Commit Graph

251 Commits (de03f902ec5129ae4ec3dfbc062e201c72584aae)

Author SHA1 Message Date
xorrior e3f1c1eb47 Added java template 2016-09-29 11:57:58 -04:00
xorrior 460876d8f0 Migrated EmPyre stagers from dev branch in EmPyre repo 2016-09-29 11:41:09 -04:00
xorrior a0310db58e Migrated misc resources from EmPyre repo for new stagers 2016-09-28 22:29:47 -04:00
HarmJ0y 26cd0089dd 2.0.0 beta, DerbyCon release 2016-09-23 14:04:35 -04:00
enigma0x3 03ca7bdbcc Updated to include UAC level check 2016-09-10 15:43:18 -04:00
enigma0x3 313e9d027b Added checks for UAC levels and fixed a bug with the path to powershell.exe not being found 2016-09-10 15:30:45 -04:00
HarmJ0y 2b124f8a44 Merge pull request #312 from Zer1t0/arp
ArpScanning with reflection
2016-08-31 14:38:12 -07:00
Yeolsooyy 51987d8f08 Use reflection instead of C# code 2016-08-28 21:10:46 +02:00
enigma0x3 eefc493411 Added fileless UAC bypass using eventvwr.exe 2016-08-15 17:55:57 -04:00
Matt Nelson 2523f84f0f Fixed bug with fqdn
Thanks to @curi0usJack for reporting this.
2016-08-06 23:10:01 -07:00
Harmj0y bec33f73ac moved collection/keethief to collection/vaults/keethief
added collection/vaults/find_keepass_config to enumerate KeePass configs on a system
added collection/vaults/add_keepass_config_trigger to add a trigger backdoor to all reachable KeePass instances
added collection/vaults/get_keepass_config_trigger to enumerate all triggers for all reachable KeePass instances
added collection/vaults/remove_keepass_config_trigger to remove all triggers for all reachable KeePass instances
misc. bug fixes
2016-07-20 23:44:30 -04:00
Harmj0y 7790b250a2 misc. bug fixes and standardization updates 2016-07-20 23:39:25 -04:00
Harmj0y 0163ebec06 Added missing Invoke-CredentialInjection.ps1 file
Updated .gitignore
2016-07-20 21:51:14 -04:00
Matt Nelson e83b545476 Merge pull request #277 from BeetleChunks/master
Adding credentials module to extract the current interactive user's Credential Manager credentials.
2016-07-16 22:06:04 -04:00
Harmj0y 39d174235a Added module collection/keethief 2016-07-16 19:58:08 -04:00
HarmJ0y 8028963b64 Merge pull request #274 from curi0usJack/dev
Adding SMB auto-brute module
2016-07-15 14:51:25 -07:00
BeetleChunks 7ad52105ee Add files via upload 2016-07-08 08:59:13 -05:00
@424f424f 05302321ac Add Browser Search Module 2016-07-07 22:46:41 -04:00
curi0usJack 2ebf5832c8 Added Invoke-SMBAutoBrute.ps1 2016-07-07 16:30:14 -05:00
Matt Nelson 039934b883 Merge pull request #235 from Kevin-Robertson/master
Sync with Inveigh 1.1.1 and current Tater
2016-06-24 22:15:37 -04:00
enigma0x3 9698b75398 Updated Invoke-Mimikatz dlls after updating Invoke-Mimikatz from PowerSploit 2016-06-24 20:59:30 -04:00
enigma0x3 1a266ce6a0 Updated Invoke-Mimikatz with version from 'master' in PowerSploit. Fixed processor arch detection bug 2016-06-24 20:27:00 -04:00
Matt Nelson 13405e78d6 Update PowerUp.ps1
Changed "Balue" to "Value" thanks to @Und3rf10w.
2016-06-14 07:36:08 -04:00
enigma0x3 9df8e9bf03 Fix for error when loading SQLite assembly 2016-06-09 09:35:28 -04:00
Harmj0y b6db99f66f Fix for situational_awareness/host/computerdetails object output. 2016-05-27 15:16:22 -04:00
Harmj0y 0fb6599c77 More verbose output for Invoke-ServiceCMD in PowerUp to address issue #219 2016-05-27 14:37:15 -04:00
Harmj0y e0802fb6d1 Fix for issue #230 (PowerShell 2.0 compatibility for Get-SPN.ps1) 2016-05-27 14:18:08 -04:00
Harmj0y 7a47ea3583 Fix for issue #232 2016-05-27 14:02:34 -04:00
lloobeek 61bddbc9ab Edited MS16-032 exploit for Empire 2016-05-12 01:16:04 -05:00
Kevin Robertson 5158c160b4 Sync with Inveigh 1.1.1 and current Tater 2016-05-10 23:12:34 -04:00
Jared Haight b3224860df adding the invoke-metasploitpayload module 2016-04-29 11:52:58 -04:00
Harmj0y b977dec1ae Updated PowerView
Added credentials/get_spn_tickets to request user SPN tickets
Added credentials/mimikatz/extract_tickets to extract kerberos tickets from memory
Updated PowerView location citations
2016-04-24 11:26:39 -04:00
HarmJ0y 96ac925773 Merge pull request #182 from xorrior/master
Added MiniEye collection module; Minor change to ChromeDump
2016-04-11 15:47:19 -07:00
xorrior 523e4458c1 Added MiniEye collection module; Minor change to ChromeDump
MiniEye - Collect recordings from Webcam.
ChromeDump - Modified sqlite DB connection string for read-only access.
2016-04-09 22:11:28 -04:00
Lux Cupitor 188157e3ec removed comment 2016-04-06 08:12:36 -04:00
Lux Cupitor 4f61ecda2b added modules for unauthenticated Jenkins Script console access 2016-04-06 08:06:24 -04:00
HarmJ0y ae324964c6 Merge pull request #169 from mynameisv/dev
screenshot in jpeg and shortcut
2016-04-01 13:52:04 -07:00
Harmj0y e43fb94634 correct conflict in changelog 2016-03-31 17:34:46 -04:00
mynameisv 917cb2b246 screenshot in jpeg and shortcut 2016-03-31 23:27:15 +02:00
enigma0x3 30ef8172a0 Updated to hide process window for mimikatz pth 2016-03-31 16:52:36 -04:00
enigma0x3 c4a8a249fe Updated mimikatz version 2016-03-31 16:24:41 -04:00
enigma0x3 e61d12b640 Updated mimikatz dlls 2016-03-31 15:35:28 -04:00
HarmJ0y dae17d1bc1 Merge pull request #165 from Kevin-Robertson/master
Inveigh 1.1 and Tater Modules
2016-03-31 11:13:53 -07:00
Kevin Robertson 32b36c9597 Comment/Notes changes and WPADResponse removal
Updated additional comment/notes. I removed WPADResponse from inveigh
and inveigh_bruteforce since wpad.dat code contains commas. The Python
code that is parsing the commas for the array parameters is getting in
the way. I can add WPADResponse back in later.
2016-03-30 15:35:44 -04:00
Kevin Robertson 7a3a95f735 Sync features with updated versions of Inveigh and Tater
Upgrading collection/inveigh, lateral_movement/inveigh_relay, and
privesc/tater. Adding collection/inveigh_bruteforce.
2016-03-29 23:55:39 -04:00
Harmj0y b3e8ebabe5 Expanded server/agent epoch check from +/- 10 minutes to +/- 12 hours 2016-03-26 00:00:40 -04:00
Harmj0y ae9f046aba Added trollsploit/rick_astley to run @SadProcessor's audio rickroll 2016-03-21 23:11:12 -04:00
Harmj0y d5db75c3d0 -Updated PowerView.ps1 code
-Re-tested all powerview modules
-Updated some module options
-Fixed bug in helpers.generate_dynamic_powershell_script()

-Added situational_awareness/network/powerview/get_domain_policy
-Added situational_awareness/network/powerview/get_dfs_share
-Added situational_awareness/network/powerview/get_fileserver
-Added situational_awareness/network/powerview/get_rdp_session
-Added situational_awareness/network/powerview/get_site
-Added situational_awareness/network/powerview/get_subnet
-Added situational_awareness/host/get_proxy
-Added situational_awareness/host/get_pathacl
-Added management/get_domain_sid
2016-03-19 08:38:18 -04:00
Harmj0y 45d219e1f5 bug fix for Invoke-PsExec and some x64 pointers 2016-03-11 20:33:46 -05:00
Harmj0y 2382bd0dea Added privesc/getsystem 2016-03-11 19:31:27 -05:00
Harmj0y da52a6268b Attempted fix for issue #136 2016-03-03 19:33:45 -05:00
Harmj0y 8c1927887a remove output 2016-03-03 18:22:24 -05:00
Harmj0y 7d711d4e77 Implemented mynameisv's download chunking. 2016-03-03 18:21:16 -05:00
Harmj0y 355db39847 Added privesc/mcafee_sitelist 2016-02-18 00:08:08 -05:00
Kevin Robertson 8b385928dc Added Tater privesc module
Empire module version of https://github.com/Kevin-Robertson/Tater.
2016-02-15 18:40:09 -05:00
Harmj0y c0d427cdc8 Corrected several bugs in how the workingHours window is handled in the agent
Added validation to the workinghours time format
2016-01-11 01:24:46 -05:00
Stuart Morgan f02e675f52 Renamed to Find-ManagedSecurityGroups at @harmjoy's request 2015-12-28 17:44:16 +00:00
Stuart Morgan d82f5208a7 Merge branch 'master' of https://github.com/PowerShellEmpire/Empire into identify_ad_managed_security_groups 2015-12-28 17:40:17 +00:00
HarmJ0y da439c441b Merge pull request #118 from jamcut/trusted-document-store
Add module to enumerate trusted documents and locations for MS Office.
2015-12-27 13:03:54 -08:00
Jeff McCutchan a66d2e536e Implemented @Harmj0y changes 2015-12-27 00:04:38 -05:00
Jeff McCutchan d49b080037 Added GitHub link to Notes section of ps1 file 2015-12-24 08:35:50 -05:00
Stuart Morgan c7dfa63ee8 Added description 2015-12-24 11:59:12 +00:00
Stuart Morgan 74abeaa2a6 Added link to PR 2015-12-24 11:56:11 +00:00
Stuart Morgan 264863b7bc remove debugging print 2015-12-24 11:48:11 +00:00
Stuart Morgan bc949a8ae4 use samaccountname for the username 2015-12-24 11:47:52 +00:00
Stuart Morgan 3f49d7fcfe Remove trailing spaces 2015-12-24 11:34:02 +00:00
Stuart Morgan a078c2bd76 Works 2015-12-24 11:23:24 +00:00
Jeff McCutchan c51b33b74c Add module to enumerate trusted documents and locations for MS Office. 2015-12-23 13:45:56 -05:00
Stuart Morgan 0a3aaecb13 Update 2015-12-23 17:02:10 +00:00
HarmJ0y c6ff79d7b8 Merge pull request #117 from stufus/add_egress_busting
Add Egress Checking Traffic Generator Module
2015-12-22 11:40:32 -08:00
Stuart Morgan dbbe61df41 Broken - but adding notes for testing nTSecurityDescriptor 2015-12-22 00:23:44 +00:00
Stuart Morgan 150d89d292 Initial module creation 2015-12-21 23:13:13 +00:00
Stuart Morgan c97acb0ee6 Fix comments 2015-12-21 22:49:06 +00:00
Stuart Morgan f98844d905 Fix comments 2015-12-21 22:48:39 +00:00
Stuart Morgan 4c87700c6d Fix up verbosity 2015-12-21 22:47:54 +00:00
Stuart Morgan cea0826222 Rework this to remove the -verbosity parameter now that I've realised that Write-Verbose exists....:) 2015-12-21 22:18:52 +00:00
Stuart Morgan dc9808b06b Merge branch 'master' of https://github.com/PowerShellEmpire/Empire into add_egress_busting 2015-12-21 20:50:11 +00:00
Stuart Morgan 8401be21f4 Updated header 2015-12-21 20:48:48 +00:00
Stuart Morgan d48563e6e8 Sorted out verbose output 2015-12-21 20:44:51 +00:00
Kevin Robertson 6186502749 Added Inveigh's HTTP NTLMv2 to SMB relay as an Empire module
This module is a direct copy/paste of the Invoke-InveighRelay function
from the standalone version of Inveigh. The module will relay incoming
HTTP NTLMv2 authentication requests to an SMB target. If authentication
is successful and the user is a local administrator on the target
system, the specified command should be executed on the target PSexec
style. This module can be used with or without collection/inveigh. If
collection/inveigh is used, ensure that HTTP is disabled in
collection/inveigh. If this module is used without collection/inveigh,
another method will need to be employed to trigger incoming HTTP
requests.

This module has been successfully tested with Empire's launcher
one-liner to establish additional agents. In testing I observed a delay
(30 seconds or so) between the service creation message and Empire's
agent active message.

harmj0y: As I mentioned in the collection/inveigh pull request comments,
the length of the parameter names is throwing off Empire's options
command column display alignment. I'm not sure if there is an easy fix
for this. Also, I used the same code that you added to inveigh.py after
the pull request. With this code, I did not observe that the
SMBRelayCommand value needed to be wrapped in quotes.
2015-12-14 21:48:49 -05:00
Kevin Robertson e2209606aa Synced collection/inveigh with current standalone Inveigh code
Direct copy/paste of Invoke-Inveigh function from current standalone
version of Inveigh. This version contains a number of
additions/changes/bug fixes. There are two primary additions that may be
useful to Empire users. The first is that 1122334455667788 is no longer
used as the default challenge over HTTP since it's now getting flagged
by SEP and maybe others. The default behavior is a random challenge for
each request. A specific challenge can also be specified through the
'challenge' parameter. The second is the ability to set a run time so
that collection/inveigh will auto-exit after a specified number of
minutes. On the python side, I have added the additional relevant
parameters and flipped the module to opsec safe since no files are
created on disk.
2015-12-13 19:31:52 -05:00
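The commit above replaces the fixed HTTP challenge 1122334455667788 with a per-request random one because the static value was being signature-matched. The following is an added example (not Inveigh or Empire code) that shows both sides of that point in Python: a minimal NTLMSSP CHALLENGE_MESSAGE (Type 2) builder that takes either a fixed or a fresh random ServerChallenge, and a detector that flags the well-known static challenge in an HTTP `WWW-Authenticate: NTLM <base64>` header. Assumptions, none of which come from the page: the field layout follows the MS-NLMP CHALLENGE_MESSAGE structure (Signature, MessageType, TargetNameFields, NegotiateFlags, ServerChallenge at offset 24, Reserved, TargetInfoFields, payload); the NegotiateFlags value and target name are placeholders; the sample headers are constructed, not captured traffic.

```python
"""Added example: NTLM Type 2 ServerChallenge, fixed vs. random, plus a detector
for the well-known static value. Not Inveigh/Empire code; layout per MS-NLMP
CHALLENGE_MESSAGE (assumption), other field values are placeholders."""
import base64
import os
import struct
from typing import List, Optional

STATIC_CHALLENGE = bytes.fromhex("1122334455667788")  # the value the commit stops using
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_OFFSET = 24          # Signature(8) + MessageType(4) + TargetNameFields(8) + Flags(4)
HEADER_LEN = 48                # fixed header up to and including TargetInfoFields
PLACEHOLDER_FLAGS = 0x00028205 # assumed NegotiateFlags value; irrelevant to the detector


def build_type2(challenge: Optional[bytes] = None, target_name: str = "WORKGROUP") -> bytes:
    """Return a minimal CHALLENGE_MESSAGE. challenge=None -> fresh 8 random bytes per call."""
    if challenge is None:
        challenge = os.urandom(8)
    if len(challenge) != 8:
        raise ValueError("ServerChallenge must be exactly 8 bytes")
    name = target_name.encode("utf-16-le")
    msg = struct.pack("<8sI", NTLMSSP_SIGNATURE, 2)          # Signature, MessageType = 2
    msg += struct.pack("<HHI", len(name), len(name), HEADER_LEN)  # TargetNameFields
    msg += struct.pack("<I", PLACEHOLDER_FLAGS)               # NegotiateFlags
    msg += challenge                                          # ServerChallenge (offset 24)
    msg += b"\x00" * 8                                        # Reserved
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN + len(name))  # TargetInfoFields (empty)
    msg += name                                               # payload: target name
    return msg


def parse_server_challenge(msg: bytes) -> bytes:
    """Extract the 8-byte ServerChallenge; raise ValueError if this is not a Type 2 message."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    if len(msg) < CHALLENGE_OFFSET + 8:
        raise ValueError("truncated CHALLENGE_MESSAGE")
    return msg[CHALLENGE_OFFSET:CHALLENGE_OFFSET + 8]


def flag_static_challenge(www_authenticate: str) -> bool:
    """True when an HTTP 'NTLM <base64>' challenge header carries the static challenge."""
    scheme, _, token = www_authenticate.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return False
    try:
        return parse_server_challenge(base64.b64decode(token)) == STATIC_CHALLENGE
    except (ValueError, struct.error):   # binascii.Error is a ValueError subclass
        return False


# Constructed sample headers (not captured traffic): static, random, and a non-NTLM one.
SAMPLE_HEADERS = [
    "NTLM " + base64.b64encode(build_type2(STATIC_CHALLENGE)).decode(),
    "NTLM " + base64.b64encode(build_type2()).decode(),
    'Basic realm="example"',
]


def scan(headers: List[str]) -> List[bool]:
    """Run the detector over a list of WWW-Authenticate header values."""
    return [flag_static_challenge(h) for h in headers]


if __name__ == "__main__":
    for h, hit in zip(SAMPLE_HEADERS, scan(SAMPLE_HEADERS)):
        print(("STATIC " if hit else "ok     ") + h[:40])
```

The detector only needs the 8 bytes at offset 24, so it works on any Type 2 message regardless of the flags or target info that a real server fills in; the builder is there so the sample input is self-contained.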
Harmj0y 93c1d46236 Updated powerview.ps1
Added situational_awareness/network/powerview/get_cached_rdpconnection
Added situational_awareness/network/powerview/set_ad_object
Added management/downgrade_account
2015-12-11 17:56:25 -05:00
Stuart Morgan 74b72a380b Fixing help 2015-12-10 19:27:02 +00:00
Stuart Morgan 5e7ff31a42 Fix up brackets 2015-12-10 19:22:03 +00:00
Stuart Morgan a39f7f1753 Takes too long to generate the array when scanning 1-65535 so work as we go along 2015-12-10 19:19:24 +00:00
Stuart Morgan 36644c2a85 Argh, apparently you can't use > and <, roll on -gt.... 2015-12-10 19:14:34 +00:00
Stuart Morgan cba71f42bf Consistency 2015-12-10 19:11:38 +00:00
Stuart Morgan 58c5ca4fd0 Added help information etc 2015-12-10 19:09:02 +00:00
Stuart Morgan 503522b6d6 Moving verbosity to specific functions 2015-12-10 10:49:06 +00:00
Stuart Morgan a1ce988d48 Adding configurable parameters 2015-12-10 10:47:30 +00:00
Stuart Morgan 10318899fd Tidying up powershell function definition 2015-12-10 10:39:09 +00:00
Stuart Morgan 064e2ac33f Taken from egresscheck-framework, need to tidy it up though 2015-12-02 19:41:33 +00:00
HarmJ0y 9d9389d0a1 Merge pull request #104 from monoxgas/master
Added Hashdump using Invoke-DCSync
2015-12-01 10:28:45 -05:00
Harmj0y 1ba56acc13 Added persistence/userland/backdoor_lnk 2015-11-30 23:20:49 -05:00
Monox Gas 5a85be3d37 Update Fixes 2015-11-30 18:21:22 -07:00
Nick Landers 3d801abcfb Invoke-DCsync PS1 2015-11-30 17:18:41 -07:00
Harmj0y 66b7aa17f1 Added several modules in management/mailraider/* to integrate @xorrior's MailRaider.ps1 2015-11-29 11:58:16 -05:00
Harmj0y 743fe02b44 Removed non-ASCII character from Get-FoxDump.ps1
Added ASCII check before module tasking
2015-11-28 20:24:45 -05:00
xorrior 42c7eb901d Merge branch 'master' of https://github.com/xorrior/Empire 2015-11-28 16:34:19 -05:00
xorrior 104166f8e8 Added 64-bit version of Assembly in ChromeDump. Removed unnecessary functions in FoxDump 2015-11-28 16:34:13 -05:00
rvrsh3ll 6c867048c4 Add Invoke-SSHCommand 2015-11-25 15:49:36 -05:00
xorrior acb9d1bb2f Added ChromeDump and FoxDump modules 2015-11-25 11:55:36 -05:00
rvrsh3ll abb1c7f555 Changed User Agent to be 2.0 compatible 2015-11-23 15:40:45 -05:00
rvrsh3ll c2c1676eea Added Random User Agents 2015-11-23 11:37:54 -05:00
rvrsh3ll b703e13614 Added HTTP-Login Recon Module 2015-11-23 08:50:58 -05:00
rvrsh3ll b8d34090fe Added JBoss JMX Console exploit deployment module. 2015-11-20 12:37:19 -05:00
Harmj0y 8961af6262 Added situational_awareness/network/powerview/get_loggedon and get_session 2015-11-12 23:17:37 -05:00
Harmj0y 6058f25a57 few tweaks to recon/find_fruit 2015-11-08 20:40:07 -05:00
HarmJ0y c68177cff7 Merge pull request #87 from rvrsh3ll/master
Threading Updates
2015-11-08 20:37:41 -05:00
rvrsh3ll fbd0b3434e Added ColdFusion 2015-11-08 20:08:46 -05:00
Harmj0y c9afcc138f Updated PowerView, added situational_awareness/network/powerview/get_forest 2015-11-08 19:36:20 -05:00
Harmj0y 7db7ec6bbc All PowerUp modules now dynamically built from a single source file
PowerUp bug fixes
Added privesc/powerup/service_exe_restore, pulled logic from other modules
Added management/spawnas to spawn agents with explicit credentials
Debug functionality (--debug) now outputs the source of the last tasked script to ./LastTask.ps1
Write-Verbose and Write-Debug lines now stripped from tasked scripts
2015-11-08 18:51:57 -05:00
rvrsh3ll 746f390a1d Added Threading
Added FoundOnly
2015-11-08 08:10:32 -05:00
tguglanaklona 4908aca8c5 Specifying Mandatory Level Name instead of SID can lead to false-negative results (for non-Latin names, as for me - Cyrillic). Changed to SID 2015-11-01 23:55:08 +03:00
enigma0x3 123a2435a7 updated dlls to fix bug in injection and dll payload injection 2015-10-30 11:58:21 -04:00
pasv d6daa45646 Merge branch 'master' into module_dev_paranoia 2015-10-28 23:39:38 -04:00
Harmj0y e62c5866c0 Moved Find-Fruit.ps1 source to ./data/module_source/recon/*
Output tweak for find_fruit, added ShowAll flag
2015-10-28 13:52:35 -04:00
HarmJ0y e08625b919 Merge pull request #73 from PowerShellEmpire/powerview2.0_update
Powerview2.0 update
2015-10-27 15:19:15 -04:00
Harmj0y cd0e50a7aa Error handling and recurse more than one level for PowerView >_< 2015-10-26 18:03:39 -04:00
Harmj0y b4af938188 Updated PowerView to 2.0.1 2015-10-26 15:29:37 -04:00
enigma0x3 e82dffc654 Added leechristensen's fix to support .Net 3 and 4. Fixes a bug with injection on boxes without .NET 4.0 2015-10-26 14:19:44 -04:00
Harmj0y 0cbdb165a2 -Updated powerview.ps1 source to Version 2.0
-Built a way to dynamically generate the stripped PowerView code for functions needed by PowerView modules (helpers -> generate_dynamic_powershell_script), and updated all relevant PowerView modules
-Renamed PowerView modules to better match PowerView 2.0 naming scheme and moved to situational_awareness/network/powerview/*
-Removed old split-out PowerView source files
-Removed situational_awareness/network/netview
-Combined stealth_userhunter into option for userhunter
-Added situational_awareness/network/get_forest_domain, situational_awareness/network/powerview/get_object_acl, situational_awareness/network/powerview/find_computer_field, situational_awareness/network/powerview/find_user_field, situational_awareness/network/powerview/get_ou, situational_awareness/network/powerview/get_group, situational_awareness/network/powerview/get_group_member, situational_awareness/network/powerview/get_gpo, situational_awareness/network/powerview/find_gpo_location, situational_awareness/network/powerview/find_gpo_computer_admin, situational_awareness/network/powerview/process_hunter, situational_awareness/network/powerview/find_foreign_group, situational_awareness/network/powerview/find_foreign_user
-renamed collection/filesearch to collection/find_interesting_file
2015-10-23 21:40:06 -04:00
enigma0x3 d5344b6716 Merge pull request #51 from xorrior/master
Modified Invoke-WinEnum
2015-10-13 06:56:12 -04:00
xorrior 7541ea23e8 Modified Invoke-WinEnum
Added Firewall Rules enumeration. Slightly modified file searches to
only pull files owned by the user. Changed formatting.
2015-09-14 16:34:32 -04:00
Harmj0y 140c4baf7a Fixed write_dllhijacker. 2015-09-12 08:23:12 -04:00
enigma0x3 7390ce012c Delete Invoke-BypassUAC.ps1~ 2015-09-12 12:44:01 +02:00
enigma0x3 eaedd354c7 updated to support win10 2015-09-04 21:20:30 -04:00
pasv 875284be7a Working release 2015-09-03 03:44:34 -04:00
Harmj0y 788be8b06a Converted message HMAC from MD5 to SHA1 2015-08-27 18:40:19 -04:00
HarmJ0y 8eaf601ea5 Merge pull request #33 from PowerShellEmpire/inveigh
Integration of Kevin Robertson's Inveigh project
2015-08-26 17:23:52 -04:00
enigma0x3 d3fc5137d4 added privesc/bypassuac_wscript 2015-08-25 21:18:48 -04:00
Harmj0y fb9c18769f Added collection/inveigh. 2015-08-25 17:21:59 -04:00
root 31febba7cb Modified packet. Support Unicode chars in agent 2015-08-24 09:04:21 -04:00
Justin cf935db0ae Merge pull request #18 from 1njected/master
Added support for custom proxy and fixed Epoch/counter to support other cultures/datetime-formats
2015-08-24 08:00:58 -04:00
Harmj0y be637dd38a Updated .dll for Invoke-Mimikatz, including lsadump::dcsync functionality. 2015-08-24 01:28:11 -04:00
Harmj0y 804e1a01a2 Revamped basic shell operations in agent core (cp, dir, mv, etc.)
Standardized UNC path normalization in agent core
added hostname alias
2015-08-20 15:32:26 -04:00
Harmj0y 39d974bb09 Continued porting native shell commands to WMI replacements in agent core
In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases
Modified ./setup/reset.sh to work from parent or ./setup/ folders
2015-08-20 14:35:42 -04:00
Harmj0y fdfb0ba337 Removed "whoami" from the high integrity check. 2015-08-19 21:08:57 -04:00
Harmj0y ae741e2c85 Implement agent route command in WMI. 2015-08-19 20:51:36 -04:00
Tomas Rzepka f5916f0d3e Fixed Epoch/counter to support other cultures/datetime-formats 2015-08-20 00:55:21 +02:00
Harmj0y 109fa29f60 Combined code components for agent.ps1 shell command section. 2015-08-19 18:33:04 -04:00
Harmj0y e68870f143 the following agent commands now use WMI instead of native binaries: ps, tasklist, ipconfig, ifconfig 2015-08-19 18:16:01 -04:00
Harmj0y 4bb0bc4d47 Corrected menu behavior on agent exit, bug fix on some dir behavior 2015-08-19 15:51:36 -04:00
Harmj0y f07a4d4a3f Added collection/netripper implementation of the NetRipper project from Ionut Popescu (@NytroRST) 2015-08-18 21:09:05 -04:00
Harmj0y 6ddce8bb7e Added lateral_movement/invoke_psexec 2015-08-16 10:46:22 -04:00
Harmj0y 2b499a559c Added modules management/timestomp, trollsploit/process_killer, persistence/elevated/wmi, situational_awareness/network/smbscanner 2015-08-16 10:46:12 -04:00
sixdub da6c5a983c Updated Lost Agent Detection 2015-08-14 09:42:54 -04:00
sixdub 834b5c03fc Added missed CB limits 2015-08-14 09:42:54 -04:00
Jon Cave 4624cff0e6 Authenticate the encrypted communications 2015-08-08 18:54:02 +01:00
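Three commits in this log touch the agent/server message framing: "Authenticate the encrypted communications" (4624cff0e6), "Converted message HMAC from MD5 to SHA1" (788be8b06a), and "Expanded server/agent epoch check from +/- 10 minutes to +/- 12 hours" (b3e8ebabe5). The following is an added example, not Empire's packet code, showing the shape those three changes describe in Python: an HMAC-SHA1 tag over the whole frame, verified in constant time before anything else is looked at, followed by a configurable freshness window on the embedded epoch. Everything about the layout is an assumption made for the example: the frame is `epoch (4 bytes, big-endian) || ciphertext || HMAC-SHA1 tag (20 bytes)`, the MAC covers `epoch || ciphertext`, and the ciphertext is treated as an opaque blob (the cipher itself is out of scope). The key and "now" value are constructed so the run is deterministic.

```python
"""Added example: encrypt-then-MAC framing with HMAC-SHA1 and an epoch window.
Not Empire's real packet format; the layout below is an assumption for illustration."""
import hashlib
import hmac
import struct
from typing import Dict

TAG_LEN = hashlib.sha1().digest_size   # 20 bytes
OLD_WINDOW = 10 * 60                   # +/- 10 minutes (before b3e8ebabe5)
NEW_WINDOW = 12 * 3600                 # +/- 12 hours  (after  b3e8ebabe5)


def seal(key: bytes, ciphertext: bytes, epoch: int) -> bytes:
    """Frame an already-encrypted payload: epoch || ciphertext || HMAC-SHA1(epoch || ciphertext)."""
    header = struct.pack(">I", epoch)
    tag = hmac.new(key, header + ciphertext, hashlib.sha1).digest()
    return header + ciphertext + tag


def open_frame(key: bytes, frame: bytes, now: int, window_seconds: int = NEW_WINDOW) -> bytes:
    """Verify the MAC first (constant-time compare), then the freshness window.
    Returns the ciphertext, or raises ValueError with the reason."""
    if len(frame) < 4 + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad HMAC")           # unauthenticated data is never parsed further
    (epoch,) = struct.unpack(">I", body[:4])
    if abs(now - epoch) > window_seconds:
        raise ValueError("epoch outside window")
    return body[4:]


def classify(key: bytes, frame: bytes, now: int, window_seconds: int = NEW_WINDOW) -> str:
    """Reduce open_frame's outcome to a short label for tabulating the demo cases."""
    try:
        open_frame(key, frame, now, window_seconds)
        return "ok"
    except ValueError as err:
        return str(err)


def demo() -> Dict[str, str]:
    """Run constructed frames through the check: fresh, stale, clock-skewed, tampered, wrong key."""
    key = b"constructed-demo-key"      # constructed, not a real Empire staging key
    now = 1_443_000_000                # fixed 'now' so results are deterministic
    payload = b"opaque-ciphertext"

    fresh = seal(key, payload, now - 15 * 60)          # 15 min skew: inside 12h, outside 10min
    stale = seal(key, payload, now - 13 * 3600)        # 13 h skew: outside the 12h window
    tampered = bytearray(fresh)
    tampered[5] ^= 0x01                                # flip one ciphertext byte
    wrong_key = seal(b"other-key", payload, now)

    return {
        "fresh_12h_window": classify(key, fresh, now),
        "fresh_old_10min_window": classify(key, fresh, now, OLD_WINDOW),
        "stale_12h_window": classify(key, stale, now),
        "tampered": classify(key, bytes(tampered), now),
        "wrong_key": classify(key, wrong_key, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

Ordering matters: the MAC check runs before the epoch is even decoded, so a frame that fails authentication is rejected without revealing which rule it would have tripped, and the epoch field itself is covered by the tag so it cannot be adjusted to slide a replayed frame back inside the window. The `fresh_old_10min_window` case shows what the wider window in b3e8ebabe5 buys: a 15-minute clock difference between agent and server no longer causes a valid frame to be dropped.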
enigma0x3 58d626dda4 removed line after function definition 2015-08-07 19:37:12 -04:00