A Year in the Empire

Upload: will-schroeder

Posted on 16-Apr-2017


Page 1: A Year in the Empire


Page 2: A Year in the Empire

First Things First

✣ Empire would not be possible without the help and phenomenal work from:
  ○ PowerSploit by @mattifestation, @obscuresec and @JosephBialek
  ○ Posh-SecMod by @Carlos_Perez
  ○ UnmanagedPowerShell by @tifkin_
  ○ Mimikatz by @gentilkiwi and Vincent LE TOUX
✣ Everyone who contributed modules, bugs, fixes, and time! You all rock!

Page 3: A Year in the Empire

Co-founder of Empire/EmPyre | PowerTools | Veil-Framework

PowerSploit/BloodHound developer

Microsoft PowerShell MVP

@harmj0y

Page 4: A Year in the Empire

Red teamer and Empire developer

UAC bypasser extraordinaire

Offensive PowerShell advocate

@enigma0x3

Page 5: A Year in the Empire

tl;dr

✣ Empire overview
✣ Empire 2.0
  ○ Motivations
  ○ New features
  ○ EmPyre integration
  ○ ‘Modular’ listeners
✣ Demos

Page 6: A Year in the Empire

1. Empire Overview

Release and the Year Since

Page 7: A Year in the Empire

Teh Empire

✣ A full-featured PowerShell post-exploitation agent
  ○ Released at BSides LV ‘15
✣ Core agent built in PowerShell
  ○ Module structure implements various post-exploitation actions
✣ Controller built in Python
  ○ Backend sqlite database
  ○ UI focus

Page 8: A Year in the Empire

y u Build PowerShell Botnet :(

✣ Started as a thought exercise!
✣ Wanted to:
  ○ bring together all the existing offensive PowerShell tech
  ○ build a flexible platform that’s easily customizable in the field
  ○ train defenders on how to stop and respond to PowerShell “attacks”

Page 9: A Year in the Empire

y u Build PowerShell Botnet :(

Page 10: A Year in the Empire

(the guy who invented PowerShell)

Page 11: A Year in the Empire

A Year of Development

✣ Nearly 400 commits
✣ 25+ contributors
✣ 150+ GitHub issues (most closed :)
✣ 100+ PRs
✣ Tons of new modules!

Page 12: A Year in the Empire

#WatchDogs2

Page 13: A Year in the Empire

SkyWalker! @zeroSteiner

Page 14: A Year in the Empire

A Meterpreter Replacement?

Page 15: A Year in the Empire

Empire Staging/Crypto

Client <-> Controller exchange:

1. Client: GET /<stage0>
2. Controller: return key negotiation stager.ps1 w/ shared AES staging key
3. Client: gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
4. Controller: return ENCpub(nonce + AES session key)
5. Client: decrypt, post ENCsession(nonce+1 | sysinfo) to /<stage2>
6. Controller: return ENCsession(agent.ps1). Agent starts beaconing.

Page 16: A Year in the Empire

Empire Process Injection

[diagram: *.exe (target process), Invoke-PSInject, ReflectivePick, .NET Assembly, Download Cradle]

Page 17: A Year in the Empire

Still Just a Toy Language?

Page 18: A Year in the Empire

New Features Since Release

✣ From 90 modules to 180!
  ○ Inveigh/Tater!
  ○ regsvr32!
  ○ MS16-032!
  ○ More TrollSploit!
  ○ KeeThief!
  ○ Lots of UAC bypasses!
  ○ Tons more!
✣ A RESTful API interface
✣ Autoruns, lost limits, and more.

Page 19: A Year in the Empire

Python EmPyre

✣ A Python Empire variant built for a customer’s heavy OS X environment
  ○ Python 2.6/2.7 compatible agent
  ○ Works on Linux too!
✣ Controller/architecture HEAVILY adapted from Empire
✣ Released publicly at HackMiami
  ○ Presented at BSides LV ‘16

Page 20: A Year in the Empire

Empire Drawbacks

✣ We’ve never built a RAT before
  ○ Mistakes were made ¯\_(ツ)_/¯
✣ Only comms methods were HTTP[S]
  ○ Modules were expandable, transports weren’t
✣ Separate projects for Empire/EmPyre
  ○ Name/project confusion
  ○ Separate codebases ==

Page 21: A Year in the Empire

Empire 2.0

Page 22: A Year in the Empire

Motivations

Empire/EmPyre Integration: Wanted one single controller for our Python Linux/OS X agents and PowerShell agents.

Modularize C2: Expandable listeners that you can drag/drop into the framework for additional transports.

Code Rot: Fix our past mistakes and build a foundation for the future viability of the project.

Page 23: A Year in the Empire

Laying the Foundation

✣ For future transports, agents may need to be able to figure out where to route packets for other agents
✣ All Empire comms are now wrapped in ‘routing’ packets encrypted w/ the staging key
✣ All individual agent comms still use the negotiated agent key

Page 24: A Year in the Empire

New Routing/Metadata Packet:

+---------+-------------------+--------------------------+
| RC4 IV  | RC4s(RoutingData) | AESc(client packet data) |
+---------+-------------------+--------------------------+
|    4    |        16         |   Length (from RoutingData) |
+---------+-------------------+--------------------------+

RC4s(RoutingData):

+-----------+------+------+-------+--------+
| SessionID | Lang | Meta | Extra | Length |
+-----------+------+------+-------+--------+
|     8     |  1   |  1   |   2   |   4    |
+-----------+------+------+-------+--------+

RC4s  = RC4 w/ the shared staging key
HMACs = SHA1 HMAC w/ the shared staging key
AESc  = AES w/ the client's session key
HMACc = first 10 bytes of a SHA256 HMAC using the client's session key

Page 25: A Year in the Empire

AESc(client data):

+--------+-----------------+-------+
| AES IV | Enc Packet Data | HMACc |
+--------+-----------------+-------+
|   16   | multiple of 16  |  10   |
+--------+-----------------+-------+

Client data decrypted:

+------+--------+--------------------+----------+---------+-----------+
| Type | Length | total # of packets | packet # | task ID | task data |
+------+--------+--------------------+----------+---------+-----------+
|  2   |   4    |         2          |    2     |    2    | <Length>  |
+------+--------+--------------------+----------+---------+-----------+


Page 26: A Year in the Empire

Newz

✣ The HTTP listener has been redone with Flask
✣ Epoch-syncing removed
✣ PowerShell:
  ○ Staging now uses HMAC and nonces
  ○ RC4 implemented for first stage PowerShell obfuscation
  ○ @mattifestation’s AMSI bypass added to the PowerShell stager

Page 27: A Year in the Empire

Newz

✣ Orphaned agent renegotiation
  ○ If an agent shares the server's staging key but isn’t in the cache, it will restage
✣ external/* modules
  ○ For things that don’t rely on an agent
  ○ external/generate_agent will generate a “fully-staged” agent

Page 28: A Year in the Empire

New Modules: Improved Kerberoast

Page 29: A Year in the Empire

New Modules: BloodHound

Page 30: A Year in the Empire

New Modules: eventvwr UAC Bypass

Page 31: A Year in the Empire

3. EmPyre Integration

PowerShell + Python Living Together in Harm0ny ♫

Page 33: A Year in the Empire

EmPyre Integration

✣ EmPyre and Empire are now one code base!
  ○ https://github.com/AdaptiveThreat/Empire
  ○ The EmPyre repo will be deprecated
  ○ Python/PowerShell agents can communicate on the same listener/port!
✣ We also now have a 5 person “full-time” dev team:
  ○ @harmj0y, @enigma0x3, @424f424f, @xorrior, @tifkin_

Page 35: A Year in the Empire

Language-Aware Menus

Page 36: A Year in the Empire

Interface Integration

interact AGENT: Drops you into the language-appropriate agent menu with the same options you’re used to for either project.

stagers/*: Now broken out into OS-applicable folders (Windows/OS X/Linux).

usemodule [tab]: Executed from an agent, only tab-completes language-appropriate modules.

Page 37: A Year in the Empire

4. Modular C2

i lik turtles transports

Page 38: A Year in the Empire

Listener Modularization

✣ Previously, listeners were hard-integrated into the code base, so adding transports was extremely difficult
✣ Now listeners are encapsulated in self-contained modules
  ○ Allows you to drag/drop modules into the framework!

Page 39: A Year in the Empire

Listener Modules

✣ At least two functions are required for a listener module:
  ○ generate_comms() - generates the communication functions patched for the given listener
  ○ start() - starts the server component of the listener
✣ Agents are responsible for language support

Page 40: A Year in the Empire

Listener Modules

✣ If you want staging supported:
  ○ generate_launcher() - generates PowerShell/Python launcher code
  ○ generate_stager() - generates the key-negotiation code
  ○ generate_agent() - generates the complete patched agent code
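A pre-flight check for the listener module contract on slides 39/40, written as an added example for this transcript; it is not Empire's loader. It treats generate_comms() and start() as required and the staging trio generate_launcher()/generate_stager()/generate_agent() as all-or-nothing, then runs the check against a constructed comms-only listener. The host/port patching template, the cookie-free HTTPServer binding in start(), and the module name are assumptions made for the demo.

```python
# Added example, not Empire's code: validate a drop-in listener module against
# the slide 39/40 contract, and a constructed comms-only listener to test it.
from http.server import BaseHTTPRequestHandler, HTTPServer
import types

REQUIRED = ("generate_comms", "start")
STAGING = ("generate_launcher", "generate_stager", "generate_agent")


def check_listener(module):
    """Return (ok, supports_staging, problems) for a candidate listener module."""
    problems = [f"missing required function {n}()" for n in REQUIRED
                if not callable(getattr(module, n, None))]
    present = [n for n in STAGING if callable(getattr(module, n, None))]
    if 0 < len(present) < len(STAGING):
        # a listener that exposes only part of the staging trio cannot stage anything
        missing = ", ".join(n + "()" for n in STAGING if n not in present)
        problems.append(f"partial staging support, missing {missing}")
    return (not problems, len(present) == len(STAGING), problems)


def make_demo_listener(host, port):
    """Constructed comms-only listener: agents it serves must already be staged."""
    mod = types.ModuleType("listeners_demo")   # hypothetical module name

    def generate_comms(language="powershell"):
        # patch this listener's endpoint into the comms code the agent will run
        templates = {"powershell": "$Script:Server = 'http://{h}:{p}'",
                     "python": "server = 'http://{h}:{p}'"}
        return templates[language].format(h=host, p=port)

    def start():
        # the server component, bound right away; serve_forever() is left to the caller
        return HTTPServer((host, port), BaseHTTPRequestHandler)

    mod.generate_comms, mod.start = generate_comms, start
    return mod


if __name__ == "__main__":
    demo = make_demo_listener("127.0.0.1", 0)   # port 0: let the OS pick a free port
    print(check_listener(demo), demo.generate_comms("python"))
    demo.generate_launcher = lambda: "launcher only"
    print(check_listener(demo))                 # flags the partial staging trio
```

Run the check before dropping a third-party listener into the framework: a module that passes with supports_staging=False can carry traffic for already-staged agents (or be the target of management/switch_listener) but cannot produce launchers.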

Page 41: A Year in the Empire

listeners/http

✣ The original HTTP[S] listener
  ○ But now redone with Flask!
  ○ “Routing packet” is base64’ed and stuffed into a new cookie value
✣ Generates Python and PowerShell launchers, staging, and agent code
✣ You can easily modify the cookie used/transforms on the data itself to change up indicators!
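The routing packet from slides 24/25, carried base64'ed in a cookie the way this slide describes, plus the slide-27 rule that a packet parsing under the server's staging key but naming an unknown agent gets a restage, as one added example written for this transcript. It is not Empire's code. Details the slides do not state and that are assumed here: the per-packet RC4 key is the 4-byte IV followed by the staging key, header fields are little-endian, HMACc is computed over AES IV || ciphertext, and the cookie is named "session". The AES layer is left as opaque bytes; what the code shows is the framing, the length and tag checks a receiver must run, and the routing decision. Keys and sample data are constructed.

```python
# Added example, not Empire's code: build/parse the Empire 2.0 routing packet,
# verify the truncated HMAC on the AES envelope, frame client data, carry the
# packet in a cookie (listeners/http) and decide task vs. restage (slide 27).
import base64
import hashlib
import hmac
import os
import struct

STAGING_KEY = b"ConstructedStagingKey!"   # constructed; shared by every agent of this server
SESSION_KEY = os.urandom(32)               # constructed stand-in for the negotiated agent key


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); present only because the packet format uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_routing_packet(staging_key, session_id, lang, meta, enc_data, extra=0):
    """RC4 IV (4) | RC4s(SessionID 8 | Lang 1 | Meta 1 | Extra 2 | Length 4) | AESc(...)."""
    if len(session_id) != 8:
        raise ValueError("SessionID is 8 bytes")
    routing = session_id + struct.pack("<BBHI", lang, meta, extra, len(enc_data))
    iv = os.urandom(4)
    return iv + rc4(iv + staging_key, routing) + enc_data   # assumption: RC4 key = IV || staging key


def parse_routing_packet(staging_key, packet):
    """Peel the routing header. A wrong staging key decrypts to garbage, which
    shows up as a Length field that does not match the bytes that follow."""
    if len(packet) < 20:
        raise ValueError("packet shorter than IV + routing header")
    routing = rc4(packet[:4] + staging_key, packet[4:20])
    lang, meta, extra, length = struct.unpack("<BBHI", routing[8:16])
    if length != len(packet) - 20:
        raise ValueError("routing Length mismatch: wrong staging key or tampered packet")
    return {"session_id": routing[:8], "lang": lang, "meta": meta,
            "extra": extra, "data": packet[20:]}


def seal(session_key, aes_iv, ciphertext):
    """AESc envelope framing: AES IV (16) | Enc Packet Data (n*16) | HMACc (10)."""
    if len(aes_iv) != 16 or len(ciphertext) % 16:
        raise ValueError("AES IV is 16 bytes and ciphertext a multiple of 16")
    tag = hmac.new(session_key, aes_iv + ciphertext, hashlib.sha256).digest()[:10]
    return aes_iv + ciphertext + tag          # assumption: HMACc covers IV || ciphertext


def open_envelope(session_key, envelope):
    """Check the truncated SHA256 HMAC in constant time before decrypting anything."""
    aes_iv, body, tag = envelope[:16], envelope[16:-10], envelope[-10:]
    expected = hmac.new(session_key, aes_iv + body, hashlib.sha256).digest()[:10]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMACc check failed: drop the packet")
    return aes_iv, body       # body is still AES ciphertext; the agent key decrypts it next


def pack_client_data(pkt_type, total, num, task_id, task_data):
    """Decrypted client data: Type 2 | Length 4 | total # 2 | packet # 2 | task ID 2 | data."""
    return struct.pack("<HIHHH", pkt_type, len(task_data), total, num, task_id) + task_data


def unpack_client_data(buf):
    pkt_type, length, total, num, task_id = struct.unpack("<HIHHH", buf[:12])
    if len(buf) != 12 + length:
        raise ValueError("client data Length mismatch")
    return {"type": pkt_type, "total": total, "num": num,
            "task_id": task_id, "task_data": buf[12:]}


def to_cookie(packet, name="session"):
    """listeners/http transport: base64 the routing packet into a cookie value."""
    return f"{name}={base64.b64encode(packet).decode()}"


def from_cookie(header, name="session"):
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return base64.b64decode(v)
    raise ValueError("routing cookie not present")


def dispatch(staging_key, known_sessions, cookie_header):
    """Slide 27 rule: a packet that parses under our staging key but names a
    SessionID we do not know is an orphaned agent, so answer with a restage."""
    routing = parse_routing_packet(staging_key, from_cookie(cookie_header))
    return "task" if routing["session_id"] in known_sessions else "restage"


if __name__ == "__main__":
    sid = b"ABCDEFGH"
    env = seal(SESSION_KEY, os.urandom(16), os.urandom(48))   # opaque stand-in ciphertext
    cookie = to_cookie(build_routing_packet(STAGING_KEY, sid, 1, 1, env))
    print(cookie[:40] + "...", dispatch(STAGING_KEY, {sid}, cookie), dispatch(STAGING_KEY, set(), cookie))
```

Two points worth noticing when reading the code against the slides: the routing header is protected only by the staging key, which every agent of a server shares, so a captured staging key lets anyone read SessionIDs and trigger restaging, while task contents still require the per-agent session key; and the receiver checks the HMAC before any decryption, with a constant-time compare, which is the order that keeps a tampered packet from reaching the AES code path. Changing the cookie name or the base64 transform is what this slide means by "changing up indicators"; the packet structure underneath stays the same.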

Page 42: A Year in the Empire

listeners/http_com

✣ Utilizes Internet Explorer COM objects to communicate instead of Net.WebClient
  ○ Proxy-aware/etc.!
✣ Slightly different communication structure (data is base64’ed, etc.)
  ○ Example of modifying basic C2 indicators

Page 43: A Year in the Empire

listeners/http_foreign

✣ Simplified “foreign” Empire listeners

✣ Allows you to easily pass sessions between control servers, given the staging keys are the same

Page 44: A Year in the Empire

listeners/http_hop

✣ Completely redone “hop” listener
  ○ Simpler (with new packet structure) and should be more stable
✣ Uses a .php redirector to tunnel comms through a third site
✣ We’re looking for more language-based redirectors!
  ○ .ASP/.JSP/etc.

Page 45: A Year in the Empire

listeners/meterpreter

✣ The only thing present is the generate_launcher() method
  ○ This generates Invoke-Shellcode code applicable for the given Meterpreter listener specification
✣ Allows you to easily spawn Meterpreter/Cobalt Strike sessions from Empire!

Page 46: A Year in the Empire

Third Party Listeners

✣ The new structure allows you to communicate (and possibly stage) through well-known third party websites
✣ Let your imagination run with it…
  ○ * don’t break any terms of service, we’re not lawyers

Page 48: A Year in the Empire

Listener Hot-Swapping

✣ The management/switch_listener module allows you to generate the comms for a listener, and dynamically update a running agent with new comms!

✣ You can switch from HTTP -> Dropbox -> IE_COM -> Dropbox, even en masse!

Page 49: A Year in the Empire

Future Listeners

✣ In the next few months:
  ○ SMB - just need to work out some of the routing components
  ○ DNS - @enigma0x3 is working on it as we speak
✣ Ideas?

Page 50: A Year in the Empire

Demos!

Page 51: A Year in the Empire

Code Release!

Page 52: A Year in the Empire

Any questions?

https://github.com/AdaptiveThreat/Empire

http://theempire.io/

@harmj0y, @enigma0x3, @sixdub

@xorrior, @424f424f, @tifkin_