PS #> Get-Content psattack.txt
Making it easy to use PowerShell for evil
PS> whoami
• Jared Haight
• Security Engineer for Gotham Digital Science
• PowerShell fanboy
• Guess I’m a developer?
• I enjoy long walks in the woods
• Co-owner of a broken bunny.
What is PowerShell
Microsoft’s attempt to get admins to use a keyboard
What is PowerShell?
• Windows PowerShell (as described by Wikipedia)
  o task automation and configuration management framework
  o consisting of a command-line shell and associated scripting language
  o built on the .NET Framework
  o provides full access to COM and WMI
  o enabling administrators to perform administrative tasks on both local and remote Windows systems
What makes PowerShell great
• Object Oriented Language
• Intuitive Commands
  o Verb-Noun format (get-help, test-connection, etc)
  o Similar switches across commands (-ComputerName, -Debug, etc)
• A help system that’s actually usable
• Great tab completion
• Available on Windows 7 and up.
What is it being used for?
• Administering all the things!
  o You can administer most anything in a Domain with PowerShell
• Automation
  o Desired State Config is the Puppet/Chef/Ansible/Salt of the Windows world.
• Information Security
  o Lots of work in DFIR
  o Great for event log parsing and WMI queries.
  o Check out what’s being done at http://www.invoke-ir.com/
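As an added example of the DFIR event-log parsing the slide refers to (my code, not the speaker's and not part of PS>Attack): pull the script block logging events that PowerShell v5 writes (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), stitch blocks that were logged in several chunks back together, and flag the ones that match a watch-list. The function names and the watch-list patterns are my own choices; the log name, event ID and property layout are the real ones.

```powershell
# Added example (not part of PS>Attack): reassemble PowerShell v5 script block
# logging events (Event ID 4104) and flag suspicious script blocks.
# Needs Script Block Logging enabled and, usually, an elevated shell.

function Get-LoggedScriptBlock {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 2000,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )

    # 4104 = "Creating Scriptblock text". EventData order:
    # 0 MessageNumber, 1 MessageTotal, 2 ScriptBlockText, 3 ScriptBlockId, 4 Path
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $StartTime
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return }

    # Long script blocks are split over several 4104 events that share a ScriptBlockId;
    # group by id and join the chunks in MessageNumber order.
    $events |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Number  = [int]$_.Properties[0].Value
                Total   = [int]$_.Properties[1].Value
                Text    = [string]$_.Properties[2].Value
                BlockId = [string]$_.Properties[3].Value
                Path    = [string]$_.Properties[4].Value   # empty for interactive input
            }
        } |
        Group-Object BlockId |
        ForEach-Object {
            $chunks = @($_.Group | Sort-Object Number)
            [pscustomobject]@{
                Time     = $chunks[0].Time
                BlockId  = $_.Name
                Path     = $chunks[0].Path
                Complete = ($chunks.Count -eq $chunks[0].Total)   # false if a chunk was lost/rotated
                Text     = -join $chunks.Text
            }
        }
}

function Test-SuspiciousScriptBlock {
    param([Parameter(ValueFromPipeline)]$Block)
    process {
        # Constructed watch-list of strings that rarely appear in admin scripts; tune it per environment.
        $patterns = 'FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX ',
                    'Add-Type', 'VirtualAlloc', '-EncodedCommand', '-enc '
        $hits = $patterns | Where-Object { $Block.Text -match [regex]::Escape($_) }
        if ($hits) {
            $Block | Add-Member -NotePropertyName Indicators -NotePropertyValue ($hits -join ', ') -PassThru
        }
    }
}

# Usage:
# Get-LoggedScriptBlock | Test-SuspiciousScriptBlock | Format-List Time, Path, Indicators, Text
```

On hosts without v5 (or with the policy off) the query simply returns nothing, which is the "no real logging before v5" point from the next slides.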
What can Red Teams use it for?
Offensive PowerShell is Awesome
• Using the admin’s tools against them
  o There’s great stuff already there, live off the land.
• Hard to lock down
  o No real logging before PowerShell v5
  o PowerShell is actually part of .NET, it’s NOT powershell.exe
  o Not a lot of awareness on the admin side of offensive PowerShell
• A lot of advanced work being done by the community
  o DLL injection
  o WMI Abuse
  o Mature Methodologies
The Barrier to PowerShell
• Lack of interest
  o Windows isn’t cool
• A little intimidating
  o Lots of testers are more comfortable with *nix
  o Whole new language to learn
  o Where do you start?
• Hard to stay up on the latest and greatest
  o PowerShell clique on Twitter
  o Cool stuff doesn’t always get surfaced
PS>Attack to the Rescue
What is PS>Attack
• A tool that makes using Offensive PowerShell easy
  o Custom console designed to emulate powershell.exe
  o Some of the best tools available are built in
  o Powerful tab completion
    • Commands
    • File Paths
    • Parameters
  o Single Executable – just download and run
What’s in PS>Attack
• Over 110 Commands covering Recon, Privesc, Backdoors and Exfiltration
• Including
  o Commands from PowerTools, PowerSploit and Nishang
  o Inveigh – A Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
  o Powercat – Netcat, but in PowerShell
• Get-Attack – A command for finding the attack you’re looking for
• An attack command search tool
Not just for the lab
• Embedded Payloads are encrypted to evade AV and IR teams
• Payloads are decrypted straight into memory so they never touch disk.
• Custom built console doesn’t rely on “powershell.exe”
• Works out of the box on everything from a fresh Windows 7 install to a patched version of Windows 10.
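Because the console is not powershell.exe, a defender who only watches for that process name sees nothing; the engine itself still has to be loaded into some process, and it still writes its own engine lifecycle events. An added example (my code, not the speaker's and not part of PS>Attack) that checks both on a host: the function names and the list of expected host executables are my assumptions; the module name and Event ID 400 in the classic "Windows PowerShell" log are real.

```powershell
# Added example (not part of PS>Attack): find PowerShell engines hosted by
# something other than the stock console, both live and from the event log.

# Host executables you expect to run the PowerShell engine; extend per environment
# (ISE, Server Manager, management agents and so on are legitimate hosts too).
$KnownHosts = @('powershell.exe', 'powershell_ise.exe')

function Get-PowerShellHostProcess {
    # The engine is System.Management.Automation.dll (or its native image,
    # System.Management.Automation.ni.dll). Any process with it loaded is running
    # PowerShell, whatever its executable is called.
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # protected or other users' processes
        $engine = @($mods | Where-Object { $_.ModuleName -like 'System.Management.Automation*' })
        if ($engine.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $p.Id
                Name      = $p.ProcessName
                Path      = $p.Path
                Engine    = $engine[0].FileName
                Expected  = ($KnownHosts -contains "$($p.ProcessName).exe")
            }
        }
    }
}

function Get-PowerShellEngineStart {
    param([datetime]$StartTime = (Get-Date).AddDays(-7))
    # Event 400 ("Engine state is changed from None to Available") has existed since
    # PowerShell v2, so it is available on a Windows 7 box with no script block logging.
    # Its message carries HostName= and HostApplication= lines naming whoever hosted the engine.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hostName = if ($_.Message -match 'HostName=(.*)')        { $Matches[1].Trim() } else { '' }
            $hostApp  = if ($_.Message -match 'HostApplication=(.*)') { $Matches[1].Trim() } else { '' }
            # First token of the host command line: quoted path, or up to the first space.
            # An unquoted path containing spaces will be cut short and show up as unexpected.
            $exe = ''
            if ($hostApp -match '^"([^"]+)"' -or $hostApp -match '^(\S+)') {
                $exe = [System.IO.Path]::GetFileName($Matches[1])
            }
            [pscustomobject]@{
                Time            = $_.TimeCreated
                HostName        = $hostName
                HostApplication = $hostApp
                Expected        = ($KnownHosts -contains $exe)
            }
        }
}

# Usage:
# Get-PowerShellHostProcess | Where-Object { -not $_.Expected }
# Get-PowerShellEngineStart | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Reading other users' process modules needs an elevated shell; the event-log check works from any account that can read the classic log.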
Get-Help
• PowerShell’s help system
• Available for any command in PS>Attack
  o get-help invoke-mimikatz
• Use the -Examples switch to view usage examples
  o get-help invoke-mimikatz -examples
Demo!
Making PS>Attack Even Better
PS>Attack Shortcomings
• All versions use the same encrypted files
  o Easy for AV to flag
• PowerShell tools are being updated daily
Enter: The PS>Attack Build Tool
What does it do?
• Downloads latest release of PS>Attack
• Downloads the latest versions of the modules/tools that PS>Attack uses
• Encrypts everything with a unique key
• Compiles everything for you
• It’s super easy.
How easy is it?
PS>Attack Build Tool Dependencies
• .NET 3.5 Full
  o Needed to build PS>Attack
  o Provides msbuild.exe
  o Backwards compatibility in .NET is all sorts of broken
• .NET 4.5 (and up?)
  o Needed to run Build Tool
• Modules.json
  o JSON file containing names and urls for PowerShell modules
  o Included with the Build Tool
Getting PS>Attack
• https://github.com/jaredhaight
  o PS>Attack: https://github.com/jaredhaight/psattack
  o Build Tool: https://github.com/jaredhaight/psattackbuildtool
  o Precompiled versions are available on the releases tab
• https://www.psattack.com
  o There’s a bunch of stuff on there, some of it is related to PS>Attack
PS> get-future
Where do we go from here?
What’s next?
• Bug fixes
• More PowerShell modules!
  o Within reason.. PS>Punch is already 3 MB.
• Better AV/IR evasion
  o Less static strings, more magic
• Better console emulation
  o Script support, Better exe support
• New features
  o Reverse Shell? Command line params? What does the community want?
How can you help?
• Submit issues
  o Let me know what errors you run into
  o Let me know when things don’t work the way you expect
• Submit pull requests
  o If you want to implement a new feature or something, ping me and we can talk
• Feedback of any kind is incredibly helpful
  o Hit me up on twitter, email, in person.
Wrapping up
The real MVPs
• @mattifestation
• @sixdub
• @harmj0y
• @enigma0x3
• @subtee
• @nikhil_mitt
• @kevin_robertson
Like, Comment and Subscribe
• @jaredhaight
• jhaight@gdssecurity.com
• https://github.com/jaredhaight
• Charlotte Hackers – http://www.charlottehackers.com
Fin.
• Questions?
Introducing PS>Attack: An offensive PowerShell toolkit

Editor’s notes

  1. PowerShell conventions like -Verbose, etc.
  2. Windows is only useful when we’re breaking it. Massive frameworks; which frameworks to use?
  3. * Powercat from PS>Attack includes all of the PS>Attack tools
  4. G