We’re releasing the new version of Core Impact shortly, with some exciting new features. I can’t speak for anyone but myself but the single most exciting new feature in Impact 2017 is our new ability to launch Powershell natively on target systems. PowerShell is an incredibly well-designed tool for exploiting Windows systems.
When you have an agent on a system that supports Powershell (and has it installed), all you have to do is right click on the Agent, and select PowerShell Shell from the context menu to get a full remote PowerShell on the target.
You can also type #help to figure out what you’re doing.
This also presents me the opportunity to present something else that’s awesome. There is a most-excellent pure-Powershell post-exploitation tool called Powershell Empire. With this version of Impact, we’re also releasing the capability to pass a session from an Impact agent to a Powershell Empire agent. Since Powershell Empire’s command and control functionality doesn’t run on Windows, we’re going to have to build a Virtual Machine for it which I’ve documented step by step for you.
First, go ahead and download Ubuntu 14.04.5 LTS from http://releases.ubuntu.com/14.04/. Though this isn’t the latest and greatest version, this is the base build that our Quality Assurance team has validated it on. When I get a moment, I’ll write up instructions for successfully operating on the newer release.
Go ahead and spin up a virtual machine on the platform of your choice, and start the installation. It’s important to understand that your Impact system needs to be able to communicate with BOTH the Empire system and the target, and the target must be able to communicate back to the Impact system and the Empire system. So, if something doesn’t want to talk to something else, please check your network configuration for NATing first.
Since I’m using VMware Workstation as my virtualization platform, I get to cheat and grab a caffeinated beverage while it does the hard work of installing Ubuntu with the default settings, and installing open-vm-tools so that it plays nicely with the hypervisor. If you aren’t leveraging similar automation, make sure that you run sudo apt-get install open-vm-tools and reboot to make sure that the VM knows it’s a VM. (Yes, I’ve spent hours troubleshooting crappy VM performance before I realized that I forgot to install the tools. Please take a moment to laugh, and learn from my personal misfortune as part of your continued professional development.
Once you’ve completed the installation, pop a terminal window with Ctrl-Alt-T, and run the command sudo apt-get update.
Go grab another beverage and enjoy it while you wait.
sudo apt-get install python-pip
tar -xzvf 1.5.tar.gz
At this point, the install script will prompt you for permission to install dependencies. I suggest you say “Yes” if you want a functional installation at the end of the exercise. In fact, it’ll ask you several times. So don’t wander off for a long lunch while this is brewing…
When it finishes, it’ll prompt you for a server password, which you will want to remember.
Now for the hard part: We need to apply patches to the default Powershell Empire 1.5 installation so that our session passing will work. Thankfully, these are two single line changes.
First, we’re going to fire up our preferred text editor and look at lib/common/stagers.py, and go to line 127:
You need to update the line to look like this:
def generate_stager_hop(self, server, key, encrypt=True, encode=False):
The second file is data/agent/stager_hop.ps1
The final line needs to be updated so that it reads:
} Start-Negotiate -s “REPLACE_SERVER” -SK ‘REPLACE_STAGING_KEY’ -UA $u;
Finally, you’ll want to set the permissions on the entire Empire-1.5 directory. chmod -R 777 Empire-1.5
Now we’re ready to start up the Empire console and server. You’ll want to start another terminal session in the VM, so that you have both components available to watch.
In the first, you’ll navigate to the Empire-1.5 directory, then run ./empire
In the second, also make sure that you’re in the Empire-1.5 directory, and run ./empire —rest —password Password
Pick your own password, of course…
powershell empire coding steps
Inside the Empire console, enter the following commands:
set Name StartingListener
Now, we can pop back over into Impact where I’ve already placed an Impact agent a Windows 2008 Server with Powershell installed. I’ll go ahead and drag the Deploy Powershell Empire Agent module onto the target server.
After a few moments, if nothing goes wrong, you’ll see a success message in the Module Log:
core impact powershell example
And over on the Powershell Empire machine you’ll see a message in the console like so:
powershell empire machine
From the Empire console, type agents to go into the agents menu.
To work with the Empire agent, type interact <agentname>. Protip: You can use tab completion to fill in the agent name, or rename it to be something more readily memorable.