
Hello everybody, this is Building an Empire with Python. I just want to say I love BSides Las Vegas. I spoke here last year on PowerShell Empire; we know the names get a little weird, and we'll explain that at the end. But I love this conference, I love interacting with everybody, and I'm super stoked to be here again. So my name is Will Schroeder, and if anyone was in the two o'clock talk for BloodHound I'll be brief. My handle is harmj0y. I'm a researcher and red teamer for the Adaptive Threat Division of Veris Group. I've done a lot of offensive PowerShell, but this will be one of the first talks in a bit where I will not say the word "PowerShell" the entire time, so if you're tired of hearing me say that you should hopefully be happy. I'm a co-founder of a few projects and an active developer: the Veil Framework, PowerShell Empire, and this project. I'm also a PowerShell MVP and an active PowerSploit developer.

Riding on Will's coattails, I'm Steve, Steve Borosh, Veris Group. Prior US Army infantryman; I kind of did a career change a few years ago and decided to go from kicking in doors to breaking into security systems. I've also authored some tools, worked on Egress-Assess, Empire, some things like that, and PowerShell Empire as well.

My name is Alex Rymdeko-Harvey; it is a mouthful for sure. My handle is killswitch-GUI. I work for Veris Group as well; I'm a pentester and red teamer just like these guys are, and a few things I've helped work on were SimplyEmail and SimplyTemplate.

Cool, all right, that's all out of the way. So what we're going to be talking about today: I'm going to go a bit over the motivation for building this project, and then, in five or ten seconds: Python Empire is an OS X and Linux based malware agent that has a very similar architecture to the PowerShell Empire project. We're going to go over the background of Empire, the architectural decisions, kind of RATs 101, like why we built it this way; go over some of the stagers with Steve; host and network triage with Steve and Alex; lateral movement, persistence and the like; and really go over how this agent can facilitate the tradecraft that you might be used to on Windows, but do it instead for OS X specifically, and also a bit for Linux. That's going to be an ongoing theme throughout the entire presentation. There'll be a few comments at the end about future plans, the combination of the code bases and things like that, and all throughout the presentation we're going to have small demos. Instead of one ten-minute demo at the end we're going to break it up into little two or three minute chunks, so you don't have to hear us just talk through slides the entire time.

So why build this? We do a lot of engagements; we do a lot of pen tests, we do a lot of red teams, which we kind of define as three to six week type engagements. We had a particular client, or a couple of clients, that started having heavier concentrations of OS X machines in their environment. This one particular client: we did the first engagement and we essentially tried to hit all the Windows virtual machines and developers and things like that, because we're really heavy on Windows tradecraft. We hit that, we went back, and they were super happy, and afterwards they were like, "well, okay, we're going to bring you in again, but you have to hit OS X." It was late last year, and we were like, "oh [ __ ]," you know, OS X. Okay, we know a couple of things, but there's not nearly as much information on OS X as there is on Windows, right? It has a much smaller market share, so there are not as many attack toolsets; there are a few small pieces. FuzzyNop did a great presentation at DerbyCon 2014, if anyone saw it, I think it was "Red Teaming: Back and Forth, 5ever," where he talked about some of these OS X post-exploitation capabilities specifically. But we didn't really see any kind of complete OS X agents, right? There weren't a huge amount of possibilities for us. So over Christmas last year I spent the entire break and wrote a Python malware agent for this particular client. Instead of writing from scratch in, I don't know, Objective-C or Swift or whatever for OS X (I'm a Windows dude), it was like, okay, there's Ruby and Python and scripting languages; okay, I'm just going to go with the PowerShell Empire type architecture. We use a huge amount of the back end of the PowerShell Empire controller, which we'll go over here in a bit, and some of the stuff that's out there for OS X.

So even though the pentesting community does not have as many toolsets, there is obviously malicious OS X malware out there, right: WireLurker for trojanized applications, XcodeGhost for Xcode packages, kind of originating from China; and Hacking Team, with the leak and all their source code, where we got a really nice view into these more advanced, almost nation-state style OS X tools. This is not nearly as good as that, obviously, because we're just a couple of dudes doing this in our spare time, but again, there have been malicious OS X toolsets out there; there just hadn't been something super open source and public, with the modular architecture that we're used to operating in as open source, legitimate pentesters and red teamers.

