Empire C&C server detection

Posted by Lion

While currently attending SANS SEC660, we played a lot with the Empire post-exploitation framework on the second day. So I used the time between the lab challenges today to play a bit with its C&C server.

Detect Empire C&C Server

It turns out that, as described here (page 11), the Empire C&C server tries to hide itself: it presents the banner "IIS 7.5" and serves the IIS default page. While that document describes ways to tell that the host is not an IIS server, it still does not say what the server is instead. The methods mentioned there can be looked up via the link above.

Nmap scan of an Empire listener in default configuration

So how can we identify that it is a Python web server after all? Fuzzing the web server allowed me to find a weak spot in the cloak. I do not know whether this is documented anywhere already; if not, take a look.

Sending the server the following request will do the trick:

Look at the Cookie value: that alone is enough to crash the handler thread. The server itself keeps running after the thread crash, so the probe does not take the listener down.

The HTTP response is a server error, and that error is what sheds light on what is really behind the IIS banner.
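The probe described above, packaged as a small script. This is an added example and not code from the post or from the Empire project. The post does not reproduce the exact Cookie value that crashed the handler thread, so the cookie used here (a bare cookie name with no `=` and no value) is an assumption, as are the strings treated as markers of a Python web stack; the two sample responses at the bottom are constructed for offline use and are not captures from a real listener.

```python
import socket

# Assumption (not from the post): a Cookie header with a bare name and no '=' value.
# The post does not reproduce the exact cookie that crashed the handler thread.
PROBE_COOKIE = "session"

# Assumed markers that a Python web stack leaks in an unhandled-error response.
PYTHON_MARKERS = ("Traceback (most recent call last)", "Werkzeug", "Python/", "BaseHTTP")


def build_probe(host, cookie=PROBE_COOKIE, path="/"):
    """Raw HTTP/1.1 GET carrying the (assumed) malformed Cookie header."""
    return (
        "GET {} HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0\r\n"
        "Cookie: {}\r\nConnection: close\r\n\r\n".format(path, host, cookie)
    ).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def classify(raw):
    """Return (verdict, evidence) for the response to the probe request.

    A static IIS default page should not answer an odd Cookie header with a
    5xx, so a server error is the interesting case; Python markers in the
    body or Server header turn 'not IIS' into 'Python web server'.
    """
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    hits = [m for m in PYTHON_MARKERS if m in body or m in server]
    if hits:
        return "python-web-server", hits
    if status is not None and 500 <= status < 600:
        return "server-error-on-cookie", ["status {}".format(status), "Server: " + server]
    return "inconclusive", ["status {}".format(status), "Server: " + server]


def probe(host, port=80, timeout=5):
    """Send the probe over a plain TCP socket and classify the reply (network use)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


# Constructed sample responses for offline use; not captures from a real listener.
SAMPLE_ERROR = (
    b"HTTP/1.0 500 INTERNAL SERVER ERROR\r\nServer: Microsoft-IIS/7.5\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<title>500 Internal Server Error</title>\n<h1>Internal Server Error</h1>\n"
    b"<p>Traceback (most recent call last):\n  File \"listener.py\" ...</p>"
)
SAMPLE_DEFAULT_PAGE = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>IIS7</title></head><body><h1>Welcome</h1></body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, sample in (("error", SAMPLE_ERROR), ("default", SAMPLE_DEFAULT_PAGE)):
            print(name, classify(sample))
```

Run it with a host name or IP to probe a live listener, or with no arguments to see how the two constructed samples are classified. A plain `server-error-on-cookie` verdict with no Python markers is still worth a manual look at the body: a real IIS default page has no reason to fail on the Cookie header at all.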

There might be more techniques available, but this one is fairly simple.
