1
00:00:01,110 --> 00:00:09,190
PowerShell Empire. Empire is a PowerShell
2
00:00:05,620 --> 00:00:10,750
and Python post-exploitation agent with
3
00:00:09,190 --> 00:00:13,780
a heavy focus on client-side
4
00:00:10,750 --> 00:00:16,890
exploitation and post-exploitation of
5
00:00:13,780 --> 00:00:19,449
Active Directory deployments.
6
00:00:16,890 --> 00:00:21,910
Exploitation and post-exploitation are
7
00:00:19,449 --> 00:00:26,289
performed using PowerShell on Windows
8
00:00:21,910 --> 00:00:28,630
and Python on Linux and Mac OS. Empire
9
00:00:26,289 --> 00:00:31,560
relies on standard pre-installed
10
00:00:28,630 --> 00:00:34,420
libraries and features. PowerShell
11
00:00:31,560 --> 00:00:37,629
execution requires only PowerShell
12
00:00:34,420 --> 00:00:42,550
version 2, and Linux and Mac modules
13
00:00:37,629 --> 00:00:44,410
require Python 2.6 or 2.7. While Empire
14
00:00:42,550 --> 00:00:46,420
seems to share many features with the
15
00:00:44,410 --> 00:00:49,329
Metasploit Framework, they are quite
16
00:00:46,420 --> 00:00:51,489
different in nature. Metasploit has a
17
00:00:49,329 --> 00:00:54,699
vast collection of exploits geared
18
00:00:51,489 --> 00:00:57,339
towards gaining initial access. On the
19
00:00:54,699 --> 00:01:00,670
other hand Empire is designed as a post
20
00:00:57,339 --> 00:01:04,089
exploitation tool targeted primarily at
21
00:01:00,670 --> 00:01:06,460
Active Directory environments. Empire
22
00:01:04,089 --> 00:01:08,710
tends to leverage built-in features of
23
00:01:06,460 --> 00:01:11,830
the target operating system and its
24
00:01:08,710 --> 00:01:16,340
major applications.
25
00:01:11,830 --> 00:01:18,170
Installation, setup and usage. Empire is
26
00:01:16,340 --> 00:01:20,840
not included in the Kali Linux
27
00:01:18,170 --> 00:01:23,320
repositories so we'll need to install it
28
00:01:20,840 --> 00:01:23,320
manually.
29
00:01:29,720 --> 00:01:37,100
First we need to clone the GitHub
30
00:01:32,250 --> 00:01:37,100
repository under the /opt directory.
32
00:01:48,420 --> 00:01:53,610
We can then install Empire by running
33
00:01:51,210 --> 00:01:56,150
the install script in the Empire setup
34
00:01:53,610 --> 00:01:56,150
directory.
36
00:02:05,570 --> 00:02:10,800
Empire allows for collaboration between
37
00:02:08,330 --> 00:02:14,849
penetration testers across multiple
38
00:02:10,800 --> 00:02:17,849
servers using shared private keys and by
39
00:02:14,849 --> 00:02:20,069
extension shared passwords. Since we are
40
00:02:17,849 --> 00:02:22,560
installing a single instance we'll press
41
00:02:20,069 --> 00:02:25,489
enter at the password prompt to generate
42
00:02:22,560 --> 00:02:25,489
a random password.
43
00:02:27,590 --> 00:02:31,700
With the framework installed, we can
44
00:02:29,569 --> 00:02:35,680
launch Empire with the aptly named
45
00:02:31,700 --> 00:02:35,680
Python script, empire.
46
00:02:41,689 --> 00:02:48,540
PowerShell Empire syntax. We can use help
47
00:02:46,140 --> 00:02:51,629
to list various commands available with
48
00:02:48,540 --> 00:02:55,670
Empire, including listeners, stagers,
49
00:02:51,629 --> 00:02:55,670
agents and modules.
50
00:02:55,770 --> 00:03:01,010
Let's take a look at these four major
51
00:02:58,290 --> 00:03:01,010
commands.
