1 month ago

Generating Stagers for Post Exploitation of Windows Hosts « Null Byte :: WonderHowTo

PowerShell Empire is usually an amazing framework of which is usually widely used by penetration testers for exploiting Microsoft Windows hosts. In our previous guide, we discussed why along with when the idea’s important to use, as well as some general info on listeners, stagers, agents, along with modules. right now, we will actually explore setting up listeners along with generating a stager.

Before we begin, let’s do a quick recap of what we learned last time about listeners, stages, agents, along with modules. In a future guide, we will talk about getting our first agent to connect back to us, yet right right now we’re just focused on listeners along with stagers.

  • Listeners are the channels which receive connections by our target machine.
  • Stagers are used to set the stage for the post-exploitation activities. They are similar to payloads, which are used to create a connection back to PowerShell Empire.
  • Agents are the connections which we establish with our stagers on the target machines.
  • Modules in PowerShell Empire are used to perform specific functions, such as deploy specific shellcode.

Previously: Getting commenced with Post-Exploitation of Windows Hosts in PowerShell Empire

Waiting to Hear by Our Target with ‘Listeners’

Let’s take a look at how to start a listener. In the previous post, we used the Meterpreter listener as an example. This kind of time, let’s learn how to start an HTTP listener.

Step 1: Select the Listener Type

Start PowerShell Empire by navigating to the cloned Git repository along with typing ./empire into your terminal. Next, type the listeners command to access the listeners menu. Afterward, type uselistener, press the spacebar, along with hit tab to see all the available listeners.

  • dbx listener: Starts a Dropbox listener. the idea is usually one of the coolest listeners available in PowerShell Empire since the idea interacts that has a cloud service. the idea is usually used to target those networks which allow Dropbox connections. In This kind of listener, the attacker network is usually never revealed to the victim.
  • http_com listener: Selecting This kind of option starts an HTTPS listener (PowerShell or Python) of which uses a GET/POST approach using a hidden Internet Explorer COM object. COM stands for Component Object product along with is usually a binary interface used for communication.
  • https_hop: As its name implies, This kind of listener is usually used to redirect our traffic to another active listener immediately after getting an agent. This kind of is usually quite useful when you already have a listener along with you want the completely new traffic to go to of which listener instead of starting a completely new listener. Hence the name hopping.
  • http_foreign: Starts a foreign listener. If you have a second Empire C2 server along with you want to pass your completely new sessions to of which server, then This kind of is usually the listener you have to use. All you have to do is usually set the host along with staging key information.
  • http listener: This kind of is usually a simple HTTP listener which listens on port 80 by default. the idea either runs on Python or PowerShell.
  • meterpreter listener: This kind of listener does not need any introduction. the idea starts a Meterpreter listener akin to Metasploit.

Don’t Miss: Using Payloads in Metasploit

Step 2: Set the Listener Options

In order to start the HTTP listener, type the following.

uselistener http

In order to see the options for the listener, type the info command along with the parameters will be displayed as shown below. The options may differ for each type of listener. due to This kind of listener, we need to set the attacker’s IP address (the address of Kali Linux) along with the port on which the listener runs.

As explained the previous post, the set command is usually used to set or change the options, along with unset is usually to remove them.

Step 3: Start the Listener

Set the host as shown below, along with execute the listener using the executecommand.

Step 4: View Active Listeners

We can right now view our active listeners by typing the listeners command at the main menu, as shown below.

Setting the Stage with ‘Stagers’

Stagers are the component of Empire which set the stage for post exploitation hacking. These are payloads which help us in setting up the hack. due to This kind of purpose, PowerShell Empire has many stagers. A full list of stagers along with their descriptions is usually provided at the end of the article.

Step 5: Select a Type of Stager

To see the various stagers, type the command usestager, hit space, along with press tab twice, as shown below.

Step 6: Explore Stager Info

right now, let us see how to create a stager. We will create a batch file stager for Windows. Type the usestager windows/launcher_bat command to start the stager. Type the info command to see all the options along with information about the stager.

