DNS Issues with resolvers using DNS-0x20 encoding #1587
Comments
|
I think the real bug is in the detection of case sensitive vs. case insensitive encoding, the implant should* be able to detect this manipulation and fallback to base32 but doesn't. |
|
There are multiple issues here: First IssueAn example of a message which failes to decode is the initial TOTP message, which is always base32 encoded. sliver/implant/sliver/transports/dnsclient/dnsclient.go Lines 926 to 937 in c8a7948 The problem is that the DNS-0x20 encoding will alter the case of the subdata, which then fails decoding in the base32 encoder, as there are characters which are uppercase. sliver/util/encoders/base32.go Lines 27 to 39 in c8a7948 Possible SolutionA solution to this is doing return sliverBase32.DecodeString(strings.ToLower(string(data)))This however is partially problematic(programming wise) as, it transfers the responsibility from Second IssueSometimes, a base32 encoded value mangled by DNS-0x20(for example) is interpreted as a base58 encoded value. I have seen you mention this issue here: #1354 (comment) This can become a problem for example here: Lines 382 to 394 in c8a7948 When the data gets interpreted as base58 and produces semi-valid protobuf data, the decodeSubdata functions returns a message and no error. This becomes a problem on line 394 as we use the ID field, which is incorrectly interpreted. This issue will produce a log warning: Line 396 in c8a7948 Possible SolutionA possible solution could be that if we attempt to decode the subdata using the current method and we are unable to find a valid session id we could attempt to decode the lowercase value of the subdata. The solution would look something like this: dnsLog.Debugf("[dns] processing req for subdomain = %s", subdomain)
msg, checksum, err := s.decodeSubdata(subdomain)
if err != nil {
dnsLog.Errorf("[dns] error decoding subdata: %v", err)
return s.nameErrorResp(req)
}
// TOTP Handler can be called without dns session ID
if msg.Type == dnspb.DNSMessageType_TOTP {
return s.handleHello(domain, msg, req)
}
// All other handlers require a valid dns session ID
_, ok := s.sessions.Load(msg.ID & sessionIDBitMask)
if !ok {
subdomain = strings.ToLower(subdomain)
dnsLog.Debugf("[dns] reprocessing req for subdomain = %s", subdomain)
msg, checksum, err = s.decodeSubdata(subdomain)
if err != nil {
dnsLog.Errorf("[dns] error decoding subdata: %v", err)
return s.nameErrorResp(req)
}
_, ok := s.sessions.Load(msg.ID & sessionIDBitMask)
if !ok {
dnsLog.Warnf("[dns] session not found for id %v (%v)", msg.ID, msg.ID&sessionIDBitMask)
return s.nameErrorResp(req)
}
}This is a bit of a hacky solution, but should work. Better SolutionWould be nice to be able to determine whether the resolver manipulates the DNS queries using for example DNS-0x20 encoding. |
|
We've removed TOTP in v1.6, it would be good to address all these issues in that branch. Perhaps we should just use a single bit to indicate the Base32 vs. Base58 instead of trying to detect it. |
|
Sorry, but I do not understand. The code I referenced in the previous comment is from the master branch and not to the 1.5.x/master branch. Is there a more updated version of v1.6? |
|
Oh yes, you're right. We did remove the TOTP auth, but the message is still called TOTP. |
|
I am using BIND9 with a custom TLD in a lab environment and encountering the same issue in v1.5.42: "file":"github.com/bishopfox/sliver/server/c2/dns.go:377","func":"github.com/bishopfox/sliver/server/c2.(*SliverDNSServer).handleC2","level":"eror","msg":"[dns] error decoding subdata: invalid dns message","pkg":"c2","stream":"dns","time":"2024-04-11T13:51:09-04:00"} {"file":"github.com/bishopfox/sliver/server/c2/dns.go:361","func":"github.com/bishopfox/sliver/server/c2.(*SliverDNSServer).isC2SubDomain","level":"info","msg":"'Y1utwLtf8cjUiQzG79EKeAhKMrKCtAqxd4WPt3nrrEW5DAa4B4hBqGMxXcjHRtR.6EhPZHPu9Mfr3FLgNZTrNm1kvfVGUbJfM9r6y3kTav5TE1kQZDETnZ7MngmqA2m.xskXt92QdYcAwqYEf1SPDr8ncU8nzMKUNUJK8bSkSKqZyqHPkKwKY7ePHJdzuiP.xEgdNGHeWVmhfKB64ro9RZKBK2Ded4Y2iAq8Y.beacon.example.com.' is subdomain of 'beacon.example.com.'","pkg":"c2","stream":"dns","time":"2024-04-11T13:51:09-04:00"} The client binary is running on debian linux 12.4 |
|
i am havking the same error |
|
I'm having this issue even with force-base32 enabled. Should this work or is it a problem with my setup? |
Unfortunately no. The base32 encoder does not force lowercase characters, which will mean that decoding will not be possible using base32. |
|
for now i can make it work using DNS server 1.1.1.1, but i can not use this is production if the "victim" is using google DNS resolvers. |
|
Our team is also experiencing the same problem when using 8.8.8.8 resolver as well as some others. While using server version 1.5.42 I attempted to start the dns listener with the -D option to disable TOTP auth as suggested but this did not appear to fix the problem. I also tried to compile and run version 1.6 of the server using 9510a5f and it appears that the DNS command has been removed so I was unable to test. |
|
I'm working on a fix for v1.6 and hoping it have it done soon, it's the last major bug before the v1.6 release! |
Describe the bug
If a host, windows was used during testing, is configured to use a DNS resolver which employs what is known as DNS-0x20 encoding, the DNS C2 communication channel is never established.
The encoding known as DNS-0x20, will basically randomly change the case of each character in a DNS query. This will garble the DNS queries sent to the sliver server which result in error messages in the logs.
Here is an example (cleaned for privacy) of what will be seen in the
sliver.logfile:To Reproduce
Configure a host to use the Google public DNS resolver (8.8.8.8) and attempt to deploy a DNS beacon.
Expected behavior
The beacon is successfully deployed and can be used.
Desktop (please complete the following information):
Additional context
Found this article as well as the linked whitepaper
The text was updated successfully, but these errors were encountered: