This presentation covers Python EmPyre, a Python post-exploitation agent based on the PowerShell Empire architecture. It was given at BSidesLV '16.

1. Building an
Empyre with
Python

2. @harmj0y
× Researcher/red teamer for the Adaptive Threat
Division
× Co-founder/active developer of the Veil-Framework |
PowerView | PowerUp | Empire
× Microsoft CDM/PowerShell MVP and active
PowerSploit developer

3. @424f424f
× U.S. Army Infrantry combat veteran
× Red teamer/Penetration Tester for the Adaptive
Threat Division
× Instructor for ATD’s “Adaptive Penetration Testing”
course

4. @killswitch_gui
× Previous US Army Soldier
× Red teamer/Penetration Tester for the Adaptive
Threat Division
× Developed SimplyEmail / SimplyTemplate

5. tl;dr
× Overview/”Why Build This”/RATs 101
× EmPyre
× Stagers
× Host/network triage
× Lateral movement
× Persistence
× The Future
× Demos throughout!

6. Why Build
this?

7. Motivations
× A high-security client wanted a penetration
test against their corporate infrastructure
× which was 80% OS X …
× We did our research and found very few options
for ‘complete’ OS X agents
× though small post-exploitation pieces did exist

8. Adversarial OS X
× WireLurker (Trojanized applications, Infects connected
ios devices)
× XcodeGhost (Infected xcode package in China)
× Hacking Team (Remote Code Systems compromise
platform)
× OceanLotus (Flash Dropper, download Mach-O binary)
× KeRanger (Ransomware, infected transmission package)

9. OS X Challenges
× Not nearly as many public OS X attack toolsets
out there as there are for Windows
× Access vectors are significantly more limited
than Windows as well
× Lateral spread is complicated a bit (no pth!)

10. RATS 101
× We have a number of broad design goals for our
solution:
× Staging flexibility
× Modularity
× (Reasonably) strong crypto
× The “Staging problem”
× Your malicious code has to SOMEHOW get to the target

11. Empyre

13. background
× Python agent and controller
× heavily based on the PowerShell Empire project
× OS X/Linux 2.7 and 2.6 compatible/“living off the land”
× Asynchronous communications (HTTP[s])
× Diffie-Hellman based Encrypted Key Exchange
× Variety of post-exploitation modules

14. Module development
× Like Empire, development is quick due to the
modular structure and use of a scripting
language
× Modules == metadata containers for an
embedded Python script
× Things like option sets, needs admin, opsec safe, save
file output, etc

15. stagers

16. OS X MAcros
× Works on
Office 2011
and below,
otherwise,
we’re stuck
in the...

18. Mach-o binaries
× Mach object file format for executables, object
code, shared libraries, dynamically-loaded code
and core dumps
× We hot-patch a binary with the EmPyre stager
code
× Binary contains the python interpreter

19. Dylib Hijacking
× Ported from @patrickwardle research
× https://www.virusbulletin.com/uploads/pdf/magazin
e/2015/vb201503-dylib-hijacking.pdf
× Abuses search-order loading
× Also a method of persistence in EmPyre

20. Hijack Scanner

21. Dylib Hiijacker

22. Demo: Phishing with EmPyre

23. Host
triage

24. Privilege escalation
× Users often run as admin
× Two prompt modules for credential collection:
× Mac app prompting - osascript
× Screensaver alleyoop - osascript / security
× Elevate using sudo_spawn to spawn a new
EmPyre agent

25. Privilege escalation

26. Chainbreaker
× Keychaindump (juuso)
× Keychain exploitable prior to OS X yosemite to
recover master key from memory
× Decrypt keychain store using master key candidate
× Keychaindump_chainbreaker (n0fate)
× Allows masterkey and password input for decryption
of entire keychain.
× Fully ported to allow on target dumps rather offline

