A presentation covering some of the interesting things going on with Powershell in the Infosec community. I give a brief overview of what powershell is, then go over some interesting aspects of three different offensive powershell frameworks and finally give a demo of how a local user can escalate to domain admin privileges using just these frameworks.
2. Hi, I’m Jared.
Sysadmin for 10 years
Likes to take pictures
Likes to break things
I write stuff occasionally here: https://words.photosandtext.com
I twitter stuff @jaredhaight
4. What is Powershell?
Powershell is an object oriented scripting language
Kind of a mix between C# and bash
It is the default method to manage a lot of Windows services now
Two components included
Powershell.exe – The shell
Powershell_ise.exe – The IDE
5. How do I use it?
Variable assignment
$foo = ‘bar’
For loops
ForEach ($obj in $list) {write-host $obj}
Logic
If ($obj –eq “cha-ha.com”) {write-host “those guys are pretty cool”}
RTFM
Get-help command
Get-help command -examples
6. Why do I want to know this crap?
Powershell is what admins are using to manage their boxes now (the good ones
at least)
It actually is powerful
Full access to .NET objects
Can interpret C# code
7. Quick and Dirty Powershell Web Server
#Courtesy of ObsecureSec (http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-
webserver.html)
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8000/")
$Hso.Start()
While ($Hso.IsListening)
{
$HC = $Hso.GetContext()
$HRes = $HC.Response
$HRes.Headers.Add("Content-Type","text/plain")
$Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)))
$HRes.ContentLength64 = $Buf.Length
$HRes.OutputStream.Write($Buf,0,$Buf.Length)
$HRes.Close()
}
$Hso.Stop()
12. Veil PowerTools
https://github.com/Veil-Framework/PowerTools
Part of the Veil Framework
Components
PewPewPew – Run command against a list of servers without touching the HDD
PowerBreach – Offers a variety of ways to trigger backdoor code
PowerPick – Allows the execution of PS code without powershell.exe
PowerUp – Assists with local escalation
PowerView – Network awareness tool
13. Cool stuff in Powertools
PowerView
Invoke-SearchFiles – File search on local or remote hosts
Get-NetDomainControllers
Get-NetGroup – Gets members of a specified group
Get-NetLoggedon – Get users logged into a server
Invoke-StealthUserHunter – Finds Home Directory server and checks for active sessions from
specific users accounts
Invoke-FindLocalAdminAccess – Finds machines that the current account has admins rights on
Get-ExploitableSystems – Cross references systems against common metasploit payloads
14. Cool stuff in Powertools
PowerUp
Get-ServiceEXEPerms – finds services where the user has write access to the exe
Invoke-ServiceUserAdd – Generates an exe that adds a given user to a local group and replaces
a service exe with it.
PowerBreach
Inoke-DeadUserBackdoor – Triggers a payload if a given user account is deleted
Invoke-EventLogBackdoor – Triggers a payload if a specific user fails an RDP login
15. Cool stuff in Powertools
PewPewPew
My favorite name for anything ever.
Invoke-MassCommand – Runs a given command against a bunch of servers
Invoke-MassMimikatz – Runs mimikatz against all the things.
17. Cool things in Powersploit
Exfiltration
Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume and parsing NTFS structures
Inoke-Mimikatz – Loads Mimikatz into memory and runs it. Doesn’t touch disk when run against a
remove computer.
Get-Keystrokes – Keystroke logger
Get-GPPPassword – Browses Group Policy and finds passwords
Get-TimedScreenshot – Takes screenshots on an interval
Code Execution
Invoke-Shellcode – Inject shellcode into a specified process
18. Cool things in Powersploit
Mayhem
Set-MasterBootRecord – Writes a string to the MBR
Set-CriticalProcess - BSOD
20. Cool things about Nishang
Client
Out-Word – Creates a word file (or infect an existing one) with a macro that downloads and runs
a powershell script
Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java
Backdoors
DNS_Txt_Pwnage – A backdoor that receives commands through DNS TXT queries
Gupt-Backdoor – A backdoor that receives commands from WLAN SSIDs (without connecting)
21. .DESCRIPTION
Gupt looks for a specially crafted Wireless Network Name/SSID from list of all avaliable
networks. It matches first four characters of each SSID with the parameter MagicString.
On a match, if the 5th character is a 'c', rest of the SSID name is considered to be a
command and executed. If the 5th character is a 'u', rest of the SSID is considered the
id part of Google URL Shortener and a script is downloaded and executed in memory from
the URL. See examples for usage.
22.
23. Cool things about Nishang
Gather
Copy-VSS – Copy SAM, SECURITY and AD database using Volume Shadow Copy
Get-PassHashes – Dumps local hashes
Invoke-MimikatzWdigestDowngrade – Downgrades wdigest settings so that plain text passwords
can be retrieved from LSA memory (to bypass protections implemented in Windows 2012 and 8.1)
Shells
Invoke-PSGcat – Executes commands stored in a gmail account
Invoke-PowerShellTCP – Interactive bind or reverse shell
Utility
Do-Exfiltration – Send data to Pastebin, Gmail, Webserver or out as DNS TXT query
25. The Situation
Loki is a disgruntled web developer
Thor also works here, but he’s not part of this demo
Also Tony Stark is the IT guy.
26. Getting local admin
Loki is an unprivileged user on his computer (He’s just in the “Domain Users” group)
Because Loki is a webdev, he has a local development environment installed on his
machine.
This environment was installed with XAMPP, an easy to use package of PHP, MySQL and
Apache.
In the following video, Loki finds that the Apache exe is writable. He then overwrites the
Apache exe with an exe that creates a new local admin account.
Finally he restarts his computer to force the service to restart.
27. Dumping hashes, exfiltrating and
escalating
Now that Loki has a local admin account (“mshackman”) he can dump the hashes for
the local computer
He then exfiltrates this data to pastbin
Finally he disables the wdigest protections in Windows 8.1 in preparation for tricking IT into
logging into his computer.
28. Dumping Active Directory
Loki convinced Tony Stark to login into his computer and is now able to dump Starks
password using mimikatz
With Domain Admin credentials, Loki copies “Copy-VSS.ps1” to a Domain Control and
then proceeds to dump the Active Directory database for offline assessment.
This presentation is designed to cover why Powershell is important to us red teamers and to give an overview of what people are doing with Powershell in the pentesting community.
Windows admins are learning that powershell is the way to manage growing infrastructure. This means that it will be prevalent in the environments that we come across. We should learn how to use it for our needs.
An example of how powerful and flexible PS is. A webserver in 13 lines of code.
Mimikatz is a tool used to dump hashes and credentials out of memory on a Windows box. Invoke-MassMimikatz runs mimikatz in memory so as not to trip most AV.