Open l1ghts4ber opened 1 month ago
May be related to: https://github.com/mitre/caldera/issues/2970
I haven't checked anything, but I think you might be confusing the base64 command obfuscation with the base64 payload encoding for network transport. Try to start the same operation with base64 obfuscation; you should see a difference in the command field.
With plain-text, the command itself also gets base64 encoded (in network traffic). Will provide a screenshot as soon as I can.
Alright, so here are some results:
eyJwYXciOiAidWRqd2JtIiwgInNsZWVwIjogMzgsICJ3YXRjaGRvZyI6IDAsICJpbnN0cnVjdGlvbnMiOiAiW1wie1xcXCJpZFxcXCI6IFxcXCJjZDY3MTM5NC1hMGY3LTRlNWUtOWEyNy0yNTA2NGIyNGE0YmRcXFwiLCBcXFwic2xlZXBcXFwiOiAzLCBcXFwiY29tbWFuZFxcXCI6IFxcXCJaV05vYnlCb1pXeHNidz09XFxcIiwgXFxcImV4ZWN1dG9yXFxcIjogXFxcInBzaFxcXCIsIFxcXCJ0aW1lb3V0XFxcIjogNjAsIFxcXCJwYXlsb2Fkc1xcXCI6IFtdLCBcXFwidXBsb2Fkc1xcXCI6IFtdLCBcXFwiZGVhZG1hblxcXCI6IGZhbHNlLCBcXFwiZGVsZXRlX3BheWxvYWRcXFwiOiB0cnVlfVwiXSJ9
Translates into:
{"paw": "udjwbm", "sleep": 38, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"cd671394-a0f7-4e5e-9a27-25064b24a4bd\\\", \\\"sleep\\\": 3, \\\"command\\\": \\\"ZWNobyBoZWxsbw==\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}
Command translates into: echo hello
Translates into:
{"paw": "udjwbm", "sleep": 42, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"c96d559b-a60c-48b2-bb8a-f192a45cf042\\\", \\\"sleep\\\": 3, \\\"command\\\": \\\"cG93ZXJzaGVsbCAtRW5jIFpRQmpBR2dBYndBZ0FHZ0FaUUJzQUd3QWJ3QT0=\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}
Command translates into: powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=
Translates into:
{"paw": "udjwbm", "sleep": 45, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"297d27bf-b55d-4e34-ba42-f233ca775f7d\\\", \\\"sleep\\\": 4, \\\"command\\\": \\\"JGVuY3J5cHRlZCA9ICJxb3R7IHRxeHh7IjsgJGNtZCA9ICIiOyAkZW5jcnlwdGVkID0gJGVuY3J5cHRlZC50b0NoYXJBcnJheSgpOyBmb3JlYWNoICgkbGV0dGVyIGluICRlbmNyeXB0ZWQpIHskbGV0dGVyID0gW2NoYXJdKChbaW50XVtjaGFyXSRsZXR0ZXIpIC0gMTIpOyAkY21kICs9ICRsZXR0ZXI7fSB3cml0ZS1vdXRwdXQgJGNtZDs=\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}
Command translates into: $encrypted = "qot{ tqxx{"; $cmd = ""; $encrypted = $encrypted.toCharArray(); foreach ($letter in $encrypted) {$letter = [char](([int][char]$letter) - 12); $cmd += $letter;} write-output $cmd;
You are right in saying that the command itself gets b64 encoded, but that's not obfuscation. The obfuscation options are meant for host-level obfuscation, not network-level. And although it seems unnecessary to have a second layer of b64 encoding for the command when the whole payload is already b64-encoded, it doesn't matter, as the agent will decode it before executing it.
You can see in my first example that the command is indeed b64-encoded in the payload, but what's executed by powershell is a plain echo hello.
On the contrary, for the second operation, there is a third level of b64 encoding (actually, obfuscation) that does not get peeled off before being given to powershell, which will execute powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=. So in that case we have 2 levels of b64 encoding and one level of b64 obfuscation.
Third operation is the same: one level of b64 encoding in the payload, one in the command, but both are peeled off and powershell actually executes $encrypted = "qot{ tqxx{"; $cmd = ""; $encrypted = $encrypted.toCharArray(); foreach ($letter in $encrypted) {$letter = [char](([int][char]$letter) - 12); $cmd += $letter;} write-output $cmd;
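The three layers described in the reply above can be peeled apart mechanically. What follows is an added example, not Caldera's own code and not code posted by anyone in this thread. It rebuilds two beacon bodies in code the same way the decoded beacons above are layered, using the paw, instruction ids and commands shown in the thread as constructed sample input rather than captured traffic, and then decodes them: the outer transport base64, the envelope JSON, the instructions string (a JSON array of JSON-encoded instructions), the per-command base64, and finally, where the command is `powershell -Enc ...`, the UTF-16LE base64 that PowerShell itself decodes. The `build_beacon` helper and the field names it fills in are assumptions taken from the decoded JSON shown above, not Caldera's serialisation code.

```python
import base64
import json
from typing import Dict, List, Optional


def build_beacon(paw: str, sleep: int, instruction_id: str, command: str) -> str:
    """Constructed sample, not captured traffic: wrap one plain command the
    way the decoded beacons in the thread are layered. Field names and
    values are copied from that JSON; this is an assumption about the
    format, not Caldera's own serialisation code."""
    instruction = {
        "id": instruction_id,
        "sleep": 3,
        "command": base64.b64encode(command.encode()).decode(),  # per-command b64
        "executor": "psh",
        "timeout": 60,
        "payloads": [],
        "uploads": [],
        "deadman": False,
        "delete_payload": True,
    }
    envelope = {
        "paw": paw,
        "sleep": sleep,
        "watchdog": 0,
        # "instructions" is a JSON string holding a JSON array of JSON strings
        "instructions": json.dumps([json.dumps(instruction)]),
    }
    return base64.b64encode(json.dumps(envelope).encode()).decode()  # transport b64


def unwrap_psh_encoded(command: str) -> Optional[str]:
    """If the command is `powershell -Enc <b64>` (or -EncodedCommand/-E/-EC),
    return the UTF-16LE script PowerShell would run. This is the host-level
    base64 obfuscation layer, which the agent does not strip; for any other
    command return None."""
    tokens = command.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand", "-e", "-ec"):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
    return None


def decode_beacon(blob: str) -> List[Dict[str, Optional[str]]]:
    """Peel the transport layers off one beacon body and return, per
    instruction, the command the agent hands to the executor plus the
    script hidden inside it when that command is itself -Enc obfuscated."""
    envelope = json.loads(base64.b64decode(blob))               # layer 1: transport b64
    decoded = []
    for raw in json.loads(envelope["instructions"]):            # JSON array of JSON strings
        instr = json.loads(raw)
        command = base64.b64decode(instr["command"]).decode()   # layer 2: per-command b64
        decoded.append({
            "paw": envelope["paw"],
            "id": instr["id"],
            "executor": instr["executor"],
            "command": command,
            "obfuscated_script": unwrap_psh_encoded(command),   # layer 3, only if obfuscated
        })
    return decoded


# Constructed sample beacons mirroring the first two operations in the thread.
PLAIN_TEXT_BEACON = build_beacon(
    "udjwbm", 38, "cd671394-a0f7-4e5e-9a27-25064b24a4bd", "echo hello")
BASE64_OBFUSCATED_BEACON = build_beacon(
    "udjwbm", 42, "c96d559b-a60c-48b2-bb8a-f192a45cf042",
    "powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=")


if __name__ == "__main__":
    for name, blob in (("plain-text", PLAIN_TEXT_BEACON),
                       ("base64 obfuscator", BASE64_OBFUSCATED_BEACON)):
        for entry in decode_beacon(blob):
            print(f"[{name}] {entry['executor']} runs: {entry['command']}")
            if entry["obfuscated_script"] is not None:
                print(f"[{name}]   which PowerShell decodes to: {entry['obfuscated_script']}")
```

Running it shows the distinction the thread settles on: both beacons are base64 on the wire and both carry a base64 command field, but only the second one yields a command that is itself still encoded after the agent's decoding, because `-Enc` is consumed by PowerShell on the host, not by the agent. The same decoder applied to a real beacon body copied out of a pcap (after the transport framing is stripped) would print what the executor actually receives.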
Thanks for the clarification!
Kudos @guillaume-duong-bib for explanation.
@l1ghts4ber good to close?
**Description**
When starting an operation with the plain-text obfuscator, the agent nevertheless communicates with base64 encryption.

**To Reproduce**
Steps to reproduce the behavior:

**Expected behavior**
The agent's communication (beaconing/commands) should be readable in plain text from captured network traffic.

**Screenshots**
Operation setup:
![image](https://github.com/mitre/caldera/assets/127923841/d91ca282-39f7-4ef0-885e-c21404dd3cc0)

This is a sample HTTP data snippet of an HTTP 200 OK message from Caldera to the agent:
![image](https://github.com/mitre/caldera/assets/127923841/d274d03e-ff15-4910-bd74-07c45d49171d)

This is a sample decoded beacon POST request from a pcap file analyzed with Wireshark:

**Desktop (please complete the following information):**

**Additional context**
Caldera v5.0.0 standard installation with git clone https://github.com/mitre/caldera.git --recursive