52
00:03:01,330 --> 00:03:07,280
Listeners and stagers. We'll begin our
53
00:03:05,150 --> 00:03:10,580
tour of Empire with a brief discussion
54
00:03:07,280 --> 00:03:12,920
of listeners and stagers. As with
55
00:03:10,580 --> 00:03:15,260
Metasploit's multi/handler, listeners
56
00:03:12,920 --> 00:03:18,800
accept inbound connections from various
57
00:03:15,260 --> 00:03:21,650
Empire agents. Stagers are small pieces
58
00:03:18,800 --> 00:03:24,230
of code generated by Empire that are
59
00:03:21,650 --> 00:03:27,380
executed on the victim and connect back
60
00:03:24,230 --> 00:03:29,330
to a listener. They set up a connection
61
00:03:27,380 --> 00:03:32,090
between the victim and the attacker and
62
00:03:29,330 --> 00:03:35,270
perform additional tasks to facilitate
63
00:03:32,090 --> 00:03:37,640
the transfer of a staged payload. To
64
00:03:35,270 --> 00:03:41,320
begin an Empire session, we'll first enter
65
00:03:37,640 --> 00:03:41,320
the listeners context.
66
00:03:42,260 --> 00:03:47,790
Then we'll print available listeners
67
00:03:45,120 --> 00:03:51,269
with uselistener followed by a space
68
00:03:47,790 --> 00:03:54,349
and a double tab to engage Empire's tab
69
00:03:51,269 --> 00:03:54,349
completion feature.
70
00:03:55,990 --> 00:04:01,930
The HTTP listener is the most basic
71
00:03:59,590 --> 00:04:05,740
listener which communicates through a
72
00:04:01,930 --> 00:04:09,940
series of HTTP GET and POST requests to
73
00:04:05,740 --> 00:04:12,250
simulate legitimate HTTP traffic. Once
74
00:04:09,940 --> 00:04:15,070
we've decided on a listener we can pass
75
00:04:12,250 --> 00:04:17,640
its name to the uselistener command to
76
00:04:15,070 --> 00:04:17,640
select it.
77
00:04:17,660 --> 00:04:25,510
With our listener selected, we can run
78
00:04:20,270 --> 00:04:25,510
info to display information and syntax.
79
00:04:26,070 --> 00:04:32,850
There are many available options, but
80
00:04:28,680 --> 00:04:35,310
most are already set or are optional. The
81
00:04:32,850 --> 00:04:38,460
most important parameters are Host and
82
00:04:35,310 --> 00:04:41,490
Port, which are used to set the local IP
83
00:04:38,460 --> 00:04:44,270
address or hostname and the port number
84
00:04:41,490 --> 00:04:48,180
of the listener, respectively.
85
00:04:44,270 --> 00:04:52,040
We can set the Host value by running set
86
00:04:48,180 --> 00:04:54,660
Host followed by our local IP address.
87
00:04:52,040 --> 00:04:56,790
There are additional settings worth
88
00:04:54,660 --> 00:04:59,700
noting.
89
00:04:56,790 --> 00:05:02,400
DefaultDelay sets the wait interval
90
00:04:59,700 --> 00:05:05,550
callback time from the compromised host
91
00:05:02,400 --> 00:05:10,250
to the listener. This feature attempts to
92
00:05:05,550 --> 00:05:13,700
simulate more legitimate HTTP traffic.
93
00:05:10,250 --> 00:05:16,760
The DefaultJitter setting is a random
94
00:05:13,700 --> 00:05:19,070
offset to DefaultDelay designed to make
95
00:05:16,760 --> 00:05:24,110
the traffic seem less programmatically
96
00:05:19,070 --> 00:05:25,850
generated. Setting KillDate will self
97
00:05:24,110 --> 00:05:29,050
terminate the listeners on all
98
00:05:25,850 --> 00:05:31,490
compromised hosts on the specified date.
