Evi1cg · 2016/05/17

0x00 Introduction

As the number of OSX users grows, so does the number of attacks against OSX. The Empire team recently released a new post-exploitation framework for OSX, EmPyre. The framework is written in Python and is built on cryptography; anyone who has used Empire will pick it up quickly.

0x01 Installation

Install with the following commands:

    git clone https://github.com/adaptivethreat/EmPyre
    cd EmPyre/setup
    ./install.sh

The installation script installs the required dependencies and finally runs setup_database.py to initialise the settings, which can be edited by hand afterwards. The reset.sh script in the setup directory resets EmPyre to a clean state.

0x02 Usage

Go to the EmPyre root directory and run:

    python empyre

This opens the main menu.

At the time of writing it ships with 43 usable modules.

Listeners

A listener has to be created before anything else. Enter the listeners menu; help shows the available commands and info shows the current configuration options in detail. A minimal listener configuration follows.

To set the listening IP address and port, set Host:

    set Host http://192.168.74.141:8080

Then run execute:

    (EmPyre: listeners) > execute

This starts the listener. Use list to view the listeners that are running.

For an HTTPS listener, CertPath must also be set:

    set CertPath ./data/empyre.pem

Stagers

Once a listener exists, the next step is to configure a stager. Stagers are stored in the ./lib/stagers directory.

To see the available stagers, type usestager followed by a space in the listeners menu and press TAB. The available stagers are:

  • applescript: generates an AppleScript payload.
  • dylib: generates a dynamic-library payload (see here for how to use it).
  • hop_php: generates a PHP payload.
  • launcher: generates a one-line Python launcher as the payload.
  • macho: generates a Mach-O (OSX executable) payload.
  • macro: generates a macro for Office for Mac.
  • safari_launcher: generates an HTML page as the payload (it tricks the user into running AppleScript).
  • war: generates a WAR payload.

launcher produces a single line of code; once it runs on the target, the attacker has control of the machine. macro and safari_launcher are two more interesting ways of getting that line to run:

1. macro

Usage is as follows:

Generate the macro code, then create an arbitrary Office document and open its macro settings:

Paste the macro code in:

When the document is opened again, the following prompt appears:

Clicking Enable Macros runs the code and the victim's machine checks in:
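The macro stager only works if a macro-enabled document reaches a user who then clicks Enable Macros. As an added defensive example (this is not code from the article or from the EmPyre project), the following Python script shows how a mail gateway or file-share scanner can hold such documents for review before they reach the user: it opens each OOXML document as a zip container, looks for a VBA project part (word/, xl/ or ppt/vbaProject.bin) and for the matching declaration in [Content_Types].xml, and additionally notes when macro content hides behind an extension that does not advertise macros. The sample files, build_sample, SAMPLES and triage are all constructed here for illustration; the samples are minimal zip containers, not real Office documents. Legacy binary .doc/.xls (OLE2) files are out of scope for this check.

```python
import io
import zipfile

# Part names that carry VBA code in macro-enabled OOXML files
# (Word: word/vbaProject.bin, Excel: xl/vbaProject.bin, PowerPoint: ppt/vbaProject.bin).
VBA_SUFFIX = "vbaproject.bin"
# Content type that [Content_Types].xml declares for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that openly advertise macro content.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML document held in memory."""
    findings = {"is_ooxml": False, "has_vba": False, "vba_members": [], "declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container: legacy OLE2 .doc/.xls or not a document at all (not covered here)
        return findings
    with zf:
        findings["is_ooxml"] = True
        findings["vba_members"] = [n for n in zf.namelist() if n.lower().endswith(VBA_SUFFIX)]
        findings["has_vba"] = bool(findings["vba_members"])
        if "[Content_Types].xml" in zf.namelist():
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["declares_vba"] = VBA_CONTENT_TYPE in types_xml
    return findings


def triage(files: dict) -> dict:
    """Map file name -> reason for every document that should be held for review."""
    flagged = {}
    for name, data in files.items():
        f = inspect_ooxml(data)
        if not f["is_ooxml"]:
            continue
        if f["has_vba"] or f["declares_vba"]:
            ext = name[name.rfind("."):].lower() if "." in name else ""
            members = f["vba_members"] or ["(declared in content types only)"]
            reason = "embeds VBA project " + ", ".join(members)
            if ext not in MACRO_EXTENSIONS:
                reason += f"; extension {ext or '(none)'} does not advertise macros"
            flagged[name] = reason
    return flagged


def build_sample(kind: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like container for testing; not a real Office document."""
    part = {"word": "word/document.xml", "xl": "xl/workbook.xml", "ppt": "ppt/presentation.xml"}[kind]
    types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    if with_vba:
        types += f'<Override PartName="/{kind}/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr(part, "<placeholder/>")
        if with_vba:
            # OLE2 magic followed by filler; a real vbaProject.bin is a full OLE2 stream
            zf.writestr(f"{kind}/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed inbox: one clean document, one honestly named macro document,
# one macro document behind a non-macro extension, and one non-document.
SAMPLES = {
    "quarterly.docx": build_sample("word", False),
    "invoice.docm": build_sample("word", True),
    "budget.xlsx": build_sample("xl", True),
    "notes.txt": b"plain text, not a zip",
}

if __name__ == "__main__":
    for name, reason in triage(SAMPLES).items():
        print(f"HOLD {name}: {reason}")
```

Both signals are checked because a document can in principle carry a vbaProject.bin part without the content-type override or vice versa; either one is enough to hold the file. On a real gateway this check belongs before the user ever sees the "Enable Macros" prompt, since once that button is clicked the macro already runs with the user's privileges.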

2. safari_launcher

Usage is as follows:

Save the generated HTML to test.html and host it on a web server. The AppleScript embedded in the page is the script that will be run. Visiting the page looks like this:

After pressing Command+R, the following page is displayed:

Clicking "New Script" opens Script Editor with the code hidden at the bottom:

Once the triangular Run button is clicked, the victim's machine checks in:

The other stagers are not covered here; try them yourself if you are interested.

Agents

1. Basic use

Once agents have checked in, start with help:

The commands are simple. To interact with an agent, run:

    interact PI5M01QWZ4TJAUQA

If the name is hard to remember, the agent can be renamed with the following command:

After switching to the agent, help lists the commands that can be executed:

To run a system command, use shell:

2. Module use

EmPyre provides a number of modules. To list the ones currently available, type usemodule followed by a space and press TAB, as shown below:

They cover information gathering, privilege escalation, persistence and more. I will not go through all of them here, only a few of the more interesting ones:

collection/osx/prompt:

This module obtains the current user's password through social engineering.

When run, it opens the App Store and asks for the password, as shown below:

When the user enters a password, we receive what was typed:

collection/osx/webcam:

This module takes a photo with the webcam.

collection/osx/browser_dump:

This module dumps the browser history.

privesc/multi/sudo_spawn

This module is used for privilege escalation.

First create a new listener:

After switching to the agent, use the module:

After the password is entered (obtained through the prompt module or other information gathering), a new agent checks in, and that agent has the highest privileges, as shown below:

I will not cover the other modules here; interested readers can try them for themselves. There are also four persistence modules, which are quite powerful.

0x03 Summary

I was very happy to see this tool. This article is only a brief introduction to its use; anyone interested can read the source and write the modules or functions they need. I hope it is of some help.

This article was written by Evi1cg and first published on Black Cloud (WooYun) Drops.