![](/uploads/1/2/5/7/125735790/921503730.jpeg)
Liniaal allows for the creation of a C2 channel for Empire agents, through an Exchange server. All communication is done through MAPI/HTTP or RPC/HTTP and directly between the Liniaal agent and the Exchange server. No traffic traverses the traditional network boundary as plain HTTP, bypassing most network based detection and blocking.
Liniaal allows Empire to be used as usual, through a high latency, stealthy channel.
A full-end-to-end example is available on YouTube and an outline can be found in the SensePost blog.
Liniaal depends heavily on the libraries created by Ruler. To interface with Powershell Empire you will require version 2.0.
Dependencies:
- Empire version 2.0
Find liniaal stock images in HD and millions of other royalty-free stock photos, illustrations and vectors in the Shutterstock collection. Thousands of new.
The simpliest way to get Liniaal is to use
go get
:Alternatively you can
git clone
the relevant components into your GOPATH:Building
You can build your own binaries using Go:
Pre-built Binaries
Compiled binaries for Linux, OSX and Windows are available. Find these in Releases
![Liniaal Liniaal](http://i.ytimg.com/vi/AxJwB9wuoss/maxresdefault.jpg)
Note:Outlook will need to be open on your target's host! The Empire agent uses the MAPI end-points exposed by Outlook and these are only available while Outlook is running
Firstly copy the stager and listener to the relevant directories within Empire.
Setting up Empire listener
To setup the listener within Empire:
There are two new options Folder and EmailAddress, of which only Folder is mandatory. Folder allows you to specify a name for the hidden folder used for communication. The default folder name is Liniaal.The EmailAddress is used to provide an email address for Liniaal to use on the client-side. This may be required in instances where users have multiple mailboxes. If this is set, the agent will locate the correct mailbox and use that for communication. If EmailAddress is left blank, the agent will use the primary mailbox. This should be sufficient in most cases and provides you with a generic listener, which can be used with multiple targets.
Change these to a custom values if you wish and then execute the listener.
Now create your launcher: Liniaal only supports powershell agents!
Setup Liniaal
Now that Empire is up and running, you need to setup the Liniaal agent to translate/transfer requests between Empire and Exchange.
The interface is similar to Empire and allows you to set the required fields. These are similar to those used in Ruler. THe important fields are:
- EmailAddress
- Username (except for Office365/Outlook domains)
- Password
- Folder
- Host
Ensure that the Folder is the same as set in Empire.Host is our Empire listener address.
Once the required values are set, start the Liniaal agent:
The agent's status/actions will be shown and dynamically updated.
Get your shell
Now your communication channel is setup, you can execute the powershell launcher (generated through Empire) on your target. How you do this depends fully on you. You could even pop it through Ruler.
The channel is slow, it can take upto two minutes for the Empire agent to be come active and usable through Empire. You should see the following while the agent is communicating through Liniaal:
Once the agent is setup you can use the agent through the Empire inteface as you normally would.
As noted before, Liniaal requires Outlook to be running. You will also require valid credentials for the target user. And it is assumed you have a way to run code on the target host.
The Powershell agent does not have any persistence or ability to respawn itself. It is also dumb at the moment; if Outlook stops running, the agent stops running and you will need to get it back manually (PR requests with a fix are welcome!)
![](/uploads/1/2/5/7/125735790/921503730.jpeg)