99
00:05:29,050 --> 00:05:33,800
This is especially useful when
100
00:05:31,490 --> 00:05:37,010
performing clean up after a penetration
101
00:05:33,800 --> 00:05:39,200
test. Once the options are set, we can
102
00:05:37,010 --> 00:05:41,650
start the listener with the execute
103
00:05:39,200 --> 00:05:41,650
command.
104
00:05:43,040 --> 00:05:48,790
We can return to the main listener menu
105
00:05:45,920 --> 00:05:48,790
with back.
106
00:05:49,639 --> 00:05:56,100
Lastly, we can list all available stagers
107
00:05:52,830 --> 00:05:58,790
with usestager followed by a space and
108
00:05:56,100 --> 00:05:58,790
two tabs.
109
00:05:59,379 --> 00:06:06,740
Empire supports stagers for Windows
110
00:06:02,330 --> 00:06:09,620
Linux and OS X. Windows stagers include
111
00:06:06,740 --> 00:06:12,650
support for standard DLLs, HTML
112
00:06:09,620 --> 00:06:15,770
applications, Microsoft Office macros and
113
00:06:12,650 --> 00:06:18,650
more exotic stagers such as the USB
114
00:06:15,770 --> 00:06:21,169
Rubber Ducky. To get an idea of how this
115
00:06:18,650 --> 00:06:23,910
works, let's try out the windows/launcher_bat
116
00:06:21,169 --> 00:06:26,790
stager.
117
00:06:23,910 --> 00:06:30,710
After selecting the stager, we can review
118
00:06:26,790 --> 00:06:30,710
the options with the info command.
119
00:06:34,240 --> 00:06:39,789
We can configure the Listener parameter
120
00:06:36,789 --> 00:06:43,380
with set Listener followed by the name
121
00:06:39,789 --> 00:06:43,380
of the listener we just created.
122
00:06:43,860 --> 00:06:50,099
Finally, we'll create the stager with the
123
00:06:47,019 --> 00:06:50,099
execute command.
124
00:06:52,400 --> 00:06:56,479
To better understand the stager we just
125
00:06:54,710 --> 00:07:00,699
created let's take a look at the
126
00:06:56,479 --> 00:07:00,699
generated launcher.bat file.
127
00:07:03,350 --> 00:07:09,170
The stager is a base64-encoded
128
00:07:06,430 --> 00:07:11,750
PowerShell command string. The
129
00:07:09,170 --> 00:07:13,970
first-stage payload will connect to the
130
00:07:11,750 --> 00:07:17,350
listener and fetch the rest of the
131
00:07:13,970 --> 00:07:17,350
Empire agent code.
132
00:07:20,879 --> 00:07:27,209
The Empire agent. Now that we have our
133
00:07:24,929 --> 00:07:29,849
listener running and our stager prepared
134
00:07:27,209 --> 00:07:32,849
we'll need to deploy an agent on the
135
00:07:29,849 --> 00:07:35,550
victim. An agent is simply the final
136
00:07:32,849 --> 00:07:37,349
payload retrieved by the stager and it
137
00:07:35,550 --> 00:07:41,069
allows us to execute commands and
138
00:07:37,349 --> 00:07:43,529
interact with the system. The stager
139
00:07:41,069 --> 00:07:47,459
deletes itself and exits once it
140
00:07:43,529 --> 00:07:49,589
finishes execution. Once the agent is
141
00:07:47,459 --> 00:07:52,679
operational on the target it'll set up
142
00:07:49,589 --> 00:07:55,050
an AES-encrypted communication channel
143
00:07:52,679 --> 00:07:59,639
with the listener using the data portion
144
00:07:55,050 --> 00:08:01,589
of the HTTP GET and POST requests. To
145
00:07:59,639 --> 00:08:03,839
deploy our agent we need to copy the
146
00:08:01,589 --> 00:08:06,569
launcher.bat script to the Windows
147
00:08:03,839 --> 00:08:09,300
10 workstation and execute it from a
148
00:08:06,569 --> 00:08:11,629
command prompt. We'll start by setting up
149
00:08:09,300 --> 00:08:14,629
a Python web server listening on port
150
00:08:11,629 --> 00:08:14,629
8000.
