Empire 3 is a post-exploitation framework that includes a pure-PowerShell Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture.

PowershellEmpire: 5 minute quick-start guide (featuring Kali Linux and/or Debian 8.0) – sw1tch.net

Documentation

GitHub: https://github.com/BC-SECURITY/Empire

Client: https://github.com/BC-SECURITY/Starkiller

Installation

Server

1. Clone the GitHub repository onto the server and run the installation script

  • git clone https://github.com/BC-SECURITY/Empire.git
  • cd Empire
  • sudo ./setup/install.sh

(OPTIONAL) If the Python requirements are not already present (mine were), install them from the requirements file in Empire/setup

  • sudo pip3 install -r requirements.txt

2. You will be prompted to enter a password; this time I will use Pass123

  • Pass123

3. After that, the server installation completes.

4. Now start the service from within the Empire directory

  • sudo ./empire --rest --username vk9sec --password Pass12345

Client

On the client we need Starkiller to access Empire

1. Download the client app

  • sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.3.2/starkiller-1.3.2.AppImage

2. Change the file permissions to add execute

  • sudo chmod +x starkiller-1.3.2.AppImage
  • ls -l starkiller-1.3.2.AppImage

3. Run the application

  • ./starkiller-1.3.2.AppImage --no-sandbox

4. Now connect to the Empire C2 server using the server IP and the credentials set when it was started (./empire --rest --username vk9sec --password Pass12345)

  • URL https://192.168.0.21:1337
  • Username vk9sec
  • Password Pass12345

How to use Starkiller

1. On the left you can see the menu

Each option holds its own data. First we need to start a listener, then generate a stager and have it executed on the target machine.

2. Create a Listener (Any active listeners will be displayed)

  • Click on Listeners
  • Create listener

3. You can choose from several listener types; in this case I use http and fill in a few fields, leaving the rest at their defaults.

  • Name: test_listener
  • Host: http://192.168.0.21:443
  • Port: 443
  • Click on submit (at the bottom)

4. Back on the Listeners page, the new listener is now shown

5. Now that we have a listener we need to generate a stager, so go to Stagers

  • Click on Stagers
  • Generate Stager

6. We need to choose the stager type; this time I choose windows/launcher_bat

  • Type: windows/launcher_bat
  • Listener: test_listener
  • Language: Powershell
  • (OPTIONAL) optional fields (I leave them at their defaults)
  • Click on Submit

7. Visit the Stagers main page and you will see it listed

  • Stagers

8. You can download it under “Actions”, then deliver it via your preferred method.

  • Click on Download icon

9. Once executed on the target machine, the connection will be listed under “Agents”

  • Agents
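Added here as a triage aid, not part of the original post or of Empire itself: a Python script that decodes the PowerShell -enc (base64 of UTF-16LE) layer that a windows/launcher_bat stager carries and pulls any listener URL out of it, so a defender who finds such a .bat on a host can see where it calls back. The .bat text is a constructed sample whose encoded command is a harmless stand-in; real stagers nest further encoding inside that first layer, which this script does not unpack.

```python
import base64
import re

# Constructed sample in the shape of a windows/launcher_bat stager: a PowerShell
# one-liner whose -enc argument is base64 of a UTF-16LE string. The encoded
# command is a harmless stand-in that only carries the listener URL.
def _encode_ps(command: str) -> str:
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

SAMPLE_BAT = (
    "@echo off\r\n"
    "start /b powershell -noP -sta -w 1 -enc "
    + _encode_ps("$u='http://192.168.0.21:443/';Write-Host $u")
    + "\r\n"
    'start /b "" cmd /c del "%~f0"&exit /b\r\n'
)

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)
# http(s) URL up to whitespace or a closing quote/bracket
URL_RE = re.compile(r"""https?://[^\s'")\]]+""", re.IGNORECASE)


def decode_encoded_commands(text: str) -> list[str]:
    """Return the plaintext of every PowerShell -enc argument found in text."""
    decoded = []
    for b64 in ENC_RE.findall(text):
        try:
            raw = base64.b64decode(b64, validate=True)
            decoded.append(raw.decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed blob or odd byte count: not an encoded command
    return decoded


def extract_listener_urls(text: str) -> list[str]:
    """Collect listener URLs from the raw file and from each decoded -enc layer."""
    found = []
    for layer in [text] + decode_encoded_commands(text):
        for url in URL_RE.findall(layer):
            if url not in found:
                found.append(url)
    return found


if __name__ == "__main__":
    for cmd in decode_encoded_commands(SAMPLE_BAT):
        print("decoded:", cmd)
    print("listener URLs:", extract_listener_urls(SAMPLE_BAT))
```

Block the recovered host:port at the proxy or firewall and search web-proxy logs for it to find other hosts that have already checked in.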

10. Select the session you want to work on

11. Within that session we can execute system commands

  • Shell Command: dir

12. You can also run modules

  • Execute Module: powershell/trollsploit/message

13. You can modify the contents of the payload

14. Execute it; the victim then gets a pop-up message like this

  • Submit

15. Under “Modules” you can find all the included modules and read a description of each

16. Clicking the play icon under “Actions” executes the module

  • Choose the session name

17. Click on submit

18. Under Reporting, you can find the history of commands