446 lines
16 KiB
Plaintext
446 lines
16 KiB
Plaintext
Running
|
|
---------
|
|
-Fix for issue 340 Added pip install setuptools and apt-get install libssl-dev
|
|
|
|
|
|
9/23/2016
|
|
---------
|
|
-Version 2.0.0 beta, DerbyCon release
|
|
|
|
-Listeners abstracted out to modules
|
|
-Flask used for listener/http instead of base http server
|
|
-client key negotiation abstracted out and implemented in agents
|
|
|
|
-New nested "routing/metadata" packet structure introduced in prep for additional transports
|
|
-all packetes now wrapped with an HMAC'ed RC4 "routing" packet that uses the staging key
|
|
-this is so all agents can decrypt 'routing' information for future p2p comms
|
|
-increases flexibilty for malleable comms (i.e. sessionid removed from POST requests)
|
|
-removes the need to keep track of which URIs are used for tasking/post/staging
|
|
|
|
-Agent data handling improved and abstracted away for listener module use
|
|
-handle_agent_data() handles raw packets, usable by any listener module
|
|
-handle_agent_staging() handles agent key exchange/staging
|
|
-handle_agent_request() handles an agent tasking request
|
|
-handle_agent_response() handles an agent result response
|
|
|
|
-EmPyre integration:
|
|
-Start of integration of EmPyre staging/comms implemented in listeners/http
|
|
-Agent is language-aware:
|
|
"interact AGENT" drops you into the language-appropriate agent menu
|
|
"usemodule [tab]" from an agent only tab-completes language-appropriate modules
|
|
-stagers were broken out into operating system designations:
|
|
-stagers.generate_launcher() now accepts a language specification, which wraps
|
|
the stager generation functionality for listener module
|
|
|
|
-PowerShell:
|
|
-RC4 implemented for first stage obfuscation
|
|
-staging now uses HMAC and nonces
|
|
-epoch-syncing removed
|
|
-core agent cleanup
|
|
|
|
-Listeners:
|
|
added http
|
|
added http_foreign (for 'foreign' Emire listeners)
|
|
added meterpreter (for meterpreter/cobalt strike, using Invoke-Shellcode)
|
|
added management/switch_listener module which switches an agent to a new listener module comms
|
|
redid hop listeners, added listeners/http_hop
|
|
added listeners/http_com which uses IE com objects for communications
|
|
|
|
-Tons of bug fixes (and new bug introductions :)
|
|
-Removed lots of code rot
|
|
-Vastly increased debugging output (--debug 2)
|
|
-New 'Language'/'MinLanguageVersion' options added to modules
|
|
-stagers now have a 'language' option, and are folder-separated by operating system
|
|
-added @mattifestation's AMSI bypass into PowerShell stagers 'safe checks'
|
|
-redid PowerShell jobs architecture to use a separate app domain instead of PowerShell jobs
|
|
-Added key reneogitation in case agents are 'orphaned'
|
|
-moved stager.ps1/stager.py to ./agent/stagers/http.ps1 / ./agent/stagers/http.py
|
|
-agent generation now patches in the comms methods into the base agent.ps1 (need to do agent.py)
|
|
-powershell listeners are now properly hot-swappable with management/switch_listener
|
|
-the external/generate_agent module will now generate a staged agent and preregister it (only for PowerShell at this time)
|
|
-PowerView code updated
|
|
-PowerUp code updated
|
|
-new tables -> results and taskings to separate out stuff for the RESTful API
|
|
-CLI/RESTful API broken, needs testing
|
|
|
|
|
|
7/20/2016
|
|
---------
|
|
-Version 1.5.3
|
|
-Fix for issue #273 - added hostnames to raw screenshot output file
|
|