27. Hashdumping
× Built in hashdump module:
× Sudo required of course
× Output is hashcat ready
× Hash format is unique to different OS X series
× 10.8 + uses Salted-SHA512-PBKDF2
× Password -> Iterations -> salt -> hash_pbkd2
× Ultimately very slow hash to crack (H/S)

28. Hashdumping

29. Keylogging
× Uses ruby adapted code from MSF:
× Captures and logs keystrokes to a file currently
× Runs as a separate ruby process

30. screenshots
× Currently supports two separate methods:
× Native - screenshot builtin tool
× Python - using Quartz API call’s
× Environment can dictate the use of native tools
× CGImageDestinationCreateWithUR() and
screenshot only allows a output path for image

31. Clipboard theft
× Great way to target and collect credentials
× Output to file or pipeline:
× Timed collection allows continues monitoring using
background jobs
× Uses non-native method via AppKit API:
× Native pbpaste may be signatured by Carbon Black

33. Demo: Host Triage with EmPyre

34. Network
situational
awareness

35. OS X is on the Domain Too!
× Admins want/need to:
× Enforce corporate policy via Group Policy
× Manage resources
× Manage users
× Advertise resources such as printers
× Benefit from single sign-on access to Active
Directory resources through Kerberos

37. OS X and LDAP
× ldapsearch tool
× opens a connection to an LDAP server, binds, and
performs a search using specified parameters
× dig -t SRV _ldap._tcp.example.com

38. PowerView, OS X Style
× Wanted to mimic the features of PowerSploit’s
PowerView to enumerate Active Directory
× Using ldapsearch, we can mimic “most”
features
× Unfortunately, creates a log entry for every
connection

39. Situational Awareness, AD Enumeration
× get_computers
× get_domaincontrollers
× get_fileservers
× get_groupmembers
× get_groupmemberships
× get_groups
× get_ous
× get_userinformation
× get_users

40. PowerView, OS X Style

41. Overpass-THE-HASH
× Original research by @gentilkiwi and
@obscuresec and OS X research by
@passingthehash
× Upgrading an NT hash into a full Kerberos ticket!
× Utilities
× kinit - acquire initial Kerberos credentials
× klist - list Kerberos credentials
× kdestroy - remove Kerberos credentials

43. Demo: Domain Enumeration with EmPyre

44. Lateral
Movement

45. Os x vs windows
× Common Windows lateral movement methods:
× WMI, PSEXEC, WinRM, Remote Desktop
× OS X disappoints a bit on this front...
× SSH is available but disabled by default
× WinEXE installed through HomeBrew are possible
× EmPyre modules:
× ssh_command / ssh_launcher

46. Web Service Exploitation
× JBoss exploit
× Pass exploit to Empire server

48. Persistence

49. Os x vs windows
× Common Windows persistence methods:
× Registry keys
× Startup folders
× WMI
× DLL hijacks
× Backdoor accounts
× OS X is also quite fruitful:
× Crontabs
× Loginhooks
× Daemons
× Dylib Hijacking

50. Crontabs, Daemons, and Login Hooks
× Login Hook - User Context
× Bash / Applescript / binary execution
× User or any user logon executes payload
× Sets com.apple.loginwindow
× Crontabs - User Context
× Requires Bash / Applescript / binary
× Timed execution of payload
× Great for continued access
× Launch Daemons - Root Context
× Requires sudo
× Spawns determined by XML manifest (reboot)
× Daemons (services) once started will restart upon agent loss

51. Persistence with Dylib Hijacking
× EmPyre implements @patrickwardle research
to scan for hijackable Dylibs!
× rPath search, WeakLib import search
× CreateHijacker module
× allows for quick exploitation
× ease of generating payload
× patching in the path to the legitimate Dylib for proper
execution

52. Questions?
@harmj0y / will [at] harmj0y.net
@424f424f / steveborosh [at] gmail.com
@killswitch_gui / a.rymdekoharvey [at] gmail.com