Closed Kaicastledine closed 4 years ago
Checked the cme.conf
Password is the same as the DB password
Tested by uninstalling and re-installing with brew
Also added rest_token from API
Edited empire_exec.py to hardcode username/password - Works!
#Pull the username and password from the config file
payload = {'username': 'empireadmin', 'password': 'gH25Iv1K68@^'}
Issue due to password symbols?
Is there a way to log or check what CME is actually trying to use to auth with the API?
Installed with pipenv (version 4.0.1dev)
-Changed cme.conf to have new password in.
-Setup API with same password (Also DB password)
cme --verbose
Missing username/password pulled from config?
sudo cme --verbose smb 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest
DEBUG Passed args:
{'clear_obfscripts': False,
'content': False,
'cred_id': ['2'],
'darrell': False,
'depth': None,
'disks': False,
'domain': None,
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'gfail_limit': None,
'groups': None,
'hash': [],
'jitter': None,
'list_modules': False,
'local_auth': False,
'local_groups': None,
'loggedon_users': False,
'lsa': False,
'module': 'empire_exec',
'module_options': ['LISTENER=CMETest'],
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': False,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': False,
'share': 'C$',
'shares': False,
'show_module_options': False,
'spider': None,
'spider_folder': '.',
'target': ['192.168.215.104'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': [],
'users': None,
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
DEBUG Starting new HTTPS connection (1): 127.0.0.1
DEBUG https://127.0.0.1:1337 "POST /api/admin/login HTTP/1.1" 401 0
EMPIRE_E... [-] Error authenticating to Empire's RESTful API server!
Added rest_token=**** in cme.conf
Tested but still getting auth failed. Not seeing rest_token in debug as value.
Checked and empire_exec.py is outdated in latest version installed via pipenv
FIX COMMIT https://github.com/byt3bl33d3r/CrackMapExec/commit/04c4e3de6460d93119f43e50f7cb2690700b7b55
Changes made to empire_exec.py + cme.conf
debug
(CrackMapExec-KK60ewK1) bash-3.2$ sudo cme --verbose smb 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest
DEBUG Passed args:
{'clear_obfscripts': False,
'content': False,
'cred_id': ['2'],
'darrell': False,
'depth': None,
'disks': False,
'domain': None,
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'gfail_limit': None,
'groups': None,
'hash': [],
'jitter': None,
'list_modules': False,
'local_auth': False,
'local_groups': None,
'loggedon_users': False,
'lsa': False,
'module': 'empire_exec',
'module_options': ['LISTENER=CMETest'],
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': False,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': False,
'share': 'C$',
'shares': False,
'show_module_options': False,
'spider': None,
'spider_folder': '.',
'target': ['192.168.215.104'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': [],
'users': None,
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
Traceback (most recent call last):
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/bin/cme", line 11, in <module>
    load_entry_point('crackmapexec==4.0.1.dev0', 'console_scripts', 'cme')()
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/crackmapexec.py", line 160, in main
    module = loader.init_module(props['path'])
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/loaders/module_loader.py", line 96, in init_module
    module.options(context, module_options)
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/modules/empire_exec.py", line 37, in options
    token = context.conf.get('Empire', 'rest_token')
  File "/usr/local/Cellar/python/2.7.13_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 618, in get
    raise NoOptionError(option, section)
ConfigParser.NoOptionError: No option 'rest_token' in section: 'Empire'
Brew installing old version of empire
Installed updated Empire v 2.3
-Setup http listener called CMETest
-- Setup headless api
No log??
-- Tested via curl - OK
-- CME connect - Auth failed
Now I'm out of ideas haha
Works via curl with API key
Empire might have changed their API again... I'll take a look at this when I get a chance.
Closing since we don't support Empire python2 anymore, maybe we should use https://github.com/BC-SECURITY/Empire/ but it's another issue.
Steps to reproduce
Empire 1.5.2 with Brew on OSX High Sierra
Setup RESTful API
empire --rest --user empireadmin --pass ******
Execute empire_exec
sudo cme 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest
RESTful API shows post
Can connect no issue with curl
Shows in RESTful API as auth
127.0.0.1 - - [02/Jan/2018 16:23:00] "POST /api/admin/login HTTP/1.1" 200 -
CME verbose output (using the --verbose flag)
OS
OSX High Sierra
Target OS
Windows 7
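Added example, not code from CrackMapExec or from this thread: one way a module could read the `[Empire]` section of cme.conf without the `NoOptionError` seen in the traceback, keep symbols in the password literal, and report which credentials it will send with the secrets masked. The `[Empire]` section and `rest_token` option appear in the traceback; the `api_host`, `api_port`, `username` and `password` option names, the sample values and both function names are assumptions.

```python
import configparser

# Constructed sample configs. Section name and rest_token come from the
# traceback above; the other option names and all values are assumed.
CONF_NO_TOKEN = """\
[Empire]
api_host = 127.0.0.1
api_port = 1337
username = empireadmin
password = Ex%ample@^1
"""
CONF_WITH_TOKEN = CONF_NO_TOKEN + "rest_token = 0123456789abcdef\n"


def resolve_empire_auth(conf_text):
    """Return ('token', {...}) or ('login', {...}); never raise NoOptionError."""
    # interpolation=None keeps characters such as '%' in secrets literal
    # instead of treating them as configparser interpolation syntax.
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    if not conf.has_section("Empire"):
        raise ValueError("cme.conf has no [Empire] section")
    # A missing rest_token is a normal case, so use a fallback.
    token = conf.get("Empire", "rest_token", fallback="").strip()
    if token:
        return "token", {"token": token}
    user = conf.get("Empire", "username", fallback="")
    password = conf.get("Empire", "password", fallback="")
    if not (user and password):
        raise ValueError("[Empire] needs rest_token or username and password")
    return "login", {"username": user, "password": password}


def describe(method, secrets):
    """Debug line naming the auth method and fields, with secret values masked."""
    masked = {k: (v if k == "username" else "*" * 4 + " (len %d)" % len(v))
              for k, v in secrets.items()}
    return "Empire auth via %s: %s" % (method, masked)


if __name__ == "__main__":
    for text in (CONF_NO_TOKEN, CONF_WITH_TOKEN):
        print(describe(*resolve_empire_auth(text)))
```

The masked line shows the length of each secret, which is enough to spot a truncated or empty value without writing the credential to a log.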