PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. It’s feels quite Metasploity with it text-driven menus, module management and execution functions, but it’s purely for generating PowerShell agents and post-exploitation evilness. Of course, Powershell being native to Windows means that AV is not a concern (for now), and Empire has some quite nifty features – but I digress. You’re here for the 5 minute quick-start guide, not a chat.
UPDATED: Tested on Kali Linux Rolling 2017.1
Installation is trivial. Clone the repo to a location of your choosing and run the setup script /opt/Empire/setup/install.sh to pull the dependencies and get it all configured:
Agree to everything. A several new packages will be downloaded and installed.
You may see an error about failure to build libcrypto, but it’s not fatal:
If anyone knows how to get this build working without this error, let me know – everything I’ve tried so far (like adding additional packages, etc) ends up killing the Empire install.
You will then be prompted to choose a key to secure the comms channel between agents and Empire listeners. Hit enter to allow a random key to be generated (you can choose a different one later if you wish). Now you’re ready to go. Fire up Empire by running ./empire from /opt/Empire:
Fire up a listener
Think of a listener as a metasploit handler. This will catch your PowerShell session that you launch on the target system. This needs to be set up first as your stager (payload) will need to know which listener it should talk to. Type listeners to navigate to the listener’s menu, then select the http listener by typing uselistener http. Typing info will give you all the configurable options:
We’ll leave everything as default and launch our listener by typing execute.
Create and deploy your stager
Think of a stager as your payload. This is what you will be executing on your target system to establish a control channel between it and your Empire listener. There are several different types of stager that Empire can generate (and multiple ways to generate them) but for the sake of brevity let’s create a simple launcher.bat file that will create our PowerShell agent to deploy
Type usestager windows/launcher_bat and set the ‘Listener’ option to match your listener name (in this case the default: http):
Running generate will dump your new empire payload in /tmp, so all that’s left is to get it onto your target box (remember, this isn’t an exploitation tool per se, it’s a post-exploitation management framework) and execute it:
Now you can interact with your active agent by heading back to the agents menu and typing interact <agentname>
Running the info command will return basic system information, and you can perform command-line tasks by typing shell followed by a native Windows command:
Don’t forget that the default settings automatically delete the bat file upon execution.
There are quite a few modules available to you, including:
– reliable persistence (critical for any engagement)
– mimikatz (no explanation required)
– privesc (such as GPP and dllhijacker)
– network tools (port scanning, reverse dns, share finding, etc)
…and many more.