Powershell Empire is powershell based post-exploitation agent and has an ability to execute powershell agent without needing powershell.exe and consisting variety of modules that can be deployed on exploitable windows machine.
As of this post, I will share about Empire 3 based on Empire (refer here) which has been migrated to Python 3.x which has been actively maintain by BC-Security.
General Installation Process for Powershell-Empire
Setting up Empire is pretty straight forward and based on your liking and platform.
In Kali or Debian based OS, you can install the latest version by executing the following command:
sudo apt install powershell-empire
If you intended to clone the repository using Git, execute the following command:
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
I never try using docker to deploy Empire. But, if you prefer using a pre-built docker container, follow the following procedure:
docker pull bcsecurity/empire:{version}
docker run -it bcsecurity/empire:{version}
# with persistent storage
docker pull bcsecurity/empire:{version}
docker create -v /empire --name data bcsecurity/empire:{version}
docker run -it --volumes-from data bcsecurity/empire:{version}
# if you prefer to be dropped into bash instead of directly into empire
docker run -it --volumes-from data bcsecurity/empire:{version} /bin/bash
So, after everything has been installed, using apt will automatically make it available in your environment path so you can directly start it using the following command:
powershell-empire
Other way around is to go Empire folder and run the Empire binary
./empire
Powershell-Empire Components
In Powershell Empire, there is fundamental component you need to know such as:
- Listeners.
- Listeners is a service on Empire server that receives and handles connections from executed stagers.
- Stager.
- Payload that is executed on exploited machine to establishes connection to Empire server.
- Agents.
- Modules.
- Modules consist of scripts that automate and perform specific tasks on an infected host.
How to use Empire?
In Short story:
Start Empire -> Go to Listeners -> Select type of Listeners -> Create Listeners > Listeners created.
Go to Stager -> Select Stager -> Create Stager -> Stager created.
If (Execute Stager on exploited machine)
Go to Agents > Check if Agents connected.
if (Agents connected)
Execute modules.
else
Might be some errors or blocking.
Check for firewall on target machine.
Port conflict with other service.
Bypass AV detection.
Hands-on Guide
Environment in this guide
In this tutorial, I'm using Ubuntu 20.04.1 LTS on Windows 10 WSL. There is no much different in installation process for WSL such as mine or other platform. Usually, I'm using Kali linux in my live engagement which make installation more efficient and simple.
Just make sure you have update and upgrade your environment by using:
sudo apt update -y
sudo apt upgrade -y
Installation Process
Installing from Kali Repository : sudo apt install powershell-empire -y
Cloning from GitHub repository:
Figure 1
After cloning completed, execute following command:
cd Empire
sudo ./setup/install.sh
The installation process does take some time. You can leave it and grab some snack while the process to be completed.
Note: This step is for clone from GitHub repository. So after installation, to start it, I use sudo ./empire. If you install from apt repository (in Kali), powershell-empire command will execute Empire.
Figure 2
The first thing you will see a splash screen with the storm trooper image. Then, you will be on main as shown in figure 2. If you press Tab twice, the following command will be shown. In this tutorial, I will be covering the basics in using Empire.
Tip: Where ever you are in Empire console, you can go back to this homepage by using main command.
Configuring and Initializing Listener
As you can see in figure 2, there is no listeners is configured and agents currently active. Next, we will initialize a listener.
figure 3
To initialize a listener, type uselistener and double Tab. This will list all types of listener you can use. For the simplicity of this guide, we will use http listener.
To use listener of your choice, type uselistener <name-of-listener>. In this case, uselistener http.
info command will show all the option available for you to configure. Figure 4 is the result of the command.
Figure 4
As you can observe in figure 4, there is options available to be configure for this listeners. in 'Required' column, there is 2 value; 'True' means you can configure if you need and must have value and 'False' means you can ignore and doesn't need to be configure.
The option in the listeners that we will configure is the 'Name' and 'Port' value. To add or change the value use set command. set <Name of the option> <Value>.
(Empire: listeners/http) > set Name C2
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > info
Figure 5
Figure 5 is result from change that has been made before. As you can see, Name has been change to 'C2' and port has been configure to be on '8080'. We are not configuring 'Host' option but it already automatically configured for us.
Next we will activate this listener by using execute command as in figure 6.
Figure 6
That's how to configure and create a listener.
Creating and Configuring Stager
For this example, we will create stager (payload) using a 'multi/launcher', which is universal. With this stager, you can paste it and execute it in command prompt, shell or make a script that execute this payload.
From any console location in Empire, type usestager and double Tab. This will list all available type of stager.
Figure 7
To use specific stager, type usestager <platform/stager> such as usestager multi/launcher.
info command will show all the option available for you to configure.
Figure 8
For this settings, we will set Listener to one that is previously created which is 'C2'.
The command to set it is as follow set Listener C2.
If you want to directly outputted the stager to a file, you can set the destination path and file name into 'OutFile' value like this :
set OutFile /home/kali/Desktop/payload.bat
It doesn't need to be .bat, it can be .txt, .ps1 or anything that fits your liking. DON'T FORGET THE FILE NAME AND EXTENSION! In this example, I'm not configuring this option.
Tips: you can auto complete the command if you double Tab after set is wrote.
Check once again by using info command. Result of changes as shown in Figure 9.
Figure 9
To generate the stager, use command generate. If not configured to be redirected to a file, the stager will be generate and display on console.
Figure 10
Next, copy and paste the stager to victim console and execute the command. The following is one of the method of payload delivery you can use.
Open a shell sessions or command prompt on your exploited machine. Paste and execute the payload. This payload will close the current sessions or command prompt window, so if your still need current session, you can use this command.
start cmd.exe /c "your-stager-payload"
This will pop up new command prompt, execute the command and close the window after command execution.
If your stager successfully executed, new agents will be registered on your Empire console as shown in figure 12.
Figure 12
Gracefully Exiting Powershell Empire
If you have to exit Empire, make sure to exiting the application gracefully so all your settings, listener and agents can be close properly.
To exit, use exit command and enter y for yes as shown in figure 13.
This is important to avoid corrupting your Empire database and other head and heart breaking issues you have to deal with when you start Empire again. Trust me.
Figure 13
Next, we will interact with our agents and explore some interesting functionality and features offered by Powershell-Empire.
That part require its own story and we will explore that quest in my next blog post. Thank you for stay tune until the end and see you again.
Till next time! Take care and stay safe everyone.
Comments
Post a Comment