function [DEBUG]Input AgentInfo: {Version:1.0.1 Build:70c07d5831774f1f271ca9f6420c2c0ee66d3a2c WaitTime:30s PaddingMax:4096 MaxRetry:7 FailedCheckin:0 Skew:3000 Proto:h2 SysInfo:{Platform:linux Architecture:arm UserName:root UserGUID:0 HostName:UNIXNET_NAS Pid:30034 Ips:[127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] Domain:} KillDate:0 JA3:} [DEBUG]Entering into clients.http.opaqueAuth()... [DEBUG]Entering into agent.opaqueRegister [-]Starting OPAQUE Registration [DEBUG]Entering into clients.http.getJWT()... [DEBUG]Entering into opaque.UserRegisterInit... [DEBUG]OPAQUE UserID: 546d32c99a8945d3bbba9f58bfae8632 [DEBUG]OPAQUE Alpha: db8b63fab0c60633de8232cef8e268f9c7156f64f7562217bb8242cbc5e8c22b [DEBUG]OPAQUE PwdU: 05ba3c4b86ffabf464b3e1fcb090f5cc2974aaf01eccde87635ca2b73f8da110 [DEBUG]Sending OPAQUE RegInit message [DEBUG]Entering into agent.sendMessage() [-]Sending OPAQUE message to https://192.168.201.19:443 [DEBUG]Sending POST request size: 6052 to: https://192.168.201.19:443 [DEBUG]HTTP Response: &{Status:200 OK StatusCode:200 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Type:[application/octet-stream] Date:[Wed, 23 Jun 2021 10:35:47 GMT]] Body:{cs:0x8ee630} ContentLength:-1 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0x874f00 TLS:0xb040c0} [DEBUG]Entering into opaque.UserRegisterComplete... 
[-]Received OPAQUE server registration initialization message [DEBUG]OPAQUE Beta: dc7a9cb299d87c0b983d47fc725c023bff8dd61a7bec9950fdf7fd590e80cead [DEBUG]OPAQUE V: 6770de6a1472116ff26b2066e47b35567f8684013b369fab3b2ee2d3f1cffe63 [DEBUG]OPAQUE PubS: accee7e2c55d1bacdbb6498af558f26539178ca2c811c093ca005aeb8c4e175c [DEBUG]OPAQUE EnvU: a28625a4a69aa7ccaa8de076b70d7590e2e56b6d3f94fc6be8c7893db9224004752ee9c403885940751e05de4babe4a76557e8b935fa90dbc5f41f9c29f0a307e660ebadde31e6f76262f48eb47f8aae23364dbfbfc47d99810fbabbf23c5930f7a49ff5520da879d4998ea5e7dc827316088eae7ffc4fd6db3b75272b24a999 [DEBUG]OPAQUE PubU: 9d52ad112859ec6cd75f26c212143bd0ab236daa926d164e2d852e326ce8d656 [DEBUG]Sending OPAQUE RegComplete message [DEBUG]Entering into agent.sendMessage() [-]Sending OPAQUE message to https://192.168.201.19:443 [DEBUG]Sending POST request size: 6209 to: https://192.168.201.19:443 [DEBUG]HTTP Response: &{Status:404 Not Found StatusCode:404 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Length:[0] Date:[Wed, 23 Jun 2021 10:36:44 GMT]] Body:{Reader:0x8f45e0} ContentLength:0 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0x875d80 TLS:0xb045a0} [!]there was an error performing OPAQUE User Registration: there was an error sending the OPAQUE User Registration Complete message to the server: there was an error communicating with the server: 404 [-]1 out of 7 total failed checkins [-]Sleeping for 31.826s at 2021-06-23T10:36:46Z
Merlin Server Debug output: [+] Debug output enabled Merlin» Merlin» [!] Received HTTP/2.0 POST connection from 192.168.201.3:48042
[DEBUG] HTTP Connection Details: Host: 192.168.201.19:443 URI: / Method: POST Protocol: HTTP/2.0 Headers: map[Accept-Encoding:[gzip] Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..xLjCpym9WJeuSQYT.1TWRMbVFFWZ69KDcgqhePpDyNUS157zwJ-tIUCJHDPuxd3VaCGJT8b2JtNd1vZe0LMjwyRP6zom8EqzpeWUeOwyKq4UUjRDo_wa-r02evQ2zJEDUcRn3EsmOWM545ngmJ_uo1YzhOcaGhhWE7mwMeDLLP_54ktrEttqWuecPrsO63Rp3hB8djarRCyljPu1sLQGI0Rfse8Ueq-kew1-rCDPMHiabD4brBN5HPEcCWzkTh8BwMyLTPoJj-QY.EA1A50HGjsyvNn-l5uGRGg] Content-Length:[6052] Content-Type:[application/octet-stream; charset=utf-8] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36]] TLS Negotiated Protocol: h2 TLS Cipher Suite: 4867 TLS Server Name: Content Length: 6052 [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..xLjCpym9WJeuSQYT.1TWRMbVFFWZ69KDcgqhePpDyNUS157zwJ-tIUCJHDPuxd3VaCGJT8b2JtNd1vZe0LMjwyRP6zom8EqzpeWUeOwyKq4UUjRDo_wa-r02evQ2zJEDUcRn3EsmOWM545ngmJ_uo1YzhOcaGhhWE7mwMeDLLP_54ktrEttqWuecPrsO63Rp3hB8djarRCyljPu1sLQGI0Rfse8Ueq-kew1-rCDPMHiabD4brBN5HPEcCWzkTh8BwMyLTPoJj-QY.EA1A50HGjsyvNn-l5uGRGg
[-] Checking to see if authorization JWT was signed by server's interface key... [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..xLjCpym9WJeuSQYT.1TWRMbVFFWZ69KDcgqhePpDyNUS157zwJ-tIUCJHDPuxd3VaCGJT8b2JtNd1vZe0LMjwyRP6zom8EqzpeWUeOwyKq4UUjRDo_wa-r02evQ2zJEDUcRn3EsmOWM545ngmJ_uo1YzhOcaGhhWE7mwMeDLLP_54ktrEttqWuecPrsO63Rp3hB8djarRCyljPu1sLQGI0Rfse8Ueq-kew1-rCDPMHiabD4brBN5HPEcCWzkTh8BwMyLTPoJj-QY.EA1A50HGjsyvNn-l5uGRGg
[!] there was an error decrypting the JWT: square/go-jose: error in cryptographic primitive
[-] Authorization JWT not signed with server's interface key, trying again with PSK... [DEBUG]there was an error getting the agent's wait time: 546d32c9-9a89-45d3-bbba-9f58bfae8632 is not a valid agent [DEBUG]Agent wait time: [-]The returned Agent wait time was empty, using default 60s [DEBUG]agentID: 546d32c9-9a89-45d3-bbba-9f58bfae8632 [DEBUG]Leaving jwt.ValidateJWT without error [DEBUG]Entering into jwt.DecryptJWE function
[i] UnAuthenticated JWT
[DEBUG]Input JWE String:
[DEBUG]Parsed JWE:
&{Header:{KeyID: JSONWebKey:
[DEBUG] [DEBUG]POST DATA: {0 546d32c9-9a89-45d3-bbba-9f58bfae8632 2 {1 [0 0 0 16 84 109 50 201 154 137 69 211 187 186 159 88 191 174 134 50 219 139 99 250 176 198 6 51 222 130 50 206 248 226 104 249 199 21 111 100 247 86 34 23 187 130 66 203 197 232 194 43]} }
[-] Received OPAQUE message, decrypted JWE with interface PSK
[DEBUG] Entering into opaque.UnAuthHandler() function...
[-] Received OPAQUE message type: 1
[DEBUG] Entering into opaque.RegistrationInit() function... [DEBUG]Entering into opaque.ServerRegisterInit() function...
[DEBUG] Entering into agents.newAgent function
[-] Created agent log file at: /opt/merlin/data/agents/546d32c9-9a89-45d3-bbba-9f58bfae8632 agent_log.txt
[DEBUG] Leaving agents.newAgent function without error
[DEBUG] Entering into agents.Log
[DEBUG] Leaving agents.OPAQUERegistrationInit function without error
[DEBUG] Leaving opaque.UnAuthHandler() function without error
[!] Received HTTP/2.0 POST connection from 192.168.201.3:48043
[DEBUG] HTTP Connection Details: Host: 192.168.201.19:443 URI: / Method: POST Protocol: HTTP/2.0 Headers: map[Accept-Encoding:[gzip] Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..xLjCpym9WJeuSQYT.1TWRMbVFFWZ69KDcgqhePpDyNUS157zwJ-tIUCJHDPuxd3VaCGJT8b2JtNd1vZe0LMjwyRP6zom8EqzpeWUeOwyKq4UUjRDo_wa-r02evQ2zJEDUcRn3EsmOWM545ngmJ_uo1YzhOcaGhhWE7mwMeDLLP_54ktrEttqWuecPrsO63Rp3hB8djarRCyljPu1sLQGI0Rfse8Ueq-kew1-rCDPMHiabD4brBN5HPEcCWzkTh8BwMyLTPoJj-QY.EA1A50HGjsyvNn-l5uGRGg] Content-Length:[6209] Content-Type:[application/octet-stream; charset=utf-8] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36]] TLS Negotiated Protocol: h2 TLS Cipher Suite: 4867 TLS Server Name: Content Length: 6209 [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..xLjCpym9WJeuSQYT.1TWRMbVFFWZ69KDcgqhePpDyNUS157zwJ-tIUCJHDPuxd3VaCGJT8b2JtNd1vZe0LMjwyRP6zom8EqzpeWUeOwyKq4UUjRDo_wa-r02evQ2zJEDUcRn3EsmOWM545ngmJ_uo1YzhOcaGhhWE7mwMeDLLP_54ktrEttqWuecPrsO63Rp3hB8djarRCyljPu1sLQGI0Rfse8Ueq-kew1-rCDPMHiabD4brBN5HPEcCWzkTh8BwMyLTPoJj-QY.EA1A50HGjsyvNn-l5uGRGg
[-] Checking to see if authorization JWT was signed by server's interface key... [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..xLjCpym9WJeuSQYT.1TWRMbVFFWZ69KDcgqhePpDyNUS157zwJ-tIUCJHDPuxd3VaCGJT8b2JtNd1vZe0LMjwyRP6zom8EqzpeWUeOwyKq4UUjRDo_wa-r02evQ2zJEDUcRn3EsmOWM545ngmJ_uo1YzhOcaGhhWE7mwMeDLLP_54ktrEttqWuecPrsO63Rp3hB8djarRCyljPu1sLQGI0Rfse8Ueq-kew1-rCDPMHiabD4brBN5HPEcCWzkTh8BwMyLTPoJj-QY.EA1A50HGjsyvNn-l5uGRGg
[!] there was an error decrypting the JWT: square/go-jose: error in cryptographic primitive
[-] Authorization JWT not signed with server's interface key, trying again with PSK... [DEBUG]Agent wait time: [-]The returned Agent wait time was empty, using default 60s [!]The JWT claims were not valid for 546d32c9-9a89-45d3-bbba-9f58bfae8632 [-]Agent Wait Time: 60s, Time now: 2021-06-23 12:36:44.154549379 +0200 CEST m=+10261.529613865 [-]JWT Claim Expiry: 2021-06-23 12:35:25 +0200 CEST [-]JWT Claim Issued: 2021-06-23 12:35:15 +0200 CEST
[-] Authorization JWT not signed with PSK, returning 404...
[!] square/go-jose/jwt: validation failed, token is expired (exp)
Looks like we're still running into the same problem, but for a different reason. The JWT expired at `2021-06-23 12:35:25 +0200 CEST` and was evaluated at `2021-06-23 12:36:44.154549379 +0200 CEST`. The JWT was invalid because the expiration time was reached. I'm speculating that the crypto is too slow and causing the delay. One workaround to try is to set the agent's sleep time to 2 minutes. We can also reduce the crypto rounds in the source to see if that lightens the load. I'll post a link of what lines to modify in the source.
Increase the time from 10 seconds to 60 seconds on this line and see if that works better https://github.com/Ne0nd0g/merlin-agent/blob/master/clients/http/http.go#L264
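The two rejections diagnosed so far in this thread (a token issued "in the future" because of clock skew, and a token that had expired by the time the server evaluated it) come down to the same pair of time comparisons. The Go sketch below is an added example, not Merlin's or go-jose's code: it parses the server debug line quoted above and reports the token lifetime, its age at evaluation and the leeway that would have been needed. The type and function names, and the date and 10-second lifetime used for the clock-skew case, are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Server debug line copied from the output quoted in this thread.
const serverLine = "[-]Agent Wait Time: 60s, Time now: 2021-06-23 12:36:44.154549379 +0200 CEST m=+10261.529613865 " +
	"[-]JWT Claim Expiry: 2021-06-23 12:35:25 +0200 CEST [-]JWT Claim Issued: 2021-06-23 12:35:15 +0200 CEST"

var (
	ErrIssuedInFuture = errors.New("token issued in the future (iat)")
	ErrExpired        = errors.New("token is expired (exp)")
)

// Check holds the three instants compared during validation (hypothetical type).
type Check struct {
	Now, Issued, Expiry time.Time
}

// stamp matches "YYYY-MM-DD hh:mm:ss[.fraction] +zzzz"; the zone abbreviation is ignored.
const stamp = `(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? [+-]\d{4})`

var lineRE = regexp.MustCompile(
	`Time now: ` + stamp + `.*JWT Claim Expiry: ` + stamp + `.*JWT Claim Issued: ` + stamp)

// ParseServerLine extracts the evaluation time, exp and iat from a debug line
// in the format shown above.
func ParseServerLine(line string) (Check, error) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Check{}, errors.New("no JWT claim timestamps found")
	}
	var ts [3]time.Time
	for i := range ts {
		t, err := time.Parse("2006-01-02 15:04:05.999999999 -0700", m[i+1])
		if err != nil {
			return Check{}, err
		}
		ts[i] = t
	}
	return Check{Now: ts[0], Expiry: ts[1], Issued: ts[2]}, nil
}

// Validate applies the iat and exp checks with a symmetric leeway.
func (c Check) Validate(leeway time.Duration) error {
	if c.Issued.After(c.Now.Add(leeway)) {
		return ErrIssuedInFuture
	}
	if c.Now.After(c.Expiry.Add(leeway)) {
		return ErrExpired
	}
	return nil
}

// Lifetime is exp - iat, the window the issuer granted.
func (c Check) Lifetime() time.Duration { return c.Expiry.Sub(c.Issued) }

// Age is the token's age on the server's clock at evaluation time.
// A negative value means the issuer's clock is ahead of the server's.
func (c Check) Age() time.Duration { return c.Now.Sub(c.Issued) }

// RequiredLeeway returns the smallest leeway under which Validate passes.
func (c Check) RequiredLeeway() time.Duration {
	need := time.Duration(0)
	if d := c.Issued.Sub(c.Now); d > need {
		need = d
	}
	if d := c.Now.Sub(c.Expiry); d > need {
		need = d
	}
	return need
}

// SkewCase rebuilds the first report: issued 09:06:06, evaluated 08:55:49.670379755.
// The thread gives only times of day; the date and the 10s lifetime are assumptions.
func SkewCase() Check {
	issued := time.Date(2021, 6, 22, 9, 6, 6, 0, time.UTC)
	return Check{
		Now:    time.Date(2021, 6, 22, 8, 55, 49, 670379755, time.UTC),
		Issued: issued,
		Expiry: issued.Add(10 * time.Second),
	}
}

func main() {
	expired, err := ParseServerLine(serverLine)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		c    Check
	}{{"expired on arrival", expired}, {"clock skew", SkewCase()}}
	for _, tc := range cases {
		fmt.Printf("%-18s lifetime=%v age=%v verdict=%v leeway needed=%v\n",
			tc.name, tc.c.Lifetime(), tc.c.Age(), tc.c.Validate(0), tc.c.RequiredLeeway())
	}
}
```

A negative age points at unsynchronised clocks; a positive age larger than the lifetime points at delay between issuing and evaluation, which the thread speculates is slow crypto on the ARM5 host.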
Hi Russel, Played around with your suggestion to increase the expiry date from 10 to 60 seconds. It allows me to authenticate now without an error 404, however I get a re-authentication message due to an expired JWT when the agent checks in again. Also the agent information is not properly displayed when I check it with the sessions command.
Connecting to the agent and submitting a command like `ls` is executed on the agent; however, the job submission results to the server triggers the expiry JWT message and initiates the re-authentication. I have shared the sequence of events below without debug to understand the issue better.
I also played with the number and increased it from 60 to 120 seconds and also tried 300 seconds. All with the same results. I am really wondering if this is the solution to the problem because I do not see this behavior with other agents.
Agent output with 300 seconds expiry: UNIXNET_NAS> ./merlinAgent-Linux-arm5 -v -url https://192.168.201.19:443 -psk merlin [i]Host Information: [i] Agent UUID: 0c5c9caf-4312-4dcc-b998-0c5158a0c051 [i] Platform: linux [i] Architecture: arm [i] User Name: root [i] User GUID: 0 [i] Hostname: UNIXNET_NAS [i] PID: 30139 [i] IPs: [127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] [i]Client information: [i] Protocol: h2 [i] URL: https://192.168.201.19:443 [i] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36 [i] HTTP Host Header: [i] Payload Padding Max: 4096 [i] JA3 String: [-]Agent version: 1.0.1 [-]Agent build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c [-]Starting OPAQUE Registration [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server registration initialization message [-]Sending OPAQUE message to https://192.168.201.19:443 [-]OPAQUE registration complete [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 31.681s at 2021-06-23T19:18:09Z [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! [-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 30.279s at 2021-06-23T19:21:51Z [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! 
[-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]Native job type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 30.111s at 2021-06-23T19:25:30Z [-]Executing native command: ls [+]listing directory contents for: ./ [+]Directory listing for: /root
-rw-r--r-- 2014-11-04 06:42:22 364 .profile -rwxr-xr-x 2021-06-23 19:13:23 7798784 merlinAgent-Linux-arm5 [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! [-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]Native job type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 32.69s at 2021-06-23T19:29:10Z [-]Executing native command: ls [+]listing directory contents for: ./ [+]Directory listing for: /root
-rw-r--r-- 2014-11-04 06:42:22 364 .profile -rwxr-xr-x 2021-06-23 19:13:23 7798784 merlinAgent-Linux-arm5 [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! [-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 31.004s at 2021-06-23T19:32:54Z [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! [-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443
Merlin Server output with 300 seconds expiry: [+] New authenticated agent checkin for 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:17:33Z Merlin» Merlin» sessions
AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS
+--------------------------------------+----------+------+------+-----------+--------+ 0c5c9caf-4312-4dcc-b998-0c5158a0c051 | / | | | Unknown: |
Merlin» sessions
AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS
+--------------------------------------+----------+------+------+-----------+--------+ 0c5c9caf-4312-4dcc-b998-0c5158a0c051 | / | | | Unknown: |
Merlin» [!] Agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 connected with expired JWT. Instructing agent to re-authenticate
[+] New authenticated agent checkin for 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:21:15Z
[!] Agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 connected with expired JWT. Instructing agent to re-authenticate Merlin» Merlin» interact 0c5c9caf-4312-4dcc-b998-0c5158a0c051 Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» info Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» [!] Error converting to a time duration: time: invalid duration "" Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» ls
[-] Created job zsAtMDngDX for agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:23:49Z Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» [+] New authenticated agent checkin for 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:24:54Z Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» ls Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» [-] Created job IrORwhRsGP for agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:25:04Z Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» Merlin[agent][0c5c9caf-4312-4dcc-b998-0c5158a0c051]» [!] Agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 connected with expired JWT. Instructing agent to re-authenticate
[+] New authenticated agent checkin for 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:28:34Z
[!] Agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 connected with expired JWT. Instructing agent to re-authenticate
[+] New authenticated agent checkin for 0c5c9caf-4312-4dcc-b998-0c5158a0c051 at 2021-06-23T19:32:18Z
[!] Agent 0c5c9caf-4312-4dcc-b998-0c5158a0c051 connected with expired JWT. Instructing agent to re-authenticate
`-sleep 60s` flag?

`sessions` and `info` command output is incomplete because the server did not process the AgentInfo message from the agent where that information comes from. My guess is that the problem is that the crypto operations are too time consuming and are causing the timeouts.
Many other platforms do not use JWTs to prevent replay attacks. Typically, as long as you know the password for encryption you're "authenticated" and messages will be processed.
Hi Russel, I am using a Synology DiskStation DS209. I am using DSM version 4.2. I have shared the link to the latest version: https://www.synology.com/en-global/support/download/DS209#system. You probably can use any arm5 image to test the agent because I have run the agent on an old arm5 router. Same result.
Last but not least I tested with -sleep 60s but issue remains
Hi Russel, I have some good news for you. I managed to get around the problem. I recompiled the agents with the latest version of Golang (1.16.5) and the issue has disappeared. I initially compiled the agents and server with go1.15.9. Maybe they fixed some bugs in the crypto. Saw some articles on the internet.
Anyhow, it works as charm now... I will close the issue...
Merlin» sessions
AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS
+--------------------------------------+-----------+------+-------------+-----------------+---------+ aea23a8f-e40f-4041-a77f-e8ceee4e88e8 | linux/arm | root | UNIXNET_NAS | HTTP/2 over TLS | Delayed
Merlin Version: 1.0.1
Merlin Build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c
Go Version: **go1.16.5 linux/arm64**
GOPATH Environment Variable: /root/go
GOROOT Environment Variable: /usr/local/go
Operating System: Kali Linux ARM64 on Raspberry PI
Well Russel, I was a bit too soon with my conclusion. Left it running for a while and got the error back. I think it was triggered by another issue (see bold marked message below in the agent output)
After this happened, the agent fails consistently checking in with the usual error described above. Also after fresh start.
[-]Checking in...
[-]Sending StatusCheckIn message to https://192.168.201.19:443
[+]Idle message type received!
[-]Received idle command, doing nothing
[-]Sleeping for 11.817s at 2021-06-29T21:01:13Z
[-]Checking in...
[-]Sending StatusCheckIn message to https://192.168.201.19:443
[+]OPAQUE message type received!
[-]Received re-authentication request
[-]Starting OPAQUE Authentication
[-]Sending OPAQUE message to https://192.168.201.19:443
[+]Invalid: 0 message type received!
[!]Input message was not for this agent (8c30d7d8-1988-41e3-9d22-84859d1974a4):
{Version:0 ID:00000000-0000-0000-0000-000000000000 Type:0 Payload:
Merlin Server showed this error: [!] the 8370eb47-78b5-4b76-8b26-45c6cb90db64 agent has already been registered
[!] the 8370eb47-78b5-4b76-8b26-45c6cb90db64 agent has already been registered
[!] the 8370eb47-78b5-4b76-8b26-45c6cb90db64 agent has already been registered
[!] the 8370eb47-78b5-4b76-8b26-45c6cb90db64 agent has already been registered
Glad you got the agent working momentarily by using the Go 1.16.5. I should have caught it earlier. The `go.mod` file requires Go 1.16 so you shouldn't have been able to use Go 1.15.
Can you confirm what version of the Server & Agent you are using? Can you run the agent with the `-debug` flag?
Hi Russell, Here is another run... As you can see, we still have the timing issue, however with the newly compiled version it has become more stable. I do think that there is still some more debugging to be done to understand this a bit better. One thing I sensed is that if I get a 404 error with the agent, I can only recover and get the agent working again by rebooting my Linux server hosting the Merlin server and starting a fresh Merlin server. I will share a broken session with debug output in a separate thread.
Merlin Version: 1.0.1 Merlin Build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c Go Version: go1.16.5 linux/arm64 GOPATH Environment Variable: /root/go GOROOT Environment Variable: /usr/local/go Operating System: Kali Linux ARM64 on Raspberry PI
Merlin Server output: [+] Started HTTPS listener on 0.0.0.0:443 Merlin[listeners][Default]» [+] New authenticated agent checkin for 2584a462-a892-4894-b026-5e4ee688a08f at 2021-07-01T17:07:32Z
[!] Agent 2584a462-a892-4894-b026-5e4ee688a08f connected with expired JWT. Instructing agent to re-authenticate
[+] New authenticated agent checkin for 2584a462-a892-4894-b026-5e4ee688a08f at 2021-07-01T17:11:10Z Merlin[listeners][Default]» Merlin[listeners][Default]» back Merlin[listeners]» main Merlin» sessions
AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS
+--------------------------------------+----------+------+------+-----------+--------+ 2584a462-a892-4894-b026-5e4ee688a08f | / | | | Unknown: |
Merlin» [!] Agent 2584a462-a892-4894-b026-5e4ee688a08f connected with expired JWT. Instructing agent to re-authenticate
[+] New authenticated agent checkin for 2584a462-a892-4894-b026-5e4ee688a08f at 2021-07-01T17:14:47Z Merlin» Merlin» sessions
AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS
+--------------------------------------+----------+------+------+-----------+--------+ 2584a462-a892-4894-b026-5e4ee688a08f | / | | | Unknown: |
Merlin» sessions
AGENT GUID | PLATFORM | USER | HOST | TRANSPORT | STATUS
+--------------------------------------+-----------+------+-------------+-----------------+---------+ 2584a462-a892-4894-b026-5e4ee688a08f | linux/arm | root | UNIXNET_NAS | HTTP/2 over TLS | Delayed
Merlin» interact 2584a462-a892-4894-b026-5e4ee688a08f Merlin[agent][2584a462-a892-4894-b026-5e4ee688a08f]» ls Merlin[agent][2584a462-a892-4894-b026-5e4ee688a08f]» [-] Created job tEFcwSknhY for agent 2584a462-a892-4894-b026-5e4ee688a08f at 2021-07-01T17:17:33Z
[-] Results job tEFcwSknhY for agent 2584a462-a892-4894-b026-5e4ee688a08f at 2021-07-01T17:19:23Z
[+] Directory listing for: /root
-rw-r--r-- 2014-11-04 06:42:22 364 .profile -rwxr-xr-x 2021-06-29 19:52:23 7798784 merlinAgent-Linux-arm5
Merlin[agent][2584a462-a892-4894-b026-5e4ee688a08f]» Merlin[agent][2584a462-a892-4894-b026-5e4ee688a08f]»
Agent Output: UNIXNET_NAS> ./merlinAgent-Linux-arm5 -v -url https://192.168.201.19:443 -psk merlin [i]Host Information: [i] Agent UUID: 2584a462-a892-4894-b026-5e4ee688a08f [i] Platform: linux [i] Architecture: arm [i] User Name: root [i] User GUID: 0 [i] Hostname: UNIXNET_NAS [i] PID: 31429 [i] IPs: [127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] [i]Client information: [i] Protocol: h2 [i] URL: https://192.168.201.19:443 [i] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36 [i] HTTP Host Header: [i] Payload Padding Max: 4096 [i] JA3 String: [-]Agent version: 1.0.1 [-]Agent build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c [-]Starting OPAQUE Registration [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server registration initialization message [-]Sending OPAQUE message to https://192.168.201.19:443 [-]OPAQUE registration complete [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 32.32s at 2021-07-01T17:08:43Z [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! [-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 31.948s at 2021-07-01T17:12:21Z [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]OPAQUE message type received! 
[-]Received re-authentication request [-]Starting OPAQUE Authentication [-]Sending OPAQUE message to https://192.168.201.19:443 [-]Received OPAQUE server complete message [-]Sending OPAQUE message to https://192.168.201.19:443 [+]Agent authentication successful [+]Jobs message type received! [+]AgentControl job type received! [-]Received Agent Control Message: agentInfo [-]Sleeping for 30.26s at 2021-07-01T17:15:58Z [-]Checking in... [-]Sending Jobs message to https://192.168.201.19:443 [+]Idle message type received! [-]Received idle command, doing nothing [-]Sleeping for 32.678s at 2021-07-01T17:17:29Z [-]Checking in... [-]Sending StatusCheckIn message to https://192.168.201.19:443 [+]Jobs message type received! [+]Native job type received! [-]Sleeping for 30.604s at 2021-07-01T17:19:03Z [-]Executing native command: ls [+]listing directory contents for: ./ [+]Directory listing for: /root
-rw-r--r-- 2014-11-04 06:42:22 364 .profile -rwxr-xr-x 2021-06-29 19:52:23 7798784 merlinAgent-Linux-arm5
Debug output with 404 error:
Merlin Server Debug Output: Merlin» [!] Received HTTP/2.0 POST connection from 192.168.201.3:57768
[DEBUG] HTTP Connection Details: Host: 192.168.201.19:443 URI: / Method: POST Protocol: HTTP/2.0 Headers: map[Accept-Encoding:[gzip] Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..4cC6A94g7MOeMJ3j.79hDD0ALjOgC4JExf5yEjCMU9EdDN6Z7OiK_Np1R0tvnDnYrMQnxGNj8emwIEmUMS16WJIAQSiJNcidTc-ep4MLSe_M6ZSaMTEPswyA1YLK33dLt1vhVFCgk5wCJdCGa1lvIRcrcMjy_6_SmUFWq-Q0cmlIa3vvMnCkbF6Br-i_zboxMSoZRvGQKobRgt3o3PgJyQoWxOI5irlzEWotebVSP0qY36GI9PpVPleAuhBTv7nsKDqeHw4KAzEA.xOByn0OBN8Ntxihy3YrHCw] Content-Length:[6052] Content-Type:[application/octet-stream; charset=utf-8] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36]] TLS Negotiated Protocol: h2 TLS Cipher Suite: 4867 TLS Server Name: Content Length: 6052 [DEBUG]Entering into jwt.ValidateJWT
[-] Checking to see if authorization JWT was signed by server's interface key... [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..4cC6A94g7MOeMJ3j.79hDD0ALjOgC4JExf5yEjCMU9EdDN6Z7OiK_Np1R0tvnDnYrMQnxGNj8emwIEmUMS16WJIAQSiJNcidTc-ep4MLSe_M6ZSaMTEPswyA1YLK33dLt1vhVFCgk5wCJdCGa1lvIRcrcMjy_6_SmUFWq-Q0cmlIa3vvMnCkbF6Br-i_zboxMSoZRvGQKobRgt3o3PgJyQoWxOI5irlzEWotebVSP0qY36GI9PpVPleAuhBTv7nsKDqeHw4KAzEA.xOByn0OBN8Ntxihy3YrHCw [DEBUG]Entering into jwt.ValidateJWT
[!] there was an error decrypting the JWT: square/go-jose: error in cryptographic primitive
[-] Authorization JWT not signed with server's interface key, trying again with PSK... [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..4cC6A94g7MOeMJ3j.79hDD0ALjOgC4JExf5yEjCMU9EdDN6Z7OiK_Np1R0tvnDnYrMQnxGNj8emwIEmUMS16WJIAQSiJNcidTc-ep4MLSe_M6ZSaMTEPswyA1YLK33dLt1vhVFCgk5wCJdCGa1lvIRcrcMjy_6_SmUFWq-Q0cmlIa3vvMnCkbF6Br-i_zboxMSoZRvGQKobRgt3o3PgJyQoWxOI5irlzEWotebVSP0qY36GI9PpVPleAuhBTv7nsKDqeHw4KAzEA.xOByn0OBN8Ntxihy3YrHCw [DEBUG]there was an error getting the agent's wait time: 496ce3c4-eb6f-435e-8eba-ae9f97e18edb is not a valid agent [DEBUG]Agent wait time: [-]The returned Agent wait time was empty, using default 60s [DEBUG]agentID: 496ce3c4-eb6f-435e-8eba-ae9f97e18edb [DEBUG]Leaving jwt.ValidateJWT without error [DEBUG]Entering into jwt.DecryptJWE function [DEBUG]Input JWE String:
[i] UnAuthenticated JWT
[DEBUG]Parsed JWE:
&{Header:{KeyID: JSONWebKey:
[DEBUG] [DEBUG]POST DATA: {0 496ce3c4-eb6f-435e-8eba-ae9f97e18edb 2 {1 [0 0 0 16 73 108 227 196 235 111 67 94 142 186 174 159 151 225 142 219 225 170 205 9 191 243 81 153 7 167 66 25 49 155 90 100 63 130 131 197 240 82 138 97 141 176 230 208 244 76 86 102]} }
[-] Received OPAQUE message, decrypted JWE with interface PSK
[DEBUG] Entering into opaque.UnAuthHandler() function...
[-] Received OPAQUE message type: 1
[DEBUG] Entering into opaque.RegistrationInit() function... [DEBUG]Entering into opaque.ServerRegisterInit() function...
[DEBUG] Entering into agents.newAgent function
[-] Created agent log file at: /root/data/agents/496ce3c4-eb6f-435e-8eba-ae9f97e18edb agent_log.txt
[DEBUG] Leaving agents.newAgent function without error
[DEBUG] Entering into agents.Log
[DEBUG] Leaving agents.OPAQUERegistrationInit function without error
[DEBUG] Leaving opaque.UnAuthHandler() function without error
[!] Received HTTP/2.0 POST connection from 192.168.201.3:46800
[DEBUG] HTTP Connection Details: Host: 192.168.201.19:443 URI: / Method: POST Protocol: HTTP/2.0 Headers: map[Accept-Encoding:[gzip] Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..4cC6A94g7MOeMJ3j.79hDD0ALjOgC4JExf5yEjCMU9EdDN6Z7OiK_Np1R0tvnDnYrMQnxGNj8emwIEmUMS16WJIAQSiJNcidTc-ep4MLSe_M6ZSaMTEPswyA1YLK33dLt1vhVFCgk5wCJdCGa1lvIRcrcMjy_6_SmUFWq-Q0cmlIa3vvMnCkbF6Br-i_zboxMSoZRvGQKobRgt3o3PgJyQoWxOI5irlzEWotebVSP0qY36GI9PpVPleAuhBTv7nsKDqeHw4KAzEA.xOByn0OBN8Ntxihy3YrHCw] Content-Length:[6209] Content-Type:[application/octet-stream; charset=utf-8] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36]] TLS Negotiated Protocol: h2 TLS Cipher Suite: 4867 TLS Server Name: Content Length: 6209 [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..4cC6A94g7MOeMJ3j.79hDD0ALjOgC4JExf5yEjCMU9EdDN6Z7OiK_Np1R0tvnDnYrMQnxGNj8emwIEmUMS16WJIAQSiJNcidTc-ep4MLSe_M6ZSaMTEPswyA1YLK33dLt1vhVFCgk5wCJdCGa1lvIRcrcMjy_6_SmUFWq-Q0cmlIa3vvMnCkbF6Br-i_zboxMSoZRvGQKobRgt3o3PgJyQoWxOI5irlzEWotebVSP0qY36GI9PpVPleAuhBTv7nsKDqeHw4KAzEA.xOByn0OBN8Ntxihy3YrHCw
[-] Checking to see if authorization JWT was signed by server's interface key...
[!] there was an error decrypting the JWT: square/go-jose: error in cryptographic primitive
[-] Authorization JWT not signed with server's interface key, trying again with PSK... [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..4cC6A94g7MOeMJ3j.79hDD0ALjOgC4JExf5yEjCMU9EdDN6Z7OiK_Np1R0tvnDnYrMQnxGNj8emwIEmUMS16WJIAQSiJNcidTc-ep4MLSe_M6ZSaMTEPswyA1YLK33dLt1vhVFCgk5wCJdCGa1lvIRcrcMjy_6_SmUFWq-Q0cmlIa3vvMnCkbF6Br-i_zboxMSoZRvGQKobRgt3o3PgJyQoWxOI5irlzEWotebVSP0qY36GI9PpVPleAuhBTv7nsKDqeHw4KAzEA.xOByn0OBN8Ntxihy3YrHCw [DEBUG]Agent wait time: [-]The returned Agent wait time was empty, using default 60s [!]The JWT claims were not valid for 496ce3c4-eb6f-435e-8eba-ae9f97e18edb [-]Agent Wait Time: 60s, Time now: 2021-07-01 20:11:17.953952736 +0200 CEST m=+379.996820857 [-]JWT Claim Expiry: 2021-07-01 20:07:50 +0200 CEST [-]JWT Claim Issued: 2021-07-01 20:07:40 +0200 CEST
[-] Authorization JWT not signed with PSK, returning 404...
[!] square/go-jose/jwt: validation failed, token is expired (exp)
Agent Debug Output: UNIXNET_NAS> ./merlinAgent-Linux-arm5 -v -debug -url https://192.168.201.19:443 -psk merlin [DEBUG]Entering agent.New() function [i]Host Information: [i] Agent UUID: 496ce3c4-eb6f-435e-8eba-ae9f97e18edb [i] Platform: linux [i] Architecture: arm [i] User Name: root [i] User GUID: 0 [i] Hostname: UNIXNET_NAS [i] PID: 31443 [i] IPs: [127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] [DEBUG]Leaving agent.New function [DEBUG]Entering into clients.http.New()... [DEBUG]new client PSK: merlin [DEBUG]new client Secret: f6274d9892026fe47dd5f96f708ef8983dccc7bacf5ee4a90b2400805adaea0a [DEBUG]Entering into clients.http.getClient()... [i]Client information: [i] Protocol: h2 [i] URL: https://192.168.201.19:443 [i] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36 [i] HTTP Host Header: [i] Payload Padding Max: 4096 [i] JA3 String: [-]Agent version: 1.0.1 [-]Agent build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c [DEBUG]Entering into agent.getAgentInfoMessage function... [DEBUG]Entering into clients.http.Get()... [DEBUG]Key: paddingmax [DEBUG]Entering into clients.http.Get()... [DEBUG]Key: protocol [DEBUG]Entering into clients.http.Get()... 
[DEBUG]Key: ja3 [DEBUG]Returning AgentInfo message: {Version:1.0.1 Build:70c07d5831774f1f271ca9f6420c2c0ee66d3a2c WaitTime:30s PaddingMax:4096 MaxRetry:7 FailedCheckin:0 Skew:3000 Proto:h2 SysInfo:{Platform:linux Architecture:arm UserName:root UserGUID:0 HostName:UNIXNET_NAS Pid:31443 Ips:[127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] Domain:} KillDate:0 JA3:} [DEBUG]Entering clients.http.Initial function [DEBUG]Input AgentInfo: {Version:1.0.1 Build:70c07d5831774f1f271ca9f6420c2c0ee66d3a2c WaitTime:30s PaddingMax:4096 MaxRetry:7 FailedCheckin:0 Skew:3000 Proto:h2 SysInfo:{Platform:linux Architecture:arm UserName:root UserGUID:0 HostName:UNIXNET_NAS Pid:31443 Ips:[127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] Domain:} KillDate:0 JA3:} [DEBUG]Entering into clients.http.opaqueAuth()... [DEBUG]Entering into agent.opaqueRegister [-]Starting OPAQUE Registration [DEBUG]Entering into clients.http.getJWT()... [DEBUG]Entering into opaque.UserRegisterInit... [DEBUG]OPAQUE UserID: 496ce3c4eb6f435e8ebaae9f97e18edb [DEBUG]OPAQUE Alpha: e1aacd09bff3519907a74219319b5a643f8283c5f0528a618db0e6d0f44c5666 [DEBUG]OPAQUE PwdU: 94d70a22182d5f49fd60333d614292f17e38b3d90419e3d144b208305a82448f [DEBUG]Sending OPAQUE RegInit message [DEBUG]Entering into agent.sendMessage() [-]Sending OPAQUE message to https://192.168.201.19:443 [DEBUG]Sending POST request size: 6052 to: https://192.168.201.19:443 [DEBUG]HTTP Response: &{Status:200 OK StatusCode:200 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Type:[application/octet-stream] Date:[Thu, 01 Jul 2021 18:08:29 GMT]] Body:{cs:0x8fa630} ContentLength:-1 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0x880f00 TLS:0xae6180} [DEBUG]Entering into opaque.UserRegisterComplete... 
[-]Received OPAQUE server registration initialization message [DEBUG]OPAQUE Beta: 9a4f30d2fd2596d9df3bd37a5e6a71c6b10bce69cbecc3caa67adba4b4c88973 [DEBUG]OPAQUE V: 4a4f541b2af76671e9a530b0463ff98f7d5d17c27d36e61caa5c92400e14e4f5 [DEBUG]OPAQUE PubS: 35c21f7c1fd2473a28bdf427a79d1e7213086b05d0c186b458e7e75bb52d11a5 [DEBUG]OPAQUE EnvU: 653195edc8026de2b9a438dc391923de0759ef1e06a1a960b27cef385ce2c1b94fe36dd05eef26e0a3b763d395713e5ecd67aa1eda1c464d28d216adcab24707c4664226a34422658013b246645e8960baf27e689fef14dfb918408a7e43accdca84be498c5918559b2a0d117e14751e08acd4bb750a85bdb727742f0011180f [DEBUG]OPAQUE PubU: 80e313018e4763eefcf9ad4f022dd7d4c634224d7bb0cd044d4fa4fb9fee173f [DEBUG]Sending OPAQUE RegComplete message [DEBUG]Entering into agent.sendMessage() [-]Sending OPAQUE message to https://192.168.201.19:443 [DEBUG]Sending POST request size: 6209 to: https://192.168.201.19:443 [DEBUG]HTTP Response: &{Status:404 Not Found StatusCode:404 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Length:[0] Date:[Thu, 01 Jul 2021 18:11:17 GMT]] Body:{Reader:0x86e678} ContentLength:0 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0x881e00 TLS:0xae6660} [!]there was an error performing OPAQUE User Registration: there was an error sending the OPAQUE User Registration Complete message to the server: there was an error communicating with the server: 404 [-]1 out of 7 total failed checkins [-]Sleeping for 32.226s at 2021-07-01T18:11:58Z
There has not been activity on this issue in 2 years. Closing for now, but re-open if the problem persists with the latest release.
Hi there, let me first share my appreciation for your work. I have been exploring C2 post-exploitation frameworks and I really like Merlin and the ease of use and deployment. Great job and continue the good work!
I have been playing around with the Merlin framework and tested out multiple agent scenarios. I am running Merlin on a Raspberry Pi (arm64) architecture as a binary.
So far I did not run into any issue with the agents provided (arm, mips, x64, darwin etc...), however I have one use case that throws an error that I do not understand. Let me explain. I have cross compiled a new agent to support the arm5 Linux architecture. I have a NAS box that runs this Linux version.
So I cross-compiled an agent with the following settings that I took from the Makefile in the merlin-agent directory.
export GOOS=linux;export GOARCH=arm;export GOARM=5;go build -trimpath -ldflags "-s -w -X main.build=70c07d5831774f1f271ca9f6420c2c0ee66d3a2c -X github.com/Ne0nd0g/merlin-agent/agent.build=70c07d5831774f1f271ca9f6420c2c0ee66d3a2c -X main.protocol=h2 -X main.url=https://192.168.201.19:443 -X main.host= -X main.psk=merlin -X main.proxy= -buildid=" -gcflags=all=-trimpath=/root/go -asmflags=all=-trimpath=/root/go -o bin/v1.0.1/70c07d5831774f1f271ca9f6420c2c0ee66d3a2c/merlinAgent-Linux-arm5 ./main.go
After running the agent on my NAS I see the following errors at the agent level:
UNIXNET_NAS> ./merlinAgent-Linux-arm5 -v -debug -url https://192.168.201.19:443 [DEBUG]Entering agent.New() function [i]Host Information: [i] Agent UUID: 25f7ae6d-9054-4528-aea1-57d51abdd6dc [i] Platform: linux [i] Architecture: arm [i] User Name: root [i] User GUID: 0 [i] Hostname: UNIXNET_NAS [i] PID: 29135 [i] IPs: [127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] [DEBUG]Leaving agent.New function [DEBUG]Entering into clients.http.New()... [DEBUG]new client PSK: merlin [DEBUG]new client Secret: f6274d9892026fe47dd5f96f708ef8983dccc7bacf5ee4a90b2400805adaea0a [DEBUG]Entering into clients.http.getClient()... [i]Client information: [i] Protocol: h2 [i] URL: https://192.168.201.19:443 [i] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36 [i] HTTP Host Header: [i] Payload Padding Max: 4096 [i] JA3 String: [-]Agent version: 1.0.1 [-]Agent build: 70c07d5831774f1f271ca9f6420c2c0ee66d3a2c [DEBUG]Entering into agent.getAgentInfoMessage function... [DEBUG]Entering into clients.http.Get()... [DEBUG]Key: paddingmax [DEBUG]Entering into clients.http.Get()... [DEBUG]Key: protocol [DEBUG]Entering into clients.http.Get()... 
[DEBUG]Key: ja3 [DEBUG]Returning AgentInfo message: {Version:1.0.1 Build:70c07d5831774f1f271ca9f6420c2c0ee66d3a2c WaitTime:30s PaddingMax:4096 MaxRetry:7 FailedCheckin:0 Skew:3000 Proto:h2 SysInfo:{Platform:linux Architecture:arm UserName:root UserGUID:0 HostName:UNIXNET_NAS Pid:29135 Ips:[127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] Domain:} KillDate:0 JA3:} [DEBUG]Entering clients.http.Initial function [DEBUG]Input AgentInfo: {Version:1.0.1 Build:70c07d5831774f1f271ca9f6420c2c0ee66d3a2c WaitTime:30s PaddingMax:4096 MaxRetry:7 FailedCheckin:0 Skew:3000 Proto:h2 SysInfo:{Platform:linux Architecture:arm UserName:root UserGUID:0 HostName:UNIXNET_NAS Pid:29135 Ips:[127.0.0.1/8 ::1/128 192.168.201.3/24 fe80::211:32ff:fe07:b18e/64] Domain:} KillDate:0 JA3:} [DEBUG]Entering into clients.http.opaqueAuth()... [DEBUG]Entering into agent.opaqueRegister [-]Starting OPAQUE Registration [DEBUG]Entering into clients.http.getJWT()... [DEBUG]Entering into opaque.UserRegisterInit... 
[DEBUG]OPAQUE UserID: 25f7ae6d90544528aea157d51abdd6dc [DEBUG]OPAQUE Alpha: 545ad6c3067a8e569498d45fc5120159b01afa0ab9a0ce4b98828223de63c5ca [DEBUG]OPAQUE PwdU: d7e8c7d4c4d17bb36fb18d8daa36c1dc2efa84a12b3f6a1da446c0d1e6baba5d [DEBUG]Sending OPAQUE RegInit message [DEBUG]Entering into agent.sendMessage() [-]Sending OPAQUE message to https://192.168.201.19:443 [DEBUG]Sending POST request size: 6052 to: https://192.168.201.19:443 [DEBUG]HTTP Response: &{Status:404 Not Found StatusCode:404 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Length:[0] Date:[Sat, 19 Jun 2021 08:55:49 GMT]] Body:{Reader:0x8f45e0} ContentLength:0 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0x874f00 TLS:0xadc1e0} [!]there was an error performing OPAQUE User Registration: there was an error sending the OPAQUE User Registration Initialization message to the server: there was an error communicating with the server: 404 [-]1 out of 7 total failed checkins [-]Sleeping for 31.029s at 2021-06-19T09:06:35Z
On the server level, I see the following errors with verbose and debug turned on:
Merlin[listeners][Default]» [!] Received HTTP/2.0 POST connection from 192.168.201.3:34930
[DEBUG] HTTP Connection Details: Host: 192.168.201.19:443 URI: / Method: POST Protocol: HTTP/2.0 Headers: map[Accept-Encoding:[gzip] Authorization:[Bearer eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..wmAUhr9REDEtC12d.hF7NlblERsJA7OQAUZIaaxQrg_BYj3AAW2yjrp3bARrhAl4736Pw__Y9uD8DkhU7EBlBot1CMtarQJL6JCyuOXk1wnmxhRt0bN3aRVqZKHb93tb8iwHacreIgd4tJEIa8Ih5DwwtWcxrOKcuEbLiMYzDj_9wvd6B3W1nuHDzedw7GR9hhQNQAvJZFcl3MYUJi9YoebysvFTys3R615rGmxchlwWxnwPSFQWXgVdlu_2W7XUN1OZdyV4a108.grSVwwZ4k6hq5ysJ2PfaLg] Content-Length:[6052] Content-Type:[application/octet-stream; charset=utf-8] User-Agent:[Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36]] TLS Negotiated Protocol: h2 TLS Cipher Suite: 4867 TLS Server Name: Content Length: 6052 [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..wmAUhr9REDEtC12d.hF7NlblERsJA7OQAUZIaaxQrg_BYj3AAW2yjrp3bARrhAl4736Pw__Y9uD8DkhU7EBlBot1CMtarQJL6JCyuOXk1wnmxhRt0bN3aRVqZKHb93tb8iwHacreIgd4tJEIa8Ih5DwwtWcxrOKcuEbLiMYzDj_9wvd6B3W1nuHDzedw7GR9hhQNQAvJZFcl3MYUJi9YoebysvFTys3R615rGmxchlwWxnwPSFQWXgVdlu_2W7XUN1OZdyV4a108.grSVwwZ4k6hq5ysJ2PfaLg
[-] Checking to see if authorization JWT was signed by server's interface key...
[!] there was an error decrypting the JWT: square/go-jose: error in cryptographic primitive
[-] Authorization JWT not signed with server's interface key, trying again with PSK... [DEBUG]Entering into jwt.ValidateJWT [DEBUG]Input JWT: eyJhbGciOiJkaXIiLCJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIn0..wmAUhr9REDEtC12d.hF7NlblERsJA7OQAUZIaaxQrg_BYj3AAW2yjrp3bARrhAl4736Pw__Y9uD8DkhU7EBlBot1CMtarQJL6JCyuOXk1wnmxhRt0bN3aRVqZKHb93tb8iwHacreIgd4tJEIa8Ih5DwwtWcxrOKcuEbLiMYzDj_9wvd6B3W1nuHDzedw7GR9hhQNQAvJZFcl3MYUJi9YoebysvFTys3R615rGmxchlwWxnwPSFQWXgVdlu_2W7XUN1OZdyV4a108.grSVwwZ4k6hq5ysJ2PfaLg [DEBUG]there was an error getting the agent's wait time: 25f7ae6d-9054-4528-aea1-57d51abdd6dc is not a valid agent [DEBUG]Agent wait time: [-]The returned Agent wait time was empty, using default 60s [!]The JWT claims were not valid for 25f7ae6d-9054-4528-aea1-57d51abdd6dc [-]Agent Wait Time: 60s, Time now: 2021-06-19 08:55:49.670379755 +0000 UTC m=+1715.102568524 [-]JWT Claim Expiry: 2021-06-19 09:06:16 +0000 UTC [-]JWT Claim Issued: 2021-06-19 09:06:06 +0000 UTC
[-] Authorization JWT not signed with PSK, returning 404...
As I said, all other agents so far which I cross-compiled (Darwin, Linux-x64, Linux-arm7) do not have this issue, only the arm5 agent. To ensure that the problem is not related to my NAS box, I tested the agent on another arm5 Linux target and ran into the same issue.
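The two server-side rejections quoted in this thread report the same three fields (Time now, JWT Claim Expiry, JWT Claim Issued) but fail for different reasons: in the 19 June run the token is issued after the server's current time, while in the 1 July run the server logs "token is expired (exp)". The following is an added example, not Merlin's or go-jose's code, that parses those log fields and classifies the rejection; the names Triage and Finding and the 60-second leeway are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Server log lines copied from the two runs quoted in this thread.
const (
	logRun1 = `[-]Agent Wait Time: 60s, Time now: 2021-06-19 08:55:49.670379755 +0000 UTC m=+1715.102568524 [-]JWT Claim Expiry: 2021-06-19 09:06:16 +0000 UTC [-]JWT Claim Issued: 2021-06-19 09:06:06 +0000 UTC`
	logRun2 = `[-]Agent Wait Time: 60s, Time now: 2021-07-01 20:11:17.953952736 +0200 CEST m=+379.996820857 [-]JWT Claim Expiry: 2021-07-01 20:07:50 +0200 CEST [-]JWT Claim Issued: 2021-07-01 20:07:40 +0200 CEST`
)

// Layout of time.Time.String() without the monotonic "m=+..." suffix.
// Go's parser accepts fractional seconds in the input even though the
// layout does not list them.
const goTimeLayout = "2006-01-02 15:04:05 -0700 MST"

// Each timestamp is four space-separated tokens: date, time, offset, zone.
var claimRe = regexp.MustCompile(
	`Time now: (\S+ \S+ \S+ \S+).*?JWT Claim Expiry: (\S+ \S+ \S+ \S+).*?JWT Claim Issued: (\S+ \S+ \S+ \S+)`)

// Finding (hypothetical type) describes how a token's time claims relate
// to the validator's clock.
type Finding struct {
	Verdict  string        // "valid", "issued-in-future" or "expired"
	Offset   time.Duration // how far outside the window the validator's clock is
	Lifetime time.Duration // exp - iat, the validity window the issuer chose
}

// Triage (hypothetical helper) classifies one log line. The leeway is the
// tolerance the validator allows on both ends of the window; the value the
// real server applies is not shown on the page, so it is a parameter here.
func Triage(line string, leeway time.Duration) (Finding, error) {
	m := claimRe.FindStringSubmatch(line)
	if m == nil {
		return Finding{}, fmt.Errorf("no JWT time-claim fields in line")
	}
	var ts [3]time.Time
	for i, s := range m[1:] {
		t, err := time.Parse(goTimeLayout, s)
		if err != nil {
			return Finding{}, fmt.Errorf("parse %q: %w", s, err)
		}
		ts[i] = t
	}
	now, exp, iat := ts[0], ts[1], ts[2]
	f := Finding{Verdict: "valid", Lifetime: exp.Sub(iat)}
	switch {
	case now.Add(leeway).Before(iat):
		// The issuer's clock is ahead of the validator's: clock skew.
		f.Verdict, f.Offset = "issued-in-future", iat.Sub(now)
	case now.Add(-leeway).After(exp):
		// The token arrived after its window closed: slow sender, delayed
		// delivery, or the issuer's clock running behind.
		f.Verdict, f.Offset = "expired", now.Sub(exp)
	}
	return f, nil
}

func main() {
	for i, line := range []string{logRun1, logRun2} {
		f, err := Triage(line, time.Minute) // 60s leeway is an assumption
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("run %d: %s by %s (token lifetime %s)\n",
			i+1, f.Verdict, f.Offset.Round(time.Second), f.Lifetime)
	}
}
```

Both tokens carry a 10-second validity window, so any delay or skew larger than the window plus the leeway produces a rejection; the offset tells you which side of the window to investigate.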