Cannot get output from agents (interact)

[jaredbarez]

Using latest commit (671635a5dad75fa295479d670b332977fc863ce4) and installed all required dependencies for Ubuntu 14.04 x86_64. Agents connect to listener, but the only command that actually outputs is "info". Tcpdump shows activity when issuing other interactive agent commands but output is never displayed.

[enigma0x3]

Hey jaredbarez, After some additional testing, I am able to confirm that agent interaction works on Ubuntu 14.04.

uname -a:

agent callback & command:

additional command:

Can you provide a little more information regarding your setup? What version of Windows are you running the stager on? It sounds like your agent is dying. Info is a server side command, meaning you can run it on dead agents. Can you verify that powershell.exe is running on the Windows system? You can also generate the stager and then remove the -NoP, -NonI and -W Hidden flags. When you run that on the system, the powershell window should be visible. Try that and make sure the agent is dying.

Can you take a screenshot of the wireshark capture and post it here as well?

Thanks!

[jaredbarez]

OK. I tried the following... OS/Kernel version (it is in fact a Linux Mint but identifies as Ubuntu, as expected): IP of "Empire host" (yes I'm runnin it on my home WLAN): iptables are "clean" (host is called "fud" :) and empire process is running on 8080/tcp: Connected agent from Windows 7 32-bit machine (it is VM running in bridge mode with uniq IP/MAC addr on this same Ubuntu host): Agent's powershell process as captured in Process Hacker (note that PID is now changed to 336 for I had to launch another agent - mistakenly kiled the first agent but everything behaves the same). This connection displays every 5 secs as set in agent's options: Log of a correct beaconing from the agent (every 5 secs) as seen from Empire console: And the beconing as seen from the Wireshark capture:

I also tried to invoke some of bandwidth consuming commands blindly in order to see if command ever reaches the agent (i.e. download/upload commands creating local and remote files) but can confirm that no file is downoaded/uploaded nor the net traffic shows that. The dillema is does empire ever sends a command to the agent or the agents receives the command but for some reason doesn't execute it? In the packet capture I sent you every 200 OK response contained only default message, i.e. "It works!". Of course I confirm that powershell process (i.e. the agent) does not die (as shown above)...

[enigma0x3]

Interesting. Let's do this. Can you do an apt-get update && apt-get upgrade on your Ubuntu box. Once that is done, rm -rf your empire folder and do a fresh clone from github. Once done, go into the setup folder (empire/setup) and run "install.sh". Make sure it installs all the required dependencies and then try it again.

Let me know your results.

[jaredbarez]

Unfortunately, results are the same... except this time I noticed that immediatelly after launching empire throws some I/O errors: I noticed these errors were present all the time along. I just missed to see the output for empire cleans the screen upon launching. Any clues with this maybe ? I must admit I didn't peek into the code but if you know where exactly to look I'll be glad to help.

[enigma0x3]

Can you paste the contents of debug.log? It will be sitting in the empire directory

[jaredbarez]

Here it is but it seems correct (just agent connecting and my taskings attempts):

2015-08-12 21:12:51 Empire : [] Empire starting up... 2015-08-12 22:28:32 EmpireServer : [] Initializing HTTP server on 8080 2015-08-12 22:29:00 HttpHandler : [] /index.asp requested from None at 192.168.5.15 2015-08-12 22:29:00 Agents : [] Sending stager (stage 1) to 192.168.5.15 2015-08-12 22:29:01 HttpHandler : [] Post to /index.jsp from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:01 Agents : [] Agent MVPC4TGFZFMN1DHS from 192.168.5.15 posted to public key URI 2015-08-12 22:29:01 Agents : [] Agent MVPC4TGFZFMN1DHS from 192.168.5.15 posted valid RSA key 2015-08-12 22:29:01 HttpHandler : [] Post to /index.php from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:01 Agents : [] Sending agent (stage 2) to MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:02 Agents : [+] Initial agent MVPC4TGFZFMN1DHS from 192.168.5.15 now active 2015-08-12 22:29:07 HttpHandler : [] /news.asp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:10 Agents : [_] Tasked MVPC4TGFZFMN1DHS to run TASKSHELL 2015-08-12 22:29:12 HttpHandler : [] /admin/get.php requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:14 Agents : [_] Tasked MVPC4TGFZFMN1DHS to run TASKSYSINFO 2015-08-12 22:29:17 HttpHandler : [] /login/process.jsp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:22 HttpHandler : [] /news.asp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:27 HttpHandler : [] /news.asp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:31 Agents : [_] Tasked MVPC4TGFZFMN1DHS to run TASKSHELL 2015-08-12 22:29:32 HttpHandler : [] /login/process.jsp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:35 Agents : [_] Tasked MVPC4TGFZFMN1DHS to run TASKSHELL 2015-08-12 22:29:38 HttpHandler : [] /login/process.jsp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:43 HttpHandler : [] /news.asp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:48 HttpHandler : [] /news.asp requested from MVPC4TGFZFMN1DHS at 192.168.5.15 2015-08-12 22:29:53 HttpHandler : [*] /news.asp requested from MVPC4TGFZFMN1DHS at 192.168.5.15

[enigma0x3]

Interesting. Let me download and standup a brand new 14.04 ubuntu iso and try this completely fresh. We have only tested (and verified) Empire on Kali...so I recommend migrating to Kali (if you want to play with it while we work on getting this resolved).

