Commit Graph

286 Commits (801a3eac362ad7c2314c87f18f962ec4251612cb)

Author SHA1 Message Date
Matt Nelson 95fbf7f8c5 Merge pull request #193 from subTee/master
regsvr32 (sct) Stager
2016-04-21 17:05:26 -04:00
Casey Smith 0686f48e37 Update regsvr32.py 2016-04-21 13:02:18 -06:00
Casey Smith f7df5ee06a Update regsvr32.py 2016-04-21 12:53:01 -06:00
Casey Smith 37f6e4f362 Update regsvr32.py 2016-04-21 12:52:40 -06:00
Casey Smith eb764d1aa9 Create regsvr32.py 2016-04-21 12:49:33 -06:00
Matt Nelson dce67beaeb Added tab-completion for list command 2016-04-15 14:42:12 -04:00
HarmJ0y 96ac925773 Merge pull request #182 from xorrior/master
Added MiniEye collection module; Minor change to ChromeDump
2016-04-11 15:47:19 -07:00
xorrior 523e4458c1 Added MiniEye collection module; Minor change to ChromeDump
MiniEye - Collect recordings from Webcam.
ChromeDump - Modified sqlite DB connection string for read-only access.
2016-04-09 22:11:28 -04:00
HarmJ0y 54037db2b6 Merge pull request #176 from luxcupitor/dev
Modules for unauthenticated access to Jenkins Script Consoles to run OS commands
2016-04-08 15:12:17 -07:00
HarmJ0y db7c1c95b3 Merge pull request #177 from n0clues/master
Binding Empire's native listeners to IP specified in Host option…
2016-04-06 22:21:25 -07:00
n0clues f376dc243c Binding Empire's native listeners to IP specified in Host option instead to 0.0.0.0 - issue#175 2016-04-06 14:24:02 +02:00
Lux Cupitor 4f61ecda2b added modules for unauthenticated Jenkins Script console access 2016-04-06 08:06:24 -04:00
Harmj0y b56e5d29ec listener starting now returns more verbose errors on failure in console and API
merge of @mynameisiv's .jpg screenshot PR
fix for path errors in some cases for ./setup/setup_database.py
2016-04-01 17:06:21 -04:00
mynameisv 917cb2b246 screeshot in jpeg and shortcut 2016-03-31 23:27:15 +02:00
Harmj0y ac5b002301 Updated changelog and version number for 1.5.0 release. 2016-03-31 16:06:02 -04:00
HarmJ0y dae17d1bc1 Merge pull request #165 from Kevin-Robertson/master
Inveigh 1.1 and Tater Modules
2016-03-31 11:13:53 -07:00
Harmj0y c6662d8a3a Added loading of external module directories with the 'load /DIR/' command in the main menu.
Solves issue #81.
2016-03-30 23:03:02 -04:00
Kevin Robertson 32b36c9597 Comment/Notes changes and WPADResponse removal
Updated additional comment/notes. I removed WPADResponse from inveigh
and inveigh_bruteforce since wpad.dat code contains commas. The python
code that is parsing the commas for the array parameters is getting in
that way. I can add WPADResponse back in later.
2016-03-30 15:35:44 -04:00
Alexander d7cf4c02c4 Merge branch 'master' of https://github.com/0xbadjuju/Empire 2016-03-30 08:27:52 -05:00
Alexander e6aff73eb1 Merge remote-tracking branch 'refs/remotes/origin/dev' 2016-03-30 08:21:56 -05:00
Kevin Robertson 987679bd9a Fixed missing single quote in description 2016-03-30 08:52:20 -04:00
Kevin Robertson 7a3a95f735 Sync features with updated versions of Inveigh and Tater
Upgrading collection/inveigh, lateral_movement/inveigh_relay, and
privesc/tater. Adding collection/inveigh_bruteforce.
2016-03-29 23:55:39 -04:00
Alexander 74945a953a Update normal.py 2016-03-29 17:00:45 -05:00
Alexander f6fc8550b1 Added normal.dot persistence mechanism 2016-03-29 16:38:02 -05:00
Harmj0y b3e8ebabe5 Expanded server/agent epoch check from +/- 10 minutes to +/- 12 hours 2016-03-26 00:00:40 -04:00
Harmj0y c2ba61ca8d added -sta to stager launching 2016-03-25 19:45:09 -04:00
Harmj0y 16fbd88339 For stagers generated through the API, if 'OutFile' is set in the
passed arguments, the 'Output' field in stager data return will
contain the base64 encoded value of the generated stager data.
