/dev/null

Setting Up PowerShell Empire


This is a cross-post for original content written at Errant Security. To support the original creators, please visit here:

     Setting Up PowerShell Empire

One awesome penetration testing and post-exploitation tool is PowerShell Empire. It offers a handful of modules and attacks to use on Windows hosts, and it is super handy for a Red Teamer (someone working in “cyber threat emulation,” acting as an aggressor against a defense team).

It is not installed by default on Kali Linux, so I want to showcase how we can get it up and running and even get a simple listener set up.

https://i1.wp.com/errantsecurity.com/assets/img/blog/kali_linux.png?w=1200&ssl=1

With that said, I am going to assume you are running Kali Linux for commands.


Installing Empire

The best place to get a copy of Empire is, unsurprisingly, its GitHub repository.

If you don’t have Git installed, ask yourself why not, and then run this command:

apt install -y git

That should get the git command set up and ready for your use. Since you’re going to be grabbing the source for Empire and installing it all on your own, you should choose a good place in your filesystem to save it.

Personally, I like to use /opt, because it is out of the way from everything else, and I can logically place extra tools that I might need in there.

If you go that route, go ahead and clone the repository like so:

git clone "https://github.com/EmpireProject/Empire"

When that is finished, you can navigate into the new directory that it created, Empire.

https://i1.wp.com/errantsecurity.com/assets/img/blog/git_clone_empire.png?w=1200&ssl=1

Inside that directory, you will find the empire script and also a setup folder. From the setup folder, you can run ./install.sh and it will download all the dependencies necessary to run Empire.

cd setup
./install.sh

It will eventually ask you about a server password, but it will randomly generate one as the default setting if you leave the entry empty. For our purposes, I find that to be the best choice.

https://i1.wp.com/errantsecurity.com/assets/img/blog/server_negotiation_password.png?w=1200&ssl=1

Now you should be able to run Empire! Move up to the parent directory and hit it with that dot-slash. 😎

Setting up a Listener

Now that you have Empire installed, you can work with it and do some damage on a remote host!

Empire works with different “pages” of input, much like how Metasploit does. You select what thing you want to work with, modify the options for that thing, and then you do that thing. Your prompt changes with whatever you are interacting with.

https://i1.wp.com/errantsecurity.com/assets/img/blog/empire_prompt.png?w=1200&ssl=1

A “listener” is the specification for how a remote host will call back to you. You set it up, and it “listens” for callbacks. We will need to create that first.

Start by telling Empire you want to work with the listeners, with just the command:

listeners

Your prompt should change accordingly. It may tell you in bold red letters, “No listeners currently active,” but that’s alright: we don’t even have any listeners yet!

So, create a listener like this:

uselistener http

uselistener is the command to create a new listener, and it follows with the listener name, so I just called this one http, because it will work over HTTP by default.

You can view the specific settings and options by entering:

info

And if you wanted to change any of those options, like the specific port or host, you can use the set command. (And check out help to see how all of those work.)

Really, the default settings will work just fine for the simple case that we are trying to do — just get a listener up and running. When you are ready to deploy the listener, just enter execute.

https://i1.wp.com/errantsecurity.com/assets/img/blog/empire_listener.png?w=1200&ssl=1

Deploying the Agent

Finally, we can generate a payload that will call back to our listener as an “agent” like so:

launcher powershell

We are using launcher as the command to tell Empire we want to generate a launcher payload, and powershell as the language for it as a second argument. (If you entered back and are no longer focused on the specific listener you created, you will need to specify its name as a third argument.)

Empire will spit out a huge payload that you can place in any malicious script or file you want to use as an attack on a remote host.

https://i2.wp.com/errantsecurity.com/assets/img/blog/empire_launcher.png?w=1200&ssl=1

Or, in our case, we’ll take the easy route and just copy and paste it in a prepared virtual machine. I put this on a Windows 7 box so I didn’t have to deal with the Windows Defender protection on Windows 10 (it’s like, actually good).

https://errantsecurity.com/assets/img/blog/powershell_listenerpowershell_listener.png

Once the command is run, we can see the callback reach Empire.

https://i2.wp.com/errantsecurity.com/assets/img/blog/callback.png?w=1200&ssl=1
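
From the defender's side, a launcher like this shows up in process-creation logs as a single PowerShell command line. The sketch below is an added example, not code from the original post or from Empire; it assumes the launcher uses the common hidden-window, no-profile, Base64-encoded invocation style, and the log lines and function names are constructed for illustration.

```python
import base64

def is_flag(tok, full, min_len=1):
    """True if tok is '-' or '/' followed by a prefix of the full parameter name."""
    name = tok[1:].lower()
    return tok[0] in "-/" and len(name) >= min_len and full.startswith(name)

def decode_enc(b64):
    """-EncodedCommand carries Base64 of UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def analyze(cmdline):
    """Return None for non-PowerShell lines, else the findings for this line."""
    tokens = cmdline.split()
    first = next((i for i, t in enumerate(tokens) if t[0] == "-"), len(tokens))
    if "powershell" not in " ".join(tokens[:first]).lower():
        return None
    reasons, decoded = [], None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # PowerShell accepts abbreviated parameter names (-e, -enc, -ec, ...).
        if is_flag(tok, "encodedcommand") or tok.lower() in ("-ec", "/ec"):
            reasons.append("encoded-command")
            decoded = decode_enc(nxt)
        elif is_flag(tok, "windowstyle") and nxt.lower() in ("hidden", "1"):
            reasons.append("hidden-window")
        elif is_flag(tok, "noprofile", 3):
            reasons.append("no-profile")
        elif is_flag(tok, "noninteractive", 3):
            reasons.append("non-interactive")
    # An encoded command combined with any stealth switch is worth triage.
    suspicious = "encoded-command" in reasons and len(reasons) >= 2
    return {"suspicious": suspicious, "reasons": reasons, "decoded": decoded}

# Constructed sample data: a harmless command encoded the way -Enc expects it.
SAMPLE_B64 = base64.b64encode("Write-Output 'benign test'".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden -Enc " + SAMPLE_B64,
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"C:\Windows\System32\notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyze(line))
```

Decoding the Base64 argument gives an analyst the script text to review without executing anything.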

Now we can view the agents. Note the “Name” column on the far left: that is the unique identifier we will need to use to specify that individual agent.

https://i1.wp.com/errantsecurity.com/assets/img/blog/agents.png?w=1200&ssl=1

Enter the command:

interact <AGENT_NAME>

… to work with the agent and send commands to the remote system.

You can now interact with it through the Empire shell. Check out the help command to see what you can do; there is a lot of really cool stuff! You can upload and download files, psinject into different processes, steal_tokens to impersonate user accounts, bypassuac, load_mimikatz to pull creds and even injectshellcode. Definitely one awesome utility.

https://i2.wp.com/errantsecurity.com/assets/img/blog/whoami.png?w=1200&ssl=1

Thanks for reading! We will do some more cool things with PowerShell Empire very soon!


