C2 handshake: timeout is `0`

[arschlochnop]

OS：

Linux DM 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86_64 GNU/Linux

Error message:

Target DM\root_c290e81fd-agent-abaf4d56-b118-f1f7-5a1b-e4039a0e81fd cannot be found, however, it left a message saying: [hellojVZyNRepkjSCXRbbweSPvVMeKMRllfuzNXJIuHEqBJfow]
2022/04/14 17:50:17 {hellojVZyNRepkjSCXRbbweSPvVMeKMRllfuzNXJIuHEqBJfow DM\root_c290e81fd-agent-abaf4d56-b118-f1f7-5a1b-e4039a0e81fd }: no agent found by this msg

I recompiled this program：

bash emp3r0r --build                       
/usr/bin/go
/data/go-workspace/go/bin/garble
[INFO] Remove temp history files.
[INFO] Building CC
# github.com/jm33-m0/emp3r0r/core/cmd/cc
HEADER = -H5 -T0x401000 -R0x1000
396423 symbols, 141457 reachable
    161575 package symbols, 150744 hashed symbols, 71502 non-package symbols, 12602 external symbols
569031 liveness data
[INFO] Building cat
# github.com/jm33-m0/emp3r0r/core/cmd/cat
HEADER = -H5 -T0x401000 -R0x1000
79132 symbols, 23634 reachable
    32443 package symbols, 31116 hashed symbols, 13233 non-package symbols, 2340 external symbols
90305 liveness data
[INFO] Building agent stub
# github.com/jm33-m0/emp3r0r/core/cmd/agent
HEADER = -H5 -T0x401000 -R0x1000
346445 symbols, 123695 reachable
    126804 package symbols, 148280 hashed symbols, 63649 non-package symbols, 7712 external symbols
567574 liveness data
[INFO] Building agent stub for Windows
# github.com/jm33-m0/emp3r0r/core/cmd/agent
HEADER = -H10 -T0xffffffffffffffff -R0xffffffff
327570 symbols, 116184 reachable
    119684 package symbols, 140536 hashed symbols, 60213 non-package symbols, 7137 external symbols
606672 liveness data
[INFO] Building Packer stub
# github.com/jm33-m0/emp3r0r/core/cmd/packer_stub
HEADER = -H5 -T0x401000 -R0x1000
304475 symbols, 62703 reachable
    111023 package symbols, 132853 hashed symbols, 55762 non-package symbols, 4837 external symbols
260346 liveness data

[arschlochnop]

Client error msg:

