P2P Connections

This describes how to report p2p connection information back to the server.

What is the p2p info for

This message type allows agents to report new or removed connections between themselves or elsewhere within a p2p mesh. Apfell uses these messages to construct a connectivity graph that is displayed to the user and used to route messages through the mesh.

Agent message to Apfell

The agent message to Apfell has the following form:

{
  "edges": [
    {
      "source": "uuid of callback",
      "destination": "uuid of adjoining callback",
      "direction": 1 or 2 or 3,
      "metadata": "{ optional metadata json string }",
      "action": "add" or "remove",
      "c2_profile": "name of the c2 profile used in this connection"
    }
  ]
}

Just like other post_response messages, this message has the same UUID and encryption requirements found in Agent Message Format. Some things to note about the fields:

  • edges: an array of JSON objects describing the state of the connections that Apfell knows about. Each edge in this array has the following fields:

    • source: one end of the p2p connection (more often than not, this is the agent that's reporting this information)

    • destination: the other end of the p2p connection

    • direction: the direction of communication.

      • 1 - means from source to destination (think of this like connecting to a bind shell)

      • 2 - means from destination to source (think of this like a reverse connection)

      • 3 - means the communication is bidirectional

      • Together, these values give the resulting mesh directionality, which determines how messages can be constructed if the server is going to specify the routing direction

    • metadata: additional information about the connection that the agent wants to report. For example, when dealing with SMB bind pipes, this could contain information about the specific pipe name instances that are being used if they're being programmatically generated.

    • action: indicates whether the connection described above is to be added to or removed from Apfell.

    • c2_profile: indicates which c2 profile is used for the connection
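The following is an added example, not Apfell's own server code, showing how a receiver of this message could validate each edge and keep the connectivity graph up to date. The function names, the keying of the graph by (source, destination, c2_profile), and the mapping of direction values to allowed senders are assumptions made for illustration.

```python
import json

REQUIRED = ("source", "destination", "direction", "action", "c2_profile")

def validate_edge(edge):
    """Return a normalized copy of one edge, or raise ValueError."""
    missing = [k for k in REQUIRED if k not in edge]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if edge["direction"] not in (1, 2, 3):
        raise ValueError(f"bad direction: {edge['direction']!r}")
    if edge["action"] not in ("add", "remove"):
        raise ValueError(f"bad action: {edge['action']!r}")
    try:  # metadata is optional; when present it must be a JSON string
        metadata = json.loads(edge.get("metadata") or "{}")
    except (TypeError, ValueError):
        raise ValueError("metadata is not a JSON string")
    return {**{k: edge[k] for k in REQUIRED}, "metadata": metadata}

def apply_edges(graph, message):
    """Apply an edges message to graph: (source, destination, c2_profile) -> edge."""
    edges = [validate_edge(e) for e in message.get("edges", [])]  # reject all on any error
    for e in edges:
        key = (e["source"], e["destination"], e["c2_profile"])
        if e["action"] == "add":
            graph[key] = e
        else:
            graph.pop(key, None)  # removing an unknown edge is a no-op
    return graph

def can_send_to(graph, node):
    """Neighbours `node` may send to (assumed reading of direction 1/2/3)."""
    out = set()
    for (src, dst, _), e in graph.items():
        if src == node and e["direction"] in (1, 3):
            out.add(dst)
        if dst == node and e["direction"] in (2, 3):
            out.add(src)
    return out

# Constructed sample message; UUIDs, pipe name and profile name are made up.
SAMPLE = {"edges": [{
    "source": "11111111-1111-1111-1111-111111111111",
    "destination": "22222222-2222-2222-2222-222222222222",
    "direction": 1, "action": "add", "c2_profile": "smb",
    "metadata": json.dumps({"pipe_name": "constructed-pipe-name"}),
}]}

if __name__ == "__main__":
    g = apply_edges({}, SAMPLE)
    print(can_send_to(g, SAMPLE["edges"][0]["source"]))
```

Validating the whole batch before touching the graph means a single malformed edge cannot leave the graph half-updated.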

Response message from Apfell

After getting a message like this, Apfell responds with a message of the following form:

{
    "status": "success" or "error",
    "error": "error message if status was error",
    "task_id": "id of task"
}

This is very similar to most other response messages from the Apfell server.
