SlideShare a Scribd company logo

DEF CON 23 - Rich Kelley - harness powershell weaponization made easy

•
•
Felipe Prado
Felipe Prado

DEF CON 23 - Rich Kelley - harness powershell weaponization made easy

Technology
1 of 18
Download to read offline
Harness: Powershell Weaponization Made Easy (or at least easier) Rich Kelley @RGKelley5
What’s this all about anyway? • Audience: Penetration testers Red Teams Powershell activists Python enthusists • Bottom line Powershell weaponization can be somewhat cumbersome Hopefully I’ve made that a little easier with the Harness tool set
Who is this guy? • Computer science background • Prior US Air Force Communications Officer • Network engineer, software developer, penetration tester • Currently focused on application pen testing • Mostly I enjoy writing obscure utilities pyhashcat Keyboard walk generators
Why should I care? • “…Microsoft’s Post-Exploitation Language” - @obsuresec • Defenders should be more aware of the damage attackers can do with Powershell alone • We need more research into incident response related to malicious Powershell use DEF CON 22 - Ryan Kazanciyan and Matt Hastings, Investigating PowerShell Attacks
Powershell weaponization problem? “How do you get your [Powershell] scripts running on your target machines, and effectively get your results back?” - @harmj0y
Hasn’t this problem been solved? • Yep, but I’m a developer. Why use someone else’s solution when I can write my own (I’m kidding…sort of) • Previous solutions were not as seamless as I wanted Step 1: Gain access Step 2: ????? Step 3: Use powershell Step 4: Pwn all things! • A couple of very cool new solutions have recently been released
RDP – Copy/Paste or Import-Module
Remote shell – call powershell.exe
Metasploit – exec_powershell
Metasploit – Interactive PS Payloads
Cobalt Strike – Beacon
My Development Requirements 1. Fully interactive remote Powershell console with the same capabilities as the native Powershell.exe 2. Ability to seamlessly import modules across the wire
Demo Time!
Under the hood • Payload Requirements .NET 3.0+ Powershell 2.0 System.Management.Automation Assembly • Tested on: Windows 7 Window 8 Windows 8.1 Windows Server 2008 R2 Windows Server 2012
Under the hood • Listener/Framework Requirements Python 3.4 Asyncio Linux Tested on Kali • Why Python? Why not Ruby? Why not Metasploit? Mostly for the learning experience I prefer Python to Ruby (calm down) Should be simple enough to port to Metasploit module
Under the hood Payload Socket ps.BeginInvoke while script not valid: accumulate end PS C:> script/cmd Send results ls PS C:> ls Directory C: Mode: LastWriteTime ----- --------------------- d---- 2/2/1015 Handler PS C:> ls
Under the hood Payload Handler Socket ps.BeginInvoke Inbound script True PS C:> <rs> PS C:> ^import-module script.ps1 Send results Socket byte stream PS C:> ^import-module script.ps1 Directory C: Mode: LastWriteTime ----- --------------------- d---- 2/2/1015 while !rcvd close signal: accumulate end </rs>
Questions?

Recommended

Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
RGKelley5
 
Ansible, Idempotency, and Jenkins
Ansible, Idempotency, and JenkinsAnsible, Idempotency, and Jenkins
Ansible, Idempotency, and Jenkins
tylerturk
 
Fuzzing with Go-Fuzz
Fuzzing with Go-FuzzFuzzing with Go-Fuzz
Fuzzing with Go-Fuzz
jnewmano
 
Modernizing PowerShell Scripts
Modernizing PowerShell ScriptsModernizing PowerShell Scripts
Modernizing PowerShell Scripts
Axxes IT Consultancy
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
Manich Koomsusi
 
Perl-Critic
Perl-CriticPerl-Critic
Perl-Critic
Jonas Brømsø
 
Easy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet BoltEasy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet Bolt
Puppet
 

Recommended

Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
RGKelley5
 
Ansible, Idempotency, and Jenkins
Ansible, Idempotency, and JenkinsAnsible, Idempotency, and Jenkins
Ansible, Idempotency, and Jenkins
tylerturk
 
Fuzzing with Go-Fuzz
Fuzzing with Go-FuzzFuzzing with Go-Fuzz
Fuzzing with Go-Fuzz
jnewmano
 
Modernizing PowerShell Scripts
Modernizing PowerShell ScriptsModernizing PowerShell Scripts
Modernizing PowerShell Scripts
Axxes IT Consultancy
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
Manich Koomsusi
 
