
/bin/sh: 1: powershell: not found

Open flzj1h2kl4c opened this issue 7 years ago • 22 comments

First and foremost I wanted to thank you for spending your time on this project, I'm surprised it hasn't been integrated in the main Empire build just yet. AMSI is definitely becoming a nuisance during red team engagements sometimes.

Empire Version

1.6.0 (direct clone from ObfuscatedEmpire repo)

OS Information (Linux flavor, Python version)

Debian GNU/Linux 8

Linux redacated 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) x86_64 GNU/Linux Python 2.7.9

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

The preobfuscate command doesn't function adequately, whenever I attempt to preobfuscate all modules, I get the following error:

/bin/sh: 1: powershell: not found

I couldn't figure out what caused it, so after I gave up on that I moved onto just enabling obfuscation for all commands, which did indeed generate a properly obfuscated launcher for the listener.

Except when an agent attempts to establish a session, the same error is once again present.

Screenshot of error, embedded text output, or Pastebin link to the error

[>] Preobfuscate all powershell modules using obfuscation command: "Token,All,1"? This may take a substantial amount of time. [y/N] y
[>] Force reobfuscation of previously obfuscated modules? [y/N] y
[*] Obfuscating Invoke-VoiceTroll.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Thunderstruck.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Set-Wallpaper.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Exploit-JBoss.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Exploit-Jenkins.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating HTTP-Login.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Find-Fruit.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Inveigh.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-Screenshot.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-ChromeDump.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-ClipboardContents.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-InveighUnprivileged.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-BrowserData.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Out-Minidump.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-FoxDump.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-IndexedItem.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-Keystrokes.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-NetRipper.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-NinjaCopy.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating KeePassConfig.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating KeeThief.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-EgressCheck.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-PostExfil.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating MailRaider.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-PSInject.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating New-HoneyHash.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-RunAs.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Set-MacAttribute.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-SecurityPackages.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating PowerBreach.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Install-SSP.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-BackdoorLNK.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Tater.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-EventVwrBypass.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-BypassUAC.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-System.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-MS16032.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-WScriptBypassUAC.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-GPPPassword.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating PowerUp.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-SiteListPassword.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-SMBAutoBrute.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-ARPScan.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-ReverseDNSLookup.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating powerview.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-SmbScanner.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Portscan.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-SPN.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Find-TrustedDocuments.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-ComputerDetails.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-SystemDNSServer.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Paranoia.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-WinEnum.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-VaultCredential.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating dumpCredStore.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-CredentialInjection.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-DCSync.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-PowerDump.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-TokenManipulation.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Mimikatz.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Get-RickAstley.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-SSHCommand.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-PsExec.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-InveighRelay.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-DllInjection.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-Shellcode.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-ReflectivePEInjection.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-ShellcodeMSIL.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscating Invoke-MetasploitPayload.ps1...
/bin/sh: 1: powershell: not found
[*] Obfuscation complete.

flzj1h2kl4c avatar Mar 29 '17 13:03 flzj1h2kl4c

I've had a couple other people report the same exact problem. The root of the problem seems to be that PowerShell is not getting properly installed onto your system. You can test this by just trying to run powershell from a terminal prompt, and seeing if you get dropped into a PowerShell prompt.

PowerShell is supposed to be installed automatically in ObfuscatedEmpire's setup script, but there appears to be some missing dependency to PowerShell in the setup script. It would be helpful if you could show the output when you run the setup.sh script. Others using Kali 2.0 have found the libicu55 package to be reported as missing when PowerShell is attempted to be installed, it would be interesting to see if you are running into the same problem on pure Debian.

This may be a product of the fact that PowerShell is not officially supported on Debian platforms. Others have found a workaround to this by installing the Ubuntu libicu55 package, though I can't confirm because I have never been able to reproduce the issue on my own.

In any case, ObfuscatedEmpire should output a more clear/obvious message when PowerShell is not found to be installed. I will work on adding that in the next few days. Thanks for the report!

cobbr avatar Mar 29 '17 13:03 cobbr

It appears that this is definitely the issue; installing libicu55 under that Debian version seems to be a pain in the ass so far (due to other dependencies colliding etc.), I'll just switch to Ubuntu.

Thanks for the quick reply!

flzj1h2kl4c avatar Mar 29 '17 14:03 flzj1h2kl4c

Yeah no problem, let me know how it works out.

cobbr avatar Mar 29 '17 14:03 cobbr

I can confirm that it's working as intended on Ubuntu 16.04 LTS.

flzj1h2kl4c avatar Mar 29 '17 16:03 flzj1h2kl4c

Glad you got it working!

I'm going to keep this issue open until:

  • I implement a more obvious error message that PowerShell hasn't been installed correctly
  • I can find a suitable solution for a reliable PowerShell install on Kali/Debian.

If others run into a similar problem, hopefully they will see this open issue and (maybe) we'll be able to solve for a solution on Kali/Debian.

cobbr avatar Mar 29 '17 17:03 cobbr

ObfuscatedEmpire now prints a warning message and exits gracefully when trying to obfuscate without PowerShell being installed. Implemented in dac5ba6b39a0d2c1477bd18b50764288a5a3bb9f

cobbr avatar Apr 23 '17 01:04 cobbr

I bumped into the same issue today with Kali. As explained above, this is due to the fact that libicu55 and PowerShell are not (yet) available on the Debian distro. However, installing the Ubuntu files did run just fine and could be a workaround in the meantime:

  • Install libicu55:
    wget -O libicu55_55.1-7ubuntu0.2_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu55_55.1-7ubuntu0.2_amd64.deb
    sudo dpkg -i libicu55_55.1-7ubuntu0.2_amd64.deb

  • Install libssl1.0.0:
    wget -O libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb
    sudo dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb

  • Install PowerShell:
    wget -O powershell_6.0.0-alpha.9-1ubuntu1.16.04.1_amd64.deb https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.9/powershell_6.0.0-alpha.9-1ubuntu1.16.04.1_amd64.deb
    sudo dpkg -i powershell_6.0.0-alpha.9-1ubuntu1.16.04.1_amd64.deb

Not ideal but that should get you up and running.

p0wner avatar May 11 '17 08:05 p0wner

On Debian 8, install the powershell package meant for ubuntu 14.04, then you don't need to install libicu55 or libssl1.0.0 explicitly.

wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.9/powershell_6.0.0-alpha.9-1ubuntu1.14.04.1_amd64.deb
sudo dpkg -i powershell_6.0.0-alpha.9-1ubuntu1.14.04.1_amd64.deb

This is a dated release, but works. I also tried with the newest, but it resulted in several segmentation faults when preobfuscating. As p0wner put it, not ideal but that should get you up and running.

ValtteriL avatar Jun 02 '17 19:06 ValtteriL

@ValtteriL thanks for the suggestion! I'll take a look at it, though I'd prefer not to use the package for the older repo.

I also tried the new beta PowerShell from the Microsoft apt repository, and also was running into some segmentation faults, same as you. I'm hoping that those issues get fixed and eventually we can move to the official apt repository.

cobbr avatar Jun 05 '17 16:06 cobbr

An update for anyone that's curious. There's an issue in Kali/Debian9 for the new beta PowerShell in some crypto library. Turns out you can get it to work if you force connections from your Kali/Debian9 host to 40.114.241.141 to not resolve. Very strange, but it works.

Tracking that issue here: https://github.com/PowerShell/PowerShell/issues/4320 Once fixed, we'll switch to the apt repo.

cobbr avatar Aug 30 '17 02:08 cobbr

Using the PowerShell apt repo now: 17c732ab6744cf8e50427ca79a4e5c38749cafa9

Still have to download and install the libicu and libssl1.0.0 debs manually, since it has dependencies not in the Kali repo. (by manually I mean the setup script downloads and installs using wget/dpkg, not that this is an extra step after the setup.sh script)

cobbr avatar Sep 13 '17 23:09 cobbr

Yay no more manual deb downloads :) as of 89d0deb63a6fa2a10a48dea0bb1d3c69fe52672a (empire-dev branch)

Anyone let me know if they still have issues, otherwise will close soon.

cobbr avatar Nov 18 '17 23:11 cobbr

@nanodestructo Fix for pwsh has been added to the empire-dev branch only. Are you using the correct branch? The changes haven't been merged up to the main Empire project quite yet.

If so, be sure to run the ./setup/install.sh script.

cobbr avatar Nov 28 '17 18:11 cobbr

@nanodestructo You should not need to link/rename from pwsh.

  1. Are you using the empire-dev branch? git checkout empire-dev
  2. Have you run the ./setup/install.sh script?

I have not tested on Mint.

cobbr avatar Nov 29 '17 16:11 cobbr
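A preflight check of the kind cobbr describes adding (a clear message instead of the raw `/bin/sh: 1: powershell: not found`) that also resolves either binary name, `pwsh` or `powershell`, so no symlink or rename is needed. This is an added illustration in Python, not ObfuscatedEmpire's own code; the function names and the argv it builds are assumptions, and the `which` parameter exists only so the lookup can be exercised on a host without PowerShell.

```python
"""Preflight check for a Linux tool that shells out to PowerShell.

Added example, not ObfuscatedEmpire's code. Locating the binary first means a
missing install yields a clear message instead of the raw shell error
"/bin/sh: 1: powershell: not found", and accepting both binary names removes
the need for a pwsh -> powershell symlink.
"""
import shutil
from typing import Callable, List, Optional, Sequence

# Names PowerShell on Linux has shipped under: the alpha packages in this
# thread installed "powershell"; newer releases install "pwsh".
POWERSHELL_NAMES: Sequence[str] = ("pwsh", "powershell")


class PowerShellNotFound(RuntimeError):
    """Raised when no PowerShell executable is on PATH."""


def find_powershell(names: Sequence[str] = POWERSHELL_NAMES,
                    which: Callable[[str], Optional[str]] = shutil.which
                    ) -> Optional[str]:
    """Return the path of the first PowerShell binary on PATH, else None.

    `which` is injectable (hypothetical parameter) so the logic can be
    tested without PowerShell; by default it is shutil.which, a real lookup.
    """
    for name in names:
        path = which(name)
        if path:
            return path
    return None


def build_powershell_argv(script: str,
                          which: Callable[[str], Optional[str]] = shutil.which
                          ) -> List[str]:
    """Build the argv to run `script` under PowerShell, or fail loudly.

    Returning an argv list (for subprocess.run without shell=True) avoids
    /bin/sh entirely, so there is no second place for "not found" to come
    from and no quoting of the script path to get wrong.
    """
    exe = find_powershell(which=which)
    if exe is None:
        raise PowerShellNotFound(
            "PowerShell not found on PATH (looked for %s). Run the setup "
            "script or install PowerShell before obfuscating modules."
            % ", ".join(POWERSHELL_NAMES))
    # -NoProfile, -NonInteractive and -File are standard PowerShell switches.
    return [exe, "-NoProfile", "-NonInteractive", "-File", script]
```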

@nanodestructo @cobbr changing the pwsh link to powershell worked for me too. thanks guys!

thedickestrick avatar Dec 10 '17 23:12 thedickestrick

@cobbr I am getting lots of errors in my windows/macro stager output though... all within the AWH() function in the Bk string. If I delete some of the random double quotes (") in the string the compiler seems to work. Disclaimer: Not an expert tho.

thedickestrick avatar Dec 11 '17 00:12 thedickestrick

@thedickestrick You should not need to link pwsh to powershell. Mind sharing what OS you are using? are you using empire-dev branch? Have you run the ./setup/install.sh script?

Glad you got it working, just want to make sure I have it working for others.

I'll take a look at the macro stager, I recently fixed things in the vbs_launcher that might need to also be fixed in macro as well. Answering some of the questions mentioned above will help me debug it.

cobbr avatar Dec 12 '17 02:12 cobbr

@cobbr Kali rolling. Latest distribution. Def using the empire-dev branch. Def ran the ./setup/install.sh script.

Thanks for your quick response!

thedickestrick avatar Dec 12 '17 02:12 thedickestrick

@cobbr Linux ip-XXX-XXX-XXX-XXX 4.4.0-1041-aws #50-Ubuntu SMP Wed Nov 15 22:18:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Also ran into this problem today.

daniel-infosec avatar Dec 13 '17 21:12 daniel-infosec

powershell_6.0.0-alpha.9-1ubuntu1.14.04.1_amd64.deb works with kali3

unbaiat avatar Dec 23 '17 06:12 unbaiat