151
00:08:16,240 --> 00:08:23,009
Then we'll connect to the Windows 10
152
00:08:18,550 --> 00:08:23,009
client via remote desktop.
153
00:08:26,740 --> 00:08:31,210
We'll use a PowerShell one-liner to
154
00:08:29,350 --> 00:08:33,630
download the batch file from our Kali
155
00:08:31,210 --> 00:08:33,630
machine.
156
00:08:36,690 --> 00:08:41,300
Finally, we can run the batch script.
157
00:08:42,919 --> 00:08:48,819
Once we run the script, our command
158
00:08:45,350 --> 00:08:52,749
prompt closes, which is expected behavior.
159
00:08:48,819 --> 00:08:52,749
Let's switch back to Empire.
160
00:08:57,350 --> 00:09:03,050
Back in Empire, we see that we've
161
00:08:59,270 --> 00:09:05,510
received the initial agent call. Next, we
162
00:09:03,050 --> 00:09:09,070
can use the agents command to display
163
00:09:05,510 --> 00:09:09,070
all active agents.
164
00:09:09,340 --> 00:09:15,160
Now we can use interact followed by the
165
00:09:12,550 --> 00:09:18,290
agent name to interact with our agent
166
00:09:15,160 --> 00:09:21,139
and execute commands.
167
00:09:18,290 --> 00:09:25,029
Let's run sysinfo to retrieve
168
00:09:21,139 --> 00:09:25,029
information about the compromised host.
169
00:09:29,920 --> 00:09:36,100
Note that the command does not return
170
00:09:32,529 --> 00:09:38,290
immediately. This delay is caused by the
171
00:09:36,100 --> 00:09:40,300
DefaultDelay parameter, which is
172
00:09:38,290 --> 00:09:44,260
currently set to the default value of
173
00:09:40,300 --> 00:09:46,960
five seconds. The help command shows all
174
00:09:44,260 --> 00:09:48,970
available commands.
175
00:09:46,960 --> 00:09:50,680
These include commands such as
176
00:09:48,970 --> 00:09:54,580
upload/download
177
00:09:50,680 --> 00:09:57,430
and exit, which are self-explanatory. In
178
00:09:54,580 --> 00:09:59,800
addition, we can use shell to execute a
179
00:09:57,430 --> 00:10:02,640
command and spawn to create an
180
00:09:59,800 --> 00:10:05,980
additional agent on the same host. As
181
00:10:02,640 --> 00:10:08,050
with a Meterpreter payload, Empire allows
182
00:10:05,980 --> 00:10:11,560
us to migrate our payload into a
183
00:10:08,050 --> 00:10:14,380
different process. We can do that by
184
00:10:11,560 --> 00:10:16,890
first using ps to view all running
185
00:10:14,380 --> 00:10:16,890
processes.
187
00:10:27,720 --> 00:10:33,320
Once we choose our target process, we'll
188
00:10:30,630 --> 00:10:35,550
migrate the payload with psinject,
189
00:10:33,320 --> 00:10:40,610
including the name of the listener and
190
00:10:35,550 --> 00:10:40,610
the process ID as our command arguments.
191
00:10:43,290 --> 00:10:47,430
It's important to note that unlike the
192
00:10:45,509 --> 00:10:50,220
migration feature of the Meterpreter
193
00:10:47,430 --> 00:10:53,190
payload, once the process migration is
194
00:10:50,220 --> 00:10:55,949
completed the original Empire agent
195
00:10:53,190 --> 00:10:59,630
remains active and we'll have to manually
196
00:10:55,949 --> 00:10:59,630
switch to the newly created one.
198
00:11:08,140 --> 00:11:14,830
PowerShell modules. The power of Empire
199
00:11:12,310 --> 00:11:17,890
agents lies in the various modules
200
00:11:14,830 --> 00:11:20,530
offered by the framework. We can list all
201
00:11:17,890 --> 00:11:24,960
available modules with usemodule
202
00:11:20,530 --> 00:11:24,960
followed by a space and double tab.