Perl-Critic
Perl-CriticPerl-Critic
Perl-Critic
Jonas Brømsø
 
Easy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet BoltEasy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet Bolt
Puppet
 
Crafting interactive troubleshooting guides and team documentation for your K...
Crafting interactive troubleshooting guides and team documentation for your K...Crafting interactive troubleshooting guides and team documentation for your K...
Crafting interactive troubleshooting guides and team documentation for your K...
Manning Publications
 
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Sauce Labs
 
Robot Framework with actual robot
Robot Framework with actual robot Robot Framework with actual robot
Robot Framework with actual robot
Eficode
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
Sam Bowne
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and Sonar
Pascal Larocque
 
Game Programming 00 - Exams
Game Programming 00 - ExamsGame Programming 00 - Exams
Game Programming 00 - Exams
Nick Pruehs
 
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Dakiry
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
Take your CFML Legacy Apps to Modernization
Take your CFML Legacy Apps to ModernizationTake your CFML Legacy Apps to Modernization
Take your CFML Legacy Apps to Modernization
Ortus Solutions, Corp
 
Stackato v6
Stackato v6Stackato v6
Stackato v6
Jonas Brømsø
 
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
CNIT 127 Ch 16: Fault Injection and 17: The Art of FuzzingCNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
Sam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne
 
CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbg
Sam Bowne
 
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
Xebia Nederland BV
 
Trunk Based Development in the Enterprise - Its Relevance and Economics
Trunk Based Development in the Enterprise - Its Relevance and EconomicsTrunk Based Development in the Enterprise - Its Relevance and Economics
Trunk Based Development in the Enterprise - Its Relevance and Economics
Perforce
 
Porque Odeio Branches
Porque Odeio BranchesPorque Odeio Branches
Porque Odeio Branches
Rafael Petry
 
Robot framework - Lord of the Rings
Robot framework - Lord of the RingsRobot framework - Lord of the Rings
Robot framework - Lord of the Rings
Asheesh Mehdiratta
 
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) - Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet
 
X page developer
X page developerX page developer
X page developer
Jakob Majkilde
 
Game Programming 08 - Tool Development
Game Programming 08 - Tool DevelopmentGame Programming 08 - Tool Development
Game Programming 08 - Tool Development
Nick Pruehs
 
Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
jaredhaight
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 

More Related Content

What's hot

Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Sauce Labs
 
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Dakiry
 
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) - Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet
 

What's hot (20)

Crafting interactive troubleshooting guides and team documentation for your K...
Crafting interactive troubleshooting guides and team documentation for your K...Crafting interactive troubleshooting guides and team documentation for your K...
Crafting interactive troubleshooting guides and team documentation for your K...
 
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
Closer To the Metal - Why and How We Use XCTest and Espresso by Mario Negro P...
 
Robot Framework with actual robot
Robot Framework with actual robot Robot Framework with actual robot
Robot Framework with actual robot
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and Sonar
 
Game Programming 00 - Exams
Game Programming 00 - ExamsGame Programming 00 - Exams
Game Programming 00 - Exams
 
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
Олександр Хотемський:”Serverless архітектура та її застосування в автоматизац...
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Take your CFML Legacy Apps to Modernization
Take your CFML Legacy Apps to ModernizationTake your CFML Legacy Apps to Modernization
Take your CFML Legacy Apps to Modernization
 
Stackato v6
Stackato v6Stackato v6
Stackato v6
 
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
CNIT 127 Ch 16: Fault Injection and 17: The Art of FuzzingCNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
 
CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbg
 
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
 
Trunk Based Development in the Enterprise - Its Relevance and Economics
Trunk Based Development in the Enterprise - Its Relevance and EconomicsTrunk Based Development in the Enterprise - Its Relevance and Economics
Trunk Based Development in the Enterprise - Its Relevance and Economics
 
Porque Odeio Branches
Porque Odeio BranchesPorque Odeio Branches
Porque Odeio Branches
 
Robot framework - Lord of the Rings
Robot framework - Lord of the RingsRobot framework - Lord of the Rings
Robot framework - Lord of the Rings
 
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) - Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -
 
X page developer
X page developerX page developer
X page developer
 
Game Programming 08 - Tool Development
Game Programming 08 - Tool DevelopmentGame Programming 08 - Tool Development
Game Programming 08 - Tool Development
 

Similar to DEF CON 23 - Rich Kelley - harness powershell weaponization made easy

Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
Php com con-2011
Php com con-2011Php com con-2011
Php com con-2011
LB Denker
 

