emp3r0r

A post-exploitation framework for Linux/Windows

emp3r0r-reverse-proxy-demo.mp4

More Screenshots and videos

---

Motivation

Initially, emp3r0r was developed as one of my weaponizing experiments. It was a learning process for me trying to implement common Linux adversary techniques and some of my original ideas.

So, what makes emp3r0r different? First of all, it is the first C2 framework that targets Linux platform including the capability of using any other tools through it. Take a look at the features for more valid reasons to use it.

To support third-party modules, emp3r0r has complete python3 support, included in vaccine module, 15MB in total, with necessary third party packages such as Impacket, Requests and MySQL.

---

Features

• Beautiful Terminal UI
  • Use tmux for window management
• Stealth
  • Automatically changes argv so you won't notice it in ps listing
  • Hide files and PIDs via Glibc hijacking (patcher in get_persistence)
  • Built-in Elvish Shell with the same disguise as main process
  • Bring Your Own Shell or any interactive programs via custom modules such as bettercap
  • All C2 communications made in HTTP2/TLS
  • Defeat JA3 fingerprinting with UTLS
  • Painlessly encapsulated in Shadowsocks and KCP
  • Able to encapsulate in any external proxies such as TOR and CDNs
  • C2 relaying via SSH
• Staged Payload Delivery for both Linux and Windows
  • HTTP Listener with AES and compression
  • DLL agent, Shellcode agent for Windows targets and Shared Library stager for Linux
• Automatically bridge agents from internal networks to C2 using Shadowsocks proxy chain
  • For semi-isolated networks, where agents can negotiate and form a proxy chain
• Any reachable targets can be (reverse) proxied out via SSH and stealth KCP tunnel
  • Bring any targets you can reach to C2
  • Useful when targets can't establish outgoing connections but can accept incoming requests
• Multi-Tasking
  • Don't have to wait for any commands to finish
• Module Support
  • Provides python3 environment that can easily run your exploits/tools on any Linux host
  • Custom Modules
• Perfect Shell Experience via SSH with PTY support
  • Compatible with any SSH client and available for Windows
• Bettercap
• Auto persistence via various methods
• Post-exploitation Tools
  • Nmap, Socat, Ncat, Bettercap, etc
• Credential Harvesting
  • OpenSSH password harvester
• Process Injection
• Shellcode Injection
• ELF Patcher for persistence
• Packer
  • Encrypts and compresses agent binary and runs agent in a covert way
• Hide processes and files and get persistence via shared library injection
• Networking
  • Port Mapping
    • From C2 side to agent side, and vice versa
    • TCP/UDP both supported
  • Agent Side Socks5 Proxy with UDP support
• Auto Root
• LPE Suggest
• System Info Collect
• File Management
  • Enables resumable downloads/uploads
  • SFTP support: browse remote files with any SFTP client, including your local GUI file manager
• Log Cleaner
• Screenshot
• Anti-Antivirus
• Internet Access Checker
• and many more :)