e61d12b640
Updated mimikatz dlls
2016-03-31 15:35:28 -04:00
dae17d1bc1
Merge pull request #165 from Kevin-Robertson/master
...
Inveigh 1.1 and Tater Modules
2016-03-31 11:13:53 -07:00
32b36c9597
Comment/Notes changes and WPADResponse removal
...
Updated additional comment/notes. I removed WPADResponse from inveigh
and inveigh_bruteforce since wpad.dat code contains commas. The python
code that is parsing the commas for the array parameters is getting in
that way. I can add WPADResponse back in later.
2016-03-30 15:35:44 -04:00
7a3a95f735
Sync features with updated versions of Inveigh and Tater
...
Upgrading collection/inveigh, lateral_movement/inveigh_relay, and
privesc/tater. Adding collection/inveigh_bruteforce.
2016-03-29 23:55:39 -04:00
b3e8ebabe5
Expanded server/agent epoch check from +/- 10 minutes to +/- 12 hours
2016-03-26 00:00:40 -04:00
ae9f046aba
Added trollsploit/rick_astley to run @SadProcessor's audio rickroll
2016-03-21 23:11:12 -04:00
d5db75c3d0
-Updated PowerView.ps1 code
...
-Re-tested all powerview modules
-Updated some module options
-Fixed bug in helpers.generate_dynamic_powershell_script()
-Added situational_awareness/network/powerview/get_domain_policy
-Added situational_awareness/network/powerview/get_dfs_share
-Added situational_awareness/network/powerview/get_fileserver
-Added situational_awareness/network/powerview/get_rdp_session
-Added situational_awareness/network/powerview/get_site
-Added situational_awareness/network/powerview/get_subnet
-Added situational_awareness/host/get_proxy
-Added situational_awareness/host/get_pathacl
-Added management/get_domain_sid
2016-03-19 08:38:18 -04:00
45d219e1f5
bug fix for Invoke-PsExec and some x64 pointers
2016-03-11 20:33:46 -05:00
2382bd0dea
Added privesc/getsystem
2016-03-11 19:31:27 -05:00
da52a6268b
Attempted fix for issue #136
2016-03-03 19:33:45 -05:00
8c1927887a
remove output
2016-03-03 18:22:24 -05:00
7d711d4e77
Implemented mynameisv's download chunking.
2016-03-03 18:21:16 -05:00
355db39847
Added privesc/mcafee_sitelist
2016-02-18 00:08:08 -05:00
8b385928dc
Added Tater privesc module
...
Empire module version of https://github.com/Kevin-Robertson/Tater .
2016-02-15 18:40:09 -05:00
c0d427cdc8
Corrected several bugs in how the workingHours window is handled in the agent
...
Added validation to the workinghours time format
2016-01-11 01:24:46 -05:00
f02e675f52
Renamed to Find-ManagedSecurityGroups at @harmjoy's request
2015-12-28 17:44:16 +00:00
d82f5208a7
Merge branch 'master' of https://github.com/PowerShellEmpire/Empire into identify_ad_managed_security_groups
2015-12-28 17:40:17 +00:00
da439c441b
Merge pull request #118 from jamcut/trusted-document-store
...
Add module to enumerate trusted documents and locations for MS Office.
2015-12-27 13:03:54 -08:00
a66d2e536e
Implemented @Harmj0y changes
2015-12-27 00:04:38 -05:00
d49b080037
Added GitHub link to Notes section of ps1 file
2015-12-24 08:35:50 -05:00
c7dfa63ee8
Added description
2015-12-24 11:59:12 +00:00
74abeaa2a6
Added link to PR
2015-12-24 11:56:11 +00:00
264863b7bc
remove debugging print
2015-12-24 11:48:11 +00:00
bc949a8ae4
use samaccountname for the username
2015-12-24 11:47:52 +00:00
3f49d7fcfe
Remove trailing spaces
2015-12-24 11:34:02 +00:00
a078c2bd76
Works
2015-12-24 11:23:24 +00:00
c51b33b74c
Add module to enumerate trusted documents and locations for MS Office.
2015-12-23 13:45:56 -05:00
0a3aaecb13
Update
2015-12-23 17:02:10 +00:00
c6ff79d7b8
Merge pull request #117 from stufus/add_egress_busting
...
