Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
This tutorial is not for those who have no idea how to Linux, or those who are not efficient with common Linux commands. You have been warned. I will not be showing you how to install Empire. It is up to you to install Empire and it’s dependencies. Again, this tutorial is VERY basic, and expects basic Linux knowledge.
Download: https://github.com/powershellempire/empire
Before we start I’m going to give you a rundown on what Empire actually is. Empire is a python script that can embed reverse HTTP connections in a Windows Powershell script. Sounds pretty boring right? WRONG.This Powershell method is a very sneaky and hard to stop attack. This is because Powershell has immense power when it comes to moving around a Windows AD environment. It is also native to windows.
Step 1: After you have Empire installed from the given repository we are going to want to navigate to the directory it is installed to. [cd /home/Empire-master]
![[Image: 59V09IA.png]](http://i.imgur.com/59V09IA.png)
Step 2: Once we are in the directory, we are going to start the script up [python empire]
![[Image: zEgVWsH.png]](http://i.imgur.com/zEgVWsH.png)
Step 3: Once Empire has started and is running you will see the above screen. From here we have a few different options. Using the help command, we can see what our options are.
![[Image: f3bb666824218fcf8bc5429c7385d980.png]](https://i.gyazo.com/f3bb666824218fcf8bc5429c7385d980.png)
Step 4: Ok, now this is where the fun starts, we are going to type “listeners” to see the listening modules currently active. In our case since this is a fresh install there should be none, and we get the response “[!] No listeners currently active”. We are going to then type execute. Typing execute should start up a default listener and using the “list” command we can see that the listener module has started.
![[Image: 08edf1c6e90d17f40e13bd88a5c254d8.png]](https://i.gyazo.com/08edf1c6e90d17f40e13bd88a5c254d8.png)
Step 5: From here, we can type help again and see listener-module specific options we can use to configure our listening web server.
Step 6: Using the command “back” we can be taken back to the main menu.
Step 7: OK! Finally! This is where things start to get really interesting and you have to pay attention to what you are doing and the options you are setting. We are going to type the command usestager[SPACE]<tab key> this will show us all relevant stager options, and should look like this.
![[Image: ed7ba065e3c03fdaf44aafef4511bb4d.png]](https://i.gyazo.com/ed7ba065e3c03fdaf44aafef4511bb4d.png)
Step 8: Once you have selected a stager module, we are going to set it’s configuration by typing the command “options”. This will show us the different options(obviously) we can set to our liking.
![[Image: 1299da7f18284c5bf8399ded5f3f7806.png]](https://i.gyazo.com/1299da7f18284c5bf8399ded5f3f7806.png)
Step 9: I will be using the launcher_bat module for my example in this tutorial. Assuming that we have left the default config for our listener module, the name should be “test”. From the “stager/launcher_bat >” menu we type “set Listener test”.
This will set the payload/module to auto-configure itself to connect back to that specific listener. This is especially handy if you have multiple hosts of different categories, as you can keep them separate in different listeners.
Also for this step don’t forget to double check and type options again after configuration to make sure it is set how you want it.
Step 10: EXECUTE! We are going to type the execute command while still in the stager/launcher_bat menu and it should show you were it has put the .bat file. The default location is /tmp/launcher.bat.
YOU DID IT! Now we should have a batch file, that when executed results in this:
![[Image: 9XAZJBK.png]](http://i.imgur.com/9XAZJBK.png)
Conclusion: The same methods can be used for the other modules. Further Documentation on things I have not explained here can be found on GitHub. From here you can take a look around at the other modules that come with it, along with the POST exploitation modules that come with it for persistence and all the other goodies that would normally have to involve two separate pieces of software. You may want to poke around in the modules to see what this has to offer.
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India