PS #> Get-Content psattack.txt
Making it easy to use PowerShell for evil
PS> whoami
• Jared Haight
• Security Engineer for Gotham Digital Science
• PowerShell fanboy
• Guess I’m a developer?
• I enjoy long walks in the woods
• Co-owner of a broken bunny.
What is PowerShell
Microsoft’s attempt to get admins to use a keyboard
What is PowerShell?
• Windows PowerShell (as described by Wikipedia)
  o task automation and configuration management framework
  o consisting of a command-line shell and associated scripting language
  o built on the .NET Framework
  o provides full access to COM and WMI
  o enabling administrators to perform administrative tasks on both local and remote Windows systems
What makes PowerShell great
• Object Oriented Language
• Intuitive Commands
  o Verb-Noun format (get-help, test-connection, etc.)
  o Similar switches across commands (-ComputerName, -Debug, etc.)
• A help system that’s actually usable
• Great tab completion
• Available on Windows 7 and up.
What is it being used for?
• Administering all the things!
  o You can administer most anything in a Domain with PowerShell
• Automation
  o Desired State Config is the Puppet/Chef/Ansible/Salt of the Windows world.
• Information Security
  o Lots of work in DFIR
  o Great for event log parsing and WMI queries.
  o Check out what's being done at http://www.invoke-ir.com/
What can Red Teams use it for?
Offensive PowerShell is Awesome
• Using the admin's tools against them
  o There's great stuff already there; live off the land.
• Hard to lock down
  o No real logging before PowerShell v5
  o PowerShell is actually part of .NET; it's NOT powershell.exe
  o Not a lot of awareness on the admin side of offensive PowerShell
• A lot of advanced work being done by the community
  o DLL injection
  o WMI abuse
  o Mature methodologies
The Barrier to PowerShell
• Lack of interest
  o Windows isn't cool
• A little intimidating
  o Lots of testers are more comfortable with *nix
  o Whole new language to learn
  o Where do you start?
• Hard to stay up on the latest and greatest
  o PowerShell clique on Twitter
  o Cool stuff doesn't always get surfaced
PS>Attack to the Rescue
What is PS>Attack
• A tool that makes using Offensive PowerShell easy
  o Custom console designed to emulate powershell.exe
  o Some of the best tools available are built in
  o Powerful tab completion
    ▪ Commands
    ▪ File paths
    ▪ Parameters
  o Single executable – just download and run
What’s in PS>Attack
• Over 110 commands covering recon, privesc, backdoors and exfiltration
• Including
  o Commands from PowerTools, PowerSploit and Nishang
  o Inveigh – a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP-to-SMB relay
  o Powercat – Netcat, but in PowerShell
• Get-Attack – a command for finding the attack you're looking for
• An attack command search tool
Not just for the lab
• Embedded payloads are encrypted to evade AV and IR teams
• Payloads are decrypted straight into memory so they never touch disk.
• Custom-built console doesn't rely on "powershell.exe"
• Works out of the box on everything from a fresh Windows 7 install to a patched version of Windows 10.
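Two of the points made so far matter most to a defender: the engine is a .NET assembly (System.Management.Automation) that any .NET program can host, so a custom console never starts powershell.exe, and the engine itself had no real logging before v5. The script below is an added example, not code from the slides or the PS>Attack project. It lists processes that have loaded the engine assembly under a process name other than the usual hosts, and reports whether the v5 script block logging policy is set. It assumes an elevated Windows PowerShell session on the host being inspected; the expected-host list is the usual one and is not taken from the page.

```powershell
# Added example, not from the PS>Attack slides or project.
# Assumes an elevated Windows PowerShell session on the host being inspected.

function Get-UnexpectedPowerShellHost {
    <#
    .SYNOPSIS
    Lists processes that have loaded the PowerShell engine but are not a usual PowerShell host.
    The engine lives in System.Management.Automation.dll, so a custom console shows up here
    even though powershell.exe is never started.
    #>
    param(
        # Process names (without .exe) that are expected to host the engine (assumed list).
        [string[]]$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh')
    )
    # The NGen'd image (.ni.dll) is what older .NET Framework installs usually load.
    $engineNames = @('System.Management.Automation.dll', 'System.Management.Automation.ni.dll')

    foreach ($proc in Get-Process) {
        # Module enumeration throws for protected or higher-privilege processes; skip those.
        try { $modules = $proc.Modules } catch { continue }
        $engine = $modules |
            Where-Object { $engineNames -contains $_.ModuleName } |
            Select-Object -First 1
        if ($engine -and ($ExpectedHosts -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                Id          = $proc.Id
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
                EngineDll   = $engine.FileName
            }
        }
    }
}

function Get-ScriptBlockLoggingState {
    <#
    .SYNOPSIS
    Reports whether PowerShell v5 script block logging is turned on by policy.
    Script block logging is implemented in the engine, so it records script blocks
    run from any host, not only powershell.exe. Before v5 there is no equivalent.
    #>
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $policy = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        ScriptBlockLoggingOn = [bool]($policy -and $policy.EnableScriptBlockLogging -eq 1)
        PolicyKey            = $key
    }
}

# Usage: run both checks and show the results.
Get-UnexpectedPowerShellHost | Format-Table -AutoSize
Get-ScriptBlockLoggingState
```

A hit from the first function is not proof of misuse (management agents and IDEs host the engine legitimately), so treat it as a triage list to compare against a known-good baseline.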
Get-Help
• PowerShell's help system
• Available for any command in PS>Attack
  o get-help invoke-mimikatz
• Use the -Examples switch to view usage examples
  o get-help invoke-mimikatz -examples
Demo!
Making PS>Attack Even Better
PS>Attack Shortcomings
• All versions use the same encrypted files
  o Easy for AV to flag
• PowerShell tools are being updated daily
Enter: The PS>Attack Build Tool
What does it do?
• Downloads the latest release of PS>Attack
• Downloads the latest versions of the modules/tools that PS>Attack uses
• Encrypts everything with a unique key
• Compiles everything for you
• It's super easy.
How easy is it?
PS>Attack Build Tool Dependencies
• .NET 3.5 Full
  o Needed to build PS>Attack
  o Provides msbuild.exe
  o Backwards compatibility in .NET is all sorts of broken
• .NET 4.5 (and up?)
  o Needed to run the Build Tool
• Modules.json
  o JSON file containing names and URLs for PowerShell modules
  o Included with the Build Tool
Getting PS>Attack
• https://github.com/jaredhaight
  o PS>Attack: https://github.com/jaredhaight/psattack
  o Build Tool: https://github.com/jaredhaight/psattackbuildtool
  o Precompiled versions are available on the releases tab
• https://www.psattack.com
  o There's a bunch of stuff on there, some of it related to PS>Attack
PS> get-future
Where do we go from here?
What’s next?
• Bug fixes
• More PowerShell modules!
  o Within reason... PS>Punch is already 3 MB.
• Better AV/IR evasion
  o Less static strings, more magic
• Better console emulation
  o Script support, better exe support
• New features
  o Reverse shell? Command line params? What does the community want?
How can you help?
• Submit issues
  o Let me know what errors you run into
  o Let me know when things don't work the way you expect
• Submit pull requests
  o If you want to implement a new feature or something, ping me and we can talk
• Feedback of any kind is incredibly helpful
  o Hit me up on Twitter, email, in person.
Wrapping up
The real MVPs
• @mattifestation
• @sixdub
• @harmj0y
• @enigma0x3
• @subtee
• @nikhil_mitt
• @kevin_robertson
Like, Comment and Subscribe
• @jaredhaight
• jhaight@gdssecurity.com
• https://github.com/jaredhaight
• Charlotte Hackers – http://www.charlottehackers.com
Fin.
• Questions?
Introducing PS>Attack: An offensive PowerShell toolkit

Weitere ähnliche Inhalte

Was ist angesagt?

Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingRavikanth Chaganti
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for PentestersAnant Shrivastava
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 

Was ist angesagt? (20)

Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNS
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell Scripting
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Metasploit magic the dark coners of the framework
Metasploit magic   the dark coners of the frameworkMetasploit magic   the dark coners of the framework
Metasploit magic the dark coners of the framework
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 

Andere mochten auch

The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
PowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint adminsPowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint adminsConcentrated Technology
 
Basic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 sessionBasic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 sessionRob Dunn
 
Managing enterprise with PowerShell remoting
Managing enterprise with PowerShell remotingManaging enterprise with PowerShell remoting
Managing enterprise with PowerShell remotingConcentrated Technology
 
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - CertificateAdvanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - CertificateDon Reese
 
PowerShell and the Future of Windows Automation
PowerShell and the Future of Windows AutomationPowerShell and the Future of Windows Automation
PowerShell and the Future of Windows AutomationConcentrated Technology
 
Introduction to powershell
Introduction to powershellIntroduction to powershell
Introduction to powershellSalaudeen Rajack
 
Three cool cmdlets I wish PowerShell Had!
Three cool cmdlets I wish PowerShell Had!Three cool cmdlets I wish PowerShell Had!
Three cool cmdlets I wish PowerShell Had!Thomas Lee
 

Andere mochten auch (20)

The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
PowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint adminsPowerShell crashcourse for Sharepoint admins
PowerShell crashcourse for Sharepoint admins
 
Basic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 sessionBasic PowerShell Toolmaking - Spiceworld 2016 session
Basic PowerShell Toolmaking - Spiceworld 2016 session
 
Managing enterprise with PowerShell remoting
Managing enterprise with PowerShell remotingManaging enterprise with PowerShell remoting
Managing enterprise with PowerShell remoting
 
Automating ad with powershell
Automating ad with powershellAutomating ad with powershell
Automating ad with powershell
 
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - CertificateAdvanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
Advanced Tools & Scripting with PowerShell 3.0 Jump Start - Certificate
 
From VB Script to PowerShell
From VB Script to PowerShellFrom VB Script to PowerShell
From VB Script to PowerShell
 
PS scripting and modularization
PS scripting and modularizationPS scripting and modularization
PS scripting and modularization
 
PowerShell and the Future of Windows Automation
PowerShell and the Future of Windows AutomationPowerShell and the Future of Windows Automation
PowerShell and the Future of Windows Automation
 
Implementing dr w. hyper v clustering
Implementing dr w. hyper v clusteringImplementing dr w. hyper v clustering
Implementing dr w. hyper v clustering
 
Introduction to powershell
Introduction to powershellIntroduction to powershell
Introduction to powershell
 
No-script PowerShell v2
No-script PowerShell v2No-script PowerShell v2
No-script PowerShell v2
 
PowerShell crashcourse for sharepoint
PowerShell crashcourse for sharepointPowerShell crashcourse for sharepoint
PowerShell crashcourse for sharepoint
 
Server Core2
Server Core2Server Core2
Server Core2
 
PowerShell crash course
PowerShell crash coursePowerShell crash course
PowerShell crash course
 
Three cool cmdlets I wish PowerShell Had!
Three cool cmdlets I wish PowerShell Had!Three cool cmdlets I wish PowerShell Had!
Three cool cmdlets I wish PowerShell Had!
 

Ähnlich wie Introducing PS>Attack: An offensive PowerShell toolkit

DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyFelipe Prado
 
Holy PowerShell, BATman! - dogfood edition
Holy PowerShell, BATman! - dogfood editionHoly PowerShell, BATman! - dogfood edition
Holy PowerShell, BATman! - dogfood editionDave Diehl
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Professional Help for PowerShell Modules
Professional Help for PowerShell ModulesProfessional Help for PowerShell Modules
Professional Help for PowerShell ModulesJune Blender
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsDev 010101
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Power shell basics day 2
Power shell basics day 2Power shell basics day 2
Power shell basics day 2Ashish Raj
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!Thomas Lee
 
Introduction to PowerShell and getting started
Introduction to PowerShell and getting startedIntroduction to PowerShell and getting started
Introduction to PowerShell and getting startedRavikanth Chaganti
 
2010 za con_jameel_haffejee
2010 za con_jameel_haffejee2010 za con_jameel_haffejee
2010 za con_jameel_haffejeeJohan Klerk
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopersBryan Cafferky
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction to  Command LineChapter 1: Introduction to  Command Line
Chapter 1: Introduction to Command Lineazzamhadeel89
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction  to Command LineChapter 1: Introduction  to Command Line
Chapter 1: Introduction to Command Lineazzamhadeel89
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 

Ähnlich wie Introducing PS>Attack: An offensive PowerShell toolkit (20)

Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
 
Holy PowerShell, BATman! - dogfood edition
Holy PowerShell, BATman! - dogfood editionHoly PowerShell, BATman! - dogfood edition
Holy PowerShell, BATman! - dogfood edition
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 
Professional Help for PowerShell Modules
Professional Help for PowerShell ModulesProfessional Help for PowerShell Modules
Professional Help for PowerShell Modules
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Power shell basics day 2
Power shell basics day 2Power shell basics day 2
Power shell basics day 2
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!
 
Introduction to PowerShell and getting started
Introduction to PowerShell and getting startedIntroduction to PowerShell and getting started
Introduction to PowerShell and getting started
 
2010 za con_jameel_haffejee
2010 za con_jameel_haffejee2010 za con_jameel_haffejee
2010 za con_jameel_haffejee
 
Powering up on power shell avengercon - 2018
Powering up on power shell   avengercon - 2018Powering up on power shell   avengercon - 2018
Powering up on power shell avengercon - 2018
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction to  Command LineChapter 1: Introduction to  Command Line
Chapter 1: Introduction to Command Line
 
Chapter 1: Introduction to Command Line
Chapter 1: Introduction  to Command LineChapter 1: Introduction  to Command Line
Chapter 1: Introduction to Command Line
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell  - BSides Greenville 2019Powering up on PowerShell  - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
 

Kürzlich hochgeladen

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf

Introducing PS>Attack: An offensive PowerShell toolkit

10. The Barrier to PowerShell
• Lack of interest
  o Windows isn’t cool
• A little intimidating
  o Lots of testers are more comfortable with *nix
  o Whole new language to learn
  o Where do you start?
• Hard to stay up on the latest and greatest
  o PowerShell clique on Twitter
  o Cool stuff doesn’t always get surfaced
12. What is PS>Attack
• A tool that makes using Offensive PowerShell easy
  o Custom console designed to emulate powershell.exe
  o Some of the best tools available are built in
  o Powerful tab completion
    - Commands
    - File Paths
    - Parameters
  o Single Executable – just download and run

13. What’s in PS>Attack
• Over 110 Commands covering Recon, Privesc, Backdoors and Exfiltration
• Including
  o Commands from PowerTools, PowerSploit and Nishang
  o Inveigh – A Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
  o Powercat – Netcat, but in PowerShell
• Get-Attack – A command for finding the attack you’re looking for

14.
• An attack command search tool
15. Not just for the lab
• Embedded Payloads are encrypted to evade AV and IR teams
• Payloads are decrypted straight into memory so they never touch disk.
• Custom built console doesn’t rely on “powershell.exe”
• Works out of the box on everything from a fresh Windows 7 install to a patched version of Windows 10.
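The console described above never launches powershell.exe and leans on the weak pre-v5 logging, so a defender wants a check that does not depend on either. The Windows PowerShell script below is an added example, not code from the PS>Attack project: it hunts the engine's own Event ID 400 records (written by the engine regardless of which host loaded it) for sessions whose host name or host binary is not a stock one, and turns on PowerShell 5 script block logging through its documented policy registry key. The allow-lists of host names and binaries are assumptions to tune for your environment.

```powershell
# Added defender-side example (not part of PS>Attack or its build tool).
# Event ID 400 ("Engine state is changed from None to Available") is logged
# by the engine itself, so a custom .NET console still leaves a
# HostName/HostApplication record in the "Windows PowerShell" log.
# Assumed allow-lists: adjust to the hosts your estate legitimately uses.
$KnownHostNames = @('ConsoleHost', 'Windows PowerShell ISE Host', 'ServerRemoteHost')
$KnownHostExeRegex = '(?i)\\(powershell|powershell_ise|wsmprovhost)\.exe(\s|$)'

function Get-UnusualPowerShellHost {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The message body is a list of "Key=Value" lines; extract the two fields we need.
        $hostName = if ($_.Message -match 'HostName=(.+)') { $Matches[1].Trim() } else { '' }
        $hostApp  = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            HostName        = $hostName
            HostApplication = $hostApp
            # Flag anything that is neither a known host name nor a known host binary.
            Suspicious      = ($KnownHostNames -notcontains $hostName) -or
                              ($hostApp -notmatch $KnownHostExeRegex)
        }
    } |
    Where-Object { $_.Suspicious }
}

# Script block logging (PowerShell 5 and later) closes the "no real logging"
# gap; this is the Group Policy registry location documented by Microsoft.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Review recent engine sessions started by something other than the stock hosts.
Get-UnusualPowerShellHost | Format-Table TimeCreated, HostName, HostApplication -AutoSize
```

Enable-ScriptBlockLogging needs an elevated session; once enabled, script content shows up as Event ID 4104 in Microsoft-Windows-PowerShell/Operational even when the host is not powershell.exe.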
16. Get-Help
• PowerShell’s help system
• Available for any command in PS>Attack
  o get-help invoke-mimikatz
• Use the -Examples switch to view usage examples
  o get-help invoke-mimikatz -examples

17. Demo!

19. PS>Attack Shortcomings
• All versions use the same encrypted files
  o Easy for AV to flag
• PowerShell tools are being updated daily

20. Enter: The PS>Attack Build Tool

21. What does it do?
• Downloads latest release of PS>Attack
• Downloads the latest versions of the modules/tools that PS>Attack uses
• Encrypts everything with a unique key
• Compiles everything for you
• It’s super easy.

22. How easy is it?
24. PS>Attack Build Tool Dependencies
• .NET 3.5 Full
  o Needed to build PS>Attack
  o Provides msbuild.exe
  o Backwards compatibility in .NET is all sorts of broken
• .NET 4.5 (and up?)
  o Needed to run Build Tool
• Modules.json
  o JSON file containing names and urls for PowerShell modules
  o Included with the Build Tool
26. Getting PS>Attack
• https://github.com/jaredhaight
  o PS>Attack: https://github.com/jaredhaight/psattack
  o Build Tool: https://github.com/jaredhaight/psattackbuildtool
  o Precompiled versions are available on the releases tab
• https://www.psattack.com
  o There’s a bunch of stuff on there, some of it is related to PS>Attack

27. PS> get-future
Where do we go from here?

28. What’s next?
• Bug fixes
• More PowerShell modules!
  o Within reason... PS>Punch is already 3 MB.
• Better AV/IR evasion
  o Less static strings, more magic
• Better console emulation
  o Script support, better exe support
• New features
  o Reverse Shell? Command line params? What does the community want?

29. How can you help?
• Submit issues
  o Let me know what errors you run into
  o Let me know when things don’t work the way you expect
• Submit pull requests
  o If you want to implement a new feature or something, ping me and we can talk
• Feedback of any kind is incredibly helpful
  o Hit me up on Twitter, email, in person.

31. The real MVPs
• @mattifestation
• @sixdub
• @harmj0y
• @enigma0x3
• @subtee
• @nikhil_mitt
• @kevin_robertson

32. Like, Comment and Subscribe
• @jaredhaight
• jhaight@gdssecurity.com
• https://github.com/jaredhaight
• Charlotte Hackers – http://www.charlottehackers.com

Editor’s Notes

  1. PowerShell conventions like -Verbose, etc.
  2. Windows is only useful when we’re breaking it. Massive frameworks; which frameworks to use?
  3. * Powercat from PS>Attack includes all of the PS>Attack Tools
  4. G