EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Powershell stager for http(s) listener #1309

Open zinzloun opened 5 years ago

zinzloun commented 5 years ago

Empire Version

2.5

OS Information (Linux flavor, Python version)

kali-rolling 2019.1 x64, py 2.7.15+

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

The PowerShell stager script created for the http listener, with https enabled, generates an error in the communication channel with the server when executed. The problem is the TLS protocol version used by default in the PowerShell CLI, which is 1.0. Tested on

Screenshot of error, embedded text output, or Pastebin link to the error

My http listener configuration: [screenshot: http]

My stager multi/launcher configuration, also tested with windows/launcher_bat and windows/macro stager

PS payload executed on Win10 ["Request rejected: It's not possible to create a secure SSL\TLS channel..."]: [screenshot: ps error win 10]

Same thing on Win7: [screenshot: ps tls err win72]

Packets exchanged between the server 192.168.1.66 and the Win10 machine; the same thing happens with the Win7 machine: [screenshot: wireshark tls err]

TLS version of the generated certificate used by the listener: [screenshot: listener_cert]

Any additional information

I solved the problem by forcing the payload agent generation in the http.py file to use TLS 1.2: [screenshot: diff]

I don't know if it's the best approach or solution; in my case it solves all the problems with the stagers' Empire agents.

Any additional comments will be very much appreciated. Thank you to the Empire team for this wonderful framework.

kylesmithit commented 5 years ago

I had this problem, and @zinzloun's solution resolved it for me as well.

mr64bit commented 5 years ago

What Win10 build and .NET version are you running on? I haven't been able to reproduce this.

zinzloun commented 5 years ago

What Win10 build and .NET version are you running on? I haven't been able to reproduce this.

I do not think that the problem is related to .NET; as far as I know, .NET sets the TLS versions available but not the default used in PS. Anyway, following is the information that you have requested: [screenshots: cattura, cattura2]

This is the CLR version used in my PS environment: [screenshot: cattura3]
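An added diagnostic for the client/server TLS mismatch in the original report and for the .NET-default question discussed above (this is not Empire's code; the function names are mine). The first function reports which TLS versions this PowerShell client offers by default and the machine-wide .NET switches that change that default; the second tests which TLS versions an HTTPS listener actually accepts, so the mismatch can be confirmed without a packet capture. The host and port at the bottom are placeholders.

```powershell
# Added diagnostic, not Empire code. Run it in the PowerShell session that
# produced the "secure SSL/TLS channel" error, on the machine that produced it.

function Get-TlsClientDefaults {
    # Machine-wide .NET 4.x switches that make TLS 1.2 the default for .NET
    # clients (1 = on). Absent or 0 leaves the older defaults in place.
    $reg = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $p = Get-ItemProperty -Path $reg -ErrorAction SilentlyContinue
    $offered = [Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{
        PSVersion  = $PSVersionTable.PSVersion.ToString()
        CLRVersion = [string]$PSVersionTable.CLRVersion   # empty on PowerShell Core
        OSBuild    = [Environment]::OSVersion.Version.ToString()
        # Protocols that WebClient / Invoke-WebRequest offer in this process.
        SecurityProtocol = $offered.ToString()
        OffersTls12      = ([int]($offered -band [Net.SecurityProtocolType]::Tls12)) -ne 0
        SchUseStrongCrypto       = $p.SchUseStrongCrypto
        SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
    }
}

function Test-TlsEndpoint {
    # One handshake per protocol version against an HTTPS endpoint, reporting
    # which versions the server accepts. Certificate trust is ignored on
    # purpose: the listener uses a self-signed, generated certificate.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $trustAll = [Net.Security.RemoteCertificateValidationCallback]{ $true }
    foreach ($name in 'Tls', 'Tls11', 'Tls12') {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
            $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
            $ssl.AuthenticateAsClient($HostName, $null, [Security.Authentication.SslProtocols]$name, $false)
            [pscustomobject]@{ Offered = $name; Accepted = $true;  Detail = $ssl.SslProtocol.ToString() }
        } catch {
            [pscustomobject]@{ Offered = $name; Accepted = $false; Detail = $_.Exception.GetBaseException().Message }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
}

# Compare what this client offers with what the listener accepts.
# Host and port are placeholders: substitute the listener you are testing.
Get-TlsClientDefaults | Format-List
Test-TlsEndpoint -HostName '192.168.1.66' -Port 443 | Format-Table -AutoSize
```

A client whose `OffersTls12` is `False` against a server that only accepts `Tls12` reproduces the "secure SSL/TLS channel" failure seen in the screenshots above.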

pisicode commented 5 years ago

Can confirm. The same issue happened to me as well and @zinzloun's solution worked.