Listeners

Listeners 101

The first thing you need to do is set up a local listener. The listeners command will jump you to the listener management menu. Any active listeners will be displayed, and this information can be redisplayed at any time with the list command. The info command will display the currently set listener options.


The info command will display the currently configured listener options. Set your host/port by doing something like set Host http://192.168.52.142:8081. This is tab-completable, and you can also use domain names here. The port will automatically be pulled out, and the backend will detect whether you’re setting up an HTTP or HTTPS listener. For HTTPS listeners, you must first set the CertPath to be a local .pem file. The provided ./setup/cert.sh script will generate a self-signed cert and place it in ./data/empire.pem.

Set the optional WorkingHours, KillDate, DefaultDelay, and DefaultJitter values for the listener, as well as whatever name you want it to be referred to as. You can then type execute to start the listener. If the name is already taken, a nameX variant will be used, and Empire will alert you if the port is already in use.

The defaults for options such as KillDate, WorkingHours, etc. can be set in the backend SQLite database located at ./data/empire.db. These options can be set in the ./setup/setup_database.py file, which is run on initial startup and through ./setup/reset.sh.
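
For defenders, a fixed delay with bounded jitter (what DefaultDelay and DefaultJitter configure, as assumed here) shows up in proxy logs as one client contacting one destination at near-constant intervals. The following is an added detection example, not part of Empire or the original page; the log format, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log (timestamp, client, destination); not real traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:00 ws-14 192.0.2.10:8081
2024-01-10T09:00:02 ws-22 intranet.example:443
2024-01-10T09:00:05 ws-14 192.0.2.10:8081
2024-01-10T09:00:09 ws-14 192.0.2.10:8081
2024-01-10T09:00:11 ws-22 intranet.example:443
2024-01-10T09:00:15 ws-14 192.0.2.10:8081
2024-01-10T09:00:20 ws-14 192.0.2.10:8081
2024-01-10T09:00:24 ws-14 192.0.2.10:8081
2024-01-10T09:01:40 ws-22 intranet.example:443
2024-01-10T09:01:41 ws-22 intranet.example:443
2024-01-10T09:06:00 ws-22 intranet.example:443
2024-01-10T09:06:30 ws-22 intranet.example:443
"""

def parse(log):
    """Yield (epoch_seconds, client, destination) for each log line."""
    for line in log.splitlines():
        ts, client, dest = line.split()
        yield datetime.fromisoformat(ts).timestamp(), client, dest

def find_beacons(records, min_events=6, max_spread=0.3):
    """Map (client, dest) -> (median gap in s, relative spread) for pairs
    whose gaps between requests all stay within max_spread of the median."""
    seen = defaultdict(list)
    for ts, client, dest in records:
        seen[(client, dest)].append(ts)
    hits = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        spread = max(abs(g - mid) for g in gaps) / mid if mid else float("inf")
        if spread <= max_spread:
            hits[pair] = (mid, round(spread, 2))
    return hits

if __name__ == "__main__":
    for pair, (mid, spread) in find_beacons(parse(SAMPLE_LOG)).items():
        print(pair, f"interval~{mid:.0f}s spread={spread}")
```

On the constructed log only the ws-14 pair is reported; ws-22's irregular browsing gaps exceed the spread threshold.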

Pivot Listeners

Pivot listeners will open up a port on an agent’s machine that redirects to an existing listener, allowing you to stage new agents on a network through your pivot. You will need administrative privileges on a machine in order to open up a pivot.

To set up a pivot listener, from an agent menu type usemodule management/redirector. Set the port for the agent with something like set ListenPort 1234, and set an existing listener to redirect to with set Listener listener_name. Listener names should be tab-completable. Then type execute, and your agent should display a message like “[+] successfully added redirector on port 1234 to http://192.168.52.142:8080” after it checks in.

Jump back to the listeners menu with listeners, and your pivot should now be exposed as a listener. The Name will be the agent ID/name, and the Redirect Target will have the listener name the pivot is redirecting to. The delay/killdate/etc. options will be cloned from the listener you’re redirecting to.

You can create launchers/macros/dlls/etc. for the listener just like any other (e.g. launcher NAME). If you want to kill it with kill NAME, Empire will task the appropriate agent in the background to kill the pivot.

Hop listeners

Hop listeners utilize a hop.php file similar to the Reverse Hop HTTP Stager in Metasploit. First you need to generate a hop.php file that redirects to an existing listener. After you’ve started an existing listener, generate hop.php through its stager. Place this hop.php file in some location on your jump server. Then jump back to the listeners menu, set the Type to hop, set your host to the full URI of the hop.php location, and set the RedirectTarget to your original listener. Then execute it.

You can now use this listener to generate launchers/stagers/etc. like a ‘normal’ listener, and all traffic will be redirected through your hop.php location and back to your original listener.

Foreign Listeners

If you have a second Empire C2 server that you want to easily be able to pass sessions to, complete the relevant Host and Staging Key information, and then set the listener type to foreign. This prevents the listener from actually being started on your C2 server. You can now use the listener’s alias to inject or spawn additional agents as desired. There’s more on this in the Session Passing section.