Merge pull request #425 from BC-SECURITY/dev

Empire 3.6.3 Release

VERSION

@@ -1 +1 @@
-3.6.2
+3.6.3

changelog

@@ -1,3 +1,11 @@
+12/18/2020
+------------
+- Version 3.6.3 Master Release
+        - Added save path to download file message - #414 (@meldridge)
+        - Updated installation file formatting - #410 (@Pernat1y)
+        - Fixed python 3.9.1 issue with deprecated base64 function - #422 (@brimstone)
+        - Fixed dump creds and hash not being logged in credentials properly - #423 (@Cx01N)
+
 11/27/2020
 ------------
 - Version 3.6.2 Master Release

lib/common/agents.py

@@ -316,7 +316,7 @@ def save_file(self, sessionID, path, data, filesize, append=False):
         percent = round(int(os.path.getsize("%s/%s" % (save_path, filename)))/int(filesize)*100,2)
 
         # notify everyone that the file was downloaded
-        message = "[+] Part of file {} from {} saved [{}%]".format(filename, sessionID, percent)
+        message = "[+] Part of file {} from {} saved [{}%] to {}".format(filename, sessionID, percent, save_path)
         signal = json.dumps({
             'print': True,
             'message': message
@@ -2059,6 +2059,22 @@ def process_agent_packet(self, sessionID, responseName, taskID, data):
                 # dynamic script output -> non-blocking
                 self.update_agent_results_db(sessionID, data)
 
+                # see if there are any credentials to parse
+                time = helpers.get_datetime()
+                creds = helpers.parse_credentials(data)
+                if creds:
+                    for cred in creds:
+
+                        hostname = cred[4]
+
+                        if hostname == "":
+                            hostname = self.get_agent_hostname_db(sessionID)
+
+                        osDetails = self.get_agent_os_db(sessionID)
+
+                        self.mainMenu.credentials.add_credential(cred[0], cred[1], cred[2], cred[3], hostname,
+                                                                 osDetails, cred[5], time)
+
                 # update the agent log
                 self.save_agent_log(sessionID, data)
 

lib/common/empire.py

@@ -18,7 +18,7 @@
 
 from flask_socketio import SocketIO
 
-VERSION = "3.6.2 BC Security Fork"
+VERSION = "3.6.3 BC Security Fork"
 
 from pydispatch import dispatcher
 

lib/common/helpers.py

@@ -543,25 +543,25 @@ def parse_mimikatz(data):
         for x in range(8, 13):
             if lines[x].startswith(b"Domain :"):
 
-                domain, sid, krbtgtHash = "", "", ""
+                domain, sid, krbtgtHash = b"", b"", b""
 
                 try:
-                    domainParts = lines[x].split(":")[1]
-                    domain = domainParts.split("/")[0].strip()
-                    sid = domainParts.split("/")[1].strip()
+                    domainParts = lines[x].split(b":")[1]
+                    domain = domainParts.split(b"/")[0].strip()
+                    sid = domainParts.split(b"/")[1].strip()
 
                     # substitute the FQDN in if it matches
-                    if hostDomain.startswith(domain.lower()):
+                    if hostDomain.startswith(domain.decode("UTF-8").lower()):
                         domain = hostDomain
                         sid = domainSid
 
                     for x in range(0, len(lines)):
-                        if lines[x].startswith("User : krbtgt"):
-                            krbtgtHash = lines[x + 2].split(":")[1].strip()
+                        if lines[x].startswith(b"User : krbtgt"):
+                            krbtgtHash = lines[x + 2].split(b":")[1].strip()
                             break
 
-                    if krbtgtHash != "":
-                        creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))
+                    if krbtgtHash != b"":
+                        creds.append(("hash", domain.decode('UTF-8'), "krbtgt", krbtgtHash.decode('UTF-8'), hostName.decode('UTF-8'), sid.decode('UTF-8')))
                 except Exception as e:
                     pass
 
