PS>Attack is designed to make it easy for Penetration Testers to incorporate PowerShell into their bag of tricks. Its a custom PowerShell console packed with some of the best offensive tools available. It's designed to be easy to use and opsec safe.
Boost Fertility New Invention Ups Success Rates.pdf
Introducing PS>Attack: An offensive PowerShell toolkit
1. PS #> Get-Content psattack.txt
Making it easy to use PowerShell for evil
2. PS> whoami
• Jared Haight
• Security Engineer for Gotham Digital Science
• PowerShell fanboy
• Guess I’m a developer?
• I enjoy long walks in the woods
• Co-owner of a broken bunny.
5. What is PowerShell?
• Windows PowerShell (as described by Wikipedia)
otask automation and configuration management framework
oconsisting of a command-line shell and associated scripting
language
obuilt on the .NET Framework
oprovides full access to COM and WMI
oenabling administrators to perform administrative tasks on
both local and remote Windows systems
6. What makes PowerShell great
• Object Oriented Language
• Intuitive Commands
oVerb-Noun format (get-help, test-connection, etc)
oSimilar switches across commands (-ComputerName, -Debug,
etc)
• A help system that’s actually usable
• Great tab completion
• Available on Windows 7 and up.
7. What is it being used for?
• Administering all the things!
oYou can administer most anything in a Domain with
PowerShell
• Automation
oDesired State Config is the Puppet/Chef/Ansible/Salt of the
Windows world.
• Information Security
oLot of work in DFIR
oGreat for event log parsing and WMI queries.
oCheck out what’s being done at http://www.invoke-ir.com/
9. Offensive PowerShell is Awesome
• Using the admin’s tools against them
oThere’s great stuff already there, live off the land.
• Hard to lock down
oNo real logging before PowerShell v5
oPowerShell is actually part of .NET, it’s NOT powershell.exe
oNot a lot of awareness on the admin side of offensive
PowerShell
• A lot of advanced work being done by the community
oDLL injection
oWMI Abuse
oMature Methodologies
10. The Barrier to PowerShell
• Lack of interest
oWindows isn’t cool
• A little intimidating
oLots of testers are more comfortable with *nix
oWhole new language to learn
oWhere do you start?
• Hard to stay up on the latest and greatest
oPowerShell clique on Twitter
oCool stuff doesn’t always get surfaced
12. What is PS>Attack
• A tool that makes using Offensive PowerShell easy
oCustom console designed to emulate powershell.exe
oSome of the best tools available are built in
oPowerful tab completion
• Commands
• File Paths
• Parameters
oSingle Executable – just download and run
13. What’s in PS>Attack
• Over 110 Commands covering Recon, Privesc,
Backdoors and Exfiltration
• Including
oCommands from PowerTools, PowerSploit and Nishang
oInveigh – A Windows PowerShell LLMNR/NBNS spoofer with
challenge/response capture over HTTP(S)/SMB and NTLMv2
HTTP to SMB relay.
oPowercat – Netcat, but in Powershell
• Get-Attack – A command for finding the attack you’re
looking for
15. Not just for the lab
• Embedded Payloads are
encrypted to evade AV and
IR teams
• Payloads are decrypted
straight into memory so
they never touch disk.
• Custom built console doesn’t
rely on “powershell.exe”
• Works out of the box on
everything from a fresh
Windows 7 install to a
patched version of
Windows 10.
16. Get-Help
• PowerShell’s help system
• Available for any command in PS>Attack
oget-help invoke-mimikatz
• Use the –Examples switch to view usage examples
oget-help invoke-mimikatz -examples
21. What does it do?
• Downloads latest release of PS>Attack
• Downloads the latest versions of the modules/tools that
PS>Attack uses
• Encrypts everything with a unique key
• Compiles everything for you
• Its super easy.
24. PS>Attack Build Tool Dependencies
• .NET 3.5 Full
oNeeded to build PS>Attack
oProvides msbuild.exe
oBackwards compatibility in .NET is all sorts of broken
• .NET 4.5 (and up?)
oNeeded to run Build Tool
• Modules.json
oJSON file containing names and urls for PowerShell modules
oIncluded with the Build Tool
25.
26. Getting PS>Attack
• https://github.com/jaredhaight
oPS>Attack: https://github.com/jaredhaight/psattack
oBuild Tool: https://github.com/jaredhaight/psattackbuildtool
oPrecompiled versions are available on the releases tab
• https://www.psattack.com
oTheres a bunch of stuff on there, some of it is related to
PS>Attack
28. What’s next?
• Bug fixes
• More PowerShell modules!
oWithin reason.. PS>Punch is already 3mb.
• Better AV/IR evasion
oLess static strings, more magic
• Better console emulation
oScript support, Better exe support
• New features
oReverse Shell? Command line params? What does the
community want?
29. How can you help?
• Submit issues
oLet me know what errors you run into
oLet me know when things don’t work the way you expect
• Submit pull requests
oIf you want to implement a new feature or something, ping
me and we can talk
• Feedback of any kind is incredibly helpful
oHit me up on twitter, email, in person.