An Introduction to Starkiller

Vincent Rose | Jacob Krasnov | Anthony Rose

Today we are excited to announce the release of Starkiller! Our multi-user GUI application for interfacing with the Empire C2 server from any computer. Starkiller represents a huge step forward for red teams trying to operate together on engagements. It comes with a lot of functionality that we will get into shortly, first let’s give a shout out to Vinnybod. He has been a core member of the BC-Security team and leads the development of Starkiller from behind the scenes. Now let’s get into all the features that are packed into our new application.

Setting Up Empire

In order to utilize Starkiller with Empire, you have to start the server slightly different than usual. The standard way to start Empire is to simply run ./empire from the Empire folder. To setup the RESTful API with Empire, you will run ./empire –rest. This will start a command line instance of Empire on the C2 server as well as the RESTful API.

The default port that the API starts on is 1337 with the default username: empireadmin and password: password123. The username and password can be changed using –username <username> and –password <password>. The empire instance can also be run in a headless configuration without the command line by running ./empire –headless.

For full documentation on the various options, see the Wiki. It should also be noted that a minimum Empire version of 3.1.1 is recommended for the best user experience.

Setting up Starkiller

Now that we have the Empire instance started up properly, let’s get into setting up Starkiller. You can either download a pre-compiled version off of the releases page or clone the repo and run in development mode. Detailed install instructions can be found on the Starkiller Github.

Launch Starkiller with ./starkiller-1.0.0.AppImage –no-sandbox on Linux or by using the .dmg or .exe for Mac and Windows, respectively.

If you have set up a different username or are running from a host other than locally, then update those fields. Upon login, you will land at the Listeners menu. If any listeners were started from the command line, they would automatically be displayed by Starkiller.

Creating a New Listener

To launch a new listener, click the button in the upper right-hand corner. This will open a menu with a drop-down for the type of listener you would like to create. In our example, we are going to create a new HTTP listener. You will select a listener type and the window will update with all the mandatory fields that must be filled for the launcher to be executed. Most of these will have prefilled values, but a port number will need to be provided. This can be any port that’s not already in use, as of right now, Empire still only supports one listener per port. If you scroll down to the bottom, there will also be an expansion table labeled optional. If you click on this, it will expand to show the additional options. This feature is common across Starkiller for listeners, modules, and stagers.

When you hit submit, Starkiller will ask you to confirm and then take you back to the listener menu, where there will now be a new listener displayed as active. If you click on a listener, it will show all the current settings.

Generating a Stager

To create a stager for a running listener, simply click on the suitcase icon below the listener icon. This will take you to the stager menu and any previously built stagers will appear here for future use.

Just like in the listener menu, new stagers can be added by clicking on the top right button. The layout for the stagers is identical to that of listeners. There is a provided drop-down that allows you to select the type of stager that you want to generate. Then a menu will auto-populate with the required options filled out. Once you hit submit, you will be prompted to confirm and then the stager will be displayed after it’s generated (some stagers take longer than others).

Next to the stager will be a green and red icon. The green icon will either copy the stager to your clipboard or prompt you for a file location to download the stager depending on the stager type (the green button will have either a paperclip or download icon). The red button will delete the stager from Starkiller’s database.

Interacting with an Agent

Clicking on the interlocked links icon will take you to the Agents menu. Here you will see all the agents that have checked in. If an agent has failed to check-in within the lost limit, it will turn red as shown above. Clicking on an agent will open a window with multiple tabs, the first tab displays all the info related to the agent such as the user context the agent is running in, the process integrity level and other relevant details. The bottom half of the window displays the commands and results that have been previously run. Each command is also tagged with the user that ran the command, commands ran from the server directly are tagged as unknown.

The interact tab allows you to run shell commands from within the agent. These commands will be run on the compromised host and commands can not be run on the server from Starkiller. The execute module tab allows the user to search for the module desired. Once the module has been selected, the required fields will be populated. Underneath the module name, the module author will be displayed. Clicking on this will provide additional information on the module, such as if the module is opsec safe or requires admin privileges.

The other tabs are actions that can be completed by the agent. As their names imply, they will clear all the queued tasks, kill the agent, or remove the agent from the database. Pressing the x in the top right corner will exit the agent window and take you back to the list of agents.

Modules Menu

The modules menu provides a quick way to look at all the available modules in Empire and look for key conditions such as requiring admin privileges, whether it is opsec safe or what language the module is for. It also has a search bar in the top right to quickly find a module you may be interested in. Agents cannot be tasked from this menu.

Credentials Menu

Starkiller includes a credentials management page so that all users can have access to the same list of users and passwords. The database is automatically populated from modules ran, such as Mimikatz.

User Management

Empire 3.1 expands the functionality of the REST API to include a new user management interface. Previously, Empire did not allow for multiple users to collaborate and all activity was tracked as a single user. The new multi-user collaboration features added the ability to have multiple users interacting with the C2 server while tracking their individual taskings.

Starkiller leverages the new API by allowing the admins to create and manage user accounts for the Empire C2 server. Multiple users can now login for remote locations and share agents through the interface. The advantage of multiple accounts is that reports can be generated for individuals or the entire team, depending on your goals.

The username defined when starting the REST API is automatically made the server admin. They have the sole capability to add users and can turn off accounts when necessary. To add or manage users click on the Users tab.

Wrap-up

Starkiller represents a major step forward for the use of Empire during Red Team engagements. Multi-user support has been needed for some time and collaboration has become a central tenant for modern engagement. We plan to continue developing and improving Starkiller alongside Empire and look forward to hearing feedback from the community. If you encounter a bug or have a feature recommendation please open an issue on the Git repo.

The post An Introduction to Starkiller appeared first on BC Security.