byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Empire_exec Auth error #226

Closed Kaicastledine closed 4 years ago

Kaicastledine commented 6 years ago

Steps to reproduce

Empire 1.5.2 with Brew on OSX High Sierra

brew install empire
- set up DB with password *******
- set up Empire listener called CMETest

Set up RESTful API

empire --rest --user empireadmin --pass ******

Execute empire_exec

sudo cme 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest

RESTful API shows POST

127.0.0.1 - - [02/Jan/2018 16:17:08] "POST /api/admin/login HTTP/1.1" 401 -
127.0.0.1 - - [02/Jan/2018 16:17:18] "POST /api/admin/login HTTP/1.1" 401 -
127.0.0.1 - - [02/Jan/2018 16:17:40] "POST /api/admin/login HTTP/1.1" 401 -

Can connect with no issue via curl

curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"******"}'
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 57
Server: Werkzeug/0.11.9
Date: Tue, 02 Jan 2018 16:23:00 GMT

{
  "token": "fmgvvi77rqo96egd8sdg678jowayirnkvp2yyfl0"
}

Shows in the RESTful API as auth

127.0.0.1 - - [02/Jan/2018 16:23:00] "POST /api/admin/login HTTP/1.1" 200 -

CME verbose output (using the --verbose flag)

sudo cme 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest -debug --verbose

DEBUG                                          {'domain': 'ebug', 'wdigest': None, 'verbose': True, 'sam': False, 'cred_id': ['2'], 'module_options': ['LISTENER=CMETest'], 'fail_limit': None, 'share': 'C$', 'lusers': False, 'module': 'empire_exec', 'smb_port': 445, 'show_options': False, 'rid_brute': None, 'uac': False, 'ufail_limit': None, 'pass_pol': False, 'regex': None, 'list_modules': False, 'no_output': False, 'pattern': None, 'lsa': False, 'force_ps32': False, 'shares': False, 'content': False, 'server_host': '0.0.0.0', 'wmi': None, 'exclude_dirs': '', 'server_port': None, 'wmi_namespace': '//./root/cimv2', 'gfail_limit': None, 'mssql_query': None, 'username': [], 'hash': [], 'users': False, 'sessions': False, 'exec_method': None, 'spider': None, 'ps_execute': None, 'threads': 100, 'mssql_port': 1433, 'password': [], 'mssql': False, 'mssql_auth': 'windows', 'ntds_pwdLastSet': False, 'execute': None, 'target': ['192.168.215.104'], 'ntds_history': False, 'disks': False, 'ntds': None, 'server': 'https', 'depth': 10, 'local_auth': False, 'timeout': 20}

CME Version (cme --version)


OS

OSX High Sierra

Target OS

Windows 7

Kaicastledine commented 6 years ago

Checked the cme.conf

Password is the same as the DB password

Tested by uninstalling and re-installing with brew

Also added rest_token from API

Kaicastledine commented 6 years ago

Edited empire_exec.py to hardcode username/password - works!

# Pull the username and password from the config file
payload = {'username': 'empireadmin', 'password': 'gH25Iv1K68@^'}

Kaicastledine commented 6 years ago

Issue due to password symbols?

Kaicastledine commented 6 years ago

Is there a way to log or check what CME is actually trying to use to auth with the API?

Kaicastledine commented 6 years ago

Installed with pipenv (version 4.0.1dev)

- Changed cme.conf to have the new password in.
- Set up API with the same password (also the DB password)

Kaicastledine commented 6 years ago

cme --verbose

Missing username/password pulled from config?

sudo cme --verbose smb 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest
DEBUG Passed args:
{'clear_obfscripts': False,
 'content': False,
 'cred_id': ['2'],
 'darrell': False,
 'depth': None,
 'disks': False,
 'domain': None,
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'gfail_limit': None,
 'groups': None,
 'hash': [],
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'local_groups': None,
 'loggedon_users': False,
 'lsa': False,
 'module': 'empire_exec',
 'module_options': ['LISTENER=CMETest'],
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': False,
 'password': [],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'sessions': False,
 'share': 'C$',
 'shares': False,
 'show_module_options': False,
 'spider': None,
 'spider_folder': '.',
 'target': ['192.168.215.104'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': [],
 'users': None,
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}
DEBUG Starting new HTTPS connection (1): 127.0.0.1
DEBUG https://127.0.0.1:1337 "POST /api/admin/login HTTP/1.1" 401 0
EMPIRE_E...                                         [-] Error authenticating to Empire's RESTful API server!

Kaicastledine commented 6 years ago

147

Added rest_token=**** in cme.conf

Tested but still getting auth failed. Not seeing rest_token in debug as value.

Checked and empire_exec.py is outdated in latest version installed via pipenv

FIX COMMIT https://github.com/byt3bl33d3r/CrackMapExec/commit/04c4e3de6460d93119f43e50f7cb2690700b7b55

Kaicastledine commented 6 years ago

Changes made to empire_exec.py + cme.conf

debug

(CrackMapExec-KK60ewK1) bash-3.2$ sudo cme --verbose smb 192.168.215.104 -id 2 -M empire_exec -o LISTENER=CMETest
DEBUG Passed args:
{'clear_obfscripts': False,
 'content': False,
 'cred_id': ['2'],
 'darrell': False,
 'depth': None,
 'disks': False,
 'domain': None,
 'exclude_dirs': '',
 'exec_method': None,
 'execute': None,
 'fail_limit': None,
 'force_ps32': False,
 'gen_relay_list': None,
 'gfail_limit': None,
 'groups': None,
 'hash': [],
 'jitter': None,
 'list_modules': False,
 'local_auth': False,
 'local_groups': None,
 'loggedon_users': False,
 'lsa': False,
 'module': 'empire_exec',
 'module_options': ['LISTENER=CMETest'],
 'no_output': False,
 'ntds': None,
 'obfs': False,
 'only_files': False,
 'pass_pol': False,
 'password': [],
 'pattern': None,
 'port': 445,
 'protocol': 'smb',
 'ps_execute': None,
 'regex': None,
 'rid_brute': None,
 'sam': False,
 'server': 'https',
 'server_host': '0.0.0.0',
 'server_port': None,
 'sessions': False,
 'share': 'C$',
 'shares': False,
 'show_module_options': False,
 'spider': None,
 'spider_folder': '.',
 'target': ['192.168.215.104'],
 'threads': 100,
 'timeout': None,
 'ufail_limit': None,
 'username': [],
 'users': None,
 'verbose': True,
 'wmi': None,
 'wmi_namespace': 'root\\cimv2'}
Traceback (most recent call last):
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/bin/cme", line 11, in <module>
    load_entry_point('crackmapexec==4.0.1.dev0', 'console_scripts', 'cme')()
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/crackmapexec.py", line 160, in main
    module = loader.init_module(props['path'])
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/loaders/module_loader.py", line 96, in init_module
    module.options(context, module_options)
  File "/Users/kaic/.local/share/virtualenvs/CrackMapExec-KK60ewK1/lib/python2.7/site-packages/crackmapexec-4.0.1.dev0-py2.7.egg/cme/modules/empire_exec.py", line 37, in options
    token = context.conf.get('Empire', 'rest_token')
  File "/usr/local/Cellar/python/2.7.13_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 618, in get
    raise NoOptionError(option, section)
ConfigParser.NoOptionError: No option 'rest_token' in section: 'Empire'
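The traceback above comes from a plain `conf.get('Empire', 'rest_token')` on a config section that has no such key. An added example, not CrackMapExec's own code, of how the [Empire] section can be read so that a missing rest_token falls back to username/password login and symbol-heavy passwords (including '%') are not mangled by interpolation; it uses Python 3's configparser and constructed cme.conf fragments with placeholder values:

```python
import configparser

# Constructed [Empire] sections modelled on cme.conf (placeholder values,
# not the thread's real config). One has rest_token set, one has only
# username/password, one has a '%' in the password, which would raise an
# InterpolationSyntaxError under the default interpolating ConfigParser.
CONF_WITH_TOKEN = """
[Empire]
api_host = 127.0.0.1
api_port = 1337
username = empireadmin
password = placeholder-pass
rest_token = placeholder-token
"""

CONF_WITHOUT_TOKEN = """
[Empire]
api_host = 127.0.0.1
api_port = 1337
username = empireadmin
password = gH25Iv1K68@^
"""

CONF_PERCENT_PASSWORD = """
[Empire]
api_host = 127.0.0.1
api_port = 1337
username = empireadmin
password = 100%secret
"""


def load_empire_auth(conf_text):
    """Return ('token', value) if rest_token is present and non-empty,
    otherwise ('login', payload) with the username/password pair.

    RawConfigParser disables '%' interpolation, so passwords containing
    symbols are read back verbatim; get(..., fallback=None) replaces the
    NoOptionError seen in the traceback with a graceful fallback.
    """
    conf = configparser.RawConfigParser()
    conf.read_string(conf_text)
    token = conf.get('Empire', 'rest_token', fallback=None)
    if token:
        return ('token', token)
    payload = {'username': conf.get('Empire', 'username'),
               'password': conf.get('Empire', 'password')}
    return ('login', payload)
```

Logging which branch was taken (token vs. login) at debug level is what the earlier question about "what CME is actually trying to use" would need; never log the secret itself.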

Kaicastledine commented 6 years ago

Brew installs an old version of Empire

Kaicastledine commented 6 years ago

Installed updated Empire v 2.3

- Set up HTTP listener called CMETest

- Set up headless API

No log??

- Tested via curl - OK

- CME connect - auth failed

Now I'm out of ideas haha

Kaicastledine commented 6 years ago

Works via curl with API key

byt3bl33d3r commented 6 years ago

Empire might have changed their API again... I'll take a look at this when I get a chance.

mpgn commented 4 years ago

Closing since we don't support Empire python2 anymore; maybe we should use https://github.com/BC-SECURITY/Empire/ but it's another issue