Powershell Empire: Socks and Pivoting

This blog post is the 3rd in a series on Powershell Empire. If you have not read the first two, you can find them here and here.

In its heyday, Powershell Empire did not have great support for network pivoting, relying mostly on its large collection of modules to get things done from within Empire. As Red and Blue have leveled up their games since the release of Powershell Empire, Socks proxies have become increasingly valuable. The two main benefits to setting up a Socks proxy are:

  • More tools are available to the operator
  • Easier to evade Antivirus

Setting up a proxy to forward traffic to the operator's local machine means any tool that supports a proxy can be used. No longer is an operator constrained to only use tools inside of Empire. Additionally, no tools are actually placed on the victim computer, Antivirus will have a tougher time detecting malicious activity. No binaries on disk, extra process created, or code run through AMSI; the only Red Team artifact is the Socks proxy itself and network traffic sent through the proxy host.

Here's what a Socks proxy with Empire would look like:

Network diagram of a workstation running an Empire agent and a Socks proxy
Network diagram of a workstation running an Empire agent and a Socks proxy client

Socks or it didn't happen

I am proud to say that the experience of setting up a Socks proxy in Empire has gotten much less painful over the last few years. There are now two modules in Empire that let us set up a Socks proxy. Invoke-SocksProxy and SharpChisel.

Invoke-SocksProxy

Every Socks proxy is composed of a Socks server and a Socks client. Before starting the client, we need to start the Socks listener -- similar to how a reverse shell works. The folks from BC-SECURITY wrote a Socks server Empire plugin that we need to grab and put in the plugins folder.

Confirming we have the plugin in our plugins folder
Confirming we have the python script in our plugins folder

Once we have the socksproxyserver.py plugin file inside the plugins folder, we can start Empire and the plugin will be loaded automatically.

Empire loading our socksproxyserver plugin
Empire loading our socksproxyserver plugin

For demonstration purposes, I'm assuming we already have a live Empire agent checking in. Usually this would be the result of a successful phishing campaign, but there are other ways to spawn Empire agents on victim hosts.

Live Empire agent checkin in on a Windows 10 host
Live Empire agent checkin in on a Windows 10 host

We want to spawn a Socks proxy on this agent to enhance our operational abilities inside the agent's network. The first step is to start up our Socks server.

Starting the Socks server using our loaded plugin
Starting the Socks server using our loaded plugin

Step 2 is to run the invoke_socksproxy module.

Viewing the module options of reverse_socksproxy
Viewing the module options of reverse_socksproxy
Starting the socks proxy client on our agent
Starting the socks proxy client on our agent

There is unfortunately no notification that tells us whether or not any Socks clients have connected back to our Socks server, so some testing may be necessary to get things right. A good first step is to check that our ports are listening on the localhost.

Using nmap to verify both the handler port and the proxy port are listening for connections
Using Nmap to verify both the handler port and the proxy port are listening for connections

Assuming things look good there, we can try to test the socks proxy. We will be using the fabulous tool Proxychains through the rest of this blog to send network traffic from any tool through our Socks proxy. We need to make sure Proxychains is configured to point at our socks proxy. Edit /etc/proxychains.conf (or /usr/local/etc/proxychains.conf on Mac) and verify the proxy is configured like so:

Make sure you have `socks5 127.0.0.1 1080` at the bottom of your proxychains.conf file
Make sure you have `socks5 127.0.0.1 1080` at the bottom of your proxychains.conf file

We can do something simple to test that our socks proxy is running. I like probing SMB on the host where the proxy client is running.

Using CrackMapExec to query SMB on our agent
Using CrackMapExec to query SMB on our agent

Great! Our proxy is up and running. We should be able to talk to other hosts on the network now. Let's see if we can hit the Domain Controller.

Using CME with valid Domain Admin credentials to probe SMB on the DC
Using CME with valid Domain Admin credentials to probe SMB on the DC

Yes! We can hit other hosts on the internal network. Let's see if we can get a shell on the Domain Controller through our proxy.

Using Impacket's smbexec script as if we were inside the internal network
Using Impacket's smbexec.py script as if we were on the internal network

We connected to SMB on the Domain Controller through the proxy and can run commands on the DC. Eventually we find out this server is connected to two networks.

Command output for ipconfig on the DC
Command output for ipconfig on the DC

A dual-homed system such as this provides an opportunity to escape our current network and gain access to more hosts. Unfortunately Empire does not yet support SMB pipe agents, so if we want to keep all network traffic going out just the one host, we can't continue to proxy further.

SharpChisel

The other proxy tool included with Empire is Chisel. Chisel is an open source network tunneling client and server written in Go. Through a little bit of programming magic, we can create an embedded Powershell version of the tool. I have also created an Empire plugin for the Chisel server similar to the previous Socks proxy server plugin. Before starting the chisel server, we need to place the chisel binary in data/misc/chiselserver_linux (or data/misc/chiselserver_mac for MacOS). This only needs to be done once.

Moving the downloaded chisel binary to the correct location.
Moving the downloaded chisel binary to the correct location.

Now we can start the Chisel server.

Starting the Chisel listener using the Empire plugin 
Starting the Chisel listener using the Empire plugin 

Using the same agent as before, we can run the management/invoke_sharpchisel module to start our chisel client.

Using the sharpchisel module
Using the sharpchisel module
Viewing the sharpchisel options
Viewing sharpchisel options

Once we have our options set to match the Chisel server, we can run the module.

Running the module
Running the module

Give it a few seconds and we should be able to see a new chisel connection come in.

Viewing currently connected chisel clients
Viewing currently connected Chisel clients

We should be able to use this Socks proxy in exactly the same way as the previous one.

Checking out SMB on the Domain Controller again
Checking out SMB on the Domain Controller again

Conclusion

Getting a socks proxy set up with Empire is not as hard as it used to be. A simple 1 hop proxy can be set up in Empire in only a couple of seconds as opposed to minutes before these modules existed. However, Empire still has a long way to go in providing a mature socks proxy. I would love to see a proxy that sends data using Empire's own communication channel so that a second listener and comm channel do not have to be set up. Additionally, Empire does not yet support peer-to-peer agents which are almost a necessity to continue chaining proxies deeper into a network.

 

This article was updated on December 14, 2020