Building an EmPyre with Python

This presentation covers Python EmPyre, a Python post-exploitation agent based on the PowerShell Empire architecture. It was given at BSidesLV '16.

  1. Building an EmPyre with Python
  2. @harmj0y × Researcher/red teamer for the Adaptive Threat Division × Co-founder/active developer of the Veil-Framework | PowerView | PowerUp | Empire × Microsoft CDM/PowerShell MVP and active PowerSploit developer
  3. @424f424f × U.S. Army Infantry combat veteran × Red teamer/penetration tester for the Adaptive Threat Division × Instructor for ATD's "Adaptive Penetration Testing" course
  4. @killswitch_gui × Former US Army soldier × Red teamer/penetration tester for the Adaptive Threat Division × Developed SimplyEmail / SimplyTemplate
  5. tl;dr × Overview / "Why build this?" / RATs 101 × EmPyre × Stagers × Host/network triage × Lateral movement × Persistence × The future × Demos throughout!
  6. Why build this?
  7. Motivations × A high-security client wanted a penetration test against their corporate infrastructure × which was 80% OS X … × We did our research and found very few options for "complete" OS X agents × though small post-exploitation pieces did exist
  8. Adversarial OS X × WireLurker (trojanized applications; infects connected iOS devices) × XcodeGhost (infected Xcode package distributed in China) × Hacking Team (Remote Control System compromise platform) × OceanLotus (Flash dropper that downloads a Mach-O binary) × KeRanger (ransomware; infected Transmission package)
  9. OS X challenges × Not nearly as many public OS X attack toolsets out there as there are for Windows × Access vectors are significantly more limited than on Windows as well × Lateral spread is complicated a bit (no pass-the-hash!)
  10. RATs 101 × We have a number of broad design goals for our solution: × Staging flexibility × Modularity × (Reasonably) strong crypto × The "staging problem": × Your malicious code has to SOMEHOW get to the target
  11. EmPyre
  12. Background × Python agent and controller × Heavily based on the PowerShell Empire project × Python 2.6/2.7 compatible on OS X and Linux ("living off the land" with the system interpreter) × Asynchronous communications (HTTP[S]) × Diffie-Hellman based encrypted key exchange × Variety of post-exploitation modules
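The key agreement that slide 12 names, written out with both sides' messages. This is an added example for this page, not EmPyre's staging code: the group (RFC 3526 group 14, transcribed here), the SHA-256 key derivation, the 256-byte wire encoding and the in-memory "wire" are assumptions of the example, not EmPyre's actual protocol.

```python
# Added example, not EmPyre's staging code. Group, encoding and KDF are assumptions.
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2 (transcribed from the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_LEN = 256  # assumed wire size of one public value (2048 bits)


class DHParty:
    """One side of the exchange: keeps its private exponent, exposes only its public value."""

    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2  # private exponent in 2 .. P-2
        self.public = pow(G, self._priv, P)

    def derive_key(self, peer_public):
        # Reject 0, 1, p-1 and out-of-range values: they force the shared secret into a
        # tiny subgroup and let an on-path attacker fix the session key.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value outside [2, p-2]")
        shared = pow(peer_public, self._priv, P)
        if shared in (1, P - 1):
            raise ValueError("degenerate shared secret")
        return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()  # assumed KDF


def encode_public(value):
    return value.to_bytes(PUB_LEN, "big")


def decode_public(blob):
    if len(blob) != PUB_LEN:
        raise ValueError("public value must be exactly %d bytes" % PUB_LEN)
    return int.from_bytes(blob, "big")


def key_exchange():
    """Message 1: agent -> server (pub_a). Message 2: server -> agent (pub_b).
    Returns the 32-byte session key each side derives; both must be equal."""
    agent, server = DHParty(), DHParty()
    msg1 = encode_public(agent.public)    # crosses the wire in the stager's first request
    msg2 = encode_public(server.public)   # comes back in the server's response
    return agent.derive_key(decode_public(msg2)), server.derive_key(decode_public(msg1))


if __name__ == "__main__":
    k_agent, k_server = key_exchange()
    print("session keys match:", k_agent == k_server)
```

A bare exchange like this authenticates nobody: an on-path attacker can run it once with each side. A real stager needs the exchange bound to something the agent already trusts (a pre-shared staging secret or a pinned server key) before the derived key is used.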
  13. Module development × Like Empire, development is quick thanks to the modular structure and the use of a scripting language × Modules == metadata containers for an embedded Python script × The metadata covers things like option sets, needs-admin, opsec-safe, save-file-output, etc.
  14. Stagers
  15. OS X Macros × Works on Office 2011 and below, otherwise we're stuck in the...
  16. Mach-O binaries × Mach object file format for executables, object code, shared libraries, dynamically loaded code and core dumps × We hot-patch a binary with the EmPyre stager code × The binary contains the Python interpreter
  17. Dylib hijacking × Ported from @patrickwardle's research × https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf × Abuses search-order loading × Also a persistence method in EmPyre
  18. Hijack scanner
  19. Dylib hijacker
  20. Demo: Phishing with EmPyre
  21. Host triage
  22. Privilege escalation × Users often run as admin × Two prompt modules for credential collection: × Mac app prompting - osascript × Screensaver "alleyoop" - osascript / security × Elevate using sudo_spawn to spawn a new EmPyre agent
  23. Privilege escalation
  24. Chainbreaker × Keychaindump (juuso) × Before OS X Yosemite the keychain master key can be recovered from memory × Decrypt the keychain store using a master key candidate × Keychaindump_chainbreaker (n0fate) × Accepts a master key or password as input to decrypt the entire keychain × Fully ported so dumps run on target rather than offline
  25. Hashdumping × Built-in hashdump module: × sudo required, of course × Output is hashcat-ready × Hash format differs between OS X releases × 10.8+ uses SALTED-SHA512-PBKDF2 × Password -> iterations -> salt -> PBKDF2 hash × Ultimately a very slow hash to crack (low H/s)
  26. Hashdumping
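What "hashcat ready" means for the 10.8+ format on slide 25, as an added example (not EmPyre's hashdump module): the record's iteration count, salt and 128-byte PBKDF2 output are written in the hashcat mode 7100 line format, and a candidate password is checked the way a cracker has to check it, with one full PBKDF2-HMAC-SHA512 run per guess. The salt, iteration count and password are constructed test values, not data from a real system.

```python
# Added example, not EmPyre's hashdump module. Salt, iterations and password are constructed.
import hashlib
import hmac
import time

ENTROPY_LEN = 128  # macOS stores a 128-byte PBKDF2-HMAC-SHA512 output ("entropy") per user


def shadow_hash(password, salt, iterations):
    """Password -> iterations -> salt -> PBKDF2-HMAC-SHA512, as on OS X 10.8 and later."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, ENTROPY_LEN)


def to_hashcat_7100(iterations, salt, entropy):
    """hashcat mode 7100 line: $ml$<iterations>$<salt hex>$<entropy hex>."""
    return "$ml$%d$%s$%s" % (iterations, salt.hex(), entropy.hex())


def parse_hashcat_7100(line):
    tag, iterations, salt_hex, entropy_hex = line.split("$")[1:]
    if tag != "ml":
        raise ValueError("not a $ml$ (mode 7100) record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(entropy_hex)


def check_password(line, candidate):
    """One guess == one PBKDF2 run; this cost is what makes the format slow to crack."""
    iterations, salt, entropy = parse_hashcat_7100(line)
    return hmac.compare_digest(shadow_hash(candidate, salt, iterations), entropy)


def sample_record():
    salt = bytes(range(32))   # constructed: real salts are 32 random bytes
    iterations = 35460        # constructed: real counts are calibrated per machine
    return to_hashcat_7100(iterations, salt, shadow_hash("Summer2016!", salt, iterations))


def guesses_per_second(line, guesses=("password", "letmein", "Summer2016!")):
    """Rough single-core H/s for the record: a few guesses timed through check_password()."""
    start = time.perf_counter()
    for guess in guesses:
        check_password(line, guess)
    return len(guesses) / (time.perf_counter() - start)


if __name__ == "__main__":
    line = sample_record()
    print(line[:40] + "...")
    print("Summer2016! correct:", check_password(line, "Summer2016!"))
    print("approx guesses/second on this CPU:", round(guesses_per_second(line), 1))
```

Note that the record carries the iteration count, so two users on the same box can have different costs; a real dump should keep each user's count rather than assuming one global value.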
  27. Keylogging × Uses Ruby code adapted from MSF: × Currently captures and logs keystrokes to a file × Runs as a separate Ruby process
  28. Screenshots × Currently supports two separate methods: × Native - built-in screenshot tool × Python - using Quartz API calls × The environment can dictate the use of native tools × CGImageDestinationCreateWithURL() and the native screenshot tool only allow an output path for the image, so the capture touches disk
  29. Clipboard theft × Great way to target and collect credentials × Output to file or pipeline × Timed collection allows continuous monitoring using background jobs × Uses a non-native method via the AppKit API: × Native pbpaste may be signatured by Carbon Black
  30. Demo: Host triage with EmPyre
  31. Network situational awareness
  32. OS X is on the domain too! × Admins want/need to: × Enforce corporate policy via Group Policy × Manage resources × Manage users × Advertise resources such as printers × Benefit from single sign-on access to Active Directory resources through Kerberos
  33. OS X and LDAP × ldapsearch tool × opens a connection to an LDAP server, binds, and performs a search using the specified parameters × Find the domain controllers via DNS: dig -t SRV _ldap._tcp.example.com
  34. PowerView, OS X style × Wanted to mimic the features of PowerSploit's PowerView to enumerate Active Directory × Using ldapsearch, we can mimic "most" features × Unfortunately, this creates a log entry for every connection
  35. Situational awareness, AD enumeration × get_computers × get_domaincontrollers × get_fileservers × get_groupmembers × get_groupmemberships × get_groups × get_ous × get_userinformation × get_users
  36. PowerView, OS X style
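What the enumeration modules on slides 33 to 35 reduce to, as an added example written for this page rather than EmPyre's own module code: the LDAP filter and attribute list behind each get_* name, the ldapsearch argument vector that runs it (GSSAPI bind, so it rides on the Kerberos ticket from kinit), and a helper that picks a domain controller out of the dig SRV answer. The domain, DC names and dig output below are constructed; RFC 4515 escaping is applied to module arguments so a group or user name cannot rewrite the filter.

```python
# Added example, not EmPyre's situational-awareness modules. Names and dig output are constructed.
import subprocess

# Filter and attributes for the modules that take no argument.
MODULES = {
    "get_computers": ("(objectCategory=computer)", ["dNSHostName", "operatingSystem"]),
    "get_domaincontrollers": (
        "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))",
        ["dNSHostName"]),
    "get_users": ("(&(objectCategory=person)(objectClass=user))", ["sAMAccountName", "memberOf"]),
    "get_groups": ("(objectCategory=group)", ["sAMAccountName"]),
    "get_ous": ("(objectCategory=organizationalUnit)", ["ou", "gPLink"]),
    # file servers fall out of the UNC paths in users' home/profile/script attributes
    "get_fileservers": (
        "(&(objectCategory=person)(objectClass=user)(|(homeDirectory=*)(scriptPath=*)(profilePath=*)))",
        ["homeDirectory", "scriptPath", "profilePath"]),
}
# Modules that take a name; %s is filled with the escaped argument.
NAMED = {
    "get_groupmembers": ("(&(objectCategory=group)(sAMAccountName=%s))", ["member"]),
    "get_groupmemberships": ("(sAMAccountName=%s)", ["memberOf"]),
    "get_userinformation": (
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))",
        ["sAMAccountName", "displayName", "memberOf", "lastLogon"]),
}


def escape_filter_value(value):
    """RFC 4515 escaping so an argument like '*)(objectClass=*' stays a literal value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def domain_to_base_dn(domain):
    return ",".join("DC=" + part for part in domain.split("."))


def ldap_filter(module, name=None):
    if module in MODULES:
        return MODULES[module][0]
    if module in NAMED:
        if name is None:
            raise ValueError(module + " needs a name argument")
        return NAMED[module][0] % escape_filter_value(name)
    raise KeyError("unknown module " + module)


def ldapsearch_argv(domain, module, name=None, dc=None):
    """argv for ldapsearch: GSSAPI bind (uses the ticket kinit acquired), no shell involved."""
    attrs = (MODULES.get(module) or NAMED[module])[1]
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", "ldap://" + (dc or domain),
            "-b", domain_to_base_dn(domain), ldap_filter(module, name)] + attrs


def pick_dc_from_srv(dig_short_output):
    """Parse `dig +short -t SRV _ldap._tcp.<domain>` lines ('prio weight port target.');
    lowest priority wins, higher weight breaks ties. Returns (host, port) or None."""
    best = None
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        prio, weight, port, target = int(parts[0]), int(parts[1]), int(parts[2]), parts[3].rstrip(".")
        if best is None or (prio, -weight) < (best[0], -best[1]):
            best = (prio, weight, port, target)
    return None if best is None else (best[3], best[2])


def run_ldapsearch(domain, module, name=None, dc=None):
    """Execute the query on a host that has ldapsearch and a Kerberos ticket; returns LDIF text."""
    return subprocess.run(ldapsearch_argv(domain, module, name, dc),
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    srv = "10 100 389 dc02.corp.example.com.\n0 100 389 dc01.corp.example.com.\n"  # constructed
    host, port = pick_dc_from_srv(srv)
    print(" ".join(ldapsearch_argv("corp.example.com", "get_groupmembers", "Domain Admins", dc=host)))
```

Every one of these queries is a separate bind against the DC, which is the log entry slide 34 warns about; batching several modules into one connection is the obvious opsec improvement.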
  37. Overpass-the-hash × Original research by @gentilkiwi and @obscuresec; OS X research by @passingthehash × Upgrading an NT hash into a full Kerberos ticket! × Utilities: × kinit - acquire initial Kerberos credentials × klist - list Kerberos credentials × kdestroy - remove Kerberos credentials
  38. Demo: Domain enumeration with EmPyre
  39. Lateral movement
  40. OS X vs Windows × Common Windows lateral movement methods: × WMI, PsExec, WinRM, Remote Desktop × OS X disappoints a bit on this front... × SSH is available but disabled by default × winexe installed through Homebrew is possible × EmPyre modules: × ssh_command / ssh_launcher
  41. Web service exploitation × JBoss exploit × Pass the exploit to the Empire server
  42. Persistence
  43. OS X vs Windows × Common Windows persistence methods: × Registry keys × Startup folders × WMI × DLL hijacks × Backdoor accounts × OS X is also quite fruitful: × Crontabs × Login hooks × Daemons × Dylib hijacking
  44. Crontabs, daemons and login hooks × Login hook - user context × Bash / AppleScript / binary execution × Logon of the user (or any user) executes the payload × Sets com.apple.loginwindow × Crontabs - user context × Requires Bash / AppleScript / binary × Timed execution of the payload × Great for continued access × Launch daemons - root context × Requires sudo × Launch behaviour is determined by the XML plist manifest (e.g. at reboot) × Daemons (services), once started, restart on agent loss
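The launch daemon case from slide 44 in concrete form, as an added example that is not EmPyre's persistence module: the plist manifest that gives a root-context job the "restart upon agent loss" behaviour (RunAtLoad starts it at boot, KeepAlive makes launchd relaunch it whenever the process exits), and the triage check a responder would run over /Library/LaunchDaemons to find such manifests. The label, program paths and scan directory are constructed.

```python
# Added example, not EmPyre's persistence code. Label, paths and directory are constructed.
import glob
import os
import plistlib

# Legitimate LaunchDaemons do not normally run anything out of a user-writable location.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")
INTERPRETERS = {"python", "python2.7", "python3", "sh", "bash", "zsh", "osascript", "ruby", "perl"}


def build_launch_daemon(label, program_args):
    """XML plist that `sudo launchctl load /Library/LaunchDaemons/<label>.plist` would consume."""
    return plistlib.dumps({
        "Label": label,
        "ProgramArguments": list(program_args),
        "RunAtLoad": True,   # start as soon as the job is loaded, i.e. at every boot
        "KeepAlive": True,   # relaunch on exit: the "restart upon agent loss" from the slide
    })


def parse_launchd_plist(data):
    return plistlib.loads(data)


def job_argv(job):
    """launchd runs Program if set, otherwise ProgramArguments[0]; return the effective argv."""
    args = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        return [job["Program"]] + args[1:]
    return args


def triage(job):
    """Reasons a launchd job deserves a closer look (empty list == nothing odd about it)."""
    reasons = []
    argv = job_argv(job)
    for arg in argv:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("references user-writable path: " + arg)
    if argv and os.path.basename(argv[0]) in INTERPRETERS:
        reasons.append("program is a script interpreter: " + argv[0])
    if job.get("KeepAlive"):
        reasons.append("KeepAlive set: relaunches whenever the process exits")
    return reasons


def scan_launch_daemons(directory="/Library/LaunchDaemons"):
    """Map plist path -> reasons for every manifest under directory that triage() flags."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # binary garbage or truncated XML is itself worth a look
            findings[path] = ["unparseable plist: %s" % exc]
            continue
        reasons = triage(job)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    manifest = build_launch_daemon("com.example.update",
                                   ["/usr/bin/python", "/Users/demo/.update/agent.py"])
    print(manifest.decode())
    for reason in triage(parse_launchd_plist(manifest)):
        print("-", reason)
```

Crontab and login-hook persistence leave different artifacts (the user's crontab and the LoginHook key under com.apple.loginwindow), so a complete sweep checks those as well as the two LaunchDaemons/LaunchAgents directories.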
  45. Persistence with dylib hijacking × EmPyre implements @patrickwardle's research to scan for hijackable dylibs! × @rpath search-order and weak dylib import search × CreateHijacker module × allows for quick exploitation × ease of generating the payload × patches in the path to the legitimate dylib so the original still executes properly
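The two checks slide 45 names (and the Mach-O load-command walk that slides 16 to 18 rely on), as an added example written for this page rather than EmPyre's hijack scanner: a minimal parser for the LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB and LC_RPATH commands of a little-endian 64-bit Mach-O, then the search-order logic. For an @rpath import, every LC_RPATH directory dyld tries before the one holding the real library is a plant location; a weak import whose target is absent is loaded silently if a dylib later appears at that path. The sample binary, its rpaths and dylib names, and the `exists` lookup are constructed so the code runs offline; expansion of @executable_path and @loader_path is simplified to a single directory, and fat and 32-bit images are rejected rather than handled.

```python
# Added example, not EmPyre's hijack scanner. The binary, paths and filesystem view are constructed.
import os
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32 bytes


def parse_load_commands(data):
    """Return [(cmd, path)] for the dylib and rpath load commands of a 64-bit little-endian Mach-O."""
    if len(data) < HEADER_LEN or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit images not handled here)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = HEADER_LEN + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past the end of the file")
    found, off = [], HEADER_LEN
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed cmdsize at offset %d" % off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH):
            # dylib_command and rpath_command both start with an lc_str: offset from command start
            str_off = struct.unpack_from("<I", data, off + 8)[0]
            if not 12 <= str_off < cmdsize:
                raise ValueError("lc_str offset points outside its command")
            raw = data[off + str_off:off + cmdsize].split(b"\0", 1)[0]
            found.append((cmd, raw.decode("utf-8", "replace")))
        off += cmdsize
    return found


def find_hijack_candidates(data, exists, exec_dir="/Applications/Demo.app/Contents/MacOS"):
    """Paths where a planted dylib would be loaded ahead of, or in place of, the legitimate one."""
    cmds = parse_load_commands(data)
    rpaths = [p.replace("@executable_path", exec_dir).replace("@loader_path", exec_dir)
              for c, p in cmds if c == LC_RPATH]
    candidates = []
    for cmd, name in cmds:
        if cmd == LC_RPATH:
            continue
        if name.startswith("@rpath/"):
            # dyld walks the LC_RPATH entries in order; each miss before the hit is plantable
            for directory in rpaths:
                full = os.path.normpath(os.path.join(directory, name[len("@rpath/"):]))
                if exists(full):
                    break
                candidates.append(("rpath", full))
        elif cmd == LC_LOAD_WEAK_DYLIB and not exists(name):
            candidates.append(("weak", name))  # optional import, currently missing
    return candidates


# ---- constructed fixture: a tiny Mach-O carrying only the load commands of interest ----
def _command(cmd, fixed_fields, path):
    payload = path.encode() + b"\0"
    head = 8 + 4 * len(fixed_fields)
    size = head + len(payload)
    size += (-size) % 8  # cmdsize is 8-byte aligned in 64-bit images
    return (struct.pack("<II", cmd, size) + struct.pack("<%dI" % len(fixed_fields), *fixed_fields)
            + payload.ljust(size - head, b"\0"))


def dylib_command(cmd, name):
    return _command(cmd, [24, 2, 0x10000, 0x10000], name)  # name offset 24, timestamp, versions


def rpath_command(path):
    return _command(LC_RPATH, [12], path)  # path offset 12


def sample_binary():
    cmds = [
        dylib_command(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
        rpath_command("@executable_path/../Frameworks"),
        rpath_command("/usr/local/lib"),
        dylib_command(LC_LOAD_DYLIB, "@rpath/libbar.dylib"),
        dylib_command(LC_LOAD_WEAK_DYLIB, "/usr/local/lib/libopt.dylib"),
    ]
    body = b"".join(cmds)
    # cputype x86_64, subtype 3, filetype MH_EXECUTE
    return struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0) + body


SAMPLE_FS = {"/usr/lib/libSystem.B.dylib", "/usr/local/lib/libbar.dylib"}  # constructed filesystem view


def demo():
    return find_hijack_candidates(sample_binary(), SAMPLE_FS.__contains__)


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Against a real binary, pass `os.path.exists` as the lookup and the directory of the executable as `exec_dir`; a candidate only matters if the directory is writable by the user you hold, and the planted dylib must re-export or forward to the legitimate library (the "patching in the path" step on the slide) or the host process breaks.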
  46. Questions? @harmj0y / will [at] harmj0y.net @424f424f / steveborosh [at] gmail.com @killswitch_gui / a.rymdekoharvey [at] gmail.com