Similar to DEF CON 23 - Rich Kelley - harness powershell weaponization made easy (20)

Introducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkitIntroducing PS>Attack: An offensive PowerShell toolkit
Introducing PS>Attack: An offensive PowerShell toolkit
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Professional Help for PowerShell Modules
Professional Help for PowerShell ModulesProfessional Help for PowerShell Modules
Professional Help for PowerShell Modules
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Frontend testing of (legacy) websites
Frontend testing of (legacy) websitesFrontend testing of (legacy) websites
Frontend testing of (legacy) websites
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Php com con-2011
Php com con-2011Php com con-2011
Php com con-2011
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
30 days or less: New Features to Production
30 days or less: New Features to Production30 days or less: New Features to Production
30 days or less: New Features to Production
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
PHP 4? OMG! A small vademecum for obsolete software migration.
PHP 4? OMG! A small vademecum for obsolete software migration.PHP 4? OMG! A small vademecum for obsolete software migration.
PHP 4? OMG! A small vademecum for obsolete software migration.
 
DevOps - Boldly Go for Distro
DevOps - Boldly Go for DistroDevOps - Boldly Go for Distro
DevOps - Boldly Go for Distro
 
Continuous feature-development
Continuous feature-developmentContinuous feature-development
Continuous feature-development
 
Chaos Engineering Talk at DevOps Days Austin
Chaos Engineering Talk at DevOps Days AustinChaos Engineering Talk at DevOps Days Austin
Chaos Engineering Talk at DevOps Days Austin
 

More from Felipe Prado

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Recently uploaded (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

DEF CON 23 - Rich Kelley - harness powershell weaponization made easy

  • 1. Harness: Powershell Weaponization Made Easy (or at least easier) Rich Kelley @RGKelley5
  • 2. What’s this all about anyway? • Audience: Penetration testers Red Teams Powershell activists Python enthusists • Bottom line Powershell weaponization can be somewhat cumbersome Hopefully I’ve made that a little easier with the Harness tool set
  • 3. Who is this guy? • Computer science background • Prior US Air Force Communications Officer • Network engineer, software developer, penetration tester • Currently focused on application pen testing • Mostly I enjoy writing obscure utilities pyhashcat Keyboard walk generators
  • 4. Why should I care? • “…Microsoft’s Post-Exploitation Language” - @obsuresec • Defenders should be more aware of the damage attackers can do with Powershell alone • We need more research into incident response related to malicious Powershell use DEF CON 22 - Ryan Kazanciyan and Matt Hastings, Investigating PowerShell Attacks
  • 5. Powershell weaponization problem? “How do you get your [Powershell] scripts running on your target machines, and effectively get your results back?” - @harmj0y
  • 6. Hasn’t this problem been solved? • Yep, but I’m a developer. Why use someone else’s solution when I can write my own (I’m kidding…sort of) • Previous solutions were not as seamless as I wanted Step 1: Gain access Step 2: ????? Step 3: Use powershell Step 4: Pwn all things! • A couple of very cool new solutions have recently been released
  • 7. RDP – Copy/Paste or Import-Module
  • 8. Remote shell – call powershell.exe
  • 12. My Development Requirements 1. Fully interactive remote Powershell console with the same capabilities as the native Powershell.exe 2. Ability to seamlessly import modules across the wire
  • 14. Under the hood • Payload Requirements .NET 3.0+ Powershell 2.0 System.Management.Automation Assembly • Tested on: Windows 7 Window 8 Windows 8.1 Windows Server 2008 R2 Windows Server 2012
  • 15. Under the hood • Listener/Framework Requirements Python 3.4 Asyncio Linux Tested on Kali • Why Python? Why not Ruby? Why not Metasploit? Mostly for the learning experience I prefer Python to Ruby (calm down) Should be simple enough to port to Metasploit module
  • 16. Under the hood Payload Socket ps.BeginInvoke while script not valid: accumulate end PS C:> script/cmd Send results ls PS C:> ls Directory C: Mode: LastWriteTime ----- --------------------- d---- 2/2/1015 Handler PS C:> ls
  • 17. Under the hood Payload Handler Socket ps.BeginInvoke Inbound script True PS C:> <rs> PS C:> ^import-module script.ps1 Send results Socket byte stream PS C:> ^import-module script.ps1 Directory C: Mode: LastWriteTime ----- --------------------- d---- 2/2/1015 while !rcvd close signal: accumulate end </rs>