{"id":515,"date":"2018-12-17T18:29:07","date_gmt":"2018-12-17T18:29:07","guid":{"rendered":"https:\/\/www.attackdebris.com\/?p=515"},"modified":"2018-12-17T18:51:55","modified_gmt":"2018-12-17T18:51:55","slug":"troubleshooting-empire-and-poshc2_python-https-connections","status":"publish","type":"post","link":"https:\/\/www.attackdebris.com\/?p=515","title":{"rendered":"Troubleshooting Empire and PoshC2_Python HTTPS Connections"},"content":{"rendered":"

I\u2019ve experienced a bit of trouble of late with both Empire and PoshC2_Python payloads failing to call back to their corresponding Empire and\/or PoshC2 listener\/server. This brief post detailing the fixes\/workarounds I’ve used may be helpful to someone else.<\/p>\n

I understand the issues are a result of the OpenSSL configuration in Kali Linux (The Kali build used here is up-to-date as of December 2018)<\/p>\n

Troubleshooting Empire<\/h3>\n

I’ll discuss Empire first, the following figure details my setup:<\/p>\n

\"\"<\/a><\/p>\n

Once our Empire listener is up and running we attempt to run our PowerShell launcher on the victim. It fails silently, we receive no indication of why. However, capturing the session with Wireshark does indicate the source of the problem, namely a Protocol Version issue:<\/p>\n

Alert (Level: Fatal, Description: Protocol Version)<\/pre>\n
\"\"<\/a><\/p>\n
Performing a quick sslscan reveals our Empire Listener only supports TLS 1.2:<\/p>\n
\"\"<\/a><\/p>\n
The Fix<\/h3>\n
It turns out we need to downgrade the TLS protocol support we’re using on our Empire listener. We can tweak this via the following file:<\/p>\n
~\/Empire\/lib\/listeners\/http.py<\/pre>\n
We now need to find the following lines in http.py (from line 1146 onward in my case):<\/p>\n
pyversion = sys.version_info\r\n\r\n# support any version of tls\r\npyversion = sys.version_info\r\nif pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:\r\nproto = ssl.PROTOCOL_TLS\r\nelif pyversion[0] >= 3:\r\nproto = ssl.PROTOCOL_TLS\r\nelse:\r\nproto = ssl.PROTOCOL_SSLv23<\/pre>\n
Basically, we need to comment out 8 lines and add a single new line:<\/p>\n
#pyversion = sys.version_info\r\n\r\n#support any version of tls\r\n#pyversion = sys.version_info\r\n#if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:\r\n# proto = ssl.PROTOCOL_TLS\r\n#elif pyversion[0] >= 3:\r\n# proto = ssl.PROTOCOL_TLS\r\n#else:\r\n# proto = ssl.PROTOCOL_SSLv23\r\nproto = ssl.PROTOCOL_TLSv1<\/pre>\n
Once we’ve made the change, we need to restart Empire (assuming its running).<\/p>\n
As can be seen below, as a result of the change our listener is now accepting TLS 1.0 connections:<\/p>\n
\"\"<\/a><\/p>\n
As a result of our tweak, once a payload is run on our target\/victim, Agents are successfully checking in once again:<\/p>\n
\"\"<\/a><\/p>\n
Troubleshooting PoshC2_Python<\/h3>\n
As our PoshC2_Python server is also running on Kali it effectively suffers from the same issue.<\/p>\n
We’ve already discussed the problem, seen the associated packet capture and sslscan data, so we’ll jump straight into the fix.<\/p>\n
The fix is actually provided by the main PoshC2 developer @benpturner and is referenced here (but still needs to be made manually):<\/p>\n
https:\/\/github.com\/nettitude\/PoshC2_Python\/issues\/13<\/em><\/a><\/p>\n
Essentially we need to comment out 3 lines (lines 311, 312 & 313) in the following file:<\/p>\n
\/opt\/PoshC2_Python\/C2Server.py<\/pre>\n
Original content:<\/p>\n
if (os.path.isfile(\"%sposh.crt\" % ROOTDIR)) and (os.path.isfile(\"%sposh.key\" % ROOTDIR)):\r\ntry:\r\nhttpd.socket = ssl.wrap_socket (httpd.socket, keyfile=\"%sposh.key\" % ROOTDIR, certfile=\"%sposh.crt\" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLS)\r\nexcept Exception as e:\r\nhttpd.socket = ssl.wrap_socket (httpd.socket, keyfile=\"%sposh.key\" % ROOTDIR, certfile=\"%sposh.crt\" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)\r\n# add this if required - https:\/\/github.com\/nettitude\/PoshC2_Python\/issues\/13\r\n# httpd.socket = ssl.wrap_socket (httpd.socket, keyfile=\"%sposh.key\" % ROOTDIR, certfile=\"%sposh.crt\" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)<\/pre>\n
Tweaked\/commented content:<\/p>\n
if (os.path.isfile(\"%sposh.crt\" % ROOTDIR)) and (os.path.isfile(\"%sposh.key\" % ROOTDIR)):\r\n#try:\r\n#httpd.socket = ssl.wrap_socket (httpd.socket, keyfile=\"%sposh.key\" % ROOTDIR, certfile=\"%sposh.crt\" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLS)\r\n#except Exception as e:\r\nhttpd.socket = ssl.wrap_socket (httpd.socket, keyfile=\"%sposh.key\" % ROOTDIR, certfile=\"%sposh.crt\" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)\r\n# add this if required - https:\/\/github.com\/nettitude\/PoshC2_Python\/issues\/13\r\n# httpd.socket = ssl.wrap_socket (httpd.socket, keyfile=\"%sposh.key\" % ROOTDIR, certfile=\"%sposh.crt\" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)<\/pre>\n
As can be seen below, once the PoshC2 server is restarted we now have TLS 1.0 support:<\/p>\n
\"\"<\/a><\/p>\n
We’re now able to successfully receive the agent connection from our target victim:<\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
I\u2019ve experienced a bit of trouble of late with both Empire and PoshC2_Python payloads failing to call back to their corresponding Empire and\/or PoshC2 listener\/server. This brief post detailing the fixes\/workarounds I’ve used may be helpful to someone else. I understand the issues are a result of the OpenSSL configuration in Kali Linux (The Kali … <\/p>\n
Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[14,16],"tags":[],"class_list":["post-515","post","type-post","status-publish","format-standard","hentry","category-powershell","category-red-team","item-wrap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p3MDvd-8j","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=515"}],"version-history":[{"count":19,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/515\/revisions"}],"predecessor-version":[{"id":542,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=\/wp\/v2\/posts\/515\/revisions\/542"}],"wp:attachment":[{"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.attackdebris.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}