203
00:11:26,620 --> 00:11:31,300
The modules are divided into multiple
204
00:11:28,600 --> 00:11:34,360
categories but also include basic
205
00:11:31,300 --> 00:11:38,070
features such as keylogging, screenshots
206
00:11:34,360 --> 00:11:38,070
and file downloads.
207
00:11:38,509 --> 00:11:43,620
Situational awareness. Let's take a look
208
00:11:42,000 --> 00:11:46,379
at a few modules to see what they
209
00:11:43,620 --> 00:11:49,110
consist of. We'll target the dedicated
210
00:11:46,379 --> 00:11:52,290
Active Directory lab environment in this
211
00:11:49,110 --> 00:11:55,050
section. To begin, let's explore the
212
00:11:52,290 --> 00:11:57,089
situational awareness category. While
213
00:11:55,050 --> 00:11:59,250
there are many methods and commands for
214
00:11:57,089 --> 00:12:01,620
performing network enumeration the
215
00:11:59,250 --> 00:12:04,250
primary focus of this category is on
216
00:12:01,620 --> 00:12:06,990
local client and Active Directory
217
00:12:04,250 --> 00:12:11,120
enumeration. For example, let's
218
00:12:06,990 --> 00:12:11,120
investigate the get_user module.
219
00:12:11,720 --> 00:12:18,390
We'll issue the info command to display
220
00:12:14,810 --> 00:12:20,850
information about the module.
221
00:12:18,390 --> 00:12:23,210
First, let's take a look at the header
222
00:12:20,850 --> 00:12:23,210
section.
223
00:12:25,200 --> 00:12:32,339
The Name, Module and Language fields are
224
00:12:28,500 --> 00:12:34,649
self-explanatory. If the script requires
225
00:12:32,339 --> 00:12:38,089
local administrator permissions the
226
00:12:34,649 --> 00:12:40,380
NeedsAdmin field will be set to True. If
227
00:12:38,089 --> 00:12:42,839
we wish to avoid leaving behind
228
00:12:40,380 --> 00:12:44,970
indicators of compromise such as
229
00:12:42,839 --> 00:12:48,510
temporary disk files or new user
230
00:12:44,970 --> 00:12:52,350
accounts, we set the OpsecSafe field to
231
00:12:48,510 --> 00:12:54,839
True. This stealth-driven approach has a
232
00:12:52,350 --> 00:12:58,620
greater likelihood of evading endpoint
233
00:12:54,839 --> 00:13:01,199
protection mechanisms. The min language
234
00:12:58,620 --> 00:13:03,360
version field describes the minimum
235
00:13:01,199 --> 00:13:05,790
version of PowerShell required to
236
00:13:03,360 --> 00:13:08,399
execute the script. This is especially
237
00:13:05,790 --> 00:13:12,209
relevant when working with Windows 7 or
238
00:13:08,399 --> 00:13:14,930
Windows Server 2008 R2 targets, as they
239
00:13:12,209 --> 00:13:17,130
ship with PowerShell version 2.
240
00:13:14,930 --> 00:13:19,230
Background tells us if the module
241
00:13:17,130 --> 00:13:22,529
executes in the background without
242
00:13:19,230 --> 00:13:25,500
visibility for the victim, while the
243
00:13:22,529 --> 00:13:28,350
OutputExtension tells us the output
244
00:13:25,500 --> 00:13:31,800
format if the module returns output to a
245
00:13:28,350 --> 00:13:34,339
file. Several options follow the header
246
00:13:31,800 --> 00:13:34,339
fields.
247
00:13:34,420 --> 00:13:39,519
In this particular module, all of these
248
00:13:36,850 --> 00:13:42,300
are optional except Agent, which is
249
00:13:39,519 --> 00:13:42,300
already set.
250
00:13:43,420 --> 00:13:48,990
This module will work as-is and enumerate
251
00:13:46,510 --> 00:13:51,520
all users in the target Active Directory.
252
00:13:48,990 --> 00:13:53,710
We could set any number of filtering
253
00:13:51,520 --> 00:13:56,700
options but we'll simply run the module
254
00:13:53,710 --> 00:13:56,700
with execute.
