emp3r0r

A post-exploitation framework for Linux/Windows

ssh-harvester-demo.mp4

More Screenshots and videos

---

How to use

curl -sSL https://raw.githubusercontent.com/jm33-m0/emp3r0r/refs/heads/master/install.sh | bash

Read the wiki to get started. Please also consider contributing your own documentation there to help others.

Motivation

Initially, emp3r0r was developed as one of my weaponizing experiments. It was a learning process for me trying to implement common Linux adversary techniques and some of my original ideas.

So, what makes emp3r0r different? First of all, it is the first C2 framework that targets Linux platform including the capability of using any other tools through it. Take a look at the features for more valid reasons to use it.

To support third-party modules, emp3r0r has complete python3 support, included in vaccine module, 15MB in total, with necessary third party packages such as Impacket, Requests and MySQL.

---

Features

• Feature-Rich CLI
  • console and cobra for CLI infrastructure
  • Auto-completion for commands and arguments, with syntax highlighting
  • Multi-Tasking support provided by tmux
• Stealth
  • Automatically change argv so you won't notice it in ps listing
  • Hide files and PIDs via Glibc hijacking (patcher in get_persistence)
  • Bring Your Own Shell such as elvish or any interactive programs via custom modules such as bettercap
• All C2 communications made in HTTP2/TLS
  • Defeat JA3 fingerprinting with UTLS
  • Painlessly encapsulated in KCP fast multiplexed UDP tunnel
  • Able to encapsulate in any external proxies such as TOR and CDNs
  • C2 relaying via SSH
• Cross-platform memory dumping, dumping mini-dumps from Windows to be compatible with pypykatz
• Staged Payload Delivery for both Linux and Windows
  • HTTP Listener with AES and compression
  • DLL agent, Shellcode agent for Windows targets and Shared Library stager with compression and encryption for Linux
• Automatically bridge agents from internal networks to C2 using Shadowsocks proxy chain
  • For semi-isolated networks, where agents can negotiate and form a proxy chain
• Any reachable targets can be (reverse) proxied out via SSH and stealth KCP tunnel
  • Bring any targets you can reach to C2
  • Useful when targets can't establish outgoing connections but can accept incoming requests
• Multi-Tasking
  • Don't have to wait for any commands to finish
• Module Support
  • Provides python3 environment that can easily run your exploits/tools on any Linux host
  • Custom Modules
  • Supports various modules formats: exe, elf, python, powershell, bash, dll, and so
  • Ability to run a module as an interactive shell, eg. bettercap, elvish.
  • In-memory execution for modules: bash, powershell, python, and even ELF executables (CGO ELF loader)
• Perfect Shell Experience via SSH with PTY support
  • Compatible with any SSH client and available for Windows
• Bettercap
• Auto persistence via various methods
• Post-exploitation Tools
  • Nmap, Socat, Ncat, Bettercap, etc
• Credential Harvesting
  • OpenSSH password harvester
• Process Injection
• Shellcode Injection
• ELF Patcher for persistence
• Hide processes and files and get persistence via shared library injection
• Networking
  • Port Mapping
    • From C2 side to agent side, and vice versa
    • TCP/UDP both supported
  • Agent Side Socks5 Proxy with UDP support
• Auto Root
• LPE Suggest
• System Info Collect
• File Management
  • Resumable downloads/uploads with integrity verification
  • Recursive downloads with regex filter support
  • Transparent zstd compression for data exfiltration
  • SFTP support: browse remote files with any SFTP client, including your local GUI file manager
• Log Cleaner
• Screenshot
• Anti-Antivirus
• Internet Access Checker
• and many more :)