Commit Graph

286 Commits (801a3eac362ad7c2314c87f18f962ec4251612cb)

Author SHA1 Message Date
Harmj0y 743fe02b44 Removed non-ascii character from Get-FoxDump.ps1
Added ascii check before module tasking
2015-11-28 20:24:45 -05:00
xorrior 42c7eb901d Merge branch 'master' of https://github.com/xorrior/Empire 2015-11-28 16:34:19 -05:00
xorrior 104166f8e8 Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 16:34:13 -05:00
Harmj0y f853e6d750 Added option parsing and cred store support to lateral_movement/invoke_sshcommand 2015-11-28 16:00:16 -05:00
HarmJ0y ebc023d560 Merge pull request #101 from rvrsh3ll/master
Add Invoke-SSHCommand
2015-11-28 15:50:57 -05:00
rvrsh3ll 6c867048c4 Add Invoke-SSHCommand 2015-11-25 15:49:36 -05:00
xorrior c65498371f Merge branch 'master' of https://github.com/xorrior/Empire 2015-11-25 11:55:44 -05:00
xorrior acb9d1bb2f Added ChromeDump and FoxDump modules 2015-11-25 11:55:36 -05:00
HarmJ0y ddb47c3cdb Merge pull request #98 from PowerShellEmpire/script_autorun
Script autorun
2015-11-24 17:07:14 -05:00
Harmj0y 3817385bb2 Fixed agent result caching bug (again)
Fixed multiple agent-interaction bug that causes results to be displayed simultaneously
2015-11-24 00:41:16 -05:00
Harmj0y 79400a329f Fixup for recon/http_login 2015-11-24 00:22:42 -05:00
HarmJ0y cf9f2f0cbf Merge pull request #96 from rvrsh3ll/master
Added HTTP-Login Recon Module
2015-11-23 23:16:14 -05:00
Harmj0y 6de27d4846 Corrected /dc flag in credentials/mimikatz/dcsync 2015-11-23 21:06:06 -05:00
rvrsh3ll b703e13614 Added HTTP-Login Recon Module 2015-11-23 08:50:58 -05:00
Harmj0y aa9c9e804e Added management/invoke_script 2015-11-22 17:36:57 -05:00
Harmj0y e59844be72 Added ability to set a script to run on each agent checkin with "set Agent autorun" in module menu.
"(Empire: agents) > clear autorun" will clear out any current autoruns
WARNING: this requires a DB schema mod to work correctly, meaning you will lose current
agent connection information if run!
2015-11-22 17:25:28 -05:00
Harmj0y 8637a49338 Fixed nested menu bug that caused buildup of "Agent X not active."
Main display menu now shows each time "main" menu is entered.
2015-11-21 20:03:40 -05:00
Harmj0y 2c14853b29 Fix for exploitation/exploit_jboss 2015-11-21 18:07:57 -05:00
rvrsh3ll b8d34090fe Added JBoss JMX Console exploit deployment module. 2015-11-20 12:37:19 -05:00
Harmj0y 8961af6262 Added situational_awareness/network/powerview/get_loggedon and get_session 2015-11-12 23:17:37 -05:00
Harmj0y 6058f25a57 few tweaks to recon/find_fruit 2015-11-08 20:40:07 -05:00
HarmJ0y c68177cff7 Merge pull request #87 from rvrsh3ll/master
Threading Updates
2015-11-08 20:37:41 -05:00
Harmj0y c9afcc138f Updated PowerView, added situational_awareness/network/powerview/get_forest 2015-11-08 19:36:20 -05:00
Harmj0y 7252718537 derp 2015-11-08 19:00:03 -05:00
Harmj0y 7db7ec6bbc All PowerUp modules now dynamically built from a single source file
PowerUp bug fixes
Added privesc/powerup/service_exe_restore, pulled logic from other modules
Added management/spawnas to spawn agents with explicit credentials
Debug functionality (--debug) now outputs the source of the last tasked script to ./LastTask.ps1
Write-Verbose and Write-Debug lines now stripped from tasked scripts
2015-11-08 18:51:57 -05:00
rvrsh3ll 746f390a1d Added Threading
Added FoundOnly
2015-11-08 08:10:32 -05:00
Harmj0y 3315c106ba Renamed privesc/directuac to privesc/ask
Added local admin priv and opsec checks
2015-11-05 13:06:36 -05:00
João Pena Gil 6adfacf8f6 Privesc - DirectUAC
Added DirectUAC module.

Description:

Leverages Start-Process' -Verb runAs option inside a loop to prompt the user for a high integrity context before running the agent code.
UAC will report PowerShell is requesting Administrator privileges. Because this does not use the BypassUAC DLLs, it should not trigger any AV alerts.
2015-11-05 09:53:34 +00:00
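The prompt-in-a-loop technique the commit above describes, as an added example written for this page. It is not the source of Empire's DirectUAC / privesc/ask module; the function names, the attempt cap (`-MaxAttempts`) and the encoded-command launch are this example's own choices. When the user clicks "No" on the consent dialog, `Start-Process -Verb RunAs` raises "The operation was canceled by the user", which the loop catches and retries, so the user is re-prompted until they accept or the cap is reached. The elevated process is launched from the unprivileged one, so a local-admin check first avoids prompting a user who could not elevate anyway.

```powershell
# Added example, not Empire's module code. Demonstrates the Start-Process -Verb RunAs
# nag loop described in the DirectUAC commit message.

function Test-IsElevated {
    # True when the current token already holds the Administrators group in a high-integrity context
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdmin {
    # The user must be a member of the local Administrators group for the consent prompt
    # to succeed at all; otherwise UAC asks for other credentials and the loop is pointless.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    return [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })
}

function Invoke-ElevationPrompt {
    param(
        # PowerShell code to run in the elevated process (caller supplies it; assumption)
        [Parameter(Mandatory)][string]$Command,
        # Cap on consent prompts so a refusing user is not prompted forever (assumption)
        [int]$MaxAttempts = 5,
        [int]$DelaySeconds = 2
    )

    if (Test-IsElevated)        { return 'already-elevated' }
    if (-not (Test-IsLocalAdmin)) { return 'not-local-admin' }

    # -EncodedCommand avoids quoting problems when the command is passed through Start-Process
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
    $args    = "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded"

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -Verb RunAs triggers the UAC consent dialog; the dialog names powershell.exe
            # as the requesting program, exactly as the commit message notes.
            Start-Process -FilePath 'powershell.exe' -ArgumentList $args -Verb RunAs -ErrorAction Stop
            return "elevated-after-$attempt"
        }
        catch {
            # Declining the prompt surfaces as a terminating error here; wait and ask again.
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    return 'user-refused'
}

# Usage: the elevated process just records its integrity level for inspection.
# Invoke-ElevationPrompt -Command 'whoami /groups | Out-File C:\Windows\Temp\elevated.txt'
```

Two practical notes: the consent dialog is the detection surface here, since every attempt shows PowerShell asking for administrator rights, and a capped loop keeps the behaviour from turning into a denial of service on the desktop if the user keeps declining.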
Harmj0y 4e95039bc4 added persistence/misc/add_netuser to add local/domain users 2015-11-04 15:19:06 -05:00
Harmj0y ced2b5d373 Merge branch 'master' of https://github.com/PowerShellEmpire/Empire 2015-11-02 14:53:06 -05:00
Harmj0y 55709598d5 Bug fix in some packet responses. 2015-11-02 14:52:46 -05:00
redfast00 545d947183 Corrected a typo preventing the autorunning macro from automatically running 2015-10-30 21:44:58 +01:00
Harmj0y c26a63ad94 marked module option as not required 2015-10-30 13:51:59 -04:00
Harmj0y 581c9aa948 Moved antivirusproduct to situational_awareness/host/antivirusproduct,
added ComputerName option, output pipeline fix.
2015-10-30 13:39:25 -04:00
HarmJ0y 59aa123d88 Merge pull request #77 from mh4x0f/master
added module collection/Get-AntiVirusProduct
2015-10-30 13:36:21 -04:00
Harmj0y 1bedcee211 Updated version number and changelog for 1.3.1 2015-10-30 12:08:57 -04:00
Mharcos Nesster 95ef63fb74 added module collection/Get-AntiVirusProduct 2015-10-30 00:22:16 -02:00
pasv d6daa45646 Merge branch 'master' into module_dev_paranoia 2015-10-28 23:39:38 -04:00
Harmj0y e62c5866c0 Moved Find-Fruit.ps1 source to ./data/module_source/recon/*
Output tweak for find_fruit, added ShowAll flag
2015-10-28 13:52:35 -04:00
HarmJ0y 8ac51073e6 Merge pull request #69 from rvrsh3ll/master
Added find-fruit.py
2015-10-28 13:41:34 -04:00
Steve Borosh c948fcdbfb Parameter fixes 2015-10-27 17:43:01 -04:00
Harmj0y 4ceafec807 add_sid_history Groups bug fix 2015-10-27 14:48:43 -04:00
Steve Borosh 2855b3e045 Fix 2015-10-24 22:58:38 -04:00
Steve Borosh d66c511252 Added find-fruit.py 2015-10-24 22:09:35 -04:00
Harmj0y 0cbdb165a2 -Updated powerview.ps1 source to Version 2.0
-Built a way to dynamically generate the stripped PowerView code for functions needed by PowerView modules (helpers -> generate_dynamic_powershell_script), and updated all relevant PowerView modules
-Renamed PowerView modules to better match PowerView 2.0 naming scheme and moved to situational_awareness/network/powerview/*
-Removed old split-out PowerView source files
-Removed situational_awareness/network/netview
-Combined stealth_userhunter into option for userhunter
-Added situational_awareness/network/get_forest_domain, situational_awareness/network/powerview/get_object_acl, situational_awareness/network/powerview/find_computer_field, situational_awareness/network/powerview/find_user_field, situational_awareness/network/powerview/get_ou, situational_awareness/network/powerview/get_group, situational_awareness/network/powerview/get_group_member, situational_awareness/network/powerview/get_gpo, situational_awareness/network/powerview/find_gpo_location, situational_awareness/network/powerview/find_gpo_computer_admin, situational_awareness/network/powerview/process_hunter, situational_awareness/network/powerview/find_foreign_group, situational_awareness/network/powerview/find_foreign_user
-renamed collection/filesearch to collection/find_interesting_file
2015-10-23 21:40:06 -04:00
enigma0x3 5d8a64f75b Merge pull request #63 from jamcut/legacy-option-for-macro-stager
Added "LegacyMacro" option for Office 97-2003 compatibility
2015-10-21 12:39:09 -04:00
Jeff McCutchan eb779309d2 Changed the macro to support both file types 2015-10-15 14:24:42 -04:00
enigma0x3 2cb68f2da6 Update prompt.py 2015-10-14 17:12:53 -04:00
Jeff McCutchan 3b8d18a41e Added "LegacyMacro" option which creates a macro compatible with Office 97-2003 documents. 2015-10-14 17:08:43 -04:00
enigma0x3 d5344b6716 Merge pull request #51 from xorrior/master
Modified Invoke-WinEnum
2015-10-13 06:56:12 -04:00
enigma0x3 4f413b1a98 Updated name so the script loads correctly. 2015-10-12 17:26:59 -04:00
enigma0x3 a46bdac77d Updated to remove testing code and return "script" 2015-10-08 19:24:08 -04:00
i223t b35ce82976 417 Expectation failed error fix 2015-10-02 09:13:23 +01:00
Harmj0y 6be3d4ce8b remove debug 2015-09-22 09:34:27 -04:00
Harmj0y 858f6b3a1c Additional download file path checks. 2015-09-22 09:33:21 -04:00
Harmj0y 9079a54119 Fix for 'skywalker' file overwrite exploit on control server.
Thank you to @zeroSteiner for the disclosure!
2015-09-21 22:32:46 -04:00
xorrior 7541ea23e8 Modified Invoke-WinEnum
Added Firewall Rules enumeration. Slightly modified file searches to
only pull files owned by the user. Changed formatting.
2015-09-14 16:34:32 -04:00
Harmj0y ed8c476f43 Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation
Added management/enable_multi_rdp to patch terminal services to allow multiple connections
2015-09-12 08:32:43 -04:00
Harmj0y 140c4baf7a Fixed write_dllhijacker. 2015-09-12 08:23:12 -04:00
enigma0x3 d581538fd1 updated description 2015-09-09 13:46:07 +02:00
enigma0x3 629c8f695c Updated to change comment wording 2015-09-03 07:55:48 -04:00
pasv 22dea0ba0a Fixed module template to reflect required OutputExtension parameter 2015-09-03 04:05:45 -04:00
pasv 875284be7a Working release 2015-09-03 03:44:34 -04:00
Harmj0y fd1d17a647 Added /dc option to credentials/mimikatz/dcsync 2015-09-02 21:43:01 -04:00
Jack64 d06370e4f1 fix hard-coded event subscription name
Before this change, the command
`set SubName`
did not change the event subscription name installed by the agent as instructed by the user.
2015-08-31 15:45:38 +01:00
Harmj0y a92189b95c Updated changelog and version for 1.2 release. 2015-08-30 15:59:50 -04:00
Harmj0y e1cdef1d19 Removed print output 2015-08-30 15:47:47 -04:00
Harmj0y 40fda2dd04 Merge branch 'master' of https://github.com/PowerShellEmpire/Empire 2015-08-29 20:35:10 -04:00
Harmj0y c021bdf6f3 Credentials from collection/prompt now scraped into the creds db 2015-08-29 20:34:23 -04:00
Harmj0y 788be8b06a Converted message HMAC from MD5 to SHA1 2015-08-27 18:40:19 -04:00
Harmj0y a669c85824 Modified war stager to not drop any temp files to disk. 2015-08-26 20:23:10 -04:00
HarmJ0y c0d7fcaf55 Merge pull request #30 from ch33kyf3ll0w/master
Added the war.py Stager
2015-08-26 20:18:50 -04:00
HarmJ0y 8eaf601ea5 Merge pull request #33 from PowerShellEmpire/inveigh
Integration of Kevin Robertson's Inveigh project
2015-08-26 17:23:52 -04:00
enigma0x3 d3fc5137d4 added privesc/bypassuac_wscript 2015-08-25 21:18:48 -04:00
Harmj0y fb9c18769f Added collection/inveigh. 2015-08-25 17:21:59 -04:00
sixdub d1ce277330 Merge branch 'master' into international_support 2015-08-24 22:56:58 -04:00
ch33kyf3ll0w ef64deb25d Created war.py
Wrote a new stager that deploys the empire agent via WAR file.
2015-08-24 18:40:06 -05:00
sixdub 32e95b4f93 Fixed credential parsing bug 2015-08-24 18:42:32 -04:00
Harmj0y b2cca2f3fd Added credentials/mimikatz/dcsync for remote DC credential extraction
Added situational_awareness/network/get_domaintrusts
Added /sids argument for credentials/mimikatz/golden_ticket
Added credential parsing for dcsync output
updated links for PowerTools
2015-08-24 17:33:35 -04:00
root 31febba7cb Modified packet. Support unicode chars in agent 2015-08-24 09:04:21 -04:00
Justin cf935db0ae Merge pull request #18 from 1njected/master
Added support for custom proxy and fixed Epoch/counter to support other cultures/datetime-formats
2015-08-24 08:00:58 -04:00
Harmj0y 59633fefa1 More bug fixes for lsadump::dcsync. 2015-08-24 01:45:04 -04:00
Harmj0y 683e6403c3 Added -Domain option for lsadump::dcsync in credentials/mimikatz/dcsync 2015-08-24 01:33:12 -04:00
Harmj0y be637dd38a Updated .dll for Invoke-Mimikatz, including lsadump::dcsync functionality. 2015-08-24 01:28:11 -04:00
Harmj0y 54c7300998 Tweaks to fix for issue #23 2015-08-21 15:24:12 -04:00
Harmj0y b434102f2c Error handling for issue #23 2015-08-21 14:17:55 -04:00
Harmj0y 5b40197fd5 'list [agents/listeners] <modifier>' should now be a universal option in every menu
Added 'run' alias for 'execute' in listener menu as well.
2015-08-20 19:08:40 -04:00
Harmj0y 0e0c94b94a Aliased run for execute. 2015-08-20 18:49:23 -04:00
Harmj0y 804e1a01a2 Revamped basic shell operations in agent core (cp, dir, mv, etc.)
Standardized UNC path normalization in agent core
added hostname alias
2015-08-20 15:32:26 -04:00
Harmj0y 39d974bb09 Continued porting native shell commands to WMI replacements in agent core
In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases
Modified ./setup/reset.sh to work from parent or ./setup/ folders
2015-08-20 14:35:42 -04:00
Harmj0y 4bb0bc4d47 Corrected menu behavior on agent exit, bug fix on some dir behavior 2015-08-19 15:51:36 -04:00
Harmj0y 23a3aa3f07 Added management/zipfolder for folder zipping/exfiltration. 2015-08-19 14:56:00 -04:00
Harmj0y 46bf3040f0 Added collection/packet_capture to use netsh to initiate a packet capture. 2015-08-19 12:57:35 -04:00
Tomas Rzepka cf96626e8d Added support for custom proxy. 2015-08-19 10:00:32 +02:00
Harmj0y f07a4d4a3f Added collection/netripper implementation of the NetRipper project from Ionut Popescu (@NytroRST) 2015-08-18 21:09:05 -04:00
ch33kyf3ll0w 5308dafff2 Update hta.py
Unexpected line indent. Threw off Empire startup.
2015-08-16 12:27:26 -05:00
Casey Smith 1d37d7702a Create hta.py 2015-08-16 10:46:29 -04:00
Harmj0y 6ddce8bb7e Added lateral_movement/invoke_psexec 2015-08-16 10:46:22 -04:00
Harmj0y 2b499a559c Added modules management/timestomp, trollsploit/process_killer, persistence/elevated/wmi, situational_awareness/network/smbscanner 2015-08-16 10:46:12 -04:00
enigma0x3 8c36d463e3 Update macro.py
"Set" in VBA instantiates an object. A string var isn't defined as an object, so this fails. Updated to remove "Set" from initial str instantiation.
2015-08-14 09:43:13 -04:00
sixdub 4a1a4e6960 Fixed IOError 2015-08-14 09:43:12 -04:00
enigma0x3 3ade74603f Update schtasks.py
fixed registry storage
2015-08-14 09:43:12 -04:00
enigma0x3 afe64910a3 Update registry.py
Updated to fix execution of registry key

fixed registry parsing
2015-08-14 09:43:02 -04:00
Harmj0y 4572513129 Bug fix in stagers/macro module. 2015-08-14 09:43:01 -04:00
enigma0x3 52de78bfc3 Update registry.py
Made listener required.
2015-08-14 09:42:55 -04:00
enigma0x3 7ca33a108e Update messages.py 2015-08-14 09:42:54 -04:00
enigma0x3 3222556c2c Update empire.py 2015-08-14 09:42:54 -04:00
enigma0x3 6ace392e19 added additional delay to intervalmax
Ensures only stale agents are actually listed.
2015-08-14 09:42:54 -04:00
Harmj0y d44b1f1ec6 Added "list stale" and "remove stale" agents commands to list/remove
agents past their max checkins.
2015-08-14 09:42:54 -04:00
Harmj0y 8423c4f3bf "agents> remove X" now removes agents that checked in > X minutes ago 2015-08-14 09:42:54 -04:00
Rohan Vazarkar bdfec8c732 Updated title credits to include enigma0x3 2015-08-14 09:42:54 -04:00
Harmj0y 404d435bb0 Fixed agent.log output bug with new lostlimit logic. 2015-08-14 09:42:54 -04:00
Harmj0y 02c25719a1 Few bug fixes for the LostAgentDetection code. 2015-08-14 09:42:54 -04:00
sixdub da6c5a983c Updated Lost Agent Detection 2015-08-14 09:42:54 -04:00
sixdub 834b5c03fc Added missed CB limits 2015-08-14 09:42:54 -04:00
enigma0x3 ef6b645ffe updated to fix usestager tab completion bug 2015-08-10 09:06:13 -04:00
enigma0x3 57c2d26333 updated ip_whitelist from file
when setting whitelists from a text file, Empire adds the contents of that file to the IP blacklist. updated to ensure it adds the IPs to the correct list.
2015-08-10 07:53:22 -04:00
Jon Cave 4624cff0e6 Authenticate the encrypted communications 2015-08-08 18:54:02 +01:00
Harmj0y 629c648c2b Updated citations and documentation. 2015-08-08 12:06:44 -04:00
enigma0x3 175d8df7f0 Update userhunter.py 2015-08-06 04:08:50 -04:00
enigma0x3 fb6c28bd3b Update stealth_userhunter.py 2015-08-06 04:08:37 -04:00
enigma0x3 174e767721 Update sharefinder.py 2015-08-06 04:08:22 -04:00
enigma0x3 c911a5c478 Update reverse_dns.py 2015-08-06 04:08:08 -04:00
enigma0x3 d8dbcc7eea Update portscan.py 2015-08-06 04:07:51 -04:00
enigma0x3 d1d9ba6e36 Update netview.py 2015-08-06 04:07:34 -04:00
enigma0x3 0f3607ad9a Update mapdomaintrusts.py 2015-08-06 04:07:15 -04:00
enigma0x3 508c39c3fe Update get_user.py 2015-08-06 04:06:58 -04:00
enigma0x3 65a25425cf Update get_spn.py 2015-08-06 04:06:40 -04:00
enigma0x3 fd5d181b9d Update get_localgroup.py 2015-08-06 04:06:19 -04:00
enigma0x3 63ec7e252b Update get_exploitable_systems.py 2015-08-06 04:06:02 -04:00
enigma0x3 1915ee033a Update get_computer.py 2015-08-06 04:05:30 -04:00
enigma0x3 9c3b2192e4 Update find_localadmin_access.py 2015-08-06 04:05:11 -04:00
enigma0x3 8d9bdf272b Update arpscan.py 2015-08-06 04:04:46 -04:00
Jared Haight ca0a2e1bdf Fixed file path typo 2015-08-05 21:19:44 -04:00
Jared Haight e3148de261 Fixed file path typo 2015-08-05 21:19:18 -04:00
Harmj0y 751d0c15d6 Initial BSidesLV '15 release of v1.0.0 2015-08-05 14:36:39 -04:00