255
00:14:00,540 --> 00:14:05,100
In addition to the enumeration tools in
256
00:14:03,000 --> 00:14:07,500
the PowerView subcategory, the
257
00:14:05,100 --> 00:14:10,170
situational awareness category also
258
00:14:07,500 --> 00:14:13,190
includes a wide variety of network and
259
00:14:10,170 --> 00:14:13,190
port scanners.
260
00:14:13,559 --> 00:14:19,209
Credentials and privilege escalation.
261
00:14:16,619 --> 00:14:22,179
Privilege escalation modules are found
262
00:14:19,209 --> 00:14:23,949
in the privesc category. One of the
263
00:14:22,179 --> 00:14:27,750
more interesting modules in this group
264
00:14:23,949 --> 00:14:30,750
is PowerUp AllChecks.
265
00:14:27,750 --> 00:14:33,750
It uses several techniques based on
266
00:14:30,750 --> 00:14:36,720
misconfigurations such as unquoted service
267
00:14:33,750 --> 00:14:40,850
paths, improper permissions on service
268
00:14:36,720 --> 00:14:40,850
executables and much more.
269
00:14:46,860 --> 00:14:52,829
This module can reveal some very useful
270
00:14:49,829 --> 00:14:52,829
information.
271
00:14:53,960 --> 00:15:00,110
The bypassuac_fodhelper module is
272
00:14:57,800 --> 00:15:03,640
quite useful if we have access to a
273
00:15:00,110 --> 00:15:03,640
local administrator account.
274
00:15:03,670 --> 00:15:09,560
Depending on the local Windows version,
275
00:15:06,080 --> 00:15:14,220
this module can bypass UAC and launch a
276
00:15:09,560 --> 00:15:16,650
high-integrity PowerShell Empire agent.
277
00:15:14,220 --> 00:15:19,940
Before running this module, we need to
278
00:15:16,650 --> 00:15:19,940
configure our listener.
279
00:15:23,970 --> 00:15:31,170
When we run execute, Empire warns us that
280
00:15:27,629 --> 00:15:33,949
the module is not OPSEC safe and asks us
281
00:15:31,170 --> 00:15:33,949
to confirm the operation.
282
00:15:38,170 --> 00:15:43,420
Once we have a high-integrity session, we
283
00:15:41,350 --> 00:15:46,510
can perform actions that require local
284
00:15:43,420 --> 00:15:49,120
administrator or system rights such as
285
00:15:46,510 --> 00:15:51,660
executing Mimikatz to dump cached
286
00:15:49,120 --> 00:15:51,660
credentials.
287
00:15:52,480 --> 00:15:56,919
The credentials category contains
288
00:15:54,489 --> 00:16:00,299
multiple Mimikatz commands that have
289
00:15:56,919 --> 00:16:00,299
been ported into Empire.
290
00:16:00,580 --> 00:16:06,220
The commands marked with an asterisk
291
00:16:02,470 --> 00:16:09,399
require a high-integrity Empire agent.
292
00:16:06,220 --> 00:16:11,589
Mimikatz is implemented in Empire by
293
00:16:09,399 --> 00:16:15,130
using an injection technique called
294
00:16:11,589 --> 00:16:17,800
reflective DLL injection, in which the
295
00:16:15,130 --> 00:16:21,250
Mimikatz library is loaded into the
296
00:16:17,800 --> 00:16:23,440
agent directly from memory. The primary
297
00:16:21,250 --> 00:16:25,110
reason for this approach lies in the
298
00:16:23,440 --> 00:16:28,779
fact that most endpoint protection
299
00:16:25,110 --> 00:16:31,720
systems analyze all files located on
300
00:16:28,779 --> 00:16:34,420
disk and loading a malicious executable
301
00:16:31,720 --> 00:16:37,899
file directly from memory reduces the
302
00:16:34,420 --> 00:16:40,660
risk of detection. This method is custom
303
00:16:37,899 --> 00:16:43,600
coded into the agent as Windows does not
304
00:16:40,660 --> 00:16:45,779
expose any official APIs that would
305
00:16:43,600 --> 00:16:48,370
allow us to achieve the same objective.
