Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Pwning the Enterprise With PowerShell Beau Bullock -
Overview • A dramatic increase in PowerShell-based pentesting tools • Why use PowerShell? • Signed Microsoft binary native...
whoami • Pentester at Black Hills Information Security • Have a number of SANS and OffSec certs… • CitySec Meetup Organize...
Remote Attacks Attacks Against an External Network
PowerMeta • Discover publicly available files • Extract Metadata from them • Can provide information about: • The internal...
MailSniper • Enumerate users/domain • Password spray OWA/EWS • Get Global Address List • Search email for certain terms • ...
OWA Attack Flow
Gaining A Foothold Establishing Internal Network Access
Gaining A Foothold • Phishing w/ PowerShell Payloads • PowerShell Empire – PowerShell agent with many capabilities • Stage...
Command and Control Finding Holes in Egress Filtering
Command and Control • Each of these can transfer files, establish shells, etc. • Powercat - PowerShell version of Netcat •...
Situational Awareness Perform Additional Reconnaissance As Silently As Possible
HostRecon • Performs information gathering about the local system, users and domain • Checks for common security products ...
Privilege Escalation Sometimes Admin Access Is Closer Than You Thought
PowerUp • Performs a number of local privilege escalation checks • Checks for: • Unquoted service paths • Unattended Insta...
PowerUpSQL • SQL server discovery • Audit weak configurations • Perform privilege escalation to obtain SA privileges • Fin...
Domain Exploitation Active Directory Fun Time
Invoke-Kerberoast • Request TGS tickets (as any domain user) for accounts with SPNs set • Extract the crackable hash • Cra...
Get-GPPPassword • Finds any passwords of accounts set by GPP • Usually the first thing I check • Almost always find an adm...
BloodHound • Enumerates/Gathers: • Local admins group on all systems • Active user sessions on each system • Group members...
PowerView Find-LocalAdminAccess • Find a system on the network your user is a local admin of • Author(s): Will Schroeder (...
DomainPasswordSpray • Tool for password spraying all domain users • Common Scenario: • Domain locks out accounts after a c...
Network Exploitation Abusing Network Protocols and Finding Vulnerable Systems
Inveigh • Exploit LLMNR & NBNS • By default when DNS fails Windows systems will query local network • Obtain NTLMv1/NTLMv2...
PowerView Get-ExploitableSystem • Queries Active Directory for hostnames, OS versions, and service pack levels • Cross-ref...
PowerWebShot • If escalation options are failing, might need to resort to network attacks; Web servers tend to be good tar...
Post-Exploitation Pillaging, Plundering, and Discovering Sensitive Data
Invoke-Mimikatz • Dump cleartext credentials • Avoids writing to disk • Could sneakily dump creds from LSASS dumps from ot...
PowerView Invoke-ShareFinder / Invoke-FileFinder • Sensitive files on shares? • ShareFinder then FileFinder • FileFinder w...
MailSniper • Pillage sensitive data from every user’s mailbox • Gather credentials, insider intel, network architecture in...
Obfuscating PowerShell Making the Blue Team’s Life Hard
Invoke-Obfuscation • Command line args are what most monitoring tools alert on when powershell.exe is run • ‘LeT’+’s’+’ob’...
PowerShell Without PowerShell Oh, You Disabled PowerShell? We’ll See About That.
Using C# • C# and PowerShell both are basically frontends for the .NET framework • Can use csc.exe to compile C# code cont...
PowerOps • C# application that has many PowerShell scripts built in • PowerSploit • Nishang • GPPPassword • Empire • Power...
PowerLine / PowerStripper • PowerStripper – preps ps1’s for PowerLine, encodes, strips comments • PowerLine – purely run w...
Possible Mitigations Ok, so how do I stop this madness?
Possible Mitigations • Disable cmd.exe, PowerShell.exe, & PowerShell_ISE.exe for users where possible • Logging, monitorin...
Conclusion • PowerShell is… well… Powerful • Expect more tools to be created • Expect defenders to implement more protecti...
Questions? • Black Hills Information Security • http://www.blackhillsinfosec.com/ • @BHInfoSecurity • Beau Bullock • beau@...
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Upcoming SlideShare
Loading in …5
×

Pwning the Enterprise With PowerShell

5,684 views

Published on

The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.

I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.

