EmPyre is a pure Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture. It is based heavily on the controller and communication structure of Empire.
The Diffie Hellman implementation is from Mark Loiseau's project here, licensed under version 3.0 of the GNU General Public License.
The AES implementation is adapted from Richard Moore's project here, licensed under the MIT license.
The initial Python launcher code is inspired from MSF's Python Meterpreter launcher here, licensed under the BSD-3-clause license.
The collection/osx/keylogger module was originally written by joev here and licensed under the MSF_LICENSE/BSD 3-clause license.
- KEYs = staging key, set per server (used for RC4 and initial AES comms)
- KEYn = the DH-EKE negotiated key
- PUBc = the client-generated DH public key
- PUBs = the server-generated DH public key
The process is as follows:
client runs launcher.py that GETs stager.py from /stage0
launcher.py implements a minimized RC4 decoding stub and negotiation key
server returns RC4(KEYs, stager.py) (key negotiation stager)
stager.py contains minimized DH and AES
client generates DH key PUBc, and POSTs HMAC(AES(KEYs, PUBc)) posts to /stage1
server generates a new DH key on each check in
server returns HMAC(AES(KEYs, nonce+PUBs))
client calculates shared DH key KEYn
client POSTs HMAC(AES(KEYn, [nonce+1]+sysinfo) to /stage2
server returns HMAC(AES(KEYn, patched agent.py))
client sleeps on interval, and then GETs /tasking.uri
if no tasking, return standard looking page
if tasking, server returns HMAC(AES(KEYn, tasking))
client posts HMAC(AES(KEYn, tasking)) to /response.uri