SlideShare a Scribd company logo
1 of 20
Download to read offline
PowerPreter:
Post Exploitation like a boss
Nikhil “SamratAshok” Mittal
Get-Host
• Hacker who goes by the handle SamratAshok
• Twitter - @nikhil_mitt
• Blog –
http://labofapenetrationtester.blogspot.com
• Creator of Kautilya and Nishang
• Interested in Offensive Information Security, new
attack vectors and methodologies to pwn
systems.
• Freelance penetration tester *hint*
• Spoken at BlackHat, Troopers, PHDays and more
2Powerpreter by Nikhil Mittal
Get-Content
• Need for Post Exploitation
• PowerShell
• Why PowerShell?
• Introducing – Powerpreter
– Architecture
– Usage
– Payloads
– Capabilities
– Deployment
• Antak – The WebShell
• Limitations
• Conclusion
3Powerpreter by Nikhil Mittal
Need for Post Exploitation
• The most important part of a penetration test.
• Guy who will pay you $$$ do not understand
technology (neither he wants to). A “shell” is
not what he wants from you.
• IMHO, this differentiates a good pen tester
and one-click-i-pwn-you-omg pen tester.
• Etc Etc
4Powerpreter by Nikhil Mittal
PowerShell
• A shell and scripting language present by
default on new Windows machines.
• Designed to automate things and make life
easier for system admin.
• Based on .Net framework and is tightly
integrated with Windows.
5Powerpreter by Nikhil Mittal
6Powerpreter by Nikhil Mittal
Why PowerShell?
• Provides access to almost everything in a
Windows platform which could be useful for an
attacker.
• Easy to learn and really powerful.
• Trusted by the countermeasures and system
administrators.
• Consider it bash of Windows.
• Less dependence on msf and
<insert_linux_scripting>-to-executable libraries.
7Powerpreter by Nikhil Mittal
Powerpreter - Introduction
• A post exploitation tool written completely in
powershell.
• To be a part of Nishang, powershell based post
exploitation framework, written by the
speaker.
• The name is similar to meterpreter.
Powerpreter wants to be like meterpreter
after growing up :)
8Powerpreter by Nikhil Mittal
Powerpreter - Architecture
• Powerpreter is a powershell module and/or
script depending on the usage.
• Payloads and features in powerpreter are
structured as functions. Separate function for
each functionality.
• It could be easily extended to include new
scripts, just add a new function and it would
be used with other options.
9Powerpreter by Nikhil Mittal
Powerpreter – Usage
• Powerpreter is best used from a Powershell
Remote Session.
• It could be imported as a module and the
functionalities get loaded in the current
session.
• It could also be used with meterpreter and
“possibly” other shells as well.
10Powerpreter by Nikhil Mittal
Powerpreter – Payloads
• Payloads depend on the privileges available.
• Many useful payloads.
• Better seen in the demo.
11Powerpreter by Nikhil Mittal
Powerpreter – Capabilities
• Persistence
• Pivoting
• Admin to SYSTEM
• Helper functionalities
• Etc Etc
12Powerpreter by Nikhil Mittal
Powerpreter – Deployment
• From a powershell session
• Using meterpreter.
• Using psexec.
• Drive-by-download
• Human Interface Device (Bare bones
preferred)
13Powerpreter by Nikhil Mittal
Powerpreter - DEMO
14Powerpreter by Nikhil Mittal
Antak- The Webshell
• Named after God of Death (Yamraj) in Indian
mythology….muhahaha
• Written in C#.Net (that is what I call it).
• The UI is designed to look like a powershell prompt.
• Ability to upload & download files, executing
commands.
• Scripts can be executed by using the “Encode and
Execute” option.
• If remoting is enabled, commands/scripts on remote
systems can be executed.
15Powerpreter by Nikhil Mittal
BTW meet Yamraj
Powerpreter by Nikhil Mittal 16
Limitations
• Yet to undergo community testing.
• Keylogger does not work from powershell
remoting session.
• Backdoors can be detected with careful traffic
analysis.
• Pivot depends upon powershell remoting.
17Powerpreter by Nikhil Mittal
Conclusion
• Powershell provides much control over a
Windows system and Windows based network
• Powerpreter has been designed to derive its
power from above fact and provides (or at
least attempts to) a useful set of features for
penetration testers.
• Obviously, there are other ways to achieve
similar things. Powerpreter just makes it
easier.
18Powerpreter by Nikhil Mittal
Thanks/Credit/Greetz
• Thanks to my friend Arthur Donkers for helping me to
come to Defcon.
• Thanks/Credit/Greetz/Shoutz to powershell hackers (in
no particular order)
@obscuresec, @mattifestation, @Carlos_Perez,
@Lee_Holmes, @ScriptingGuys, @BrucePayette,
@adamdiscroll, @JosephBialek, @dave_rel1k and all
bloggers and book writers.
• Go see another awesome powershell talk in Track- 2
tomorrow – “PowerPwning: Post-Exploiting By
Overpowering PowerShell by Joe Bialek“
19Powerpreter by Nikhil Mittal
Thank You
• Questions?
• Insults?
• Feedback?
• Powerpreter would be available at
http://code.google.com/p/nishang/
• Follow me @nikhil_mitt
• Latest slides for this preso could be found at:
http://labofapenetrationtester.blogspot.in/p/blog-
page.html
20Powerpreter by Nikhil Mittal

