kevoreilly
commented
2 years ago Very interesting observation - can you share some samples/hashes which demonstrate this?
Thanks for reporting
Closed ilzaman closed 12 months ago
kevoreilly
commented
2 years ago Very interesting observation - can you share some samples/hashes which demonstrate this?
Thanks for reporting
ilzaman
commented
2 years ago I can't really share any samples/hashes as they are bound to my local setup. But I'm using just the generic reverse_tcp payload from metasploit. Generated by msfvenom. I could run it on the public instance and send you the hash if that would be of any help. I'd need my account activated for that tho. I've already pinged you on twitter but...
kevoreilly
commented
2 years ago Should be sorted now, so if you don't mind submitting to public then I can try and get to the bottom of and hopefully fix this issue.
ilzaman
commented
2 years ago Hello, Is there any network block on the outgoing connections from the CAPE VM's? On the public instance. I can't get a connection back from it and I thought that my firewall was the issue and was troubleshooting that but it seems like the traffic gets blocked at the VM's.
doomedraven
commented
2 years ago On public could be that vpn is down
El mar., 29 mar. 2022 21:14, ilzaman @.***> escribió:
Hello, Is there any network block on the outgoing connections from the CAPE VM's? On the public instance. I can't get a connection back from it and I thought that my firewall was the issue and was troubleshooting that but it seems like the traffic gets blocked at the VM's.
— Reply to this email directly, view it on GitHub https://github.com/kevoreilly/capemon/issues/34#issuecomment-1082273175, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOFH34V6VRGL5WRPW4IVULVCNI7TANCNFSM5Q4FXTJQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>
ilzaman
commented
2 years ago Oh. Is there anything that can be done about it? As I’ll be unable to provide the requested samples without it
doomedraven
commented
2 years ago Try now, i have restarted vans
On 29 Mar 2022, at 21:33, ilzaman @.***> wrote:
Oh. Is there anything that can be done about it? As I’ll be unable to provide the requested samples without it
— Reply to this email directly, view it on GitHub https://github.com/kevoreilly/capemon/issues/34#issuecomment-1082296230, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOFH35DKL4RNCGQZJSA6RLVCNLJ3ANCNFSM5Q4FXTJQ. You are receiving this because you commented.
ilzaman
commented
2 years ago Yes that did help, although I do still need to resolve some of my local firewall issues. Will be back with more info soon.
ilzaman
commented
2 years ago Hello all,
this is the file on public instance on which you can observe the issue with sleep hooks. https://capesandbox.com/analysis/262720/ MD5: cfa58e50787d69e47d6f27e171ef9382
If you'd need to run that again please let me know as I'd have to compile and run a new file... Thanks to not having static IP and so on.
Best
Ilzaman
Hello CAPE team! I'm working on a diploma thesis aimed at analyzing CAPEv2 abilities in tracking Meterpreter based exploits and I have noticed that no matter what my TCP sessions are pretty unstable. That means that after a sucesfull conection all sessions last about 30 secs and then they die off. Presumably because some heartbeat timer expires prematurely. The culprit seem to be the NtWaitForSingleObject hook which does not react to the force-sleepskip setting. When force-sleepskip=0 option is set, the issue is still there. In order to remove it I had to recompile the monitor with this hook disabled. Best Ilzaman