Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/EmpireProject/EmPyre

A post-exploitation OS X/Linux agent written in Python 2.7
https://github.com/EmpireProject/EmPyre

Last synced: 13 days ago
JSON representation

A post-exploitation OS X/Linux agent written in Python 2.7

Host: GitHub
URL: https://github.com/EmpireProject/EmPyre
Owner: EmpireProject
License: bsd-3-clause
Archived: true
Created: 2016-02-29T18:12:10.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2017-08-24T00:08:41.000Z (about 7 years ago)
Last Synced: 2024-05-02T01:52:44.977Z (6 months ago)
Language: Python
Homepage:
Size: 712 KB
Stars: 865
Watchers: 84
Forks: 202
Open Issues: 7
Metadata Files:
- Readme: README.md
- Changelog: changelog
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

README

        #EmPyre

EmPyre is a pure Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture. It is based heavily on the controller and communication structure of Empire.

The Diffie Hellman implementation is from Mark Loiseau's project [here](https://github.com/lowazo/pyDHE), licensed under version 3.0 of the GNU General Public License.

The AES implementation is adapted from Richard Moore's project [here](https://github.com/ricmoo/pyaes), licensed under the MIT license.

The initial Python launcher code is inspired from MSF's Python Meterpreter launcher [here](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/python/reverse_http.rb), licensed under the BSD-3-clause license.

The collection/osx/keylogger module was originally written by joev [here](https://github.com/gojhonny/metasploit-framework/blob/master/modules/post/osx/capture/keylog_recorder.rb) and licensed under the MSF_LICENSE/BSD 3-clause license.

## Key negotiation

* KEYs = staging key, set per server (used for RC4 and initial AES comms)

* KEYn = the DH-EKE negotiated key

* PUBc = the client-generated DH public key

* PUBs = the server-generated DH public key

The process is as follows:

1. client runs launcher.py that GETs stager.py from /stage0

    launcher.py implements a minimized RC4 decoding stub and negotiation key

2. server returns RC4(KEYs, stager.py) (key negotiation stager)

    stager.py contains minimized DH and AES

3. client generates DH key PUBc, and POSTs HMAC(AES(KEYs, PUBc)) posts to /stage1

    server generates a new DH key on each check in

4. server returns HMAC(AES(KEYs, nonce+PUBs))

    client calculates shared DH key KEYn

5. client POSTs HMAC(AES(KEYn, [nonce+1]+sysinfo) to /stage2

6. server returns HMAC(AES(KEYn, patched agent.py))

7. client sleeps on interval, and then GETs /tasking.uri

8. if no tasking, return standard looking page

9. if tasking, server returns HMAC(AES(KEYn, tasking))

10. client posts HMAC(AES(KEYn, tasking)) to /response.uri

EmPyre Tracker:

https://trello.com/b/NASrG4IW/empyre