More Related Content

What's hot

Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test   compromising a highly secure environment (nikhil)Ultimate pen test   compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)ClubHack
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATANikhil Mittal
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 

What's hot (20)

Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test   compromising a highly secure environment (nikhil)Ultimate pen test   compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 

Viewers also liked

Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
BlueMaemo - Bluetooth HID mouse & keyboard for Maemo
BlueMaemo - Bluetooth HID mouse & keyboard for MaemoBlueMaemo - Bluetooth HID mouse & keyboard for Maemo
BlueMaemo - Bluetooth HID mouse & keyboard for MaemoVDVsx
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conWill Schroeder
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Communityamiable_indian
 
Interfacing bluetooth with arduino
Interfacing bluetooth with arduinoInterfacing bluetooth with arduino
Interfacing bluetooth with arduinoJairaj Jangle
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 

Viewers also liked (20)

Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
How to hack anywhere
How to hack anywhereHow to hack anywhere
How to hack anywhere
 
BlueMaemo - Bluetooth HID mouse & keyboard for Maemo
BlueMaemo - Bluetooth HID mouse & keyboard for MaemoBlueMaemo - Bluetooth HID mouse & keyboard for Maemo
BlueMaemo - Bluetooth HID mouse & keyboard for Maemo
 
Raspberry Pi
Raspberry PiRaspberry Pi
Raspberry Pi
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Community
 
Interfacing bluetooth with arduino
Interfacing bluetooth with arduinoInterfacing bluetooth with arduino
Interfacing bluetooth with arduino
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Honey pots
Honey potsHoney pots
Honey pots
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 

Similar to Powerpreter: Post Exploitation like a Boss

Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Full Stack Automation with Katello & The Foreman
Full Stack Automation with Katello & The ForemanFull Stack Automation with Katello & The Foreman
Full Stack Automation with Katello & The ForemanWeston Bassler
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National PoliceCodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...Codemotion
 
iSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National PoliceiSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Get There meetup March 2018 - Microservices in action at the Dutch National P...
Get There meetup March 2018 - Microservices in action at the Dutch National P...Get There meetup March 2018 - Microservices in action at the Dutch National P...
Get There meetup March 2018 - Microservices in action at the Dutch National P...Bert Jan Schrijver
 
Dublin JUG February 2018 - Microservices in action at the Dutch National Police
Dublin JUG February 2018 - Microservices in action at the Dutch National PoliceDublin JUG February 2018 - Microservices in action at the Dutch National Police
Dublin JUG February 2018 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
JavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National PoliceJavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Microservices in action at the Dutch National Police
Microservices in action at the Dutch National PoliceMicroservices in action at the Dutch National Police
Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...Bert Jan Schrijver
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using MeterpreterShubham Mittal
 
Devoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National PoliceDevoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
GeekOut 2017 - Microservices in action at the Dutch National Police
GeekOut 2017 -  Microservices in action at the Dutch National PoliceGeekOut 2017 -  Microservices in action at the Dutch National Police
GeekOut 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
J-Spring 2017 - Microservices in action at the Dutch National Police
J-Spring 2017 - Microservices in action at the Dutch National PoliceJ-Spring 2017 - Microservices in action at the Dutch National Police
J-Spring 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Continuous Delivery Amsterdam - Microservices in action at the Dutch National...
Continuous Delivery Amsterdam - Microservices in action at the Dutch National...Continuous Delivery Amsterdam - Microservices in action at the Dutch National...
Continuous Delivery Amsterdam - Microservices in action at the Dutch National...Bert Jan Schrijver
 
Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?GetInData
 

Similar to Powerpreter: Post Exploitation like a Boss (20)

Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Full Stack Automation with Katello & The Foreman
Full Stack Automation with Katello & The ForemanFull Stack Automation with Katello & The Foreman
Full Stack Automation with Katello & The Foreman
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National PoliceCodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
 
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
 
iSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National PoliceiSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National Police
 
Get There meetup March 2018 - Microservices in action at the Dutch National P...
Get There meetup March 2018 - Microservices in action at the Dutch National P...Get There meetup March 2018 - Microservices in action at the Dutch National P...
Get There meetup March 2018 - Microservices in action at the Dutch National P...
 
Dublin JUG February 2018 - Microservices in action at the Dutch National Police
Dublin JUG February 2018 - Microservices in action at the Dutch National PoliceDublin JUG February 2018 - Microservices in action at the Dutch National Police
Dublin JUG February 2018 - Microservices in action at the Dutch National Police
 
JavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National PoliceJavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National Police
 
Microservices in action at the Dutch National Police
Microservices in action at the Dutch National PoliceMicroservices in action at the Dutch National Police
Microservices in action at the Dutch National Police
 
OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using Meterpreter
 
Devoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National PoliceDevoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National Police
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoT
 
GeekOut 2017 - Microservices in action at the Dutch National Police
GeekOut 2017 -  Microservices in action at the Dutch National PoliceGeekOut 2017 -  Microservices in action at the Dutch National Police
GeekOut 2017 - Microservices in action at the Dutch National Police
 
J-Spring 2017 - Microservices in action at the Dutch National Police
J-Spring 2017 - Microservices in action at the Dutch National PoliceJ-Spring 2017 - Microservices in action at the Dutch National Police
J-Spring 2017 - Microservices in action at the Dutch National Police
 
Continuous Delivery Amsterdam - Microservices in action at the Dutch National...
Continuous Delivery Amsterdam - Microservices in action at the Dutch National...Continuous Delivery Amsterdam - Microservices in action at the Dutch National...
Continuous Delivery Amsterdam - Microservices in action at the Dutch National...
 
Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?
 

Recently uploaded

Implementing Exponential Accelerators.pptx
Implementing Exponential Accelerators.pptxImplementing Exponential Accelerators.pptx
Implementing Exponential Accelerators.pptxRich Reba
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverseSiemens
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerAggregage
 
Exploring Elite Translation Services in Your Vicinity
Exploring Elite Translation Services in Your VicinityExploring Elite Translation Services in Your Vicinity
Exploring Elite Translation Services in Your VicinityThe Spanish Group
 
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh JiPsychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh Jiastral oracle
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckHajeJanKamps
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
Roman Kyslyi: Використання та побудова LLM агентів (UA)
Roman Kyslyi: Використання та побудова LLM агентів (UA)Roman Kyslyi: Використання та побудова LLM агентів (UA)
Roman Kyslyi: Використання та побудова LLM агентів (UA)Lviv Startup Club
 
Entrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextEntrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextP&CO
 
Fundamentals Welcome and Inclusive DEIB
Fundamentals Welcome and  Inclusive DEIBFundamentals Welcome and  Inclusive DEIB
Fundamentals Welcome and Inclusive DEIBGregory DeShields
 