2016-03-24 22:24:01 -04:00
Harmj0y b43da089ef Added POST /api/modules/<path:module_name> to task a module with specified options
Fix multi-stager generation bug
More exception handling in empire.py
2016-03-24 16:03:31 -04:00
Harmj0y 31eb9d387a Changed API path from /empire/api/ to /api/
Fixed agent renaming bug
2016-03-23 14:30:54 -04:00
HarmJ0y 446a004cc1 Merge pull request #157 from PowerShellEmpire/restful_api
RESTful API
2016-03-22 14:15:25 -07:00
Harmj0y d67bbcce15 more small bug fixes 2016-03-22 14:37:10 -04:00
Harmj0y 2a13328c5b nav menu bug fix and standardization 2016-03-22 14:32:47 -04:00
Harmj0y ce307aa6db fix for issue #155 2016-03-22 01:51:23 -04:00
Harmj0y 502dc5c679 Added SSL and basic token auth to the RESTful API
Added random RESTful API token generation on server startup
2016-03-22 01:41:48 -04:00
Harmj0y ae9f046aba Added trollsploit/rick_astley to run @SadProcessor's audio rickroll 2016-03-21 23:11:12 -04:00
Harmj0y 9f1deb1d9e Added /empire/api/agents/<string:agent_name>/results to return agent tasking results and remove results from backend db 2016-03-21 22:56:02 -04:00
Harmj0y eaaea57253 Added /empire/api/listeners/kill to kill a listener specified by POST data
Added /empire/api/listeners/options to enumerate currently set listener options
Added start to docstrings in functions -> still need to describe complete request/response JSON formats
removed /empire/api/agents/ID/X
/empire/api/agents/name/Y -> /empire/api/agents/Y
removed /empire/api/listeners/id/X
/empire/api/listeners/name/Y -> /empire/api/listeners/Y
"X listeners currently active" now pulls from the backend DB
2016-03-21 21:50:19 -04:00
Harmj0y 334f1f4b5c Added POST to /empire/api/stagers in API to generate stagers
moved empire instantiation into the restful api start
2016-03-21 21:03:32 -04:00
Harmj0y c15f445892 Revamp of some of the backend to allow for a proper RESTful API
Cleaned up some SQL calls
Moved tasking/results into database fields for agents, instead of being kept in memory on the client
Added --headless option to ./empire
2016-03-21 20:20:03 -04:00
Harmj0y e6e5222647 Added lateral_movement/new_gpo_immediate_task 2016-03-19 11:51:09 -04:00
Harmj0y 97335b83d6 -Added the ability to specify multiple function names to helpers.generate_dynamic_powershell_script()
-Added Unconstained option to get_computer
-Added AdminCount option to get_user
-Added situational_awareness/network/powerview/get_gpo_computer to get computers a GPO is applied to
2016-03-19 10:53:28 -04:00
Harmj0y d5db75c3d0 -Updated PowerView.ps1 code
-Re-tested all powerview modules
-Updated some module options
-Fixed bug in helpers.generate_dynamic_powershell_script()

-Added situational_awareness/network/powerview/get_domain_policy
-Added situational_awareness/network/powerview/get_dfs_share
-Added situational_awareness/network/powerview/get_fileserver
-Added situational_awareness/network/powerview/get_rdp_session
-Added situational_awareness/network/powerview/get_site
-Added situational_awareness/network/powerview/get_subnet
-Added situational_awareness/host/get_proxy
-Added situational_awareness/host/get_pathacl
-Added management/get_domain_sid
2016-03-19 08:38:18 -04:00
Harmj0y 2382bd0dea Added privesc/getsystem 2016-03-11 19:31:27 -05:00
Harmj0y da52a6268b Attempted fix for issue #136 2016-03-03 19:33:45 -05:00
Harmj0y 08ca63fe09 First pass at stager retries. 2016-03-03 19:13:44 -05:00
Harmj0y 355db39847 Added privesc/mcafee_sitelist 2016-02-18 00:08:08 -05:00
Harmj0y c32e3d15cd Additional debugging on sysinfo checkin. 2016-02-17 21:58:09 -05:00
Harmj0y 3b0003f0ce '--debug 2' now prints all debug signal output to the script as well as ./empire.debug 2016-02-17 20:06:33 -05:00
Harmj0y b0d90be6fe Updated changelog and version number. Added '--version' cli option. 2016-02-16 02:27:37 -05:00
Harmj0y 473be51acd Changed '--listeners' option to '--listener' 2016-02-16 02:02:18 -05:00
Harmj0y 75ea648c49 Small bug fixes. 2016-02-16 01:53:16 -05:00
Harmj0y 734831b5fb Added a start to cli option parsing for displaying listeners/stagers and generating stagers. 2016-02-16 01:52:32 -05:00
Harmj0y 4bab4f9484 'seachmodule' with no term now lists all modules and descriptions 2016-02-16 00:35:32 -05:00
Kevin Robertson 8b385928dc Added Tater privesc module
Empire module version of https://github.com/Kevin-Robertson/Tater.
