PowerShell Shenanigans


Published on

Powershell is something that is becoming the must-have tool for system administrators in the Microsoft world. However it has long been overlooked by those in the field, including security staff. In this talk Kieran will introduce Powershell, discuss Microsoft’s aim and rationale for its existence, and show how Microsoft’s best intentions can be turned against them by demonstrating how this automation platform can become an attack automation platform.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Hi Everyone, I am Kieran Jacobsen, I work at HP Enterprise services as a system engineer, I have never worked directly in a security role but have been fortunate to cross into that space on a few occasions. My aim today is to show you how you can turn something that was designed to reduce administration costs into a really interesting and very devious attack platform.
  • Does everyone know what PowerShell is? Quick hands up who doesn’t know what it is? <If they all know>Well let’s skip this slide, as you all know.<If people don’t>Let’s quickly talk about that it is. PowerShell, simply put, is a cross between a shell scripting language, like BASH and a formal programming language like C#. PowerShell will be replacing VBScript, in the new future, VBScript will become unsupported, and at some point be removed from Windows. Microsoft has spent a significant amount of time in its development, resulting in a huge number of built in functions and features. PowerShell runs on top of the Microsoft .Net framework, so you have full access to .Net functions and libraries. So there it is, Powershell in a nutshell.
  • To show you how PowerShell can be turned to mischievous use, I am going to work through a challenge I was previously given by a friend. His challenge was simple, in a corporate like environment, move from a “social engineered” infection on a workstation, to the domain controller and when there, extract the active directory hashes. To make matters more interesting, I was to use PowerShell where possible, today, I am down to pretty much two piece of non PowerShell code, working with schedule tasks and working with the AD database. The network that I will be showing this all on, is a fairly typical environment. We have a client, running windows 8.1, a server running Windows Server 2012 R2 which is also a domain controller, and a firewall from a fairly reputable vendor. I have setup a few things like we would expect, there is a management service running on all of the devices, unfortunately the service account it is running on is a member of the domain admins. This is something that I still see far to often. SCCM agents running as domain admin, even though Microsoft tells you not to, happens far to often. The Firewall is running with the default configuration, and it only allows HTTP, HTTPS and DNS outbound. Everything else is pretty much the default configuration, the client, the domain, the lot are all default settings. The only change really in this challenge over the past few years is around UAC, where as in 7, it was typically switched off, more and more organisations are leaving it on. UAC state isn’t a huge issue though for us today, so we don’t need to worry about it.
  • So why use PowerShell as an attack platform? To begin with, PowerShell code is easy to develop and easy to understand, allowing us to rapidly develop attack code and customise our attacks for our intended targets. Next, PowerShell’s deep windows integration and remote execution options like PowerShell remoting provides us with a lot of easy to use, ready to use code, which we can run on a large number of machines in a very quick manner. PowerShell’s aim for administration and management automation makes it’s a very good security and attack automation platform. What about our security products? AV products typically do not look at our PowerShell scripts. Right now, PowerShell code, apart from one or two cases, hasn’t been used maliciously in a significant way in the wild. Our security vendors typically do not provide many checks or balances on PowerShell scripts and modules. Another thing to consider is the human element. Your system administrators are off writing PowerShell scripts, they expect to see them on servers and workstations, they might not notice one more running on a system.Importantly though, its there by default. In Windows Vista and onwards, PowerShell has been installed by default. This gives it a pretty good reach as an attack tool within a corporate environment.
  • So I made a little script, I suppose it could be called malware, which will run on a system and allow you to have remote control over the system. If I have time, I will show you, but I am not going to go into specifics today as the code will be put up onto GitHub for you to take a look. The script is cleverly called SystemInformation.ps1, in the hope users and administrators don’t work out what it is. The script will be setup to run as a scheduled task, running as local system, every 5 minutes. There is a number of different ways we could manage to set this up, in the demo it will be occurring through an Excel macro, however you could use almost anything, as long as the script is downloaded, and the task is created. When the script executes, it will do a few things. Firstly, it will collect system information and some poorly secured credentials, it also connects to the command and control infrastructure and downloads a list of tasks to execute. Tasks can be any valid PowerShell expression, a PowerShell expression, an executable, as long as it is a valid expression. Tasks, if successfully executed will only be run once, they can also be limited to executing on a single PC.
  • So there have been some interesting changes in terms of security with the introduction of Windows PowerShell Remoting, and WinRM. PowerShell remoting allows us to remotely execute PowerShell code on one or more remote systems, based upon the WinRM or Windows Remote Management Interface. WinRM is based upon the WS-Management protocol. Remoting gives administrators a number of execution options, firstly, a large number of powershell commands have been extended to allow for their execution against remote devices directly. Next administrators can also run a powershell script block remotely, in an experience much like rexec or using ssh to run a remote command. Finally, administrators could start a remote session, much like connecting into a full blown ssh session.Security for WinRM is governed by two things, firstly, only trusted devices are allowed to connect, in a domain joined environment this is all domain members. Secondly you need the appropriate rights, typically local administrator rights. Now for the kicker of it all. Windows Server 2012, and 2012R2 introduces a new unified Windows Server Manager, trumpeted by Microsoft as an advancement of server administration, it introduces a critical flaw. The entire thing runs on WinRM, and to make things easier, Microsoft made the wonderfully helpful decision to setup, configure WinRM for you, whenever you join a server to a domain. Everytime you join a server to the domain, WinRM will be configured to allow WinRM connections from any domain member, as long as the user has admin rights. This is a huge difference from previous versions, where the enablement of WinRM required administrator intervention. Now when you join your new Windows Server 2012 R2 machine to the domain, your opening it up to any lacky with admin rights. Whilst it sounds innocent, it provides a brilliant mechanism for large scale network infections.
  • In terms of security features, it follows the usual windows security pattern. As expected, Administrative rights and UAC govern what we can and cannot do. As expected if you needed admin rights before, you will still need them, and the same goes with UAC elevation.You can protect your scripts and modules with Code Signing. Signing scripts has been made easier over the last few years, however the usual vulnerabilities still apply.An interesting aspect is that PowerShell is that it will look at the NTFS zone.identifier alternate data stream to determine the source for a script or module. This is the same functionality that causes that prompt for confirmation when you run that setup executable you downloaded off the internet.If you combine the source identification and code signing, then you have PowerShell’s Execution Policy feature. The execution policy is a feature within PowerShell that allows an administrator to control what scripts execute and what modules can be loaded into a session. It is Microsoft’s attempt at preventing malicious code. Different policy states allow and disallow scripts to run and modules to be loaded. Policy can be specified at a session, user and computer level, via the registry or group policy. Let’s take at the different policy states.
  • There are 6 different states.First we have unrestricted, this is the least secure state and allows us to run any script, no matter where it came from. Then we have remote signed, with remote signed, if a script came from a source other than the local pc, it must be signed; any script from say the internet, which is signed, will be executed. Then we have all signed, here we will not run any script, no matter the source, unless it has been signed. Then there is restricted, in this state, no scripts can run.There are two special states, undefined, which is the policy if none has been set, this actually defaults to the restricted policy, and finally bypass, which is primarily used when calling PowerShell scripts from applications, in bypass the policy processer is, well, bypassed.So, you are probably thinking, well this looks like decent security…what if I told you, I can get a script to run, no matter the execution policy specified?
  • So how can I run a PowerShell script without changing the computer or user defined policy?Well firstly, if the administrators haven’t used group policy to specify a particular policy, we can simply ask powershell to use a different one when we run it.If an administrator has specified remote signed, then we can set the zone identifier to say it hasn’t come from the internet, in effect bypassing his control.If that doesn’t work, say they set all signed or restricted. Then simply read the file in, turn it into a single executable expression, that is, not multiple lines, and then run that.Finally, and probably easier for some, simply obtain or steal a certificate.I am going to say this. Whilst administrators are probably setting one of these levels for their workstations, they probably are not doing this on their servers. Pretty much ever server I come across, will have the policy of unrestricted. I would almost bet that there is one in everyone's windows server environment.
  • Before we finish up, just two more things that should be considered.Firstly, PowerShell Web Access. This is one of the most interesting things Microsoft has done in a while. PowerShell web access allows you to connect to a server using a web browser and open a PowerShell console, with a user experience much like shell-in-a-box. Web Access gives us some interesting options, especially during the testing of externally facing windows servers. Imagine being able to install the web access on a public facing web server?Next we have Desired State Configuration. DCS is a mechanism for pushing or pulling configuration and settings on a server. This can be once off our scheduled. DCM allows you to install and configure Windows roles and features, and much more. Whilst I haven’t been fortunate to spend much time looking at DCM, it does look like an interesting persistence option, and even another possible method of gaining more privileges on a corporate network.
  • PowerShell Shenanigans

