A Year in the Empire

This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.

  1. A Year in the Empire
  2. First Things First
     ✣ Empire would not be possible without the help and phenomenal work from:
       PowerSploit by @mattifestation, @obscuresec and @JosephBialek
       Posh-SecMod by @Carlos_Perez
       UnmanagedPowerShell by @tifkin_
       Mimikatz by @gentilkiwi and Vincent LE TOUX
     ✣ Everyone who contributed modules, bugs, fixes, and time! You all rock!
  3. Co-founder of Empire/EmPyre | PowerTools | Veil-Framework
     PowerSploit/BloodHound developer
     Microsoft PowerShell MVP
     @harmj0y
  4. Red teamer and Empire developer
     UAC bypasser extraordinaire
     Offensive PowerShell advocate
     @enigma0x3
  5. tl;dr
     ✣ Empire overview
     ✣ Empire 2.0
       Motivations
       New features
       EmPyre integration
       ‘Modular’ listeners
     ✣ Demos
  6. Part 1. Empire Overview: Release and the Year Since
  7. Teh Empire
     ✣ A full-featured PowerShell post-exploitation agent
       Released at BSides LV ‘15
     ✣ Core agent built in PowerShell
       Module structure implements various post-exploitation actions
     ✣ Controller built in Python
       Backend sqlite database
       UI focus
  8. ✣ Started as a thought exercise!
     ✣ Wanted to:
       bring together all the existing offensive PowerShell tech
       build a flexible platform that’s easily customizable in the field
       train defenders on how to stop and respond to PowerShell “attacks”
     y u Build PowerShell Botnet :(
  9. y u Build PowerShell Botnet :(
  10. (the guy who invented PowerShell)
  11. A Year of Development
     ✣ Nearly 400 commits
     ✣ 25+ contributors
     ✣ 150+ GitHub issues (most closed : )
     ✣ 100+ PRs
     ✣ Tons of new modules!
  12. #WatchDogs2
  13. SkyWalker! @zeroSteiner
  14. A Meterpreter Replacement?
  15. Empire Staging/Crypto (Controller <-> Client)
     1. Client: GET /<stage0>
     2. Controller: return key negotiation stager.ps1 w/ shared AES staging key
     3. Client: gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
     4. Controller: return ENCpub(nonce + AES session key)
     5. Client: decrypt, post ENCsession(nonce+1 | sysinfo) to /<stage2>
     6. Controller: return ENCsession(agent.ps1). Agent starts beaconing.
  16. Empire Process Injection
     *.exe / Invoke-PSInjector / ReflectivePick .NET Assembly / Download Cradle
  17. Still Just a Toy Language?
  18. New Features Since Release
     ✣ From 90 modules to 180!
       Inveigh/Tater! regsrv32! MS16-032! More TrollSploit! KeeThief! Lots of UAC bypasses! Tons more!
     ✣ A RESTful API interface
     ✣ Autoruns, lost limits, and more.
  19. Python EmPyre
     ✣ A Python Empire variant built for a customer’s heavy OS X environment
       Python 2.6/2.7 compatible agent
       Works on Linux too!
     ✣ Controller/architecture HEAVILY adopted from Empire
     ✣ Released publicly at HackMiami
       Presented on at BSides LV ‘16
  20. Empire Drawbacks
     ✣ We’ve never built a RAT before
       Mistakes were made ¯\_(ツ)_/¯
     ✣ Only comms methods were HTTP[S]
       Modules were expandable, transports weren’t
     ✣ Separate projects for Empire/EmPyre
       Name/project confusion
       Separate codebases ==
  21. Empire 2.0
  22. Motivations
     Empire/EmPyre Integration: Wanted one single controller for our Python Linux/OS X agents and PowerShell agents.
     Modularize C2: Expandable listeners that you can drag/drop into the framework for additional transports.
     Code Rot: Fix our past mistakes and build a foundation for the future viability of the project.
  23. Laying the Foundation
     ✣ For future transports, agents may need to be able to figure out where to route packets for other agents
     ✣ All Empire comms are now wrapped in ‘routing’ packets encrypted w/ the staging key
     ✣ All individual agent comms still use the negotiated agent key
  24. New Routing/Metadata Packet:
     +---------+-------------------+--------------------------+
     | RC4 IV  | RC4s(RoutingData) | AESc(client packet data) |
     +---------+-------------------+--------------------------+
     |    4    |        16         |        RC4 length        |
     +---------+-------------------+--------------------------+
     RC4s(RoutingData):
     +-----------+------+------+-------+--------+
     | SessionID | Lang | Meta | Extra | Length |
     +-----------+------+------+-------+--------+
     |     8     |  1   |  1   |   2   |   4    |
     +-----------+------+------+-------+--------+
     RC4s  = RC4 w/ the shared staging key
     HMACs = SHA1 HMAC w/ shared staging key
     AESc  = AES w/ client's session key
     HMACc = first 10 bytes of a SHA256 HMAC using the client's session key
  25. AESc(client data):
     +--------+-----------------+-------+
     | AES IV | Enc Packet Data | HMACc |
     +--------+-----------------+-------+
     |   16   |   % 16 bytes    |  10   |
     +--------+-----------------+-------+
     Client data decrypted:
     +------+--------+--------------------+----------+---------+-----------+
     | Type | Length | total # of packets | packet # | task ID | task data |
     +------+--------+--------------------+----------+---------+-----------+
     |  2   |   4    |         2          |    2     |    2    | <Length>  |
     +------+--------+--------------------+----------+---------+-----------+
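As an added illustration of the two packet layouts on slides 24 and 25 (this is example code written for this page, not code from the Empire project): a small Python encoder/decoder for the plaintext routing data and client packet headers, plus the splitting of the outer frame and of the AESc blob, the kind of helper an analyst writes to check a captured frame against the documented structure. The byte widths come from the slides; the little-endian byte order, the field and function names, and the sample values are assumptions. The RC4, AES and HMAC steps themselves are not performed here, only the framing around them is validated.

```python
import struct
from dataclasses import dataclass

# Byte widths are taken from the packet tables on the slides. The slides do
# not state a byte order; little-endian ("<") is an assumption of this example.
RC4_IV_LEN = 4                      # leading RC4 IV of the outer frame
ROUTING_FMT = "<8sBBHI"             # SessionID | Lang | Meta | Extra | Length
ROUTING_LEN = struct.calcsize(ROUTING_FMT)          # 16 bytes
AES_IV_LEN = 16                     # AES IV in front of the encrypted client data
HMAC_C_LEN = 10                     # HMACc: first 10 bytes of the SHA256 HMAC
CLIENT_HDR_FMT = "<HIHHH"           # Type | Length | total # of packets | packet # | task ID
CLIENT_HDR_LEN = struct.calcsize(CLIENT_HDR_FMT)    # 12 bytes


@dataclass
class RoutingData:
    session_id: bytes   # exactly 8 bytes
    lang: int
    meta: int
    extra: int
    length: int         # length of the AESc(client packet data) blob that follows


@dataclass
class ClientPacket:
    ptype: int          # "Type" column on the slide
    total: int          # total # of packets making up this task
    index: int          # packet #
    task_id: int
    data: bytes


def pack_routing(r: RoutingData) -> bytes:
    if len(r.session_id) != 8:
        raise ValueError("SessionID must be exactly 8 bytes")
    return struct.pack(ROUTING_FMT, r.session_id, r.lang, r.meta, r.extra, r.length)


def unpack_routing(buf: bytes) -> RoutingData:
    if len(buf) != ROUTING_LEN:
        raise ValueError(f"routing data must be {ROUTING_LEN} bytes, got {len(buf)}")
    return RoutingData(*struct.unpack(ROUTING_FMT, buf))


def split_outer_frame(frame: bytes):
    """Split a captured outer frame into (rc4_iv, rc4_routing, aes_blob).
    The routing bytes are still RC4-encrypted; decrypting them needs the staging key."""
    if len(frame) < RC4_IV_LEN + ROUTING_LEN:
        raise ValueError("frame too short for RC4 IV + routing data")
    iv = frame[:RC4_IV_LEN]
    routing = frame[RC4_IV_LEN:RC4_IV_LEN + ROUTING_LEN]
    return iv, routing, frame[RC4_IV_LEN + ROUTING_LEN:]


def split_aes_blob(blob: bytes):
    """Split AESc(client data) into (aes_iv, ciphertext, hmac_c) and enforce the
    layout on the slide: 16-byte IV, ciphertext a multiple of 16, 10-byte HMAC."""
    if len(blob) < AES_IV_LEN + HMAC_C_LEN:
        raise ValueError("AES blob too short for IV + HMAC")
    iv, ct, mac = blob[:AES_IV_LEN], blob[AES_IV_LEN:-HMAC_C_LEN], blob[-HMAC_C_LEN:]
    if len(ct) == 0 or len(ct) % 16 != 0:
        raise ValueError("encrypted packet data is not a non-empty multiple of 16 bytes")
    return iv, ct, mac


def pack_client_packet(p: ClientPacket) -> bytes:
    return struct.pack(CLIENT_HDR_FMT, p.ptype, len(p.data), p.total, p.index, p.task_id) + p.data


def unpack_client_packets(buf: bytes) -> list:
    """Walk a decrypted client data blob; several packets may be concatenated."""
    packets, off = [], 0
    while off < len(buf):
        if len(buf) - off < CLIENT_HDR_LEN:
            raise ValueError(f"truncated packet header at offset {off}")
        ptype, length, total, index, task_id = struct.unpack_from(CLIENT_HDR_FMT, buf, off)
        off += CLIENT_HDR_LEN
        if len(buf) - off < length:
            raise ValueError(f"packet at offset {off - CLIENT_HDR_LEN} claims {length} bytes, "
                             f"only {len(buf) - off} remain")
        packets.append(ClientPacket(ptype, total, index, task_id, buf[off:off + length]))
        off += length
    return packets


def demo() -> dict:
    """Constructed sample: a task split into two packets, wrapped in an outer frame.
    Plaintext stands in for the ciphertext; no key or cipher is involved."""
    task = [ClientPacket(ptype=40, total=2, index=1, task_id=7, data=b"first half,"),
            ClientPacket(ptype=40, total=2, index=2, task_id=7, data=b" second half")]
    client_data = b"".join(pack_client_packet(p) for p in task)
    padded = client_data + b"\x00" * (-len(client_data) % 16)   # stand-in for AES padding
    aes_blob = b"\x11" * AES_IV_LEN + padded + b"\x22" * HMAC_C_LEN
    routing = RoutingData(b"SESSID01", lang=1, meta=0, extra=0, length=len(aes_blob))
    frame = b"\x33" * RC4_IV_LEN + pack_routing(routing) + aes_blob
    # Analyst side: take the frame apart and check every layout constraint.
    _, routing_bytes, blob = split_outer_frame(frame)
    parsed_routing = unpack_routing(routing_bytes)
    _, ct, _ = split_aes_blob(blob)
    packets = unpack_client_packets(ct[:len(client_data)])   # drop the stand-in padding
    return {"routing": parsed_routing, "packets": packets, "frame_len": len(frame)}
```

Every length check raises rather than silently truncating, so a frame that claims more packet data than is present, or whose AES section is not block-aligned, is rejected before any field is trusted.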
  26. Newz
     ✣ The HTTP listener has been redone with Flask
     ✣ Epoch-syncing removed
     ✣ PowerShell:
       Staging now uses HMAC and nonces
       RC4 implemented for first stage PowerShell obfuscation
       @mattifestation’s AMSI bypass added to the PowerShell stager
  27. Newz
     ✣ Orphaned agent renegotiation
       If agent shares a server staging key, but isn’t in the cache, it will restage
     ✣ external/* modules
       For things that don’t rely on an agent
       external/generate_agent will generate a “fully-staged” agent
  28. New Modules: Improved Kerberoast
  29. New Modules: BloodHound
  30. New Modules: eventvwr UAC Bypass
  31. Part 3. EmPyre Integration: PowerShell + Python Living Together in Harm0ny ♫
  32. EmPyre Integration
     ✣ EmPyre and Empire are now one code base!
       https://github.com/AdaptiveThreat/Empire
       The EmPyre repo will be deprecated
       Python/PowerShell agents can communicate on the same listener/port!
     ✣ We also now have a 5 person “full-time” dev team: @harmj0y, @enigma0x3, @424f424f, @xorrior, @tifkin_
  33. Language-Aware Menus
  34. Interface Integration
     interact AGENT: Drops you into the language-appropriate agent menu with the same options you’re used to for either project.
     stagers/*: Now broken out into OS-applicable folders (Windows/OS X/Linux).
     usemodule [tab]: Executed from an agent, only tab-completes language-appropriate modules.
  35. Part 4. Modular C2: i lik turtles transports
  36. Listener Modularization
     ✣ Previously, listeners were hard integrated into the code base; adding transports was extremely difficult
     ✣ Now listeners are encapsulated in self-contained modules
       Allows you to drag/drop modules into the framework!
  37. Listener Modules
     ✣ At least two functions are required for a listener module:
       generate_comms() - generates the communication functions patched for the given listener
       start() - starts the server component of the listener
     ✣ Agents are responsible for language support
  38. Listener Modules
     ✣ If you want staging supported:
       generate_launcher() - generates PowerShell/Python launcher code
       generate_stager() - generates the key-negotiation code
       generate_agent() - generates the complete patched agent code
  39. listeners/http
     ✣ The original HTTP[S] listener
       But now redone with flask!
       “Routing packet” is base64’ed and stuffed into a new cookie value
     ✣ Generates Python and PowerShell launchers, staging, and agent code
     ✣ You can easily modify the cookie used/transforms on the data itself to change up indicators!
  40. listeners/http_com
     ✣ Utilizes Internet Explorer COM objects to communicate instead of Net.WebClient
       Proxy-aware/etc.!
     ✣ Slightly different communication structure (data is base64’ed, etc.)
       Example of modifying basic C2 indicators
  41. listeners/http_foreign
     ✣ Simplified “foreign” Empire listeners
     ✣ Allows you to easily pass sessions between control servers, given the staging keys are the same
  42. listeners/http_hop
     ✣ Completely redone “hop” listener
       Simpler (with new packet structure) and should be more stable
     ✣ Uses a .php redirector to tunnel comms through a third site
     ✣ We’re looking for more language-based redirectors! .ASP/.JSP/etc.
  43. listeners/meterpreter
     ✣ The only thing present is the generate_launcher() method
       This generates Invoke-ShellCode code applicable for the given Meterpreter listener specification
     ✣ Allows you to easily spawn Meterpreter/Cobalt Strike sessions from Empire!
  44. Third Party Listeners
     ✣ The new structure allows you to communicate (and possibly stage) through well-known third party websites
     ✣ Let your imagination run with it…
       * don’t break any terms of service, we’re not lawyers
  45. Listener Hot-Swapping
     ✣ The management/switch_listener module allows you to generate the comms for a listener, and dynamically update a running agent with new comms!
     ✣ You can switch from HTTP -> Dropbox -> IE_COM -> Dropbox, even en masse!
  46. Future Listeners
     ✣ In the next few months:
       SMB - just need to work out some of the routing components
       DNS - @enigma0x3 is working as we speak
     ✣ Ideas?
  47. Demos!
  48. Code Release!
  49. Any questions?
     https://github.com/AdaptiveThreat/Empire
     http://theempire.io/
     @harmj0y, @enigma0x3, @sixdub @xorrior, @424f424f, @tifkin_