2016-02-15 18:40:09 -05:00
Harmj0y 3cf322e76a Fix for issue #125 2016-01-14 15:57:26 -05:00
Harmj0y c0d427cdc8 Corrected several bugs in how the workingHours window is handled in the agent
Added validation to the workinghours time format
2016-01-11 01:24:46 -05:00
Harmj0y e696bb7078 spelling mistakes 2015-12-30 16:18:59 -05:00
Harmj0y 8281a9e7ba Empire 1.4 release.
Encompases all changes since tagged 1.3.1 release.
Added 'Contribution Rules' to the README.md
2015-12-29 19:29:05 -05:00
Harmj0y 0d30181baf Added situational_awareness/network/powerview/find_managed_security_groups module
implementing @stufus' recent changes
2015-12-29 15:58:39 -05:00
Harmj0y 82fed97485 Fixed various issues for agent profile setting/handling
'DefaultProfile' option in listener menu is now tab-completable and can take a path to a profile.txt
2015-12-29 15:57:01 -05:00
HarmJ0y da439c441b Merge pull request #118 from jamcut/trusted-document-store
Add module to enumerate trusted documents and locations for MS Office.
2015-12-27 13:03:54 -08:00
Jeff McCutchan b7eb2852f3 Removed more commented lines 2015-12-27 00:08:27 -05:00
Jeff McCutchan a66d2e536e Implemented @Harmj0y changes 2015-12-27 00:04:38 -05:00
Jeff McCutchan ffa6ca6cd0 Added reference to original .ps1 file here too... 2015-12-24 08:40:12 -05:00
Jeff McCutchan 3c7c4278fa Change verbiage in module description 2015-12-23 14:00:06 -05:00
Jeff McCutchan c51b33b74c Add module to enumerate trusted documents and locations for MS Office. 2015-12-23 13:45:56 -05:00
Harmj0y 687954b6ef -Sync of Kevin Robertson's lateral_movement/inveigh_relay module
-Sync stufus' exfiltration/egresscheck module
-Added module menu dynamic sizing for prettified output
2015-12-22 15:05:22 -05:00
HarmJ0y c6ff79d7b8 Merge pull request #117 from stufus/add_egress_busting
Add Egress Checking Traffic Generator Module
2015-12-22 11:40:32 -08:00
HarmJ0y ffe76b3828 Merge pull request #110 from Kevin-Robertson/master
Added Inveigh's HTTP NTLMv2 to SMB relay as an Empire module
2015-12-22 11:40:14 -08:00
Stuart Morgan c2d6172587 Fixed author array 2015-12-21 23:01:38 +00:00
Stuart Morgan 4c87700c6d Fix up verbosity 2015-12-21 22:47:54 +00:00
Stuart Morgan cea0826222 Rework this to remove the -verbosity parameter now that Ive realised that Write-Verbose exists....:) 2015-12-21 22:18:52 +00:00
Stuart Morgan dc9808b06b Merge branch 'master' of https://github.com/PowerShellEmpire/Empire into add_egress_busting 2015-12-21 20:50:11 +00:00
Harmj0y c95d8786aa hop.php redirector fix
removed requirement for credentials from lateral_movement/invoke_psremoting
2015-12-21 00:33:03 -05:00
Harmj0y c12eac3200 Added trollsploit/rick_ascii 2015-12-16 20:36:07 -05:00
Harmj0y bcb2f4677f Fix for issue #112 2015-12-16 17:42:51 -05:00
Stuart Morgan 8f88c5bdce This works! Amazingly....just needs tidying up and polishing (and sorting out the Write-Hosts) 2015-12-15 23:49:09 +00:00
Stuart Morgan 8ff5f7723a turns out that you need commas in the options dict....:) 2015-12-15 23:38:33 +00:00
Stuart Morgan b4ed0ceadb Added the options to the python side 2015-12-15 23:34:38 +00:00
Stuart Morgan d1572d325b Continuing work 2015-12-15 23:29:00 +00:00
Kevin Robertson 6186502749 Added Inveigh's HTTP NTLMv2 to SMB relay as an Empire module
This module is a direct copy/paste of the Invoke-InveighRelay function
from the standalone version of Inveigh. The module will relay incoming
HTTP NTLMv2 authentication requests to an SMB target. If authentication
is successful and the user is a local administrator on the target
system, the specified command should be executed on the target PSexec
style. This module can be used with or without collection/inveigh. If
collection/inveigh is used, ensure that HTTP is disabled in
collection/inveigh. If this module is used without collection/inveigh,
another method will need to be employed to trigger incoming HTTP
requests.