Add Egress Checking Traffic Generator Module
2015-12-22 11:40:32 -08:00
dbbe61df41
Broken -but adding notes for testing nTSecurityDescriptor
2015-12-22 00:23:44 +00:00
150d89d292
Initial module creation
2015-12-21 23:13:13 +00:00
c97acb0ee6
Fix comments
2015-12-21 22:49:06 +00:00
f98844d905
Fix comments
2015-12-21 22:48:39 +00:00
4c87700c6d
Fix up verbosity
2015-12-21 22:47:54 +00:00
cea0826222
Rework this to remove the -verbosity parameter now that Ive realised that Write-Verbose exists....:)
2015-12-21 22:18:52 +00:00
dc9808b06b
Merge branch 'master' of https://github.com/PowerShellEmpire/Empire into add_egress_busting
2015-12-21 20:50:11 +00:00
8401be21f4
Updated header
2015-12-21 20:48:48 +00:00
d48563e6e8
Sorted out verbose output
2015-12-21 20:44:51 +00:00
6186502749
Added Inveigh's HTTP NTLMv2 to SMB relay as an Empire module
...
This module is a direct copy/paste of the Invoke-InveighRelay function
from the standalone version of Inveigh. The module will relay incoming
HTTP NTLMv2 authentication requests to an SMB target. If authentication
is successful and the user is a local administrator on the target
system, the specified command should be executed on the target PSexec
style. This module can be used with or without collection/inveigh. If
collection/inveigh is used, ensure that HTTP is disabled in
collection/inveigh. If this module is used without collection/inveigh,
another method will need to be employed to trigger incoming HTTP
requests.
This module has been successfully tested with Empire's launcher
one-liner to establish additional agents. In testing I observed a delay
(30 seconds or so) between the service creation message and Empire's
agent active message.
harmj0y: As I mentioned in the collection/inveigh pull request comments,
the length of the parameter names is throwing off Empire's options
command column display alignment. I'm not sure if there is an easy fix
for this. Also, I used the same code that you added to inveigh.py after
the pull request. With this code, I did not observe that the
SMBRelayCommand value needed to be wrapped in quotes.
2015-12-14 21:48:49 -05:00
e2209606aa
Synced collection/inveigh with current standalone Inveigh code
...
Direct copy/paste of Invoke-Inveigh function from current standalone
version of Inveigh. This version contains a number of
additions/changes/bug fixes. There are two primary additions that may be
useful to Empire users. The first is that 1122334455667788 is no longer
used as the default challenge over HTTP since it's now getting flagged
by SEP and maybe others. The default behavior is a random challenge for
each request. A specific challenge can also be specified through the
'challenge' parameter. The second is the ability to set a run time so
that collection/inveigh will auto-exit after a specified number of
minutes. On the python side, I have added the additional relevant
parameters and flipped the module to opsec safe since no files are
created on disk.
2015-12-13 19:31:52 -05:00
93c1d46236
Updated powerview.ps1
...
Added situational_awareness/network/powerview/get_cached_rdpconnection
Added situational_awareness/network/powerview/set_ad_object
Added management/downgrade_account
2015-12-11 17:56:25 -05:00
74b72a380b
Fixing help
2015-12-10 19:27:02 +00:00
5e7ff31a42
Fix up brackets
2015-12-10 19:22:03 +00:00
a39f7f1753
Takes too long to generate the array when scanning 1-65535 so work as we go along
2015-12-10 19:19:24 +00:00
36644c2a85
Argh, apparently you cant use > and <, roll on -gt....
2015-12-10 19:14:34 +00:00
cba71f42bf
Consistency
2015-12-10 19:11:38 +00:00
58c5ca4fd0
Added help information etc
2015-12-10 19:09:02 +00:00
503522b6d6
Moving verbosity to specific functions
2015-12-10 10:49:06 +00:00
a1ce988d48
Adding configurable parameters
2015-12-10 10:47:30 +00:00
10318899fd
Tidying up powershell function definition
2015-12-10 10:39:09 +00:00
064e2ac33f
Taken from egresscheck-framework, need to tidy it up though
2015-12-02 19:41:33 +00:00
9d9389d0a1
Merge pull request #104 from monoxgas/master
...
Added Hashdump using Invoke-DCSync
2015-12-01 10:28:45 -05:00
1ba56acc13
Added persistence/userland/backdoor_lnk
2015-11-30 23:20:49 -05:00
5a85be3d37
Update Fixes
2015-11-30 18:21:22 -07:00
3d801abcfb
Invoke-DCsync PS1
2015-11-30 17:18:41 -07:00
66b7aa17f1
Added several modules in management/mailraider/* to integrate @xorrior's MailRaider.ps1
2015-11-29 11:58:16 -05:00
743fe02b44
Removed non-ascii character from Get-FoxDump.ps1
...
