
Having trouble tracking down where to update code to modify the default info displayed by agents

Open Hubbl3 opened this issue 5 years ago • 5 comments

Empire Version

2.5

OS Information (Linux flavor, Python version)

Kali 2019.2

Any additional information

Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated.

Hubbl3, Apr 12 '19 16:04

Most likely handle_agent_staging in lib/common/agents.py

mr64bit, Apr 12 '19 16:04

Thanks, that did it. I am working on some code that allows for VM identification/evasion. If I get it working I can put in a pull request.

In the meantime, would you also be able to point me in the direction of how I would modify the cipher suite negotiation order? It looks like Empire is just using the default urllib3 cipher list?

Hubbl3, Apr 16 '19 05:04

https://github.com/EmpireProject/Empire/blob/dev/lib/listeners/http.py#L1173

You can call set_ciphers on the SSL context object created here, giving it the list of ciphers you want the Flask server to offer. (untested, just reading docs)

mr64bit, Apr 16 '19 13:04

Okay. Thank you. If you don't mind me asking one more question: if I was looking at modifying the PowerShell download cradles, would I need to modify every module, or if I used, say, an Internet Explorer COM object in the initial stager, would that be sufficient?

Thanks again for the help

Hubbl3, Apr 16 '19 18:04

Just to add a bit of context: I'm trying to do some research on JA3 signatures and seeing what may or may not change them.

Hubbl3, Apr 16 '19 18:04