
Potentially broken DNS canaries

Open malmoeb opened this issue 3 years ago • 5 comments

Describe the bug
Potentially broken DNS canaries in the newest version of Sliver.

To Reproduce
Steps to reproduce the behavior:

  1. I set up a new Sliver Server on a DigitalOcean droplet (v1.5.22).
  2. Configured the DNS entries as outlined here: https://github.com/BishopFox/sliver/wiki/DNS-C2
  3. Created a new implant with a canary included (--canary option)
  4. Show the C2 canary domain with canaries on the Sliver command line
  5. Start the DNS server: dns --domains 1...
  6. Name resolution of the canary domain does not return a value nor does it trigger an alarm

New DNS canary domain dmc6a3x.

[Screenshot 2022-08-25 at 11:25:50]

According to the sliver.log, the DNS request is seen by the sliver server:

[Screenshot 2022-08-25 at 11:24:25]

But Sliver is not raising an alarm nor is the domain marked as "burn". Is the failure on my side? I double-checked everything.

malmoeb avatar Aug 25 '22 10:08 malmoeb

Can you try increasing the verbosity of the logs by modifying the server.json config.

moloch-- avatar Aug 25 '22 14:08 moloch--

```
INFO[2022-08-25T14:39:15Z] [sliver/server/c2/dns.go:91] Starting DNS listener for [1.redacted.ch.] (canaries: true) ...
INFO[2022-08-25T14:39:15Z] [github.com/grpc-ecosystem/[email protected]/logging/logrus/options.go:211] finished unary call with code OK
INFO[2022-08-25T14:39:16Z] [github.com/grpc-ecosystem/[email protected]/logging/logrus/options.go:211] finished unary call with code OK
INFO[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:362] 'dmc6a3x.1.redacted.ch.' is subdomain of '1.redacted.ch.'
DEBU[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:345] 'dmc6a3x.1.redacted.ch.' is subdomain of c2 parent '1.redacted.ch.'
DEBU[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:375] [dns] processing req for subdomain = dmc6a3x.
DEBU[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:417] subdata = dmc6a3x
DEBU[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:428] failed to decode subdata with encoders.Base32{} (proto: cannot parse invalid wire-format data)
DEBU[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:428] failed to decode subdata with encoders.Base58{} (proto: cannot parse invalid wire-format data)
ERRO[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:378] [dns] error decoding subdata: invalid dns message
DEBU[2022-08-25T14:39:23Z] [sliver/server/c2/dns.go:95] DNS server took 569.426µs
```

malmoeb avatar Aug 25 '22 14:08 malmoeb

@malmoeb we're not able to reproduce, but canaries can be finicky. Check your DNS configuration and note that resolvers may cache canary records since we cannot include a nonce. This may result in canaries only firing a single time. We set the record TTL to 0 but many resolvers ignore TTLs.

moloch-- avatar Sep 06 '22 18:09 moloch--
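An added illustration (not Sliver's own code, and not from either participant) of the name handling the log above walks through: a query under the C2 parent zone is normalized, checked against the registered canary labels first, and only non-canary subdata is handed on to message decoding, which is the path the reporter's `dmc6a3x` query ended up on. The `ClassifyQuery` function and the canary registry map are hypothetical names used only for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// QueryClass describes how a listener that serves both C2 traffic and canary
// records under one parent zone would classify a single query name.
type QueryClass struct {
	IsSubdomain bool   // query name lies under the C2 parent zone
	IsCanary    bool   // subdata matches a registered canary label
	Subdata     string // labels below the parent, "" when not a subdomain
}

// canonical normalizes a DNS name for comparison: lower-case, one trailing dot.
func canonical(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// ClassifyQuery checks the canary registry before any decode attempt, so a
// registered canary never reaches the Base32/Base58 message decoders.
// canaries is a hypothetical registry keyed by canary label (e.g. "dmc6a3x").
func ClassifyQuery(qname, parent string, canaries map[string]bool) QueryClass {
	q, p := canonical(qname), canonical(parent)
	// The leading dot prevents "x11.redacted.ch." matching parent "1.redacted.ch.".
	if !strings.HasSuffix(q, "."+p) {
		return QueryClass{}
	}
	subdata := strings.TrimSuffix(q, "."+p)
	return QueryClass{IsSubdomain: true, IsCanary: canaries[subdata], Subdata: subdata}
}

func main() {
	// Constructed sample: one registered canary, three queries of differing shape.
	registry := map[string]bool{"dmc6a3x": true}
	for _, name := range []string{
		"dmc6a3x.1.redacted.ch.", // canary, as seen in the log above
		"DMC6A3X.1.Redacted.CH",  // same canary, different case, no trailing dot
		"abc.1.redacted.ch.",     // not a canary: would go on to decoding
		"x11.redacted.ch.",       // not under the parent zone at all
	} {
		fmt.Printf("%-26s %+v\n", name, ClassifyQuery(name, "1.redacted.ch.", registry))
	}
}
```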

@malmoeb did you ever figure out this issue? I've run into the same errors.

In3x0rabl3 avatar Sep 06 '23 12:09 In3x0rabl3

@In3x0rabl3 no, sorry. It was not so important for me to resolve this issue, so I haven't spent more time with debugging.

malmoeb avatar Sep 06 '23 19:09 malmoeb