This module has been successfully tested with Empire's  launcher
one-liner to establish additional agents. In testing I observed a delay
(30 seconds or so) between the service creation message and Empire's
agent active message.

harmj0y: As I mentioned in the collection/inveigh pull request comments,
the length of the parameter names is throwing off Empire's options
command column display alignment. I'm not sure if there is an easy fix
for this. Also, I used the same code that you added to inveigh.py after
the pull request. With this code, I did not observe that the
SMBRelayCommand value needed to be wrapped in quotes.
2015-12-14 21:48:49 -05:00
Harmj0y c1043156e1 Module argument tweaks to collection/inveigh.py 2015-12-14 16:04:49 -05:00
Kevin Robertson e2209606aa Synced collection/inveigh with current standalone Inveigh code
Direct copy/paste of Invoke-Inveigh function from current standalone
version of Inveigh.  This version contains a number of
additions/changes/bug fixes. There are two primary additions that may be
useful to Empire users. The first is that 1122334455667788 is no longer
used as the default challenge over HTTP since it's now getting flagged
by SEP and maybe others. The default behavior is a random challenge for
each request. A specific challenge can also be specified through the
'challenge' parameter. The second is the ability to set a run time so
that collection/inveigh will auto-exit after a specified number of
minutes. On the python side, I have added the additional relevant
parameters and flipped the module to opsec safe since no files are
created on disk.
2015-12-13 19:31:52 -05:00
Harmj0y 93c1d46236 Updated powerview.ps1
Added situational_awareness/network/powerview/get_cached_rdpconnection
Added situational_awareness/network/powerview/set_ad_object
Added management/downgrade_account
2015-12-11 17:56:25 -05:00
Stuart Morgan 767d1f97a2 Merge branch 'master' of https://github.com/PowerShellEmpire/Empire into add_egress_busting 2015-12-11 10:04:53 +00:00
Stuart Morgan 21ae58cea0 Added template python script (on the python side) for the egresscheck ps1 2015-12-10 19:30:07 +00:00
Harmj0y 788747fa92 Added lsadump::cache and lsadump::sam Mimikatz modules. 2015-12-09 15:20:13 -05:00
Harmj0y d03cecbc37 Bug fix for installations transitioning to autorun code with old database. 2015-12-01 12:15:01 -05:00
HarmJ0y 9d9389d0a1 Merge pull request #104 from monoxgas/master
Added Hashdump using Invoke-DCSync
2015-12-01 10:28:45 -05:00
Nick Landers 7ab8cf4e94 I knew that... 2015-12-01 00:00:51 -07:00
Nick Landers e8337f47f4 Fixing small things 2015-11-30 22:19:24 -07:00
Harmj0y cb67368e2e Updated version and changelog 2015-11-30 23:23:03 -05:00
Harmj0y 1ba56acc13 Added persistence/userland/backdoor_lnk 2015-11-30 23:20:49 -05:00
Nick Landers d6443b9399 Update dcsync-hashdump.py 2015-11-30 18:27:19 -07:00
Monox Gas 5a85be3d37 Update Fixes 2015-11-30 18:21:22 -07:00
Nick Landers 63ea2f842c Create dcsync-hashdump.py 2015-11-30 17:39:30 -07:00
Harmj0y 6df2841ff7 Combined persistence/debugger/* into persistence/misc/debugger 2015-11-30 00:54:55 -05:00
Harmj0y 1d1fa61116 Added SysWow64 option to management/spawn to spawn a 32-bit powershell.exe 2015-11-29 15:20:16 -05:00
Harmj0y 41cc316406 Added MailRaider's disable_security.py module 2015-11-29 12:48:06 -05:00
Harmj0y 66b7aa17f1 Added several modules in management/mailraider/* to integrate @xorrior's MailRaider.ps1 2015-11-29 11:58:16 -05:00