Post Exploitation: Empire
You may be able to learn how to exploit a system from a few articles but if you don’t know what you’re going to do after you’ve hacked, there’s no special meaning in hacking it at all. In this article, I’ll talk about an excellent exploitation framework called Empire.
Empire is a great post exploitation tool that contains python and powershell modules. Let’s get to the examples without further ado.
Let’s start by creating a listener.
With the uselistener command the http connection point opens. You can check the connection settings with the info command.
Connection point is created with the execute command.
Let’s get to the real point. A powershell code is created with the launcher powershell command. When we run this code in the target system we’ll get the shell.
We can see the machines we’re connected to with agents command. As you can see, we got a session when we ran the code in the target system. We can list the machines with list command. We can connect to the machine with interact command. And if you’ve noticed, there’s an asterisk in front of the username. This means we have admin authorities in the target machine.
After connecting to the target machine with interact command, we check the machine’s data with info command and then we can see that high_integrity is 1 which means that we’re an admin.
What would we have to do if we weren’t an admin?
We can jump on the admin authorities with bypassuac [listener name] command.
Let’s get the user passwords with mimikatz command.
We can see it more organized with creds command.
We can persist in the target machine using Empire.
We can also scan the network our target machine is using.
As you can see there’s a machine in the network. We can also find the Domain Controller if we’d like.