We're going to touch on this throughout the entire presentation, but OS X, to us at least, presents a good number of challenges versus Windows. There aren't nearly as many public OS X attack toolsets, because of the market share in particular. There are a few things that are really kind of pain points for us on OS X from a pentester perspective. Initial access vectors: there are just not that many of them. With Windows you have HTAs and macros and the regsvr32 SCT type stuff; it seems like every few weeks there's a new initial access vector you can have for Windows through phishing. For OS X we didn't really see many vectors at all, so we ended up creating a macro based approach, which afterwards some people came out of the woodwork and were like, "oh yeah, this has been public," but it just wasn't publicized. So we're not claiming we invented this stuff; we were just trying to develop solutions on the fly for engagements so we could be effective. Lateral spread is also really annoying for us. If you're on Windows you pass the hash and all this really fun stuff, and domain delegated access. With OS X you might have SSH, you might not, but other than that it's a lot more difficult for sure, and Steve will cover some of that stuff in a later section.

So, RATs 101: just a few of the thoughts we had when we started designing the architecture of this whole project. We want staging flexibility, and by that we mean we want an easy way to generate a large number of stagers. By stagers I mean the first little bit of code that's executed on a system that starts the staging process for the entire RAT. With Empire, Python Empire as well as PowerShell Empire, we don't give you, unless you really want it, the entire RAT in one malicious block; we have key exchange and all this type of stuff, so you can run just a small one-liner snippet in a variety of ways to get the entire agent staged into memory. Modularity: just like the PowerShell Empire project, we want to give people the ability to build their own modules, and actually the talk right after this, they're dropping some live Python Empire modules. I haven't seen them at all; they develop some awesome stuff. I don't actually know the contents of the modules they're dropping, so we're pretty excited. And also, we care a lot about crypto. We don't want self-signed SSL certificates to be the only thing that protects the communications in our clients' environments, and these really high security clients, they care about crypto as well. So if we can demo to them, like, look, we have encrypted key exchange, perfect forward secrecy and all this stuff, to show that we thought it through, hopefully that makes them a bit more at ease. And also I'll touch just briefly on the staging problem: somehow your malicious code has to get to the target. Whether you package it all up and send it to them in one initial payload, you can do that, but somehow this code has to traverse the network to get to the client, so there are a lot of things that come into play with that.
So the solution we built: Python Empire. That was our last-minute, now slightly regrettable naming scheme, because everyone's like, "Empire, Empire, what the hell are you talking about?" But we thought it was clever at the time, in kind of a sleep-deprived and caffeine-fueled end of the development cycle. This is the interface, just to show you guys; it should look very familiar to PowerShell Empire because it uses 95 percent of the same back-end code base. It's a text-based driven tool. We also have a RESTful API, which I'll touch on right at the end, where people have started to build front-end GUIs for these types of toolsets that we're building, because a RESTful API provides the ability to do so. So we're excited about the future possibilities; if anyone wants to talk about that later, we'll be out for a little bit in the main room, I'd love to talk shop.

So the background again: it's a pure Python based agent. It's Python 2.7 and 2.6 compatible, so it'll work on most Linux systems and it will definitely work on OS X systems. This isn't just a PoC tool that we developed a couple of months ago; we've used this on engagements more than once, it's been extremely effective for us, so we're happy to share it with everybody. It's heavily based on the PowerShell Empire project. It has an asynchronous communication model, so the client will request a tasking over HTTP or HTTPS at the moment (we're hoping to incorporate more transport mechanisms in the future), and the server returns an encrypted blob. But instead of an established type of connection that's kept persistent, this is all asynchronous: reach out, get the tasking, process it, post the results back, and you can have delay intervals anywhere from five seconds to hours. We also have Diffie-Hellman-based encrypted key exchange. I won't go into all the guts of this stuff; I find it really fascinating, but I know most people don't. The point with this is that Diffie-Hellman EKE gives us perfect forward secrecy, with a different session key per client, so if incident responders image a particular box and pull out the key, they can decrypt that client's communications, but they cannot decrypt any other agent communications they see in their network. I think EKE is awesome. We have a variety of post-exploitation modules, some of which we'll be covering during the presentation in depth.

