Empire (v2) Hooks via REST

bluescreenofjeff is doing amazing stuff with automating tasks in Cobalt Strike (CS), and I must admit quite a bit of CS jealousy from the first time I was introduced to it. Aggressor scripts are the shiz-nit. We’re all doing similar tasks in this offensive security field, and automation is a big part of it. Doing something once is fine, doing the same exact manual operation multiple times is heresy.

Wanting this same kind of automation in Empire, I started digging into the REST API which would allow some control over Empire via a web interface using POST/GET/DELETE requests. There was also this post by Black Hills Infosec   about automating Empire on startup, the idea being the immediate startup of a listener when you launch Empire. Their method uses “screen” and sends commands to a screen session. While cool in itself, I was looking for more than just starting listeners.

Unfortunately, the API was mostly broken in v2. Undaunted, I dove into the code to figure out why. Within an hour or so it was clear that the API was broken due to database schema and code changes. The queries, and more importantly the mapped fields, either no longer existed, changed names, or change field types. Some methods no longer existed, or changed names. For instance, many of the listener options have been serialized with Pickle and stored as a “blob” type in the SQLite3 database. Displaying the options back to the user required deserializing the database object. These changes and more have been merged into Empire v2 and now all should work as expected. 

Undaunted, I spent my Saturday refactoring the API code. Most of the GET features were pretty straightforward, and should be working once that pull request is merged (assuming I didn’t fuck something up, which would reject it :/ ). The POST and DELETE features are going to be a bit more challenging as I’m having a difficult time unravelling the data flows and checks within Empire itself.

But for now, querying for information from Empire via its REST API will probably be usable for the masses soon, here’s “agents”:

Screen Shot 2017-04-22 at 10.45.10 PM

Once I got the API working well enough, I pivoted over to hooking Empire into Slack. I’m only scratching the surface here, and barely that. Once the POST and DELETE API functions are working, you could (not that I recommend it) turn Slack into a simple interface for Empire. You know, for pwning systems from your iPhone while sitting in Starbucks.

Anyway, here’s the gist if you want to take it for a spin and get started. You’ll have to setup a webhook in Slack to get it done. Check out bluescreenofjeff’s excellent post on all this. I don’t need to repeat it here.

Screen Shot 2017-04-22 at 10.35.55 PM

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s