This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

KeyError -agents.py- line 1273 in handle_agent_staging -- Agent Creation Fails #563

Closed
liteman opened this issue Jun 6, 2017 · 12 comments

liteman commented Jun 6, 2017

Empire Version

2.0

OS Information (Linux flavor, Python version)

kali linux rolling - python 2.7

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

Have a listener configured, and stager.hta executed on target system. Python exception thrown during agent negotiation

Screenshot of error, embedded text output, or Pastebin link to the error

(Empire: stager/windows/hta) > [2017-06-02 13:39:26,965] ERROR in app: Exception on /admin/get.php [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/bin/Empire//lib/listeners/http.py", line 798, in handle_post
    dataResults = self.mainMenu.agents.handle_agent_data(stagingKey, requestData, listenerOptions, clientIP)
  File "/usr/local/bin/Empire/lib/common/agents.py", line 1368, in handle_agent_data
    dataToReturn.append((language, self.handle_agent_staging(sessionID, language, meta, additional, encData, stagingKey, listenerOptions, clientIP)))
  File "/usr/local/bin/Empire/lib/common/agents.py", line 1273, in handle_agent_staging
    sessionKey = self.agents[sessionID]['sessionKey']
KeyError: '72B96WFZ'

Any additional information

Contributor

xorrior commented Jun 6, 2017

@liteman Can you run empire with the --debug 2 flag and then re-execute? We need to see what part of the staging process is failing.

Author

liteman commented Jun 6, 2017

With --debug 2:

(Empire: stager/windows/hta) > listeners/http : [*] GET request for 192.168.1.1:8080/admin/get.php from 192.168.1.1
listeners/http : [*] GET cookie value from 192.168.1.1 : session=/3qHUFdfTw4Hew+bubmBXZmIYTw=
Agents : [*] handle_agent_data(): sessionID 00000000 issued a STAGE0 request
listeners/http : [*] Sending POWERSHELL stager (stage 1) to 192.168.1.1
listeners/http : [*] POST request data length from 192.168.1.1 : 18
Agents : [!] handle_agent_data(): routingPacket wrong length: 18
listeners/http : [*] POST request data length from 192.168.1.1 : 180
Agents : [*] handle_agent_data(): sessionID H1M8ANWY issued a STAGE2 request
{}
[2017-06-02 14:31:16,615] ERROR in app: Exception on /login/process.php [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/bin/Empire//lib/listeners/http.py", line 798, in handle_post
    dataResults = self.mainMenu.agents.handle_agent_data(stagingKey, requestData, listenerOptions, clientIP)
  File "/usr/local/bin/Empire/lib/common/agents.py", line 1368, in handle_agent_data
    dataToReturn.append((language, self.handle_agent_staging(sessionID, language, meta, additional, encData, stagingKey, listenerOptions, clientIP)))
  File "/usr/local/bin/Empire/lib/common/agents.py", line 1273, in handle_agent_staging
    sessionKey = self.agents[sessionID]['sessionKey']
KeyError: 'H1M8ANWY'
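
Added example, not part of the thread and not Empire's code: the traceback above ends in an unguarded lookup of a client-supplied session ID, and the debug log shows an 18-byte POST being rejected just before the STAGE2 request arrives. The sketch replays that sequence with constructed events and contrasts the unguarded lookup with one that returns a protocol error; `StagingTable`, `replay`, `MIN_ROUTING_LEN` and the placeholder session key are hypothetical.

```python
# Hypothetical names throughout; this is an illustration, not Empire's code.
MIN_ROUTING_LEN = 20  # assumed minimum packet size for this sketch


class StagingTable(object):
    """Tracks which sessions have completed each handshake stage."""

    def __init__(self):
        self.agents = {}  # sessionID -> {"sessionKey": ..., "stage": ...}

    def stage1(self, session_id, body):
        # A malformed stage-1 body is rejected, so nothing gets registered.
        if len(body) < MIN_ROUTING_LEN:
            return ("ERROR", "routing packet wrong length: %d" % len(body))
        # Placeholder key; a real exchange would negotiate one here.
        self.agents[session_id] = {"sessionKey": b"k" * 32, "stage": 1}
        return ("OK", "stage 1 complete")

    def stage2_unguarded(self, session_id):
        # Same shape as the failing line in the traceback: raises KeyError
        # when the session was never registered.
        return self.agents[session_id]["sessionKey"]

    def stage2_guarded(self, session_id):
        # Treat an unknown or out-of-order session as a protocol error
        # instead of letting the exception surface as an HTTP 500.
        entry = self.agents.get(session_id)
        if entry is None or entry["stage"] != 1:
            return ("ERROR", "STAGE2 from unregistered session %s" % session_id)
        entry["stage"] = 2
        return ("OK", entry["sessionKey"])


def replay(events):
    """Replay (stage, session_id, body) tuples and collect the results."""
    table, results = StagingTable(), []
    for stage, session_id, body in events:
        if stage == "STAGE1":
            results.append(table.stage1(session_id, body))
        elif stage == "STAGE2":
            results.append(table.stage2_guarded(session_id))
    return results


# Constructed events mirroring the debug log: an 18-byte body that is
# rejected, then a STAGE2 request for a session that was never registered.
SAMPLE = [("STAGE1", "H1M8ANWY", b"\x00" * 18),
          ("STAGE2", "H1M8ANWY", b"\x00" * 180)]

if __name__ == "__main__":
    for result in replay(SAMPLE):
        print(result)
```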

Contributor

xorrior commented Jun 6, 2017 via email

Author

liteman commented Jun 6, 2017

Not sure what you mean by every agent -- I haven't been able to get any agents created. This is using a fresh clone yesterday, http listener and windows/hta stager.

Author

liteman commented Jun 6, 2017

Just did a fresh pull -- and got the same result:

(Empire) > listeners/http : [*] GET request for 192.168.1.1:8080/admin/get.php from 192.168.1.1
listeners/http : [*] GET cookie value from 192.168.1.1 : session=/3qHUFdfTw4Hew+bubmBXZmIYTw=
Agents : [*] handle_agent_data(): sessionID 00000000 issued a STAGE0 request
listeners/http : [*] Sending POWERSHELL stager (stage 1) to 192.168.1.1
listeners/http : [*] POST request data length from 192.168.1.1 : 18
Agents : [!] handle_agent_data(): routingPacket wrong length: 18
listeners/http : [*] POST request data length from 192.168.1.1 : 180
Agents : [*] handle_agent_data(): sessionID Z4EHU9CY issued a STAGE2 request
{}
[2017-06-02 14:46:20,850] ERROR in app: Exception on /admin/get.php [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/bin/Empire//lib/listeners/http.py", line 798, in handle_post
    dataResults = self.mainMenu.agents.handle_agent_data(stagingKey, requestData, listenerOptions, clientIP)
  File "/usr/local/bin/Empire/lib/common/agents.py", line 1368, in handle_agent_data
    dataToReturn.append((language, self.handle_agent_staging(sessionID, language, meta, additional, encData, stagingKey, listenerOptions, clientIP)))
  File "/usr/local/bin/Empire/lib/common/agents.py", line 1273, in handle_agent_staging
    sessionKey = self.agents[sessionID]['sessionKey']
KeyError: 'Z4EHU9CY'

Author

liteman commented Jun 6, 2017

Further testing -- this seems to be specific to the host executing the stager.hta. Some security getting in the way. Can anyone provide some insight into what is happening at this stage? "sessionID Z4EHU9CY issued a STAGE2 request"

Author

liteman commented Jun 7, 2017

Commented out "$ErrorActionPreference = "SilentlyContinue";" from http.ps1... First exception thrown in powershell while executing http.ps1:
New-Object : Exception calling ".ctor" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1593

Offender: $hmac = New-Object System.Security.Cryptography.HMACSHA256;

Fails in a FIPS enabled environment.

Contributor

xorrior commented Jun 7, 2017

This was a known issue previously. #35. Standby, trying to find out whether or not there was a fix. @liteman

Contributor

xorrior commented Jun 10, 2017

@liteman This was fixed previously. The alg was changed from SHA1 to HMACSHA256. Not sure what we can do when it comes to FIPS. We'll look into it.

@majidabdul82

I have a similar problem but with UnicodeDecodeError. I used --debug 2. Please help.
[2017-07-30 17:43:04,640] ERROR in app: Exception on /login/process.php [GET]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/root/Desktop/Empire//lib/listeners/http.py", line 760, in handle_get
    dispatcher.send("[!] Error from agents.handle_agent_data() for %s from %s: %s" % (request_uri, clientIP, results), sender='listeners/http')
UnicodeDecodeError: 'ascii' codec can't decode byte 0x81 in position 17: ordinal not in range(128)

Contributor

xorrior commented Aug 6, 2017

@liteman Unfortunately we will not be able to support a FIPS environment at this time. Currently, this seems to only be an issue with .NET 3.5 environments. .NET 2.0 and .NET 4.0+ should be fine with the fix from #35.

xorrior closed this as completed Aug 6, 2017

@clavoillotte

Jumping in because I had the same issue.

While this was indeed fixed in #35 by switching from HMACMD5 to HMACSHA1, a regression (sort of) was introduced (in commit 26cd008 I believe) by switching from HMACSHA1 to HMACSHA256, which is not considered FIPS-compliant on some environments (e.g. Win7 + .NET 3.5).
It's not just a corner case: I have not tested with .NET 2.0 or 4.0, but the default .NET runtime shipping with Windows 7 is 3.5, so this should affect all Windows 7 in default configuration except for the FIPS requirement.

I think there are 3 possible ways to fix it:

  • go back to using HMACSHA1
  • adding an option to select HMACSHA1 in place of HMACSHA256 (and documenting the FIPS use case)
  • adding some logic to try with HMACSHA256 and fallback to HMACSHA1

For pentesters: as a quick & (very) dirty workaround, one can go back to using HMACSHA1 with a few sed commands:

sed -i.bak 's/System.Security.Cryptography.HMACSHA256/System.Security.Cryptography.HMACSHA1/g' data/agent/stagers/*.ps1
sed -i.bak 's/System.Security.Cryptography.HMACSHA256/System.Security.Cryptography.HMACSHA1/g' data/agent/agent.ps1
sed -i.bak 's/hashlib.sha256/hashlib.sha1/g' lib/common/*.py
sed -i.bak 's/hashlib.sha256/hashlib.sha1/g' data/agent/stagers/*.py
