Not Your Grandfather’s Empire

I’ve wanted to put this blog together since returning home from DEFCON. Anytime we ran into someone who recognized our swag, they mentioned how much they loved Empire back in the day and didn’t realize it was being actively maintained. This made me reflect on all [...]
Last week we announced a new partnership with Kali for Starkiller and Empire. You can read more about that in our previous post. This post outlines the new features in Empire and Starkiller.
Starkiller
For those who may have missed the last announcement, Starkiller is now easier than ever to install and run from Kali. Simply run apt install starkiller to install it and starkiller to launch it!
Starkiller 1.6 brings a small revamp to the agent screen. The old UI wasted a lot of horizontal real estate; the input fields did not need to span the entire screen. We have moved the task viewer to the right side of the screen, which makes better use of the space.
On the agent screen, we have added a new Tasks tab. It shows the same information as the right-side task viewer, but in a neater table format that matches the reporting screen, filtered to the current agent.
At long last, we bring the upload and download features to Starkiller. On the top right of the agents view, there are two new buttons. For uploads, select the file on your local machine and a destination on the target machine. For downloads, just enter the source file from the target machine. Downloads work for both PowerShell and Python agents. Unfortunately, some recent changes broke uploads on Python agents, but a fix is in the works.
A new Plugins page has been added to Starkiller. From the sidebar, click Plugins. This will give a list of all the plugins that are active on the server. Clicking into one brings up that plugin’s options and allows the user to execute it. The example below uses the SOCKS Proxy Server Plugin to start a SOCKS proxy server.
Sponsors-Only
The sponsors build of Starkiller gets another feature! In addition to the existing features (file browser and chat widget), operators now have access to an interactive agent shell that replaces the task viewer available in the public build of Starkiller. The interactive agent shell works for both PowerShell and Python agents. You can now quickly navigate directories, enumerate processes, and cat files to the terminal while still being able to queue more complex modules on the left-hand side of the screen. If you have used the new Empire-CLI, the shell will feel fairly familiar. This will ship in a sponsors build in the next 1-2 weeks.
Empire
CLI Submodule
The new Empire-CLI will remain in its own repository, but it will now be packaged with the rest of Empire as a submodule. This means you can pull down Empire-CLI as if it were part of the Empire repo by adding --recursive to your git clone command, or, if you already have Empire cloned, by running git submodule update --recursive. In an upcoming release, we will be deprecating the old server CLI. Don’t worry, it’s going to stick around at least until the next major release of Empire (4.0). If you haven’t already seen the new CLI, here is a demo and walk-through from last month.
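The two ways of obtaining a submodule described above, as an added shell example that is not part of this post or of the Empire project: it builds two small, constructed local repositories (the names empire-upstream and cli-upstream are placeholders, not the real repositories), clones the "server" repo once with --recursive and once without, and checks whether the submodule checkout is actually populated. On a clone made without --recursive, the submodule directory stays empty until git submodule update is run with --init, so the example passes --init alongside --recursive. It also sets protocol.file.allow=always, which Git 2.38.1 and later require for local-path submodule URLs; that override exists only for this offline fixture and is not needed for HTTPS or SSH submodule URLs.

```shell
# Added example, not from the Empire project: demonstrates pulling a submodule
# via "clone --recursive" and via "submodule update --init --recursive" on an
# existing clone, using constructed local repositories so it runs offline.
set -eu

# Commit identity for the constructed fixture repositories.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@localhost
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@localhost

# Git 2.38.1+ refuses local-path (file) submodule URLs unless this is set.
# Only the offline fixture needs it; HTTPS/SSH submodule URLs do not.
git_local() { git -c protocol.file.allow=always "$@"; }

# Build a "server" repo that embeds a "cli" repo as the submodule empire-cli.
# Both repository names are placeholders.
make_fixture() {
    work="$1"
    git init -q "$work/cli-upstream"
    ( cd "$work/cli-upstream" \
        && printf 'print("cli")\n' > main.py \
        && git add main.py && git commit -qm 'cli: initial commit' )
    git init -q "$work/empire-upstream"
    ( cd "$work/empire-upstream" \
        && printf 'print("server")\n' > empire.py \
        && git add empire.py && git commit -qm 'server: initial commit' \
        && git_local submodule --quiet add "$work/cli-upstream" empire-cli \
        && git commit -qm 'server: add empire-cli as submodule' )
}

# Path A: a fresh clone with --recursive fetches the submodule in one step.
clone_recursive() {
    git_local clone -q --recursive "$1/empire-upstream" "$1/clone-a"
}

# Path B: an existing plain clone. The submodule directory is present but
# empty until it is initialised: --init registers it, --recursive covers
# nested submodules.
clone_then_update() {
    git clone -q "$1/empire-upstream" "$1/clone-b"
    ( cd "$1/clone-b" && git_local submodule --quiet update --init --recursive )
}

# Succeeds only when the submodule checkout actually contains its files.
submodule_populated() { [ -f "$1/empire-cli/main.py" ]; }

# Demo run: both paths should report a populated submodule.
WORK="$(mktemp -d)"
make_fixture "$WORK"
clone_recursive "$WORK"
clone_then_update "$WORK"
for c in clone-a clone-b; do
    if submodule_populated "$WORK/$c"; then
        echo "$c: empire-cli submodule populated"
    else
        echo "$c: empire-cli submodule EMPTY"
    fi
done
rm -rf "$WORK"
```

The check at the end is the one worth keeping in mind after any clone of a repository that carries submodules: a present but empty submodule directory means the submodule was never initialised, and git submodule update without --init will not fill it.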
Database Management Refactor
All database interaction within the server now goes through the SQLAlchemy ORM. SQLAlchemy provides an abstraction over the database that simplifies a lot of the existing codebase and allows for more options in the underlying database system. Right now only SQLite is supported, but a future release will let you swap in higher-performance databases like MySQL or Postgres with little effort.
Conclusion
We are looking forward to continuing to iterate on Empire and Starkiller. If you want to discuss any of the upcoming changes, you can find us in the BC Security Discord or send us an e-mail at info@BC-Security.org.
Beginning in January, we will be granting Kali users and Sponsors 30-day exclusive early access to Empire and Starkiller before the code is publicly released to our repositories; you can check ...