
Agent communicates with base64 obfuscation despite different operation settings #2975

Open
l1ghts4ber opened this issue May 10, 2024 · 6 comments

@l1ghts4ber

Description
When starting an operation with the plain-text obfuscator, the agent nevertheless communicates with base64 encryption.

To Reproduce
Steps to reproduce the behavior:

  1. Start a new operation with the plain-text obfuscator (different settings for Adversary, Fact Source etc. not tested yet)
  2. Run links while capturing network traffic

Expected behavior
The agent's communication (beaconing/commands) should be readable in plain-text from captured network traffic.

Screenshots
Operation setup: [screenshot]

This is a sample HTTP data snippet of an HTTP/200 OK message from Caldera to the agent: [screenshot]

This is a sample decoded beacon POST request from a pcap file analyzed with Wireshark: [screenshot]

Desktop (please complete the following information):

  • OS: Ubuntu 22.04 LTS
  • Browser: Chrome Version 124.0.6367.201 (Official Build) (64-bit)
  • Caldera v5.0.0

Additional context
Caldera v5.0.0 standard installation with git clone https://github.com/mitre/caldera.git --recursive

@l1ghts4ber (Author)

May be related to:
https://github.com/mitre/caldera/issues/2970

@guillaume-duong-bib

I haven't checked anything, but I think you might be confusing the base64 command obfuscation versus the base64 payload encoding for network transport. Try to start the same operation with base64 obfuscation, you should see a difference in the command field.

@l1ghts4ber (Author) commented May 13, 2024

With plain-text, the command itself also gets base64 encoded (in network traffic). Will provide a screenshot as soon as I can.

@guillaume-duong-bib commented May 14, 2024

Alright, so here are some results:

  1. Operation with no obfuscation
     Payload from the server to the agent:
     eyJwYXciOiAidWRqd2JtIiwgInNsZWVwIjogMzgsICJ3YXRjaGRvZyI6IDAsICJpbnN0cnVjdGlvbnMiOiAiW1wie1xcXCJpZFxcXCI6IFxcXCJjZDY3MTM5NC1hMGY3LTRlNWUtOWEyNy0yNTA2NGIyNGE0YmRcXFwiLCBcXFwic2xlZXBcXFwiOiAzLCBcXFwiY29tbWFuZFxcXCI6IFxcXCJaV05vYnlCb1pXeHNidz09XFxcIiwgXFxcImV4ZWN1dG9yXFxcIjogXFxcInBzaFxcXCIsIFxcXCJ0aW1lb3V0XFxcIjogNjAsIFxcXCJwYXlsb2Fkc1xcXCI6IFtdLCBcXFwidXBsb2Fkc1xcXCI6IFtdLCBcXFwiZGVhZG1hblxcXCI6IGZhbHNlLCBcXFwiZGVsZXRlX3BheWxvYWRcXFwiOiB0cnVlfVwiXSJ9
     Translates into:
     {"paw": "udjwbm", "sleep": 38, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"cd671394-a0f7-4e5e-9a27-25064b24a4bd\\\", \\\"sleep\\\": 3, \\\"command\\\": \\\"ZWNobyBoZWxsbw==\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}
     Command translates into:
     echo hello

  2. Operation with base64 obfuscation
     Payload from the server to the agent:
     (base64 payload omitted)
     Translates into:
     {"paw": "udjwbm", "sleep": 42, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"c96d559b-a60c-48b2-bb8a-f192a45cf042\\\", \\\"sleep\\\": 3, \\\"command\\\": \\\"cG93ZXJzaGVsbCAtRW5jIFpRQmpBR2dBYndBZ0FHZ0FaUUJzQUd3QWJ3QT0=\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}
     Command translates into:
     powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=

  3. Operation with caesar obfuscation
     Payload from the server to the agent:
     (base64 payload omitted)
     Translates into:
     {"paw": "udjwbm", "sleep": 45, "watchdog": 0, "instructions": "[\"{\\\"id\\\": \\\"297d27bf-b55d-4e34-ba42-f233ca775f7d\\\", \\\"sleep\\\": 4, \\\"command\\\": \\\"JGVuY3J5cHRlZCA9ICJxb3R7IHRxeHh7IjsgJGNtZCA9ICIiOyAkZW5jcnlwdGVkID0gJGVuY3J5cHRlZC50b0NoYXJBcnJheSgpOyBmb3JlYWNoICgkbGV0dGVyIGluICRlbmNyeXB0ZWQpIHskbGV0dGVyID0gW2NoYXJdKChbaW50XVtjaGFyXSRsZXR0ZXIpIC0gMTIpOyAkY21kICs9ICRsZXR0ZXI7fSB3cml0ZS1vdXRwdXQgJGNtZDs=\\\", \\\"executor\\\": \\\"psh\\\", \\\"timeout\\\": 60, \\\"payloads\\\": [], \\\"uploads\\\": [], \\\"deadman\\\": false, \\\"delete_payload\\\": true}\"]"}
     Command translates into:
     $encrypted = "qot{ tqxx{"; $cmd = ""; $encrypted = $encrypted.toCharArray(); foreach ($letter in $encrypted) {$letter = [char](([int][char]$letter) - 12); $cmd += $letter;} write-output $cmd;

Summary

You are right in saying that the command itself gets b64 encoded, but that's not obfuscation. The obfuscation options are meant for host-level obfuscation, not network-level. And although it seems unnecessary to have a second layer of b64 encoding for the command when the whole payload already is b64-encoded, it doesn't matter as the agent will decode it before executing it.

You can see on my first example that the command is indeed b64-encoded in the payload, but what's executed by powershell is a plain echo hello.

On the contrary, for the second operation, there is a third level of b64 encoding (actually, obfuscation) that does not get peeled off before being given to powershell, which will execute powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=. So in that case we have 2 levels of b64 encoding, and one level of b64 obfuscation.

Third operation is the same: one level of b64 encoding in the payload, one in the command, but both are peeled off and powershell actually executes $encrypted = "qot{ tqxx{"; $cmd = ""; $encrypted = $encrypted.toCharArray(); foreach ($letter in $encrypted) {$letter = [char](([int][char]$letter) - 12); $cmd += $letter;} write-output $cmd;

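The layering described in the comment above, as an added worked example (this is not Caldera's code and not part of the thread). It peels the three transport layers of the "no obfuscation" beacon response quoted above (whole body base64 -> JSON envelope -> instructions JSON string -> per-link base64 command), and separately shows that the base64 obfuscator's extra `powershell -Enc` layer survives to the executor, where PowerShell itself decodes it as UTF-16LE. The sample inputs are the base64 body and the obfuscated command field copied from the comment; the function names are this example's own.

```python
import base64
import json
import re
from typing import Optional

# Constructed sample input: the base64 HTTP body quoted above for the operation
# with no obfuscation (server -> agent beacon response), copied from the thread.
SAMPLE_PLAIN_PAYLOAD = (
    "eyJwYXciOiAidWRqd2JtIiwgInNsZWVwIjogMzgsICJ3YXRjaGRvZyI6IDAsICJpbnN0cnVjdGlvbnMiOiAiW1wie1xcXCJpZFxcXCI6IFxcXCJjZDY3MTM5NC1hMGY3LTRlNWUtOWEyNy0yNTA2NGIyNGE0YmRcXFwiLCBcXFwic2xlZXBcXFwiOiAzLCBcXFwiY29tbWFuZFxcXCI6IFxcXCJaV05vYnlCb1pXeHNidz09XFxcIiwgXFxcImV4ZWN1dG9yXFxcIjogXFxcInBzaFxcXCIsIFxcXCJ0aW1lb3V0XFxcIjogNjAsIFxcXCJwYXlsb2Fkc1xcXCI6IFtdLCBcXFwidXBsb2Fkc1xcXCI6IFtdLCBcXFwiZGVhZG1hblxcXCI6IGZhbHNlLCBcXFwiZGVsZXRlX3BheWxvYWRcXFwiOiB0cnVlfVwiXSJ9"
)

# Constructed sample input: the "command" field quoted above for the operation
# with base64 obfuscation, as it appears inside the instruction JSON.
SAMPLE_B64_OBFUSCATED_COMMAND = "cG93ZXJzaGVsbCAtRW5jIFpRQmpBR2dBYndBZ0FHZ0FaUUJzQUd3QWJ3QT0="


def peel_beacon(payload_b64: str) -> dict:
    """Strip the transport layers of a beacon response (all peeled by the agent).

    Layer 1: the whole HTTP body is base64 and decodes to a JSON envelope.
    Layer 2: envelope["instructions"] is a JSON *string* holding a list of
             JSON strings, one per link.
    Layer 3: each link's "command" is base64 again; decoding it gives the
             command handed to the executor.
    None of these layers is obfuscation: every one of them is reversed before
    anything runs on the host.
    """
    envelope = json.loads(base64.b64decode(payload_b64))
    links = []
    for raw_link in json.loads(envelope["instructions"]):
        link = json.loads(raw_link)
        link["command"] = base64.b64decode(link["command"]).decode()
        links.append(link)
    return {"paw": envelope["paw"], "sleep": envelope["sleep"], "links": links}


# Matches the form PowerShell accepts for an encoded command; the argument is
# base64 of the script in UTF-16LE.
_ENC_RE = re.compile(r"^powershell\s+-enc(?:odedcommand)?\s+(\S+)$", re.IGNORECASE)


def unwrap_powershell_enc(command: str) -> Optional[str]:
    """If the executed command is `powershell -Enc <b64>`, return the script
    PowerShell decodes from it; otherwise None.

    This is the layer the base64 obfuscator adds. The agent does not strip it,
    powershell.exe does, so host telemetry (process command line) shows the
    -Enc form rather than `echo hello`.
    """
    match = _ENC_RE.match(command.strip())
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-16-le")


def obfuscation_layers(command_b64: str) -> list:
    """Every representation a defender may see, from the wire inward: the
    base64 field in the instruction JSON, the command the agent executes, and
    (only when the base64 obfuscator was used) the script PowerShell decodes."""
    executed = base64.b64decode(command_b64).decode()
    layers = [command_b64, executed]
    inner = unwrap_powershell_enc(executed)
    if inner is not None:
        layers.append(inner)
    return layers


if __name__ == "__main__":
    beacon = peel_beacon(SAMPLE_PLAIN_PAYLOAD)
    print(f"paw={beacon['paw']} sleep={beacon['sleep']}")
    for link in beacon["links"]:
        print(f"  executor={link['executor']} runs {link['command']!r}")
    print("base64 obfuscator, wire -> host:")
    for layer in obfuscation_layers(SAMPLE_B64_OBFUSCATED_COMMAND):
        print("  ->", layer)
```

Run as a script it prints the plain-text operation's link (`psh` executing `echo hello`) and, for the obfuscated command, the three layers: the wire field, `powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA=`, and finally `echo hello`. The practical consequence for anyone writing network detections against Caldera traffic is that the obfuscator setting changes nothing on the wire; it only changes what lands in process-creation telemetry on the target.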
@l1ghts4ber (Author)

Thanks for the clarification!

@elegantmoose (Contributor)

Kudos @guillaume-duong-bib for explanation.

@l1ghts4ber good to close?
