Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Powerpreter: Post Exploitation like a Boss


Published on

Slides of my talk at Defcon 21

Published in: Business, Technology

Powerpreter: Post Exploitation like a Boss

  1. 1. PowerPreter: Post Exploitation like a boss Nikhil “SamratAshok” Mittal
  2. 2. Get-Host • Hacker who goes by the handle SamratAshok • Twitter - @nikhil_mitt • Blog – • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Freelance penetration tester *hint* • Spoken at BlackHat, Troopers, PHDays and more 2Powerpreter by Nikhil Mittal
  3. 3. Get-Content • Need for Post Exploitation • PowerShell • Why PowerShell? • Introducing – Powerpreter – Architecture – Usage – Payloads – Capabilities – Deployment • Antak – The WebShell • Limitations • Conclusion 3Powerpreter by Nikhil Mittal
  4. 4. Need for Post Exploitation • The most important part of a penetration test. • Guy who will pay you $$$ do not understand technology (neither he wants to). A “shell” is not what he wants from you. • IMHO, this differentiates a good pen tester and one-click-i-pwn-you-omg pen tester. • Etc Etc 4Powerpreter by Nikhil Mittal
  5. 5. PowerShell • A shell and scripting language present by default on new Windows machines. • Designed to automate things and make life easier for system admin. • Based on .Net framework and is tightly integrated with Windows. 5Powerpreter by Nikhil Mittal
  6. 6. 6Powerpreter by Nikhil Mittal
  7. 7. Why PowerShell? • Provides access to almost everything in a Windows platform which could be useful for an attacker. • Easy to learn and really powerful. • Trusted by the countermeasures and system administrators. • Consider it bash of Windows. • Less dependence on msf and <insert_linux_scripting>-to-executable libraries. 7Powerpreter by Nikhil Mittal
  8. 8. Powerpreter - Introduction • A post exploitation tool written completely in powershell. • To be a part of Nishang, powershell based post exploitation framework, written by the speaker. • The name is similar to meterpreter. Powerpreter wants to be like meterpreter after growing up :) 8Powerpreter by Nikhil Mittal
  9. 9. Powerpreter - Architecture • Powerpreter is a powershell module and/or script depending on the usage. • Payloads and features in powerpreter are structured as functions. Separate function for each functionality. • It could be easily extended to include new scripts, just add a new function and it would be used with other options. 9Powerpreter by Nikhil Mittal
  10. 10. Powerpreter – Usage • Powerpreter is best used from a Powershell Remote Session. • It could be imported as a module and the functionalities get loaded in the current session. • It could also be used with meterpreter and “possibly” other shells as well. 10Powerpreter by Nikhil Mittal
  11. 11. Powerpreter – Payloads • Payloads depend on the privileges available. • Many useful payloads. • Better seen in the demo. 11Powerpreter by Nikhil Mittal
  12. 12. Powerpreter – Capabilities • Persistence • Pivoting • Admin to SYSTEM • Helper functionalities • Etc Etc 12Powerpreter by Nikhil Mittal
  13. 13. Powerpreter – Deployment • From a powershell session • Using meterpreter. • Using psexec. • Drive-by-download • Human Interface Device (Bare bones preferred) 13Powerpreter by Nikhil Mittal
  14. 14. Powerpreter - DEMO 14Powerpreter by Nikhil Mittal
  15. 15. Antak- The Webshell • Named after God of Death (Yamraj) in Indian mythology….muhahaha • Written in C#.Net (that is what I call it). • The UI is designed to look like a powershell prompt. • Ability to upload & download files, executing commands. • Scripts can be executed by using the “Encode and Execute” option. • If remoting is enabled, commands/scripts on remote systems can be executed. 15Powerpreter by Nikhil Mittal
  16. 16. BTW meet Yamraj Powerpreter by Nikhil Mittal 16
  17. 17. Limitations • Yet to undergo community testing. • Keylogger does not work from powershell remoting session. • Backdoors can be detected with careful traffic analysis. • Pivot depends upon powershell remoting. 17Powerpreter by Nikhil Mittal
  18. 18. Conclusion • Powershell provides much control over a Windows system and Windows based network • Powerpreter has been designed to derive its power from above fact and provides (or at least attempts to) a useful set of features for penetration testers. • Obviously, there are other ways to achieve similar things. Powerpreter just makes it easier. 18Powerpreter by Nikhil Mittal
  19. 19. Thanks/Credit/Greetz • Thanks to my friend Arthur Donkers for helping me to come to Defcon. • Thanks/Credit/Greetz/Shoutz to powershell hackers (in no particular order) @obscuresec, @mattifestation, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @adamdiscroll, @JosephBialek, @dave_rel1k and all bloggers and book writers. • Go see another awesome powershell talk in Track- 2 tomorrow – “PowerPwning: Post-Exploiting By Overpowering PowerShell by Joe Bialek“ 19Powerpreter by Nikhil Mittal
  20. 20. Thank You • Questions? • Insults? • Feedback? • Powerpreter would be available at • Follow me @nikhil_mitt • Latest slides for this preso could be found at: page.html 20Powerpreter by Nikhil Mittal