Powershell Empire is one of our all time favourite tools for engagements where targeting users is in scope, however we generally use a combination of Metasploit and Empire to get the job done, using browser exploits in conjunction with the standard stagers included with Empire.
On a recent test we did not have the option to use MSF, instead we hacked together a new stager for Empire which would leverage CVE-2016-0189 (also known as vbscript_godmode) to target users of Internet explorer 9 – 11. This has been our go-to exploit for 6 or so months and has recently started hitting exploit kits. If successful, powershell will be launched and an agent will connect back to Empire. Nothing will be dropped on disk.
First we will grab Empire, available on Github.
Now we have Empire downloaded, we will install apache2 so we can throw the index page out directly to /var/www/html. This step is optional as most will want to alter the output, obfuscating it to evade AV’s or similar.
Time to add our new stager, these are located in /lib/stagers and running the Empire install.sh script to get it up and running. If you are running Ubuntu, you will need to manually install pip before running this script.
Now we are ready to start Empire for the first time. If everything is well we should be able to “usestager ms16”, set our output file to /var/www/html/index.html and be ready to direct targets to it. More advanced users may want to set up something slightly more elaborate to serve different vectors to different clients or obfuscate the exploit, this is outside the scope of this article however.
My personal preference is to set the listener to port 443 in hopes of bypassing certain firewalls and evading some detection mechanisms.
Now to generate our malicious HTML.
Now when your server is visited by somebody with a vulnerable browser, the exploit should trigger and you will be presented with a new agent in Empire. It is normally a good idea to use the persistence modules to create a scheduled task or similar to ensure you do not lose access on reboot. These can be set to automatically run as a new client connects by setting the Agent to autorun.