
How to Use Stagers in Powershell Empire for Post Exploitation of Windows Hosts « Null Byte :: WonderHowTo

Welcome back! This is the second tutorial for PowerShell Empire, an amazing framework that is widely used by penetration testers for exploiting Microsoft Windows hosts. In this guide, we explore setting up listeners, generating a stager, and getting our first agent to connect back to us.

In the previous post we learned how to install PowerShell Empire and discussed the purpose of modules, listeners, stagers, and agents. Before we begin, let’s recap what we learned last time:

  • Listeners are the channels that receive connections from our target machine.
  • Stagers are used to set the stage for the post-exploitation activities. They are similar to payloads, which are used to create a connection back to Empire.
  • Agents are the connections that we establish with our stagers on the target machines.
  • Modules in Empire are used to perform specific functions, such as deploying specific shellcode.

We will now discuss listeners and stagers.

Waiting to Hear from Our Target with “Listeners”

Let’s take a look at how to start a listener. In the previous post, we used the Meterpreter listener as an example. This time let’s learn how to start an HTTP listener.

Step 1: Select the Listener Type

Start Empire by navigating to the cloned Git repository and typing ./empire into your terminal.

Next, type the listeners command to access the listeners menu. Then type uselistener, press the space bar, and hit Tab to see all the available listeners.

1. dbx listener: starts a Dropbox listener. It is one of the coolest listeners available in Empire since it interacts with a cloud service. It is used to target those networks that allow Dropbox connections. With this listener, the attacker’s network is never revealed to the victim.

2. http_com listener: Selecting this option starts an HTTPS listener (PowerShell or Python) that uses a GET/POST approach with a hidden Internet Explorer COM object. COM stands for Component Object Model and is a binary interface used for communication.

3. https_hop: As its name implies, this listener is used to redirect our traffic to another active listener immediately after getting an agent. This is quite useful when you already have a listener and you want the new traffic to go to that listener instead of starting a new one. Hence the name hopping.

4. http_foreign: starts a foreign listener. If you have a second Empire C2 server and you want to pass your new sessions to that server, then this is the listener you have to use. All you have to do is set the Host and Staging Key information.

5. http listener: is a simple HTTP listener that listens on port 80 by default. It runs on either Python or PowerShell.

6. Meterpreter listener: this listener does not need any introduction. It starts a Meterpreter listener akin to Metasploit.

Step 2: Set the Listener Options

To start the HTTP listener, type the following:

uselistener http

To see the options for the listener, type the info command and the parameters will be displayed as shown below. The options may differ for each type of listener. For this listener, we need to set the attacker’s IP address (the address of Kali Linux) and the port on which the listener runs.

As explained in the previous post, the set command is used to set or change the options and unset to remove them.

Step 3: Start the Listener

Set the Host as shown below and execute the listener using the execute command.

Step 4: View Active Listeners

We can now view our active listeners by typing the listeners command at the main menu as shown below.

Setting the Stage with “Stagers”

Stagers are the component of Empire that sets the stage for post-exploitation hacking. These are payloads that help us in setting up the hack. For this purpose, Empire has many stagers. A full list of stagers along with their descriptions is provided at the end of the article.

Step 1: Select a Type of Stager

To see the various stagers, type the command usestager, hit space, and press Tab twice, as shown below.

Step 2: Explore Stager Info

Now let us see how to create a stager. We will create a batch file stager for Windows. Type the “usestager windows/launcher_bat” command to start the stager. Type the info command to see all the options and information about the stager.

In order for a stager to work, it should be assigned a listener. That is the exact reason we started the listener first in Empire. Let us assign the HTTP listener we created above to this stager. Just as above, the set command is used to set options and the unset command is used to remove them.

Step 3: Assign Listener Type

Let us assign the HTTP listener to this stager by typing “set Listener http” as shown below.

Step 4: Generate the Stager

Once the listener is set, type the generate command to create the stager. It will be created in the above folder as shown below.

And that’s it! We have successfully created a stager. Now we have to send this file to our target’s machine. When the target clicks on it, we will successfully get an agent as shown above.
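As an added, defender-side example (not code from this article or from the Empire project): the batch launcher generated above runs as cmd.exe executing a .bat file that spawns an encoded PowerShell one-liner. This Python script, over constructed Sysmon-style process-creation records, decodes -EncodedCommand arguments and flags that parent/child pattern; the record field names and sample values are assumptions, and the encoded payload is a harmless placeholder rather than a real launcher.

```python
import base64

# Constructed Sysmon-style process-creation records (not real Empire output).
# The launcher_bat stager runs a .bat through cmd.exe, which then spawns an
# encoded PowerShell one-liner. The payload below is a harmless Write-Output
# placeholder, encoded the way -EncodedCommand expects (UTF-16LE, base64).
def encode_ps(cmd):
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOGS = [
    {"pid": 4101, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\launcher.bat"'},
    {"pid": 4102, "ppid": 4101, "image": PS,
     "cmdline": "powershell -noP -sta -w 1 -enc " + encode_ps("Write-Output 'placeholder'")},
    {"pid": 4103, "ppid": 800, "image": PS,
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc...)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if not (flag.startswith("-e") and "-encodedcommand".startswith(flag)):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
            return raw.decode("utf-16le")
        except ValueError:  # not valid base64 / UTF-16LE; keep scanning
            continue
    return None

def find_launcher_bat_chains(records):
    """Flag encoded PowerShell; rate it high when its parent is cmd.exe running
    a .bat file, which is the process tree a batch launcher produces."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        if not r["image"].lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(r["cmdline"])
        if decoded is None:
            continue
        parent = by_pid.get(r["ppid"])
        from_bat = bool(parent and parent["image"].lower().endswith("cmd.exe")
                        and ".bat" in parent["cmdline"].lower())
        findings.append({"pid": r["pid"], "decoded": decoded,
                         "severity": "high" if from_bat else "medium"})
    return findings
```

Run it over real Sysmon Event ID 1 or Security 4688 exports by mapping their ProcessId, ParentProcessId, Image and CommandLine fields into the same record shape.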

As promised, here is a full list of stagers with their descriptions.

OSX stagers

PowerShell Empire can now interact with macOS as well! Below is a list of stagers available for OS X:

  1. osx/applescript : This stager is used to generate a simple AppleScript to execute the Empire stage0 launcher on our target. AppleScript is the native scripting language of the OS X system.
  2. osx/application : This stager generates an OS X application. We can also assign an icon to the application we created.
  3. osx/ducky : It generates an OS X Ducky script for Empire.
  4. osx/dylib : This stager generates a dynamic library for OS X. A dynamic library is a piece of code that programs load at runtime and is used for multiple purposes.
  5. osx/jar : This stager generates a JAR file. JAR stands for Java Archive.
  6. osx/launcher : It generates a one-liner stage0 launcher for Empire.
  7. osx/macho : It generates a Mach-O executable. Mach-O is short for Mach object file format, a type of executable used in macOS and a few other systems.
  8. osx/macro : It generates an OS X Office macro. A macro is a Word file with an executable script.
  9. osx/pkg : Generates a pkg installer. The installer will copy a custom (empty) application to the Applications folder. The postinstall script will execute an Empire launcher.
  10. osx/safari_launcher : A Safari launcher is an app that launches Safari. This stager generates an HTML payload launcher for EmPyre.
  11. osx/teensy : Generates a Teensy script that runs a one-liner stage0 launcher for EmPyre.

And now for the Windows stagers:

  1. windows/bunny : Generates a Bunny script that runs a one-liner stage0 launcher for Empire.
  2. windows/ducky : Generates a Ducky script that runs a one-liner stage0 launcher for Empire.
  3. windows/dll : It generates a PowerPick reflective dynamic link library to inject with stager code.
  4. windows/hta : This generates an HTA (HyperText Application) for Internet Explorer.
  5. windows/launcher_bat : This generates a self-deleting batch file launcher for Empire.
  6. windows/launcher_vbs : This generates a Visual Basic script launcher for Empire.
  7. windows/launcher_sct : This generates an .sct file (COM scriptlet).
  8. windows/macro : This generates an Office macro for Empire compatible with Office 97-2003 and 2007 file types.
  9. windows/teensy : This generates a Teensy script that runs a one-liner stage0 launcher for Empire.

Multi-Purpose stagers

Apart from OS-specific stagers, Empire also has stagers that run on multiple platforms.

  1. multi/bash : Generates a self-deleting Bash script to execute the Empire stage0 launcher.
  2. multi/launcher : Generates a one-liner stage0 launcher for Empire.
  3. multi/war : It generates a deployable WAR file. A WAR file is a JAR file used to serve different functions.
  4. multi/pyinstaller : This stager generates an ELF (Executable and Linkable Format) binary payload launcher for Empire using PyInstaller.

The Stage Is Set for Your First Agent

Next, we’ll be exploring connecting an agent and what fun becomes possible with modules! Empire provides a ton of options and functionality, so be sure to check out the various types of stagers and listeners Empire has available for connecting a victim machine.

Until next time my aspiring hacker ninjas!

You can leave any questions within the comments below.

Cover photo by Kody / Null Byte
Screenshots by KaliNinja / Null Byte
