Empire（一）基础使用

夜yesec

已于 2022-09-12 21:26:32 修改

阅读量1.1k

点赞数 1

分类专栏：安全工具安全 empire学习文章标签：安全 web安全

于 2022-09-12 20:30:09 首次发布

本文链接：https://blog.csdn.net/qq_56426046/article/details/126821419

版权

安全同时被 3 个专栏收录

98 篇文章 11 订阅

订阅专栏

安全工具

35 篇文章 4 订阅

订阅专栏

empire学习

5 篇文章 1 订阅

订阅专栏

一.简介

后渗透框架这个框架渗透内网渗透，主要针对windows内网渗透，这个框架集合了很多powershell内网渗透脚本，它支持域内网渗透，宏钓鱼，内网横行扩展，权限维持，后门生成等

二.基本使用

1.开启powershell-empire服务

powershell-empire server

2.启动客户端

powershell-empire client

目前加载的模块 409

监听器

当前活动代理可以理解当前会话

3.帮助文档

help

agents            Jump to the Agents menu. 跳转到代理菜单

creds             Add/display credentials to/from the database. 从数据库中添加/显示凭据。

exit              Exit Empire

help              Displays the help menu. 显示“帮助”菜单。

interact          Interact with a particular agent. 与特定的代理交互。

list              Lists active agents or listeners. 列出活动代理或侦听器

listeners         Interact with active listeners. 与活跃的听众互动。

load              Loads Empire modules from a non-standard folder. 从非标准文件夹加载Empire模块

plugin            Load a plugin file to extend Empire. 加载插件文件以扩展Empire。

plugins           List all available and active plugins. 列出所有可用的和活动的插件

preobfuscate      Preobfuscate PowerShell module_source files 预混淆PowerShell模块源文件

reload            Reload one (or all) Empire modules. 重新加载一个(或所有)empire模块

report            Produce report CSV and log files: sessions.csv, credentials.csv, 生成报告CSV和日志文件:会话。csv、credentials.csvmaster.log

reset             Reset a global option (e.g. IP whitelists). 重置全局选项(例如IP白名单)

resource          Read and execute a list of Empire commands from a file. 从文件中读取并执行empire命令列表

searchmodule      Search Empire module names/descriptions. 搜索帝国模块名称/描述。

set               Set a global option (e.g. IP whitelists). 设置一个全局选项(例如IP白名单)。

show              Show a global option (e.g. IP whitelists). 显示一个全局选项(例如IP白名单)

usemodule         Use an Empire module. 使用empire模块

usestager         Use an Empire stager.

4.设置监听器

listeners 进入监听器按TAB键可以补全命令

uselistener 后边会有提示选择什么监听器

这里可以选择9种监听器，设置http监听器

uselistener http 选择http监听器

info 查询http模块的描述

监听器模块里带有 true的属性必须填写。这些属性必存在，而且有时候会存在默认值，可以通过命令set 和unset 更改或去掉内容。

5.设置监听器名

执行监听器

exectute

删除监听器

kill 监听器名

6.tager生成后门

usestager

这里提供了很多后门的模块，支持宏 windows mac linux系统。

选择 window/launcher.bat 作为演示。

set Listener [监听器名]

set Listener yesir

OutFile 导出的位置

这个bat需要攻击者诱导客户去打开。

7．agents活动代理

agents 查看当前的活动代理（也就是当前会话）

interact 选择一个当前会话

rename 重命名(现在的版本好像没有了)

Agent Commands

==============

Help Options
Name Description Usage

display Display an agent property display <property_name>

download Tasks an the specified agent to download <file_name>
download a file.

help Display the help menu for the help
current menu

history Display last number of task results history [<number_tasks>]
received.

info Display agent info. info

killdate Set an agent's killdate killdate <kill_date>
(01/01/2020)

proxy Proxy management menu for proxy
configuring agent proxies

script_command "Execute a function in the shell_command <script_cmd>
currently imported PowerShell
script."

script_import Uploads a PowerShell script to the script_import
server and runs it in memory on the <local_script_location>
agent. Use '-p' for a file
selection dialog.