    2. 2. WHAT IS POWERSHELL? • Developed by Microsoft in 2006 • Cross between a shell script and C# • Replacement for VBScript • Significant number of commands (called CMDLets) • Runs on .NET Framework
    3. 3. CHALLENGE • Move from social engineered workstation to domain controller • Where possible use only PowerShell code • Demo environment will be a “corporate like” environment
    4. 4. ADVANTAGES AS AN ATTACK PLATFORM • Code is very easy to develop • Windows integration • Remote execution offerings • Often overlooked by AV • Easily hidden from administrators • Installed by DEFAULT
    5. 5. MY POWERSHELL MALWARE • Single Script – SystemInformation.ps1 • Runs as a schedule task, every 5 minutes • Script: • Collects system information and more • Connects to C2 infrastructure, downloads a task list and executes tasks • Executes each task, if successful, task will not be rerun • Tasks can be restricted to individual computers
    6. 6. DEMO: THE ENTRY
    7. 7. WINDOWS POWERSHELL REMOTING AND WINRM • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Security Model = Trusted Devices + User Credentials • WinRM is required for the Windows Server Manager • WinRM is enabled by DEFAULT on domain 2012(R2) joined servers
    8. 8. DEMO: THE DC
    9. 9. POWERSHELL SECURITY FEATURES • Administrative rights • UAC • Code Signing • Local or Remote source using zone.identifier alternate data stream • PowerShell Execution Policy
    10. 10. EXECUTION POLICY There are 6 states for the execution policy • Unrestricted All scripts can run • Remote Signed No unsigned scripts from the Internet can run • All Signed No unsigned scripts can run • Restricted No scripts are allowed to run • Undefined (Default) If no policy defined, then default to restricted • Bypass Policy processor is bypassed
    11. 11. BYPASSING EXECUTION POLICY • Simply ask PowerShell: powershell.exe –executionpolicy unrestricted • Switch the files zone.idenfier back to local: unblock-file yourscript.ps1 • Read the script in and then execute it (may fail depending on script) • Get/Steal a certificate, sign script, run script
    12. 12. DEMO: THE HASHES
    13. 13. OTHER CONSIDERATIONS • PowerShell Web Access • Desired State Configuration
    14. 14. LINKS AND QUESTIONS • Twitter: @kjacobsen • Blog: http://aperturescience.su • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerSploit: http://j.mp/1gJORtF • Microsoft PowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy • Practical Persistence in PowerShell: http://j.mp/1mU6fQq