Do you even PowerShell?
Last week, Justin Warner and Will Schroeder presented a talk at BSidesLV about a new post-exploitation framework called PowerShell Empire.
The PowerShell Empire site describes the framework as “… a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”
I am always keen to test out new tools, so let’s take a quick look.
Building the empire
Setup is painless, which is always a good start. Clone the repository and run the install script:
Let’s rock!
From the location you installed Empire, execute ./empire
To view the possible menus, issue the help command:
Navigation of the menus feels very metasploity to me, which is great as it’s a familiar interface and just makes sense.
The basic process for using the framework is simple and goes a little something like this: listener->stager->agent->module
Target acquired
For this exercise we'll attack a Windows 7 system, fully patched and with an up-to-date enterprise AV enabled. Remember that PowerShell Empire is a post-exploitation framework, so you will already need to have a foothold on your target.
Shhhh…. Listener
Let’s start with the listener. Just like meterpreter, the listener will capture our PowerShell session allowing us to deploy a stager.
There are some interesting options in there, such as KillDate and WorkingHours... nice. Note the name of the listener, in this case test.
I'm happy with the defaults for this demo, so we'll simply execute it. We can use the list command to show current listeners.
Enter Stager Left
With our listener waiting, we now move onto the stager. For those of you familiar with metasploit, you can think of the stager as a payload.
I have chosen to use the launcher_bat stager, which is a self-deleting batch file.
I exploited the victim via a simple phishing campaign which included the launcher_bat code. Luckily for us our friendly victim quite happily executed the batch file; how polite. ;)
Note that AV did not stop the PowerShell payload from executing.
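Since the AV in this demo let the batch-launched PowerShell run, it is worth looking at what a defender would see in process-creation telemetry instead. The following is an added example, not code from the post or from the Empire project: it triages constructed Sysmon Event ID 1 style records (field names are Sysmon's; every path, file name and command line here is made up) for the pattern of a batch file spawning a hidden, non-interactive, encoded PowerShell session, and decodes the -EncodedCommand argument so an analyst can read what was actually run. The sample encoded payload is a harmless constructed string.

```python
import base64
import re

# Constructed sample telemetry in the shape of Sysmon Event ID 1 (process creation).
# Field names are Sysmon's; paths, file names and command lines are made up for this
# example. Event 0 mimics a batch file handing off to hidden PowerShell, event 1 is a
# scheduled backup script, event 2 is unrelated noise.
SAMPLE_ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()

EVENTS = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand {SAMPLE_ENC}",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\constructed-launcher.bat"',
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\nightly-backup.ps1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs",
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\victim\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
]


def _is_flag(token, full, minlen):
    """True if token is an abbreviation of the powershell.exe switch `full`.
    powershell.exe accepts any unambiguous prefix (-nop for -NoProfile, -w for
    -WindowStyle), so detection must not rely on the spelled-out switch."""
    t = token.lower()
    return t.startswith("-") and len(t) - 1 >= minlen and full.startswith(t[1:])


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if _is_flag(tok, "encodedcommand", 1) or tok.lower() == "-ec":
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess(event):
    """List the suspicious traits of one process-creation event (empty list = nothing odd)."""
    reasons = []
    cmdline = event["CommandLine"]
    toks = cmdline.split()
    if event["Image"].lower().endswith(("powershell.exe", "powershell_ise.exe", "pwsh.exe")):
        reasons.append("powershell_host")
    if decode_encoded_command(cmdline) is not None:
        reasons.append("encoded_command")
    for i, tok in enumerate(toks[:-1]):
        val = toks[i + 1].lower()
        if _is_flag(tok, "windowstyle", 1) and val in ("hidden", "1"):
            reasons.append("hidden_window")
        if _is_flag(tok, "executionpolicy", 2) and val in ("bypass", "unrestricted"):
            reasons.append("execution_policy_bypass")
    if any(_is_flag(t, "noprofile", 3) for t in toks):
        reasons.append("no_profile")
    if any(_is_flag(t, "noninteractive", 4) for t in toks):
        reasons.append("non_interactive")
    parent_cl = event.get("ParentCommandLine", "").lower()
    if event["ParentImage"].lower().endswith("cmd.exe") and re.search(r"\.(bat|cmd)\b", parent_cl):
        reasons.append("spawned_by_batch_file")
    return reasons


def triage(events, min_reasons=3):
    """Return the events that stack several traits, with the decoded command attached."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if len(reasons) >= min_reasons:
            hits.append({"Image": ev["Image"], "reasons": reasons,
                         "decoded": decode_encoded_command(ev["CommandLine"])})
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["Image"], hit["reasons"])
        print("  decoded:", hit["decoded"])
```

The scoring deliberately needs several traits to line up, because a single one (an encoded command, a hidden window) is common in legitimate automation. Bear in mind the framework's own claim that agents can run without powershell.exe: command-line heuristics like these only catch the launch, so pair them with module-load telemetry (System.Management.Automation.dll loading into an unexpected process) and, on PowerShell 5.0 or later, script block logging.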
Mr Smith
Next up, agents. Now that we have an active agent, let’s take a closer look.
You can see I have renamed the agent to initialagent to make it easier to identify my agent. Calling the info command shows us further details about our victim machine.
Modules.. there’s not just one of them!
The PowerShell Empire framework comes with plenty of modules for your enjoyment:
First things first… let's test if we can elevate our privileges on the victim machine:
Too easy... You can see by the asterisk next to the second username that we now have a privileged account. Once again, I rename the agent for ease of use.
Did you notice that mimikatz was an available module!!??
BAM!! User hashes and plaintext passwords exposed, just like that.
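The hashes and plaintext passwords come out of LSASS memory, and reading LSASS from a script host is one of the few things in this whole walkthrough that looks unusual on the endpoint. The following is an added example, not code from the post or from Empire or mimikatz: it runs over constructed Sysmon Event ID 10 (ProcessAccess) style records (field names are Sysmon's; images, access masks and call traces are made up here) and flags LSASS reads by a source that is not an expected reader, giving extra weight to script hosts and to call stacks with unbacked (UNKNOWN) frames, which is what in-memory tooling tends to leave behind. The allowlist is a starting point that needs tuning per estate.

```python
# Constructed sample telemetry in the shape of Sysmon Event ID 10 (ProcessAccess).
# Field names are Sysmon's; images, access masks and call traces are made up.
LSASS = r"C:\Windows\System32\lsass.exe"

EVENTS = [
    {   # script host reading LSASS with unbacked frames on the stack
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetImage": LSASS,
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+1234|UNKNOWN(000000001A2B3C40)|UNKNOWN(000000001A2B3D10)",
    },
    {   # AV engine opening LSASS: comparable mask, but an expected source and a backed stack
        "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetImage": LSASS,
        "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+1234|C:\Program Files\Windows Defender\mpengine.dll+5678",
    },
    {   # unrelated: explorer querying another process
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\System32\notepad.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+1234",
    },
]

# Win32 process access rights that matter for reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that routinely open LSASS on a typical Windows host (assumed baseline; tune per estate).
KNOWN_LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe", "taskmgr.exe"}
SCRIPT_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def _basename(win_path):
    """File name of a Windows path; os.path.basename would not split on '\\' on a non-Windows analyst box."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_access(event):
    """List the suspicious traits of one ProcessAccess event targeting LSASS (empty = not interesting)."""
    reasons = []
    if _basename(event["TargetImage"]) != "lsass.exe":
        return reasons
    mask = int(event["GrantedAccess"], 16)
    if mask & PROCESS_VM_READ:
        reasons.append("vm_read_on_lsass")
    if mask & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        reasons.append("query_info_on_lsass")
    source = _basename(event["SourceImage"])
    if source not in KNOWN_LSASS_READERS:
        reasons.append("unexpected_source")
    if source in SCRIPT_HOSTS:
        reasons.append("script_host_source")
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("unbacked_memory_in_calltrace")
    return reasons


def credential_access_alerts(events):
    """Alert on memory reads of LSASS by a source outside the baseline; the other traits enrich the alert."""
    alerts = []
    for ev in events:
        reasons = assess_access(ev)
        if "vm_read_on_lsass" in reasons and "unexpected_source" in reasons:
            alerts.append({"SourceImage": ev["SourceImage"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in credential_access_alerts(EVENTS):
        print(alert["SourceImage"], alert["reasons"])
```

The alert condition is narrow on purpose: PROCESS_VM_READ against LSASS from something not in the baseline. Query-only access from odd sources is common and noisy, while the script-host and unbacked-stack traits are kept as context for the analyst rather than as hard requirements, since an agent hosted outside powershell.exe would not trip the first of them.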
… and for some shits and giggles let’s use the keylogger…
There you have it…. A quick and dirty look at the new PowerShell Empire framework. For me, the framework looks outstanding and will definitely be complementing my pentest kit. Nice work to all involved, and especially to @sixdub and @harmj0y.