shell Tasks an the specified agent to shell <shell_cmd>
execute a shell command.

sleep Tasks an the specified agent to sleep <delay> <jitter>
update delay (s) and jitter (0.0 -
1.0)

update_comms Update the listener for an agent. update_comms <listener_name>

upload Tasks an the specified agent to upload <local_file_directory>
upload a file. Use '-p' for a file
selection dialog.

view View specific task and result view <task_id>

vnc Launch a VNC server on the agent vnc
and spawn a VNC client

vnc_client Launch a VNC client to a remote vnc_client <address> <port>
server <password>

workinghours Set an agent's working hours workinghours <working_hours>
(9:00-17:00)

whoami Tasks an agent to run the shell whoami
command 'whoami'

ps Tasks an agent to run the shell ps
command 'ps'

sc Tasks the agent to run module sc
powershell/collection/screenshot.
Default parameters include: Ratio:
80

keylog Tasks the agent to run module keylog
powershell/collection/keylogger.
Default parameters include: Sleep:
1

sherlock Tasks the agent to run module sherlock
powershell/privesc/sherlock.

mimikatz Tasks the agent to run module power mimikatz
shell/credentials/mimikatz/logonpas
swords.

psinject Tasks the agent to run module psinject <Listener> <ProcId>
powershell/management/psinject.

revtoself Tasks the agent to run module revtoself
powershell/credentials/tokens.
Default parameters include:
RevToSelf: True

shinject Tasks the agent to run module shinject <Listener> <ProcId>
powershell/management/shinject.

spawn Tasks the agent to run module spawn <Listener>
powershell/management/spawn.

steal_token Tasks the agent to run module steal_token <ProcessID>
powershell/credentials/tokens.
Default parameters include:
ImpersonateUser: True

bypassuac Tasks the agent to run module power bypassuac <Listener>
shell/privesc/bypassuac_eventvwr.

8.简单的终端命令

Name Description Usage

add_notes Add user notes (use quotes) add_notes <notes>

clear_notes Clear user notes clear_notes

create_user Create user account for Empire create_user <username> <password>

delete_malleable_profile Delete malleable c2 profile from the database delete_malleable_profile <profile_name>

disable_user Disable user account for Empire disable_user <user_id>

download Download a file from the server to /empire/client/downloads download <filename>

enable_user Enable user account for Empire enable_user <user_id>

help Display the help menu for the current menu help

keyword_obfuscation Add key words to to be obfuscated from commands. Empire will keyword_obfuscation <keyword>
generate a random word if no replacement word is provided. [replacement]

load_malleable_profile Load malleable c2 profile to the database load_malleable_profile
<profile_directory> [profile_category]

malleable_profile View malleable c2 profile malleable_profile <profile_name>

notes Display your notes notes

obfuscate Turn on obfuscate all future powershell commands run on all obfuscate <obfucate_bool>
agents.

obfuscate_command Set obfuscation technique to run for all future powershell obfuscate_command <obfucation_type>
commands run on all agents.

preobfuscate Preobfuscate modules on the server. preobfuscate <force_reobfuscation>
<obfuscation_command>

report Produce report CSV and log files: sessions.csv, report
credentials.csv, master.log

upload Upload a file to the server from /empire/client/downloads. upload <file_directory>
Use '-p' for a file selection dialog.

user_list Display all Empire user accounts user_list

help agentcmds

ls, dir, rm, del, cp, copy, pwd, cat, cd, mkdir,

rmdir, mv, move, ipconfig, ifconfig, route,

reboot, restart, shutdown, ps, tasklist, getpid,

whoami, getuid, hostname

使用终端命令

shell 命令

模块命令使用

sc截图命令

searchmodule 搜索模块

usemodule 使用模块

code_execution代码执行

collection收集浏览器、剪切板、keepass、文件浏览记录等信息

credentials密码凭据的获取和转储

exfiltration信息渗出

exploitation漏洞溢出

lateral_movement横向运动移动

management用来执行些系统设置，和邮件信息的收集

persistence权限维持

privesc本机权限提升

recon侦察

situational_awareness评估主机运行环境，网络运行环境

trollsploit恶作剧