iagox86 / dnscat2

BSD 3-Clause "New" or "Revised" License

Cannot establish encrypted tunnel with Solaris10 client #116

Closed truekonrads closed 6 years ago

truekonrads commented 6 years ago

Hello,

I cannot establish an encrypted tunnel with a Solaris 10 client using the latest git revision. The plaintext version works: I can spawn a shell, upload files, etc.:

$ sudo ruby ./dnscat2.rb -e open dnscat2.smelkovs.com --secret acme -k --firehose -a 'exec id'

New window created: 0
New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
auto_command => exec id
history_size (for new windows) => 1000
Security policy changed: Client can decide on security level
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = dnscat2.smelkovs.com]...

Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):

  ./dnscat --secret=acme dnscat2.smelkovs.com

To talk directly to the server without a domain name, run:

  ./dnscat --dns server=x.x.x.x,port=53 --secret=acme

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

dnscat2> Received:  24ef037ef200000000404860fd1268e5d2a06e55df3371282913d18b6628.d5931dfaa35704dcb3d581e85fe0f09bd9e8d1d99e19911233a47b80d5a9.b6df0ff0d6ed25878bb734cdd4.dnscat2.smelkovs.com (MX)
Creating Encryptor with secret: acme
New window created: 1
history_size (session) => 1000
Not decrypting data (incoming data seemed to be cleartext): ["24ef037ef200000000404860fd1268e5d2a06e55df3371282913d18b6628d5931dfaa35704dcb3d581e85fe0f09bd9e8d1d99e19911233a47b80d5a9b6df0ff0d6ed25878bb734cdd4"]
New window created: pcap1
IN:  [0x24ef] session = 7ef2 :: [[ENC|INIT]] :: flags = 0x0000, pubkey = 404860fd1268e5d2a06e55df3371282913d18b6628d5931dfaa35704dcb3d581,e85fe0f09bd9e8d1d99e19911233a47b80d5a9b6df0ff0d6ed25878bb734cdd4
  00000000  24 EF 03 7E F2 00 00 00 00 40 48 60 FD 12 68 E5   $..~.....@H`..h.
  00000010  D2 A0 6E 55 DF 33 71 28 29 13 D1 8B 66 28 D5 93   ..nU.3q()...f(..
  00000020  1D FA A3 57 04 DC B3 D5 81 E8 5F E0 F0 9B D9 E8   ...W......_.....
  00000030  D1 D9 9E 19 91 12 33 A4 7B 80 D5 A9 B6 DF 0F F0   ......3.{.......
  00000040  D6 ED 25 87 8B B7 34 CD D4                        ..%...4..
Setting their public key: 404860fd1268e5d2a06e55df3371282913d18b6628d5931dfaa35704dcb3d581 e85fe0f09bd9e8d1d99e19911233a47b80d5a9b6df0ff0d6ed25878bb734cdd4
Setting my public key: b73fc303e0c15bcc32e20f9df9f30d4826a73036035f53abb9553b3d6a344f0c 2ddf12359dc4dad00490c32186509130093d2af1f0c52849d92bf5340fb0e5a0
OUT: [0xea32] session = 7ef2 :: [[ENC|INIT]] :: flags = 0x0000, pubkey = b73fc303e0c15bcc32e20f9df9f30d4826a73036035f53abb9553b3d6a344f0c,2ddf12359dc4dad00490c32186509130093d2af1f0c52849d92bf5340fb0e5a0
  00000000  EA 32 03 7E F2 00 00 00 00 B7 3F C3 03 E0 C1 5B   .2.~......?....[
  00000010  CC 32 E2 0F 9D F9 F3 0D 48 26 A7 30 36 03 5F 53   .2......H&.06._S
  00000020  AB B9 55 3B 3D 6A 34 4F 0C 2D DF 12 35 9D C4 DA   ..U;=j4O.-..5...
  00000030  D0 04 90 C3 21 86 50 91 30 09 3D 2A F1 F0 C5 28   ....!.P.0.=*...(
  00000040  49 D9 2B F5 34 0F B0 E5 A0                        I.+.4....
Returning an unencrypted response
Sending:  ea32037ef200000000b73fc303e0c15bcc32e20f9df9f30d4826a73036035f5.3abb9553b3d6a344f0c2ddf12359dc4dad00490c32186509130093d2af1f0c5.2849d92bf5340fb0e5a0.dnscat2.smelkovs.com
Received:  18b3037ef2146a52d2bccd0000904236a20df11145722d24f2c18ee26d02.8e148121f897b793b157dd69d04dceea66c8e8.dnscat2.smelkovs.com (TXT)
Couldn't verify packet signature!
Attempting to decrypt with secondary key
Not decrypting data (incoming data seemed to be cleartext): ["18b3037ef2146a52d2bccd0000904236a20df11145722d24f2c18ee26d028e148121f897b793b157dd69d04dceea66c8e8"]
Successfully decrypted with secondary key
An error occurred (see window 1 for stacktrace): Unknown subtype: 5226

If you think this might be a bug, please report this trace:
#<DnscatException: Unknown subtype: 5226>
/home/konrads/dnscat2/server/controller/packet.rb:267:in `parse'
/home/konrads/dnscat2/server/controller/packet.rb:359:in `parse'
/home/konrads/dnscat2/server/controller/session.rb:365:in `_handle_incoming'
/home/konrads/dnscat2/server/controller/session.rb:405:in `block in feed'
/home/konrads/dnscat2/server/controller/encryptor.rb:244:in `decrypt_and_encrypt'
/home/konrads/dnscat2/server/controller/session.rb:395:in `feed'
/home/konrads/dnscat2/server/controller/controller.rb:91:in `feed'
/home/konrads/dnscat2/server/tunnel_drivers/tunnel_drivers.rb:25:in `block in start'
/home/konrads/dnscat2/server/tunnel_drivers/driver_dns.rb:316:in `block in initialize'
/home/konrads/dnscat2/server/libs/dnser.rb:872:in `block (2 levels) in on_request'
/home/konrads/dnscat2/server/libs/dnser.rb:843:in `loop'
/home/konrads/dnscat2/server/libs/dnser.rb:843:in `block in on_request'
OUT: <no data>

On client:

client]$  ./dnscat --dns domain=dnscat2.smelkovs.com,server=8.8.8.8  --secret acme --packet-trace
Creating DNS driver:
 domain = dnscat2.smelkovs.com
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = 8.8.8.8
OUTGOING: Type = ENC :: [0x24ef] session = 0x7ef2
INCOMING: Type = ENC :: [0xea32] session = 0x7ef2
OUTGOING: Type = ENC :: [0x18b3] session = 0x7ef2
OUTGOING: Type = ENC :: [0x17b1] session = 0x7ef2
^C
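
As an added example (not dnscat2's own code, and not something the issue author posted), the following Ruby decodes the two raw client queries from the server trace above and shows where "Unknown subtype: 5226" comes from. The cleartext ENC layout used here is the one the server's own debug lines print (packet id, type 0x03, session id, subtype, flags, then two 32-byte public-key coordinates for INIT). The post-handshake layout (5-byte header, 6-byte signature, 2-byte nonce, encrypted body) is an assumption taken from the dnscat2 encryptor rather than from anything visible on this page; the two DNS names are copied verbatim from the trace.

```ruby
# Added example (not dnscat2's own code): decode the raw packets from the trace
# above and show where "Unknown subtype: 5226" comes from.
#
# Cleartext ENC packet layout, as the server's own parser prints it in the trace
# ("[0x24ef] session = 7ef2 :: [[ENC|INIT]] :: flags = 0x0000, pubkey = x,y"):
#   packet_id(2) | type(1)=0x03 | session_id(2) | subtype(2) | flags(2) | body
#   INIT (subtype 0x0000) body: pubkey_x(32) | pubkey_y(32)
# Assumption (taken from the dnscat2 encryptor, not visible on this page): after
# the INIT exchange every packet is header(5) | signature(6) | nonce(2) | body,
# so a parser that treats such a packet as cleartext reads the first two
# signature bytes as the subtype.

MESSAGE_TYPE_ENC = 0x03
ENC_SUBTYPE_INIT = 0x0000
ENC_SUBTYPE_AUTH = 0x0001

DOMAIN = 'dnscat2.smelkovs.com'
# Both names are copied verbatim from the server trace in the issue above.
CLIENT_INIT_NAME = '24ef037ef200000000404860fd1268e5d2a06e55df3371282913d18b6628.' \
                   'd5931dfaa35704dcb3d581e85fe0f09bd9e8d1d99e19911233a47b80d5a9.' \
                   'b6df0ff0d6ed25878bb734cdd4.dnscat2.smelkovs.com'
POST_HANDSHAKE_NAME = '18b3037ef2146a52d2bccd0000904236a20df11145722d24f2c18ee26d02.' \
                      '8e148121f897b793b157dd69d04dceea66c8e8.dnscat2.smelkovs.com'

# Strip the tunnel domain and the DNS label dots, returning the raw packet bytes.
def packet_from_name(name, domain)
  hex = name.sub(/\.#{Regexp.escape(domain)}\z/i, '').delete('.')
  [hex].pack('H*')
end

# Parse a cleartext ENC packet; raises the same "Unknown subtype" the server did.
def parse_enc_cleartext(raw)
  raise 'truncated header' if raw.bytesize < 9
  packet_id, type, session_id, subtype, flags = raw.unpack('nCnnn')
  raise format('not an ENC packet (type 0x%02x)', type) unless type == MESSAGE_TYPE_ENC
  pkt = { packet_id: packet_id, session_id: session_id, subtype: subtype, flags: flags }
  case subtype
  when ENC_SUBTYPE_INIT
    raise 'truncated INIT' if raw.bytesize < 9 + 64
    x, y = raw[9, 64].unpack('H64H64')
    pkt.merge(pubkey_x: x, pubkey_y: y)
  when ENC_SUBTYPE_AUTH
    raise 'truncated AUTH' if raw.bytesize < 9 + 32
    pkt.merge(authenticator: raw[9, 32].unpack1('H64'))
  else
    raise "Unknown subtype: #{subtype}"
  end
end

# Split a post-handshake packet the way an encrypting peer would (assumed layout).
def split_encrypted(raw)
  header, signature, nonce, body = raw.unpack('a5a6na*')
  { header: header.unpack1('H*'), signature: signature.unpack1('H*'),
    nonce: nonce, body_len: body.bytesize }
end

# Try the cleartext parser first; when it fails, show which bytes it misread.
def diagnose(raw)
  parse_enc_cleartext(raw)
rescue RuntimeError => e
  enc = split_encrypted(raw)
  { error: e.message, signature: enc[:signature], nonce: enc[:nonce],
    body_len: enc[:body_len], misread_subtype: enc[:signature][0, 4].hex }
end

if __FILE__ == $PROGRAM_NAME
  p parse_enc_cleartext(packet_from_name(CLIENT_INIT_NAME, DOMAIN))
  p diagnose(packet_from_name(POST_HANDSHAKE_NAME, DOMAIN))
end
```

Decimal 5226 is 0x146a, the first two bytes of the six-byte signature 146a52d2bccd in the third query. The server failed to verify that signature, fell back to its pre-handshake (cleartext) encryptor, and then fed the still-encrypted bytes to the cleartext parser, which is why the stack trace ends in packet.rb rather than in the crypto. The failed signature check is the real symptom to chase; the 36-byte body length after the header, signature and nonce is, under the layout assumption above, exactly what an ENC|AUTH body (subtype, flags, 32-byte authenticator) would occupy.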
truekonrads commented 6 years ago

Fixed in https://github.com/iagox86/dnscat2/pull/118, but it is also a compiler issue: use gcc 5.5.0 from CSW.