-Fix for issue #285 - credential export supporting commas
|
|
-Start of code standardization/pep8 cleanup - mods to agents.py, empire.py, and credentials.py
|
|
-moved collection/keethief to collection/vaults/keethief
|
|
-added collection/vaults/find_keepass_config to enumerate KeePass configs on a system
|
|
-added collection/vaults/add_keepass_config_trigger to add a trigger backdoor to all reachable KeePass instances
|
|
-added collection/vaults/get_keepass_config_trigger to enumerate all triggers for all reachable KeePass instances
|
|
-added collection/vaults/remove_keepass_config_trigger to remove all triggers for all reachable KeePass instances
|
|
-Misc. bug fixes
|
|
|
|
7/16/2016
|
|
---------
|
|
-Added collection/keethief module to pilfer KeePass key material from memory
|
|
-"creds X" now searches additional fields for the term (like domain)
|
|
-merged credentials/enum_cred_store from @BeetleChunks
|
|
|
|
7/15/2016
|
|
---------
|
|
-Merged @rvrsh3ll's collection/browser_data module
|
|
-Merged @curi0usJack's situational_awareness/network/smbautobrute module
|
|
-fix for issue #258 - "interact AGENT" now works globally in every menu except an active agent menu
|
|
-fix for issue #221 - hop listeners
|
|
-fix for issue #252 - management/invoke_script now no longer requires an external script
|
|
-fix for issue #257 - sysinfo now executed after running the steal_token command
|
|
|
|
6/24/2016
|
|
---------
|
|
-Updated Invoke-Mimikatz to include a fix for multi-cpu boxes/processor detection
|
|
-Merged @n0clues pull request to change paths from %TEMP% to %PUBLIC% for spawnas module to fix a bug when spawning as a different user.
|
|
-Fixed a typo in the dcsync_hashdump that caused it to crash the Empire server
|
|
-Merged in Inveigh 1.1.1 and current Tater build thanks to @Kevin-Robertson
|
|
-Fixed a bug in the REST API due to the port being a string and not an int
|
|
-Added 417 Expectation failed error bug fix for older proxies (Squid) thanks to @i223t
|
|
|
|
6/9/2016
|
|
---------
|
|
-Updated SQLite dll for Get-ChromeDump.ps1
|
|
|
|
5/27/2016
|
|
---------
|
|
-Fixed format issues with Get-ComputerDetails.ps1
|
|
-More verbose output added to PowerUp's Invoke-ServiceCMD
|
|
-Made Get-SPN PowerShell 2.0 compatible
|
|
-Updated RunAs to include an argument parameter
|
|
-Merged @tristandostaler's /api/map feature to the Rest API
|
|
-Merged in @andrew-morris's installer update to include -Y switch for apt-get commands
|
|
-Merged in MS16-032 local privesc from @leoloobeek
|
|
|
|
5/4/2016
|
|
---------
|
|
-Merged @jaredhaight's Invoke-MetasploitModule module
|
|
|
|
5/2/2016
|
|
---------
|
|
-tightened up argparse validation
|
|
|
|
4/24/2016
|
|
---------
|
|
-Added credentials/get_spn_tickets to request SPN tickets.
|
|
-Added credentials/mimikatz/extract_tickets
|
|
|
|
4/21/2016
|
|
---------
|
|
-Merged @Subtee's regsvc32 (sct) stager
|
|
|
|
4/1/2016
|
|
---------
|
|
-listener starting now returns more verbose errors on failure in console and API
|
|
-merge of @mynameisiv's .jpg screenshot PR
|
|
-Fix for path errors in some cases for ./setup/setup_database.py
|
|
|
|
============
|
|
3/31/2015 - RELEASE 1.5
|
|
============
|
|
-Encompasses all changes since the 1.4 tagged release
|
|
|
|
|
|
3/31/2016
|
|
---------
|
|
-Merge of Inveigh 1.1 update and privesc/tater
|
|
-Updated of Invoke-Mimikatz.ps1 source
|
|
-Updated mimikatz dlls to version 2.1 alpha
|
|
-Included modification to suppress cmd.exe when spawned via PTH.