Published in: Internet
no profile picture user

  • Login to see the comments

Show More

Pwning the Enterprise With PowerShell

  1. 1. Pwning the Enterprise With PowerShell Beau Bullock -
  2. 2. Overview • A dramatic increase in PowerShell-based pentesting tools • Why use PowerShell? • Signed Microsoft binary native to Windows systems • Can execute code in memory avoiding AV detection • Allows us to “Live off the land” • Going to detail: • A complete attack cycle using PowerShell • Remote Attacks, C2, Privilege Escalation, Domain/Network/Post Exploitation • Techniques for running PowerShell in locked down environments • Some possible mitigations
  3. 3. whoami • Pentester at Black Hills Information Security • Have a number of SANS and OffSec certs… • CitySec Meetup Organizer • CigarCitySec – (Tampa, FL) • CitrusSec – (Orlando, FL) • Guitarist • Avid OWA enthusiast
  4. 4. Remote Attacks Attacks Against an External Network
  5. 5. PowerMeta • Discover publicly available files • Extract Metadata from them • Can provide information about: • The internal username schema • System names • Domain info • Author(s) • Beau Bullock (@dafthack) • https://github.com/dafthack/PowerMeta
  6. 6. MailSniper • Enumerate users/domain • Password spray OWA/EWS • Get Global Address List • Search email for certain terms • Find VPN info • Reset 2FA keys or add new device • Author(s) • Beau Bullock (@dafthack) • https://github.com/dafthack/MailSniper
  7. 7. OWA Attack Flow
  8. 8. Gaining A Foothold Establishing Internal Network Access
  9. 9. Gaining A Foothold • Phishing w/ PowerShell Payloads • PowerShell Empire – PowerShell agent with many capabilities • Stagers/payloads, Lateral movement, persistence, etc. • Author(s): Will Schroeder (@harmj0y), Justin Warner (@sixdub), & Matt Nelson (@enigma0x3) • Unicorn – Generate PowerShell- based payloads that inject shellcode into memory • Author(s): Dave Kennedy (@HackingDave)
  10. 10. Command and Control Finding Holes in Egress Filtering
  11. 11. Command and Control • Each of these can transfer files, establish shells, etc. • Powercat - PowerShell version of Netcat • Author(s): Mick Douglas (@besimorhino), Luke Baggett & Jesse Davis (@secabstraction) • https://github.com/secabstraction/PowerCat • Invoke-PowerShellIcmp – C2 channel over ICMP echoes and replies • Author(s): Nikhil Mittal (@samratashok) • https://github.com/samratashok/nishang/blob/master/Shells/Invoke- PowerShellIcmp.ps1 • Dnscat2-PowerShell – C2 channel over DNS requests • Author(s): Luke Baggett & dnscat2 server by Ron Bowes (@iagox86) • https://github.com/lukebaggett/dnscat2-powershell
  12. 12. Situational Awareness Perform Additional Reconnaissance As Silently As Possible
  13. 13. HostRecon • Performs information gathering about the local system, users and domain • Checks for common security products • Can check egress port filtering • Doesn’t use any system commands like ‘net’, ‘ipconfig’, ‘netstat’, ‘whoami’, etc. • Author(s): • Beau Bullock(@dafthack) • https://github.com/dafthack/HostRecon
  14. 14. Privilege Escalation Sometimes Admin Access Is Closer Than You Thought
  15. 15. PowerUp • Performs a number of local privilege escalation checks • Checks for: • Unquoted service paths • Unattended Install Files • Service Permissions • …and more. • Author(s): • Will Schroeder (@harmj0y) • https://github.com/PowerShellMafia/PowerSploit/tr ee/master/Privesc
  16. 16. PowerUpSQL • SQL server discovery • Audit weak configurations • Perform privilege escalation to obtain SA privileges • Find sensitive data at scale • Author(s): • Scott Sutherland (@_nullbind) • https://github.com/NetSPI/PowerUpSQL
  17. 17. Domain Exploitation Active Directory Fun Time
  18. 18. Invoke-Kerberoast • Request TGS tickets (as any domain user) for accounts with SPNs set • Extract the crackable hash • Crack hashes offline • Author(s): • Will Schroeder (@harmj0y), Matan Hart (@machosec), credit for original research to Tim Medin (@timmedin) • https://gist.github.com/HarmJ0y/cc1004307157e37 2fc5bd3f89e553059
  19. 19. Get-GPPPassword • Finds any passwords of accounts set by GPP • Usually the first thing I check • Almost always find an admin password here • Author(s): • Chris Campbell (@obscuresec) • https://github.com/PowerShellMafia/PowerSploit/b lob/master/Exfiltration/Get-GPPPassword.ps1
  20. 20. BloodHound • Enumerates/Gathers: • Local admins group on all systems • Active user sessions on each system • Group membership information • Domain trusts info • Find a path to domain admin • Authors(s): • Andrew Robbins (@_wald0), Will Schroeder (@harmj0y), and Rohan Vazarkar (@CptJesus) • https://github.com/BloodHoundAD/BloodHound
