One of the lesser-known features in Empire is the ability to use alternative Command and Control (C2) methods. Specifically, we can leverage the Dropbox API as a C2 channel, which can utilize existing architecture inside a network and obfuscate web traffic. If you are interested in other listener options, you can learn more by reading our previous blog posts on the Malleable HTTP C2 and OneDrive listeners. For this walkthrough, we will be using our upcoming Empire 4.0 release, which is currently in closed beta for our Sponsors and will be released for open beta soon on Kali. (You can still follow along with the current version of Empire in our git repo, as the steps remain unchanged.)
The Dropbox listener requires two distinct steps: setting up the listener in Empire and then configuring an application to use the Dropbox API. This is slightly more complicated than a basic HTTP listener but will be broken down step-by-step below. The first step is to launch the listener inside of Empire by typing:
Entering the listener menu will provide info (if any is documented) about the listener and options for configuration. Note that the only option displayed for the Dropbox listener that is required and not configured is the APIToken, which will require setting up a Dropbox developer account.
Dropbox Account Creation
You will have to navigate to the Dropbox developer page and set up an account to access this feature. We recommend that you set up a new account for the Empire listener, since Dropbox may disable your account and you would lose access to your data. Luckily, they offer a 2 GB basic plan which is FREE.
Warning: Use at your own risk, we take no responsibility if your Dropbox account becomes disabled.
Once you have an account set up, you will be able to access the developer options, and you will need to click on the App Console tab at the top of the screen.
From the App Console, you will be given the option to create a new application, click on Create app.
Dropbox migrated their API from v1 to v2 a few years ago, so this may look unfamiliar if you haven’t accessed this page (relatively) recently. You now have to select a scoped access application and then give it access to all files and folders in a user’s Dropbox. More permissions will be required, so this gives us an easy starting place. Then name the application with something that won’t give itself away instantly (e.g., totally_not_empire).
Now you will create the application and will be presented with configuration options. The first thing we will do is update the permissions so that a user can make modifications to files and folders.
Specifically, you will be granting access to the following options. Just a note, you need to change all of these permissions before generating an access token.
- Files.metadata.write – View and edit information about your Dropbox files and folders
- Files.metadata.read – View information about your Dropbox files and folders
- Files.content.write – Edit content of your Dropbox files and folders
- Files.content.read – View content of your Dropbox files and folders
Next, you will need to return to the settings page and enable additional users. This will ensure that the Empire server can communicate with Dropbox and that your agents can also communicate through Dropbox to your Empire server.
Now you can generate your access token (APIToken). Be sure to select no expiration for your access token. Otherwise, it will expire after 4 hours, and you will need to reconfigure your listener and agents with a new token.
Empire Dropbox C2
Now that we have gone through configuring Dropbox, you can set your APIToken for the Dropbox listener. This can be done by typing:
set APIToken <your_token>
Assuming everything went according to plan, you will see a notification that the Dropbox listener successfully started. We recommend generating a new token if you receive an error since the permissions sometimes don’t update properly for the Dropbox access token. Once you have an active listener, you can next generate a launcher to try out the C2 channel. For this example, we will be using the multi/launcher, which can be accessed by:
Technically, you only need to set the listener to generate this launcher. However, the default Empire payload has been extensively signatured and will be instantly caught by most antivirus products. You will have to do some custom obfuscation to get the payload through, but for testing purposes, it is easiest to disable real-time protection and run the payload directly in your PowerShell terminal. If you are interested in learning more about obfuscation, you can check out our recent webinar that explores basic .NET and PowerShell obfuscation techniques: Evading Detection: A Beginner’s Guide to Obfuscation.
Once you deploy your launcher, you will receive a few notifications and warnings. These aren’t anything to worry about and are purely informational.
Empire updates the Dropbox directories to be used as a C2 during the agent’s initial staging. This is done by creating a series of folders and text documents that will be used to transfer information. For example, the staging folder is used for sending Stage 2 of the agent, the taskings folder is used for sending tasks (e.g., Mimikatz, Seatbelt, etc.) to the agent, and the results folder returns the output of the tasks that were run.
Finally, after all the architecture setup, you can interact with your agent and try out your new infrastructure. Keep in mind that the default beacon time is 60 seconds, so responses may feel slow compared to the default HTTP listener. You can update this when you set up your listener. However, if the purpose is to look like Dropbox traffic, then you should keep the default beaconing.
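From the defender's side, the fixed 60-second polling of the Dropbox API by a process that is not the Dropbox client is the observable trait of this channel. The following is an added example, not code from this post or from Empire, that flags such steady polling in a constructed log; the log format, the expected-process list and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Dropbox's public API hostnames, used by any application built on the API.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: the only process expected to talk to Dropbox in this environment.
EXPECTED_PROCESSES = {"dropbox.exe"}

# Constructed sample proxy/EDR log: time, source host, process, destination.
SAMPLE_LOG = """\
2021-05-01T10:00:00 ws-17 powershell.exe content.dropboxapi.com
2021-05-01T10:00:05 ws-09 chrome.exe api.dropboxapi.com
2021-05-01T10:00:07 ws-09 chrome.exe api.dropboxapi.com
2021-05-01T10:00:30 ws-04 dropbox.exe api.dropboxapi.com
2021-05-01T10:01:01 ws-17 powershell.exe api.dropboxapi.com
2021-05-01T10:02:00 ws-17 powershell.exe content.dropboxapi.com
2021-05-01T10:03:02 ws-17 powershell.exe api.dropboxapi.com
2021-05-01T10:04:00 ws-17 powershell.exe content.dropboxapi.com
2021-05-01T10:12:40 ws-09 chrome.exe api.dropboxapi.com
2021-05-01T10:12:41 ws-09 chrome.exe api.dropboxapi.com
2021-05-01T10:40:00 ws-09 chrome.exe api.dropboxapi.com
"""

def parse(log):
    """Yield (timestamp, host, process, dest); malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, host, proc, dest = parts
            yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def find_beacons(log, min_events=5, max_jitter=0.2):
    """Flag unexpected processes polling the Dropbox API at a steady interval."""
    seen = defaultdict(list)
    for ts, host, proc, dest in parse(log):
        if dest in DROPBOX_API_HOSTS and proc not in EXPECTED_PROCESSES:
            seen[(host, proc)].append(ts)
    findings = []
    for (host, proc), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_events or mean(gaps) == 0:
            continue
        jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of gaps
        if jitter <= max_jitter:
            findings.append((host, proc, round(mean(gaps)), round(jitter, 2)))
    return findings
```

Per-process attribution needs endpoint or proxy telemetry that records the originating process; tune `max_jitter` and the expected-process list to the environment.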
Just to make sure this is covered again, you are using this at your own risk, and we do not take responsibility if your Dropbox account becomes disabled. In addition, this tool is for testing and educational purposes only, with the system owner’s permission, and should not be used maliciously. With that said, enjoy adding the Dropbox listener as part of your red team infrastructure. If you are looking to learn more advanced red team infrastructure techniques, then check out Advanced Threat Emulation: Red Teams. Sign-ups at Black Hat USA 2021 are now available.
The post Empire Dropbox C2 Listener appeared first on BC Security.