Module development: just like PowerShell Empire, development for this project is extremely quick due to the modular structure and the use of a scripting language. So instead of having something completely compiled, where you're like "I want to modify X" and you have to go through Xcode and recompile all this stuff, and it gets pretty difficult with binary code, it's a scripting language, it's just Python, so if you want to extend something in the field, which we've done several times, it's really easy to do if you know what you're doing. Modules here are essentially metadata containers for an embedded Python script, just like PowerShell Empire, and we have nice little options like whether or not the module needs administrative access with sudo; whether it's OPSEC safe, which we care about a lot, meaning does it drop a file to disk or display something to the user; and whether or not you want to save file output to a particular format when the results are sent back. It was really kind of fun designing our own RAT and building all the little things into it that we always wanted, like kill dates, working hours, all those nice little options. Cool, so Steve is going to talk about some of the stagers and initial phishing access.

All right, thanks Will. So stagers: Will talked about getting our initial malicious code execution on the target host, so that's what we're going to talk about here. The first stager that we built for operating on some of our clients was the macros. Typically we think about Windows when we think about Office macros; well, we can do the same thing for OS X targets as well. Microsoft and OS X have Office in them as well, but we have to change how the macro works a little bit, and we'll talk about that. So this blob of text right here is a generated macro that Empire creates. You give it the listener where it's going to call back to and it generates this blob; this is the actual macro that you stick in the Office document that you're going to send to the target. It's kind of hard to see down here, but at the bottom it's actually calling Python. It's taking this entire base64-encoded blob and echoing it to Python, and the reason we echo to Python is that way incident responders can't see the agent running as a process in memory; they just see Python. We found out during development that just calling Python to decode the base64-encoded blob actually showed the entire string of the agent in memory, so we got away from that. Yeah, so you would have python -c, equivalent to PowerShell's -EncodedCommand or -c, but if you just echo components to a Python binary, it accepts anything on standard in as code and executes it. Thanks, Will.

I'll go to the Mach-O file format for executables. So in Windows we have executables, we can execute batch files, we can execute HTAs, a whole other range of executable formats. This is what we use for OS X, and what we do is we hot-patch a binary with the Empire stager; it actually includes the entire Python library interpreter. We use that actually on engagements: a client can have, like, Casper from JAMF, and they can push our binary out to the target machines if they don't actually want to go through a phishing exercise. You can just push it out, execute it on the remote system and get your callback. We also have dylib hijacking, much like DLL hijacking in Windows. This research was based off of Patrick Wardle; he has a great PDF right there all about it. I won't get into the details too much because it's a bit complicated, but it's basically abusing search order loading: if a program wants to load a dylib, something like a DLL, it has to go through an order of directories to find that, and we can abuse that. We also use this as a method of persistence in Empire. This is the hijack scanner module; this was also based off of Patrick Wardle. What this does is it scans, much like if you've used PowerUp in Windows, for possible hijack locations. You have rpath, which is load order hijacking like DLLs in Windows; we also can look for weak dylibs, which means that that dylib doesn't actually exist in the directory, so if we create one and put it in that directory, when that program is launched it'll launch our stager instead. So we can find the hijackable point, and then with Empire we can create a hijack module, run it on the target system, and when that is executed we get our callback. So at the top here you see a little bit of green text; it's kind of fuzzy, I'm sorry about that, but that's the actual agent coming back. What we did in this case: we installed Xcode on the target system, and Xcode by default has a weak dylib problem, so we were able to hijack that. When the user double-clicks on Xcode and launches the program, it launches our stager and then launches Xcode. And Will's going to spool up a quick demo on phishing with the Office macro. I think that's pretty cool.

We have... you guys probably won't be able to hear it, but, oh okay, here we go. I know the text is a little bit small, but okay, we're starting up Python Empire. We're going to create a listener, just like PowerShell Empire; you have your working hours, default delay, redirection, lost limit, those types of things. These options are what get patched into the initial agent as soon as an agent is staged from this particular listener. We're going to create a macro for this listener. This is, oh, I just want to talk about an option right here: set LittleSnitch to false. On an engagement we found out that some of our target users were using Little Snitch, and that actually got us burned, because we launched our agent on the remote system and as soon as it tried to call out, it alerted the user that our agent was calling out through Python, and they alerted their IR team. So what we found out was that a lot of the developers don't use Little Snitch, and we entered in an option to turn that check off. So it checks to see if Little Snitch is running; if Little Snitch is running, the agent just dies and it won't call back. Yeah, that's pretty much it: if we're on a red team, when we're trying to be stealthy, we can get by that protection. Again, that is not an exploit of Little Snitch; it's just a check and then killing the agent, which keeps it from staging. So here we're going to take that macro, paste it into an Excel notebook, and speed up just a little bit in the interest of time. You know, paste it in, just like Windows, right: paste it in, you see what's echoed to Python, open this, click "enable macros" because I totally trust this, whatever, totally-not-phishing email that I sent myself, and at that moment, as soon as "enable macros" is clicked, an agent will be staged. That was kind of cool; macros are not just a Windows problem. Cool, now Alex is going to talk a bit about host triage.