  21. 21. PowerView Find-LocalAdminAccess • Find a system on the network your user is a local admin of • Author(s): Will Schroeder (@harmj0y) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  22. 22. DomainPasswordSpray • Tool for password spraying all domain users • Common Scenario: • Domain locks out accounts after a certain number of failed logins • Can’t brute force • Solution: • Try a number of passwords less than the domain lockout policy against EVERY account in the domain • Author(s): • Beau Bullock (@dafthack) • https://github.com/dafthack/DomainPasswordSpray
  23. 23. Network Exploitation Abusing Network Protocols and Finding Vulnerable Systems
  24. 24. Inveigh • Exploit LLMNR & NBNS • By default when DNS fails Windows systems will query local network • Obtain NTLMv1/NTLMv2 hashes • Crack hashes offline • Author(s): • Kevin Robertson (@kevin_robertson) • https://github.com/Kevin-Robertson/Inveigh
  25. 25. PowerView Get-ExploitableSystem • Queries Active Directory for hostnames, OS versions, and service pack levels • Cross-references those with common Metasploit modules • Author(s): • Scott Sutherland (@_nullbind), Will Schroeder (@harmj0y) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  26. 26. PowerWebShot • If escalation options are failing, might need to resort to network attacks; Web servers tend to be good targets • Default Creds • Not patched internally • etc… • Analyze a large number of web servers quickly • Inspiration and thanks goes to Chris Truncer for EyeWitness • Author(s): • Beau Bullock (@dafthack)
  27. 27. Post-Exploitation Pillaging, Plundering, and Discovering Sensitive Data
  28. 28. Invoke-Mimikatz • Dump cleartext credentials • Avoids writing to disk • Could sneakily dump creds from LSASS dumps from other systems • Author(s): • Joe Bialek (@JosephBialek), & Benjamin Delpy (@gentilkiwi) • https://raw.githubusercontent.com/PowerShel lMafia/PowerSploit/master/Exfiltration/Invoke -Mimikatz.ps1
  29. 29. PowerView Invoke-ShareFinder / Invoke-FileFinder • Sensitive files on shares? • ShareFinder then FileFinder • FileFinder will find files with the following strings in their title: • ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’ • Author(s): • Will Schroeder (@harmj0y)
  30. 30. MailSniper • Pillage sensitive data from every user’s mailbox • Gather credentials, insider intel, network architecture info, etc. • Search all mailboxes as admin or current user’s as non-admin • Author(s): • Beau Bullock (@dafthack) • https://github.com/dafthack/MailSniper
  31. 31. Obfuscating PowerShell Making the Blue Team’s Life Hard
  32. 32. Invoke-Obfuscation • Command line args are what most monitoring tools alert on when powershell.exe is run • ‘LeT’+’s’+’ob’+’FusCa’+’te’ • Encode, concatenate, reorder, etc. • Author(s): • Daniel Bohannon (@danielbohannon) • https://github.com/danielbohannon/Invoke- Obfuscation
  33. 33. PowerShell Without PowerShell Oh, You Disabled PowerShell? We’ll See About That.
  34. 34. Using C# • C# and PowerShell both are basically frontends for the .NET framework • Can use csc.exe to compile C# code containing ps1 script • Results in standalone EXE • Props to Brian Fehrman (@fullmetalcache) • http://www.blackhillsinfosec.com/?p=5257
  35. 35. PowerOps • C# application that has many PowerShell scripts built in • PowerSploit • Nishang • GPPPassword • Empire • PowerCat • …and more • Author(s): • Rui Reis (@fdiskyou) • https://github.com/fdiskyou/PowerOPS
  36. 36. PowerLine / PowerStripper • PowerStripper – preps ps1’s for PowerLine, encodes, strips comments • PowerLine – purely run with cmd-line args • Works with Meterpreter and Empire shells • Author(s): • Brian Fehrman (@fullmetalcache) • https://github.com/fullmetalcache/PowerLine • https://github.com/fullmetalcache/PowerStripp er
  37. 37. Possible Mitigations Ok, so how do I stop this madness?
  38. 38. Possible Mitigations • Disable cmd.exe, PowerShell.exe, & PowerShell_ISE.exe for users where possible • Logging, monitoring, alerting • Utilize enhanced logging in PowerShell v5.0 • Remove PSv2 to prevent logging bypass • Use Sysmon to monitor and alert for system.management.automation DLL • Ensure network and host-based IDS engines are tuned correctly • Could possibly disable csc.exe compilation tool (be careful) • Use AppWhitelisting (but know that there are still bypasses)
  39. 39. Conclusion • PowerShell is… well… Powerful • Expect more tools to be created • Expect defenders to implement more protections • Expect attackers to find bypasses for those protections Slide from Jeffrey “Father of PowerShell” Snover’s keynote at Derbycon 6.0
  40. 40. Questions? • Black Hills Information Security • http://www.blackhillsinfosec.com/ • @BHInfoSecurity • Beau Bullock • beau@blackhillsinfosec.com • @dafthack

×