Empire 3.0 / Python 3 #27
Merged: 60 commits, Dec 23, 2019
Commits
078d405
python 3 stage one updates
Hubbl3 Oct 22, 2019
2245d7c
python 3 stage 2/initial running config updates
Hubbl3 Oct 23, 2019
045a912
python 3 first round of py 2 remediation
Hubbl3 Oct 25, 2019
fdddd8a
Http listener with Multi/launcher working
Hubbl3 Oct 26, 2019
875dd27
remove venv
vinnybod Oct 26, 2019
7d69969
fix for issue #5
Hubbl3 Oct 28, 2019
14e0d55
Updated empire.py and requirements.txt
invalid-email-address Oct 29, 2019
b6570e8
Fix for port issue - issue #11
Cx01N Nov 2, 2019
a94193f
Fixed PSinject - issue #6
Cx01N Nov 2, 2019
a9ae77c
python3 multi/launcher working. Lots of debug statements printing
invalid-email-address Nov 2, 2019
f29b108
Fixed agent tasking
Cx01N Nov 4, 2019
282645d
Updated PSinject compatibility with Python 3
Cx01N Nov 6, 2019
abcbe48
converted bytes wrappers
Hubbl3 Nov 8, 2019
375f6b0
initial beta of 2/3 crossover functioning
Hubbl3 Nov 8, 2019
57bb9dd
Update README.md
Cx01N Nov 8, 2019
e2396ab
Fixed Mimikatz error #15
Cx01N Nov 9, 2019
673ed24
Fixed Python 3 tab complete - Issue #13
Cx01N Nov 9, 2019
b6ae5ca
Http_com update
Cx01N Nov 10, 2019
9c6f749
Fixed listener http_com
Cx01N Nov 11, 2019
3b19ab2
Update Mimikatz/dcsync
Cx01N Nov 11, 2019
2577f57
Cleaned up debug messages
Cx01N Nov 11, 2019
fea2bc7
Fixed http_hop token issue #17
Cx01N Nov 13, 2019
f2afb30
Fixed dsync hashdump error #7
Cx01N Nov 17, 2019
62d5f62
Updated to Mimikatz 2.2.0 20190408
Cx01N Nov 17, 2019
3172e11
Http_hop updates
Cx01N Nov 21, 2019
9eff92f
Changed obfuscate home address
Cx01N Nov 21, 2019
3addba1
http_hop fixed #18
Hubbl3 Nov 22, 2019
8c5b8fe
Updated Redirector
Cx01N Nov 22, 2019
ac7790c
Quote error in Http-hop
Cx01N Nov 23, 2019
e4586b1
Removed unused comments
Cx01N Nov 23, 2019
a6e367b
Merge pull request #21 from BC-SECURITY/python3-http_hop
Cx01N Nov 23, 2019
34f167a
Make uselistener accessible from main menu
Hubbl3 Nov 24, 2019
8802b9a
Merge pull request #22 from BC-SECURITY/python3-http_hop
Cx01N Nov 24, 2019
42646fa
Added Invoke-RID_Hijack
Cx01N Nov 24, 2019
7078f1d
Added internal monologue (Pull #19)
Cx01N Nov 24, 2019
fcb47dd
Added Invoke-SMBLogin
Cx01N Nov 25, 2019
63f3c6a
Added Sherlock module - #20
Cx01N Nov 27, 2019
f00932a
Added MS15-078 check - #20
Cx01N Nov 30, 2019
0e4e0ec
randomized JA3S signature
Hubbl3 Dec 2, 2019
0bda20f
Update changelog
Hubbl3 Dec 3, 2019
69bead5
Added contributor credits to changelog
Cx01N Dec 3, 2019
f869839
added JA3S randomization code to http_com and http_mapi
Hubbl3 Dec 3, 2019
d639e3a
added JA3S randomization code to http_com and http_mapi
Hubbl3 Dec 3, 2019
be27799
Updated README
Cx01N Dec 3, 2019
dbaae9c
Update README.md
Hubbl3 Dec 3, 2019
6fe381b
Fix Port issue - #24
Cx01N Dec 5, 2019
9f1ca8c
Removed debug txt file
Cx01N Dec 6, 2019
2829029
Fixed orphaned agents - #23
Cx01N Dec 7, 2019
8ab137c
Removed Add-Content
Cx01N Dec 7, 2019
b0c3030
Updated version number
Cx01N Dec 8, 2019
fcee965
Updated to Mimikatz 2.2.0 20191125
Cx01N Dec 8, 2019
d5e18eb
Variable type checking
Cx01N Dec 8, 2019
2ea59bf
Added Get-LAPSPasswords - #20
Cx01N Dec 8, 2019
6d886ff
Updated documentation
Cx01N Dec 8, 2019
972429c
Re-enabled clearing main menu
Cx01N Dec 8, 2019
d96a7ac
Add docker deploys (#25)
vinnybod Dec 8, 2019
9fcef74
Fix Invoke_ReverseDNSlookup error - #8
Cx01N Dec 9, 2019
34fd539
Merge branch 'master' into dev
vinnybod Dec 9, 2019
f6a9db9
Cleaned up debug messages
Cx01N Dec 11, 2019
8e86a3b
Update Readme
Cx01N Dec 23, 2019
2 changes: 1 addition & 1 deletion .dockerignore
@@ -31,7 +31,7 @@ develop-eggs/
dist/
downloads/
eggs/
lib/
# lib/
lib64/
parts/
sdist/
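Review bot: commenting out `lib/` without a note will read as a leftover in a later review. The entry comes from the generic Python ignore template, but Empire's framework code lives under `lib/` (the removed Dockerfile comments reference `lib/common/empire.py`), so the image cannot be built without it. Either delete the line outright or keep it with a one-line comment saying why it is disabled, e.g. `# lib/ is Empire source, not a build artifact`.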
23 changes: 23 additions & 0 deletions .github/workflows/dockerimage.yml
@@ -0,0 +1,23 @@
name: Docker Image CI

on:
push:
branches:
- master
- dev
release:
types: [published]

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Publish Docker
uses: elgohr/[email protected]
with:
name: bcsecurity/empire
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
dockerfile: Dockerfile
tag_names: true
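Review bot: the publish step's `uses:` value reads `elgohr/[email protected]`, which is not a valid `owner/repo@ref` action reference and will not resolve as written; the intended action and version need to be spelled out. Because this step receives `DOCKER_USERNAME` and `DOCKER_PASSWORD`, pin it (and `actions/checkout`, currently at the mutable `@v1` tag) to a full commit SHA so that a retagged or compromised upstream action cannot read the registry credentials. The workflow also publishes on every push to `dev`, not only `master` and published releases; confirm that unreviewed dev pushes are meant to produce public images under `bcsecurity/empire`.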
2 changes: 2 additions & 0 deletions .gitignore
@@ -15,3 +15,5 @@ setup/xar*/
setup/bomutils/
.venv
.DS_Store
venv/

61 changes: 22 additions & 39 deletions Dockerfile
@@ -1,33 +1,23 @@
# NOTE: Only use this when you want to build image locally
# else use `docker pull empireproject/empire:{VERSION}`
# all image versions can be found at: https://hub.docker.com/r/empireproject/empire/
# else use `docker pull bcsecurity/empire:{VERSION}`
# all image versions can be found at: https://hub.docker.com/r/bcsecurity/empire/

# -----BUILD COMMANDS----
# 1) build command: `docker build -t empireproject/empire .`
# 2) create volume storage: `docker create -v /opt/Empire --name data empireproject/empire`
# 3) run out container: `docker run -ti --volumes-from data empireproject/empire /bin/bash`
# 1) build command: `docker build -t bcsecurity/empire .`
# 2) create volume storage: `docker create -v /empire --name data bcsecurity/empire`
# 3) run out container: `docker run -ti --volumes-from data bcsecurity/empire /bin/bash`

# -----RELEASE COMMANDS----
# 1) `USERNAME=empireproject`
# 2) `IMAGE=empire`
# 3) `git pull`
# 4) `export VERSION="$(curl -s https://raw.githubusercontent.com/EmpireProject/Empire/master/lib/common/empire.py | grep "VERSION =" | cut -d '"' -f2)"`
# 5) `docker tag $USERNAME/$IMAGE:latest $USERNAME/$IMAGE:$VERSION`
# 1) `docker push $USERNAME/$IMAGE:latest`
# 2) `docker push $USERNAME/$IMAGE:$VERSION`
# Handled by GitHub Actions

# -----BUILD ENTRY-----

# image base
FROM ubuntu:16.04

# pull from BUILD
ARG empirversion
FROM python:3.7.5-buster

# extra metadata
LABEL maintainer="EmpireProject"
LABEL maintainer="bc-security"
LABEL description="Dockerfile base for Empire server."
LABEL version=${empirversion}

# env setup
ENV STAGING_KEY=RANDOM
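Review bot: removing `ARG empirversion` together with `LABEL version=${empirversion}` leaves the image with no recorded Empire version, even though this PR adds a `VERSION` file; re-adding an `ARG` fed from that file and a `LABEL version` would keep `docker inspect` meaningful. `FROM python:3.7.5-buster` is a fixed tag but still mutable; pinning by digest (`python:3.7.5-buster@sha256:...`) makes the build reproducible. Minor: "run out container" in the build commands comment should be "run our container".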
@@ -36,25 +26,18 @@ ENV DEBIAN_FRONTEND=noninteractive
# set the def shell for ENV
SHELL ["/bin/bash", "-c"]

# install basic build items
RUN apt-get update && apt-get install -qy \
wget \
curl \
git \
sudo \
apt-utils \
lsb-core \
python2.7 \
python-dev \
&& ln -sf /usr/bin/python2.7 /usr/bin/python \
&& rm -rf /var/lib/apt/lists/*

# build empire from source
# TODO: When we merge to master set branch to master
RUN git clone --depth=1 -b dev https://github.com/EmpireProject/Empire.git /opt/Empire && \
cd /opt/Empire/setup/ && \
COPY . /empire

RUN apt-get update && \
apt-get -y install sudo && \
apt-get -y install lsb-release

RUN cd /empire/setup/ && \
./install.sh && \
rm -rf /opt/Empire/data/empire*
RUN python2.7 /opt/Empire/setup/setup_database.py
WORKDIR "/opt/Empire"
CMD ["python2.7", "empire"]
rm -rf /empire/data/empire*

RUN python /empire/setup/setup_database.py

WORKDIR /empire

CMD ["python", "empire"]
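Review bot: the new `RUN apt-get update && apt-get -y install sudo && apt-get -y install lsb-release` drops the `rm -rf /var/lib/apt/lists/*` cleanup that the removed block had, so the apt cache is baked into the layer; collapse it to `apt-get install -y --no-install-recommends sudo lsb-release && rm -rf /var/lib/apt/lists/*`. Installing `sudo` in an image that builds and runs as root is unnecessary unless `install.sh` hard-requires it, in which case a comment should say so. More importantly, `rm -rf /empire/data/empire*` now runs in a later layer than `COPY . /empire`, so any `data/empire*` files (the database and its contents) present in the build context remain in the COPY layer and ship with the image; exclude them through `.dockerignore` instead of deleting them afterwards.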
35 changes: 26 additions & 9 deletions README.md
@@ -24,10 +24,9 @@
Keep up-to-date on our blog at [https://www.bc-security.org/blog][7]

# Empire
## The beta release of [Empire 3.0](https://github.com/BC-SECURITY/Empire/tree/dev) is available on the dev branch ##
Empire 3.0 is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent, and compatibility with Python 2.x/3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at [BSidesLV in 2015](https://www.youtube.com/watch?v=Pq9t59w0mUI) and Python EmPyre premeiered at HackMiami 2016. BC-Security presented updates to further evade Microsoft Antimalware Scan Interface (AMSI) and JA3/S signatures at [DEF CON 27](https://github.com/BC-SECURITY/DEFCON27).

Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with [heavily here](http://www.powershellempire.com/?page_id=2) and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to improperly cite existing or prior work, please let us know.
Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with [heavily here](http://www.powershellempire.com/?page_id=2) and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to properly cite existing or prior work, please let us know at [email protected].

Empire is developed by [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [@rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), [@xorrior](https://twitter.com/xorrior), and [@bcsecurity1](https://twitter.com/BCSecurity1). While the main fork for Empire is no longer maintained, this fork is maintained by [BC-Security](https://www.bc-security.org) and will continue to receive periodic updates.

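Review bot: the new contact in "please let us know at [email protected]" renders as a placeholder rather than a usable address; confirm the intended mailbox before merge. The unchanged sentence just above has "premeiered" (should be "premiered") and is worth fixing while this paragraph is being edited. Dropping the "beta release ... on the dev branch" heading while the changelog in this same PR still calls 3.0 a "Beta Release" leaves the two out of step; pick one.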
@@ -50,32 +49,50 @@ sudo ./setup/install.sh

There's also a [quickstart here](http://www.powershellempire.com/?page_id=110) and full [documentation here](http://www.powershellempire.com/?page_id=83).

## Docker
If you want to run Empire using a pre-built docker container:
```bash
docker pull bcsecurity/empire:{version}
docker run -it bcsecurity/empire:{version}

# with persistent storage
docker pull bcsecurity/empire:{version}
docker create -v /empire --name data bcsecurity/empire:{version}
docker run -it --volumes-from data bcsecurity/empire:{version}

# if you prefer to be dropped into bash instead of directly into empire
# or docker run -it --volumes-from data bcsecurity/empire:{version} /bin/bash
```

All image versions can be found at: https://hub.docker.com/r/bcsecurity/empire/
* The last commit from master will be deployed to the `latest` tag
* The last commit from the dev branch will be deployed to the `dev` tag
* All github tagged releases will be deployed using their version numbers (v3.0, v3.1, etc)

## Quickstart

Check out the [Empire wiki](https://github.com/EmpireProject/Empire/wiki/Quickstart) for instructions on getting started with Empire.

## To Do List

* Port code to work with Python 3
* ~~Port code to work with Python 3~~
* [Invoke-SocksProxy](https://github.com/p3nt4/Invoke-SocksProxy)
* Function name randomization
* JA3/S signature randomization
* Multi-menu function calls
* ~~JA3/S signature randomization~~
* ~~Multi-menu function calls~~
* Function name aliasing
* Update to [Mimikatz 2.2.0](https://github.com/gentilkiwi/mimikatz)
* ~~Update to [Mimikatz 2.2.0](https://github.com/gentilkiwi/mimikatz)~~

## Contribution Rules

Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.

* Beginning with version 3.0, we will require that all updates be both Python 2.x/3.x compatible.
* Submit pull requests to the [dev branch](https://github.com/powershellempire/Empire/tree/dev). After testing, changes will be merged to master.
* Submit pull requests to the [dev branch](https://github.com/BC-SECURITY/Empire/tree/dev). After testing, changes will be merged to master.
* Depending on what you're working on, base your module on [./lib/modules/powershell_template.py](lib/modules/powershell_template.py) or [./lib/modules/python_template.py](lib/modules/python_template.py). **Note** that for some modules you may need to massage the output to get it into a nicely displayable text format [with Out-String](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L111).
* Cite previous work in the **'Comments'** module section.
* If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate **data/module_source/*** directory and [pulling the script contents into the module on tasking](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L85-L95).
* Use [approved PowerShell verbs](https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx) for any functions.
* PowerShell Version 2 compatibility is **STRONGLY** preferred.
* TEST YOUR MODULE! Be sure to run it from an Empire agent and test both Python 2.x/3.x functionality before submitting a pull to ensure everything is working correctly.
* For additional guidelines for your PowerShell code itself, check out the [PowerSploit style guide](https://github.com/PowerShellMafia/PowerSploit/blob/master/README.md).

[![alt text][1.1]][1]
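Review bot: the Quickstart link still points at `https://github.com/EmpireProject/Empire/wiki/Quickstart` while the dev-branch link in the contribution rules was moved to BC-SECURITY in this hunk; update it or confirm the upstream wiki is still the intended reference. In the Docker block the bash variant is only a comment (`# or docker run -it --volumes-from data bcsecurity/empire:{version} /bin/bash`), so someone copying the block never gets it; show it as a runnable line under its explanatory comment. It would also help to state that `{version}` is one of the tags listed right after the block (`latest`, `dev`, `v3.0`, ...).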
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
2.3.0
3.0
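Review bot: `3.0` here conflicts with the changelog entry in this PR, which calls this the "Version 3.0 Beta Release". Since the README says tagged releases are published to Docker Hub under their version numbers and master goes to `latest`, decide whether this file should carry a pre-release identifier so that a beta does not become the `latest` image.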
38 changes: 37 additions & 1 deletion changelog
@@ -1,8 +1,44 @@
11/26/2019
------------
- Version 3.0 Beta Release
- Added Python 2.6/7 and 3.x compatibility (@Cx01N, @Hubbl3, @Vinnybod)
- Improved Windows Defender Evasion
- Updated mimikatz binary in Invoke-Mimikatz to version 2.2.0 20191125 (@Cx01N)
- Fixed port assignment feature to listeners (@Cx01N)
- Fixed issues with http_Hop listener (@Cx01N)
- Fixed issues with redirector listener (@Cx01N)
- Fixed typos in default http listener payloads (@Hubbl3)
- Fixed psinject AV recognition (@Hubbl3)
- Updated Invoke-Obfuscation to version 1.8 (@phra)
- Updated Invoke-Kerberoast (@Zero1t0)
- Added ability to uselisteners on main menu (@Cx01N, @Hubbl3)
- Added Get-Subnet_Ranges (@benichmt1)
- Added Get-WinUpdates (@classity)
- Added Get-KerberosServiceTIcket (@OneLogicalMyth)
- Added Invoke-RID_Hijack (@r4wd3r)
- Added Invoke-internal_monologue (@audibleblink)
- Added Get-LAPSPasswords (@audibleblink)
- Added Invoke-SMBLogin (@mvelazc0)
- Added Sherlock (@_RastaMouse, @audibleblink)
- Added Outlook Sandbox Evasion for Windows Macro launcher (@Cx01N, @Hubbl3)
- Added Randomized JA3S signature (@Hubbl3)
- Added AMSI Bypass based on Tal Liberman's AMSI Bypass (@Hubbl3)
- Added Invoke-CredentialPhisher (@quickbreach)
- Made Security Bypasses configurable for launchers (@phra)
- Updated Readme to include install instruction, EOL of Core Devloper support, new contribution rules
- Added OSX shellcode stager (@johneiser)
- Added Invoke-Phant0m (@leesoh)
- Added Get-AppLockerConfig (@matterpreter)
- Added HostRecon (@RootUp)
- Added more informative PS agent directory listing (@winnie22)

Credit was given based on Commit Author if something is credited incorrectly or we missed an update
please contact us at [email protected]

03/15/2018
------------
- Version 2.5 Master Release
- Patched launcher generation bug
- Patched launcher generation bug
- Added OSX Mic record module #893 (@s0lst1c3)
- More robust password handling in ssh_command and ssh_launcher modules (@retro-engineer)
- Updated server responses for http listener (@xorrior)
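Review bot: the entry is dated 11/26/2019 but lists work that this PR's commit history dates later (Get-LAPSPasswords and the Mimikatz 2.2.0 20191125 update on Dec 8, docker deploys on Dec 8), so the date should be the actual release date. Typos in the added lines: "Get-KerberosServiceTIcket", "Devloper", and the credit sentence needs a full stop after "Commit Author" before "if something is credited incorrectly". The duplicated "Patched launcher generation bug" line in the 03/15/2018 context is pre-existing but could be cleaned up while this file is open.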
1 change: 0 additions & 1 deletion data/agent/agent.ps1
@@ -471,7 +471,6 @@ function Invoke-Empire {
# uris(comma separated)|UserAgent|header1=val|header2=val2...
# headers are optional. format is "key:value"
# ex- cookies are "cookie:blah=123;meh=456"

$ProfileParts = $Profile.split('|')
$script:TaskURIs = $ProfileParts[0].split(',')
$script:UserAgent = $ProfileParts[1]
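Review bot: whitespace-only change, but the comment block it touches is internally inconsistent: the format line says `header1=val|header2=val2`, the next line says headers are `"key:value"`, and the example uses `cookie:blah=123`. Since `$ProfileParts = $Profile.split('|')` directly below is the code that parses this, this is the right place to make the comment match the separator the parser actually expects.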