Appreciate it. Just like on the Windows side, the first things we generally go through are some type of situational awareness, maybe some host surveying scripts, so we're going to get into that part. Obviously one of the first things that generally takes place on an engagement, after doing some basic situational awareness, is we want to know if we can escalate. There are specific modules within Empire that are obviously going to require an elevated context. So on the Mac side you're not going to see as many, let's say, privilege escalation vulnerabilities out there, and if there are, they're generally patched pretty decently fast. So just like on the Windows side in our tradecraft, where we generally have to either find passwords, maybe GPP or some other type of share or logon script, or any type of escalation method we can go through using PowerUp, we would see the same kind of methodology applied on the OS X side. I don't know how many OS X users are out here, or Mac users, but just on a show of hands, how many of you guys actually run as admin on your OS X box? Okay, so a few out there. Some people do privilege separation properly, some don't. On the development side, as developers, obviously in an organization where you're installing, pushing code and doing these types of activities, you would often see users as a local admin. So that kind of gives us somewhere to start. In this case we have two different ways that we're actually going to talk on. There are a few different privilege escalation checks you can go through, but two that have been really successful for us are prompting: in osascript you can actually call an application to prompt the box, so we've used this method in live engagements to gather credentials. So the first one is the Mac app prompting: you can tell, let's say, the App Store to open up an application saying, "hey, I need your password, please trust me and give it to me." The second one that we came up with was the alley-oop method. Just like on Windows where you can pump a UAC bypass, you could do this same exact method, but there's an interesting caveat to this on the OS X side. There's a tool called security; with the security tool you can force an unlock of the keychain. So using this method you can prompt the screen saver, force the user to go to the screen saver, not allow them to exit out, take the password, and check it against the keychain. If it doesn't unlock, you're not going to get through; it will say, "please enter your password correctly." If you do enter it correctly it will unlock the keychain, and the logic will basically allow you to log back into the OS X box. So that's kind of mean, definitely not OPSEC safe, but you can gather credentials this way in an evil fashion, and once those credentials are gathered, just like you would potentially elevate on the Windows side, you could do the same thing with the sudo spawn to get a root context agent. So here's a horrible, horrible screenshot that just sadly didn't come in well, but at the top, as you can actually see right at the top, it actually tells you the text returned was "password1234"; that was with the basic one. And then on this, which we'll see in the demo as well, we see two bad passwords entered and then obviously the correct password, which unlocked the keychain. That's just a small example of that taking place.

So once you have your password: generally developers are inside an internal environment, and they might have tons of different resources that they have access to. They might have a password for Citrix, and they might have a password for an employee portal that we need to get access to. They usually use some type of password storage; it's too easy to just use the built-in keychain. Unfortunately that built-in keychain originally had some issues with where it stored the master key in memory, so we actually ported over, well, actually Will ported over, a full port of it from C and was actually able to implement it in Python, and we're basically able to decrypt the key store in memory using juuso's PoC code, which is really cool, but it only applies to OS X, isn't it, so that's kind of a hard point. So while most of us update, as normal users, as you would see in a Windows environment you're still seeing people on Windows 7, let alone you're still possibly seeing Windows XP boxes out there; so while you would think, as a normal OS X user, you might be upgrading on a consistent basis and this might not apply to you, we will still see this. And the next one would be keychaindump, or chainbreaker; we actually did a full port of that as well. That allows for a master password, or just a standard password that you gathered, and you're able to basically dump the entire keychain right inside the agent in memory. The next thing, obviously, is hash dumping. While on the OS X side the hashes are quite strong, they use quite a cipher to basically build this hash, and it could take some time, we do get lucky. And one reason why you would want to do a hash dump is, in a corporate environment, you may see built-in accounts that basically are used for remote administration, and we'll talk a little bit more about this on the SSH side. Just a quick example of us dumping some hashes in the hashcat-ready format so you can easily crack them, just as on the Windows side.