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptxGo for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptxRakhi Bazaar
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
Customizable Contents Restoration Training
Customizable Contents Restoration TrainingCustomizable Contents Restoration Training
Customizable Contents Restoration TrainingCalvinarnold843
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
Vladyslav Fliahin: Applications of Gen AI in CV (UA)
Vladyslav Fliahin: Applications of Gen AI in CV (UA)Vladyslav Fliahin: Applications of Gen AI in CV (UA)
Vladyslav Fliahin: Applications of Gen AI in CV (UA)Lviv Startup Club
 
Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)
Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)
Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)Lviv Startup Club
 
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdfSherl Simon
 
Simplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansSimplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansNugget Global
 
Neha Jhalani Hiranandani: A Guide to Her Life and Career
Neha Jhalani Hiranandani: A Guide to Her Life and CareerNeha Jhalani Hiranandani: A Guide to Her Life and Career
Neha Jhalani Hiranandani: A Guide to Her Life and Careerr98588472
 

Recently uploaded (20)

Implementing Exponential Accelerators.pptx
Implementing Exponential Accelerators.pptxImplementing Exponential Accelerators.pptx
Implementing Exponential Accelerators.pptx
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverse
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
Exploring Elite Translation Services in Your Vicinity
Exploring Elite Translation Services in Your VicinityExploring Elite Translation Services in Your Vicinity
Exploring Elite Translation Services in Your Vicinity
 
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh JiPsychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deck
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Roman Kyslyi: Використання та побудова LLM агентів (UA)
Roman Kyslyi: Використання та побудова LLM агентів (UA)Roman Kyslyi: Використання та побудова LLM агентів (UA)
Roman Kyslyi: Використання та побудова LLM агентів (UA)
 
Entrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextEntrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider context
 
Fundamentals Welcome and Inclusive DEIB
Fundamentals Welcome and  Inclusive DEIBFundamentals Welcome and  Inclusive DEIB
Fundamentals Welcome and Inclusive DEIB
 
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptxGo for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
Go for Rakhi Bazaar and Pick the Latest Bhaiya Bhabhi Rakhi.pptx
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Authentically Social - presented by Corey Perlman
Authentically Social - presented by Corey PerlmanAuthentically Social - presented by Corey Perlman
Authentically Social - presented by Corey Perlman
 
Customizable Contents Restoration Training
Customizable Contents Restoration TrainingCustomizable Contents Restoration Training
Customizable Contents Restoration Training
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Vladyslav Fliahin: Applications of Gen AI in CV (UA)
Vladyslav Fliahin: Applications of Gen AI in CV (UA)Vladyslav Fliahin: Applications of Gen AI in CV (UA)
Vladyslav Fliahin: Applications of Gen AI in CV (UA)
 
Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)
Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)
Kyryl Truskovskyi: Training and Serving Open-Sourced Foundational Models (UA)
 
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
 
Simplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansSimplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business Loans
 
Neha Jhalani Hiranandani: A Guide to Her Life and Career
Neha Jhalani Hiranandani: A Guide to Her Life and CareerNeha Jhalani Hiranandani: A Guide to Her Life and Career
Neha Jhalani Hiranandani: A Guide to Her Life and Career
 

Powerpreter: Post Exploitation like a Boss

  • 1. PowerPreter: Post Exploitation like a boss Nikhil “SamratAshok” Mittal
  • 2. Get-Host • Hacker who goes by the handle SamratAshok • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.blogspot.com • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Freelance penetration tester *hint* • Spoken at BlackHat, Troopers, PHDays and more 2Powerpreter by Nikhil Mittal
  • 3. Get-Content • Need for Post Exploitation • PowerShell • Why PowerShell? • Introducing – Powerpreter – Architecture – Usage – Payloads – Capabilities – Deployment • Antak – The WebShell • Limitations • Conclusion 3Powerpreter by Nikhil Mittal
  • 4. Need for Post Exploitation • The most important part of a penetration test. • Guy who will pay you $$$ do not understand technology (neither he wants to). A “shell” is not what he wants from you. • IMHO, this differentiates a good pen tester and one-click-i-pwn-you-omg pen tester. • Etc Etc 4Powerpreter by Nikhil Mittal
  • 5. PowerShell • A shell and scripting language present by default on new Windows machines. • Designed to automate things and make life easier for system admin. • Based on .Net framework and is tightly integrated with Windows. 5Powerpreter by Nikhil Mittal
  • 7. Why PowerShell? • Provides access to almost everything in a Windows platform which could be useful for an attacker. • Easy to learn and really powerful. • Trusted by the countermeasures and system administrators. • Consider it bash of Windows. • Less dependence on msf and <insert_linux_scripting>-to-executable libraries. 7Powerpreter by Nikhil Mittal
  • 8. Powerpreter - Introduction • A post exploitation tool written completely in powershell. • To be a part of Nishang, powershell based post exploitation framework, written by the speaker. • The name is similar to meterpreter. Powerpreter wants to be like meterpreter after growing up :) 8Powerpreter by Nikhil Mittal
  • 9. Powerpreter - Architecture • Powerpreter is a powershell module and/or script depending on the usage. • Payloads and features in powerpreter are structured as functions. Separate function for each functionality. • It could be easily extended to include new scripts, just add a new function and it would be used with other options. 9Powerpreter by Nikhil Mittal
  • 10. Powerpreter – Usage • Powerpreter is best used from a Powershell Remote Session. • It could be imported as a module and the functionalities get loaded in the current session. • It could also be used with meterpreter and “possibly” other shells as well. 10Powerpreter by Nikhil Mittal
  • 11. Powerpreter – Payloads • Payloads depend on the privileges available. • Many useful payloads. • Better seen in the demo. 11Powerpreter by Nikhil Mittal
  • 12. Powerpreter – Capabilities • Persistence • Pivoting • Admin to SYSTEM • Helper functionalities • Etc Etc 12Powerpreter by Nikhil Mittal
  • 13. Powerpreter – Deployment • From a powershell session • Using meterpreter. • Using psexec. • Drive-by-download • Human Interface Device (Bare bones preferred) 13Powerpreter by Nikhil Mittal
  • 15. Antak- The Webshell • Named after God of Death (Yamraj) in Indian mythology….muhahaha • Written in C#.Net (that is what I call it). • The UI is designed to look like a powershell prompt. • Ability to upload & download files, executing commands. • Scripts can be executed by using the “Encode and Execute” option. • If remoting is enabled, commands/scripts on remote systems can be executed. 15Powerpreter by Nikhil Mittal
  • 16. BTW meet Yamraj Powerpreter by Nikhil Mittal 16
  • 17. Limitations • Yet to undergo community testing. • Keylogger does not work from powershell remoting session. • Backdoors can be detected with careful traffic analysis. • Pivot depends upon powershell remoting. 17Powerpreter by Nikhil Mittal
  • 18. Conclusion • Powershell provides much control over a Windows system and Windows based network • Powerpreter has been designed to derive its power from above fact and provides (or at least attempts to) a useful set of features for penetration testers. • Obviously, there are other ways to achieve similar things. Powerpreter just makes it easier. 18Powerpreter by Nikhil Mittal
  • 19. Thanks/Credit/Greetz • Thanks to my friend Arthur Donkers for helping me to come to Defcon. • Thanks/Credit/Greetz/Shoutz to powershell hackers (in no particular order) @obscuresec, @mattifestation, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @adamdiscroll, @JosephBialek, @dave_rel1k and all bloggers and book writers. • Go see another awesome powershell talk in Track- 2 tomorrow – “PowerPwning: Post-Exploiting By Overpowering PowerShell by Joe Bialek“ 19Powerpreter by Nikhil Mittal
  • 20. Thank You • Questions? • Insults? • Feedback? • Powerpreter would be available at http://code.google.com/p/nishang/ • Follow me @nikhil_mitt • Latest slides for this preso could be found at: http://labofapenetrationtester.blogspot.in/p/blog- page.html 20Powerpreter by Nikhil Mittal