kevoreilly / capemon

capemon: CAPE's monitor
GNU General Public License v3.0

Broken sleep hooks resulting in nonstable (not working) TCP sessions #34

Closed ilzaman closed 12 months ago

ilzaman commented 2 years ago

Hello CAPE team! I'm working on a diploma thesis aimed at analyzing CAPEv2's abilities in tracking Meterpreter-based exploits, and I have noticed that, no matter what, my TCP sessions are pretty unstable. That means that after a successful connection all sessions last about 30 secs and then they die off. Presumably because some heartbeat timer expires prematurely. The culprit seems to be the NtWaitForSingleObject hook, which does not react to the force-sleepskip setting. When the force-sleepskip=0 option is set, the issue is still there. In order to remove it I had to recompile the monitor with this hook disabled.

Best

Ilzaman
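To make the reporter's hypothesis concrete (a hook that returns from timed waits early makes a guest-side keepalive or session timeout run out far sooner in wall-clock time than intended), here is an added example for this thread. It is not capemon code and not the reporter's code: the per-call record format, the "guest-perceived clock" model and the sample trace are all constructed for the illustration, and the heuristic in `looks_skipped` is an assumption, not how CAPE represents skipped sleeps.

```python
# Added example for this thread (not capemon code). Models how a monitor that
# short-circuits timed waits such as NtWaitForSingleObject can make a
# guest-side keepalive/session timeout expire far sooner in wall-clock time
# than intended. The record format below is constructed for the example;
# it is not CAPE's behaviour-log format.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

INFINITE = 0xFFFFFFFF  # Win32 convention: wait with no timeout


@dataclass
class WaitRecord:
    api: str            # hooked API name, e.g. "NtWaitForSingleObject"
    requested_ms: int   # timeout the guest asked for
    elapsed_ms: int     # wall-clock time the call actually consumed
    timed_out: bool     # True if the call returned because the timeout expired


def looks_skipped(rec: WaitRecord, tolerance: float = 0.5) -> bool:
    """Heuristic (assumption): a timed wait that reports a timeout yet returns in
    much less than the requested time is consistent with the monitor skipping
    the sleep. Infinite waits and genuine early wakeups are not evidence."""
    if rec.requested_ms == INFINITE or not rec.timed_out:
        return False
    return rec.elapsed_ms < rec.requested_ms * tolerance


def summarize(records: Iterable[WaitRecord]) -> dict:
    """Count skipped waits and the wall-clock time the guest 'lost' to skipping."""
    skipped = [r for r in records if looks_skipped(r)]
    requested = sum(r.requested_ms for r in skipped)
    elapsed = sum(r.elapsed_ms for r in skipped)
    return {
        "skipped_calls": len(skipped),
        "requested_ms": requested,
        "elapsed_ms": elapsed,
        "lost_ms": requested - elapsed,
    }


def session_timeout_hit(records: Iterable[WaitRecord],
                        session_timeout_ms: int) -> Optional[Tuple[int, int]]:
    """Walk the trace with two clocks: the time the guest believes has passed
    (a timed-out wait counts as its full requested timeout) and real wall-clock
    time. Return (call_index, wall_ms) for the first call at which the
    guest-perceived clock reaches the session timeout, or None if it never does."""
    perceived = wall = 0
    for idx, rec in enumerate(records, start=1):
        wall += rec.elapsed_ms
        if rec.requested_ms != INFINITE and rec.timed_out:
            perceived += rec.requested_ms
        else:
            perceived += rec.elapsed_ms
        if perceived >= session_timeout_ms:
            return idx, wall
    return None


# Constructed trace: a 5 s keepalive wait that the monitor returns from almost
# immediately, repeated ten times, plus one wait that was genuinely signalled
# early (not a timeout) inserted in the middle.
SAMPLE_TRACE: List[WaitRecord] = [
    WaitRecord("NtWaitForSingleObject", 5000, 5, True) for _ in range(10)
]
SAMPLE_TRACE.insert(3, WaitRecord("NtWaitForSingleObject", 5000, 120, False))

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
    # With a 30 s session timeout the guest-perceived clock expires after only
    # 150 ms of real time; without skipping it would take the full 30 s.
    print(session_timeout_hit(SAMPLE_TRACE, session_timeout_ms=30_000))
```

The useful check for a sandbox operator is the ratio between `requested_ms` and `elapsed_ms` over a trace: if a sample's periodic waits are being collapsed even though sleep skipping is supposedly disabled, the hook setting is not being honoured, which is the symptom this issue describes.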

kevoreilly commented 2 years ago

Very interesting observation - can you share some samples/hashes which demonstrate this?

Thanks for reporting

ilzaman commented 2 years ago

I can't really share any samples/hashes as they are bound to my local setup. But I'm using just the generic reverse_tcp payload from Metasploit, generated by msfvenom. I could run it on the public instance and send you the hash if that would be of any help. I'd need my account activated for that, though. I've already pinged you on Twitter but...

kevoreilly commented 2 years ago

Should be sorted now, so if you don't mind submitting to public then I can try and get to the bottom of and hopefully fix this issue.

ilzaman commented 2 years ago

Hello, is there any network block on the outgoing connections from the CAPE VMs on the public instance? I can't get a connection back from it. I thought that my firewall was the issue and was troubleshooting that, but it seems like the traffic gets blocked at the VMs.

doomedraven commented 2 years ago

On public, it could be that the VPN is down.


ilzaman commented 2 years ago

Oh. Is there anything that can be done about it? I'll be unable to provide the requested samples without it.

doomedraven commented 2 years ago

Try now, I have restarted the VPNs.


ilzaman commented 2 years ago

Yes, that did help, although I still need to resolve some of my local firewall issues. Will be back with more info soon.

ilzaman commented 2 years ago

Hello all,

This is the file on the public instance on which you can observe the issue with sleep hooks: https://capesandbox.com/analysis/262720/ MD5: cfa58e50787d69e47d6f27e171ef9382

If you need to run that again, please let me know, as I'd have to compile and run a new file... thanks to not having a static IP and so on.

Best

Ilzaman