|
|
|
|
3/30/2016
|
|
---------
|
|
-Added loading of external modules with 'load /path/modules/'
|
|
|
|
3/25/2016
|
|
---------
|
|
-RESTful API modifications
|
|
-expanded agent/server epoch check to +/- 12 hours
|
|
-stagers now run -sta
|
|
|
|
3/24/2016
|
|
---------
|
|
-RESTful API modifications
|
|
|
|
3/22/2016
|
|
---------
|
|
-added auth to RESTful API, additional API fixes
|
|
|
|
3/21/2016
|
|
---------
|
|
-start of RESTful API implementation
|
|
|
|
3/19/2016
|
|
---------
|
|
-PowerView.ps1 update and multiple related module additions
|
|
-added github issue templates
|
|
-added situational_awareness/network/powerview/get_gpo_computer
|
|
|
|
3/11/2016
|
|
---------
|
|
-added privesc/getsystem
|
|
-bug fix for Invoke-PsExec and some x64 pointers
|
|
|
|
3/3/2016
|
|
---------
|
|
-first pass at stager retry interval
|
|
-download chunking modified
|
|
|
|
2/17/2016
|
|
---------
|
|
- '--debug 2' now displays debug information to the console as well as the empire.debug file
|
|
-added privesc/mcafee_sitelist
|
|
|
|
1/15/2016
|
|
---------
|
|
-start of command line option integration, use './empire -h' to see options
|
|
-bug fixes
|
|
-'searchmodule' with no arguments now lists all modules
|
|
|
|
1/14/2016
|
|
---------
|
|
-Fix for some UTF-8 encoding issues
|
|
|
|
1/10/2016
|
|
----------
|
|
-Corrected several bugs in how the workingHours window is handled in the agent
|
|
|
|
|
|
============
|
|
12/29/2015 - RELEASE 1.4
|
|
============
|
|
-Encompasses all changes since 1.3.1 tagged release
|
|
|
|
|
|
12/29/2015
|
|
----------
|
|
-Added situational_awareness/network/powerview/find_managed_security_groups to integrate @stufus' new code
|
|
-Fixed various issues with agent profile handling
|
|
-'DefaultProfile' option in listener menu is now tab-completable and can take a path to a profile.txt
|
|
|
|
12/28/2015
|
|
----------
|
|
-Merge of @stufus' Find-ManagedSecurityGroups code into PowerView.ps1 base
|
|
|
|
12/26/2015
|
|
----------
|
|
-Merge of @jamcut's situational_awareness/host/findtrusteddocuments module
|
|
|
|
12/22/2015
|
|
----------
|
|
-Sync of Kevin Robertson's lateral_movement/inveigh_relay module
|
|
-Sync @stufus' exfiltration/egresscheck module
|
|
-Added module menu dynamic sizing for prettified output
|
|
|
|
12/20/2015
|
|
----------
|
|
-hop.php redirector fix
|
|
|
|
12/16/2015
|
|
----------
|
|
-Sync of Kevin Robertson's collection/inveigh update
|
|
-Added trollsploit/rick_ascii
|
|
-Bug fixes
|
|
|
|
12/11/2015
|
|
----------
|
|
-Updated powerview.ps1
|
|
-Added situational_awareness/network/powerview/get_cached_rdpconnection
|
|
-Added situational_awareness/network/powerview/set_ad_object
|
|
-Added management/downgrade_account
|
|
-Merge of @mubix's setup automation
|
|
|
|
12/9/2015
|
|
---------
|
|
-Added credentials/mimikatz/cache and credentials/mimikatz/sam
|
|
|
|
11/30/2015
|
|
----------
|
|
-Combined persistence/debugger/* into persistence/misc/debugger
|
|
-Added SysWow64 option to management/spawn to spawn a 32-bit powershell.exe
|
|
-Added persistence/userland/backdoor_lnk
|
|
|
|
11/29/2015
|
|
----------
|
|
-Built several modules in management/mailraider/* to integrate @xorrior's MailRaider.ps1
|
|
|
|
11/28/2015
|
|
----------
|
|
-Merged @xorrior's FoxDump and ChromeDump modules
|
|
|
|
11/25/2015
|
|
----------
|
|
-Merged @rvrsh3ll's lateral_movement/invoke_sshcommand
|
|
|
|
11/24/2015
|
|
----------
|
|
-Added script autorun functionality
|
|
|
|
11/23/2015
|
|
----------
|
|
-Merged @rvrsh3ll's recon/http_login
|
|
|
|
11/21/2015
|
|
----------
|
|
-Merge of exploitation/exploit_jboss, bug fix
|
|
-Fix in case module returns None
|
|
-Merged debian setup.sh fix
|
|
-Merged non-interactive cert generation and added to setup.sh
|
|
-Fixed nested menu bug that caused buildup of "Agent X not active."
