Emp3r0r Linux Post-Exploitation Framework
Emp3r0r Linux Post-Exploitation Framework

Emp3r0r: Linux Post-Exploitation Framework

Why another post-exploitation tool?

why not? i dont see many post-exploitation frameworks for linux systems, even if there were, they are nothing like mine

as a linux user, the most critical thing for remote administration is terminal. if you hate the garbage reverse shell experience (sometimes it aint even a shell), take a look at emp3r0r, you will be impressed

yes i just want to make a post-exploitation tool for linux users like me, who want better experience in their hacking

another reason is compatibility. as emp3r0r is mostly written in Go, and fully static (so are all the plugins used by emp3r0r), it will run everywhere (tested on Linux 2.6 and above) you want, regardless of the shitty environments. in some cases you wont even find bash on your target, dont worry, emp3r0r uploads its own bash and many other useful tools

why is it called emp3r0r? because theres an empire

i hope this tool helps you, and i will add features to it as i learn new things

What does it do

Glance

  • beautiful terminal UI
  • perfect reverse shell (true color, key bindings, custom bashrc, custom bash binary, etc)
  • auto persistence via various methods
  • post-exploitation tools like nmap, socat, are integreted with reverse shell
  • credential harvesting
  • process injection
  • shellcode injection and dropper
  • ELF patcher
  • hide processes and files via libc hijacking
  • port mapping, socks5 proxy
  • auto root
  • LPE suggest
  • system info collecting
  • file management
  • log cleaner
  • stealth connection
  • anti-antivirus
  • internet access checker
  • autoproxy for semi-isolated networks
  • all of these in one HTTP2 connection
  • can be encapsulated in any external proxies such as TOR, and CDNs
  • interoperability with metasploit / Cobalt Strike
  • and many more…

Core features

Transports

emp3r0r utilizes HTTP2 (TLS enabled) for its CC communication, but you can also encapsulate it in other transports such as TOR, and CDNs. all you need to do is tell emp3r0r agent to use your proxy

also, emp3r0r has its own CA pool, agents trusts only emp3r0r’s own CA (which you can generate using build.py), making MITM attack much harder

below is a screenshot of emp3r0r’s CC server, which has 3 agent coming from 3 different transports

Transports
Transports

Auto proxy for agents without direct internet access

emp3r0r agents check if they have internet access on start, and start a socks5 proxy if they do, then they broadcast their proxy addresses (in encrypted form) on each network they can reach

if an agent doesn’t have internet, its going to listen for such broadcasts. when it receives a working proxy, it starts a port mapping of that proxy and broadcasts it to its own networks, bringing the proxy to every agent it can ever touch, and eventually bring all agents to our CC server.

in the following example, we have 3 agents, among which only one ([1]) has internet access, and [0] has to use the proxy passed by [2]

Auto proxy
Auto proxy

Anti-antivirus (or anti-whateveryoucallthem)

  • a cryptor that loads agent into memory
  • shellcode dropper
  • everything is randomized
  • one agent build for each target

Agent traffic

Every time an agent starts, it checks a preset URL for CC status, if it knows CC is offline, no further action will be executed, it waits for CC to go online

You can set the URL to a GitHub page or other less suspicious sites, your agents will poll that URL every random minutes

No CC communication will happen when the agent thinks CC is offline

If it isnt:

bare HTTP2 traffic:

Agent traffic
Agent traffic

Packer – start agent in memory

packer encrypts agent binary, and runs it from memory (using memfd_create)

Currently emp3r0r is mostly memory-based, if used with this packer

packer of emp3r0r
packer of emp3r0r

dropper – pure memory based agent launching

dropper drops a shellcode or script on your target, eventually runs your agent, in a stealth way

below is a screenshot of a python based shellcode delivery to agent execution:

dropper of emp3r0r
dropper of emp3r0r

Hide processes and files

currently emp3r0r uses libemp3r0r to hide its files and processes, which utilizes glibc hijacking

Persistence

currently implemented methods: (more will be added in the future)

  • shellcode injection
  • libemp3r0r
  • cron
  • bash profile and command injection

Modules

Shellcode injection

Inject guardian shellcode into arbitrary process, to gain persistence

Shellcode injection
Shellcode injection

Shellcode loader

This module helps you execute meterpreter or Cobalt Strike shellcode directly in emp3r0r’s memory, combined with reverse_portfwd, you can use other post-exploitation frameworks right inside emp3r0r

Shellcode loader
Shellcode loader

Basic command shell

this is not a shell, it just executes any commands you send with sh -c and sends the result back to you

besides, it provides several useful helpers:

  • file management: put and get
  • command autocompletion
  • #net shows basic network info, such as ip aip rip neigh
  • #kill processes, and a simple #ps
  • bash !!! this is the real bash shell, keep on reading!

Fully interactive and stealth bash shell

A reverse bash shell, started with custom bash binary and bashrc, leaving no trace on the system shell

Reverse bash shell
Reverse bash shell

emp3r0r’s terminal supports everything your current terminal supports, you can use it just like an openssh session

but wait, it’s more than just a reverse bash shell, with module vaccine, you can use whatever tool you like on your target system

Credential harvesting

Not implemented yet

Auto root

Currently emp3r0r supports CVE-2018-14665, agents can exploit this vulnerability if possible, and restart itself with root privilege

Supports CVE-2018-14665
Supports CVE-2018-14665

LPE suggest

upload the latest:

and run them on target system, return the results

Port mapping

Map any target addresses to CC side, using HTTP2 (or whatever transport your agent uses)

Reverse port mapping (interoperability with other frameworks)

This screenshot shows a meterpreter session established with the help of emp3r0r

Reverse port mapping
Reverse port mapping

Plugin system

yes, there is a plugin system. please read the wiki for more information

More Stories
Vajra Automated Web Hacking Framework for Pentesting
Vajra: Automated Web Hacking Framework for Pentesting