Empire Workshop
![Page 1: Empire Work shop](https://reader031.vdocument.in/reader031/viewer/2022021814/58edf2c41a28ab91198b46b1/html5/thumbnails/1.jpg)
@haydnjohnson
“Building an Empire” PowerShell Goodness
http://www.slideshare.net/harmj0y/building-an-empire-with-powershell1

Post Exploitation
● Have gained access
  a. Via phishing
  b. Via exploit
  c. Via ??
● Want to know where we are in the network
● Want to know WHO we are
● What PERMISSIONS do we have
● Getting a shell is just the beginning :)

So you have gained access - Now what?
● What box are you on?
  ○ IP address
  ○ What platform?
  ○ Service pack?
● Normal user or privileged user?
  ○ What permissions?
  ○ What can you execute?
● What else is out in the abyss?
  ○ Network shares
  ○ Other boxes
  ○ Where are the domain admins??
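The questions on this slide ("what box am I on, who am I, what can I reach") answered with native cmdlets only, as an added example that is not part of the workshop or of Empire. It returns the same facts an agent's sysinfo reports, which are also the first things a responder records when triaging a suspect host. Assumes Windows 8 / Server 2012 or later (CIM and NetTCPIP cmdlets present) and needs no elevation; the function name is mine.

```powershell
# Added example (not from the slides): host triage with built-in cmdlets.
# Assumes Windows 8 / Server 2012+ for Get-CimInstance and Get-NetIPAddress.

function Get-HostTriage {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Group SIDs resolved to names; ones that cannot be resolved (e.g. the logon SID) stay as SIDs
    $groups = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }

    [PSCustomObject]@{
        Hostname     = $cs.Name
        Domain       = $cs.Domain
        PartOfDomain = $cs.PartOfDomain
        OS           = $os.Caption
        Version      = $os.Version
        ServicePack  = $os.ServicePackMajorVersion
        Architecture = $os.OSArchitecture
        IPv4         = (Get-NetIPAddress -AddressFamily IPv4 |
                        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
                        Select-Object -ExpandProperty IPAddress) -join ', '
        User         = $identity.Name
        # False in a non-elevated shell even for a member of Administrators (UAC split token);
        # that gap is what the later bypassuac step in the plan is about
        IsElevated   = $principal.IsInRole($adminRole)
        Groups       = $groups -join '; '
        # Win32_Share lists local shares without elevation, unlike Get-SmbShare on some builds
        LocalShares  = (Get-CimInstance -ClassName Win32_Share | Select-Object -ExpandProperty Name) -join ', '
        PSVersion    = $PSVersionTable.PSVersion.ToString()
        # ConstrainedLanguage here means .NET and Win32 API access from scripts is restricted
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
    }
}

Get-HostTriage | Format-List
```

The IsElevated and LanguageMode fields are the two worth reading first: the first tells you whether the "privileged user" question on the slide is really answered yes, and the second tells you whether the host has Constrained Language Mode in place, which removes most of what the next slide praises PowerShell for.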

Any other things we might want to know?
???

We want to pilfer - as quietly as possible
● As small a footprint as possible
● Use native tools
● A scripting language like bash, for Windows?
● Is BATCH any good?

PowerShell - our best friend
● It is native - pretty much guaranteed to be available
● Full .NET access
● Most likely to be whitelisted
● Access to the Win32 API
  ○ Access to the kernel
● Run things in memory!
  ○ Even assemble binaries
For an amazing explanation read: http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
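The defender's counter to "native, whitelisted, runs in memory", as an added example that is not from the slides or from Empire: with script block logging on, the engine writes the de-obfuscated code it actually executes to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104, whether it arrived as -EncodedCommand, was downloaded into memory, or never touched disk. The registry paths are the real policy keys that Group Policy writes (a domain GPO overrides local values); the two function names, the indicator list and the C:\PSTranscripts directory are my choices. Assumes PowerShell 5.0 or later and an elevated prompt for the enabling step.

```powershell
# Added example (not from the slides): turn on PowerShell logging, then sweep
# the 4104 script-block events for cradle/loader fragments. Run elevated.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # arbitrary choice; any directory SYSTEM can write

    $policies = @{
        'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
        'ModuleLogging'      = @{ EnableModuleLogging = 1 }
        'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptDir }
    }
    foreach ($sub in $policies.Keys) {
        $key = Join-Path $policyRoot $sub
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $policies[$sub].Keys) {
            $value = $policies[$sub][$name]
            $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
            New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
    # Module logging only records modules listed under ModuleNames; '*' means all of them
    $moduleNames = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
    if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
    New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 1000)
    # Fragments typical of download cradles and in-memory loaders (my list, extend as needed)
    $indicators = 'DownloadString', 'IEX', 'Invoke-Expression', 'FromBase64String',
                  'Reflection.Assembly', 'VirtualAlloc', 'Net.WebClient'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            $hits = @($indicators | Where-Object { $text -match [regex]::Escape($_) })
            if ($hits.Count -gt 0) {
                [PSCustomObject]@{
                    Time       = $_.TimeCreated
                    UserSid    = $_.UserId
                    Indicators = $hits -join ','
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Logging is the check that makes "most likely to be whitelisted" cut both ways: the interpreter is allowed to run, but everything it runs is on record. Transcripts land in the directory given to -TranscriptDir; forward both the event log and that directory to a collector the host cannot clear.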

Empire comes to the rescue
Free, open source
Power-packed!

Incorporates:
● PowerSploit
● Posh-SecMod
● PowerShell-AD-Recon
● Mimikatz
Developers:
● @harmj0y
● @enigma0x3
● Many others!

References
http://www.powershellempire.com/
Peeps to follow:
● https://twitter.com/enigma0x3
● https://twitter.com/harmj0y
● https://twitter.com/mattifestation
● https://twitter.com/obscuresec
● https://twitter.com/JosephBialek
● https://twitter.com/pyrotek3
● https://twitter.com/tifkin_
● https://twitter.com/ben0xa
● https://twitter.com/mwjcomputing
● https://github.com/leechristensen/UnmanagedPowerShell
● https://github.com/PyroTek3/PowerShell-AD-Recon
● https://github.com/darkoperator/Posh-SecMod
Many more +

Pocketful of goodies!
● Create listeners easily
  ○ PowerShell command straight into CMD
  ○ VBA for Excel macros
  ○ Ducky scripts
● Agents (C2 comms) are easy to use
● Modules and more modules!

Listeners
Communicate with your agent (the thing that sits on your victim's machine)

Agents
● Are what you tell to do things on your victim's machine!
● Similar to a Meterpreter session? More powerful, maybe?

Modules
● Numerous scripts with awesomeness
● Run situational awareness scripts
● Run privilege escalation scripts

No more theory. Let's give this a try.

The plan
1. Install PowerShell Empire
2. Create a listener
3. Execute an agent on the victim
4. Run modules
5. Escalate to a high-privileged process as admin (bypassuac)
6. Look for other shares/boxes to get Domain Admin
  a. If the class infrastructure has AD

Tutorial to follow, Part 1 - Getting access
https://www.cybrary.it/0p3n/powershell-empire-stagers-1-phishing-office-macro-evading-avs/
● Covers installation
● Receiving a connection via a VBA macro

Install Empire
Git clone onto your Linux machine
Got Kali?

Create a listener
“listeners” - switch to listeners mode
“options” | “info” - view the options to configure
“set Name Test1” - set a name for the listener
“execute” - activates the listener

Create a macro
“usestager macro Test” - create a macro for the listener named Test
“options” - ensure the listener is connected
“execute” - will create a file with VBA code
Add the code from the macro into the victim's Excel/Word document.
Execute the file and receive an agent.
If there is no Excel/Word, use “usestager launcher” and copy and paste the output into CMD.
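What the macro stager, and the "paste the launcher into CMD" fallback, look like from the defensive side, as an added example that is not from the slides or from Empire. The rule flags powershell.exe whose parent is an Office binary, and any powershell.exe started with the hidden-window, encoded-command, no-profile or policy-bypass flags a stager needs to run unattended. The records are constructed here to mirror the fields of Sysmon Event ID 1 (ParentImage, Image, CommandLine); the function names, the sample command lines and the base64 placeholder are mine. It runs anywhere PowerShell runs and needs no Windows event log.

```powershell
# Added example (not from the slides): parent/child and command-line rule for
# Office-launched PowerShell, run over constructed Sysmon-style records.

$officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$shellImages   = 'powershell.exe', 'pwsh.exe'
# -match is case-insensitive in PowerShell; -w accepts 1 as a synonym for Hidden
$flagPatterns  = @{
    encoded   = '\s-e(?:c|nc|ncodedcommand)?\s'
    hidden    = '\s-w(?:indowstyle)?\s+(?:hidden|1)\b'
    noprofile = '\s-nop(?:rofile)?\b'
    bypass    = '\s-e(?:p|xecutionpolicy)\s+bypass\b'
}

# Last path component, tolerant of both separators so it works on Linux pwsh too
function Get-ImageName([string]$Path) { ($Path -split '[\\/]')[-1] }

function Test-PowerShellLaunch {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $parent  = Get-ImageName $Event.ParentImage
    $child   = Get-ImageName $Event.Image
    $reasons = @()
    if ($child -in $shellImages) {
        if ($parent -in $officeParents) { $reasons += "parent=$parent" }
        foreach ($name in $flagPatterns.Keys | Sort-Object) {
            if ($Event.CommandLine -match $flagPatterns[$name]) { $reasons += "flag=$name" }
        }
    }
    [PSCustomObject]@{
        ProcessId   = $Event.ProcessId
        Suspicious  = $reasons.Count -gt 0
        Reasons     = $reasons -join ' '
        CommandLine = $Event.CommandLine
    }
}

function Find-SuspiciousLaunches {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | ForEach-Object { Test-PowerShellLaunch -Event $_ } | Where-Object Suspicious
}

# Constructed sample records: two stager-like launches and two benign ones
$sampleEvents = @(
    [PSCustomObject]@{ ProcessId = 4120
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64 placeholder>' }
    [PSCustomObject]@{ ProcessId = 5216
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -nop -w 1 -enc <base64 placeholder>' }
    [PSCustomObject]@{ ProcessId = 6004
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
    [PSCustomObject]@{ ProcessId = 6380
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image       = 'C:\Windows\splwow64.exe'
                       CommandLine = 'C:\Windows\splwow64.exe 12288' }
)

# Expected: 4120 (parent=WINWORD.EXE plus three flags) and 5216 (three flags) are reported;
# 6004 has no stager flags and 6380 is Office spawning a print helper, not PowerShell
Find-SuspiciousLaunches -Events $sampleEvents | Format-Table ProcessId, Reasons, CommandLine -AutoSize
```

The parent check is the high-confidence signal: Word and Excel have almost no legitimate reason to start PowerShell. The flag check catches the CMD fallback, where the parent is cmd.exe or explorer.exe and only the command line gives it away; pair it with 4104 script block logging to see what the encoded command actually ran.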

Have now gained access

Tutorial to follow, Part 2 - Controlling your agent
https://www.cybrary.it/0p3n/powershell-empire-stagers-2-controlling-victims-machine/
Opened file - should have an agent
“agents” - will take you to the listing of agents
“interact ABCDEDINDF” - select the agent to interact with
“sysinfo” - gain information about your victim
“usemodule” <tab> - gain a list of all the awesomeness

Useful commands
● > git clone https://github.com/PowerShellEmpire/Empire.git
● > listeners
  ○ List & create listeners
● > usestager launcher
  ○ usestager <tab> to see other launchers :)
● > agents
  ○ > sysinfo - list system info of the box the agent is on
● > usemodule <tab>
● > bypassuac <2nd listener>

Goals
Find a flag - you have local admin access; there is a flag on an open share. Find it.
Get Domain Admin credentials - you may need to ‘hunt’ for a domain admin.

Any other fun stuff we can do?
Detailed case study: https://enigma0x3.net/2016/01/28/an-empire-case-study/