
caldera's Introduction


MITRE Caldera™

MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.

It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.

The framework consists of two components:

  1. The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
  2. Plugins. These repositories expand the core framework's capabilities and provide additional functionality. Examples include agents, reporting, collections of TTPs and more.


Plugins

⭐ Create your own plugin! Plugin generator: Skeleton

Default

These plugins are supported and maintained by the Caldera team.

  • Access (red team initial access tools and techniques)
  • Atomic (Atomic Red Team project TTPs)
  • Builder (dynamically compile payloads)
  • Caldera for OT (ICS/OT capabilities for Caldera)
  • Compass (ATT&CK visualizations)
  • Debrief (operations insights)
  • Emu (CTID emulation plans)
  • Fieldmanual (documentation)
  • GameBoard (visualize joint red and blue operations)
  • Human (create simulated noise on an endpoint)
  • Magma (VueJS UI for Caldera v5)
  • Manx (shell functionality and reverse shell payloads)
  • Response (incident response)
  • Sandcat (default agent)
  • SSL (enable https for caldera)
  • Stockpile (technique and profile storehouse)
  • Training (certification and training course)

More

These plugins are ready to use but are not included by default and are not maintained by the Caldera team.

  • Arsenal (MITRE ATLAS techniques and profiles)
  • CalTack (embedded ATT&CK website)
  • Pathfinder (vulnerability scanning)
  • SAML (SAML authentication)

Requirements

These requirements are for the computer running the core framework:

  • Any Linux or MacOS
  • Python 3.8+ (with Pip3)
  • Recommended hardware to run on is 8GB+ RAM and 2+ CPUs
  • Recommended: GoLang 1.17+ to dynamically compile GoLang-based agents.
  • NodeJS (v16+ recommended for v5 VueJS UI)

Installation

Concise installation steps:

git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure --build

Full steps: Start by cloning this repository recursively, passing the desired version/release in x.x.x format. This will pull in all available plugins.

git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x

Next, install the PIP requirements:

pip3 install -r requirements.txt

Recommended: install GoLang (1.19+) so the server can dynamically compile the GoLang-based agents (Sandcat, the default agent, is one of them).

Finally, start the server.

python3 server.py --insecure --build

The --build flag installs the VueJS UI dependencies and bundles the UI into a dist directory, which the Caldera server then serves. You only need to pass --build again after adding plugins or changing the UI. Once the server is up, log into http://localhost:8888 with the default credentials red/admin. Treat --insecure as a local-testing switch: it runs the server with the shipped default configuration file (conf/default.yml), whose credentials and API keys are public knowledge, so keep such an instance on localhost or an isolated lab network and change the credentials before exposing it anywhere else. Then go to Plugins -> Training and complete the capture-the-flag style training course to learn how to use Caldera.

If you prefer not to use the new VueJS UI, revert to Caldera v4.2.0; the --build flag is not needed for those earlier versions.
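The default credentials and API keys are the first thing to change before a Caldera server is reachable by anyone but you. The pre-flight check below is an added example written for this page, not code from the Caldera project: it reads the server configuration and reports every shipped default that is still in place. It assumes the conf/default.yml layout (a users map keyed by group and then username, the keys api_key_red and api_key_blue, and host); only the red/admin credential is taken from the installation notes above, the other default values it looks for are assumptions.

```python
"""Pre-flight audit of a Caldera server config before it is exposed.

Added example for this page, not Caldera project code. Assumes the layout of
conf/default.yml: a 'users' map keyed by group then username, the keys
'api_key_red' / 'api_key_blue', and 'host'. The red/admin credential comes
from the installation notes; the other default values below are assumptions.
"""
import sys
from typing import List

# Assumed shipped defaults (red/admin is documented; the rest are assumptions).
DEFAULT_PASSWORDS = {"admin"}
DEFAULT_API_KEYS = {"ADMIN123", "BLUEADMIN123"}
MIN_PASSWORD_LEN = 12


def audit_config(cfg: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously unsafe."""
    findings: List[str] = []
    for group, members in (cfg.get("users") or {}).items():
        for username, password in (members or {}).items():
            if password in DEFAULT_PASSWORDS:
                findings.append(f"user {group}/{username} still has a default password")
            elif len(str(password)) < MIN_PASSWORD_LEN:
                findings.append(f"user {group}/{username} has a password shorter than "
                                f"{MIN_PASSWORD_LEN} characters")
    for key_name in ("api_key_red", "api_key_blue"):
        if cfg.get(key_name) in DEFAULT_API_KEYS:
            findings.append(f"{key_name} is the shipped default value")
    host = str(cfg.get("host", "0.0.0.0"))
    if findings and host in ("0.0.0.0", "::"):
        # Weak secrets on a loopback-only server are a problem; on all interfaces they are an incident.
        findings.append(f"server listens on {host} while weak or default secrets are in use")
    return findings


def load_config(path: str) -> dict:
    """Parse a YAML config file. PyYAML is in Caldera's requirements, so it is
    imported lazily here and audit_config() itself needs no third-party module."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample that mirrors the assumed shipped defaults (not copied from the repo).
SAMPLE_DEFAULT = {
    "api_key_red": "ADMIN123",
    "api_key_blue": "BLUEADMIN123",
    "host": "0.0.0.0",
    "port": 8888,
    "users": {"red": {"red": "admin"}, "blue": {"blue": "admin"}},
}

if __name__ == "__main__":
    # Usage: python audit_caldera_conf.py conf/local.yml   (no argument audits the sample)
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DEFAULT
    for line in audit_config(cfg) or ["no default or weak secrets found"]:
        print(line)
```

Run it against the configuration file the server actually loads (conf/local.yml when --insecure is not given); an empty report is the minimum bar before the port is forwarded or published anywhere.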

User Interface Development

If you'll be developing the UI, there are a few more additional installation steps.

Requirements

  • NodeJS (v16+ recommended)

Setup

  1. Add the Magma submodule if you haven't already: git submodule add https://github.com/mitre/magma
  2. Install NodeJS dependencies and return to the repository root: cd plugins/magma && npm install && cd ../..
  3. Start the Caldera server with an additional flag: python3 server.py --uidev localhost

Your Caldera server is available at http://localhost:8888 as usual, but there will now also be a hot-reloading development server for the VueJS front-end at http://localhost:3000. Logs from both the server and the front-end are written to the terminal you launched the server from.

Docker Deployment

To build a Caldera docker image, ensure you have docker installed and perform the following actions:

# Recursively clone the Caldera repository if you have not done so
git clone https://github.com/mitre/caldera.git --recursive

# Build the docker image. Change image tagging as desired.
# WIN_BUILD is set to true to allow Caldera installation to compile windows-based agents.
# Alternatively, you can use the docker compose YML file via "docker-compose build"
cd caldera
docker build . --build-arg WIN_BUILD=true -t caldera:latest

# Run the image. Change port forwarding configuration as desired.
# -p 8888:8888 publishes the port on every interface; while the default
# credentials are in use, bind to loopback instead: -p 127.0.0.1:8888:8888
docker run -p 8888:8888 caldera:latest

To gracefully terminate your docker container, do the following:

# Find the container ID for your docker container running Caldera
docker ps

# Send interrupt signal, e.g. "docker kill --signal=SIGINT 5b9220dd9c0f"
docker kill --signal=SIGINT [container ID]

Contributing

Refer to our contributor documentation.

Vulnerability Disclosures

Refer to our vulnerability disclosure documentation for submitting bugs.

Licensing

To discuss licensing opportunities, please reach out to [email protected] or directly to MITRE's Technology Transfer Office.

Caldera Benefactor Program

If you are interested in partnering to support, sustain, and evolve MITRE Caldera™'s open source capabilities, please contact us at [email protected].

caldera's People

Contributors

argaudreau, artificialermine, bleepbop, brianedmonds90, bworrell, cdjellen, christophert, clenk, cyber-arsenull, dependabot[bot], djlawren, dm-mitre, elegantmoose, emiliopanti, garunagiri, heatonk, iguannalin, jamiescottc, khyberspache, mchan143, michael-the-jones, mrengstrom, neptunia, nopfor, privateducky, sloane4, unkempthenry, uruwhy, wbooth, zaphodef


caldera's Issues

Caldera uses an outdated version of Mimikatz which no longer works on Windows 10

Hey there, me again. Preliminary discussion in #46

Short story is get_creds no longer works on the latest Windows 10 version because the update broke Mimikatz. More information here: EmpireProject/Empire#1147

I've tried changing the following line:
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')

to

$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String]))

In both invoke-reflectivepe.ps1 and invoke-mimi.ps1.
This fixed the immediate issue but showed that Mimikatz is outdated as well as the same error as described here happens:

gentilkiwi/mimikatz#146

I'm not sure how to go about swapping out the mimikatz binary for the new version; I tried just replacing the mimi64.exe file but that didn't work. Please advise.

Thanks!

Can't get iohttp==2.3.9 via pip3

Requirements.txt has iohttp==2.3.9 which can't be detected by pip. Perhaps, that specific version was removed from the repository, so what should I replace it with?

terminating blocking commands in a step

Greetings,

I have seen your product and let me tell you that you guys have done an amazing job coding such a project. I was trying to extend its functionality by adding a step. The step is supposed to emulate abnormal RDP behavior, namely I want my step to be able to connect to several RDP servers (let's say 10 for example) in quick succession. I have been able to utilize operation.execute_shell_command to run native shell commands, and my plan was to use it to run mstsc.exe to connect to the RDP server and close it after 10-20 seconds, multiple times. My problem is the fact that mstsc blocks the execution of the rest of the action. So I was wondering, is there a way to kill the mstsc process after a set amount of time?

Below is the code of the step class to show you the progress I'm at:

# Import paths follow the Caldera 1.x tree this step targets (assumed).
from app.commands import command
from app.operation.operation import Step, OPRat, OPHost, OPVar, OPFile

# Registry key mstsc consults; a raw string keeps the backslashes intact.
TSC_KEY = r'HKLM\Software\Microsoft\Terminal Server Client'


class MultiRDP(Step):
    """
    Description:
        This step connects to multiple machines using RDP
    Requirements:
        This step requires: - the existence of a RAT on a host
                            - creds to connect with
                            - the subnet to connect to
    """
    attack_mapping = []  # TODO
    display_name = "multi_RDP"
    summary = "Connect to multiple machines using RDP"
    preconditions = [('rat', OPRat),
                     ('host', OPHost(OPVar("rat.host")))]

    postconditions = [('file_g', OPFile({'host': OPVar('rat.host')}))]
    significant_parameters = ['host']

    @staticmethod
    def description(host):
        return "Connecting using RDP"

    @staticmethod
    async def action(operation, rat, host):
        # Placeholders; in a finished step these come from the preconditions.
        username = "admin"
        password = "admin"
        ipaddress = "x.x.x.x"

        def ok(output):
            # Every command below is expected to print nothing on success.
            return output == ''

        # Suppress the server-authentication prompt so mstsc connects unattended.
        await operation.execute_shell_command(rat, command.CommandLine(
            ['reg', 'add', TSC_KEY, '/v', 'AuthenticationLevelOverride', '/t', 'REG_DWORD', '/d', '0']), ok)
        # Cache the credential so mstsc does not prompt for it.
        await operation.execute_shell_command(rat, command.CommandLine(
            ['cmdkey', '/generic:TERMSRV/' + ipaddress, '/user:' + username, '/pass:' + password]), ok)
        # mstsc blocks until its window closes; launching it through "start" returns
        # immediately so the timeout/taskkill pair below actually runs (assumes
        # CommandLine passes the arguments through to cmd unchanged).
        await operation.execute_shell_command(rat, command.CommandLine(
            ['cmd', '/c', 'start', 'mstsc', '/v:' + ipaddress]), ok)
        await operation.execute_shell_command(rat, command.CommandLine(['timeout', '/T', '10', '/NOBREAK']), ok)
        await operation.execute_shell_command(rat, command.CommandLine(['taskkill', '/im', 'mstsc.exe', '/F']), ok)
        # Clean up: drop the cached credential and the registry override.
        await operation.execute_shell_command(rat, command.CommandLine(['cmdkey', '/delete:TERMSRV/' + ipaddress]), ok)
        await operation.execute_shell_command(rat, command.CommandLine(
            ['reg', 'delete', TSC_KEY, '/v', 'AuthenticationLevelOverride', '/f']), ok)
        return True

    @staticmethod
    async def cleanup(cleaner, file_g):
        for fileg in file_g:
            await cleaner.delete(fileg)
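The question in this issue is how to bound a command that blocks, and the same problem exists whenever an emulation step shells out to a GUI program. What follows is an added example for this page, not code from the post or from Caldera: it starts a command, waits up to a deadline, and if the deadline passes it kills and reaps the child and reports that it did so, which is the outcome the step above wants from mstsc. The commands it runs are constructed stand-ins (the running Python interpreter sleeping or printing) so the example is portable; on the RAT side the equivalent of the kill is the taskkill the poster already uses.

```python
"""Run a possibly-blocking command with a hard deadline.

Added example for this page; not code from the post or from Caldera.
"""
import asyncio
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RunResult:
    argv: List[str]
    returncode: Optional[int]   # exit status; negative signal number on POSIX when killed
    timed_out: bool             # True when the deadline passed and the child was killed
    stdout: bytes


async def run_with_deadline(argv: List[str], seconds: float) -> RunResult:
    """Start argv, wait at most `seconds`, then kill it. Always reaps the child."""
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.STDOUT)
    try:
        out, _ = await asyncio.wait_for(proc.communicate(), timeout=seconds)
        return RunResult(list(argv), proc.returncode, False, out)
    except asyncio.TimeoutError:
        try:
            proc.kill()        # SIGKILL on POSIX, TerminateProcess on Windows
        except ProcessLookupError:
            pass               # it exited in the window between timeout and kill
        await proc.wait()      # reap it, otherwise it lingers as a zombie
        return RunResult(list(argv), proc.returncode, True, b"")


def run_sync(argv: List[str], seconds: float) -> RunResult:
    """Convenience wrapper for callers that are not already inside an event loop."""
    return asyncio.run(run_with_deadline(argv, seconds))


# Constructed commands: the interpreter running this file stands in for mstsc.
BLOCKING_CMD = [sys.executable, "-c", "import time; time.sleep(30)"]
QUICK_CMD = [sys.executable, "-c", "print('done')"]

if __name__ == "__main__":
    print(run_sync(QUICK_CMD, 10))       # completes: timed_out=False, returncode=0
    print(run_sync(BLOCKING_CMD, 1))     # killed after 1 s: timed_out=True
```

The deadline is enforced by the caller, not by the child, so a step that uses this pattern gets a definite answer (finished, or killed after N seconds) instead of hanging the whole action on a window that nobody closes.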

Traceback error

Receiving the following error when trying to run caldera.py

calderaerror

Can someone point me in the right direction?

API Documentation

Hello,
First of all, congratulations on this great tool. I'm just scratching the surface of it but it seems promising.
I wanted to know if you plan on releasing the API documentation soon, because I was beginning to take a look at it to play with, but without the documentation it makes it a bit more complicated to understand.
Thanks in advance for the answer

operation error

DEBUG:app.operation.operation:starting operation
INFO:app.operation.operation:Writing commander to: 'C:\commander.exe'
WARNING:app.operation.operation:Error on bootstrap: ('AgentExceptionError', 'Traceback (most recent call last):\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job\n success, result = await self.interface.run(action, args)\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 64, in run\n output = await self._write_commander(args['path'])\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 111, in _write_commander\n return await self._run_in_caldera_subprocess("takeown /F {} /A".format(path))\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 120, in _run_in_caldera_subprocess\n return stdout.decode()\nUnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 2: invalid start byte\n', <Job: {'status': 'failed', 'action': {'write_commander': {'path': 'C:\commander.exe'}, 'exception': 'Traceback (most recent call last):\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job\n success, result = await self.interface.run(action, args)\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 64, in run\n output = await self._write_commander(args['path'])\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 111, in _write_commander\n return await self._run_in_caldera_subprocess("takeown /F {} /A".format(path))\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 120, in _run_in_caldera_subprocess\n return stdout.decode()\nUnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 2: invalid start byte\n', 'error': 'agents exception'}, 'agent': ObjectId('5a38dc49344fa2139ca6638b'), 'create_time': datetime.datetime(2017, 12, 19, 9, 37, 26, 111000, tzinfo=<bson.tz_util.FixedOffset object at 0x00000000042BADA0>), '_id': ObjectId('5a38ddd6344fa20a08c04c46')}>)
INFO:app.operation.operation:Operation complete: Error on bootstrap: ('AgentExceptionError', 'Traceback (most recent call last):\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job\n success, result = await self.interface.run(action, args)\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 64, in run\n output = await self._write_commander(args['path'])\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 111, in _write_commander\n return await self._run_in_caldera_subprocess("takeown /F {} /A".format(path))\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 120, in _run_in_caldera_subprocess\n return stdout.decode()\nUnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 2: invalid start byte\n', <Job: {'status': 'failed', 'action': {'write_commander': {'path': 'C:\commander.exe'}, 'exception': 'Traceback (most recent call last):\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job\n success, result = await self.interface.run(action, args)\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 64, in run\n output = await self._write_commander(args['path'])\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 111, in _write_commander\n return await self._run_in_caldera_subprocess("takeown /F {} /A".format(path))\n File "C:\Users\lpc\Desktop\caldera\caldera-agent\caldera_agent\interfaces.py", line 120, in _run_in_caldera_subprocess\n return stdout.decode()\nUnicodeDecodeError: 'utf-8' codec can't decode byte 0xb3 in position 2: invalid start byte\n', 'error': 'agents exception'}, 'agent': ObjectId('5a38dc49344fa2139ca6638b'), 'create_time': datetime.datetime(2017, 12, 19, 9, 37, 26, 111000, tzinfo=<bson.tz_util.FixedOffset object at 0x00000000042BADA0>), '_id': ObjectId('5a38ddd6344fa20a08c04c46')}>)
DEBUG:app.api:websocket connection closed

Is caldera run correct?
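The failing call in the log above is stdout.decode(), which assumes the console output is UTF-8; a Windows console on a non-English locale writes its OEM code page instead, and the first byte outside ASCII raises UnicodeDecodeError and fails the whole bootstrap job. The helper below is an added example for this page, not code from the post or from the Caldera agent. It tries UTF-8, then the console's own code page when running on Windows (via GetConsoleOutputCP), then any fallbacks the caller names, and as a last resort substitutes U+FFFD instead of raising. The sample bytes are constructed: they are GBK (cp936), a plausible origin for a 0xb3 byte, but that is an assumption, not something the post states.

```python
"""Decode console output without assuming UTF-8.

Added example for this page; not code from the post or from the Caldera agent.
"""
import sys
from typing import Optional, Sequence, Tuple


def console_code_page() -> Optional[str]:
    """Active console output code page on Windows, e.g. 'cp936'; None elsewhere."""
    if sys.platform != "win32":
        return None
    import ctypes
    cp = ctypes.windll.kernel32.GetConsoleOutputCP()
    return f"cp{cp}" if cp else None


def decode_console_output(data: bytes, fallbacks: Sequence[str] = ()) -> Tuple[str, str]:
    """Return (text, codec_used). Never raises UnicodeDecodeError."""
    candidates = ["utf-8"]
    native = console_code_page()
    if native:
        candidates.append(native)
    candidates.extend(fallbacks)
    for codec in candidates:
        try:
            return data.decode(codec), codec
        except (UnicodeDecodeError, LookupError):   # LookupError: codec name not known
            continue
    # Last resort: keep what is valid UTF-8 and mark the rest, rather than fail the job.
    return data.decode("utf-8", errors="replace"), "utf-8+replace"


# Constructed samples (not captured from the post).
ASCII_OUTPUT = b'SUCCESS: The file (or folder): "C:\\commander.exe" now owned by the administrators group.'
GBK_OUTPUT = b"\xb3\xc9\xb9\xa6"   # GBK encoding of the two characters meaning "success"

if __name__ == "__main__":
    print(decode_console_output(ASCII_OUTPUT))
    print(decode_console_output(GBK_OUTPUT, fallbacks=("cp936",)))
    print(decode_console_output(GBK_OUTPUT))   # no usable fallback: replacement characters, no exception
```

The codec name is returned alongside the text so a caller can log which path was taken; a job that keeps producing "utf-8+replace" results is a sign the agent host's code page should be added to the fallback list rather than silently tolerated.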

can't run caldera.py

C:\Caldera\caldera-master\caldera>python caldera.py
Traceback (most recent call last):
File "caldera.py", line 16, in <module>
from app import server
File "C:\Caldera\caldera-master\caldera\app\server.py", line 10, in <module>
import yaml
ModuleNotFoundError: No module named 'yaml'

C:\Caldera\caldera-master\caldera>

The menu on the top of the web interface doesn't work

Hello,
I deployed the caldera server following the installation steps. Everything is OK. But when I open the web interface in the browser, there are some issues:
1. The menu on the top of the web interface doesn't work. When I click the buttons, the domain name in the browser changes, but the page stays unchanged.
2. When I click the login button, even the domain name doesn't change. It seems that there is no href attached to the login button.

Fatal Issue on Start

Maybe this is a simple issue I'm overlooking, but when attempting to start the Caldera server by using docker-compose up in CentOS 7 (which I was eventually able to get working following advice from a previous issue here), I get the error:

server_1 | fatal: Not a git repository (or any of the parent directories): .git
server_1 | DEBUG: asyncio:Using selector: EpollSelector
server_1 | INFO: app.server: Serving on 0.0.0.0:8888

I can't seem to find the location where it's looking for a git extension, and there does not appear to be anything serving to 0.0.0.0:8888. Any help is appreciated.

Agents Exception Error: Error on Bootstrap

Here is the output shown in the Jobs whenever i am trying to run any operation in Caldera.
[
{
"_id": "5b6d2142a15306000dfb195c",
"agent": "5b69a87aa1530600012b7c34",
"action": {
"clients": {},
"result": []
},
"create_time": "2018-08-10T05:23:14.553Z",
"status": "success"
},
{
"_id": "5b6d2142a15306000dfb195d",
"agent": "5b69a87aa1530600012b7c34",
"action": {
"write_commander": {
"path": "C:\commander.exe"
},
"result": "\r\nSUCCESS: The file (or folder): "C:\commander.exe" now owned by the administrators group.\r\n"
},
"create_time": "2018-08-10T05:23:14.758Z",
"status": "success"
},
{
"_id": "5b6d2143a15306000dfb195e",
"agent": "5b69a87aa1530600012b7c34",
"action": {
"create_process": {
"process_args": "C:\commander.exe -f",
"parent": null,
"hide": true,
"output": false
},
"error": "agents exception",
"exception": "Traceback (most recent call last):\n File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job\n File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\interfaces.py", line 84, in run\n File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\interfaces.py", line 159, in _create_process\n File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\foster3.py", line 861, in __init__\n File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\foster3.py", line 1153, in _execute_child\nOSError: [WinError 1392] The file or directory is corrupted and unreadable\n"
},
"create_time": "2018-08-10T05:23:15.955Z",
"status": "failed"
}
]

Also, I can't see the steps being executed by Caldera.

About host discover

Hey, bro!
I changed my system to the English region, and caldera runs well. But another problem troubled me. I have one agent and one "client computer" for testing; all computers are joined to the same AD. When I create a network, I just find the agent; the "client computer" is missing. Was my operation wrong?

Help needed: Creating domain in Caldera server

Dears,

I have installed the Caldera server on Ubuntu. To create a network, there is a drop-down menu to select "Domain". Is this meant to be a Windows AD Domain? If yes, does it need to be created on the Windows DC server, and then we get that Ubuntu box joined to the Windows server? If no, what is meant by domain?

Thanks in advance.

Unable to run caldera.py

I am getting the following error:

Traceback (most recent call last):
File "caldera.py", line 16, in <module>
from app import server
File "C:\Users\John\Desktop\caldera-master 2\caldera\app\server.py", line 136
async def heartbeat_init():
^

[Improvement] Selecting step while creating adversary

Hello,

While testing Caldera I found that when creating an adversary and selecting the steps, it could be difficult to know easily what are the steps that can fulfill the preconditions for each step without juggling between the steps description and the adversary creation.

So I was thinking it might be useful to add a message or a way to indicate what are the steps that can fulfill the preconditions for a selected step when creating an adversary.

NATing caldera server

Greetings,

I was trying to deploy caldera server in a virtual machine, but due to some security mechanisms I didn't make the virtual machine bridged to the network. I used the combination of NATing and port forwarding. I have allowed the access to port 8888/tcp through the OS (Windows) firewall and have configured the port forwarding rule to forward any traffic going to the host machine on port 8888/tcp to go directly to caldera server port 8888/tcp.

When I configured all of that, I managed to access the web interface and log in, but I can't do anything else than that. I can't view operations, networks or adversaries. I also can't access any of the options in the "Debug" menu. When I click on any option nothing happens. Is there any other port I need to allow through the firewall and configure port forwarding for in order to make the server work?

Troublesome Error in Version 1.6.2! After Update, the Conditions in Auto Responder are Blank!

The title says it all.

After rollback to v1.6.1.1 everything is back to normal. But you've lost most of the settings if you saved the form in the meantime. If you haven't saved the template in v1.6.2, the settings seem to be back completely.

Not sure whether the condition actually worked on the frontend (until saving the form, it might be just a UI problem). Didn't have the nerve to test it more; it happened to me on a live site.

BTW: not sure what version it actually is: the changelog says 1.6.2, WP says 1.6.3.

Running into issue when attempting to start Caldera on multiple different systems

Traceback (most recent call last):
File "caldera.py", line 16, in <module>
from app import server
File "/opt/caldera/caldera/app/server.py", line 13, in <module>
from aiohttp import web, WSCloseCode
File "/usr/local/lib/python3.5/dist-packages/aiohttp/web.py", line 15, in <module>
from . import (hdrs, web_exceptions, web_fileresponse, web_middlewares,
File "/usr/local/lib/python3.5/dist-packages/aiohttp/web_middlewares.py", line 5, in <module>
from aiohttp.web_urldispatcher import SystemRoute
File "/usr/local/lib/python3.5/dist-packages/aiohttp/web_urldispatcher.py", line 20, in <module>
from yarl import URL, unquote
ImportError: cannot import name 'unquote'

More fun with commander.exe?

Hi there,

I just got up and running moments ago with Caldera and first just wanted to thank you as it's a great tool! I'm using it for an endpoint protection evaluation/bake-off and it's nice to be able to see how the various products respond when I throw a bunch of suspicious behavior at them.

One thing I'm noticing right away is all the "fun" seems to get stopped by endpoint protection software as they catch the commander.exe file. Is there a way I can try and obfuscate this .exe some more to see if I can get more success out of the attacks? I don't see the source commander.exe anywhere on my Linux server. I'd like to test the (likely) scenario where a user runs something that's not caught by AV. Yet I don't want to just flat out disable AV either.

Thanks,
Brian

Running CAGENT.EXE using Domain User (not local admin)

Team,

Kudos for an awesome project. I am facing some challenges starting cagent.exe as a domain user with normal privileges.

As a normal domain user, we cannot install the new service. (Error)

C:\Program Files\cagent>cagent.exe --startup auto install
Installing service cagent
Error installing service: Access is denied. (5)

Trying cagent.exe under a domain users context (Error)

C:\Program Files\cagent>cagent.exe --username hackable\victim1 --password Victim@1 start
Starting service cagent
Error starting service: Access is denied.

Debugging cagent.exe under a domain users context (Error)

C:\Program Files\cagent>cagent.exe --username hackable\victim1 --password Victim@1 debug
Debugging service cagent - press Ctrl+C to stop.
Info 0x400000FF - Created WinSvcLogHandler
Info 0x40001002 - The cagent service has started.
Error 0xC00000FF - ERROR:caldera_agent.async_client:Caught unhandled exception while running job:
Traceback (most recent call last):
  File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job
  File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\interfaces.py", line 64, in run
  File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\interfaces.py", line 108, in _write_commander
PermissionError: [Errno 13] Permission denied: 'C:\\commander.exe'

All the above checks were performed using the "Active User" option.

image

I also tried the scenario of running cmd with Admin privileges on the client end, and on the Caldera server with Starting user set to the "Active User" option; I got the error below.

C:\Program Files\cagent>cagent.exe --username hackable\victim1 --password Victim@1 debug
Debugging service cagent - press Ctrl+C to stop.
Info 0x400000FF - Created WinSvcLogHandler
Info 0x40001002 - The cagent service has started.
Error 0xC00000FF - ERROR:caldera_agent.async_client:Caught unhandled exception while running job:
Traceback (most recent call last):
  File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\async_client.py", line 117, in run_job
  File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\interfaces.py", line 94, in run
  File "C:\Gitlab Runner\builds\f8e514af\0\caldera\caldera-agent\caldera_agent\interfaces.py", line 141, in _create_process_as_active_user
pywintypes.error: (1314, 'WTSQueryUserToken', 'A required privilege is not held by the client.')

But if I start the cagent.exe service with Administrator privileges (on the client) and on the Caldera server with Starting user set to SYSTEM, everything runs smoothly. But this won't be the scenario in an actual corporate environment. Also, not every domain user can be a local admin.

Please guide me if I am missing anything, or on the ideal way to test in a corporate environment.

Caldera-Agent Missing Module: multiprocessing.SimpleQueue

Windows 10 64 Bit, Same Problem on Win7 64 Bit
Py2Exe cannot find module multiprocessing.SimpleQueue

Totally clueless after hours of search :(
Will now try with Win 8.1 :(

PS C:\Users\Mallory\caldera-agent\caldera_agent> .\make.bat

C:\Users\Mallory\caldera-agent\caldera_agent>python setup.py clean --all
running clean
removing 'build\temp.win-amd64-3.5' (and everything under it)
removing 'build\lib.win-amd64-3.5' (and everything under it)
'build\bdist.win-amd64' does not exist -- can't clean it
'build\scripts-3.5' does not exist -- can't clean it
removing 'build'

C:\Users\Mallory\caldera-agent\caldera_agent>del _foster3*.pyd

C:\Users\Mallory\caldera-agent\caldera_agent>python setup.py build_ext --inplace
running build_ext
building '_foster3' extension
creating build
creating build\temp.win-amd64-3.5
creating build\temp.win-amd64-3.5\Release
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\x86_amd64\cl.exe /c /nologo /Ox /W3 /GL /DNDEBUG /MD -IC:\Users\Mallory\AppData\Local\Programs\Python\Python35\include -IC:\Users\Mallory\AppData\Local\Programs\Python\Python35\include "-IC:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\INCLUDE" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.10240.0\ucrt" "-IC:\Program Files (x86)\Windows Kits\8.1\include\shared" "-IC:\Program Files (x86)\Windows Kits\8.1\include\um" "-IC:\Program Files (x86)\Windows Kits\8.1\include\winrt" /Tc_foster3.c /Fobuild\temp.win-amd64-3.5\Release\_foster3.obj
_foster3.c
_foster3.c(326): warning C4133: 'function': incompatible types - from 'STARTUPINFOEXW *' to 'LPSTARTUPINFOW'
_foster3.c(495): warning C4133: 'function': incompatible types - from 'STARTUPINFOEXW *' to 'LPSTARTUPINFOW'
creating C:\Users\Mallory\caldera-agent\caldera_agent\build\lib.win-amd64-3.5
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\BIN\x86_amd64\link.exe /nologo /INCREMENTAL:NO /LTCG /DLL /MANIFEST:EMBED,ID=2 /MANIFESTUAC:NO /LIBPATH:C:\Users\Mallory\AppData\Local\Programs\Python\Python35\libs /LIBPATH:C:\Users\Mallory\AppData\Local\Programs\Python\Python35\PCbuild\amd64 "/LIBPATH:C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\LIB\amd64" "/LIBPATH:C:\Program Files (x86)\Windows Kits\10\lib\10.0.10240.0\ucrt\x64" "/LIBPATH:C:\Program Files (x86)\Windows Kits\8.1\lib\winv6.3\um\x64" advapi32.lib /EXPORT:PyInit__foster3 build\temp.win-amd64-3.5\Release\_foster3.obj /OUT:build\lib.win-amd64-3.5\_foster3.cp35-win_amd64.pyd /IMPLIB:build\temp.win-amd64-3.5\Release\_foster3.cp35-win_amd64.lib
_foster3.obj : warning LNK4197: export 'PyInit__foster3' specified multiple times; using first specification
Creating library build\temp.win-amd64-3.5\Release\_foster3.cp35-win_amd64.lib and object build\temp.win-amd64-3.5\Release\_foster3.cp35-win_amd64.exp
Generating code
c:\users\mallory\caldera-agent\caldera_agent\_foster3.c(564) : warning C4700: uninitialized local variable 'target_handle' used
Finished generating code
copying build\lib.win-amd64-3.5\_foster3.cp35-win_amd64.pyd ->

C:\Users\Mallory\caldera-agent\caldera_agent>python setup.py py2exe
Building self-contained .exe
running py2exe
running build_ext

1 missing Modules

? multiprocessing.SimpleQueue imported from concurrent.futures.process
Building 'dist\cagent.exe'.
Copy DLL C:\Users\Mallory\AppData\Local\Programs\Python\Python35\VCRUNTIME140.dll to dist
PS C:\Users\Mallory\caldera-agent\caldera_agent> python -V
Python 3.5.4
PS C:\Users\Mallory\caldera-agent\caldera_agent>

python3 caldera.py hangs

I followed the documentation and am basically at the last step, running python3 caldera.py, but it always hangs at this step:
INFO:app.updates:Updating logical definition of step: 'XCopy'

We're using an Ubuntu VM.

Any possible reason, logs to check?

TraceBack

Hello,

When I try to run caldera with python3 I get this:

DEBUG:app.server:Planner has started
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/bin/caldera/caldera/app/server.py", line 165, in sigint_handler
target()
File "/usr/local/bin/caldera/caldera/app/server.py", line 295, in planner_process
rebuild_mappings = AttackTechnique.objects.count() == 0
File "/home/hunter/.local/lib/python3.6/site-packages/mongoengine/queryset/manager.py", line 37, in get
queryset = queryset_class(owner, owner._get_collection())
File "/home/hunter/.local/lib/python3.6/site-packages/mongoengine/document.py", line 197, in _get_collection
cls.ensure_indexes()
File "/home/hunter/.local/lib/python3.6/site-packages/mongoengine/document.py", line 877, in ensure_indexes
collection.create_index(fields, background=background, **opts)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/collection.py", line 1571, in create_index
self.__create_index(keys, kwargs)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/collection.py", line 1459, in __create_index
with self._socket_for_writes() as sock_info:
File "/usr/lib/python3.6/contextlib.py", line 81, in enter
return next(self.gen)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/mongo_client.py", line 868, in _get_socket
server = self._get_topology().select_server(selector)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/topology.py", line 214, in select_server
address))
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/topology.py", line 189, in select_servers
self._error_message(selector))
pymongo.errors.ServerSelectionTimeoutError: No replica set members available for replica set name "caldera"
ERROR:app.server:No replica set members available for replica set name "caldera"
Traceback (most recent call last):
File "/usr/local/bin/caldera/caldera/app/server.py", line 124, in run
web_process(settings, debug)
File "/usr/local/bin/caldera/caldera/app/server.py", line 229, in web_process
if Setting.objects.count() < 1:
File "/home/hunter/.local/lib/python3.6/site-packages/mongoengine/queryset/queryset.py", line 133, in count
return super(QuerySet, self).count(with_limit_and_skip)
File "/home/hunter/.local/lib/python3.6/site-packages/mongoengine/queryset/base.py", line 389, in count
return self._cursor.count(with_limit_and_skip=with_limit_and_skip)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/cursor.py", line 727, in count
return self.__collection._count(cmd, self.__collation)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/collection.py", line 1344, in _count
with self._socket_for_reads() as (sock_info, slave_ok):
File "/usr/lib/python3.6/contextlib.py", line 81, in enter
return next(self.gen)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/mongo_client.py", line 904, in _socket_for_reads
with self._get_socket(read_preference) as sock_info:
File "/usr/lib/python3.6/contextlib.py", line 81, in enter
return next(self.gen)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/mongo_client.py", line 868, in _get_socket
server = self._get_topology().select_server(selector)
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/topology.py", line 214, in select_server
address))
File "/home/hunter/.local/lib/python3.6/site-packages/pymongo/topology.py", line 189, in select_servers
self._error_message(selector))
pymongo.errors.ServerSelectionTimeoutError: No replica set members available for replica set name "caldera"

Does someone know how to fix that?
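Both tracebacks above end in pymongo's ServerSelectionTimeoutError, which is raised before any query runs: the client could not find a member of the replica set named "caldera" at the configured addresses. The following is an added example, not Caldera's own code, that does the check a practitioner would do first: parse the members and replica set name out of a mongodb:// URI and confirm each member's port accepts a TCP connection. The URI in the `__main__` block is a placeholder; substitute the one from your settings. A reachable port only proves mongod is listening; it does not prove the replica set has been initiated under that name, which is the other common cause of this error.

```python
import socket
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs


def parse_members(uri: str) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs named in a mongodb:// URI.

    Handles the comma-separated member list and an optional user:password@
    prefix; credentials are not needed for a plain reachability check.
    """
    if not uri.startswith("mongodb://"):
        raise ValueError("expected a mongodb:// URI")
    rest = uri[len("mongodb://"):]
    host_part = rest.split("/", 1)[0]
    host_part = host_part.rsplit("@", 1)[-1]
    members = []
    for item in host_part.split(","):
        host, _, port = item.partition(":")
        members.append((host, int(port) if port else 27017))  # 27017 is mongod's default port
    return members


def replica_set_name(uri: str) -> Optional[str]:
    """Return the replicaSet query parameter, or None if the URI has none."""
    query = uri.partition("?")[2]
    return parse_qs(query).get("replicaSet", [None])[0]


def reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers connection refused, timeouts and DNS failures alike.
        return False


def check_members(uri: str, timeout: float = 1.0) -> Dict[str, bool]:
    """Map each 'host:port' member of the URI to its reachability."""
    return {f"{host}:{port}": reachable(host, port, timeout)
            for host, port in parse_members(uri)}


if __name__ == "__main__":
    # Placeholder URI (assumption for this example); use the one from your settings.
    uri = "mongodb://127.0.0.1:27017/caldera?replicaSet=caldera"
    print("replica set name:", replica_set_name(uri))
    for member, ok in check_members(uri).items():
        print(f"{member}: {'reachable' if ok else 'NOT reachable'}")
```

If every member reports reachable and the error persists, the next thing to verify from a mongo shell is that `rs.status()` reports a set whose name matches the `replicaSet` value in the URI.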

docker error

system: ubuntu 14.04

gunal@ubuntu:~/caldera$ sudo docker-compose up
Building server
Step 1/10 : FROM python:3.6
3.6: Pulling from library/python
55cbf04beb70: Already exists
1607093a898c: Download complete
 10.74MB/10.74MBwnload complete
d4eee24d4dac: Downloading [==========>                                        ]  10.14MB/50.06MBiting
b023afffd10b: Waiting
4d4eb448d315: Waiting
c4eb58602129: Waiting
598629fb90fc: Waiting
Traceback (most recent call last):
  File "bin/docker-compose", line 6, in <module>
  File "compose/cli/main.py", line 71, in main
  File "compose/cli/main.py", line 124, in perform_command
  File "compose/cli/main.py", line 959, in up
  File "compose/project.py", line 452, in up
  File "compose/service.py", line 324, in ensure_image_exists
  File "compose/service.py", line 972, in build
  File "compose/progress_stream.py", line 18, in stream_output
  File "compose/utils.py", line 61, in split_buffer
  File "compose/utils.py", line 37, in stream_as_text
  File "site-packages/docker/api/client.py", line 304, in _stream_helper
  File "site-packages/urllib3/response.py", line 401, in read
  File "contextlib.py", line 35, in __exit__
  File "site-packages/urllib3/response.py", line 320, in _error_catcher
urllib3.exceptions.ProtocolError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
Failed to execute script docker-compose

Unable to cleanly cancel operation

Some operations are not starting. They show no activity - no steps, no jobs, etc.

They show a status of pending.

After clicking and confirming the cancel button they remain with a status of 'start'.

I have tried to click on the x to delete the operation, but after clicking ok, the stuck operation remains.

I have rebooted the target system and restarted the caldera service, but they remain.

When this happens I am unable to start a campaign using that Starting host.

install requirements is not working

Hi,
I'm following the installation for Windows Server, and have trouble
when running "pip install -r requirements.txt"

error received:

creating build\temp.win-amd64-3.7\Release\build\temp.win-amd64-3.7\Release
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\bin\HostX86\x64\cl.exe /c /nologo /Ox /W3 /GL /DNDEBUG /MD "-Ic:\program files\python37\include" "-Ic:\program files\python37\include" "-IC:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\ATLMFC\include" "-IC:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\include" "-IC:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\include\um" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\ucrt" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\shared" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\um" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\winrt" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\cppwinrt" "-IC:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\ATLMFC\include" "-IC:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\include" "-IC:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\include\um" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\ucrt" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\shared" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\um" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\winrt" "-IC:\Program Files (x86)\Windows Kits\10\include\10.0.17134.0\cppwinrt" /Tcbuild\temp.win-amd64-3.7\Release_openssl.c /Fobuild\temp.win-amd64-3.7\Release\build\temp.win-amd64-3.7\Release_openssl.obj
_openssl.c
build\temp.win-amd64-3.7\Release_openssl.c(493): fatal error C1083: Cannot open include file: 'openssl/opensslv.h': No such file or directory
error: command 'C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.14.26428\bin\HostX86\x64\cl.exe' failed with exit status 2

----------------------------------------

Rolling back uninstall of cryptography
Command ""c:\program files\python37\python.exe" -u -c "import setuptools, tokenize;__file__='C:\Users\ADMINI~1\AppData\Local\Temp\pip-install-8bgzz5oc\cryptography\setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record C:\Users\ADMINI~1\AppData\Local\Temp\pip-record-5tqvv8hp\install-record.txt --single-version-externally-managed --compile" failed with error code 1 in C:\Users\ADMINI~1\AppData\Local\Temp\pip-install-8bgzz5oc\cryptography\

Impact of running Caldera on a Win Server 2012 R2

Hi to everyone,

I've installed Caldera Agent in two Windows Server 2012 R2 and at first glance, seems to work the same way as using Windows 10 machines.

I'd like to know the risks, limitations or impact of running Caldera Agent on a server instead of a regular Win10 image. The documentation says that cagent.exe works on Win7, 8 and 10, but why not mention servers as well?

Enumerating the Administrators group of testwin7x64-2.test.com failed

Hostname: testwin64
Command Line: powershell -command -
StdIn: [[powerview]] Get-NetLocalGroupMember -ComputerName testwin7x64-2
StdOut:

Why did this happen? The job is below:
{
  "_id": "5ae9caed463377156c0d95e7",
  "agent": "5ae9839746337714403fda76",
  "action": {
    "rats": {
      "hostname": "testwin64",
      "name": 5536,
      "function": "execute",
      "parameters": {
        "command_line": "powershell -command -",
        "stdin": "[[powerview]] Get-NetLocalGroupMember -ComputerName testwin7x64-2"
      }
    },
    "result": {
      "pid": "2724",
      "stdout": ""
    }
  }
}

Does the difference in hostname matter?

py2exe to build cagent

Hi, thank you for sharing this great tool.

I tried to build cagent on my side, however I cannot find the modified version of py2exe.
I thought py2exe-0.9.2.2-py3.5.egg was in the CALDERA repository, but I have had no luck finding it.
Can you advise me where I can get it?

Service binary manipulation fails because PowerUp reports incorrect information

Hello everyone!

I'm trying to get the service_manipulation (sc binpath) step to work. I've started a vulnerable service on the target machine. I also run the privilege_escalation (service) step beforehand. This step runs the PowerUp script successfully (at least it looks like typical PowerUp output and it finds the vulnerable service); however it says CanRestart: False, which means the service manipulation step cannot be started, as a restartable service is a prerequisite. However this is incorrect info, because the user under which I'm manually launching the RAT can indeed restart services. In fact I manually launched the PowerUp script from that user and it correctly says CanRestart: True. I turned on logging and see that the powershell process launched by the Caldera RAT does indeed start under the correct user. What can be the cause of this issue?

Thanks in advance.

Adding new techniques

Is there any documentation available explaining how to add new tools and steps?
Looking at the code, it's fairly hard for me to fully understand the data model and configurations needed to add new stuff on my own.

Step schtasks - Task scheduled in the past

Hello, thank you for this great project!

When an implant is copied from one workstation to another using pass the hash, the schtasks step is then run to start this new Rat.

The problem is that the schtasks step schedules a task to start 1 day before the current date.
So for example, when net_time will rightly detect that the current time and date is 20 March 15:00 on every workstation, schtasks will schedule the Rat to start on 19 March 15:03 (approximately).

Configuration:

  • Environment with 1 DC (Windows Server 2016) and 2 Workstations (Windows 10), caldera installed on each of them

  • CALDERA is installed in Ubuntu 16.04 LTS

  • The starting victim is a workstation, and the Rat is started as a logon user.

I can't find Crater when I install the server

Install CraterMain.exe
The CraterMain.exe binary needs to be accessible to CALDERA. It should be placed in: caldera/dep/crater/crater/CraterMain.exe on the computer that the CALDERA server is installed on.

I saw this description in the installation guide. I installed the server on Ubuntu 14.04, but I can't find Crater. Could you help me?

Error when Running Mimikatz

Hostname: win8
Command Line: powershell -command -
StdIn: [[powerkatz]] Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonPasswords exit"
StdOut:
Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."
At line:886 char:6
+     $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddr ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : AmbiguousMatchException

server can't find cagent

Hello,
I set up a caldera server and agent following the installation steps, but I can't find the agent in the caldera web interface. I can see that the cagent service has started in Windows Task Manager. Can someone point me in the right direction?
Thanks!

Caldera requirements

The CALDERA requirements list includes a Domain Controller running Windows Server.
Does this machine need to be online during the CALDERA tool execution?
I want to use a production Windows Enterprise network environment. After the startup of the hosts and the login, is it possible to segregate the CALDERA server and agent hosts in a dedicated network by disconnecting them from the Domain Controller host?

Thank you for your support

Best regards

Roberta

Permission Denied on Start

Whenever I attempt to start the server using docker-compose up, I receive two issues in the Traceback:
1) FileNotFoundError [Errno 2] for /opt/caldera/caldera/app/../conf/settings.yaml. The file is settings.yaml.default by default.
2) PermissionError [Errno 13] for the same file.

I attempted to rename the file to settings.yaml; however, I still received the permission denied error when doing so. I am running on CentOS.

Any help is appreciated.

Thanks

Issue with psexec_move

First of all, thank you very much for this nice project.
I am opening an issue because the psexec_move operation was not working for me and I somehow figured out how to fix the issue.
I saw in the logs that the psexec module was looking for the RAT at ../dep/crater/crater/cratermain.exe and that file was missing.
The issue is that my caldera instance will not start unless it finds the RAT at ./dep/crater/crater/CraterMain.exe, so I cannot simply rename it to cratermain.exe.
What I did instead is to symlink CraterMain.exe to cratermain.exe, but I think a better solution would be to fix this name consistency directly in the code, maybe through a configuration variable.

Regards,

Bug with the operations tab?

I created a new operation, but I don't want to use it any more. I clicked delete in the view operations tab, but nothing happened. I don't know how to delete it; who can help me? The error is like below.
File "C:\Users\lpc\Desktop\caldera\caldera\app\engine\objects.py", line 153, in wait_till_completed
await waiter_task
File "C:\Users\lpc\AppData\Local\Programs\Python\Python35\lib\asyncio\futures.py", line 381, in __iter__
yield self # This tells Task to wait for completion.
File "C:\Users\lpc\AppData\Local\Programs\Python\Python35\lib\asyncio\tasks.py", line 310, in _wakeup
future.result()
File "C:\Users\lpc\AppData\Local\Programs\Python\Python35\lib\asyncio\futures.py", line 286, in result
raise CancelledError
concurrent.futures._base.CancelledError
Traceback (most recent call last):
File "C:\Users\lpc\Desktop\caldera\caldera\app\api.py", line 122, in entrypoint
resp = await decorated(req, token, req.match_info)
File "C:\Users\lpc\Desktop\caldera\caldera\app\api.py", line 84, in decorated
results = await f(req, **kwargs)
File "C:\Users\lpc\Desktop\caldera\caldera\app\api.py", line 732, in generat
_dispatcher
await job.wait_till_completed()
File "C:\Users\lpc\Desktop\caldera\caldera\app\engine\objects.py", line 153, in wait_till_completed
await waiter_task
File "C:\Users\lpc\AppData\Local\Programs\Python\Python35\lib\asyncio\futures.py", line 381, in __iter__
yield self # This tells Task to wait for completion.
File "C:\Users\lpc\AppData\Local\Programs\Python\Python35\lib\asyncio\tasks.py", line 310, in _wakeup
future.result()
File "C:\Users\lpc\AppData\Local\Programs\Python\Python35\lib\asyncio\futures.py", line 286, in result
raise CancelledError

Exception when launching operation

Repro steps:

  1. Enrolled 3 hosts with cagent and confirmed they show up in the debug console
  2. Created a network that includes all 3 hosts
  3. Created an operation that bootstraps a rat, is given hardcoded credentials, and begins the operation on a single host

The python exception I receive (multiple times) is as follows:

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/aiohttp/helpers.py", line 554, in __get__
    return inst._cache[self.name]
KeyError: 'remote'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/aiohttp/helpers.py", line 521, in log
    for key, value in fmt_info:
  File "/usr/local/lib/python3.5/dist-packages/aiohttp/helpers.py", line 513, in <genexpr>
    for key, method in self._methods)
  File "/usr/local/lib/python3.5/dist-packages/aiohttp/helpers.py", line 473, in _format_a
    ip = request.remote
  File "/usr/local/lib/python3.5/dist-packages/aiohttp/helpers.py", line 556, in __get__
    val = self.wrapped(inst)
  File "/usr/local/lib/python3.5/dist-packages/aiohttp/web_request.py", line 321, in remote
    peername = transport.get_extra_info('peername')
  File "/usr/lib/python3.5/asyncio/sslproto.py", line 306, in get_extra_info
    return self._ssl_protocol._get_extra_info(name, default)
  File "/usr/lib/python3.5/asyncio/sslproto.py", line 537, in _get_extra_info
    return self._transport.get_extra_info(name, default)
AttributeError: 'NoneType' object has no attribute 'get_extra_info'

This may be related to me using a different version of aiohttp detailed in this PR: #13

TimestampModified error when running timestomp

As below:

INFO:app.operation.operation:Running step timestomp
INFO:app.server:Planner closed
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "/home/user/caldera/caldera/app/server.py", line 165, in sigint_handler
target()
File "/home/user/caldera/caldera/app/server.py", line 306, in planner_process
loop.run_until_complete(start_operations(rebuild_mappings))
File "/usr/lib/python3.6/asyncio/base_events.py", line 467, in run_until_complete
return future.result()
File "/home/user/caldera/caldera/app/updates.py", line 127, in start_operations
await s.loop()
File "/home/user/caldera/caldera/app/operation/operation.py", line 299, in loop
await self._perform_next_step()
File "/home/user/caldera/caldera/app/operation/operation.py", line 612, in _perform_next_step
success = await next_step.action(*args)
File "/home/user/caldera/caldera/app/operation/operation_steps.py", line 453, in action
if results["TimestampModified"] == "True":
KeyError: 'TimestampModified'

JSON for the job:
{
  "_id": "5a2a786d1d41c807b5a8c248",
  "agent": "5a250ff31d41c80a1fa300b8",
  "action": {
    "rats": {
      "hostname": "win8calderavictim",
      "name": 3708,
      "function": "execute",
      "parameters": {
        "command_line": "powershell -command -",
        "stdin": "[[timestomper]] Perform-Timestomp -FileLocation \"C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Administrator.dat\" -Verbose None"
      }
    },
    "result": {
      "pid": "2104",
      "stdout": "Perform-Timestomp : A positional parameter cannot be found that accepts \r\nargument 'None'.\r\nAt line:1 char:2\r\n+ Perform-Timestomp -FileLocation \"C:\\Users\\All Users\\Microsoft\\User Account \r\nPict ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n~~~\r\n + CategoryInfo : InvalidArgument: (:) [Perform-Timestomp], Parame \r\n terBindingException\r\n + FullyQualifiedErrorId : PositionalParameterNotFound,Perform-Timestomp\r\n \r\n"
    }
  },
  "create_time": "2017-12-08T11:33:01.718Z",
  "status": "success"
}

Persistence and lateral movement techniques not working

First of all, thank you for this amazing project. I have a problem when I select an adversary with techniques such as persistence (like task or service) or lateral movement (WMI or PSExec). These techniques are not executed or shown during the operation in the "steps" tab. Any other technique like enum, systeminfo, etc. is shown in the "steps" tab and is executed (successfully or not) during the operation (I know that it is executed as I have Sysmon with Splunk on each host).

Configuration:

  • I have an environment with 2 Windows 7 and 2 Windows 2012 (one DC) hosts, with caldera installed on them.
  • Caldera is installed in Ubuntu LTS 16.04 with mongo 3.6 from the official mongo repository
  • The starting victim is always one Windows 7.
  • I have tried different types of credentials: local admin credentials, domain controller admin user, and domain user account not admin.

As an example, I created an adversary with only the technique "schtasks_persist". Then, I have created a new Operation using domain controller admin credentials in the windows 7. However, when I run the operation no STEP is observed in the "Operation Details" information.

Sysmon:

date | host | user | parent | process | command line argument:
2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Windows\System32\cmd.exe | takeown /F C:\commander.exe /A
2018-01-14 01:11:22.649 | John-PC.test.local | NT AUTHORITY\SYSTEM | C:\Program Files\cagent\cagent.exe | C:\Windows\system32\cmd.exe /c "takeown /F C:\commander.exe /A"

Thank you!

cant find agent

I created 3 machines: Ubuntu 14.04 (Caldera server), Windows 7 Pro (Caldera agent), and Windows 2012 Server.
First, I created Active Directory on the Windows 2012 server and joined the Ubuntu 14.04 and Win7 machines to the network. Then I built docker on Ubuntu 14.04 like this: docker-compose up, and followed the instructions for the agent. When I check the web interface I am still seeing Total connected: 0.

No connection is successful

CALDERA Agent: no connection is successful.
No message in the Debug > Connected Agents tab.
What is the possible cause?
Thanks

Caldera Server can't find visual c++

When I attempt to start caldera on a Windows 2012 R2 server, I get the error "Microsoft Visual C++ is required".

However, Visual C++ 14.0 Build Tools is installed.

Can anyone provide some ideas/guidance?

Thx

Calculation formula

round([%arena_length%+%arena_width%+%sand_to_fiber_rate04%+%divided_by_bale_weight%] /3 ,2) In PHP that formula works, but when I use it in static forms it shows me a rounded number without decimals? I am limited because without "round" it shows 15 decimals.