Are you using Ubuntu desktop or Ubuntu server? Want to make sure I am using the same ISO as you.

[jaredbarez]

As I noted before it is in fact Linux Mint (17.2 "Rafaela"), which is based on desktop version of Ubuntu 14.04. It can be found at its usual place i.e. http://www.linuxmint.com/edition.php?id=190 As my primary "engagement" evironment is Kali I will try to launch it from there (i.e. Kali 2.0). Please don't waste your efforts if Kali and vanilla Ubuntu 14.04 are your primary platforms of interest. Just my 2c

[enigma0x3]

ahhh, I missed that. I'll get that downloaded tonight and test things.

[jaredbarez]

In that case please do post your findings after the testing. I'm now so curious about it. tnx

[jaredbarez]

I just tested this on Kali 2.0 and it fails the same way - i.e. no output from agents! My setup is host OS Linux Mint 17.2 64-bit which hosts two guests: VM1 is Kali 2.0 64-bit fully patched, VM2 is Windows 7 Pro 32-bit fully pathched. Both Kali VM and Windows VM run in bridged network mode. An interesting thing to see is now lack of I/O errors but instead of that empire in Kali shows some chars like a kind of terminal ESC codes in the same place as those I/O errors before:

[enigma0x3]

That is odd. downloading Kali 2.0 now and will get it tested.

Thanks for your patience!

[sixdub]

So we got the IOError worked out. The IOError was due to the interfaces as it tried to set up the default listener. It should not be removed and handled property. With that said, that should have had no impact on the specific error you are seeing. We have the tool up and running on Kali 2.0 and are working to recreate the issue. Banging our heads a little bit at this point... We will keep you updated. Thanks!

[jaredbarez]

OK. I just installed Kali 2.0 64-bit on a spare laptop (i.e. bare metal install) and will try to control the agents connecting from Windows 7 32-bit guest VM (which is running on Linux Mint 17.2 64-bit host OS, as you already know). The reason I didn't installed Win 7 on a bare metal is lack of the third laptop but can later reinstall that spare laptop with it and repeat the process... (my squaw will scalp-torture me :-).

[enigma0x3]

Hey man, any luck on getting this to work on Kali 2.0? We have decided to fully support 2.0 and have had multiple people test with success.

Thanks!

[CicadaMikoto]

I am testing on the next-to-newest version of Kali x64 and I am also not receiving any output from my agents. The individual agent logs show that the agents are queued to execute the commands, but nothing ever happens on the target box and no data is sent back to empire. I also tried using the trollsploit modules to generate on-screen messages, but without success. I am unsure how to proceed, as I have rm -rf'd Empire and git cloned three times now. I am up-to-date on dependencies, so I'm confused.

[enigma0x3]

This shouldn't matter, but I'm running out of ideas as we have had no other reports of this issue. Is windows firewall on and do you have AV installed that implements its own firewall? What is your environment like?

[jaredbarez]

Sorry, I am offline next few days due to nontechnical issues... Will test and report as soon as get back. Stay tuned. Tnx

[Jehovah28]

Same problem on my machines. I have tried this on three different Kali Versions (1.0.8, 1.1.0 and 2.0) and I am not receiving any output from the agents, too. All machines are VMs on a Hyper-V Server. I've tried to disable the Firewall on the target to see if this is causing the Problem but no success. I've also used three different Windows Versions (Win 7 Enterpise, Win 8.1 Enterpise and Win 10 Enterprise) as Targets but the result is always the same.

[enigma0x3]

What commands are you issuing to the agents?

[enigma0x3]

Also, can you post a screenshot of your listener config as well as your agent info? Then post the ping results between your kali box and the windows target. Also, if you can, throw up a screenshot of the commands you are trying to run on the agents.

[Jehovah28]

Listener config (everything Default except the Name)

Initial Agent Setup and test with ipconfig:

test with an module:

Agent responding:

Ping results:

It seems everything is fine but as you see their's no Output

Here is the Output from the Debugging log:

[sixdub]

Okay, thanks for all the info. We have had a couple instances of this. We have been working to try to track it down but unfortunately have been unable to recreate. We will check everything out and get back to you if we can track it down...

[enigma0x3]

Hey @Jehovah28, I do have one question. While testing, I noticed that sometimes the agents can take a little longer than expected to return output. By default, they checkin every 5 seconds. Just to be sure, can you execute the "ps" command then then just let it sit for a minute or two? I want to make sure that there just isn't a long delay before output is displayed vs no output at all.

