enkomio / AlanFramework

A C2 post-exploitation framework


Agent didn't come back

Fankaren opened this issue · comments

I just followed the movie to give it a try.
I ran the agent (p8UPKP.exe) that I created, but no agent came back (I waited for a long, long time).

Computer Info:
System: Windows 2019 (no network)

Is network required? Thank you.

Hi,
thanks for the feedback, I'll look into this asap.

In the meantime, do you mind doing the following tests:

  • Can you try using HTTP instead of HTTPS?
  • Can you show me the logs generated when the server.exe is started? Please run server.exe with --verbose argument

Thanks!

C:\Users\Administrator\Desktop\Alan.v6.0.512.4>server --verbose

 ?█████╗?██╗??????█████╗?███╗??██╗
 ██╔══██╗██║?????██╔══██╗████╗?██║
 ███████║██║?????███████║██╔██╗██║
 ██╔══██║██║?????██╔══██║██║╚████║
 ██║??██║███████╗██║??██║██║?╚███║
 ╚═╝??╚═╝╚══════╝╚═╝??╚═╝╚═╝??╚══╝
-=[ Post Exploitation Framework ]=-
  Copyright (c) 2021-2022 Enkomio

[INFO] 2022-03-06 11:38:07 - Alan version: 6.0.512.4
[INFO] 2022-03-06 11:38:07 - Start listeners
[INFO] 2022-03-06 11:38:07 - Web listener started on: 0.0.0.0:8080
[INFO] 2022-03-06 11:38:08 - Using certificate: E=alan@localhost, C=Italy, S=IT, L=IT, O=AlanCA, OU=AlanFramework, CN=Enkomio. Expires: 2022/6/6 0:44:54
[INFO] 2022-03-06 11:38:08 - Web listener started on: 0.0.0.0:8443
[INFO] 2022-03-06 11:38:08 - Host address: 192.168.159.10
$:> create
Creating agent from profile: agent_default_profile.json
C&C IP: 127.0.0.1
URL path [/N6cYn]:
Packaging (Executable/DLL/PowerShell/Shellcode) [Executable]:
Agent file [C:\Users\Administrator\AppData\Local\Temp\vOXl.exe]:
Bitness (x86/x64) [x86]: x64
Listener (Http/Https) [Http]:
Binding Port [8080]:
[INFO] 2022-03-06 11:38:42 - Agent file created at: C:\Users\Administrator\AppData\Local\Temp\vOXl.exe
$:> create
Creating agent from profile: agent_default_profile.json
C&C IP: 127.0.0.1
URL path [/DpWvk]:
Packaging (Executable/DLL/PowerShell/Shellcode) [Executable]:
Agent file [C:\Users\Administrator\AppData\Local\Temp\TdX5dAZ.exe]:
Bitness (x86/x64) [x86]: x64
Listener (Http/Https) [Http]: https
Binding Port [8443]:
[INFO] 2022-03-06 11:38:55 - Agent file created at: C:\Users\Administrator\AppData\Local\Temp\TdX5dAZ.exe
$:> [TRAC] 2022-03-06 11:39:04 - Received connection on undefined endpoint: /N6cYn

$:> [TRAC] 2022-03-06 11:39:30 - Received connection on undefined endpoint: /DpWvk

$:> agents
+---+--------+---------------+--------+--------+---------+-----------+-----+
|Id |Created |Last connected |Address |Version |Listener |Entrypoint |Arch |
+---+--------+---------------+--------+--------+---------+-----------+-----+
+---+--------+---------------+--------+--------+---------+-----------+-----+

$:>
C:\Users\Administrator>C:\Users\Administrator\AppData\Local\Temp\vOXl.exe

C:\Users\Administrator>C:\Users\Administrator\AppData\Local\Temp\TdX5dAZ.exe

C:\Users\Administrator>


It looks like the endpoint is not stored inside the database when you create the agent. I confess this is really weird. Could you please verify whether inside the data folder there is a file named Endpoint.db? If so, could you please upload the file to the issue? I'd like to confirm my hypothesis by checking if inside the file the endpoints are defined.

I'll create a new version with more logging when an agent is created.

More logging will be great. These files are generated in data folder.
Endpoint.db.log
AgentSessionDto.db.log

I hope it can help you to solve this issue. Thank you.

thx for the file. They contain the endpoint that your image says is missing, so my hypothesis is not confirmed :\

Unfortunately I'm not able to reproduce the issue on my PC, I can try to run Alan on a windows 2019, but this can take a while (I have to find the ISO and install it).

Find attached an updated version (it solves an error in the JavaScript module and adds more logging).
Alan.v6.0.512.15.zip

Could you please redo the test with this new version (run "server.exe --verbose" and send me the output)?

P.S.
It should not be an issue, but do you have the possibility to run Alan with a network connection (the server makes an external connection to Amazon to retrieve the public IP, this is also mentioned in the documentation)?

Hi. I tried running it again on Server 2012 R2. The agent came back successfully (immediately). I think there is something wrong with my Server 2019 :(

Below is my feedback from Server 2019. Still strange:
I restored the network. It didn't work either. So it has nothing to do with the network.
data.zip.log

Thank you.

Glad that it worked in win server 2012 (to be honest, I would expect that it worked on 2019 and not in 2012 :P).

I'll keep this issue open until I'm able to do more tests with Win server 2019.

Hi. I tried installing a new Windows Server 2019. The agent still didn't come back. Feedback below:
wireshark pcap:
winserver2019.pcapng.log
data dir:
data.zip.log

Thank you. I will try my best to help )

Hi,

thanks for the feedback, much appreciated :) I think that the next step is on me by installing a Windows server 2019 and doing some tests. I'll update the issue when I have more data.

Thanks again!

Hi,

I tested Alan on Windows server 2019 and I found the bug generating the error. I compiled a new version that you can find attached. Could you please confirm that the attached version works in Windows Server 2019?

Thanks!

Alan.v6.0.512.19.zip

Hi,
I met the same error when I ran the new version. Please check the feedback below.

Thanks!

server.exe_cmd.txt.log
data.zip.log

Hi,
thanks for the feedback. Sorry if you still have issues, but it seems that Windows Server 2019 is a bit picky in some cases :) I changed approach and compiled a new version that you can find attached.

I tested it in Windows Server 2019 with success.

If you still have problems, could you please send me a pcap or, if it is easier, install Fiddler and send me an image of a request sent by the agent? I think the problem is that the cookie is not sent in the HTTP request (a thing that I should have resolved in the attached version).

Thanks!
Antonio

Alan.v7.0.512.20.zip