Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adjust HTTP listeners' responses to resemble IIS 7.5 more #277

Merged
merged 5 commits into from Aug 12, 2020
Merged

Adjust HTTP listeners' responses to resemble IIS 7.5 more #277

merged 5 commits into from Aug 12, 2020

Conversation

adamczi
Copy link

@adamczi adamczi commented Aug 10, 2020

Hi, so inspired by a video of Polish security vlogger about how to detect Empire listeners, I compared responses from IIS 7.5 with http/http_com listeners and fixed some inconsistencies. From the most to least important:

  • in a situation when a request with no cookie and routing packet comes in, changed 200 code to 404 as listener returns a 404 page
  • added an error handler and a template for 405 Method Not Allowed page (before there was Werkzeug's error page)
  • moved /welcome.png routing into the main catch-all routing to enable Windows-like case-insensitivity (e.g. /wELCome.png works on Windows, not on Linux)
  • switched from /index.html (nonexistent in IIS by default) to /iisstart.htm (default)
  • did minor character changes in the responses so they match byte by byte (except for header_offset)

Cx01N and others added 5 commits August 4, 2020 23:44
@Cx01N
Merge pull request BC-SECURITY#270 from BC-SECURITY/dev
d00626a 
Empire 3.3.2 Release
@adamczi
HTTP listeners - make welcome.png case-insensitive
4a1d307 
Signed-off-by: adamczi <adamczi@users.noreply.github.com>
@adamczi
HTTP listeners - imitate 405 response page
b0c3e98 
Signed-off-by: adamczi <adamczi@users.noreply.github.com>
@adamczi
HTTP listeners - adapt to resemble IIS more
a12825a 
- fixed 200 to 404 code in http.py when no cookie is passed
- minor changes in HTML responses to make alike to original IIS pages
- bump Werkzeug's HTTP version header from 1.0 to 1.1 for the same reason

Signed-off-by: adamczi <adamczi@users.noreply.github.com>
@adamczi
HTTP listeners - route to default IIS iisstart.htm
af44e0d 
Signed-off-by: adamczi <adamczi@users.noreply.github.com>
@vinnybod vinnybod merged commit b8afdeb into BC-SECURITY:dev Aug 12, 2020
@Cx01N Cx01N mentioned this pull request Aug 12, 2020
Merged
@adamczi adamczi mentioned this pull request Sep 9, 2020
Merged
vinnybod added a commit that referenced this pull request Jan 25, 2022
@vinnybod
Merge pull request #277 from BC-SECURITY/sponsors-dev
d60f36d 
4.3.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@adamczi @vinnybod @Cx01N