Thanks!

[Jehovah28]

I have tried this and waited for round about 5 minutes but nothing happend. I've also installed 3 new vms on another Hypervisor but the results are the same.

[jaredbarez]

Just pulled latest Empire and setup a test on two bare metal PC installs (i.e. no virtualization of any kind): PC1 == Kali 2.0 64-bit + Empire listener, PC2 == Windows 7 32-bit + agent. Unfortunately, the results are the same as before (i.e. agent successfully connects and beacons but no interactive command ever executes). :-( FYI Windows Firewall and AV were disabled during the test.

[enigma0x3]

Interesting. Going back to virtualization, what virtualization platform do you have? Is there anyway you can set your Kali VM and your Windows VM to "host only"? This will help rule out any networking related issues. Both boxes should be in their own internal network and able to reach eachother. If you can test that, it will give us a better idea if this is network related or not as we have people using Empire on 2.0 with no issue

[jaredbarez]

OK. I just did that with no success. Two VMs with OS config/versions are same as in my bare metal test above. Network is in host-only mode for both VMs. Ping works when initiated from both directions, agent connects to Empire and beacons every default 5 secs as usual. Still no output from interactive commands! GRRRRR! This is just plain crazy.

[enigma0x3]

This would be much easier if I could just buy you a few beers and troubleshoot with you :) What stager are you using? I'm running out of things to check. Gonna ping @sixdub and @HarmJ0y to see if they have any additional input.

[jaredbarez]

Man, it works now!

[enigma0x3]

....what? It randomly starts working?

[jaredbarez]

I changed all Windows locale settings to English/US and it worked like a charm. :-) Yes, I live outside of US (i.e. Europe). @CicadaMikoto @Jehovah28 could you please test and report ? Tnx

[enigma0x3]

Wow, that is interesting. Glad you go it working! @CicadaMikoto and @Jehovah28, you might check that and see if it resolves it for you.

[sixdub]

This actually helps a lot! we will be setting up a non-english US system for testing. Thanks so much!

[jaredbarez]

Just to elaborate a bit, my Windows system is in English/US language (all strings are en/us) but regional settings and locale are set to my native settings. I also use dual keyboard layout i.e. English/US + my native one (and switch layouts when needed). Hope it helps a bit. Cheerz

[CicadaMikoto]

Hey guys,

That’s not my issue, but I will be playing with it some more to see if there are any quirks in my setup.

I’ll take you up on that beer, though. If you’re anywhere near Charlotte, NC, send me a PM :)

On Aug 19, 2015, at 9:55 AM, jaredbarez notifications@github.com wrote:

Just to elaborate a bit, my Windows system in not translated in English/US i.e. all strings are still English/US but regional settings and locale was set to other country. I also use dual keyboard layout i.e. English/US + other one (and switch layouts when needed). Hope it helps a bit. Cheerz

— Reply to this email directly or view it on GitHub https://github.com/PowerShellEmpire/Empire/issues/11#issuecomment-132606633.

[Jehovah28]

Changed local settings and it is now working :-)

[HarmJ0y]

We recently pushed some changes to master that hopefully deal with the locale/international issues, however we have limited applicable systems to properly test on. When you get a chance, update from master and see if the new code resolves the previous issues.

[CicadaMikoto]

Excellent! Will do.

On Aug 26, 2015, at 17:46, HarmJ0y notifications@github.com wrote:

We recently pushed some changes to master that hopefully deal with the locale/international issues, however we have limited applicable systems to properly test on. When you get a chance, update from master and see if the new code resolves the previous issues.

― Reply to this email directly or view it on GitHub.

[necony286]

i have the same problem but this didnt fix it :S

[necony286]

using kali 2.0 x64 on my laptop and in it i have a virtual box with my target machine with Windows 7 . all the regional settings and locale are set to English US... and i'm using DNS hostname and i have opened a port and i can see its open on canyouseeme.org i get and agent session like shown above and the only command i can type that dose anything is info so yea need a bit of help :D

[necony286]

well this fixed it for me thx to @HarmJ0y I'm guessing the likely issue is the epoch syncing- on one of the client negotiation steps, the server sends its current epoch time to the agent the agent uses to calculate the epoch diff between it and the C2 server. This is used with a 5 minute sliding window to validate packets on the agent side as well as the packets on the server side.

The purpose of this was to provide some anti-replay functionality. My guess is that the time components are getting botched somehow. If you comment out this code in agent.ps1 and replace this line in packets.py with "return True", that should side step the epoch validation.

[HackingGoblin]

I'm having this same issue. Was there ever a fix found? If I took screenshots it would be the exact same as @Jehovah28.

Edit: I tried commenting out all the epoch lines in agent.ps1 and set the line about epoch in packet.py to"return True", but still no luck. The agent won't even connect now.

[artagel]

I had this same issue (not the language related one). It ended up being time skew on my VMs.
I think having the anti-replay is nifty, but if it is happening, maybe there should be a notice.