SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.
SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.
Successfully reported this slideshow.
Activate your 30 day free trial to unlock unlimited reading.
1.
PowerPreter:
Post Exploitation like a boss
Nikhil “SamratAshok” Mittal
2.
Get-Host
• Hacker who goes by the handle SamratAshok
• Twitter - @nikhil_mitt
• Blog –
http://labofapenetrationtester.blogspot.com
• Creator of Kautilya and Nishang
• Interested in Offensive Information Security, new
attack vectors and methodologies to pwn
systems.
• Freelance penetration tester *hint*
• Spoken at BlackHat, Troopers, PHDays and more
2Powerpreter by Nikhil Mittal
3.
Get-Content
• Need for Post Exploitation
• PowerShell
• Why PowerShell?
• Introducing – Powerpreter
– Architecture
– Usage
– Payloads
– Capabilities
– Deployment
• Antak – The WebShell
• Limitations
• Conclusion
3Powerpreter by Nikhil Mittal
4.
Need for Post Exploitation
• The most important part of a penetration test.
• Guy who will pay you $$$ do not understand
technology (neither he wants to). A “shell” is
not what he wants from you.
• IMHO, this differentiates a good pen tester
and one-click-i-pwn-you-omg pen tester.
• Etc Etc
4Powerpreter by Nikhil Mittal
5.
PowerShell
• A shell and scripting language present by
default on new Windows machines.
• Designed to automate things and make life
easier for system admin.
• Based on .Net framework and is tightly
integrated with Windows.
5Powerpreter by Nikhil Mittal
7.
Why PowerShell?
• Provides access to almost everything in a
Windows platform which could be useful for an
attacker.
• Easy to learn and really powerful.
• Trusted by the countermeasures and system
administrators.
• Consider it bash of Windows.
• Less dependence on msf and
<insert_linux_scripting>-to-executable libraries.
7Powerpreter by Nikhil Mittal
8.
Powerpreter - Introduction
• A post exploitation tool written completely in
powershell.
• To be a part of Nishang, powershell based post
exploitation framework, written by the
speaker.
• The name is similar to meterpreter.
Powerpreter wants to be like meterpreter
after growing up :)
8Powerpreter by Nikhil Mittal
9.
Powerpreter - Architecture
• Powerpreter is a powershell module and/or
script depending on the usage.
• Payloads and features in powerpreter are
structured as functions. Separate function for
each functionality.
• It could be easily extended to include new
scripts, just add a new function and it would
be used with other options.
9Powerpreter by Nikhil Mittal
10.
Powerpreter – Usage
• Powerpreter is best used from a Powershell
Remote Session.
• It could be imported as a module and the
functionalities get loaded in the current
session.
• It could also be used with meterpreter and
“possibly” other shells as well.
10Powerpreter by Nikhil Mittal
11.
Powerpreter – Payloads
• Payloads depend on the privileges available.
• Many useful payloads.
• Better seen in the demo.
11Powerpreter by Nikhil Mittal
12.
Powerpreter – Capabilities
• Persistence
• Pivoting
• Admin to SYSTEM
• Helper functionalities
• Etc Etc
12Powerpreter by Nikhil Mittal
13.
Powerpreter – Deployment
• From a powershell session
• Using meterpreter.
• Using psexec.
• Drive-by-download
• Human Interface Device (Bare bones
preferred)
13Powerpreter by Nikhil Mittal
14.
Powerpreter - DEMO
14Powerpreter by Nikhil Mittal
15.
Antak- The Webshell
• Named after God of Death (Yamraj) in Indian
mythology….muhahaha
• Written in C#.Net (that is what I call it).
• The UI is designed to look like a powershell prompt.
• Ability to upload & download files, executing
commands.
• Scripts can be executed by using the “Encode and
Execute” option.
• If remoting is enabled, commands/scripts on remote
systems can be executed.
15Powerpreter by Nikhil Mittal
16.
BTW meet Yamraj
Powerpreter by Nikhil Mittal 16
17.
Limitations
• Yet to undergo community testing.
• Keylogger does not work from powershell
remoting session.
• Backdoors can be detected with careful traffic
analysis.
• Pivot depends upon powershell remoting.
17Powerpreter by Nikhil Mittal
18.
Conclusion
• Powershell provides much control over a
Windows system and Windows based network
• Powerpreter has been designed to derive its
power from above fact and provides (or at
least attempts to) a useful set of features for
penetration testers.
• Obviously, there are other ways to achieve
similar things. Powerpreter just makes it
easier.
18Powerpreter by Nikhil Mittal
19.
Thanks/Credit/Greetz
• Thanks to my friend Arthur Donkers for helping me to
come to Defcon.
• Thanks/Credit/Greetz/Shoutz to powershell hackers (in
no particular order)
@obscuresec, @mattifestation, @Carlos_Perez,
@Lee_Holmes, @ScriptingGuys, @BrucePayette,
@adamdiscroll, @JosephBialek, @dave_rel1k and all
bloggers and book writers.
• Go see another awesome powershell talk in Track- 2
tomorrow – “PowerPwning: Post-Exploiting By
Overpowering PowerShell by Joe Bialek“
19Powerpreter by Nikhil Mittal
20.
Thank You
• Questions?
• Insults?
• Feedback?
• Powerpreter would be available at
http://code.google.com/p/nishang/
• Follow me @nikhil_mitt
• Latest slides for this preso could be found at:
http://labofapenetrationtester.blogspot.in/p/blog-
page.html
20Powerpreter by Nikhil Mittal