Having trouble tracking down where to update code to modify the default info displayed by agents

Question

Having trouble tracking down where to update code to modify the default info displayed by agents

Hubbl3 opened this issue 5 years ago · comments

Hubble commented 5 years ago

Empire Version

2.5

OS Information (Linux flavor, Python version)

Kali 2019.2

Any additional information

Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated.

James · Answer 1 · Sat Apr 13 2019 00:55:51 GMT+0800 (China Standard Time)

Most likely `handle_agent_staging` in `lib/common/agents.py`

…

On Fri, Apr 12, 2019 at 12:50 PM lonewolf210 ***@***.***> wrote: Empire Version 2.5 OS Information (Linux flavor, Python version) Kali 2019.2 Any additional information Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1350>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACFwUNeXyOQnJF9d1CwED_dP6zm4eNX0ks5vgLlpgaJpZM4cshzT> .

Hubble · Answer 2 · Tue Apr 16 2019 13:55:03 GMT+0800 (China Standard Time)

Most likely handle_agent_staging in lib/common/agents.py
…
On Fri, Apr 12, 2019 at 12:50 PM lonewolf210 @.***> wrote: Empire Version 2.5 OS Information (Linux flavor, Python version) Kali 2019.2 Any additional information Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1350>, or mute the thread https://github.com/notifications/unsubscribe-auth/ACFwUNeXyOQnJF9d1CwED_dP6zm4eNX0ks5vgLlpgaJpZM4cshzT .

Thanks that did it. I am working on a=some code that allows for vm identification/evasion. If I get it working I can put in a pull request.

In the mean time would you also be able to point me in the direction of how I would modify the cipher suite negotiation order? It looks like Empire is just using the default urllib3 cipher list?

James · Answer 3 · Tue Apr 16 2019 21:58:58 GMT+0800 (China Standard Time)

https://github.com/EmpireProject/Empire/blob/dev/lib/listeners/http.py#L1173

You can call set_ciphers on the SSL context object created here, giving it the list of ciphers you want the Flask server to offer. (untested, just reading docs)

Hubble · Answer 4 · Wed Apr 17 2019 02:16:05 GMT+0800 (China Standard Time)

OKay. Thank you. If you don't mind me asking one more question. If I was looking at modifying the powershell download cradles would I need to modify every module or if I used say an Internet Explorer COM object in the initial stager would that be sufficient?

Thanks again for the help

Hubble · Answer 5 · Wed Apr 17 2019 02:43:14 GMT+0800 (China Standard Time)

Just to add a bit of context trying to do some research on JA3 signatures and seeing what may or may not change them