Pwning with powershell

Post on 18-Aug-2015

208 views 5 download

Transcript of Pwning with powershell

Pwning with Powershell

Using Powershell for recon, shells and escalation

Hi, I’m Jared.

Sysadmin for 10 years

Likes to take pictures

Likes to break things

I write stuff occasionally here:

I twitter stuff @jaredhaight

What is Powershell?

And how do I use it?

What is Powershell?

Powershell is an object oriented scripting language Kind of a mix between C# and bash

It is the default method to manage a lot of Windows services now

Two components included Powershell.exe – The shell

Powershell_ise.exe – The IDE

How do I use it?

Variable assignment $foo = ‘bar’

For loops ForEach ($obj in $list) {write-host $obj}

Logic If ($obj –eq “”) {write-host “those guys are pretty cool”}

RTFM Get-help command

Get-help command -examples

Why do I want to know this crap?

Powershell is what admins are using to manage their boxes now (the good ones at least)

It actually is powerful Full access to .NET objects

Can interpret C# code

Quick and Dirty Powershell Web Server

#Courtesy of ObsecureSec ($Hso = New-Object Net.HttpListener $Hso.Prefixes.Add("http://+:8000/") $Hso.Start() While ($Hso.IsListening) { $HC = $Hso.GetContext() $HRes = $HC.Response $HRes.Headers.Add("Content-Type","text/plain") $Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl))) $HRes.ContentLength64 = $Buf.Length $HRes.OutputStream.Write($Buf,0,$Buf.Length) $HRes.Close() } $Hso.Stop()

“PowerShell: Microsoft's post-exploitation language”

-Sun Tzu

“PowerShell: Microsoft's post-exploitation language”


What is being done with Powershell in Infosec?

Everything Recon





Incident Response


Reverse Engineering

Big focus on “in memory” attacks. Payloads don’t touch the disk.

Pentesting Frameworks

The fun stuff

Veil PowerTools

Part of the Veil Framework

Components PewPewPew – Run command against a list of servers without touching the HDD

PowerBreach – Offers a variety of ways to trigger backdoor code

PowerPick – Allows the execution of PS code without powershell.exe

PowerUp – Assists with local escalation

PowerView – Network awareness tool

Cool stuff in Powertools

PowerView Invoke-SearchFiles – File search on local or remote hosts


Get-NetGroup – Gets members of a specified group

Get-NetLoggedon – Get users logged into a server

Invoke-StealthUserHunter – Finds Home Directory server and checks for active sessions from specific users accounts

Invoke-FindLocalAdminAccess – Finds machines that the current account has admins rights on

Get-ExploitableSystems – Cross references systems against common metasploit payloads

Cool stuff in Powertools

PowerUp Get-ServiceEXEPerms – finds services where the user has write access to the exe

Invoke-ServiceUserAdd – Generates an exe that adds a given user to a local group and replaces a service exe with it.

PowerBreach Inoke-DeadUserBackdoor – Triggers a payload if a given user account is deleted

Invoke-EventLogBackdoor – Triggers a payload if a specific user fails an RDP login

Cool stuff in Powertools

PewPewPew My favorite name for anything ever.

Invoke-MassCommand – Runs a given command against a bunch of servers

Invoke-MassMimikatz – Runs mimikatz against all the things.


Modules AV Bypass

Code Execution





Script Modification – Modifies scripts to act as payloads (encoding, encryption)

Cool things in Powersploit

Exfiltration Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume and parsing NTFS


Inoke-Mimikatz – Loads Mimikatz into memory and runs it. Doesn’t touch disk when run against a remove computer.

Get-Keystrokes – Keystroke logger

Get-GPPPassword – Browses Group Policy and finds passwords

Get-TimedScreenshot – Takes screenshots on an interval

Code Execution Invoke-Shellcode – Inject shellcode into a specified process

Cool things in Powersploit

Mayhem Set-MasterBootRecord – Writes a string to the MBR

Set-CriticalProcess - BSOD


Modules Too many to list








Cool things about Nishang

Client Out-Word – Creates a word file (or infect an existing one) with a macro that downloads and

runs a powershell script

Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java

Backdoors DNS_Txt_Pwnage – A backdoor that receives commands through DNS TXT queries

Gupt-Backdoor – A backdoor that receives commands from WLAN SSIDs (without connecting)

.DESCRIPTIONGupt looks for a specially crafted Wireless Network Name/SSID from list of all avaliable networks. It matches first four characters of each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', rest of the SSID name is considered to be a command and executed. If the 5th character is a 'u', rest of the SSID is considered the id part of Google URL Shortener and a script is downloaded and executed in memory from the URL. See examples for usage.

Cool things about Nishang

Gather Copy-VSS – Copy SAM, SECURITY and AD database using Volume Shadow Copy

Get-PassHashes – Dumps local hashes

Invoke-MimikatzWdigestDowngrade – Downgrades wdigest settings so that plain text passwords can be retrieved from LSA memory (to bypass protections implemented in Windows 2012 and 8.1)

Shells Invoke-PSGcat – Executes commands stored in a gmail account

Invoke-PowerShellTCP – Interactive bind or reverse shell

Utility Do-Exfiltration – Send data to Pastebin, Gmail, Webserver or out as DNS TXT query

Now a demo

Taped before a live home audience.

The Situation

Loki is a disgruntled web developer

Thor also works here, but he’s not part of this demo

Also Tony Stark is the IT guy.

Getting local admin

Loki is an unprivileged user on his computer (He’s just in the “Domain Users” group)

Because Loki is a webdev, he has a local development environment installed on his machine.

This environment was installed with XAMPP, an easy to use package of PHP, MySQL and Apache.

In the following video, Loki finds that the Apache exe is writable. He then overwrites the Apache exe with an exe that creates a new local admin account.

Finally he restarts his computer to force the service to restart.

Dumping hashes, exfiltrating and escalating

Now that Loki has a local admin account (“mshackman”) he can dump the hashes for the local computer

He then exfiltrates this data to pastbin

Finally he disables the wdigest protections in Windows 8.1 in preparation for tricking IT into logging into his computer.

Dumping Active Directory

Loki convinced Tony Stark to login into his computer and is now able to dump Starks password using mimikatz

With Domain Admin credentials, Loki copies “Copy-VSS.ps1” to a Domain Control and then proceeds to dump the Active Directory database for offline assessment.

Who to watch

@harmj0y – Veil PowerTools

@sixdub – Veil Powertools

@mattifestation (Matt Graeber)– PowerSploit

@obscuresec – Misc. Awesomeness

@clymb3r – Misc. Awesomeness

@nikhil_mitt – Nishang

@jaredcatkinson – Invoke-IR


