Linux post-exploitation framework made by a Linux user
ARCHIVED, this file won't be updated, please check README
emp3r0r uses HTTP2 (with TLS) for its CC communication, but you can also encapsulate it in other transports such as Tor or a CDN; all you need to do is tell the emp3r0r agent to use your proxy
also, emp3r0r has its own CA pool: agents trust only emp3r0r's own CA (which you can generate using `build.py`), making MITM attacks much harder
below is a screenshot of emp3r0r's CC server, which has 3 agents coming in over 3 different transports
emp3r0r agents check whether they have internet access on start and, if they do, start a socks5 proxy; they then broadcast their proxy addresses (in encrypted form) on every network they can reach
if an agent doesn't have internet, it listens for such broadcasts. when it receives a working proxy, it starts a port mapping of that proxy and broadcasts it to its own networks, bringing the proxy to every agent it can reach and eventually bringing all agents to our CC server.
in the following example, we have 3 agents, among which only one ([1]) has internet access, and [0] has to use the proxy passed on by [2]
- a cryptor that loads the agent into memory
- shellcode dropper
- everything is randomized
- one agent build for each target
every time an agent starts, it checks a preset URL for CC status; if it learns that CC is offline, no further action is taken and it waits for CC to come online
you can set the URL to a GitHub page or another less suspicious site; your agents will poll that URL at random intervals of a few minutes
no CC communication happens while the agent thinks CC is offline
if it isn't:
bare HTTP2 traffic:
when using Cloudflare CDN as CC frontend:
the packer encrypts the agent binary and runs it from memory (using `memfd_create`)
currently emp3r0r is mostly memory-based when used with this packer
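As an added example that is not part of emp3r0r or its README, here is the defender-side check for the trace such a packer leaves: a process started from an anonymous memfd has a `/proc/<pid>/exe` link of the form `/memfd:<name> (deleted)` instead of a path on disk. The `/proc` layout and that link format are Linux behaviour; the function names and the `proc_root` parameter are assumptions of this example.

```python
# Added example (not emp3r0r code): list processes whose executable is an
# anonymous memfd, the footprint of memfd_create()-style in-memory loaders.
import os
import re

# readlink("/proc/<pid>/exe") for a memfd-backed process yields
# "/memfd:<name> (deleted)"; the " (deleted)" suffix is not always present.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def memfd_name(exe_target: str):
    """Return the memfd's name if the exe link points into a memfd, else None."""
    m = MEMFD_RE.match(exe_target)
    return m.group("name") if m else None


def scan_proc(proc_root: str = "/proc"):
    """Yield (pid, memfd_name, cmdline) for every live process started from a memfd."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            target = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            # process exited between listdir and readlink, or we lack rights
            # (run as root to see every process's exe link)
            continue
        name = memfd_name(target)
        if name is not None:
            yield pid, name, cmdline


if __name__ == "__main__":
    hits = list(scan_proc())
    for pid, name, cmdline in hits:
        print(f"pid={pid} memfd={name!r} cmdline={cmdline!r}")
    print(f"{len(hits)} memfd-backed process(es) found")
```

Run it as root for a complete view. A loader that execs a memfd leaves this link for the lifetime of the process, so the check is cheap enough to run periodically; pair it with a look at `/proc/<pid>/maps` for executable mappings backed by `/memfd:` if you also want to catch libraries loaded the same way.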
the dropper drops a shellcode or script on your target, which eventually runs your agent in a stealthy way
below is a screenshot of a python-based shellcode delivery leading to agent execution:
currently emp3r0r uses libemp3r0r to hide its files and processes, which works by glibc hijacking
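An added example, not from the emp3r0r project: a triage script for the footprints a glibc-hijacking library leaves on a host, namely an entry in `/etc/ld.so.preload` or an `LD_PRELOAD` variable in a process environment, plus a cross-view check that compares the `/proc` directory listing against direct `stat()` probes of PID directories, since a hook that only filters `readdir()` does not hide entries from `stat()`. The function names and the `proc_root`, `probe` and `probe_limit` parameters are assumptions of this example.

```python
# Added example (not emp3r0r code): look for preload-hook footprints and
# cross-check the process list against direct stat() probes.
import os


def parse_ld_so_preload(text: str):
    """Return library paths listed in /etc/ld.so.preload (comments and blanks skipped)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())  # ld.so accepts several paths per line
    return libs


def parse_environ(blob: bytes):
    """Turn the NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def hidden_pids(listed_pids, probe, max_pid: int):
    """PIDs that exist (probe(pid) is True) but are absent from the directory listing."""
    listed = set(listed_pids)
    return [pid for pid in range(1, max_pid + 1) if pid not in listed and probe(pid)]


def proc_exists(pid: int) -> bool:
    # stat() reaches the kernel through a different libc entry point than
    # readdir(), so a hook that only filters directory listings misses it.
    try:
        os.stat(f"/proc/{pid}")
        return True
    except FileNotFoundError:
        return False


def audit(proc_root: str = "/proc", probe_limit: int = 65536):
    """Collect preload footprints and hidden PIDs into one report dict."""
    report = {"ld_so_preload": [], "ld_preload_envs": {}, "hidden_pids": []}
    try:
        with open("/etc/ld.so.preload") as fh:
            report["ld_so_preload"] = parse_ld_so_preload(fh.read())
    except FileNotFoundError:
        pass
    listed = [int(e) for e in os.listdir(proc_root) if e.isdigit()]
    for pid in listed:
        try:
            with open(f"{proc_root}/{pid}/environ", "rb") as fh:
                env = parse_environ(fh.read())
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # short-lived process or not ours to read (run as root)
        if "LD_PRELOAD" in env:
            report["ld_preload_envs"][pid] = env["LD_PRELOAD"]
    with open(f"{proc_root}/sys/kernel/pid_max") as fh:
        max_pid = min(int(fh.read()), probe_limit)  # cap the probe cost
    report["hidden_pids"] = hidden_pids(listed, proc_exists, max_pid)
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Two caveats for reading the output: a process that starts or exits between the listing and the probe shows up as a false positive, so re-run and keep only PIDs that persist; and a library that also hooks `open()`/`stat()` beats this script, which is why a statically linked tool or an offline disk image is the stronger comparison when the host is suspect.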
currently implemented methods:
- shellcode injection
- libemp3r0r
- cron
- bash profile and command injection
more will be added in the future
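An added example (not part of emp3r0r) for checking the two persistence spots named in the list above, cron and shell profiles: it parses crontab text into (schedule, user, command) tuples, collects the shell startup files under each home directory, and reports which of the watched files changed within a given window. The paths in `CRON_PATHS` and `SHELL_STARTUP` are the usual Linux locations; the function names are mine.

```python
# Added example (not emp3r0r code): enumerate cron entries and shell startup
# files, and report which of them were modified recently.
import os
import re
import time

# Usual system-wide and per-user cron locations (constructed list; adjust per distro).
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs"]
# Files bash reads at login or shell start; a line injected here runs on every shell.
SHELL_STARTUP = [".bashrc", ".bash_profile", ".bash_login", ".profile", ".bash_logout"]

ENV_LINE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*\s*=")  # SHELL=/bin/sh and the like


def cron_entries(text: str, system_style: bool):
    """Parse crontab text into (schedule, user, command) tuples.

    system_style=True is the /etc/crontab and /etc/cron.d format, which has a
    user field after the time fields; per-user spool crontabs have no user field.
    """
    entries = []
    user_fields = 1 if system_style else 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank, comment, or VARIABLE=value line
        fields = line.split()
        n_time = 1 if fields[0].startswith("@") else 5  # @reboot, @daily, ... are one token
        if len(fields) <= n_time + user_fields:
            continue  # malformed or truncated line
        schedule = " ".join(fields[:n_time])
        user = fields[n_time] if system_style else None
        command = " ".join(fields[n_time + user_fields:])
        entries.append((schedule, user, command))
    return entries


def cron_files():
    """Yield (path, system_style) for every cron file present on this host."""
    for base in CRON_PATHS:
        if os.path.isfile(base):
            yield base, True
        elif os.path.isdir(base):
            for name in sorted(os.listdir(base)):
                path = os.path.join(base, name)
                if os.path.isfile(path):
                    yield path, base.startswith("/etc")  # spool files are per-user


def startup_files(home_root: str = "/home", extra_homes=("/root",)):
    """Shell startup files that exist under each home directory."""
    homes = [os.path.join(home_root, d) for d in os.listdir(home_root)] if os.path.isdir(home_root) else []
    homes += [h for h in extra_homes if os.path.isdir(h)]
    for home in homes:
        for name in SHELL_STARTUP:
            path = os.path.join(home, name)
            if os.path.isfile(path):
                yield path


def mtimes(paths):
    """Yield (path, mtime) for readable paths; skip the rest."""
    for path in paths:
        try:
            yield path, os.stat(path).st_mtime
        except (FileNotFoundError, PermissionError):
            continue


def recently_modified(entries, window_seconds: int, now: float):
    """From (path, mtime) pairs, return the paths modified within the window."""
    return [path for path, mtime in entries if now - mtime <= window_seconds]


if __name__ == "__main__":
    for path, system_style in cron_files():
        try:
            with open(path) as fh:
                for schedule, user, command in cron_entries(fh.read(), system_style):
                    owner = user or os.path.basename(path)  # spool file name is the user
                    print(f"{path}: {schedule} user={owner} cmd={command}")
        except (PermissionError, UnicodeDecodeError):
            print(f"{path}: unreadable")
    watched = [p for p, _ in cron_files()] + list(startup_files())
    for path in recently_modified(mtimes(watched), 7 * 86400, time.time()):
        print(f"modified in the last 7 days: {path}")
```

The listing is only a starting point: compare the commands against what the host is supposed to run, and remember that mtime is trivially settable, so an unchanged timestamp proves nothing while a fresh one is worth a look.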
think of it as `ssh -R`: when the autoproxy module doesn't work because of a firewall on the agent that provides the proxy service, what can you do?
in normal circumstances, we would use `ssh -R` to map our client-side port to the ssh server, so the server can connect to us and share our internet connection.
that's exactly what emp3r0r does, except it doesn't require any openssh binaries to be installed; type `use reverse_proxy` to get started!
with this feature you can bring every host you can reach to the emp3r0r CC server.
inject guardian shellcode into an arbitrary process to gain persistence
this module helps you execute meterpreter or Cobalt Strike shellcode directly in emp3r0r's memory; combined with reverse_portfwd, you can use other post-exploitation frameworks right inside emp3r0r
this is not a shell; it just executes any commands you send with `sh -c` and sends the result back to you
besides that, it provides several useful helpers:
- file management: `put` and `get`
- command autocompletion
- `#net` shows basic network info, such as `ip a`, `ip r`, `ip neigh`
- `#kill` processes, and a simple `#ps`
bash
!!! this is the real bash shell, keep on reading!
with the module interactive_shell, you can set `shell` to normal `bash`, `sh`, `busybox`, or even `python` if you like!
all the shells work as if you `ssh` to the host; in most cases, PTY is fully enabled
this is choosing a shell to `ssh` into; by default we are using `bash`
you can see the `bash` shell you just created in a new tmux window
and `python`? you can `spawn('bash')` if you like
you can open as many shells as you like!
each shell has its own port mapping, allowing you to `ssh -p port localhost` directly.
with tmux you can see all of your shells organized cleanly in your current tmux session
not implemented yet
i wrote about this in my blog
currently emp3r0r supports CVE-2018-14665; agents can exploit this vulnerability where possible and restart themselves with root privileges
upload the latest:
and run them on the target system, returning the results
map any target address to the CC side, using HTTP2 (or whatever transport your agent uses)
this screenshot shows a meterpreter session established with the help of emp3r0r
yes, there is a plugin system. please read the wiki for more information
- pty
- guitmz
- sektor7
- readline
- h2conn
- diamorphine
- Upgrading Simple Shells to Fully Interactive TTYs
- more can be found in `go.mod`