EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Double Quotes in add_sid_history module #59

Closed mubix closed 9 years ago

mubix commented 9 years ago

Not sure how I'm supposed to put quotes in modules, is there a trick to it?

(Empire: persistence/misc/add_sid_history) > set Groups "Domain Admins"
(Empire: persistence/misc/add_sid_history) > run
[>] Module is not opsec safe, run? [y/N] y
(Empire: persistence/misc/add_sid_history) >
Job started: Debug32_vzw3x

Hostname: DC1.sittingduck.info / authority\system-authority\system
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 23 2015 23:05:23)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 16 modules * * */

mimikatz(powershell) # misc::addsid notanadmin
ERROR kuhl_m_misc_addsid ; It requires at least 2 args

mimikatz(powershell) # Domain
ERROR mimikatz_doLocal ; "Domain" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file output/base64 output
         version  -  Display some version informations
              cd  -  Change or display current directory
        markruss  -  Mark about PtH

mimikatz(powershell) # Admins
ERROR mimikatz_doLocal ; "Admins" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file output/base64 output
         version  -  Display some version informations
              cd  -  Change or display current directory
        markruss  -  Mark about PtH

mubix commented 9 years ago

Seems like the Invoke-Mimikatz powershell automatically puts anything with a space on a new command line.

enigma0x3 commented 9 years ago

Yea, this is something with the quoting. We will play around with it and get back to you. Groups without a space should work; however, Invoke-Mimikatz will take groups with a space and drop them on separate lines.

HarmJ0y commented 9 years ago

This gets tricky as Mimikatz uses CommandLineToArgvW (which is notoriously annoying) to do its parsing, and we're trying to pass a single PowerShell literal string (with 's) with spacing and quotes escaped within it. That said, pretty sure I have a workaround, and will try to get the code up tomorrow after some testing.

enigma0x3 commented 9 years ago

@mubix, if you do a pull, this bug should be fixed. Due to the way it interprets spacing, you will get an error in the mimikatz output followed by the correct command and result. The commit is here: https://github.com/PowerShellEmpire/Empire/commit/4ceafec807178c445c2da22fda7fac5c8e4a4734

Thanks for the report.