During my study time for mobile application testing, I came to the realization that there are a lot of bad coding practices taking place in the mobile realm. Apps are rushed out the door in order for a company to compete with others. A lot of devs are not security minded, and I can imagine they just have to get the app done by a deadline. This is how mistakes are made.

Static analysis is a very important phase in a mobile app test. Disassembling an Android app can provide near source, making it very easy to read. That is, if you know how to read Java, or understand commonly used Android libraries and techniques. Wanting to have a deeper understanding of what I was looking at, encouraged me to learn some Android/iOS developing skills.

After playing around with some chapters in a book, I felt like I learn best, by doing. So, I decided to write a mobile GUI/app for Empire. This is possible because Will “harmj0y” Schroeder also provided us with a RESTful API for Empire.

This app is meant to be a companion to Empire, not a substitution. Operators can perform actions within the extent of the API, while AFK. I included most of the API calls, but not all. Only what I thought was feasible and usable in a mobile application. My goal was to keep things as dynamic, easy to use, and safe as possible. Getting a mobile OS to trust a self-signed cert is tricky. Since Empire uses self-signed certs and often might not be tied to a domain name, I needed to find the best way to deal with this. An alteration to the “cert.sh” script in Empire’s setup folder had to be made in order for Android/iOS to accept a self-signed cert. So make sure you pull down the latest version of Empire in order to have the correct cert.sh script. I will also supply the altered cert generation script so you can manually replace it and the certs in your current Empire installation. Note that if you have any active agents, that you will lose them if you make these cert changes. Now, during the setup phase for Empire, the installer will prompt the user for a domain name that will go into the cert. It doesn’t matter if you own this domain, or if it’s pointed at your Empire server. It just has to have one. I also added “Empire” to the organization name in the cert. This is used as a trigger word when the app looks for an installed Empire cert. If the app finds the cert, it will then pull the serial number and prompt the user to check and make sure it matches the serial number for the cert on the Empire server. For security reasons, I chose to not store anything locally to the device, and instead keep it all in memory.

Android login cert check

iOS login view

The Empire API uses token based auth, so once you authenticate, you’re provided with a token that will be used in all further requests. This is stored in a global variable and referenced when needed. The next view loaded after authentication is the listeners view. Here you can view current listeners and related info, as well as kill and create listeners.

Android get listeners

iOS create listener

The Agents button will take you to the agents view. Here you can get current agents, which will be dynamically drawn as a checkbox on Android, and a button in iOS. Selecting an Agent will populate the text view(s) to the right with important agent information you will want to view before running any shell commands or modules.

Android agent details

iOS agent details

Stale Agents will be noted in the last checkin time in Android, and on iOS, the text will display as grey when stale and green when still active.

Running shell commands is straight forward.

Android run shell command

iOS run shell command

When using the API, results are not automatically returned, instead they reside in a buffer, and can be displayed when requested. Pressing the “Get Results” button will return that agent’s buffer in a scrollable popup. For Android, pressing outside the dialogue box will dismiss it, and in iOS, pressing the “Okay” button will dismiss it.

Android results dialogue

iOS results popup

Modules are listed dynamically in the app, so you can use any module that is in your installation. All modules are split into their respective categories (Powershell, Python, Exfiltration, External). When selecting a module from the scrollable spinner, an additional request is sent to gather all available options for that module. Prior research on that module should be performed before selecting, to know exactly what the module does and what options are mandatory and which are optional. Supply the options you want. Any option fields left blank will be ignored.

Android powershell modules

iOS powershell modules

iOS module options

The other buttons in the agents view are also straight forward. They only require the agent name you want to run that task on. The “creds” button will pull any credentials you have stored in Empire, and display them in the same Android dialogue, or iOS popup view. The “Events Logged” button will perform a similar action action, but only on the agent requested.

I am supplying a compiled version of each app, along with the project source. The Android app will be signed by a self-signed cert so you can install easily. The iOS app will be an unsigned .ipa file. You will have to sign with your own Apple ID before installing with either Cydia Impactor, or Xcode. The free Apple ID will sign the app but will expire in 7 days. So you will have to re-sign/re-install every 7 days unless you pay for a developer license from Apple. There are installation instructions in the github readme page. This is a beta version, so more field testing will likely result in changes. These apps have only been tested on a few different screen sizes. So if you have an older device with a smaller screen, things may not render correctly. Party on!!!

https://github.com/EmpireProject/EmpireMobile

https://github.com/EmpireProject/Empire

https://github.com/EmpireProject/Empire/wiki/RESTful-API

http://www.cydiaimpactor.com/

https://developer.apple.com/xcode/

https://developer.apple.com/programs/

https://developer.android.com/studio/