I'm sure a lot of you have used the capability of keylogging; it's fruitful. We generally can collect a ton of information, whether it be passwords; in the background just keep it rolling as the agent's going all day, and you can gather all types of information that may be able to help you in post-exploitation, or potentially gather credentials, like, let's say, from a PuTTY session or something of the sort. This actually is implemented from the MSF side and is a full port, and it actually uses Ruby; hopefully in the future we'll be making a progression to move it to a full Python version. And of course our screenshots: definitely helpful for identifying what the user's up to, for situational awareness methods. A quick note: we do support two different screenshot modules, and we'll talk about that in a second. The first one is the native, built-in screenshot tool, which is a command line option which will output to a file, and then we also use a pure Python version of it using the Quartz API calls, which is implemented in Python. So again, which one... I actually don't know the answer to that one; I would have to get back with you, so I would not be giving you false information. But every time I've done it, I've never got the sound. As I was saying before, the environment can dictate heavily what toolset you use. If you're in an environment like we've seen before with Carbon Black, with HIPS and devices, they will catch these built-in methods and you could potentially get flagged very easily in an environment that's potentially being monitored. So that's something that you have to identify in the beginning of the host survey: what toolsets you're willing to use, so you don't make the mistake of using the built-in screenshot, as well as pbcopy for the clipboard. This actually leads us into clipboard theft, a really solid way of potentially grabbing passwords from, let's say, a LastPass instance where they're using copy and paste consistently. The cool thing about this is you can basically set it up on a timed interval, let it run for about an hour, and you can gather all the credentials that you need while they're doing their work. And this is also, like I mentioned before, this could also be signatured from the pbcopy command line version. Just a small example of it actually taking place at different time stamps. All right, demo time. Yeah, now Alex is going to talk through a quick demo on host-based.
Yeah, so we're just going to go through a few, three, of the actual things we just talked about. This one I wouldn't actually show you, but it's quite interesting: the screen saver alley-oop. I'm actually just going to set this to a small max count, which you can specify, so you don't force the user to consistently go for 15 times straight, depending on what you would feel comfortable doing. As you can see, it actually brings up the screen saver to the person. It's not the same exact login prompt, but it may trick them, and it will definitely force them to potentially give you the credentials. It does lock the keychain, so when the user comes back in, for any application using that keychain they may actually have to go back and unlock the keychain. Once credentials are actually gathered... the first time I took it I missed; I actually removed the sudo spawn, but I'm actually changing my agent over to a different agent that's on my secondary box, and I'm actually going to use a collection module for gathering the keychain that we talked about before. In this case it's a 10.11 OS X instance, so I'm not going to use keychaindump, but I'm going to use the chainbreaker module, which allows me to dump the passwords basically forensically sound, target side. And again, with that, the general tradecraft is prompt the user for the password, and use that to then respawn a high integrity or sudo agent so you can do the interesting post-exploitation options or effects, like hash dumping. So in a second here we should hopefully get some credentials back. You can see the OPSEC check, you know, so we're doing things that may or may not prompt the user or modify the system; it's just a nice little reminder. Once it comes back it should spit out all the actual private keys, certificates, passwords, the whole shebang, and this actually works for not only the login keychain but also the system keychain, for Messages, for the iMessaging, Yahoo accounts and all that stuff. So that's quite a cool capability of this. Once passwords are gathered, we know we have a proper password; remember, if you do a sudo spawn and you mess up the password you could potentially be flagged, so just keep that in mind. So I like to actually test this. That's a really cool thing about the keychain: you can actually test it against the keychain, and it does generate a log, but it's not generally signatured on. And this is actually just a quick hash dump like we talked about before, outputting, and this is actually the end of the demo. You're up next.