|
|
-Main display menu now shows each time "main" menu is entered
|
|
|
|
11/8/2015
|
|
---------
|
|
-All PowerUp modules now dynamically built from a single source file
|
|
-PowerUp bug fixes
|
|
-Added privesc/powerup/service_exe_restore, pulled logic from other modules
|
|
-Added management/spawnas to spawn agents with explicit credentials
|
|
-Debug functionality (--debug) now outputs the source of the last tasked script to ./LastTask.ps1
|
|
-Write-Verbose and Write-Debug lines now stripped from tasked scripts
|
|
-Added situational_awareness/network/powerview/get_forest module
|
|
|
|
11/4/2015
|
|
---------
|
|
-Added persistence/misc/add_netuser to add local/domain users
|
|
|
|
11/2/2015
|
|
---------
|
|
-Fixed small bug in TASK_CMD_WAIT response parsing
|
|
|
|
|
|
============
|
|
10/30/2015 - RELEASE 1.3.1
|
|
============
|
|
-Updated reflectivepick dlls to fix bug in injection and dll payload injection
|
|
|
|
|
|
============
|
|
10/29/2015 - RELEASE 1.3
|
|
============
|
|
-Encompasses all changes since 1.2 tagged release
|
|
|
|
|
|
10/26/2015
|
|
----------
|
|
-Fix for psinject bug due to lack of .NET 4.0 on target.
|
|
-Fix for bug in persistence/misc/add_sid_history
|
|
|
|
10/23/15
|
|
--------
|
|
-Updated powerview.ps1 source to Version 2.0
|
|
-Built a way to dynamically generate the stripped PowerView code for functions needed by PowerView modules (helpers -> generate_dynamic_powershell_script), and updated all relevant PowerView modules
|
|
-Renamed PowerView modules to better match PowerView 2.0 naming scheme and moved to situational_awareness/network/powerview/*
|
|
-Removed old split-out PowerView source files
|
|
-Removed situational_awareness/network/netview
|
|
-Combined stealth_userhunter into option for userhunter
|
|
-Added situational_awareness/network/get_forest_domain, situational_awareness/network/powerview/get_object_acl, situational_awareness/network/powerview/find_computer_field, situational_awareness/network/powerview/find_user_field, situational_awareness/network/powerview/get_ou, situational_awareness/network/powerview/get_group, situational_awareness/network/powerview/get_group_member, situational_awareness/network/powerview/get_gpo, situational_awareness/network/powerview/find_gpo_location, situational_awareness/network/powerview/find_gpo_computer_admin, situational_awareness/network/powerview/process_hunter, situational_awareness/network/powerview/find_foreign_group, situational_awareness/network/powerview/find_foreign_user
|
|
-renamed collection/filesearch to collection/find_interesting_file
|
|
|
|
9/21/2015
|
|
---------
|
|
-Fix for 'skywalker' file overwrite exploit on control server (thanks @zeroSteiner!)
