
Wireguard implants don't call back after disconnection

Open kfken opened this issue 3 years ago • 8 comments

Describe the bug: I created one of the new wg implants to call back to my sliver server. Previously, mtls implants would call back and connect if I set the retries appropriately and was disconnected from the implant. It doesn't appear that the wg implants do this.

To Reproduce Steps to reproduce the behavior:

  1. generate --wg :53 -j 60 -k 5000
  2. Deploy implant, callback works
  3. disconnect the server for 24hrs (e.g. snapshot a VM)
  4. Bring server back up
  5. The implant is no longer running on the host (linux) and no connection to the sliver server is established

Expected behavior: The wg implant will call back and connect a new session to the server

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Linux
  • Version Ubuntu 18.04

Additional context: Implants with mtls and tcp-pivot connect back successfully in the above scenario.

kfken, Apr 22 '21 14:04

This is with version 1.4.12; Linux sliver server, and both linux and windows implants.

kfken, Apr 22 '21 14:04

Sounds like a regression. I've tested implant reconnect before merging, but obviously not on a 24h time frame. I'll try to look into it.

rkervella, Apr 22 '21 15:04

Alright, looks like this is the culprit: https://github.com/WireGuard/wireguard-go/blob/355fed440bd066b8aa32e63e04c7f92e7a097d88/device/timers.go#L77-L109

MaxTimerHandshakes defaults to 90/5:

https://github.com/WireGuard/wireguard-go/blob/d4112d9096f4bdd68f1a109bb12df82f5f4ca5a0/device/constants.go#L20

I'm trying to reproduce locally, but so far the implant hasn't stopped retrying to connect.

rkervella, Apr 28 '21 13:04
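A defender's view of the retry window mentioned above (90/5 = 18 handshake attempts), as an added example that is not code from this thread, Sliver or wireguard-go: it counts unanswered WireGuard handshake initiations per flow, which on UDP/53 stand out from DNS. The message sizes (148-byte initiation, 92-byte response) come from the WireGuard protocol; the `Datagram` record, function names and sample addresses are constructed for illustration.

```go
package main

import "fmt"

// Datagram is one observed UDP payload (hypothetical capture record).
type Datagram struct {
	Src, Dst string // "ip:port"
	Payload  []byte
}

// wgMsg reports whether p has the fixed size and 4-byte header (type byte,
// then three reserved zero bytes) of the given WireGuard handshake message.
// Heuristic only: a DNS message of equal length could share those bytes.
func wgMsg(p []byte, typ byte, size int) bool {
	return len(p) == size && p[0] == typ && p[1] == 0 && p[2] == 0 && p[3] == 0
}

// UnansweredInitiations counts, per src->dst flow, the handshake initiations
// sent since the last handshake response seen on the reverse flow.
func UnansweredInitiations(capture []Datagram) map[string]int {
	pending := map[string]int{}
	for _, d := range capture {
		switch {
		case wgMsg(d.Payload, 1, 148): // handshake initiation
			pending[d.Src+"->"+d.Dst]++
		case wgMsg(d.Payload, 2, 92): // handshake response
			delete(pending, d.Dst+"->"+d.Src)
		}
	}
	return pending
}

// SampleCapture returns constructed data: one DNS-sized payload, then 18
// initiations (one full retry window) to a peer on UDP/53 that never answers.
func SampleCapture() []Datagram {
	c := []Datagram{{"10.0.0.7:40000", "10.0.0.1:53", make([]byte, 40)}}
	for i := 0; i < 18; i++ {
		p := make([]byte, 148)
		p[0] = 1
		c = append(c, Datagram{"10.0.0.9:51000", "10.10.1.3:53", p})
	}
	return c
}

func main() { fmt.Println(UnansweredInitiations(SampleCapture())) }
```

A flow whose count keeps climbing toward port 53 with no response is worth a look, since real DNS clients do not send 148-byte datagrams starting with `01 00 00 00` at a steady cadence.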

> I'm trying to reproduce locally, but so far the implant hasn't stopped retrying to connect.

Are you using Linux build? Linux process has never been running for me if it was disconnected from the server for at least 14 hrs or so. I don't have enough data to determine if Windows was more reliable. Though the OS really shouldn't matter in this case since the timeouts are the same in wg regardless of arch.

kfken, Apr 30 '21 02:04

Yes I am. I fucked up my lab this week so I need to fix that first to get a VM for the implant to run continuously. My test environment was:

  • sliver-server on Linux
  • Linux implant generated with default retry and errors values

The implant called back, then I killed the server for 30 minutes, and fired it up again. The implant connected back successfully.

If you're willing to run some tests, could you build an implant in debug mode (--debug) and post the logs here?

rkervella, Apr 30 '21 07:04

Sure thing, I'll try it out with debug. Will post the logs once I get them.

fwiw, I used v1.4.14 and the windows implants reconnect no problem. Linux implant was still running after I connected back 20 hrs later, and the tcp pivot listener was still up and connected. But the wg server connection didn't reconnect.

kfken, May 07 '21 00:05

I ran the test last weekend and the implant tried to reconnect (both the wg transport and the underlying mtls connection) for the expected duration. Thing is, it reached the max attempts after a day and a half, before I could start the server again.

rkervella, May 07 '21 07:05

Ok here you go. Some context:

generate --wg 10.10.1.3:53 --os linux -N test01debug -j 60 -k 5000 -b --debug

Shutdown connection approx: Fri May 7 13:23:09 PDT 2021

Connection back up at approx: Sat May 8 17:47:09 PDT 2021

sliver-debug.log

kfken, May 09 '21 18:05