Identifying Empire HTTP Listeners

Empire is a popular open source post-exploitation framework. The framework can very roughly be broken down into two parts: agents and listeners. An agent is an implant that lives on the victim’s computer. A listener resides on the attacker’s command and control server and handles communication with the agent. A lot of work has gone into making agents difficult to find. Less has been done to hide listeners. In this write up, I point out mistakes that have been made in Empire’s HTTP listeners and then look at some listeners found in the wild. Empire has five different HTTP-based listeners. From a network point of view, they’re similar in that a request to “/” results in a 404 Not Found error. albinolobster@ubuntu:~$ curl -i http://192.168.1.204/ HTTP/1.0 404 NOT FOUND Content-Type: text/html Content-Length: 233 Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Server: Microsoft-IIS/7.5 Date: Thu, 16 Nov 2017 21:36:21 GMT <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>404 Not Found</title> <h1>Not Found</h1> <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p> Perhaps that response doesn’t look interesting, but it’s enough to fingerprint an Empire HTTP listener. Creating the Shodan Filter One of the important things to know about...
Read more