So with that hash dump, what we did on a client engagement was dump the hashes, crack the password, and since it's in a corporate environment they used the same password and had SSH enabled on all of the hosts, so we were then able to laterally spread to every host we could get into. Network situational awareness: what do we do once we're on the host? What's around us, what can we see, what can we do? And yes, OS X is on the domain too. In our engagements we've found that admins need to admin: they need to enforce corporate policy via group policy, they have to manage their resources, their users, objects, advertise resources such as printers, and they benefit from the single sign-on access to Active Directory through Kerberos. It's pretty easy to set up; I'm just showing a picture of the Directory Utility in OS X and how it attaches to the domain. You see the option for "allow administration by"; typically it's Domain Admins and Enterprise Admins. If you found other users in there, maybe you could start targeting them. OS X and LDAP: OS X, and most Linux distributions, have a tool built in called ldapsearch. This is what we use in Empire to bind to Active Directory and then perform the search that we're trying to do and get the data back. This bottom line here is just a quick way to find out where the domain controller, or LDAP server, is in the network. So how many people have used PowerView, PowerShell PowerView? Awesome, good to see. You guys don't count, you're all on our team. So we wanted to port some of those features of PowerView over to the Empire Python version as well, because even though we're operating in an OS X environment, Active Directory can provide us with a lot of information: perhaps what computers to target next, what users to target next. We talked about BloodHound finding paths, so we're going to go along that route to find our next targets, PowerView style. Unfortunately there's a caveat to this: it does create a logon entry in Event Viewer every time an LDAP connection connects to Active Directory. Some of the things we ported over: get computers tells us what computers are on the network, what domain controllers are on the network, our file servers (those might be good places to hide because they have high uptime); group memberships, group members, what groups are out there (a lot of times stuff is nested in OUs); get user information actually just grabs all the information for a specific user; and we can list out all of the users in Active Directory as well. One thing that we found that we haven't been able to do yet is enumerate session data remotely from OS X. So unlike the BloodHound stuff earlier, if you saw it, where we could figure out who's logged in where, we don't have that ability in Empire right now; if any of you know how to do that, come see me. So this is a shot of PowerView, OS X style. Basically we're doing situational awareness, trying to get the computers that are in Active Directory. We set our bind name; this time we're going to use the user jfrank at hackme.com, and of course he's a manager, so his password is "management for life," and the LDAP address, that's the domain controller. We execute and it pops out just a nice list of all the computer objects that are in Active Directory, all from OS X. Overpass-the-hash: this is some pretty slick research done by gentilkiwi and obscuresec, and then we ported that over. A tweet from the guy, passingthehash, he actually did this in OS X, and then we figured out we can port this into our Empire. Basically what this allows us to do is, if we grab hashes on the domain, we can upgrade those to Kerberos tickets and then authenticate anywhere in the domain with that hash, without having the password. Some of the utilities that come with Kerberos: klist on the target to see what Kerberos credentials exist on that target, and then you can use kdestroy if we want to remove any credentials from the target side. Ouch. All right, this fuzzy blob is overpass-the-hash: basically we have an NT hash that we found on the network, we run overpass-the-hash, it generates us a Kerberos ticket, and then we can ls the domain controller. Cool, now Steve is going to talk through a cool little demo with some domain enumeration. This will be the last demo for the talk.
So we've got our Empire server running. We've got one listener, one agent currently active. You can see it's on a Mac box, internal IP address, the user jfrank. We're going to use a module to pull out... we're pulling out here get OUs, I believe. So there's a list; if you tab-complete through here, everything is tab-completable, it'll list what's next. We're going to do group members, because we're going to find who the domain admins are. We want to know where our domain admins are so we can start targeting them. Enter our authentication stuff to bind with LDAP, search, execute, and then it pulls back all the users of the domain administrator group, all from OS X, which is pretty cool.

Now, I think it's the OUs. Now we're going to get on to enumerating OUs. A lot of times there's some juicy information in there. All right, good, I thought we were wigging out. Same thing: we want to use module, it's tab-completable, we start typing situational awareness, tab-complete out, and pull out information for the OUs in the Active Directory schema.

So now we have an OU for domain controllers, two service account OUs and the IT admin OUs. So then we can take that information and perhaps start enumerating further to gain some more situational awareness on where we want to go next in the network.
Still me. All right, cool. Lateral movement. We started this off by prefacing that lateral movement is hard on the OS X side and Linux side. Windows, we have great tools like pass the hash, WMI, we can PsExec, WinRM if it's enabled, we can Remote Desktop and just log right in if we need to. OS X disappoints us a lot on this front. There's typically SSH, and for most stand-alone systems SSH is disabled by default. A lot of you are nodding your heads on that one. But in a corporate environment admins got to admin, so they typically have SSH enabled. There is a winexe package through Homebrew, but on a client engagement we're not going to install stuff and, you know, enter more vulnerable services on a target host if we can keep from it. So it would be nice if we can port this over. We've been working on it but haven't had any success yet to have a winexe type thing to do pass the hash on the OS X side. Hopefully we'll have that in the future.

