emp3r0r

A post-exploitation framework for Linux/Windows

Status

• emp3r0r C2 (Linux/Windows) is ready for testing. Please report bugs if you find any.
• Read wiki to get started
• Download from here
• Write modules for emp3r0r with your favorite languages
• SSH harvester is ready for use
• Windows support is ready with fully-interactive shell

Motivation

Initially, emp3r0r was developed as one of my weaponizing experiments. It was a learning process for me trying to implement common Linux adversary techniques and some of my original ideas.

So, what makes emp3r0r different? First of all, it is the first C2 framework that targets Linux platform including the capability of using any other tools through it. Take a look at the features for more valid reasons to use it.

To support third-party modules, emp3r0r has complete python3 support, included in vaccine module, 15MB in total, with necessary third party packages such as Impacket, Requests and MySQL.

Features

• Beautiful Terminal UI
  • Use tmux for window management
• Stealth
  • Automatically changes argv so you won't notice it in ps listing
  • Hide files and PIDs via Glibc hijacking (patcher in get_persistence)
  • Built-in Elvish Shell with the same disguise as main process
  • All C2 communications made in HTTP2/TLS
  • Defeat JA3 fingerprinting with UTLS
  • Painlessly encapsulated in Shadowsocks and KCP
  • Able to encapsulate in any external proxies such as TOR and CDNs
• Multi-Tasking
  • Don't have to wait for any commands to finish
• Module Support
  • Provides python3 environment that can easily run your exploits/tools on any Linux host
  • Custom Modules
• Perfect Shell Experience via SSH with PTY support
  • Compatible with any SSH client and available for Windows
• Bettercap
• Auto persistence via various methods
• Post-exploitation Tools
  • Nmap, Socat, Ncat, Bettercap, etc
• Credential Harvesting
  • OpenSSH password harvester
• Process Injection
• Shellcode Injection
• ELF Patcher (WIP)
• Packer
  • Encrypts and compresses agent binary and runs agent in a covert way
• Hide processes and files (WIP)
• Networking
  • Port Mapping
    • From C2 side to agent side, and vice versa
    • TCP/UDP both supported
  • Agent Side Socks5 Proxy with UDP support
• Auto Root
• LPE Suggest
• System Info Collect
• File Management
  • Enables resumable downloads/uploads
  • SFTP support: browse remote files with any SFTP client, including your local GUI file manager
• Log Cleaner
• Screenshot
• Anti-Antivirus
• Internet Access Checker
• Automatically bridge agents from internal networks to C2
  • For semi-isolated networks
• Proxy via agent to agent SSH connection
  • To bring any targets you can reach to C2
• Interoperability with Metasploit/Cobalt Strike
• and many more :)