In order for a stager to work, the idea should be assigned a listener. of which is usually the exact reason for which we commenced the listener first in PowerShell Empire. Let us assign the HTTP listener we created above to This kind of stager; Just as above, the set command is usually used to set options, along with the unset command is usually used to remove them.

Step 7: Assign Listener Type

Let us assign the HTTP listener to This kind of stager by typing set Listener http, as shown below.

Step 8: Generate the Stager

Once the listener is usually set, type the generate command to create the stager. the idea will be created from the above folder, as shown below.

along with of which’s the idea! We have successfully created a stager. right now we have to send This kind of file to our target’s machine. When the target clicks on the idea, we will successfully get an agent as shown above.

Full List of Stagers in PowerShell Empire

As promised, here is usually a full list of stagers with their descriptions.

1. MacOS Stagers

PowerShell Empire can right now interact with macOS, as well.

  • osx/applescript: This kind of stager is usually used to generate a simple AppleScript to execute the Empire stage0 launcher on our target. AppleScript is usually the native scripting language of the macOS system.
  • osx/application: This kind of stager generates a macOS application. We can also assign an icon for the application we created.
  • osx/ducky: the idea generates a macOS Ducky Script for PowerShell Empire.
  • osx/dylib : This kind of stager generates a dynamic library for macOS. A dynamic library is usually the part of the code which runs on systems during runtime along with is usually used for multiple purposes.
  • osx/jar: This kind of stager generates a JAR file, which stands for Java Archive file.
  • osx/launcher: the idea generates a one-liner stage0 launcher for PowerShell Empire.
  • osx/macho: the idea generates a Mach-O executable. Mach-O is usually short for Mach object file format, a type of executable used in macOS along that has a few some other systems.
  • osx/macro: the idea generates a macOS Office macro. A macro is usually a word file with executable script.
  • osx/pkg: Generates a pkg installer. The installer will copy a custom (empty) application to the applications folder. The post-install script will execute an Empire launcher.
  • osx/safari_launcher: A Safari launcher is usually an app of which launches Safari. This kind of stager generates an HTML payload launcher for PowerShell Empire.
  • osx/teensy: Generates a Teensy script of which runs a one-liner stage0 launcher for Empire.

2. Windows Stagers

along with right now for the Windows stagers:

  • windows/bunny: Generates a Bunny Script of which runs a one-liner stage0 launcher for Empire.
  • windows/ducky: Generates a Ducky Script of which runs a one-liner stage0 launcher for Empire.
  • windows/dll: the idea generates a PowerPick Reflective dynamic link library to inject with stager code.
  • windows/hta: This kind of generates an HTA (HyperText Application) for Internet Explorer.
  • windows/launcher_bat: This kind of generates a self-deleting batch file launcher for Empire.
  • windows/launcher_vbs: This kind of generates a Visual Basic script launcher for Empire.
  • windows/launcher_sct: This kind of generates an SCT file (COM Scriptlet).
  • windows/macro: This kind of generates an Office macro for Empire compatible with Microsoft Office ’97–2003, along with 2007 file types.
  • windows/teensy: This kind of generates a Teensy script of which runs a one-line stage0 launcher for Empire.

3. Multipurpose Stagers

Apart by OS-specific stagers, we also have stagers of which run on multiple devices.

  • multi/bash: Generates self-deleting Bash script to execute the Empire stage0 launcher.
  • multi/launcher: Generates a one-liner stage0 launcher for Empire.
  • multi/war: the idea generates a deployable WAR file, a JAR file used to serve different functions.
  • multi/pyinstaller: This kind of stager generates an ELF (executable along with linkable format) binary payload launcher for Empire using pyInstaller.

The Stage is usually Set for Your First Agent

Next, we’ll be exploring how to connect an agent along with what fun becomes possible with modules. PowerShell Empire provides a ton of options along with functionality, so be sure to check out the various different types of stagers along with listeners the idea has available for connecting a victim machine.

Until next time, my aspiring hacker ninjas! You can leave any questions from the comments below.

Cover photo by Kody/Null Byte; Screenshots by Kali Ninja/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

10 − 3 =