306
00:16:45,779 --> 00:16:53,700
Let's take a look at a high-integrity
307
00:16:48,370 --> 00:16:53,700
access module such as logonpasswords.
308
00:16:59,680 --> 00:17:04,850
This output is identical to Mimikatz,
309
00:17:02,810 --> 00:17:06,939
but the collected credentials are also
310
00:17:04,850 --> 00:17:11,439
written into the credential store
311
00:17:06,939 --> 00:17:11,439
enumerated with the creds command.
312
00:17:11,490 --> 00:17:18,829
We can also manually enter credentials
313
00:17:14,040 --> 00:17:18,829
into the credential store with creds add.
314
00:17:23,769 --> 00:17:30,139
Lateral movement. Once we gain valid user
315
00:17:27,889 --> 00:17:32,509
credentials we can begin to use these
316
00:17:30,139 --> 00:17:35,330
credentials to attempt to log in to other
317
00:17:32,509 --> 00:17:38,059
systems in a process known as lateral
318
00:17:35,330 --> 00:17:40,490
movement. In our labs, the domain
319
00:17:38,059 --> 00:17:43,009
controller is located on an internal
320
00:17:40,490 --> 00:17:46,070
network meaning we cannot reach it from
321
00:17:43,009 --> 00:17:48,139
our Kali VM. To demonstrate the mechanics
322
00:17:46,070 --> 00:17:50,210
of lateral movement with Empire we'll
323
00:17:48,139 --> 00:17:52,759
obtain another shell on the Windows 10
324
00:17:50,210 --> 00:17:55,820
client in the context of a different
325
00:17:52,759 --> 00:17:58,490
user. Although this example is simplified
326
00:17:55,820 --> 00:18:00,409
because of the single target VM, the
327
00:17:58,490 --> 00:18:02,720
mechanics of the process are the same
328
00:18:00,409 --> 00:18:06,320
when moving to a different remote host
329
00:18:02,720 --> 00:18:08,299
in a real-world situation. There are
330
00:18:06,320 --> 00:18:10,610
various vectors in the lateral movement
331
00:18:08,299 --> 00:18:15,039
category that we can use to invoke an
332
00:18:10,610 --> 00:18:15,039
Empire agent on a remote host.
333
00:18:15,080 --> 00:18:21,590
As an example, we'll try out the
334
00:18:18,019 --> 00:18:26,230
Invoke-SMBExec module.
335
00:18:21,590 --> 00:18:26,230
This module requires several parameters.
336
00:18:26,390 --> 00:18:32,590
We'll set ComputerName to the hostname
337
00:18:29,210 --> 00:18:35,590
of the Windows 10 client and Listener to
338
00:18:32,590 --> 00:18:35,590
http.
339
00:18:37,450 --> 00:18:43,330
We'll also set the username, domain and
340
00:18:40,510 --> 00:18:46,390
hash parameters using the relevant data
341
00:18:43,330 --> 00:18:49,470
from the jeff_admin user account found
342
00:18:46,390 --> 00:18:49,470
in the previous section.
343
00:18:53,790 --> 00:18:58,610
Let's execute this module and see what
344
00:18:56,220 --> 00:18:58,610
happens.
345
00:19:00,710 --> 00:19:08,330
Excellent, the agent was successfully
346
00:19:03,720 --> 00:19:08,330
deployed and we can now interact with it.
348
00:19:20,410 --> 00:19:26,960
Switching between Empire and Metasploit.
349
00:19:23,470 --> 00:19:29,570
The Empire agent supports many features,
350
00:19:26,960 --> 00:19:31,550
however, there are often times we need to
351
00:19:29,570 --> 00:19:34,310
use features that are only found in
352
00:19:31,550 --> 00:19:36,200
Metasploit. Since we can have both Empire
353
00:19:34,310 --> 00:19:38,930
and Metasploit shells on the same
354
00:19:36,200 --> 00:19:41,200
compromised host, this is actually quite
355
00:19:38,930 --> 00:19:41,200
easy.