@@ -570,23 +570,20 @@ def parse_mimikatz(data):
         if b'** SAM ACCOUNT **' in lines:
             domain, user, userHash, dcName, sid = "", "", "", "", ""
             for line in lines:
-                try:
-                    if line.strip().endswith("will be the domain"):
-                        domain = line.split("'")[1]
-                    elif line.strip().endswith("will be the DC server"):
-                        dcName = line.split("'")[1].split(".")[0]
-                    elif line.strip().startswith("SAM Username"):
-                        user = line.split(":")[1].strip()
-                    elif line.strip().startswith("Object Security ID"):
-                        parts = line.split(":")[1].strip().split("-")
-                        sid = "-".join(parts[0:-1])
-                    elif line.strip().startswith("Hash NTLM:"):
-                        userHash = line.split(":")[1].strip()
-                except:
-                    pass
+                if line.strip().endswith(b"will be the domain"):
+                    domain = line.split(b"'")[1]
+                elif line.strip().endswith(b"will be the DC server"):
+                    dcName = line.split(b"'")[1].split(b".")[0]
+                elif line.strip().startswith(b"SAM Username"):
+                    user = line.split(b":")[1].strip()
+                elif line.strip().startswith(b"Object Security ID"):
+                    parts = line.split(b":")[1].strip().split(b"-")
+                    sid = b"-".join(parts[0:-1])
+                elif line.strip().startswith(b"Hash NTLM:"):
+                    userHash = line.split(b":")[1].strip()
 
             if domain != "" and userHash != "":
-                creds.append(("hash", domain, user, userHash, dcName, sid))
+                creds.append(("hash", domain.decode('UTF-8'), user.decode('UTF-8'), userHash.decode('UTF-8'), dcName.decode('UTF-8'), sid.decode('UTF-8')))
 
     return uniquify_tuples(creds)
 
@@ -851,7 +848,7 @@ def decode_base64(data):
         data += b'=' * missing_padding
 
     try:
-        result = base64.decodestring(data)
+        result = base64.decodebytes(data)
         return result
     except binascii.Error:
         # if there's a decoding error, just return the data

setup/install.sh

@@ -1,63 +1,86 @@
 #!/bin/bash
+
 function install_powershell() {
-	# Deb 10.x
-	if cat /etc/debian_version | grep 10.* ; then
-    # Download the Microsoft repository GPG keys
-    wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb
+	# Debian 10.x
+	if grep "10.*" /etc/debian_version 2>/dev/null; then
+		# Download the Microsoft repository GPG keys
+		wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb
+
+		# Register the Microsoft repository GPG keys
+		sudo dpkg -i packages-microsoft-prod.deb
 
-    # Register the Microsoft repository GPG keys
-    sudo dpkg -i packages-microsoft-prod.deb
+		# Update the list of products
+		sudo apt-get update
 
-    # Update the list of products
-    sudo apt-get update
+		# Install PowerShell
+		sudo apt-get install -y powershell
 
-    # Install PowerShell
-    sudo apt-get install -y powershell
-	# Deb 9.x
-	elif cat /etc/debian_version | grep 9.* ; then
+	# Debian 9.x
+	elif grep "9.*" /etc/debian_version 2>/dev/null; then
 		# Install system components
 		sudo apt-get install -y apt-transport-https curl
+
 		# Import the public repository GPG keys
 		curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+
 		# Register the Microsoft Product feed
 		sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch main" > /etc/apt/sources.list.d/microsoft.list'
+
 		# Update the list of products
 		sudo apt-get update
+
 		# Install PowerShell
 		sudo apt-get install -y powershell
-	# Deb 8.x
-	elif cat /etc/debian_version | grep 8.* ; then
+
+	# Debian 8.x
+	elif grep "8.*" /etc/debian_version 2>/dev/null; then
 		# Install system components
 		sudo apt-get install -y apt-transport-https curl gnupg
+
 		# Import the public repository GPG keys
 		curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+
 		# Register the Microsoft Product feed
 		sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-jessie-prod jessie main" > /etc/apt/sources.list.d/microsoft.list'
+
 		# Update the list of products
 		sudo apt-get update
+
 		# Install PowerShell
 		sudo apt-get install -y powershell
-	#Ubuntu
-	elif lsb_release -d | grep -q "Ubuntu"; then
+
+	# Ubuntu
+	elif lsb_release -d 2>/dev/null | grep -q "Ubuntu"; then
 		# Read Ubuntu version
 		local ubuntu_version=$( grep 'DISTRIB_RELEASE=' /etc/lsb-release | grep -o -E [[:digit:]]+\\.[[:digit:]]+ )
+
 		# Install system components
 		sudo apt-get install -y apt-transport-https curl
+
 		# Import the public repository GPG keys
 		curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+
 		# Register the Microsoft Ubuntu repository
 		curl https://packages.microsoft.com/config/ubuntu/$ubuntu_version/prod.list | sudo tee /etc/apt/sources.list.d/microsoft.list
+
 		# Update the list of products
 		sudo apt-get update
+
 		# Install PowerShell
 		sudo apt-get install -y powershell
-	#Kali Linux
-	elif lsb_release -d | grep -q "Kali"; then
+
+	# Kali Linux
+	elif lsb_release -d 2>/dev/null | grep -q "Kali"; then
 		apt update && apt -y install powershell
+
+	else
+		echo 'Unsupported OS. Exiting.' && exit
 	fi
-	if ls /opt/microsoft/powershell/*/DELETE_ME_TO_DISABLE_CONSOLEHOST_TELEMETRY; then
-		rm /opt/microsoft/powershell/*/DELETE_ME_TO_DISABLE_CONSOLEHOST_TELEMETRY
-	fi
+
+	# Disable telemetry
+	rm /opt/microsoft/powershell/*/DELETE_ME_TO_DISABLE_CONSOLEHOST_TELEMETRY 2>/dev/null
+
+	# Install Invoke-Obfuscation module
 	mkdir -p /usr/local/share/powershell/Modules
 	cp -r ../lib/powershell/Invoke-Obfuscation /usr/local/share/powershell/Modules
 }
@@ -81,7 +104,7 @@ function install_xar() {
 function install_bomutils() {
 	git clone https://github.com/hogliux/bomutils.git
 	(cd bomutils && make)
-	(cd bomutils && make install)
+	(cd bomutils && sudo make install)
 	chmod 755 bomutils/build/bin/mkbom && sudo cp bomutils/build/bin/mkbom /usr/local/bin/.
 }
 
