EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License
7.46k stars 2.82k forks

ERROR: HMAC verification failed #1229

Open daniellukas12 opened 6 years ago

daniellukas12 commented 6 years ago

Empire Version 2.5

OS Information (Linux flavor, Python version) linux

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

This error shows when an agent comes.

Screenshot of error, embedded text output, or Pastebin link to the error

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/casey_uhelskii/Empire//lib/listeners/http.py", line 1082, in handle_post
    dataResults = self.mainMenu.agents.handle_agent_data(stagingKey, requestData, listenerOptions, clientIP)
  File "/home/casey_uhelskii/Empire/lib/common/agents.py", line 1541, in handle_agent_data
    dataToReturn.append((language, self.handle_agent_staging(sessionID, language, meta, additional, encData, stagingKey, listenerOptions, clientIP)))
  File "/home/casey_uhelskii/Empire/lib/common/agents.py", line 1386, in handle_agent_staging
    sessionKey = self.agents[sessionID]['sessionKey']
KeyError: '7VND4M5Y'

Any additional information

Datacrass commented 5 years ago

Had the same issue during an engagement:

[2018-11-26 13:02:00,664] ERROR in app: Exception on /news.php [POST]
Traceback (most recent call last):
  File "/Library/Python/2.7/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/Library/Python/2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Library/Python/2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/Library/Python/2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Library/Python/2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/Users/X/Empire//lib/listeners/http.py", line 1082, in handle_post
    dataResults = self.mainMenu.agents.handle_agent_data(stagingKey, requestData, listenerOptions, clientIP)
  File "/Users/X/Empire/lib/common/agents.py", line 1541, in handle_agent_data
    dataToReturn.append((language, self.handle_agent_staging(sessionID, language, meta, additional, encData, stagingKey, listenerOptions, clientIP)))
  File "/Users/X/Empire/lib/common/agents.py", line 1386, in handle_agent_staging
    sessionKey = self.agents[sessionID]['sessionKey']
KeyError: '67T4EL8G'

mr64bit commented 5 years ago

It appears that the agent is attempting the second step of the staging process, but the server hasn't received step one. Can you reproduce this with --debug 2 on the server and give me the debug log?

Datacrass commented 5 years ago

Hello, Please find the debug log output included here:

2018-11-26 13:34:45 empire : {"print": true, "message": "[] Empire starting up..."}
2018-11-26 13:36:15 listeners/http/http : {"print": true, "message": "[+] Listener successfully started!", "listener_options": {"StagerURI": {"Required": false, "Description": "URI for the stager. Must use /download/. Example: /download/stager.php", "Value": ""}, "ProxyCreds": {"Required": false, "Description": "Proxy credentials ([domain\]username:password) to use for request (default, none, or other).", "Value": "default"}, "KillDate": {"Required": false, "Description": "Date for the listener to exit (MM/dd/yyyy).", "Value": ""}, "Name": {"Required": true, "Description": "Name for the listener.", "Value": "http"}, "Launcher": {"Required": true, "Description": "Launcher string.", "Value": "powershell -noP -sta -w 1 -enc "}, "DefaultProfile": {"Required": true, "Description": "Default communication profile for the agent.", "Value": "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}, "DefaultLostLimit": {"Required": true, "Description": "Number of missed checkins before exiting", "Value": 60}, "Host": {"Required": true, "Description": "Hostname/IP for staging.", "Value": "http://10.160.255.198:80"}, "Port": {"Required": true, "Description": "Port for the listener.", "Value": 80}, "WorkingHours": {"Required": false, "Description": "Hours for the agent to operate (09:00-17:00).", "Value": ""}, "CertPath": {"Required": false, "Description": "Certificate path for https listeners.", "Value": ""}, "DefaultJitter": {"Required": true, "Description": "Jitter in agent reachback interval (0.0-1.0).", "Value": 0.0}, "SlackChannel": {"Required": false, "Description": "The Slack channel or DM that notifications will be sent to.", "Value": "#general"}, "BindIP": {"Required": true, "Description": "The IP to bind to on the control server.", "Value": "0.0.0.0"}, "UserAgent": {"Required": false, "Description": "User-agent string to use for the staging request (default, none, or other).", "Value": "default"}, "StagingKey": {"Required": true, "Description": "Staging key for initial agent negotiation.", "Value": "n%_a|+QW:{)E7#z}&KD8hJmZNlPo/]Sf"}, "DefaultDelay": {"Required": true, "Description": "Agent delay/reach back interval (in seconds).", "Value": 5}, "SlackToken": {"Required": false, "Description": "Your SlackBot API token to communicate with your Slack instance.", "Value": ""}, "ServerVersion": {"Required": true, "Description": "Server header for the control server.", "Value": "Microsoft-IIS/7.5"}, "Proxy": {"Required": false, "Description": "Proxy to use for request (default, none, or other).", "Value": "default"}}}
2018-11-26 13:36:31 empire : {"print": false, "message": "[] Generated launcher", "options": {"ProxyCreds": {"Required": false, "Description": "Proxy credentials ([domain\]username:password) to use for request (default, none, or other).", "Value": "default"}, "Language": {"Required": true, "Description": "Language of the stager to generate.", "Value": "powershell"}, "Base64": {"Required": true, "Description": "Switch. Base64 encode the output.", "Value": "True"}, "OutFile": {"Required": false, "Description": "File to output launcher to, otherwise displayed on the screen.", "Value": ""}, "Obfuscate": {"Required": false, "Description": "Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.", "Value": "False"}, "ObfuscateCommand": {"Required": false, "Description": "The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.", "Value": "Token\All\1,Launcher\STDIN++\12467"}, "SafeChecks": {"Required": true, "Description": "Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.", "Value": "True"}, "StagerRetries": {"Required": false, "Description": "Times for the stager to retry connecting.", "Value": "0"}, "Listener": {"Required": true, "Description": "Listener to generate stager for.", "Value": "http"}, "Proxy": {"Required": false, "Description": "Proxy to use for request (default, none, or other).", "Value": "default"}, "UserAgent": {"Required": false, "Description": "User-agent string to use for the staging request (default, none, or other).", "Value": "default"}}}
2018-11-26 13:37:51 listeners/http/http : {"print": false, "message": "[] GET request for 10.160.255.198/admin/get.php from 10.160.19.84"}
2018-11-26 13:37:51 listeners/http/http : {"print": false, "message": "[] GET cookie value from 10.160.19.84 : session=Diyib25THq/gkttPsOpd7AVKOR0="}
2018-11-26 13:37:51 agents/00000000 : {"print": false, "message": "[] handle_agent_data(): sessionID 00000000 issued a STAGE0 request"}
2018-11-26 13:37:51 listeners/http/http : {"print": true, "message": "[] Sending POWERSHELL stager (stage 1) to 10.160.19.84"}
2018-11-26 13:37:58 listeners/http/http : {"print": false, "message": "[] POST request data length from 10.160.19.84 : 452"}
2018-11-26 13:37:58 agents/PU7YVCWZ : {"print": false, "message": "[] handle_agent_data(): sessionID PU7YVCWZ issued a STAGE1 request"}
2018-11-26 13:37:58 agents/PU7YVCWZ : {"print": false, "message": "[] Agent PU7YVCWZ from 10.160.19.84 posted public key"}
2018-11-26 13:37:59 agents/PU7YVCWZ : {"print": true, "message": "[!] HMAC verification failed from 'PU7YVCWZ'"}
2018-11-26 13:37:59 listeners/http/http : {"print": true, "message": "[!] Error returned for results by 10.160.19.84 : ERROR: HMAC verification failed"}
2018-11-26 13:37:59 listeners/http/http : {"print": false, "message": "[] POST request data length from 10.160.19.84 : 180"}
2018-11-26 13:37:59 agents/PU7YVCWZ : {"print": false, "message": "[] handle_agent_data(): sessionID PU7YVCWZ issued a STAGE2 request"}
2018-11-26 13:38:43 empire : {"print": true, "message": "[] Empire shutting down..."}
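
The out-of-order staging that mr64bit describes, and that this debug log shows (STAGE1, an HMAC failure, then STAGE2 from the same session), can be picked out of a debug log mechanically. The Python below is an added example, not part of any post in this thread or of Empire's code; the line layout is taken from the log above, the `AAAA1111` and `BBBB2222` lines are constructed, and `find_broken_staging` is a hypothetical helper name.

```python
import json
import re

# First four lines are copied from the debug log in this thread; the last
# three (AAAA1111, BBBB2222) are constructed to show the other two outcomes.
SAMPLE_LOG = """\
2018-11-26 13:37:51 agents/00000000 : {"print": false, "message": "[] handle_agent_data(): sessionID 00000000 issued a STAGE0 request"}
2018-11-26 13:37:58 agents/PU7YVCWZ : {"print": false, "message": "[] handle_agent_data(): sessionID PU7YVCWZ issued a STAGE1 request"}
2018-11-26 13:37:59 agents/PU7YVCWZ : {"print": true, "message": "[!] HMAC verification failed from 'PU7YVCWZ'"}
2018-11-26 13:37:59 agents/PU7YVCWZ : {"print": false, "message": "[] handle_agent_data(): sessionID PU7YVCWZ issued a STAGE2 request"}
2018-11-26 13:40:02 agents/AAAA1111 : {"print": false, "message": "[] handle_agent_data(): sessionID AAAA1111 issued a STAGE1 request"}
2018-11-26 13:40:03 agents/AAAA1111 : {"print": false, "message": "[] handle_agent_data(): sessionID AAAA1111 issued a STAGE2 request"}
2018-11-26 13:41:10 agents/BBBB2222 : {"print": false, "message": "[] handle_agent_data(): sessionID BBBB2222 issued a STAGE2 request"}
"""

LINE_RE = re.compile(r"^(\S+ \S+) agents/(\w+) : (\{.*\})$")
STAGE_RE = re.compile(r"issued a (STAGE\d) request")

def find_broken_staging(log_text):
    """Return [(timestamp, session_id, reason)] for out-of-order staging."""
    stage1_ok = {}  # session_id -> True after STAGE1, False after an HMAC failure
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # empire/listener lines carry no per-session state
        ts, sid, payload = m.groups()
        try:
            msg = json.loads(payload)["message"]
        except (ValueError, KeyError):
            continue  # malformed JSON or no message field
        if "HMAC verification failed" in msg:
            stage1_ok[sid] = False  # STAGE1 was received but rejected
            continue
        stage = STAGE_RE.search(msg)
        if not stage:
            continue
        if stage.group(1) == "STAGE1":
            stage1_ok[sid] = True
        elif stage.group(1) == "STAGE2":
            if sid not in stage1_ok:
                findings.append((ts, sid, "STAGE2 without STAGE1"))
            elif not stage1_ok[sid]:
                findings.append((ts, sid, "STAGE2 after failed STAGE1 HMAC check"))
    return findings

if __name__ == "__main__":
    for finding in find_broken_staging(SAMPLE_LOG):
        print(finding)
```

Either finding means the server holds no session key for that session ID when STAGE2 arrives, which is the state in which the `self.agents[sessionID]['sessionKey']` lookup in the tracebacks raises `KeyError`.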

ThePirateWhoSmellsOfSunflowers commented 5 years ago

Hi,

Have you tried this workaround? I'm not sure if it's the same issue, but worth a try.

:sunflower: