Many people have heard of Empire, a post-exploitation framework for Windows, Linux and macOS. In this article I will cover all aspects of working with it and describe exactly which features of the framework we use most often in practice. Even if you are an experienced pentester or red teamer, I think you will find something new and useful here.
All information is provided for informational purposes only. Neither the editors nor the author are liable for any possible harm caused by the information in this article.
If you use Kali Linux, installing the framework takes a single command:
sudo apt install powershell-empire
On any other system, download the project files and run the installer manually:
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
That's all: the Empire framework is now installed on your system.
Getting a foothold
Before we look at the software itself, let's define the following concepts:
- Listener: a local process that waits for a back-connect from the remote (attacked) host;
- Stager: the loader for an Agent, i.e. the initial payload that is delivered to and run on the remote host;
- Agent: a process on the remote host that connects back to our Listener;
- Module: code executed by an Agent to achieve a particular goal.
Start Empire with the command
powershell-empire
You will see a window like this one.
The procedure for obtaining a foothold is: create a Listener -> create a Stager for that Listener -> run the payload on the remote host (which produces an Agent).
To create a Listener, first enter the listeners menu with the command
Right now there are no active listeners. One can be created with the command uselistener, but first let's see what listener types Empire offers.
Here is what each of them is:
- dbx – Dropbox listener (good for evading detection, but requires a Dropbox API token);
- http – a normal HTTP/HTTPS listener;
- http_com – HTTP/HTTPS listener that uses the Internet Explorer COM object;
- http_foreign – HTTP/HTTPS listener for payloads generated by another (foreign) Empire instance;
- http_hop – HTTP/HTTPS listener that forwards traffic to another listener, which helps hide the source IP (requires the RedirectListener parameter);
- http_mapi – HTTP/HTTPS listener for use with Liniaal, which provides control through an Exchange server;
- meterpreter – HTTP/HTTPS listener for a third-party Meterpreter payload;
- onedrive – OneDrive listener (requires registering an application at https://apps.dev.microsoft.com);
- redirector – a listener used to pivot from one agent to another.
Now that we have sorted out the listener types, let's see how to work with them. First, select a type (for example, the simplest one, HTTP).
You can get help on the selected listener using the command
A proxy setting will surprise no one, but we can also set a date after which the listener stops working (KillDate) and the hours during which it operates (WorkingHours), which is very convenient. When using HTTPS you must also specify the path to the certificate (CertPath). But now to the main point: set the listener's name, the host address for the back-connect, and the port.
set Name l1
set Host http://192.168.6.1
set Port 4321
Then start the listener with the command
The newly started listener now appears in the listeners interface.
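As an added example (it is not from the article or from the Empire project), the shell function below turns the listener steps above (enter the listeners menu, select the http listener, set Name, Host and Port, execute) into an Empire resource file that can be replayed at start-up. It assumes the Empire 3.x console commands listeners, uselistener http, set and execute, the -r/--resource start-up flag that replays such a file, and the http listener options CertPath, KillDate and WorkingHours; the addresses, paths and file names are made up. It refuses combinations that would fail in the console, such as an https Host without a certificate path or a port outside 1-65535, before writing anything.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from the Empire project.
# Assumptions: the Empire 3.x console commands "listeners", "uselistener http",
# "set <Option> <value>" and "execute", and the -r/--resource start-up flag that
# replays such commands from a file. CertPath, KillDate and WorkingHours are the
# http listener's own options; every address, path and file name here is made up.
set -u

# Emit an Empire resource file that creates and starts one http listener.
# Usage: empire_http_listener_rc NAME HOST PORT [Option=Value ...]
# Returns 1 and prints nothing on stdout when the input would not work in the
# console: a Host without http:// or https://, a non-numeric or out-of-range
# Port, an https Host without CertPath, or a malformed extra option.
empire_http_listener_rc() {
    if [ "$#" -lt 3 ]; then
        echo "usage: empire_http_listener_rc NAME HOST PORT [Option=Value ...]" >&2
        return 1
    fi
    local name=$1 host=$2 port=$3
    shift 3

    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "Name must be alphanumeric (plus _ and -)" >&2; return 1 ;;
    esac
    case "$host" in
        http://*|https://*) ;;
        *) echo "Host must start with http:// or https://" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "Port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "Port must be between 1 and 65535" >&2; return 1
    fi

    # Validate the extra options before printing anything, so a bad call
    # never leaves a half-written resource file behind.
    local certpath='' kv
    for kv in "$@"; do
        case "$kv" in
            CertPath=*) certpath=${kv#CertPath=} ;;
            [A-Za-z]*=?*) ;;
            *) echo "extra options must look like Option=Value, got '$kv'" >&2; return 1 ;;
        esac
    done
    case "$host" in
        https://*)
            if [ -z "$certpath" ]; then
                echo "an https listener needs CertPath=<path to certificate>" >&2
                return 1
            fi ;;
    esac

    printf 'listeners\n'
    printf 'uselistener http\n'
    printf 'set Name %s\n' "$name"
    printf 'set Host %s\n' "$host"
    printf 'set Port %s\n' "$port"
    for kv in "$@"; do
        printf 'set %s %s\n' "${kv%%=*}" "${kv#*=}"
    done
    printf 'execute\n'
}

# Write the resource file and print the command that replays it at start-up.
# The -r flag and the Kali wrapper name are assumptions; check powershell-empire -h.
empire_listener_launch_cmd() {
    local out=$1
    shift
    empire_http_listener_rc "$@" > "$out" || { rm -f "$out"; return 1; }
    printf 'sudo powershell-empire -r %s\n' "$out"
}

# Demo, run only on request: EMPIRE_RC_DEMO=1 bash this_script.sh
if [ "${EMPIRE_RC_DEMO:-0}" = 1 ]; then
    empire_listener_launch_cmd /tmp/l1.rc l1 http://192.168.6.1 4321 WorkingHours=09:00-17:00
    cat /tmp/l1.rc
fi
```

All checks run before the first line is printed, so redirecting the function's output to a file either yields a complete resource file or nothing at all; the caller only has to look at the exit status.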
We pass to the second stage.
Continuation is available only to participants
Materials from the latest issues become available separately only two months after publication. To continue reading, you must become a member of the Xakep.ru community.