Added ascii check before module tasking
2015-11-28 20:24:45 -05:00
42c7eb901d
Merge branch 'master' of https://github.com/xorrior/Empire
2015-11-28 16:34:19 -05:00
104166f8e8
Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump
2015-11-28 16:34:13 -05:00
6c867048c4
Add Invoke-SSHCommand
2015-11-25 15:49:36 -05:00
acb9d1bb2f
Added ChromeDump and FoxDump modules
2015-11-25 11:55:36 -05:00
abb1c7f555
Changed User Agent to be 2.0 compatible
2015-11-23 15:40:45 -05:00
c2c1676eea
Added Random User Agents
2015-11-23 11:37:54 -05:00
b703e13614
Added HTTP-Login Recon Module
2015-11-23 08:50:58 -05:00
b8d34090fe
Added JBoss JMX Console exploit deployment module.
2015-11-20 12:37:19 -05:00
8961af6262
Added situational_awareness/network/powerview/get_loggedon and get_session
2015-11-12 23:17:37 -05:00
6058f25a57
few tweaks to recon/find_fruit
2015-11-08 20:40:07 -05:00
c68177cff7
Merge pull request #87 from rvrsh3ll/master
...
Threading Updates
2015-11-08 20:37:41 -05:00
fbd0b3434e
Added ColdFusion
2015-11-08 20:08:46 -05:00
c9afcc138f
Updated PowerView, added situational_awareness/network/powerview/get_forest
2015-11-08 19:36:20 -05:00
7db7ec6bbc
All PowerUp modules now dynamically built from a single source file
...
PowerUp bug fixes
Added privesc/powerup/service_exe_restore, pulled logic from other modules
Added management/spawnas to spawn agents with explicit credentials
Debug functionality (--debug) now outputs the source of the last tasked script to ./LastTask.ps1
Write-Verbose and Write-Debug lines now stripped from tasked scripts
2015-11-08 18:51:57 -05:00
746f390a1d
Added Threading
...
Added FoundOnly
2015-11-08 08:10:32 -05:00
4908aca8c5
Specifying Mandatory Level Name instead of SID can lead to false-negative result (for non-latin names, as for me - cyrillic). Changed to SID
2015-11-01 23:55:08 +03:00
123a2435a7
updated dlls to fix bug in injection and dll payload injection
2015-10-30 11:58:21 -04:00
d6daa45646
Merge branch 'master' into module_dev_paranoia
2015-10-28 23:39:38 -04:00
e62c5866c0
Moved Find-Fruit.ps1 source to ./data/module_source/recon/*
...
Output tweak for find_fruit, added ShowAll flag
2015-10-28 13:52:35 -04:00
e08625b919
Merge pull request #73 from PowerShellEmpire/powerview2.0_update
...
Powerview2.0 update
2015-10-27 15:19:15 -04:00
cd0e50a7aa
Error handling and recurse more than one level for PowerView >_<
2015-10-26 18:03:39 -04:00
b4af938188
Updated PowerView to 2.0.1
2015-10-26 15:29:37 -04:00
e82dffc654
Added leechristensen's fix to support .Net 3 and 4. Fixes a bug with injection on boxes without .NET 4.0
2015-10-26 14:19:44 -04:00
0cbdb165a2
-Updated powerview.ps1 source to Version 2.0
...
-Built a way to dynamically generate the stripped PowerView code for functions needed by PowerView modules (helpers -> generate_dynamic_powershell_script), and updated all relevant PowerView modules
-Renamed PowerView modules to better match PowerView 2.0 naming scheme and moved to situational_awareness/network/powerview/*
-Removed old split-out PowerView source files
-Removed situational_awareness/network/netview
-Combined stealth_userhunter into option for userhunter
-Added situational_awareness/network/get_forest_domain, situational_awareness/network/powerview/get_object_acl, situational_awareness/network/powerview/find_computer_field, situational_awareness/network/powerview/find_user_field, situational_awareness/network/powerview/get_ou, situational_awareness/network/powerview/get_group, situational_awareness/network/powerview/get_group_member, situational_awareness/network/powerview/get_gpo, situational_awareness/network/powerview/find_gpo_location, situational_awareness/network/powerview/find_gpo_computer_admin, situational_awareness/network/powerview/process_hunter, situational_awareness/network/powerview/find_foreign_group, situational_awareness/network/powerview/find_foreign_user
-renamed collection/filesearch to collection/find_interesting_file
2015-10-23 21:40:06 -04:00
d5344b6716
Merge pull request #51 from xorrior/master
...
