Building an Empyre with Python

Upload: will-schroeder

Post on 14-Jan-2017


Page 1

Building an EmPyre with Python

Page 2

@harmj0y
× Researcher/red teamer for the Adaptive Threat Division
× Co-founder/active developer of the Veil-Framework | PowerView | PowerUp | Empire
× Microsoft CDM/PowerShell MVP and active PowerSploit developer

Page 3

@424f424f
× U.S. Army Infantry combat veteran
× Red teamer/Penetration Tester for the Adaptive Threat Division
× Instructor for ATD’s “Adaptive Penetration Testing” course

Page 4

@killswitch_gui
× Previous US Army Soldier
× Red teamer/Penetration Tester for the Adaptive Threat Division
× Developed SimplyEmail / SimplyTemplate

Page 5

tl;dr
× Overview / “Why Build This” / RATs 101
× EmPyre
× Stagers
× Host/network triage
× Lateral movement
× Persistence
× The Future
× Demos throughout!

Page 6

Why Build This?

Page 7

Motivations
× A high-security client wanted a penetration test against their corporate infrastructure
  × which was 80% OS X …
× We did our research and found very few options for ‘complete’ OS X agents
  × though small post-exploitation pieces did exist

Page 8

Adversarial OS X
× WireLurker (Trojanized applications, infects connected iOS devices)
× XcodeGhost (infected Xcode package in China)
× Hacking Team (Remote Code Systems compromise platform)
× OceanLotus (Flash dropper, downloads a Mach-O binary)
× KeRanger (ransomware, infected Transmission package)

Page 9

OS X Challenges
× Not nearly as many public OS X attack toolsets out there as there are for Windows
× Access vectors are significantly more limited than on Windows as well
× Lateral spread is complicated a bit (no pass-the-hash!)

Page 10

RATs 101
× We have a number of broad design goals for our solution:
  × Staging flexibility
  × Modularity
  × (Reasonably) strong crypto
× The “Staging problem”
  × Your malicious code has to SOMEHOW get to the target

Page 11

EmPyre

Page 12

Page 13

Background
× Python agent and controller
  × heavily based on the PowerShell Empire project
  × OS X/Linux, Python 2.7 and 2.6 compatible / “living off the land”
× Asynchronous communications (HTTP[S])
  × Diffie-Hellman based Encrypted Key Exchange
× Variety of post-exploitation modules

Page 14

Module development
× Like Empire, development is quick due to the modular structure and use of a scripting language
× Modules == metadata containers for an embedded Python script
  × Things like option sets, needs admin, opsec safe, save file output, etc.

Page 15

Stagers

Page 16

OS X Macros
× Works on Office 2011 and below, otherwise, we’re stuck in the...

Page 17

Page 18

Mach-O binaries
× Mach object file format for executables, object code, shared libraries, dynamically-loaded code and core dumps
× We hot-patch a binary with the EmPyre stager code
× Binary contains the Python interpreter

Page 19

Dylib Hijacking
× Ported from @patrickwardle research
  × https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
× Abuses search-order loading
× Also a method of persistence in EmPyre

Page 20

Hijack Scanner

Page 21

Dylib Hijacker

Page 22

Demo: Phishing with EmPyre

Page 23

Host triage

Page 24

Privilege escalation
× Users often run as admin
× Two prompt modules for credential collection:
  × Mac app prompting - osascript
  × Screensaver alleyoop - osascript / security
× Elevate using sudo_spawn to spawn a new EmPyre agent

Page 25

Privilege escalation

Page 26

Chainbreaker
× Keychaindump (juuso)
  × Keychain exploitable prior to OS X Yosemite to recover the master key from memory
  × Decrypt keychain store using the master key candidate
× Keychaindump_chainbreaker (n0fate)
  × Allows master key and password input for decryption of the entire keychain
  × Fully ported to allow on-target dumps rather than offline

Page 27

Hashdumping
× Built-in hashdump module:
  × sudo required, of course
  × Output is hashcat ready
× Hash format is unique to different OS X series
  × 10.8+ uses Salted-SHA512-PBKDF2
  × Password -> Iterations -> salt -> hash_pbkdf2
  × Ultimately a very slow hash to crack (H/s)
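To make the hash-format bullets concrete, here is an added example (my own code, not EmPyre's hashdump module) that derives a 10.8+ style SALTED-SHA512-PBKDF2 record from a constructed salt and iteration count, verifies a candidate against it, lays it out as a $ml$ line (the layout is assumed from hashcat's mode 7100; check how much of the entropy your hashcat build expects), and measures single-core H/s to show why the iteration count makes offline guessing slow.

```python
import hashlib
import hmac
import os
import time

# 10.8+ ShadowHashData (SALTED-SHA512-PBKDF2) keeps a 32-byte salt, an iteration
# count and a 128-byte "entropy" value = PBKDF2-HMAC-SHA512(password, salt, iterations).
ENTROPY_LEN = 128

def macos_entropy(password, salt, iterations):
    """Password -> iterations -> salt -> PBKDF2, as on the slide."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, ENTROPY_LEN)

def make_record(password, iterations):
    """Constructed sample record with a random salt (not taken from any real host)."""
    salt = os.urandom(32)
    return {"iterations": iterations, "salt": salt,
            "entropy": macos_entropy(password, salt, iterations)}

def verify(record, candidate):
    """Constant-time check of a candidate password against a stored record."""
    derived = macos_entropy(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["entropy"])

def hashcat_line(record):
    """Assumed $ml$ layout: iterations, hex salt, hex entropy (hashcat mode 7100)."""
    return "$ml$%d$%s$%s" % (record["iterations"], record["salt"].hex(), record["entropy"].hex())

def guesses_per_second(record, guesses=10):
    """Single-core guessing throughput; it falls linearly with the iteration count."""
    start = time.perf_counter()
    for i in range(guesses):
        macos_entropy("guess%d" % i, record["salt"], record["iterations"])
    return guesses / (time.perf_counter() - start)

if __name__ == "__main__":
    rec = make_record("correct horse", iterations=40000)   # iteration count is constructed
    print(hashcat_line(rec)[:48] + "...")
    print("correct:", verify(rec, "correct horse"), "wrong:", verify(rec, "Password1"))
    print("H/s on this core: %.1f" % guesses_per_second(rec))
```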

Page 28

Hashdumping

Page 29

Keylogging
× Uses Ruby code adapted from MSF:
  × Captures and logs keystrokes to a file currently
  × Runs as a separate Ruby process

Page 30

Screenshots
× Currently supports two separate methods:
  × Native - screenshot builtin tool
  × Python - using Quartz API calls
× Environment can dictate the use of native tools
× CGImageDestinationCreateWithURL() and screenshot only allow an output path for the image

Page 31

Clipboard theft
× Great way to target and collect credentials
× Output to file or pipeline:
  × Timed collection allows continuous monitoring using background jobs
× Uses non-native method via AppKit API:
  × Native pbpaste may be signatured by Carbon Black

Page 32

Page 33

Demo: Host Triage with EmPyre

Page 34

Network situational awareness

Page 35

OS X is on the Domain Too!
× Admins want/need to:
  × Enforce corporate policy via Group Policy
  × Manage resources
  × Manage users
  × Advertise resources such as printers
  × Benefit from single sign-on access to Active Directory resources through Kerberos

Page 36

Page 37

OS X and LDAP
× ldapsearch tool
  × opens a connection to an LDAP server, binds, and performs a search using specified parameters
× dig -t SRV _ldap._tcp.example.com

Page 38

PowerView, OS X Style
× Wanted to mimic the features of PowerSploit’s PowerView to enumerate Active Directory
× Using ldapsearch, we can mimic “most” features
× Unfortunately, creates a log entry for every connection

Page 39

Situational Awareness, AD Enumeration
× get_computers
× get_domaincontrollers
× get_fileservers
× get_groupmembers
× get_groupmemberships
× get_groups
× get_ous
× get_userinformation
× get_users

Page 40

PowerView, OS X Style

Page 41

Overpass-the-Hash
× Original research by @gentilkiwi and @obscuresec and OS X research by @passingthehash
× Upgrading an NT hash into a full Kerberos ticket!
× Utilities
  × kinit - acquire initial Kerberos credentials
  × klist - list Kerberos credentials
  × kdestroy - remove Kerberos credentials

Page 42

Page 43

Demo: Domain Enumeration with EmPyre

Page 44

Lateral Movement

Page 45

OS X vs Windows
× Common Windows lateral movement methods:
  × WMI, PSEXEC, WinRM, Remote Desktop
× OS X disappoints a bit on this front...
  × SSH is available but disabled by default
  × WinEXE installed through Homebrew is possible
× EmPyre modules:
  × ssh_command / ssh_launcher

Page 46

Web Service Exploitation
× JBoss exploit
  × Pass exploit to Empire server

Page 47

Page 48

Persistence

Page 49

OS X vs Windows
× Common Windows persistence methods:
  × Registry keys
  × Startup folders
  × WMI
  × DLL hijacks
  × Backdoor accounts
× OS X is also quite fruitful:
  × Crontabs
  × Login hooks
  × Daemons
  × Dylib hijacking

Page 50

Crontabs, Daemons, and Login Hooks
× Login Hook - User Context
  × Bash / AppleScript / binary execution
  × User or any-user logon executes payload
  × Sets com.apple.loginwindow
× Crontabs - User Context
  × Requires Bash / AppleScript / binary
  × Timed execution of payload
  × Great for continued access
× Launch Daemons - Root Context
  × Requires sudo
  × Spawn determined by XML manifest (reboot)
  × Daemons (services) once started will restart upon agent loss
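The three persistence locations above leave artifacts a defender can triage. As an added example (my own code, not EmPyre's), the Python below parses constructed LaunchDaemon and com.apple.loginwindow plists with the standard plistlib and flags the traits the slide describes: RunAtLoad for reboot, KeepAlive for restart on agent loss, a timed StartInterval like a crontab, and a script host carrying inline code. The sample manifests, the label com.example.updater and the hook path are constructed.

```python
import os
import plistlib

# Script hosts a Bash / AppleScript / Python payload would be launched under.
SCRIPT_HOSTS = {"python", "python2.7", "osascript", "bash", "sh", "zsh"}

def triage_launch_plist(xml_bytes):
    """List the persistence traits a LaunchDaemon/LaunchAgent manifest declares."""
    p = plistlib.loads(xml_bytes)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    traits = []
    if p.get("RunAtLoad"):
        traits.append("RunAtLoad")          # launchd starts it at boot (daemon) or login (agent)
    if p.get("KeepAlive"):
        traits.append("KeepAlive")          # relaunched whenever the process exits: survives agent loss
    if "StartInterval" in p:
        traits.append("StartInterval=%d" % p["StartInterval"])  # timed re-execution, crontab-style
    if args and os.path.basename(args[0]) in SCRIPT_HOSTS:
        traits.append("script-host=" + os.path.basename(args[0]))
    if any(a in ("-c", "-e") for a in args[1:]):
        traits.append("inline-code")        # payload lives in argv, not in a file you can hash
    return traits

def triage_loginwindow(xml_bytes):
    """LoginHook in com.apple.loginwindow names a path run as root at every login."""
    return plistlib.loads(xml_bytes).get("LoginHook")

# Constructed sample manifests (label and paths invented for this example).
SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python</string><string>-c</string><string>import time; time.sleep(1)</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_LOGINWINDOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LoginHook</key><string>/Library/Scripts/hook.sh</string>
</dict></plist>"""
```

On a live host the same functions can be pointed at the files under /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents, plus /var/root/Library/Preferences/com.apple.loginwindow.plist.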

Page 51

Persistence with Dylib Hijacking
× EmPyre implements @patrickwardle research to scan for hijackable dylibs!
  × rpath search, weak library import search
× CreateHijacker module
  × allows for quick exploitation
  × ease of generating payload
  × patching in the path to the legitimate dylib for proper execution
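The rpath and weak-import conditions named on this slide and on the earlier Dylib Hijacking slide are all declared in a binary's load commands. This added Python (my own code, not EmPyre's Hijack Scanner or Wardle's tool) parses a constructed 64-bit Mach-O header and lists the LC_RPATH entries, LC_LOAD_WEAK_DYLIB imports and @rpath-relative loads that an auditor would then check for directories writable by a non-admin user. The sample binary is constructed inline and carries load commands only.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF           # 64-bit Mach-O, little-endian (x86_64 / arm64)
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018    # library may be missing: loader continues if not found
LC_RPATH = 0x8000001C              # adds a directory to the @rpath search list

def load_commands(data):
    """Yield (cmd, raw_command_bytes) for every load command in a 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32                                      # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def lc_str(payload):
    """Both rpath_command and dylib_command keep a uint32 string offset at byte 8."""
    start = struct.unpack_from("<I", payload, 8)[0]
    return payload[start:payload.index(b"\0", start)].decode()

def hijack_surface(data):
    """Return (rpaths, weak dylibs, @rpath-relative loads): what the scanner checks."""
    rpaths, weak, via_rpath = [], [], []
    for cmd, payload in load_commands(data):
        if cmd == LC_RPATH:
            rpaths.append(lc_str(payload))
        elif cmd == LC_LOAD_WEAK_DYLIB:
            weak.append(lc_str(payload))
        elif cmd == LC_LOAD_DYLIB and lc_str(payload).startswith("@rpath/"):
            via_rpath.append(lc_str(payload))
    return rpaths, weak, via_rpath

def _cmd(cmd, fixed_fields, path):
    """Build one load command; the string follows the fixed fields, size padded to 8."""
    body = struct.pack("<%dI" % len(fixed_fields), *fixed_fields) + path.encode() + b"\0"
    size = 8 + len(body) + (-(8 + len(body))) % 8
    return struct.pack("<II", cmd, size) + body.ljust(size - 8, b"\0")

# Constructed sample binary (header + load commands only, no segments): not a real program.
_CMDS = [_cmd(LC_LOAD_DYLIB, [24, 0, 0, 0], "/usr/lib/libSystem.B.dylib"),
         _cmd(LC_RPATH, [12], "@executable_path/../Frameworks"),
         _cmd(LC_LOAD_DYLIB, [24, 0, 0, 0], "@rpath/libplugin.dylib"),
         _cmd(LC_LOAD_WEAK_DYLIB, [24, 0, 0, 0], "/usr/local/lib/liboptional.dylib")]
SAMPLE_MACHO = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, len(_CMDS),
                           sum(len(c) for c in _CMDS), 0, 0) + b"".join(_CMDS)
```

Calling hijack_surface(open(path, "rb").read()) on a thin 64-bit binary gives the same three lists that otool -l would show under LC_RPATH and LC_LOAD_WEAK_DYLIB.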

Page 52

Questions?
@harmj0y / will [at] harmj0y.net
@424f424f / steveborosh [at] gmail.com
@killswitch_gui / a.rymdekoharvey [at] gmail.com