center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0

[Carbanak]: Without a Database Connected that Payload UUID Tracking will not work #150

Open SauravChittal opened 8 months ago

SauravChittal commented 8 months ago

Contribution Description

I was recently trying to emulate the carbanak attacks using different VMs, and I was able to get everything working up until step 8. I was able to create a vbs script and was able to make it run during startup too, and it is able to connect with my attack platform too; however, on the meterpreter, it gives me the following error: https://192.168.0.4:80 handling request from <cfo_ip>; (UUID: wmjrrk) Without a Database Connected that Payload UUID Tracking will not work!

When I start and connect msfconsole to postgresql, I get the following new error:

https://192.168.0.4:80 handling request from <cfo_ip>; (UUID: wmjrrk) Redirecting stageless connection from <a huge bunch of gibberish> with UA 'Mozilla/5.0 (Windows NT 6.1; Trident 7.0; rv:11.0) Like Gecko'

How would you solve these errors?

Supporting files or evidence

No response

Where did you find this information?

No response

Operating System

Linux

archcloudlabs commented 8 months ago

The error you're describing appears to be a known issue with the Metasploit framework that was fixed in 2021.

This issue appears to have popped up in 2018 in this thread but was fixed in 2021 with this PR.

Per the provided output in PR 15546, it looks similar to what you have provided above, but the output in the PR shows that a session is created.

msf6 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://192.168.140.1:8443
[*] Handler is ignoring unknown payloads
[*] https://192.168.140.1:8443 handling request from 192.168.140.132; (UUID: ayeihldr) Redirecting stageless connection from /LCTedX-MufPS_NP9s-FRfA2vRchyXXGhGnMpOBvZ_dEN4zYA-To1Yi8Ap5B with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://192.168.140.1:8443 handling request from 192.168.140.132; (UUID: ayeihldr) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.140.1:8443 -> 127.0.0.1) at 2021-08-18 17:02:42 -0500

By chance are you using an older version of Metasploit that does not have this patch? Are you obtaining a Meterpreter session even with this additional output?

SauravChittal commented 8 months ago

I checked my metasploit version, and confirmed that it was 6.3.31-dev, so I don't think it was because my Metasploit doesn't have the patch since it's a very recent version.

When I actually restart the CFO, this is what happens in my msf screen: [image]

and it just keeps scrolling with these specific error messages.

archcloudlabs commented 8 months ago

By chance have you executed the setup.sh script prior to running the emulation?

SauravChittal commented 8 months ago

Admittedly I hadn't; I did all the steps that were labelled in the attack, which might've caused this specific issue. However, now that I ran setup.sh, after replacing all the IP and hostnames as needed, I don't get the error about the databases; however, I still get this error:

[image]

Again, it just keeps going on, and as far as I can tell, I see no meterpreter session.