Modified Invoke-WinEnum
2015-10-13 06:56:12 -04:00
7541ea23e8
Modified Invoke-WinEnum
...
Added Firewall Rules enumeration. Slightly modified file searches to
only pull files owned by the user. Changed formatting.
2015-09-14 16:34:32 -04:00
140c4baf7a
Fixed write_dllhijacker.
2015-09-12 08:23:12 -04:00
7390ce012c
Delete Invoke-BypassUAC.ps1~
2015-09-12 12:44:01 +02:00
eaedd354c7
updated to support win10
2015-09-04 21:20:30 -04:00
875284be7a
Working release
2015-09-03 03:44:34 -04:00
788be8b06a
Converted message HMAC from MD5 to SHA1
2015-08-27 18:40:19 -04:00
8eaf601ea5
Merge pull request #33 from PowerShellEmpire/inveigh
...
Integration of Kevin Robertson's Inveigh project
2015-08-26 17:23:52 -04:00
d3fc5137d4
added privesc/bypassuac_wscript
2015-08-25 21:18:48 -04:00
fb9c18769f
Added collection/inveigh.
2015-08-25 17:21:59 -04:00
31febba7cb
Modified packet. Support unicode chars in agent
2015-08-24 09:04:21 -04:00
cf935db0ae
Merge pull request #18 from 1njected/master
...
Added support for custom proxy and fixed Epoch/counter to support other cultures/datetime-formats
2015-08-24 08:00:58 -04:00
be637dd38a
Updated .dll for Invoke-Mimikatz, including lsadump::dcsync functionality.
2015-08-24 01:28:11 -04:00
804e1a01a2
Revamped basic shell operations in agent core (cp, dir, mv, etc.)
...
Standardized UNC path normalization in agent core
added hostname alias
2015-08-20 15:32:26 -04:00
39d974bb09
Continued porting native shell commands to WMI replacents in agent core
...
In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases
Modified ./setup/reset.sh to work from parent or ./setup/ folders
2015-08-20 14:35:42 -04:00
fdfb0ba337
Removed "whoami" from the high integrity check.
2015-08-19 21:08:57 -04:00
ae741e2c85
Implement agent route command in WMI.
2015-08-19 20:51:36 -04:00
f5916f0d3e
Fixed Epoch/counter to support other cultures/datetime-formats
2015-08-20 00:55:21 +02:00
109fa29f60
Combined code components for agent.ps1 shell command section.
2015-08-19 18:33:04 -04:00
e68870f143
the following agent commands now use WMI instead of native binaries: ps, tasklist, ipconfig, ifconfig
2015-08-19 18:16:01 -04:00
4bb0bc4d47
Corrected menu behavior on agent exit, bug fix on some dir behavior
2015-08-19 15:51:36 -04:00
f07a4d4a3f
Added collection/netripper implementation of the NetRipper project from Ionut Popescu (@NytroRST)
2015-08-18 21:09:05 -04:00
6ddce8bb7e
Added lateral_movement/invoke_psexec
2015-08-16 10:46:22 -04:00
2b499a559c
Added modules management/timestomp, trollsploit/process_killer, persistence/elevated/wmi, situational_awareness/network/smbscanner
2015-08-16 10:46:12 -04:00
da6c5a983c
Updated Lost Agent Detection
2015-08-14 09:42:54 -04:00
834b5c03fc
Added missed CB limits
2015-08-14 09:42:54 -04:00
4624cff0e6
Authenticate the encrypted communications
2015-08-08 18:54:02 +01:00
58d626dda4
removed line after function definition
2015-08-07 19:37:12 -04:00
751d0c15d6
Initial BSidesLV '15 release of v1.0.0
2015-08-05 14:36:39 -04:00
enigma0x3
HarmJ0y
Kevin Robertson
Stuart Morgan
Jeff McCutchan
Monox Gas
Nick Landers
xorrior
rvrsh3ll
tguglanaklona
enigma0x3
pasv
root
Justin
Tomas Rzepka
Jon Cave