Post on 14-Jan-2017
Building an Empyre with Python
@harmj0y
× Researcher/red teamer for the Adaptive Threat Division
× Co-founder/active developer of the Veil-Framework | PowerView | PowerUp | Empire
× Microsoft CDM/PowerShell MVP and active PowerSploit developer
@424f424f
× U.S. Army Infantry combat veteran
× Red teamer/Penetration Tester for the Adaptive Threat Division
× Instructor for ATD’s “Adaptive Penetration Testing” course
@killswitch_gui
× Previous US Army Soldier
× Red teamer/Penetration Tester for the Adaptive Threat Division
× Developed SimplyEmail / SimplyTemplate
tl;dr
× Overview/“Why Build This”/RATs 101
× EmPyre
× Stagers
× Host/network triage
× Lateral movement
× Persistence
× The Future
× Demos throughout!
Why Build this?
Motivations
× A high-security client wanted a penetration test against their corporate infrastructure, which was 80% OS X …
× We did our research and found very few options for ‘complete’ OS X agents, though small post-exploitation pieces did exist
Adversarial OS X
× WireLurker (Trojanized applications, infects connected iOS devices)
× XcodeGhost (infected Xcode package in China)
× Hacking Team (Remote Code Systems compromise platform)
× OceanLotus (Flash dropper, downloads a Mach-O binary)
× KeRanger (ransomware, infected Transmission package)
OS X Challenges
× Not nearly as many public OS X attack toolsets out there as there are for Windows
× Access vectors are significantly more limited than on Windows as well
× Lateral spread is complicated a bit (no pass-the-hash!)
RATs 101
× We have a number of broad design goals for our solution:
× Staging flexibility
× Modularity
× (Reasonably) strong crypto
× The “staging problem”: your malicious code has to SOMEHOW get to the target
EmPyre
Background
× Python agent and controller, heavily based on the PowerShell Empire project
× Python 2.6/2.7 compatible on OS X/Linux, “living off the land”
× Asynchronous communications (HTTP[S])
× Diffie-Hellman based Encrypted Key Exchange
× Variety of post-exploitation modules
Module development
× Like Empire, development is quick due to the modular structure and use of a scripting language
× Modules == metadata containers for an embedded Python script
× Metadata such as option sets, needs admin, opsec safe, save file output, etc.
Stagers
OS X Macros
× Works on Office 2011 and below, otherwise, we’re stuck in the...
Mach-O binaries
× Mach object file format for executables, object code, shared libraries, dynamically loaded code and core dumps
× We hot-patch a binary with the EmPyre stager code
× The binary contains the Python interpreter
Dylib Hijacking
× Ported from @patrickwardle’s research: https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
× Abuses search-order loading
× Also a method of persistence in EmPyre
Hijack Scanner
Dylib Hijacker
Demo: Phishing with EmPyre
Host triage
Privilege escalation
× Users often run as admin
× Two prompt modules for credential collection:
× Mac app prompting - osascript
× Screensaver alleyoop - osascript / security
× Elevate using sudo_spawn to spawn a new EmPyre agent
Privilege escalation
Chainbreaker
× Keychaindump (juuso)
× Keychain exploitable prior to OS X Yosemite to recover the master key from memory
× Decrypt the keychain store using the master key candidate
× Keychaindump_chainbreaker (n0fate)
× Allows master key and password input for decryption of the entire keychain
× Fully ported to allow on-target dumps rather than offline
Hashdumping
× Built-in hashdump module:
× sudo required, of course
× Output is hashcat ready
× Hash format differs between OS X releases
× 10.8+ uses Salted-SHA512-PBKDF2
× Password -> iterations -> salt -> hash_pbkdf2
× Ultimately a very slow hash to crack (H/s)
Hashdumping
Keylogging
× Uses Ruby code adapted from MSF:
× Captures and logs keystrokes to a file currently
× Runs as a separate Ruby process
Screenshots
× Currently supports two separate methods:
× Native - screenshot built-in tool
× Python - using Quartz API calls
× Environment can dictate the use of native tools
× CGImageDestinationCreateWithURL() and screenshot only allow an output path for the image
Clipboard theft
× Great way to target and collect credentials
× Output to file or pipeline:
× Timed collection allows continuous monitoring using background jobs
× Uses a non-native method via the AppKit API:
× Native pbpaste may be signatured by Carbon Black
Demo: Host Triage with EmPyre
Network situational awareness
OS X is on the Domain Too!
× Admins want/need to:
× Enforce corporate policy via Group Policy
× Manage resources
× Manage users
× Advertise resources such as printers
× Benefit from single sign-on access to Active Directory resources through Kerberos
OS X and LDAP
× ldapsearch tool: opens a connection to an LDAP server, binds, and performs a search using specified parameters
× dig -t SRV _ldap._tcp.example.com
PowerView, OS X Style
× Wanted to mimic the features of PowerSploit’s PowerView to enumerate Active Directory
× Using ldapsearch, we can mimic “most” features
× Unfortunately, this creates a log entry for every connection
Situational Awareness, AD Enumeration
× get_computers
× get_domaincontrollers
× get_fileservers
× get_groupmembers
× get_groupmemberships
× get_groups
× get_ous
× get_userinformation
× get_users
PowerView, OS X Style
Overpass-the-Hash
× Original research by @gentilkiwi and @obscuresec, and OS X research by @passingthehash
× Upgrading an NT hash into a full Kerberos ticket!
× Utilities:
× kinit - acquire initial Kerberos credentials
× klist - list Kerberos credentials
× kdestroy - remove Kerberos credentials
Demo: Domain Enumeration with EmPyre
Lateral Movement
OS X vs Windows
× Common Windows lateral movement methods:
× WMI, PSEXEC, WinRM, Remote Desktop
× OS X disappoints a bit on this front...
× SSH is available but disabled by default
× WinEXE installed through Homebrew is possible
× EmPyre modules:
× ssh_command / ssh_launcher
Web Service Exploitation
× JBoss exploit
× Pass exploit to the Empire server
Persistence
OS X vs Windows
× Common Windows persistence methods:
× Registry keys
× Startup folders
× WMI
× DLL hijacks
× Backdoor accounts
× OS X is also quite fruitful:
× Crontabs
× Login hooks
× Daemons
× Dylib hijacking
Crontabs, Daemons, and Login Hooks
× Login Hook - User Context
× Bash / AppleScript / binary execution
× User or any-user logon executes payload
× Sets com.apple.loginwindow
× Crontabs - User Context
× Requires Bash / AppleScript / binary
× Timed execution of payload
× Great for continued access
× Launch Daemons - Root Context
× Requires sudo
× Spawns determined by XML manifest (reboot)
× Daemons (services) once started will restart upon agent loss
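As an added example written for this deck (not EmPyre's or the authors' code), a Python audit of the three persistence mechanisms listed above, run against constructed plist and crontab samples; the launchd label, script paths and interpreter list are assumptions, and the plists are assumed to have been read from a LaunchDaemons directory and the com.apple.loginwindow preference domain.

```python
import plistlib

# Interpreters the talk names as payload carriers (bash, AppleScript, Python)
INTERPRETERS = ("python", "osascript", "bash", "/bin/sh")
# Constructed sample inputs, not taken from a real host
SAMPLE_DAEMON = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/bin/python</string>
    <string>/Library/Scripts/update.py</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_LOGINWINDOW = b"""<plist version="1.0"><dict>
  <key>LoginHook</key><string>/Users/Shared/.hook.sh</string>
</dict></plist>"""
SAMPLE_CRONTAB = """0 * * * * /usr/bin/osascript /Users/Shared/.task.scpt
30 2 * * * /usr/sbin/periodic daily
"""

def audit_launchd(plist_bytes):
    """Flag a launchd job that runs an interpreter, starts at load, or is respawned."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "<no label>")
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)
    findings = []
    if any(i in cmdline for i in INTERPRETERS):
        findings.append(f"{label}: interpreter launched by launchd: {cmdline}")
    if job.get("RunAtLoad"):
        findings.append(f"{label}: RunAtLoad, executes at boot/login")
    if job.get("KeepAlive"):  # bool or dict; either makes launchd restart the job
        findings.append(f"{label}: KeepAlive, restarted when the process exits")
    return findings

def audit_loginwindow(plist_bytes):
    """A LoginHook in com.apple.loginwindow runs its script as root at every login."""
    hook = plistlib.loads(plist_bytes).get("LoginHook")
    return [f"LoginHook set: {hook}"] if hook else []

def audit_crontab(text):
    """Flag crontab entries whose command invokes a script interpreter."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # m h dom mon dow command
        if len(fields) == 6 and any(i in fields[5] for i in INTERPRETERS):
            findings.append(f"cron: interpreter scheduled: {fields[5]}")
    return findings
```

On a live host the same functions apply to each file under /Library/LaunchDaemons, the root user's com.apple.loginwindow plist and the output of crontab -l per user.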
Persistence with Dylib Hijacking
× EmPyre implements @patrickwardle’s research to scan for hijackable dylibs!
× rPath search, WeakLib import search
× CreateHijacker module
× Allows for quick exploitation
× Ease of generating payload
× Patches in the path to the legitimate dylib for proper execution
Questions?
@harmj0y / will [at] harmj0y.net
@424f424f / steveborosh [at] gmail.com
@killswitch_gui / a.rymdekoharvey [at] gmail.com