356
00:19:42,110 --> 00:19:48,270
First, we'll use msfvenom to create a
357
00:19:45,750 --> 00:19:50,900
Meterpreter reverse shell as an
358
00:19:48,270 --> 00:19:50,900
executable.
359
00:19:54,540 --> 00:20:00,100
Next, we'll set up a Metasploit listener
360
00:19:57,220 --> 00:20:04,050
using the multi/handler module and the
361
00:20:00,100 --> 00:20:04,050
same settings we used for our payload.
362
00:20:07,310 --> 00:20:11,950
We'll select the multi/handler module,
363
00:20:12,420 --> 00:20:18,170
set the payload to a reverse HTTP
364
00:20:15,630 --> 00:20:18,170
Meterpreter,
365
00:20:18,559 --> 00:20:23,980
and set the values for LPORT and LHOST.
366
00:20:26,210 --> 00:20:31,509
With our settings configured, we'll launch
367
00:20:28,759 --> 00:20:31,509
the module.
368
00:20:31,740 --> 00:20:39,260
Now we'll switch back to our PowerShell
369
00:20:34,380 --> 00:20:39,260
Empire shell and upload the executable.
370
00:20:43,389 --> 00:20:48,759
After uploading the executable, we'll
371
00:20:46,029 --> 00:20:52,649
issue the pwd command to reveal its
372
00:20:48,759 --> 00:20:52,649
location and then execute it.
373
00:20:58,390 --> 00:21:03,470
With the executable running, we'll switch
374
00:21:01,550 --> 00:21:07,300
back to our Meterpreter listener and
375
00:21:03,470 --> 00:21:07,300
find the incoming shell.
377
00:21:15,140 --> 00:21:19,320
Reversing this process to connect to an
378
00:21:17,580 --> 00:21:22,890
Empire agent from an existing
379
00:21:19,320 --> 00:21:24,450
Meterpreter session is also simple. We
380
00:21:22,890 --> 00:21:27,290
can create a launcher and use
381
00:21:24,450 --> 00:21:30,090
Meterpreter to upload and execute it.
382
00:21:27,290 --> 00:21:32,660
First, we'll create the launcher using
383
00:21:30,090 --> 00:21:32,660
Empire.
384
00:21:39,140 --> 00:21:47,660
We simply set the listener, which in our
385
00:21:42,120 --> 00:21:50,090
case is HTTP, then upload and execute it.
386
00:21:47,660 --> 00:21:52,720
We'll first upload the file through the
387
00:21:50,090 --> 00:21:52,720
Meterpreter shell.
388
00:21:55,399 --> 00:22:01,509
Then we'll run the shell command and
389
00:21:57,889 --> 00:22:01,509
execute our batch script.
390
00:22:05,280 --> 00:22:11,450
Now we should receive an Empire agent
391
00:22:08,130 --> 00:22:11,450
from the compromised host.
392
00:22:12,620 --> 00:22:16,580
Using these techniques, we can switch
393
00:22:14,870 --> 00:22:19,659
between frameworks on the same
394
00:22:16,580 --> 00:22:19,659
compromised host.
395
00:22:22,340 --> 00:22:27,980
Wrapping up. In this module, we covered
396
00:22:25,400 --> 00:22:31,090
the basic syntax and functionality of
397
00:22:27,980 --> 00:22:35,320
PowerShell Empire, such as listeners,
398
00:22:31,090 --> 00:22:35,320
stagers and agents.
399
00:22:36,570 --> 00:22:41,549
We also explored various modules to
400
00:22:39,210 --> 00:22:45,539
perform enumeration, obtain credentials
401
00:22:41,549 --> 00:22:47,549
and perform lateral movement. Lastly, we
402
00:22:45,539 --> 00:22:51,830
looked at how PowerShell Empire and
403
00:22:47,549 --> 00:22:51,830
Metasploit can be used together.