We do have Empire modules. We actually have an SSH launcher module, so what it'll do is authenticate to the remote system, it'll run Python in memory with our launcher string callback, grab our stager and execute it in memory on the remote host. We also have an SSH command where we can run a command on the remote system and then just get the output back. So if you just wanted to check the kernel version, do uname -a or something like that, you could run that and then get the information back, all through Empire.

Web service exploitation: we've actually used this to pivot to the Windows side from the OS X side. One example of that is to exploit JBoss, my favorite thing ever, and we can pass that exploit to an Empire server, PowerShell. So here we've loaded up the JBoss exploit module, and what that does is abuses the JBoss flaw in the JMXInvokerServlet, and instead of executing Python on the remote system, because it's running Windows, it executes our stager that we loaded up for PowerShell Empire, and we get a callback and now have pivoted to the Windows side. So we're starting to get into mixed environments, and we'll talk about that a little bit at the end and what we're going to do to fix that problem. There you go.

Staying on the box. Yep, so the next obvious progression in an operation is to potentially install persistence. So at this point you've gathered all the credentials you need, you've gathered all the elevated context you need, now you just need to know how to stay overnight, just like you would with a Mac; they're often laptops, so persistence turned out to be a really critical thing for us. So on the Windows side there is so much research out there and there are so many places to hide. The registry itself, I don't know if anybody truly understands it. There's tons of research on WMI, DLL hijacks, backdoor accounts, startup folders; there's tons of ways to go about staying. But also on this front OS X actually surprised us quite a bit. There's a few really popular public persistence methods out there, mainly because it is, at the end of the day, a *nix device. So you can use crontabs, they have their own built-in login hooks, daemons, dylib hijacking. All these can be really useful and effective on engagement.

The first one we'll start with is login hooks. Login hooks are something Mac developers put in place, I think it was almost in 10.1 or something of the sort. It's actually technically now deprecated, as in it's unsupported functionality. Some of the reasons why you may not want to use this is the fact that it is blocking, so if you fail, or if your persistence module fails to execute, you could potentially stop the user from logging in. The one reason why this may be successful for you is, let's say you don't have root access yet, maybe staying in user context is the way to go. So in this case any user on the box can be applied a login hook. Another unfortunate con about this is you can only have one login hook per user, so if that's already being used you're kind of out of luck.

The next thing that Steve actually used quite often was crontabs. In case you want a beacon every hour, well, you can make that happen, no problem. So same as you would with any other one, you can set up an AppleScript binary or just even a bash or Python script and you can have it executed right from the crontab itself: timed execution and payload. And it's great for continued access in case they're restarting consistently or sleeping the box, and in case your agent dies; there may be bugs out there, so you never know what's going to happen.

The next one is launch daemons. This does require root, obviously, but, we'll talk about this in a second, there is potential for user context as well. The interesting thing about launch daemons is they're started during system startup, before the login prompt is presented, actually. So inetd actually starts these up. They're a plist file that is then taken through key values and executed. So in this case you basically can set up a couple different cool keys out there: you can basically give it a start interval, you can keep it running, so in case that plist file, that daemon, is actually stopped, it will actually restart itself, I think, just like a Windows service in this case. So it'd be like an auto start, per se. So that's a really cool benefit of these, and there's also potential for us to move over onto the user context side; we're using launch agents. And the cool thing is, as I talked about before, if the system's taxed and login hooks fail, you could potentially lock a user out; with this it doesn't have that potential con, but it will basically launch once the system has enough resources to launch your daemon in that case. So that's quite cool.

Obviously, like we talked about before, Patrick Wardle did this great research on the hijacking of dylibs. It's something that we've used a few times and I've tested a couple times, but this can also be deployed for a more stealthy version of persistence, of course. But the only obvious concern is that it's only when you start that application that you're going to get that agent back, so that's something you have to keep in mind. As we talked about before, there's the scanner, but there's also the CreateHijacker module, which actually goes through all the headache of actually generating the module, patching it, and then actually deploying and overwriting and creating the secondary pass for the follow-on, so the program does launch successfully after you've hijacked the dylib.

