mgeeky / RedWarden

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
GNU General Public License v3.0
929 stars, 142 forks

cannot receive outputs #9

Closed tionwayne2021 closed 3 years ago

tionwayne2021 commented 3 years ago

When I interact with a beacon, for example to spawn a new beacon or print the working directory, no output comes back.

But when I use it directly, without RedWarden, everything works perfectly. Please reply.

mgeeky commented 3 years ago

As stated in README:

- My packets are getting dropped. Why?

Try to enable `debug: True` and `trace: True` to collect as many logs as possible. Then you would need to go through the logs and inspect what's going on. Do the packets look exactly how you expected them in your Malleable profile? Or maybe there was some subtle tampering along the network path that causes RedWarden to drop the packet (and it could make the Teamserver drop it as well?).

Probably RedWarden drops your Beacon packets because it considers that something doesn't look right in your HTTP packets, or maybe there is some kind of a bug while processing them.

Please do enable Debug, Verbose and Trace and paste here outputs that RedWarden generates. We'll see if that's something that can be easily addressed.

Best regards, M.

tionwayne2021 commented 3 years ago

```
Traceback (most recent call last):
  File "/usr/lib/python3.9/asyncio/selector_events.py", line 261, in _add_reader
    key = self._selector.get_key(fd)
  File "/usr/lib/python3.9/selectors.py", line 193, in get_key
    raise KeyError("{!r} is not registered".format(fileobj)) from None
KeyError: '6 is not registered'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/RedWarden/./RedWarden.py", line 233, in main
    serve_proxy(srv[0], srv[1], srv[2], srv[3])
  File "/opt/RedWarden/./RedWarden.py", line 152, in serve_proxy
    server.add_sockets(foosock)
  File "/usr/local/lib/python3.9/dist-packages/tornado/tcpserver.py", line 165, in add_sockets
    self._handlers[sock.fileno()] = add_accept_handler(
  File "/usr/local/lib/python3.9/dist-packages/tornado/netutil.py", line 282, in add_accept_handler
    io_loop.add_handler(sock, accept_handler, IOLoop.READ)
  File "/usr/local/lib/python3.9/dist-packages/tornado/platform/asyncio.py", line 150, in add_handler
    self.selector_loop.add_reader(fd, self._handle_events, fd, IOLoop.READ)
  File "/usr/lib/python3.9/asyncio/selector_events.py", line 336, in add_reader
    self._add_reader(fd, callback, *args)
  File "/usr/lib/python3.9/asyncio/selector_events.py", line 263, in _add_reader
    self._selector.register(fd, selectors.EVENT_READ,
  File "/usr/lib/python3.9/selectors.py", line 360, in register
    self._selector.register(key.fd, poller_events)
FileExistsError: [Errno 17] File exists
```

```
[DEBUG] 2021-10-10/16:03:47: Logging stats for peer 3.133.95.109: elapsed: 0, count: 1
[INFO] 2021-10-10/16:03:47: [REQUEST] GET /Preserve/stat/3E8YZFXJ
==== REQUEST ====
GET /Preserve/stat/3E8YZFXJ HTTP/1.1
Accept: image/*, application/json, application/xhtml+xml
Accept-Language: en-jm
Accept-Encoding: *, identity
Cookie: SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0=RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
Host: 00000220.5982300
Connection: Keep-Alive
Cache-Control: no-cache

==== COOKIES ====
SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0 RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw

[DEBUG] 2021-10-10/16:03:47: Calling IP Lookup provider: ip_api_com
[DEBUG] 2021-10-10/16:03:47: SENDING REVERSE-PROXY REQUEST to []:

GET /json/3.133.95.109 HTTP/1.1
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

None

[DEBUG] 2021-10-10/16:03:47: New IP lookup entry cached: 3.133.95.109
[DEBUG] 2021-10-10/16:03:47: Analysing IP Geo metadata keywords...
[DEBUG] 2021-10-10/16:03:47: Extracted keywords from Peer's IP Geolocation metadata: ({'3.133.95.109', '(us-east-2)', 'AWS', 'Inc.', 'Amazon.com,', 'States', 'Ohio', '40.0992', 'United', 'AS16509', 'US', 'Dublin', 'success', 'America/New_York', 'EC2', 'OH', '43017', 'ec2-3-133-95-109.us-east-2.compute.amazonaws.com', '-83.1141', 'Amazon.com, Inc.', 'AWS EC2 (us-east-2)', 'AS16509 Amazon.com, Inc.', 'United States'})
[DEBUG] 2021-10-10/16:03:47: Peer's IP Geolocation metadata didn't raise any suspicion.
[DEBUG] 2021-10-10/16:03:47: (ProxyPass) Processed request with URL ("/Preserve/stat/3E8YZFXJ"...) didnt match ProxyPass entry 0 URL regex: "^/dl/.+$".
[DEBUG] 2021-10-10/16:03:47: Deep request inspection of URI (/Preserve/stat/3E8YZFXJ) parsed as section:http-get, variant:default
[DEBUG] 2021-10-10/16:03:47: Metadata container: SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0=RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw
[DEBUG] 2021-10-10/16:03:47: [3.133.95.109: ALLOW] Peer's request is accepted
[INFO] 2021-10-10/16:03:47: == Valid malleable http-get (variant: default) request inbound.
[DEBUG] 2021-10-10/16:03:47: Returning cached entry for IP address: 3.133.95.109
[INFO] 2021-10-10/16:03:47: Here is what we know about that address (3.133.95.109): ({'organization': ['AWS EC2 (us-east-2)', 'Amazon.com, Inc.', 'AS16509 Amazon.com, Inc.'], 'continent': '', 'continent_code': '', 'country': 'United States', 'country_code': 'US', 'ip': '3.133.95.109', 'city': 'Dublin', 'timezone': 'America/New_York', 'fulldata': {'status': 'success', 'country': 'United States', 'countryCode': 'US', 'region': 'OH', 'regionName': 'Ohio', 'city': 'Dublin', 'zip': '43017', 'lat': 40.0992, 'lon': -83.1141, 'timezone': 'America/New_York', 'isp': 'Amazon.com, Inc.', 'org': 'AWS EC2 (us-east-2)', 'as': 'AS16509 Amazon.com, Inc.', 'query': '3.133.95.109'}, 'reverse_ip': 'ec2-3-133-95-109.us-east-2.compute.amazonaws.com'})
[ALLOW, 2021-10-10/18:03:47, 3.133.95.109, r:0] "/Preserve/stat/3E8YZFXJ" - UA: "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"
[INFO] 2021-10-10/16:03:47: Connected peer sent 1 valid http-get and 0 valid http-post requests so far, out of 15/5 required to consider him temporarily trusted
[DEBUG] 2021-10-10/16:03:47: Peer reached the server at port: 443
[DEBUG] 2021-10-10/16:03:47: Stripping HTTP request from superfluous headers...
[DEBUG] 2021-10-10/16:03:47: Redirecting to "https://documentsofconnecticutsharing.com:1082/Preserve/stat/3E8YZFXJ"
[INFO] 2021-10-10/16:03:47: Plugin redirected request from [00000220.5982300] to [documentsofconnecticutsharing.com:1082]
[DEBUG] 2021-10-10/16:03:47: Plugin redirected request to a full URL: (https://documentsofconnecticutsharing.com:1082/Preserve/stat/3E8YZFXJ)
[DEBUG] 2021-10-10/16:03:47: Plugin overidden host header: [00000220.5982300] => [documentsofconnecticutsharing.com:1082]
[DEBUG] 2021-10-10/16:03:47: Adjusting Host header for Domain-Fronting needs as requested by Plugin
[DEBUG] 2021-10-10/16:03:47: DEBUG REQUESTS: request("GET", "https://documentsofconnecticutsharing.com:1082/Preserve/stat/3E8YZFXJ", "", ...
[DEBUG] 2021-10-10/16:03:47: SENDING REVERSE-PROXY REQUEST to [00000220.5982300]:

GET /Preserve/stat/3E8YZFXJ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
Accept-Encoding: *, identity
Accept: image/*, application/json, application/xhtml+xml
Connection: keep-alive
Accept-Language: en-jm
Cookie: SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0=RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw
Content-Length: 0
Host: 00000220.5982300

None

[DEBUG] 2021-10-10/16:03:47: Response from reverse-proxy fetch came at 2181 bytes.
[DEBUG] 2021-10-10/16:03:47: Decoding content from identity
[DEBUG] 2021-10-10/16:03:47: malleable_redirector: response_handler
[DEBUG] 2021-10-10/16:03:47: Returning cached entry for IP address: 3.133.95.109
[DEBUG] 2021-10-10/16:03:47: Analysing IP Geo metadata keywords...
[DEBUG] 2021-10-10/16:03:47: Extracted keywords from Peer's IP Geolocation metadata: ({'3.133.95.109', '(us-east-2)', 'AWS', 'Inc.', 'Amazon.com,', 'States', 'Ohio', '40.0992', 'United', 'AS16509', 'US', 'Dublin', 'success', 'America/New_York', 'EC2', 'OH', '43017', 'ec2-3-133-95-109.us-east-2.compute.amazonaws.com', '-83.1141', 'Amazon.com, Inc.', 'AWS EC2 (us-east-2)', 'AS16509 Amazon.com, Inc.', 'United States'})
[DEBUG] 2021-10-10/16:03:47: Peer's IP Geolocation metadata didn't raise any suspicion.
[DEBUG] 2021-10-10/16:03:47: (ProxyPass) Processed request with URL ("/Preserve/stat/3E8YZFXJ"...) didnt match ProxyPass entry 0 URL regex: "^/dl/.+$".
[DEBUG] 2021-10-10/16:03:47: Deep request inspection of URI (/Preserve/stat/3E8YZFXJ) parsed as section:http-get, variant:default
[DEBUG] 2021-10-10/16:03:47: Metadata container: SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0=RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw
[DEBUG] 2021-10-10/16:03:47: [3.133.95.109: ALLOW] Peer's request is accepted
[DEBUG] 2021-10-10/16:03:47: Plugin has altered the response.
[DEBUG] 2021-10-10/16:03:47: Plugin has modified the response body. Using it instead
[DEBUG] 2021-10-10/16:03:47: Encoding content to identity
[INFO] 2021-10-10/16:03:47: [RESPONSE] HTTP 200 OK, length: 2181, keep-alive: yes
==== REQUEST ====
GET /Preserve/stat/3E8YZFXJ HTTP/1.1
Accept: image/*, application/json, application/xhtml+xml
Accept-Language: en-jm
Accept-Encoding: *, identity
Cookie: SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0=RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
X-Proxy2-Ignore-Response-Decompression-Errors: 1
X-Proxy2-Override-Host-Header: documentsofconnecticutsharing.com:1082
X-Proxy2-Domain-Front-Host-Header: 00000220.5982300
Content-Length: 0
Host: documentsofconnecticutsharing.com:1082

==== COOKIES ====
SESSIONID_B2RIXD7J0LGEXT8FBDR5H23VMUGV9Q0 RfQNYyn1inZxrJQ7bJht4YjjRxL_1AYrloWm2seF6NjaFX8gyMMITQ1KslKKr2MJw_A6TcCTHSVxtJ00pc9k6VFX_dP3Q7JPu6IvSxnFY8uIf9V9ZnsN4SE964_thM7Y-TtpL4T75LWilKuEAX44RTBWvhkYfjmNUbdK1hNEt0zw45Nw

==== RESPONSE ====
HTTP/1.1 200 OK
Content-Length: 2181

==== RESPONSE BODY ====
/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */
!function(a,b){'object'==typeof module&&'object'==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error('jQuery requires a window with a document');return b(a)}:b(a)}('undefined'!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m='2.2.4',n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:'',length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:oNpPNi07TG9cUc8AnFXsHI20Wk-90pVOqlOSeRa_iVgrUOIIgsIfbfajWl_tclNDRfZfTg/*! jQuery UI - v1.12.1 - 2016-09-14 http://jqueryui.com Includes: widget.js, position.js, data.js, disable-selection.js, effect.js, effects/effect-blind.js, effects/effect-bounce.js, effects/effect-clip.js, effects/effect-drop.js, effects/effect-explode.js, effects/effect-fade.js, effects/effect-fold.js, effects/effect-highlight.js, effects/effect-puff.js, effects/effect-pulsate.js, effects/effect-scale.js, effects/effect-shake.js, effects/effect-size.js, effects/effect-slide.js, effects/effect-transfer.js, focusable.js, form-reset-mixin.js, jquery-1-7.js, keycode.js, labels.js, scroll-parent.js, tabbable.js, unique-id.js, widgets/accordion.js, widgets/autocomplete.js, widgets/button.js, widgets/checkboxradio.js, widgets/controlgroup.js, widgets/datepicker.js, widgets/dialog.js, widgets/draggable.js, widgets/droppable.js, widgets/menu.js, widgets/mouse.js, widgets/progressbar.js, widgets/resizable.js, widgets/selectable.js, widgets/selectmenu.js, widgets/slider.js, widgets/sortable.js, widgets/spinner.js, widgets/tabs.js, widgets/tooltip.js Copyright jQuery Foundation and other contributors; Licensed MIT */

ERROR:tornado.application:Uncaught exception GET /Preserve/stat/3E8YZFXJ (3.133.95.109)
HTTPServerRequest(protocol='https', host='documentsofconnecticutsharing.com:1082', method='GET', uri='/Preserve/stat/3E8YZFXJ', version='HTTP/1.1', remote_ip='3.133.95.109')
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/tornado/web.py", line 1704, in _execute
    result = await result
  File "/opt/RedWarden/lib/proxyhandler.py", line 1173, in get
    self.my_handle_request()
  File "/opt/RedWarden/lib/proxyhandler.py", line 325, in my_handle_request
    if self.options['access_log_format'].lower() == 'apache2':
AttributeError: 'NoneType' object has no attribute 'lower'
```
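The last traceback above fails on `self.options['access_log_format'].lower()` because the option's value is `None`, which is what a YAML loader returns for a key that is present but left blank (`access_log_format:`). The following is an added example, not RedWarden's code: it reproduces that failure from a blank config value and shows an option loader that normalises values once, before anything calls `.lower()` on them. The flat `key: value` parser is a stand-in for a YAML loader; the default values, the set of accepted format names and the two log-line layouts are assumptions for illustration, not taken from the project.

```python
"""Why a blank config value turns into "'NoneType' object has no attribute
'lower'", and a loader that normalises options before anything calls .lower().

Added example, not RedWarden's code. Key names follow the thread; the
defaults, accepted values and log layouts below are assumptions."""
from typing import Any, Dict

# Assumed defaults for the options named in the thread.
DEFAULTS: Dict[str, Any] = {
    "access_log_format": "redwarden",
    "debug": False,
    "verbose": False,
    "trace": False,
}
ALLOWED_LOG_FORMATS = ("apache2", "redwarden")  # assumed set of formats
BOOL_OPTIONS = ("debug", "verbose", "trace")


def parse_flat_config(text: str) -> Dict[str, Any]:
    """Minimal stand-in for a YAML loader, flat 'key: value' lines only.
    It mirrors the behaviour that matters here: a key with nothing after
    the colon is *present* with value None, not absent."""
    result: Dict[str, Any] = {}
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed config line: {raw_line!r}")
        value = value.strip()
        result[key.strip()] = value if value else None
    return result


def buggy_is_apache_format(options: Dict[str, Any]) -> bool:
    """Same shape as the failing check in the traceback: no None handling."""
    return options["access_log_format"].lower() == "apache2"


def reproduces_thread_error(options: Dict[str, Any]) -> bool:
    """True when the unguarded check raises the AttributeError seen above."""
    try:
        buggy_is_apache_format(options)
    except AttributeError:
        return True
    return False


def to_bool(value: Any) -> bool:
    """Accept YAML-style booleans that arrive as strings ("True", "yes")."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true", "yes", "on")
    return bool(value)


def normalise_options(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Merge parsed options over DEFAULTS. A None value (blank key) keeps
    the default; values are validated and lower-cased once here so later
    code can compare them without re-checking types."""
    options = dict(DEFAULTS)
    for key, value in raw.items():
        if value is None:
            continue
        options[key] = value
    fmt = str(options["access_log_format"]).strip().lower()
    if fmt not in ALLOWED_LOG_FORMATS:
        raise ValueError(
            f"access_log_format must be one of {ALLOWED_LOG_FORMATS}, got {fmt!r}")
    options["access_log_format"] = fmt
    for key in BOOL_OPTIONS:
        options[key] = to_bool(options[key])
    return options


def access_log_line(options, peer, method, path, status, user_agent):
    """Format one access-log entry; both layouts are assumptions."""
    if options["access_log_format"] == "apache2":
        return f'{peer} - - "{method} {path} HTTP/1.1" {status} - "-" "{user_agent}"'
    return f'[{status}, {peer}] "{path}" - UA: "{user_agent}"'


# Constructed config for this example: access_log_format left blank, the
# way a copy-edited config file easily ends up.
SAMPLE_CONFIG = """
debug: True
verbose: True
trace: True
access_log_format:
"""

if __name__ == "__main__":
    raw = parse_flat_config(SAMPLE_CONFIG)
    print("unguarded check raises:", reproduces_thread_error(raw))
    opts = normalise_options(raw)
    print(access_log_line(opts, "3.133.95.109", "GET",
                          "/Preserve/stat/3E8YZFXJ", 200, "Mozilla/5.0"))
```

The point of validating in one place is that a redirector handles every beacon request through the same handler, so an unguarded `.lower()` on a blank setting turns one config typo into a 500 on every check-in, which is what the "no output comes back" symptom looked like from the operator's side.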

mgeeky commented 3 years ago

Can you please try to pull the latest RedWarden version and let me know if problem remains?

```
/home/user/RedWarden$ git pull
```

I believe that might have been already fixed in 0.9.1.

Thanks, M.

mgeeky commented 3 years ago

Were you able to resolve this issue?

Wondering if this can be closed.

tionwayne2021 commented 3 years ago

Please do close it. I really do not know what happened, but the git pull helped. Thanks very much.

On Tue, Oct 12, 2021 at 6:23 PM Mariusz B. wrote:

> Were you able to resolve this issue?
>
> Wondering if this can be closed.
