An underrated tool is Empire

Tr0jan_Horse

Moderator
Joined: Oct 23, 2024
Today we will analyze the PSE (PowerShell Empire) tool.
Notes: PS = PowerShell, PSE = PowerShell Empire.

But before going into details, I'll say right away: follow me, because next there will be a systematic and understandable analysis of everything related to pentesting
of the web, networks, tunnels, traffic interception, physical access, attacks on wireless networks and more, in short, the full range and delights of cyber operations.
Straight to the point, without too much filler.

Let's continue. Many people will ask: what is it?

PSE is a post-exploitation framework written in PowerShell and Python. It is designed to manage a compromised system conveniently without worrying too much. After initial access has been gained, it also establishes persistence in the system. It is convenient, beautiful and centralized.
Let's talk about some of the best skills of PSE:
  1. I think the most important thing for many in PSE is antivirus bypass using "pure" PS code.
  2. The second skill is no less important: spawning reverse shells to maintain a constant connection to your C2 (or panel, whatever you want to call it).
  3. The third is complete freedom of action over the infected machine: we can execute commands, download files, take screenshots, intercept logins, collect password dumps, and so on.
  4. Fourth, it works over many protocols: HTTPS, SMB, TCP.
Here you will find out how to:
  1. Install and prepare the framework for an attack.
  2. Use the basic PSE modules for reconnaissance, persistence and post-exploitation.

And also learn how to:
  1. Look for vulnerabilities in networks using various methods.
  2. Exploit Windows vulnerabilities.


PSE is particularly well suited for attacks on Windows systems, although some of it works on macOS and Linux.

The main feature is fileless attacks. Everything is loaded directly into RAM, nothing is saved to disk.
The result? It is less likely to be detected by antivirus or other protection systems.


The architecture is as follows:

The server and client for Linux/macOS are written in Python.
The Windows client is written in PowerShell.

But Empire is not only used for post-exploitation, it is also used for phishing, network reconnaissance, antivirus evasion, and AD attacks.*

* To work with Active Directory, DeathStar is included: a powerful Python script that works through the entire AD network via the Empire API. All you need is to get at least some access to AD, and then everything is automatic.


Important! Among its capabilities:
  1. Integration with Metasploit and other frameworks
  2. Collecting information over the network and downloading the necessary data
  3. Screenshots, keyloggers, microphone recording
  4. Pulling passwords and hashes from Windows
  5. Privilege escalation
  6. Persistence in the system
  7. Reverse shells, agent management.
The main installation method is cloning the git repository:

Bash:
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh

A more convenient installation method is available in Kali Linux via sudo apt install powershell-empire. After installation, you must first start the server with the command powershell-empire server,
and after that the client:
Bash:
./ps-empire client

The server is up on ports 1337 and 5000!

To gain a foothold in the system using PowerShell Empire, a listener is first created and launched; this is a process that waits for incoming connections from victims.
Then a stager is prepared, which is a script or file that runs an agent associated with that listener on the victim's side.
Next, this stager is delivered and launched on the remote machine, after which the agent automatically connects back to the listener, creating a reverse connection. Once the connection is established, you can load modules and perform further actions.

It all looks simple, but it requires care at every stage. To start working with listeners, use the uselistener command, which supports auto-completion. Among the popular options: dbx and onedrive are for clouds, they require API tokens, but they are harder to detect; http is the simplest and most frequently used, suitable for most tasks; meterpreter is used when interacting with Metasploit; redirector is used as an intermediary. Details for each listener can be found through the info command.

For example, http is usually chosen because it is clear, versatile, and easy to configure. To use it, set the address the listener binds to, the name of the listener, and run the execute command. All parameters, as in other Empire sections, are configured via set. If HTTPS is required, you must specify an SSL certificate. You can check the running listeners using the list command. The next step is to create a stager that will be used to launch the agent. To view the list of available stagers, use the usestager command. The stagers are divided by operating system and are selected in the OS/name format. For example, multi/bash is a bash script, windows/launcher_bat is a one-line batch file, osx/applescript is AppleScript, and so on. Some, like windows/dll, allow integration with other tools such as Metasploit.


!!!! Example of setting up a stager based on a batch file: !!!!
The desired option is selected via usestager, then the parameters are specified. Important parameters are Obfuscate (enables obfuscation, hiding the contents of the script) and Delete (automatic deletion after startup). Obfuscation is important for hiding traces in PowerShell logs. You can also set which listener to use via set Listener. After configuration, you can save the generated stager file with the execute command, specifying the path via OutFile.
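From the blue-team side, a stager launch of this kind still leaves a trace even when the script body is obfuscated: the PowerShell command line recorded in process-creation telemetry (Sysmon Event 1, Windows Event 4688) shows the switch combination (hidden window, no profile, base64-encoded command), and the encoded command can be decoded for review. The following Python is added here as an example and is not part of Empire or of the original post; the log lines it scans are constructed, and the only assumption it relies on is that -EncodedCommand payloads are UTF-16LE, which is how PowerShell defines them.

```python
import base64
import re

# Constructed sample command lines in the shape process-creation telemetry records them.
# These are made up for the example, not real captures.
_CONSTRUCTED_PAYLOAD = base64.b64encode(
    "IEX 'constructed test payload'".encode("utf-16-le")).decode()
SAMPLE_COMMAND_LINES = [
    f"powershell -noP -sta -w 1 -enc {_CONSTRUCTED_PAYLOAD}",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
]

# PowerShell accepts unambiguous switch prefixes, so -noP == -NoProfile and -enc == -EncodedCommand.
SUSPICIOUS_FLAGS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    "no_profile": re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "single_thread_apartment": re.compile(r"(?i)(?:^|\s)-sta\b"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})"),
}
# Keywords worth a second look once the payload is decoded.
PAYLOAD_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "frombase64string")


def decode_encoded_command(b64: str):
    """-EncodedCommand payloads are base64 over UTF-16LE; return None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(command_line: str) -> dict:
    """Return the matched switches, the decoded payload (if any) and a verdict."""
    hits = [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(command_line)]
    decoded = None
    m = SUSPICIOUS_FLAGS["encoded_command"].search(command_line)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded and any(k in decoded.lower() for k in PAYLOAD_KEYWORDS):
            hits.append("payload_keyword")
    # An encoded command combined with at least two of the other switches is the launcher
    # shape to escalate; a single switch on its own is everyday admin usage.
    suspicious = "encoded_command" in hits and len(hits) >= 3
    return {"hits": hits, "decoded": decoded, "suspicious": suspicious}


def suspicious_lines(lines):
    """Filter a batch of command lines down to the ones worth an analyst's attention."""
    return [line for line in lines if analyse(line)["suspicious"]]
```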


The finished stager must be delivered to the target machine. The delivery method can be anything: phishing, exploiting vulnerabilities, tunnels. Empire itself has a built-in server that can be started if interaction via the API or WebSocket is required. The command for this is sudo poetry run python empire.py server.


After the stager is launched, the agent establishes a connection with the listener. This means that the reverse shell is active and the target machine can be controlled. The list of active agents is displayed via the agents command. The interact command is used to manage a specific agent. All actions turn into tasks, the result of which can be viewed with the view command and the task number.


Frequently used commands include: whoami = information about the current user, display = system information, download and upload = file transfer, sleep = check-in interval setting, shell = command execution, ps = process list, keylog = keylogger activation, sherlock = vulnerability search, script_import = loading a PS script, bypass = UAC bypass, mimikatz = credential extraction, psinject = injection into another process, steal_token = stealing another process's token. Modules are loaded via the usemodule command; the list of modules can also be viewed with auto-completion.

Also, PSE includes a fairly extensive database of modules that can be used right out of the box. This database is regularly updated, and you can also expand it with third-party modules. Modules can be written in PS or Python, and each module has its own set of functions depending on the section it belongs to. To load a module in Empire, use the usemodule <name> command. After that, the module is activated and can be started using the execute command. However, it is worth remembering that some modules can generate signatures that can be detected by security systems, such as IDS. When you try to run such a module, Empire will warn you about the potential risks: Module is not opsec safe, run? [y, N]. This means that the module can be easily picked up by security systems, and you need to be careful when launching it. Modules in Empire are classified according to several criteria. Module names usually consist of several parts:
  1. The programming language in which the module is written (usually powershell or python; they don't have to be typed, as they are implied).
  2. The section where the module is located.
  3. The name of a specific tool or command.

Examples of full module names: powershell/management/mailraider/disable_security = a module for managing security settings in PS, powershell/situational_awareness/network/powerview/get_subnet = a module for obtaining information about subnets, python/collection/osx/clipboard = a module for working with the clipboard on macOS, python/collection/linux/sniffer = a module for sniffing network traffic on Linux. By the way, Empire supports not only Windows, but also macOS and Linux, although the number of available modules for these systems is much smaller and is often limited to information collection. The principle of working with modules for macOS and Linux is the same as for Windows, but Python is used instead of PS, and the scriptimport module is replaced by pythonscript. Thus, PSE offers a flexible and extensible post-exploitation platform that supports multiple operating systems and provides a variety of tools for various types of attacks and reconnaissance.



FINALLY:
The web interface returned in Empire 3.1+. The new web interface is called Starkiller and can be found on GitHub: https://github.com/BC-SECURITY/Starkiller .
To install Starkiller on Kali Linux: sudo apt install starkiller.
To launch: ./starkiller-<version>.AppImage --no-sandbox. The following credentials are used: login: empireadmin, password: password123.