In today's article we are going to discuss the Empire Framework by BC Security. Kali Linux and BC Security have formed a partnership, and Kali users got exclusive early access to "Empire 3" (powershell-empire) and "StarKiller". This is exactly what the Kali developers said:
BC Security is the team who is currently maintaining the most active fork of Empire. In August 2019, the original maintainers archived the project, but with Open-source projects (as long as they don’t break software licenses) other groups can take someone else’s code and improve upon it. This is exactly what BC Security did, forking the project, to keep the flame of PowerShell Empire alive.
In this detailed tutorial we are going to see how we can use Empire 3 on our Kali Linux system for exploitation.
Introduction
Empire is a post-exploitation framework whose agents support various operating systems (OS). The Windows agent is implemented purely in PowerShell (without powershell.exe!), and the Linux/macOS agent is written in Python 3. Feature rich, with many options to bypass various protections (and easy to modify for custom evasion), Empire is often a favourite for Command and Control (C2) activity.
Empire focuses on Python with cryptographically secure communications and a flexible architecture. It can execute PowerShell agents without requiring powershell.exe, and it can quickly deploy post-exploitation modules covering a wide range, from keyloggers to mimikatz. The Empire framework combines the PowerShell Empire and Python Empire projects, and BC Security has also made useful upgrades that make it more user-friendly and convenient. Now we are going to use Empire on our Kali Linux.

PowerShell offers plentiful offensive benefits: full access to .NET, AppLocker whitelisting, and direct access to Win32. It also builds malicious binaries in memory. It provides C2 functionality and lets you implant a second stage after the first one. It can also be used for lateral movement. It is handy because it develops quickly compared to other frameworks. Additionally, because it does not require powershell.exe, it lets us bypass antivirus products. This is why Empire is worth using.
Install Empire on Kali Linux
Installing Empire on Kali Linux is now very easy, as it comes in the official Kali repository. So we just need to type the following command in our terminal window:
The above command will prompt for the sudo password and then start downloading and installing Empire, as we can see in the following screenshot:
After the process is complete, we can use Empire.
Using Empire on Kali Linux
After installing Empire, we need to use the following command to start the framework.
Then the main screen of Empire appears, as in the following screenshot:
Here we can see that the Empire framework is running. Now we use the help command to see all the options of this framework.
It will show the help of this framework, as we can see in the following screenshot:
First of all we need to create a listener on our local machine. Type the following command:
After running the above command, it will say "[!] No listeners currently active".
Don't worry: we don't have any active listeners yet, but we are now in the listeners interface. In the listeners interface we type the following command:
In the above command we type uselistener, then a space, then press the TAB key twice (double TAB); it will list all the listeners that can be used, such as dbx, http, http_com, redirector, meterpreter, etc.
The most popular and commonly used listener is http, and we will use it in this guide. To use it we need to type the following command:
This command will start a listener on port 80. If port 80 is already in use, we need to stop the service using it (such as Apache), because this listener is an HTTP listener and it only works on port 80.
Now we use the info command, which shows the information about the particular listener we are about to start, as seen below.
Here we can see the information about our listener. As we can see in the above screenshot, there are a variety of settings we can use to modify or customize our listener. Let's try changing the name of our listener, as this helps to keep track of all the listeners when many are active. For this, we type the following command:
This command changes the 'Name' of the listener from http to test.
Listeners automatically pick up the local IP as the 'Host' value, but in case we need to change it we can do so with the following command:
If we wish, we can check all the information again with the info command. If everything is alright, we can start the listener with the following command:
In the following screenshot we can see that our listener has been started.
Then we go back from the listener interface, so that we can execute our modules, with the following command:
Now we can use stagers on Empire.
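As an added example, not code from this article or from Empire, here is a small defender-side script for the listener just described: an agent that polls an HTTP listener on port 80 at a fixed delay shows up in the web server's access log as one client requesting the same path at a near-constant interval. The log lines, client addresses and paths are constructed for the example; the threshold values are assumptions to tune per environment.

```python
"""Added example: flag periodic HTTP check-ins in web-server access logs.

A client that requests the same path over and over with almost identical
gaps between requests is behaving like a polling agent, not a person.
All log lines below are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format: 10.0.0.7 polls
# /index.php every 5 seconds, 10.0.0.9 browses at irregular times.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2020:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2020:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2020:12:00:10 +0000] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:12:00:14 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2020:12:00:15 +0000] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2020:12:00:20 +0000] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2020:12:00:25 +0000] "GET /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:12:00:41 +0000] "GET /contact.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:12:00:43 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_log(text):
    """Return a list of (client_ip, path, timestamp) from combined-format lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log records
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((m.group("ip"), m.group("path"), ts))
    return entries


def find_beacons(entries, min_hits=5, max_cv=0.2):
    """Return {(ip, path): mean_gap_seconds} for client/path pairs whose
    request gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to 0
    for a fixed-delay poller and much larger for human browsing. min_hits
    and max_cv are assumed starting points, not calibrated thresholds.
    """
    by_key = defaultdict(list)
    for ip, path, ts in entries:
        by_key[(ip, path)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[key] = round(mean, 1)
    return hits


if __name__ == "__main__":
    for (ip, path), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} requests {path} about every {gap}s")
```

On the constructed sample this reports only 10.0.0.7 polling /index.php every 5.0 seconds. A check-in cadence that varies will push the coefficient of variation above the threshold, so treat this as one signal to correlate with others (a fixed User-Agent across a whole host, or a path that no normal client requests) rather than a verdict on its own.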
Using Stagers on PowerShell Empire
Stagers in Empire set the stage for post-exploitation activity. They are very similar to payloads: they are used to create a connection back to an Empire listener. Stagers are accessed with the usestager command. We run the following command to see all the available stagers:
After pressing double TAB we can see all the stagers in the following screenshot:
In the above screenshot we can see that there are lots of stagers for Windows and OSX (macOS), and there are also some multi-purpose stagers; those multi stagers work on any platform.
As an example, we assume that the target is a Windows PC and we use launcher_bat against it. So we use the following command:
This command selects the launcher_bat stager for our target. We set our listener with the following command:
Now we just need to run the execute command.
The above commands generate our stager after setting the listener test, creating the /tmp/launcher.bat file. Now we need to deliver this bat file to the victim's Windows system somehow (we can use social engineering tricks). Here we are on our local network and send this file to our own Windows PC using Python's SimpleHTTP server.
After sending and running the bat file on our target Windows PC, we get a session on our listener, as we can see in the following screenshot:
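The launcher.bat produced above is a batch file that starts PowerShell with an encoded script, so a defender who finds such a file (or the command line of the process it spawned) first needs to recover what the encoded part says. The triage script below is an added example, not code from the article, from Empire or from the launcher_bat stager; the sample batch file is constructed, and its encoded payload is a harmless Write-Host so everything runs offline. The exact flags real launchers use are an assumption, not taken from this page.

```python
"""Added example: decode -EncodedCommand payloads found in a batch file.

PowerShell's -EncodedCommand argument is Base64 of the script text in
UTF-16LE, and the parameter name can be abbreviated (-e, -ec, -enc).
"""
import base64
import re

# Base64 blob following any accepted spelling of -EncodedCommand.
ENC_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Launch flags that are not malicious by themselves but, next to an
# encoded script, describe a process trying not to be noticed.
FLAG_PATTERNS = [
    (r"-nop(?:rofile)?\b", "NoProfile"),
    (r"-w(?:indowstyle)?\s+(?:1|hidden)\b", "hidden window"),
    (r"-sta\b", "single-threaded apartment"),
    (r"-noni(?:nteractive)?\b", "NonInteractive"),
]


def build_sample() -> str:
    """Constructed .bat resembling a PowerShell launcher (assumed layout)."""
    script = "Write-Host 'constructed sample payload'"
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "@echo off\r\n" f"start /b powershell -noP -sta -w 1 -enc {b64}\r\n"


def decode_encoded_command(b64: str) -> str:
    """Reverse the -EncodedCommand encoding: Base64, then UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def triage_bat(text: str) -> dict:
    """Return the decoded scripts and notable launch flags in a batch file."""
    findings = {"decoded": [], "flags": []}
    for m in ENC_RE.finditer(text):
        try:
            findings["decoded"].append(decode_encoded_command(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            # Keep a marker so a truncated or corrupted blob is still reported.
            findings["decoded"].append("<undecodable: " + m.group(1)[:20] + "...>")
    for pattern, meaning in FLAG_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings["flags"].append(meaning)
    return findings


if __name__ == "__main__":
    report = triage_bat(build_sample())
    print("flags:", ", ".join(report["flags"]))
    for script in report["decoded"]:
        print("decoded script:", script)
```

The same function works on a process command line taken from an EDR or Sysmon process-creation event, since the encoded argument is the same wherever it appears. Decoding is only the first step: the recovered text is often itself a downloader for a further stage, so the output is what gets handed to the analyst, not a verdict.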
Agents of Empire
When we send the stager to our target system and the machine executes it, we get a reverse connection back. This connection is known as an agent.
We can see our agents simply by using the agents command:
We can see our active agents in the following screenshot.
Now we are in the agents menu, and we can see the agents help with the help command.
If the name of the agent is not easy to remember, we can change it with the following command:
We have changed our agent's name, as shown in the following screenshot:
Now we can interact with our agent (we renamed it Agent1, for example) using the following command:
After running the command we can interact with our agent, as seen in the following screenshot:
Here we can also press double TAB (TAB TAB) to view all the options in the shell. We get many options which are very helpful for post-exploitation, such as info, job, list, etc., as shown in the following screenshot:
As an example, we run the info command to check the information about our target, as shown in the following screenshot:
At this point we have a session, but to get an admin session we need to run bypassuac <listenerName>:
The above command adds another agent, as we can see in the following screenshot:
We can hit Enter after sending the stage2 agent to get our console back. Now we can again see the list of all our agents with the agents command; we also renamed our new agent to 'Agent2', as shown in the following screenshot:
Our new agent (Agent2) has admin privileges, so now we can interact with it simply by using the interact <agentname> command:
For help we can also press <TAB><TAB> (double TAB) here to see all the options we can run. We can also run mimikatz here to get the password of the target user on the Windows system. We know that mimikatz will not run in a guest user shell; it requires an admin shell, so the fact that mimikatz runs here proves that we have admin access.
To run mimikatz we just use the following command:
Mimikatz will run if our agent has admin privileges, as we can see in the following screenshot:
In the above screenshot we can see that mimikatz is working fine and we got the NTLM hash. If we are lucky we may also get the plaintext Windows login password here; otherwise we can crack this NTLM hash using rainbow tables or online cracking tools.
Cracked the NTLM hash online using CrackStation
Modules on Empire
We can also run various modules in Empire. We access modules with the usemodule command. We need to type usemodule <Space> <tab> <tab>, i.e. press TAB twice after the space, to see all the modules.
We can use these modules to perform activities on the target system: we can create a persistent backdoor on the infected system, run keyloggers, and even prank the system user by showing some text or changing the wallpaper.
We will learn more about the different modules in a later tutorial. First, let's take a look at how to use modules in Empire, using "external/generate_agent" as an example. We need to type the following command:
The above command loads the module. Once the module is loaded, type the help command to see all the commands we can use with it.
Then we need to set our listener with the set Listener <listenerName> command:
Then we need to set the language for the module with the following command:
Then we just run the execute command. Simple.
This is how we can use the Empire framework on our Kali Linux system. As we learned in this article, Empire can do almost anything on the affected system; its agents and modules open many new avenues for an attacker. Previously this was known as PowerShell Empire (now archived); now it is maintained by BC Security and is called Empire, so we can say "Empire Strikes Back". This tool is still in development, so some errors may be encountered.
Disclaimer: All the information provided in this article is for educational purposes only. The site is in no way responsible for any misuse of the information. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done.