When Empire was initially launched by @harmj0y and @sixdub at BSidesLV, I was immediately excited about the possibilities that a pure PowerShell RAT would bring to the offensive community. With what little free time I have, I’ve been working to add a few modules that have been inspired by recent engagements I’ve been on. This post will cover how to enumerate and exploit an internal web service through a deployed Empire agent without port scanning.
In this demonstration, I have an empire agent running on a Windows 7 host. The plan is to quietly enumerate the network for vulnerable web services and exploit one to move laterally.
First, I load the recon/find_fruit module and set the required options. The find_fruit module accepts CIDR ranges as well as single hosts. The module is also multi-threaded with a default setting of ten threads. One thing that makes this module great for red teaming or quieter penetration testing, is that unlike port-scanning, it uses legitimate web requests to check for web services that we commonly target such as Apache Tomcat, JBoss, Cold Fusion and more. The module will also accept a custom dictionary if desired. Kicking off the module I quickly find some “low hanging fruit” on a host in my target range.
Next, I want to create a payload and exploit the JMX-Console. Thanks to a stager by @ch33kyf3ll0w, Empire has the ability to generate java .war files for deploying agents. If you’re doing this outside of Empire, you can also generate a .war file using another @harmj0y script at https://gist.github.com/HarmJ0y/aecabdc30f4c4ef1fad3
Here I host the .war file with the python SimpleHTTPServer module. This is necessary as the jmx-console exploit will reach out to grab this file and deploy it on the target server.
Finally, I load the exploitation/exploit_jboss module and set the required options. I start by setting the JMXConsole switch to “true”. Next, The AppName needs to match the AppName I used when generating the .war file. I point the WarFile to my Python hosted file. Since I am tunnelling this exploit through an already deployed agent, I need to set the Agent option to deploy the exploit from. Empire will also let you know if this module is “opsec safe”, meaning it drops a file to disk.
Once the exploit is launched, I first see the HTTP request from the target server to grab the hosted .war file. After a few seconds, I am greeted by a new Empire agent!
If you’re looking for a way to enumerate and exploit internal web services without the noise of port-scanning, give this a try. The standalone Find-Fruit and Exploit-JBoss PowerShell scripts may be found on my github repository as well.