So I'll speak just a quick second, I know we're about out of time. Future plans for the project. Everyone's like, well, Empire, Empire, PowerShell Empire, whatever, what does this mean? We're going to combine both code bases within the next few weeks, so we'll have one command and control platform that allows you to attack Windows systems and OS X systems, and we'll have some of those nice bits that he talked about, about passing agents between the two and kind of that cross-platform attack approach. That'll be much, much nicer. We also really want to get SOCKS pivoting in; that's one of our biggest to-dos. We'll see if Alex stops being lazy and actually finishes all the code, but it's been a really fun project. We've had a blast doing it. The code's been out there for a couple of months. It's on GitHub, we forgot to put this up there: github.com/adaptivethreat/EmPyre. If you just search for the project name you should be able to find it. We also have a large number of blog posts that talk about usage, phishing; we have a ton of documentation on this stuff. So with that, thank you, and are there any questions?

There's actually one thing I want to note before we get too crazy in the questions. He talked about the fact that it's OS X and Windows. We've actually successfully, I've actually got to successfully use this on a Linux Red Hat installation, and that's why we actually went back to 2.6. So this is truly not only just OS X and Windows; this can actually be deployed in an agent scenario where you need Linux.

Yes? What's required on the Linux side? So the question is what's required on the Linux side, what dependencies. The core agent is 2.6 compatible, so you need at least Python 2.6, but otherwise every single component of the core agent depends on the standard Python library. So the standard lib; you don't have to install any packages, you know, whatever else. It's everything that automatically comes with the stock installations for 2.6 and 2.7.

Yes? Can we use Cython? Sorry, what was the question? Actually, can you use the microphones? Yep.
Can we compile the framework with Cython? I haven't looked into that. Have you guys, have we touched that yet? No, because we want to keep this, like, non... like, you don't have to compile it, because it runs on Linux as it is. We don't support running on OS X, like launching the server on OS X as well; a lot of people asked us that. But we keep it as an open framework, haven't compiled it that way. Yep, so we don't have it now, but if you would like to try to do that, pull request, and that would be awesome.

Yes? Also, are you aware that you can, thinking about your gathering credentials, are you guys aware that you can dump Wi-Fi passwords in plain text? You might want to add that on. Yeah, yeah, and it's essentially in the system keychain file, that the chainbreaker file, actually the chainbreaker module, not the keychaindump exploitable one, that actually does dump; you can actually pass it a specific path for the keychain and it will, you can actually dump the system keychain and get...

Yeah, we should definitely talk, quite interesting. Any other questions? Just come up to the microphone, please.

You mentioned Patrick Wardle's stuff, which, yes, goes through everything that's in launch agents and all that jazz to show things. With a big assistant, just right? If we're on an engagement, you asked if KnockKnock is installed, right, will it show the persistence modules that we have currently? If we're on an engagement and KnockKnock is installed, maybe we disable it first, if we have the access to. What I mean, how is it not getting sued? It's just, right, well, get rid of it or move it or hide it for the time. It depends if you're on a red team or what your scope is, what can you do on that. Yeah, do you have ways of evading this? If KnockKnock is run with the persistence installed, it will detect it. Okay, I guess at the end of the day you just have to find a new method. Yeah, yeah. Oh, okay, I guess at the end of the day you have to develop something that's just not in his tool set. Great, thank you.

On the Linux side, you know, a lot of stuff you showed was capturing the passwords. Yeah. What modules do you have for the similar on the Linux side? So the question is what types of modules do we have on the Linux side. So the framework was originally built for a couple of clients and engagements that were OS X specific, so that was where our focus was, to kind of get everything done. We really want to expand the Linux side instead of just the OS X side and, like, sorry, the majority of it is OS X, but one of our goals in the next few months is to expand the Linux post-exploitation. For example, if you stay in this room for the next presentation, I believe they're dropping some Linux type, OS X post-exploitation modules. I'm hoping they'll do a pull request in the next few weeks. Yeah, I think we have four modules right now, just to quickly list them off: we have the hashdump, pillage user, the Linux privesc checker and the Unix privesc checker, and also a pure in-memory pcap sniffer.

Yes? You guys mentioned you're looking at different CnC methods. I'm wondering if that's something like, hey, what you're looking into, and B, if that's something you've had a hard time with, or if you find that HTTP usually works and it's not a problem. Yeah, so one of our goals with both... the first thing, the next week, we want to combine PowerShell Empire and Python Empire into one framework, and after that one of the goals right after that is to expand and modularize the command and control components for both projects. So we want to build the architecture so that you could easily build a module to drop in. Cool. Yeah, all right, I think that's about it. We'll be out here for about 10, 20 minutes if you guys want to have a few more questions. Thank you, thank you.