|
|
|
|
9/12/2015
|
|
---------
|
|
-Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation
|
|
-Added management/enable_multi_rdp to patch terminal services to allow mutiple connections
|
|
-Fixed bug in write_dllhijacker that prevented the dll from being written out
|
|
|
|
|
|
============
|
|
8/30/2015 - RELEASE 1.2
|
|
============
|
|
-Encompasses all changes below
|
|
--- 'Native' shell commands in agent core ported to WMI equivalents
|
|
--- HMAC now uses SHA1 instead of MD5
|
|
--- Numerous bug fixes and UI tweaks throughout code
|
|
--- Six new modules and WAR stager added, /sids option added to golden_ticket
|
|
--- Fixed international locale bug with unicode text in agent.ps1
|
|
|
|
|
|
8/29/2015
|
|
---------
|
|
-HMAC algorithm for packet comms upgraded to use SHA1 instead of MD5
|
|
-credentials collected from collection/prompt now scraped/added to credential model
|
|
|
|
8/26/2015
|
|
---------
|
|
-Added module privesc/bypassuac_wscript
|
|
-Added module collection/inveigh
|
|
-Added stager war
|
|
|
|
8/24/2015
|
|
---------
|
|
-Added credentials/mimikatz/dcsync for remote DC credential extraction
|
|
-Added situational_awareness/network/get_domaintrusts
|
|
-Added /sids argument for credentials/mimikatz/golden_ticket
|
|
-Added credential parsing for dcsync output
|
|
-updated links for PowerTools
|
|
-Fixed bug in credential parsing with ":" inside of the password,username, or domain
|
|
-Fixed international locale bug with unicode text in agent.ps1. Now all results are base64 encoded prior to being packetized. Encoding will be handled at server.
|
|
|
|
8/20/2015
|
|
---------
|
|
-Continued porting native shell commands to WMI replacents in agent core
|
|
-In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases
|
|
-Modified ./setup/reset.sh to work from parent or ./setup/ folders
|
|
-Agent core functions streamlined
|
|
-"list [agents/listeners] <modifier>" should now be a global command
|
|
|
|
8/19/2015
|
|
---------
|
|
-Added collection/netripper, port of the NetRipper project
|
|
-Added collection/packet_capture for netsh event tracing
|
|
-Added management/zipfolder for native folder compression
|
|
-Corrected menu behavior on agent exit, bug fix on some dir behavior
|
|
-Started porting native shell commands to WMI in the agent core
|
|
|
|
============
|
|
8/16/2015 - RELEASE 1.1
|
|
============
|
|
-Encompasses all changes below
|
|
--- Crypto patch to prevent DOS condition
|
|
--- Numerous bug fixes throughout code
|
|
--- Extra modules added and HTA stager
|
|
--- Ability for agents to die after certain number of failed checkins
|
|
--- Added ability to easily remove "stale" agents
|
|
|
|
|
|
8/15/2015
|
|
---------
|
|
-Added modules management/timestomp, trollsploit/process_killer, persistence/elevated/wmi, situational_awareness/network/smbscanner, lateral_movement/invoke_psexec
|
|
-Accepted HTA Stager from subtee
|
|
|
|
8/12/2015
|
|
--------
|
|
-Merged in list stale and remove stale functionality
|
|
-Fixed delay in list stale feature
|
|
-Fixed active agent message in list stale feature
|
|
-Fixed registry storage in schtasks and registry persistence modules (userland and elevated)
|
|
|
|
8/11/2015
|
|
---------
|
|
-Merged in Lost Agent Detection
|
|
-"agents> remove X" now removes agents that checked in > X minutes ago
|
|
-"agents> list stale" and "agents> remove stale" now list/remove stale agents past their max checkins
|
|
|
|
8/10/2015
|
|
---------
|
|
-Fixed tab completion of usestager module
|
|
-Added dependencies for Ubuntu 14.04
|
|
-Fixed IP Whitelisting set from file
|
|
-Added "Lost Agent Detection". Allows the ability for an agent to die after a certain number of missed checkins. This is implemented via the "lostlimit" command. Default set to 60 missed checkins.
|
|
|
|
8/9/2015
|
|
----------
|
|
-Fixed flaw in crypto allowing a DOS condition.
|
|
-Added authentication to the AES crypto scheme to verify integrity of messages
|
|
|
|
8/6/2015
|
|
-----------
|
|
-Initial release. All components released
|
|
-Commited path fix to correct bug in certain modules
|