Using Empire with a Reverse Proxy
Here is an example of how I use Empire. In this example I won't run through setting up HTTPS but will only document the HTTP approach. I am using Ubuntu 16.04 LTS and cloning Empire from the master branch.
Installing and Configuring LXC
I prefer to host Empire in an LXC container, which saves installing additional packages on the host. It's also light enough to use on a VPS, so there's no need to worry about resources.
First off you need to install LXC:
apt install lxd
Once installed, ensure you have run through the initial setup, accepting the defaults:
lxd init
You then need to create a new container; I have named mine EmpireC:
lxc launch ubuntu:16.04 EmpireC
Once created you can now configure Empire.
Installing and Configuring Empire
So, you need to ensure that you are interfacing with the container and not installing Empire on the host. At this point I launch screen and then execute an interactive bash shell on the container using the following command:
lxc exec EmpireC -- /bin/bash
With the screen session running I can detach (CTRL + A + D) and reattach (screen -x) to gain easy access back to the container; it also keeps Empire's listener active.
Use the container like normal: perform apt updates and the usual preparations you like to do for Empire. Then clone and install Empire using the following commands:
git clone https://github.com/EmpireProject/Empire.git
cd Empire/setup
./install.sh
I got an error with urllib3 on launching Empire, so you might need to use the following commands to fix this:
apt remove python-urllib3
pip install 'urllib3<1.23,>=1.21.1'
Once you have launched Empire, start an HTTP listener as per the normal process; however, ensure that the Host option is set to your external DNS name. I use Cloudflare to manage my DNS so I can quickly amend the IP if it gets blocked on engagements.
Setting up WordPress
We are looking to mask Empire with a fully functioning WordPress site in front of it, so let's install Linux, Nginx, MySQL and PHP (the LEMP stack). Ensure you have exited from the container before proceeding.
I follow the guide at https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04, as it covers every step for the LEMP stack installation.
Then follow the instructions at https://codex.wordpress.org/Installing_WordPress to install WordPress.
Configure the Reverse Proxy
Once the WordPress site is fully functioning you will need to grab the IP of the container and then reverse proxy to the Empire instance. You can grab the IP with ip addr if you are still interacting with the container, or with the following command if you are not:
lxc exec EmpireC -- ip addr
With the IP address obtained, you then need to update the nginx configuration file for the default site with the additional lines below; however, ensure the user agent matches that of the Empire listener:
error_page 404 = @notfound;
location @notfound {
    # Requests that would 404 on the WordPress site but do not carry the
    # listener's user agent are bounced back to the front page.
    if ($http_user_agent != "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"){
        return 302 /;
    }
    # Pass the original host and client details through to Empire.
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # The container IP obtained above.
    proxy_pass http://10.144.249.182;
}
Final Adjustments
As the agent is checking in via a reverse proxy the true IP address is lost. However, if you amend the Flask functions check_ip, handle_get and handle_post within lib/listeners/http.py and replace the clientIP variable with the snippet below, then the true IP should be recorded.
# Behind the proxy request.remote_addr is nginx itself, so prefer the
# forwarded address when the header is present.
if request.headers.getlist("X-Forwarded-For"):
    clientIP = request.headers.getlist("X-Forwarded-For")[0]
else:
    clientIP = request.remote_addr
clientIP = clientIP.encode('utf-8')
I have also submitted this as a pull request to the Empire project.
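One caveat on the snippet above: the header value it takes is the whole comma-separated X-Forwarded-For list, and the connecting client can send its own entries ahead of the one nginx appends, so the left-hand part is attacker-chosen text while only the rightmost entries were written by proxies you control. The following is an added example (not code from the post or from the Empire project) of the usual way to recover the real peer: walk the list from the right, skip proxies you trust, and fall back to the TCP peer when the header is absent, malformed or did not arrive via your proxy. The trusted proxy address 10.144.249.1 is a constructed placeholder for the host side of the LXC bridge, which the post does not give.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder: the nginx host as seen from inside the container.
TRUSTED_PROXIES = {"10.144.249.1"}


def _is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(xff_header: Optional[str], remote_addr: str,
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the nearest hop that is not one of our trusted proxies.

    X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the
    peer it accepted the connection from. Entries on the left came from the
    client and can say anything; the rightmost ones were written by proxies
    under our control. Walking from the right and skipping trusted proxies
    gives the first address we cannot vouch for, i.e. the real client as far
    as our own infrastructure can tell.
    """
    trusted = set(trusted_proxies)
    # Connection did not arrive through our proxy: the header is untrusted.
    if remote_addr not in trusted:
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_ip(hop):
            # Malformed entry: stop rather than record attacker-chosen text.
            return remote_addr
        if hop not in trusted:
            return hop
    # Header empty or every hop trusted: nothing better than the TCP peer.
    return remote_addr
```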
There you go: you should now have a fully functioning WordPress site that directs traffic with the correct user agent to the Empire instance within the container.