2022/04/14 18:02:00.232759 ??:1: Check CC response: started
2022/04/14 18:02:00.235739 ??:1: Hello (hellowJjSYfAAGAlnghRIbLbKZodokKqsDlVTEXNsSvoqlMBzMRqGTQGhVTYrlroWvMQiBPpNWSDpNHXDfXTOYZfalwpEWKSDGsVLmf) sent
2022/04/14 18:02:00.241860 ??:1: Hello (hellowJjSYfAAGAlnghRIbLbKZodokKqsDlVTEXNsSvoqlMBzMRqGTQGhVTYrlroWvMQiBPpNWSDpNHXDfXTOYZfalwpEWKSDGsVLmf) timeout
2022/04/14 18:02:00.243417 ??:1: sendHello failed
2022/04/14 18:02:00.241342 ??:1: Hello (hellowJjSYfAAGAlnghRIbLbKZodokKqsDlVTEXNsSvoqlMBzMRqGTQGhVTYrlroWvMQiBPpNWSDpNHXDfXTOYZfalwpEWKSDGsVLmftMh) received
2022/04/14 18:02:00.250198 ??:1: Check CC response: exited
2022/04/14 18:02:00.249150 ??:1: CCMsgTun closed
2022/04/14 18:02:00.251250 ??:1: Collecting system info for checking in
2022/04/14 18:02:00.251793 ??:1: Reading kernel version...
2022/04/14 18:02:01.002804 ??:1: Collected system info, now checking in (https://192.168.126.135:59216/emp3r0r/checkin/8917bef8-24eb-4818-863c-b630b386c16c)
2022/04/14 18:02:01.002804 ??:1: ConnectCC: connecting to https://192.168.126.135:59216/emp3r0r/checkin/8917bef8-24eb-4818-863c-b630b386c16c
2022/04/14 18:02:02.005472 ??:1: Checked in
2022/04/14 18:02:02.005550 ??:1: Checked in on CC: https://192.168.126.135:59216/
2022/04/14 18:02:02.007658 ??:1: ConnectCC: connecting to https://192.168.126.135:59216/emp3r0r/msg/f99d8b2c-60e5-43f6-91e6-8b1ee3997d46
2022/04/14 18:02:03.015331 ??:1: Connected to CC TunAPI
2022/04/14 18:02:03.015382 ??:1: Hearbeat begins
2022/04/14 18:02:03.015382 ??:1: Check CC response: started
2022/04/14 18:02:03.017991 ??:1: Hello (helloGJUOIUKeIlCwSxdKDqlOHsELDxqYoQQhQlxRmKBIzhpWXFjbmocHgHZxmzJFcUzCqSYWLahUhKzDOSIknSknHUJiudgYwBYtwVh) sent
2022/04/14 18:02:03.025280 ??:1: Hello (helloGJUOIUKeIlCwSxdKDqlOHsELDxqYoQQhQlxRmKBIzhpWXFjbmocHgHZxmzJFcUzCqSYWLahUhKzDOSIknSknHUJiudgYwBYtwVh) timeout
2022/04/14 18:02:03.027867 ??:1: sendHello failed
2022/04/14 18:02:03.024758 ??:1: Hello (helloGJUOIUKeIlCwSxdKDqlOHsELDxqYoQQhQlxRmKBIzhpWXFjbmocHgHZxmzJFcUzCqSYWLahUhKzDOSIknSknHUJiudgYwBYtwVhlZRVQU) received
2022/04/14 18:02:03.037363 ??:1: Check CC response: exited
2022/04/14 18:02:03.035807 ??:1: CCMsgTun closed

[arschlochnop]

Testing the latest release below will still have this problem.

1.15.8 (2022-04-11)

[jm33-m0]

2022/04/14 18:02:00.235739 ??:1: Hello (hellowJjSYfAAGAlnghRIbLbKZodokKqsDlVTEXNsSvoqlMBzMRqGTQGhVTYrlroWvMQiBPpNWSDpNHXDfXTOYZfalwpEWKSDGsVLmf) sent
2022/04/14 18:02:00.241860 ??:1: Hello (hellowJjSYfAAGAlnghRIbLbKZodokKqsDlVTEXNsSvoqlMBzMRqGTQGhVTYrlroWvMQiBPpNWSDpNHXDfXTOYZfalwpEWKSDGsVLmf) timeout
2022/04/14 18:02:00.243417 ??:1: sendHello failed

According to this error message, the agent throws a timeout immediately after sending hello, which is odd.

I just tested with current build on Ubuntu 20.04, it works fine though.

[jm33-m0]

Normally it should look like this

[jm33-m0]

@arschlochnop Can you check the timeout field in ~/.emp3r0r/emp3r0r.json?

timeout is a random value generated when you ~/.emp3r0r is created for the first time, it represents number of milliseconds to wait before marking the handshake as "timeout":

https://github.com/jm33-m0/emp3r0r/blob/03d6a98ca58bb204e434cf42dcc3a72d137a0c1f/core/lib/agent/poll.go#L193-L208

[arschlochnop]

timeout is 0

[jm33-m0]

Well that will be the culprit, did you set it yourself or is it generated automatically?

[arschlochnop]

I didn't customize this file, it should be set automatically.

[jm33-m0]

If you look at https://github.com/jm33-m0/emp3r0r/commit/fe3a0ae01f45b3435265eca7aff328a4ef4fde75 you will find this value should be between 5000 and 10000 when generated automatically.

[jm33-m0]

You can try deleting existing config file and rerun emp3r0r, if the improper value still pops up, please let me know.

[jm33-m0]

I have tested with https://github.com/jm33-m0/emp3r0r/releases/tag/v1.15.8, timeout is generated as a random number between 5000 and 10000.

My guess is your config file might be broken before that version.