A Year in the Empire

This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.


  1. A Year in the Empire (ASCII-art “EMPIRE” title banner)
  2. First Things First ✣ Empire would not be possible without the help and phenomenal work from: PowerSploit by @mattifestation, @obscuresec and @JosephBialek; Posh-SecMod by @Carlos_Perez; UnmanagedPowerShell by @tifkin_; Mimikatz by @gentilkiwi and Vincent LE TOUX ✣ Everyone who contributed modules, bugs, fixes, and time! You all rock!
  3. Co-founder of Empire/EmPyre | PowerTools | Veil-Framework; PowerSploit/BloodHound developer; Microsoft PowerShell MVP; @harmj0y
  4. Red teamer and Empire developer; UAC bypasser extraordinaire; Offensive PowerShell advocate; @enigma0x3
  5. tl;dr ✣ Empire overview ✣ Empire 2.0: Motivations, New features, EmPyre integration, ‘Modular’ listeners ✣ Demos
  6. 1. Empire Overview: Release and the Year Since
  7. Teh Empire ✣ A full-featured PowerShell post-exploitation agent; Released at BSides LV ‘15 ✣ Core agent built in PowerShell; Module structure implements various post-exploitation actions ✣ Controller built in Python; Backend sqlite database; UI focus
  8. ✣ Started as a thought exercise! ✣ Wanted to: bring together all the existing offensive PowerShell tech; build a flexible platform that’s easily customizable in the field; train defenders on how to stop and respond to PowerShell “attacks”
  9. y u Build PowerShell Botnet :(
  10. (the guy who invented PowerShell)
  11. A Year of Development ✣ Nearly 400 commits ✣ 25+ contributors ✣ 150+ GitHub issues (most closed : ) ✣ 100+ PRs ✣ Tons of new modules!
  12. #WatchDogs2
  13. SkyWalker! @zeroSteiner
  14. A Meterpreter Replacement?
  15. Empire Staging/Crypto (Client <-> Controller):
      1. GET /<stage0>
      2. return key negotiation stager.ps1 w/ shared AES staging key
      3. gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
      4. return ENCpub(nonce + AES session key)
      5. decrypt, post ENCsession(nonce+1 | sysinfo) to /<stage2>
      6. return ENCsession(agent.ps1). Agent starts beaconing.
  16. Empire Process Injection: *.exe / Invoke-PSInjector / ReflectivePick / .NET Assembly / Download Cradle
  17. Still Just a Toy Language?
  18. New Features Since Release ✣ From 90 modules to 180! Inveigh/Tater! regsvr32! MS16-032! More TrollSploit! KeeThief! Lots of UAC bypasses! Tons more! ✣ A RESTful API interface ✣ Autoruns, lost limits, and more.
  19. Python EmPyre ✣ A Python Empire variant built for a customer’s heavy OS X environment; Python 2.6/2.7 compatible agent; Works on Linux too! ✣ Controller/architecture HEAVILY adopted from Empire ✣ Released publicly at HackMiami; Presented on at BSides LV ‘16
  20. Empire Drawbacks ✣ We’ve never built a RAT before; Mistakes were made ¯\_(ツ)_/¯ ✣ Only comms methods were HTTP[S]; Modules were expandable, transports weren’t ✣ Separate projects for Empire/EmPyre; Name/project confusion; Separate codebases ==
  21. Empire 2.0
  22. Motivations ✣ Empire/EmPyre Integration: Wanted one single controller for our Python Linux/OS X agents and PowerShell agents. ✣ Modularize C2: Expandable listeners that you can drag/drop into the framework for additional transports. ✣ Code Rot: Fix our past mistakes and build a foundation for the future viability of the project.
  23. Laying the Foundation ✣ For future transports, agents may need to be able to figure out where to route packets for other agents ✣ All Empire comms are now wrapped in ‘routing’ packets encrypted w/ the staging key ✣ All individual agent comms still use the negotiated agent key
  24. New Routing/Metadata Packet:
      +---------+-------------------+--------------------------+
      | RC4 IV  | RC4s(RoutingData) | AESc(client packet data) |
      +---------+-------------------+--------------------------+
      | 4       | 16                | RC4 length               |
      +---------+-------------------+--------------------------+
      RC4s(RoutingData):
      +-----------+------+------+-------+--------+
      | SessionID | Lang | Meta | Extra | Length |
      +-----------+------+------+-------+--------+
      | 8         | 1    | 1    | 2     | 4      |
      +-----------+------+------+-------+--------+
      RC4s  = RC4 w/ the shared staging key
      HMACs = SHA1 HMAC w/ shared staging key
      AESc  = AES w/ client's session key
      HMACc = first 10 bytes of a SHA256 HMAC using the client's session key
  25. AESc(client data):
      +--------+-----------------+-------+
      | AES IV | Enc Packet Data | HMACc |
      +--------+-----------------+-------+
      | 16     | % 16 bytes      | 10    |
      +--------+-----------------+-------+
      Client data decrypted:
      +------+--------+--------------------+----------+---------+-----------+
      | Type | Length | total # of packets | packet # | task ID | task data |
      +------+--------+--------------------+----------+---------+-----------+
      | 2    | 4      | 2                  | 2        | 2       | <Length>  |
      +------+--------+--------------------+----------+---------+-----------+
      (same legend as slide 24: RC4s, HMACs, AESc, HMACc)
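The two packet layouts above are what an incident responder has to pick apart when Empire 2.0 traffic is captured and the staging key has been recovered from a stager. The following parser is an added example written for this page; it is not Empire's own code. It follows the field sizes from slides 24 and 25 and makes three assumptions the slides do not state: integers are little-endian, RC4 is keyed with the 4-byte IV prepended to the staging key, and HMACc is HMAC-SHA256 over AES IV || ciphertext truncated to 10 bytes. Sample bytes are constructed inline (the "ciphertext" is a stand-in, so no AES library is needed). Note the 10-byte tag: that is an 80-bit MAC, well short of a full SHA-256 tag, which is worth knowing when assessing what the integrity check actually guarantees.

```python
"""Forensic parser for the Empire 2.0 routing/metadata packet layout.

Layout (from the slides):
  outer:   RC4 IV (4) | RC4s(RoutingData) (16) | AESc(client packet data) (Length)
  routing: SessionID (8) | Lang (1) | Meta (1) | Extra (2) | Length (4)
  AESc:    AES IV (16) | Enc Packet Data (multiple of 16) | HMACc (10)
  client:  Type (2) | Length (4) | total # (2) | packet # (2) | task ID (2) | task data
Assumptions of this example (not stated on the slides): little-endian integers,
RC4 keyed with IV || staging key, HMACc = HMAC-SHA256(IV || ciphertext)[:10].
"""
import hashlib
import hmac
import struct

ROUTING_DATA = struct.Struct("<8sBBHI")   # 16 bytes, matches the RC4s column width
CLIENT_HDR = struct.Struct("<HIHHH")      # 12 bytes of header before task data
RC4_IV_LEN, AES_IV_LEN, HMAC_TAG_LEN = 4, 16, 10


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_routing_packet(blob: bytes, staging_key: bytes) -> dict:
    """Split the outer frame and decrypt/parse the 16-byte routing header."""
    if len(blob) < RC4_IV_LEN + ROUTING_DATA.size:
        raise ValueError("packet shorter than routing header")
    rc4_iv = blob[:RC4_IV_LEN]
    enc_routing = blob[RC4_IV_LEN:RC4_IV_LEN + ROUTING_DATA.size]
    session_id, lang, meta, extra, length = ROUTING_DATA.unpack(
        rc4(rc4_iv + staging_key, enc_routing))          # assumed keying: IV || staging key
    payload = blob[RC4_IV_LEN + ROUTING_DATA.size:]
    if len(payload) != length:   # a wrong staging key shows up here as a garbage Length
        raise ValueError(f"Length field {length} != payload size {len(payload)}")
    return {"session_id": session_id.decode("ascii", "replace"), "lang": lang,
            "meta": meta, "extra": extra, "length": length, "payload": payload}


def split_aes_blob(payload: bytes, session_key: bytes) -> tuple:
    """Verify the truncated HMACc, then return (aes_iv, ciphertext) ready for AES-CBC."""
    if len(payload) < AES_IV_LEN + HMAC_TAG_LEN:
        raise ValueError("AES blob too short")
    body, tag = payload[:-HMAC_TAG_LEN], payload[-HMAC_TAG_LEN:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()[:HMAC_TAG_LEN]
    if not hmac.compare_digest(expected, tag):   # constant-time compare of the 80-bit tag
        raise ValueError("HMACc mismatch: wrong session key or tampered packet")
    iv, ct = body[:AES_IV_LEN], body[AES_IV_LEN:]
    if len(ct) % 16:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    return iv, ct


def parse_client_data(plain: bytes) -> dict:
    """Parse one decrypted client packet: Type | Length | total | packet # | task ID | data."""
    ptype, length, total, num, task_id = CLIENT_HDR.unpack_from(plain)
    data = plain[CLIENT_HDR.size:CLIENT_HDR.size + length]
    if len(data) != length:
        raise ValueError("task data truncated")
    return {"type": ptype, "total": total, "packet": num, "task_id": task_id, "data": data}


def build_sample_packet(staging_key: bytes, session_key: bytes) -> bytes:
    """Constructed sample, not real traffic: fake 2-block 'ciphertext' with a valid HMACc."""
    aes_iv = b"\x11" * AES_IV_LEN
    body = aes_iv + b"\x22" * 32
    tag = hmac.new(session_key, body, hashlib.sha256).digest()[:HMAC_TAG_LEN]
    payload = body + tag
    routing = ROUTING_DATA.pack(b"ABCD1234", 0, 1, 0, len(payload))  # Lang 0, Meta 1
    rc4_iv = b"\x01\x02\x03\x04"
    return rc4_iv + rc4(rc4_iv + staging_key, routing) + payload


if __name__ == "__main__":
    staging, session = b"S" * 32, b"K" * 32            # constructed demo keys
    info = parse_routing_packet(build_sample_packet(staging, session), staging)
    print(info["session_id"], info["lang"], info["meta"], info["length"])
    print(split_aes_blob(info["payload"], session)[0].hex())
```

In practice the routing header is what you can always read once the staging key is known (it is shared across agents), while the inner blob needs the per-agent session key negotiated in the staging exchange on slide 15; the parser therefore separates the two steps so that a capture can at least be attributed to a SessionID and language even when the session key is unavailable.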
  26. Newz ✣ The HTTP listener has been redone with Flask ✣ Epoch-syncing removed ✣ PowerShell: Staging now uses HMAC and nonces; RC4 implemented for first stage PowerShell obfuscation; @mattifestation’s AMSI bypass added to the PowerShell stager
  27. Newz ✣ Orphaned agent renegotiation: If an agent shares a server staging key but isn’t in the cache, it will restage ✣ external/* modules: For things that don’t rely on an agent; external/generate_agent will generate a “fully-staged” agent
  28. New Modules: Improved Kerberoast
  29. New Modules: BloodHound
  30. New Modules: eventvwr UAC Bypass
  31. 3. EmPyre Integration: PowerShell + Python Living Together in Harm0ny ♫
  32. EmPyre Integration ✣ EmPyre and Empire are now one code base! https://github.com/AdaptiveThreat/Empire; The EmPyre repo will be deprecated; Python/PowerShell agents can communicate on the same listener/port! ✣ We also now have a 5 person “full-time” dev team: @harmj0y, @enigma0x3, @424f424f, @xorrior, @tifkin_
  33. Language-Aware Menus
  34. Interface Integration ✣ interact AGENT: Drops you into the language-appropriate agent menu with the same options you’re used to for either project. ✣ stagers/*: Now broken out into OS-applicable folders (Windows/OS X/Linux). ✣ usemodule [tab]: Executed from an agent, only tab-completes language-appropriate modules.
  35. 4. Modular C2: i lik turtles transports
  36. Listener Modularization ✣ Previously, listeners were hard integrated into the code base; adding transports was extremely difficult ✣ Now listeners are encapsulated in self-contained modules; Allows you to drag/drop modules into the framework!
  37. Listener Modules ✣ At least two functions are required for a listener module: generate_comms() - generates the communication functions patched for the given listener; start() - starts the server component of the listener ✣ Agents are responsible for language support
  38. Listener Modules ✣ If you want staging supported: generate_launcher() - generates PowerShell/Python launcher code; generate_stager() - generates the key-negotiation code; generate_agent() - generates the complete patched agent code
  39. listeners/http ✣ The original HTTP[S] listener, but now redone with flask! “Routing packet” is base64’ed and stuffed into a new cookie value ✣ Generates Python and PowerShell launchers, staging, and agent code ✣ You can easily modify the cookie used/transforms on the data itself to change up indicators!
  40. listeners/http_com ✣ Utilizes Internet Explorer COM objects to communicate instead of Net.WebClient; Proxy-aware/etc.! ✣ Slightly different communication structure (data is base64’ed, etc.); Example of modifying basic C2 indicators
  41. listeners/http_foreign ✣ Simplified “foreign” Empire listeners ✣ Allows you to easily pass sessions between control servers, given the staging keys are the same
  42. listeners/http_hop ✣ Completely redone “hop” listener; Simpler (with new packet structure) and should be more stable ✣ Uses a .php redirector to tunnel comms through a third site ✣ We’re looking for more language-based redirectors! .ASP/.JSP/etc.
  43. listeners/meterpreter ✣ The only thing present is the generate_launcher() method; This generates Invoke-ShellCode code applicable for the given Meterpreter listener specification ✣ Allows you to easily spawn Meterpreter/Cobalt Strike sessions from Empire!
  44. Third Party Listeners ✣ The new structure allows you to communicate (and possibly stage) through well-known third party websites ✣ Let your imagination run with it… * don’t break any terms of service, we’re not lawyers
  45. Listener Hot-Swapping ✣ The management/switch_listener module allows you to generate the comms for a listener, and dynamically update a running agent with new comms! ✣ You can switch from HTTP -> Dropbox -> IE_COM -> Dropbox, even en masse!
  46. Future Listeners ✣ In the next few months: SMB - just need to work out some of the routing components; DNS - @enigma0x3 is working as we speak ✣ Ideas?
  47. Demos!
  48. Code Release!
  49. Any questions? https://github.com/AdaptiveThreat/Empire http://theempire.io/ @harmj0y, @enigma0x3, @sixdub, @xorrior, @424f424f, @tifkin_