Empire
[BUG] psinject http not work in win7
Empire Version
- Empire 3.5.2
OS Information (Linux flavor, Python version)
- OS: Ubuntu 20.10
- Python: latest (system updated always)
Describe the bug
I tested the psinject http module on Windows 7 and it doesn't work. Used Windows 7 SP1 stock (MSDN original) and Windows 7 SP1 with the latest updates. On Win 10 it works (tested on Win 10 LTSC without updates).
To Reproduce
Steps to reproduce the behavior:
- Go to 'psinject http PID (process ID)'. I'm SYSTEM and need a user process; I know the PID (see ps).
- See error: no errors, the job started and ... nothing!
Expected behavior
Screenshots
Additional context
Unfortunately, we are going to need a bit more info to try to reproduce this. Can you tell us the current version of python you are running (latest can mean a lot of things)? What process you were trying to inject into? Did you try another process or were they all giving the same error? If you use Kali or docker, do you receive the same issue?
Python 3.8.6
I tried all user processes and I get the same error. If I use Empire for the same test (tested on Win 10), it's good.
Tested on Kali: the same. Win 7: nothing, Win 10: good.
@graylordo can you be more specific with an example process please?
How did you get to system?
@Hubbl3 I have one server (Win 2012 R2) and 3 workstation computers (2 Win 10 and 1 Win 7). I have 1 domain admin, 1 user who is local admin on all computers except the server, and 1 user who is local admin on 1 machine and on the others a domain user without local admin privileges.
My security test: I have the agent on 1 machine (Win 10, domain user) and I want to get domain admin on the server. find localadmin access: I check and get the machine where I'm a local admin (I see the target Win 7 machine). Lateral movement, invoke psexec: move from Win 10 to the target Win 7 machine. Now I have an agent with SYSTEM on the Win 7 machine, and yes, psinject http PID does not work on Win 7. But I need any USER process and I can see this. If I change the Win 7 machine to a Win 10 machine and repeat this test, it works!
I tried the old (original) Empire: it works. I tried the old BC-Security Empire, version (I don't remember) 3.2.1, 3.2.2 or 3.2.3: it does not work. BUT if I replace the psinject.ps1 file with the one from the original Empire, it works (but I lost that Empire with the data). I tried the same tactic: it does not work now.