Closed Script-Nomad closed 5 years ago
The most likely reason `Invoke-Obfuscation` wouldn't install correctly is that the install script wasn't run as root. Most of the commands that require elevated permissions are prefixed by `sudo`, but not all of them.
I've been looking at how to re-work the install script, since there have been so many issues with it lately, and this is one thing I'll keep in mind.
Empire already checks for either `powershell` or `pwsh`, so that's not related to this.
Empire Version
2.5-dev
OS Information (Linux flavor, Python version)
Fedora 28 RHEL, Linux 4.18.13-200.fc28.x86_64 Python: 2.7.15 / 3.6.6
Expected behavior and description of the error, including any actions taken immediately prior to the error.
On default installation, Empire's Obfuscate functionality failed repeatedly because of the vague error
[Errno 2] No such file or directory: '/opt/Empire/data/misc/Obfuscated.ps1'
The error does not really explain what is really going wrong, which is that the Invoke-Obfuscation module is actually missing from the PowershellModules directory because it was not able to be written on install. This causes the Invoke-Obfuscation module to fail to execute, and never creates the Obfuscated.ps1 file, resulting in this error.
I actually could not find any documentation or indicators within the setup scripts or elsewhere in the Empire code that gave me any clues. I actually found the solution by going all the way back to the original Obfuscate-Empire repo from @cobbr on the following issue: https://github.com/cobbr/ObfuscatedEmpire/issues/2
Empire's "Obfuscate" functionality should be working out of the box, or at least be able to tell the user why it doesn't work. In its current state, it can tell the user when powershell is not installed, but not when the Invoke-Obfuscation module is missing from the Powershell modules themselves.
Solution
Some powershell error-handling and a check for Invoke-Obfuscate in the powershell installation directory should be able to resolve the issue. For instance, calling Invoke-Obfuscation when it does not exist produces the following `[System.Management.Automation.CommandNotFoundException]` exception similar to as follows.
Catching this upon execution of the Invoke-Obfuscation call should be an immediate indicator to the user that, for whatever reason, it is missing from the `/path/to/microsoft/powershell/6/Modules` directory, and they should simply `cp -r /path/to/empire/lib/powershell/Invoke-Obfuscation /path/to/microsoft/powershell/6/Modules/`
If you wanted to go a step further and handle the issue for the user, you could follow `which powershell || which pwsh` to where it's symbolically linked and copy it for them or cowardly bail out with the OS.Error exception that would likely follow upon failure.
Either way, it took me hours to solve this problem, when the fix should have only taken 5 minutes or less. I saw how many times it has appeared in the issue tracker, so this should cut down on the number of occurrences significantly.
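A sketch of the install check proposed in this issue, added here as an example and not taken from Empire's code base: it resolves `pwsh` or `powershell` through its symlink and reports whether the Invoke-Obfuscation module directory exists. It assumes Python 3 and that `Modules` sits beside the resolved binary; the function names and the temporary directory layout are hypothetical.

```python
import os
import shutil
import tempfile

MODULE = "Invoke-Obfuscation"


def find_powershell(search_path=None):
    """Return the symlink-resolved path of pwsh or powershell, or None."""
    for name in ("pwsh", "powershell"):
        found = shutil.which(name, path=search_path)
        if found:
            return os.path.realpath(found)
    return None


def check_module(search_path=None):
    """Return (ok, detail): the module path, or the reason it is unusable."""
    binary = find_powershell(search_path)
    if binary is None:
        return False, "neither pwsh nor powershell found on PATH"
    # Assumption: Modules/ sits beside the resolved binary.
    modules_dir = os.path.join(os.path.dirname(binary), "Modules")
    module_dir = os.path.join(modules_dir, MODULE)
    if not os.path.isdir(module_dir):
        return False, "%s missing from %s" % (MODULE, modules_dir)
    return True, module_dir


def build_fake_install(root):
    """Constructed layout: <root>/bin/pwsh -> <root>/opt/powershell/6/pwsh."""
    home = os.path.join(root, "opt", "powershell", "6")
    bindir = os.path.join(root, "bin")
    os.makedirs(os.path.join(home, "Modules"))
    os.makedirs(bindir)
    real = os.path.join(home, "pwsh")
    with open(real, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(real, 0o755)
    os.symlink(real, os.path.join(bindir, "pwsh"))
    return bindir, os.path.join(home, "Modules")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        bindir, modules = build_fake_install(root)
        print(check_module(bindir))  # module not copied yet
        os.makedirs(os.path.join(modules, MODULE))
        print(check_module(bindir))  # module present
```

Run before the obfuscation call, a check like this turns the `[Errno 2]` on `Obfuscated.ps1` into a message that names the directory the module is missing from.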