@@ -101,7 +124,7 @@ function is_libssl_1_0() {
 	false
 }
 
-# Ask for the administrator password upfront so sudo is no longer required at Installation.
+# Ask for the sudo password upfront so it is no longer required during installation.
 sudo -v
 
 IFS='/' read -a array <<< pwd
@@ -113,18 +136,21 @@ fi
 
 Pip_file="requirements.txt"
 
-if lsb_release -d | grep -q "Kali"; then
+if lsb_release -d 2>/dev/null | grep -q "Kali"; then
 	apt-get update
 	sudo apt-get install -y make autoconf g++ python3-dev swig python3-pip libxml2-dev default-jdk zlib1g-dev libssl1.1 build-essential libssl-dev libxml2-dev zlib1g-dev
-elif lsb_release -d | grep -q "Ubuntu"; then
+elif lsb_release -d 2>/dev/null | grep -q "Ubuntu"; then
 	if is_libssl_1_0; then
 		LibSSL_pkgs="libssl1.0.0 libssl-dev"
 		Pip_file="requirements_libssl1.0.txt"
 	else
 		LibSSL_pkgs="libssl1.1 libssl-dev"
 	fi
 	sudo apt-get update
-	sudo apt-get install -y make autoconf g++ python3-dev swig python3-pip libxml2-dev default-jdk $LibSSL_pkgs build-essential
+	sudo apt-get install -y make autoconf g++ python3-dev swig python3-pip libxml2-dev default-jdk "$LibSSL_pkgs" build-essential
+elif grep "Fedora release" /etc/redhat-release 2>/dev/null; then
+	sudo dnf update
+	sudo dnf install -y autoconf autogen make gcc-c++ libxml2-devel openssl-devel python3-pip python3-devel python3-m2crypto
 else
 	echo "Unknown distro - Debian/Ubuntu Fallback"
 	if is_libssl_1_0; then
@@ -134,7 +160,7 @@ else
 		LibSSL_pkgs="libssl1.1 libssl-dev"
 	fi
 	sudo apt-get update
-	sudo apt-get install -y make autoconf g++ python3-dev swig python3-pip libxml2-dev default-jdk libffi-dev $LibSSL_pkgs build-essential
+	sudo apt-get install -y make autoconf g++ python3-dev swig python3-pip libxml2-dev default-jdk libffi-dev "$LibSSL_pkgs" build-essential
 fi
 
 install_xar
@@ -143,17 +169,13 @@ install_bomutils
 
 install_powershell
 
-if ls /usr/bin/ | grep -q "python3"; then
-	if ! type pip3 > /dev/null; then
-		sudo apt-get --assume-yes install python3-pip
-	fi
-	sudo pip3 install -r $Pip_file
-fi
+# Install Python dependencies
+sudo pip3 install -r "$Pip_file"
 
-# set up the database schema
+# Set up the database schema
 python3 ./setup_database.py
 
-# generate a cert
+# Generate a cert
 ./cert.sh
 
 cd ..