From aa9e4584a6440c0231fa539f0eba41e2684eed7a Mon Sep 17 00:00:00 2001
From: bneg
Date: Sat, 27 Jan 2018 15:53:44 -0800
Subject: [PATCH 1/2] Add "report" to main menu, adding some simple reporting

---
 lib/common/empire.py | 67 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/lib/common/empire.py b/lib/common/empire.py
index bc60a69..8cf2a48 100644
--- a/lib/common/empire.py
+++ b/lib/common/empire.py
@@ -847,6 +847,73 @@ class MainMenu(cmd.Cmd):
 print helpers.color("[*] " + os.path.basename(file) + " was already obfuscated. Not reobfuscating.")
 helpers.obfuscate_module(file, self.obfuscateCommand, reobfuscate)
+ def do_report(self, line):
+ "Produce report CSV and log files: sessions.csv, credentials.csv, master.log"
+
+ conn = sqlite3.connect("data/empire.db")
+
+ # Agents CSV
+ cur = conn.cursor()
+ cur.execute('select session_id, hostname, username, checkin_time from agents')
+
+ rows = cur.fetchall()
+ print helpers.color("[*] Writing data/sessions.csv")
+ f = open('data/sessions.csv','w')
+ f.write("SessionID, Hostname, User Name, First Check-in\n")
+ for row in rows:
+ f.write(row[0]+ ','+ row[1]+ ','+ row[2]+ ','+ row[3]+'\n')
+ f.close()
+
+ # Credentials CSV
+ cur.execute("""
+ SELECT
+ domain
+ ,username
+ ,host
+ ,credtype
+ ,password
+ FROM
+ credentials
+ ORDER BY
+ domain
+ ,credtype
+ ,host
+ """)
+
+ rows = cur.fetchall()
+ print helpers.color("[*] Writing data/credentials.csv")
+ f = open('data/credentials.csv','w')
+ f.write('Domain, Username, Host, Cred Type, Password\n')
+ for row in rows:
+ f.write(row[0]+ ','+ row[1]+ ','+ row[2]+ ','+ row[3]+ ','+ row[4]+'\n')
+ f.close()
+
+ # Empire Log
+ cur.execute("""
+ SELECT
+ reporting.time_stamp
+ ,reporting.event_type
+ ,reporting.name as "AGENT_ID"
+ ,a.hostname
+ ,reporting.taskID
+ ,t.data AS "Task"
+ ,r.data AS "Results"
+ FROM
+ reporting
+ JOIN agents a on reporting.name = a.session_id
+ LEFT OUTER JOIN taskings t on (reporting.taskID = t.id) AND (reporting.name = t.agent)
+ LEFT OUTER JOIN results r on (reporting.taskID = r.id) AND (reporting.name = r.agent)
+ WHERE
+ reporting.event_type == 'task' OR reporting.event_type == 'checkin'
+ """)
+ rows = cur.fetchall()
+ print helpers.color("[*] Writing data/master.log")
+ f = open('data/master.log', 'w')
+ f.write('Empire Master Taskings & Results Log by timestamp\n')
+ f.write('='*50 + '\n\n')
+ for row in rows:
+ f.write('\n' + row[0] + ' - ' + row[3] + ' (' + row[2] + ')> ' + unicode(row[5]) + '\n' + unicode(row[6]) + '\n')
+ f.close()
 def complete_usemodule(self, text, line, begidx, endidx, language=None):
 "Tab-complete an Empire module path."
From 7388fed540d0c6c98b57fe026b05a5f3489963b9 Mon Sep 17 00:00:00 2001
From: bneg
Date: Sat, 27 Jan 2018 21:11:32 -0800
Subject: [PATCH 2/2] Fixed db connection

---
 lib/common/empire.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/common/empire.py b/lib/common/empire.py
index 8cf2a48..6ddd551 100644
--- a/lib/common/empire.py
+++ b/lib/common/empire.py
@@ -850,10 +850,10 @@ class MainMenu(cmd.Cmd):
 def do_report(self, line):
 "Produce report CSV and log files: sessions.csv, credentials.csv, master.log"
- conn = sqlite3.connect("data/empire.db")
+ self.conn = sqlite3.connect("data/empire.db")
 # Agents CSV
- cur = conn.cursor()
+ cur = self.conn.cursor()
 cur.execute('select session_id, hostname, username, checkin_time from agents')
 rows = cur.fetchall()
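Review bot: The per-row `f.write(row[0]+ ','+ row[1]+ ...)` lines in do_report build the CSV by concatenating raw column values, so a NULL column (a credential row with no domain or host, if the schema permits it) raises TypeError partway through and leaves the file open and truncated, and any value containing a comma, quote or newline corrupts the CSV layout. Writing the rows with the stdlib `csv` module inside `with open(...)` blocks fixes both (with `import csv` added to the module imports); the sessions.csv rewrite is below and credentials.csv needs the same treatment. Separately, `conn = sqlite3.connect("data/empire.db")` is never closed, and master.log mixes `unicode(row[5])` into a file opened with plain `open(..., 'w')`, which under Python 2 raises UnicodeEncodeError as soon as task output contains non-ASCII text — `io.open(path, 'w', encoding='utf-8')` avoids that. The encode below assumes the connection returns TEXT columns as unicode (sqlite3's default); confirm the menu does not set a different text_factory.
```python
rows = cur.fetchall()
print helpers.color("[*] Writing data/sessions.csv")
with open('data/sessions.csv', 'w') as f:
    writer = csv.writer(f)
    writer.writerow(['SessionID', 'Hostname', 'User Name', 'First Check-in'])
    for row in rows:
        # NULL columns become '' instead of raising; csv quotes commas/newlines for us
        writer.writerow([('' if v is None else unicode(v)).encode('utf-8') for v in row])
# … unchanged: credentials query; apply the same csv.writer pattern to credentials.csv …
```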
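Review bot: `self.conn = sqlite3.connect("data/empire.db")` rebinds the menu's connection attribute on every report instead of reusing it; if MainMenu already opens its database connection at construction (its __init__ is outside this hunk), each call silently discards that connection without closing it and replaces it with one opened with sqlite3's default settings, which every other menu method then inherits. If the intent of "Fixed db connection" is to use the existing shared connection, drop the connect line and keep only `cur = self.conn.cursor()`; if a separate connection is really wanted, keep it local and close it once the report files are written.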