Emp3R0R – Linux Post-Exploitation Framework Made By Linux User

[sc name=”ad_1″]

linux post-exploitation framework made by linux user

Still under active development

what to expect (in future releases)

packer: cryptor + memfd_create
packer: use shm_open in older Linux kernels
dropper: shellcode injector – python
injector: inject shellcode into another process, using GDB
port mapping: forward from CC to agents, so you can use encapsulate other tools (such as Cobalt Strike) in emp3r0r’s CC tunnel
dropper: shellcode injector – dd
dropper: downloader (stage 0) shellcode
network scanner
passive scanner, for host/service discovery
exploit kit
conservative weak credentials scanner
auto pwn using weak credentials and RCEs

why another post-exploitation tool?

why not? i dont see many post-exploitation frameworks for linux systems, even if there were, they are nothing like mine

as a linux user, the most critical thing for remote administration is terminal. if you hate the garbage reverse shell experience (sometimes it aint even a shell), take a look at emp3r0r, you will be impressed

yes i just want to make a post-exploitation tool for linux users like me, who want better experience in their hacking

another reason is compatibility. as emp3r0r is mostly written in Go, and fully static (so are all the plugins used by emp3r0r), it will run everywhere (tested on Linux 2.6 and above) you want, regardless of the shitty environments. in some cases you wont even find bash on your target, dont worry, emp3r0r uploads its own bash and many other useful tools

why is it called emp3r0r? because theres an empire

i hope this tool helps you, and i will add features to it as i learn new things

what does it do

glance

beautiful terminal UI
perfect reverse shell (true color, key bindings, custom bashrc, custom bash binary, etc)
auto persistence via various methods
post-exploitation tools like nmap, socat, are integreted with reverse shell
credential harvesting
process injection
ELF patcher
hide processes and files via libc hijacking
port mapping, socks5 proxy
auto root
LPE suggest
system info collecting
file management
log cleaner
stealth connection
internet access checker
autoproxy for semi-isolated networks
all of these in one HTTP2 connection
can be encapsulated in any external proxies such as TOR, and CDNs
and many more…

core features

transports

emp3r0r utilizes HTTP2 (TLS enabled) for its CC communication, but you can also encapsulate it in other transports such as TOR, and CDNs. all you need to do is tell emp3r0r agent to use your proxy

also, emp3r0r has its own CA pool, agents trusts only emp3r0r’s own CA (which you can generate using build.py), making MITM attack much harder

below is a screenshot of emp3r0r’s CC server, which has 3 agent coming from 3 different transports

auto proxy for agents without direct internet access

emp3r0r agents check if they have internet access on start, and start a socks5 proxy if they do, then they broadcast their proxy addresses (in encrypted form) on each network they can reach

if an agent doesn’t have internet, its going to listen for such broadcasts. when it receives a working proxy, it starts a port mapping of that proxy and broadcasts it to its own networks, bringing the proxy to every agent it can ever touch, and eventually bring all agents to our CC server.

in the following example, we have 3 agents, among which only one ([1]) has internet access, and [0] has to use the proxy passed by [2]

agent traffic

every time an agent starts, it checks a preset URL for CC status, if it knows CC is offline, no further action will be executed, it waits for CC to go online

you can set the URL to a GitHub page or other less suspicious sites, your agents will poll that URL every random minutes

no CC communication will happen when the agent thinks CC is offline

if it isnt:

bare HTTP2 traffic: