Pwning the Enterprise With PowerShell Beau Bullock - @dafthack

Upload: beau-bullock

Post on 15-Apr-2017


Page 1: Pwning the Enterprise With PowerShell

Pwning the Enterprise With PowerShell

Beau Bullock - @dafthack

Page 2

Overview
• A dramatic increase in PowerShell-based pentesting tools
• Why use PowerShell?
  • Signed Microsoft binary native to Windows systems
  • Can execute code in memory avoiding AV detection
  • Allows us to “Live off the land”
• Going to detail:
  • A complete attack cycle using PowerShell
    • Remote Attacks, C2, Privilege Escalation, Domain/Network/Post Exploitation
  • Techniques for running PowerShell in locked down environments
  • Some possible mitigations

Page 3

whoami
• Pentester at Black Hills Information Security
• Have a number of SANS and OffSec certs…
• CitySec Meetup Organizer
  • CigarCitySec – (Tampa, FL)
  • CitrusSec – (Orlando, FL)
• Guitarist
• Avid OWA enthusiast

Page 4

Remote Attacks
Attacks Against an External Network

Page 5

PowerMeta
• Discover publicly available files
• Extract Metadata from them
• Can provide information about:
  • The internal username schema
  • System names
  • Domain info
• Author(s)
  • Beau Bullock (@dafthack)
• https://github.com/dafthack/PowerMeta

Page 6

MailSniper
• Enumerate users/domain
• Password spray OWA/EWS
• Get Global Address List
• Search email for certain terms
• Find VPN info
• Reset 2FA keys or add new device
• Author(s)
  • Beau Bullock (@dafthack)
• https://github.com/dafthack/MailSniper

Page 7

OWA Attack Flow

Page 8

Gaining A Foothold
Establishing Internal Network Access

Page 9

Gaining A Foothold
• Phishing w/ PowerShell Payloads
• PowerShell Empire – PowerShell agent with many capabilities
  • Stagers/payloads, Lateral movement, persistence, etc.
  • Author(s): Will Schroeder (@harmj0y), Justin Warner (@sixdub), & Matt Nelson (@enigma0x3)
• Unicorn – Generate PowerShell-based payloads that inject shellcode into memory
  • Author(s): Dave Kennedy (@HackingDave)

Page 10

Command and Control
Finding Holes in Egress Filtering

Page 11

Command and Control
• Each of these can transfer files, establish shells, etc.
• Powercat - PowerShell version of Netcat
  • Author(s): Mick Douglas (@besimorhino), Luke Baggett & Jesse Davis (@secabstraction)
  • https://github.com/secabstraction/PowerCat
• Invoke-PowerShellIcmp – C2 channel over ICMP echoes and replies
  • Author(s): Nikhil Mittal (@samratashok)
  • https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1
• Dnscat2-PowerShell – C2 channel over DNS requests
  • Author(s): Luke Baggett & dnscat2 server by Ron Bowes (@iagox86)
  • https://github.com/lukebaggett/dnscat2-powershell

Page 12

Situational Awareness
Perform Additional Reconnaissance As Silently As Possible

Page 13

HostRecon
• Performs information gathering about the local system, users and domain
• Checks for common security products
• Can check egress port filtering
• Doesn’t use any system commands like ‘net’, ‘ipconfig’, ‘netstat’, ‘whoami’, etc.
• Author(s):
  • Beau Bullock (@dafthack)
• https://github.com/dafthack/HostRecon

Page 14

Privilege Escalation
Sometimes Admin Access Is Closer Than You Thought

Page 15

PowerUp
• Performs a number of local privilege escalation checks
• Checks for:
  • Unquoted service paths
  • Unattended Install Files
  • Service Permissions
  • …and more.
• Author(s):
  • Will Schroeder (@harmj0y)
• https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

Page 16

PowerUpSQL
• SQL server discovery
• Audit weak configurations
• Perform privilege escalation to obtain SA privileges
• Find sensitive data at scale
• Author(s):
  • Scott Sutherland (@_nullbind)
• https://github.com/NetSPI/PowerUpSQL

Page 17

Domain Exploitation
Active Directory Fun Time

Page 18

Invoke-Kerberoast
• Request TGS tickets (as any domain user) for accounts with SPNs set
• Extract the crackable hash
• Crack hashes offline
• Author(s):
  • Will Schroeder (@harmj0y), Matan Hart (@machosec), credit for original research to Tim Medin (@timmedin)
• https://gist.github.com/HarmJ0y/cc1004307157e372fc5bd3f89e553059

Page 19

Get-GPPPassword
• Finds any passwords of accounts set by GPP
• Usually the first thing I check
• Almost always find an admin password here
• Author(s):
  • Chris Campbell (@obscuresec)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1

Page 20

BloodHound
• Enumerates/Gathers:
  • Local admins group on all systems
  • Active user sessions on each system
  • Group membership information
  • Domain trusts info
• Find a path to domain admin
• Author(s):
  • Andrew Robbins (@_wald0), Will Schroeder (@harmj0y), and Rohan Vazarkar (@CptJesus)
• https://github.com/BloodHoundAD/BloodHound

Page 21

Page 22

PowerView Find-LocalAdminAccess
• Find a system on the network your user is a local admin of
• Author(s): Will Schroeder (@harmj0y)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Page 23

DomainPasswordSpray
• Tool for password spraying all domain users
• Common Scenario:
  • Domain locks out accounts after a certain number of failed logins
  • Can’t brute force
• Solution:
  • Try a number of passwords less than the domain lockout policy against EVERY account in the domain
• Author(s):
  • Beau Bullock (@dafthack)
• https://github.com/dafthack/DomainPasswordSpray
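The pattern the slide describes (few tries per account, many accounts) is exactly what a defender can hunt for in failed-logon telemetry. The following is an added detection example, not code from the talk or from DomainPasswordSpray; it works on objects shaped like the TargetUserName / IpAddress / TimeCreated fields of Security event 4625, and the lockout threshold, account count and window are assumed values to tune against your own domain policy and baseline.

```powershell
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,   # objects with TargetUserName, IpAddress, TimeCreated
        [int] $LockoutThreshold    = 5,    # assumed; on a domain-joined host read it from Get-ADDefaultDomainPasswordPolicy
        [int] $MinDistinctAccounts = 10,   # assumed: this many different accounts from one source is worth a look
        [int] $WindowMinutes       = 60    # assumed analysis window
    )
    $FailedLogons | Group-Object IpAddress | ForEach-Object {
        $source        = $_.Name
        $events        = @($_.Group | Sort-Object TimeCreated)
        $span          = ($events[-1].TimeCreated - $events[0].TimeCreated).TotalMinutes
        $perAccount    = @($events | Group-Object TargetUserName)
        $maxPerAccount = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
        # Spray signature: wide across accounts, shallow per account (stays under lockout), inside one window
        if ($perAccount.Count -ge $MinDistinctAccounts -and
            $maxPerAccount -lt $LockoutThreshold -and
            $span -le $WindowMinutes) {
            [pscustomobject]@{
                SourceIp         = $source
                DistinctAccounts = $perAccount.Count
                MaxPerAccount    = $maxPerAccount
                SpanMinutes      = [math]::Round($span, 1)
            }
        }
    }
}

# Constructed sample input: 12 accounts, 2 failures each, from 10.0.0.50 within ~20 minutes
# (the spray), plus one user mistyping a password three times from 10.0.0.77 (benign noise).
$start  = Get-Date '2017-04-15 09:00'
$sample = @()
foreach ($i in 1..12) {
    $u = "user$i"
    $sample += [pscustomobject]@{ TargetUserName = $u; IpAddress = '10.0.0.50'; TimeCreated = $start.AddMinutes($i) }
    $sample += [pscustomobject]@{ TargetUserName = $u; IpAddress = '10.0.0.50'; TimeCreated = $start.AddMinutes($i + 10) }
}
foreach ($i in 1..3) {
    $sample += [pscustomobject]@{ TargetUserName = 'jdoe'; IpAddress = '10.0.0.77'; TimeCreated = $start.AddMinutes($i) }
}

Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize
```

On a live host, feed it `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` output with the three fields projected from the event XML; the sprayer host is reported and the single fat-fingered user is not.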

Page 24

Page 25

Network Exploitation
Abusing Network Protocols and Finding Vulnerable Systems

Page 26

Inveigh
• Exploit LLMNR & NBNS
  • By default when DNS fails Windows systems will query local network
• Obtain NTLMv1/NTLMv2 hashes
• Crack hashes offline
• Author(s):
  • Kevin Robertson (@kevin_robertson)
• https://github.com/Kevin-Robertson/Inveigh
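Both fallbacks the slide relies on are host settings, so they can be audited and switched off. This is an added mitigation example, not code from the talk or from Inveigh: LLMNR is governed by the EnableMulticast policy value under the DNSClient key, and NBNS by the per-adapter NetbiosOptions value under NetBT; the function name and the -Disable switch are this example's own.

```powershell
function Test-NameResolutionPoisoningExposure {
    [CmdletBinding()]
    param([switch] $Disable)   # without -Disable the function only reports; with it, writes to HKLM (run elevated)

    # LLMNR: EnableMulticast = 0 under the DNSClient policy key turns it off; a missing value means the default (on).
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr    = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrOn  = ($null -eq $llmnr) -or ($llmnr -ne 0)
    if ($Disable -and $llmnrOn) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $llmnrOn = $false
    }
    [pscustomobject]@{ Setting = 'LLMNR'; Scope = 'machine'; Enabled = $llmnrOn }

    # NBNS: NetbiosOptions is per interface (0 = from DHCP, 1 = enabled, 2 = disabled).
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $ifKey | ForEach-Object {
        $opt  = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $nbOn = ($opt -ne 2)
        if ($Disable -and $nbOn) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            $nbOn = $false
        }
        [pscustomobject]@{ Setting = 'NBNS'; Scope = $_.PSChildName; Enabled = $nbOn }
    }
}

# Report only; add -Disable to enforce on this host (GPO is the right tool for the fleet).
Test-NameResolutionPoisoningExposure | Format-Table -AutoSize
```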

Page 27

PowerView Get-ExploitableSystem
• Queries Active Directory for hostnames, OS versions, and service pack levels
• Cross-references those with common Metasploit modules
• Author(s):
  • Scott Sutherland (@_nullbind), Will Schroeder (@harmj0y)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Page 28

PowerWebShot
• If escalation options are failing, might need to resort to network attacks; Web servers tend to be good targets
  • Default Creds
  • Not patched internally
  • etc…
• Analyze a large number of web servers quickly
• Inspiration and thanks goes to Chris Truncer for EyeWitness
• Author(s):
  • Beau Bullock (@dafthack)

Page 29

Post-Exploitation
Pillaging, Plundering, and Discovering Sensitive Data

Page 30

Invoke-Mimikatz
• Dump cleartext credentials
• Avoids writing to disk
• Could sneakily dump creds from LSASS dumps from other systems
• Author(s):
  • Joe Bialek (@JosephBialek), & Benjamin Delpy (@gentilkiwi)
• https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1

Page 31

PowerView Invoke-ShareFinder / Invoke-FileFinder
• Sensitive files on shares?
• ShareFinder then FileFinder
• FileFinder will find files with the following strings in their title:
  • ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’
• Author(s):
  • Will Schroeder (@harmj0y)

Page 32

MailSniper
• Pillage sensitive data from every user’s mailbox
• Gather credentials, insider intel, network architecture info, etc.
• Search all mailboxes as admin or current user’s as non-admin
• Author(s):
  • Beau Bullock (@dafthack)
• https://github.com/dafthack/MailSniper

Page 33

Obfuscating PowerShell
Making the Blue Team’s Life Hard

Page 34

Invoke-Obfuscation
• Command line args are what most monitoring tools alert on when powershell.exe is run
• ‘LeT’+’s’+’ob’+’FusCa’+’te’
• Encode, concatenate, reorder, etc.
• Author(s):
  • Daniel Bohannon (@danielbohannon)
• https://github.com/danielbohannon/Invoke-Obfuscation
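Since the slide's point is that keyword matching on command lines is what obfuscation defeats, the blue-team response is to score the obfuscation tells themselves (concatenation, backtick splitting, encoding, format-operator reordering). The following is an added detection example, not code from the talk or from Invoke-Obfuscation; the weights, the threshold and the three sample command lines (including the slide's own snippet) are constructed for illustration.

```powershell
function Get-ObfuscationScore {
    param([Parameter(Mandatory)] [string] $CommandLine)
    $score = 0; $reasons = @()
    # 'a'+'b' string concatenation, single or double quotes
    $concat = ([regex]::Matches($CommandLine, '[''"]\s*\+\s*[''"]')).Count
    if ($concat -ge 3) { $score += 2; $reasons += "concat:$concat" }
    # back`tick splitting inside tokens
    $ticks = ([regex]::Matches($CommandLine, '`')).Count
    if ($ticks -ge 3) { $score += 2; $reasons += "backticks:$ticks" }
    # -e / -ec / -en / -enc... (any accepted prefix of -EncodedCommand)
    if ($CommandLine -match '(?i)-(e|ec|en|enc[a-z]*)\s') { $score += 1; $reasons += 'encoded' }
    # "{1}{0}" -f reordering
    if ($CommandLine -match '\{\d+\}') { $score += 2; $reasons += 'format-reorder' }
    # [char]NN casts used to rebuild strings
    if ($CommandLine -match '(?i)\[char\]\d+') { $score += 1; $reasons += 'char-cast' }
    # mixed-case literals such as 'LeT' or 'FusCa' (weak signal on its own)
    $mixed = ([regex]::Matches($CommandLine, '''[A-Za-z]*[a-z][A-Z][A-Za-z]*''')).Count
    if ($mixed -ge 2) { $score += 1; $reasons += "mixedcase:$mixed" }
    [pscustomobject]@{ Score = $score; Reasons = ($reasons -join ','); CommandLine = $CommandLine }
}

# Constructed samples: the slide's snippet, a format-operator reorder, and a benign scheduled script.
$samples = @(
    "powershell.exe -w hidden -c `"'LeT'+'s'+'ob'+'FusCa'+'te'`"",
    "powershell.exe -NoP -c `"('{1}{0}' -f 'Date','Get-')`"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"
)
$samples | ForEach-Object { Get-ObfuscationScore -CommandLine $_ } |
    Where-Object { $_.Score -ge 2 } | Format-Table Score, Reasons, CommandLine -Wrap
```

Run it over the CommandLine field of Sysmon event 1 or Security event 4688 (with command-line auditing enabled) and tune the threshold against a week of your own baseline before alerting on it.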

Page 35

PowerShell Without PowerShell
Oh, You Disabled PowerShell? We’ll See About That.

Page 36

Using C#
• C# and PowerShell both are basically frontends for the .NET framework
• Can use csc.exe to compile C# code containing ps1 script
• Results in standalone EXE
• Props to Brian Fehrman (@fullmetalcache)
• http://www.blackhillsinfosec.com/?p=5257

Page 37

PowerOps
• C# application that has many PowerShell scripts built in
  • PowerSploit
  • Nishang
  • GPPPassword
  • Empire
  • PowerCat
  • …and more
• Author(s):
  • Rui Reis (@fdiskyou)
• https://github.com/fdiskyou/PowerOPS

Page 38

PowerLine / PowerStripper
• PowerStripper – preps ps1’s for PowerLine, encodes, strips comments
• PowerLine – purely run with cmd-line args
• Works with Meterpreter and Empire shells
• Author(s):
  • Brian Fehrman (@fullmetalcache)
• https://github.com/fullmetalcache/PowerLine
• https://github.com/fullmetalcache/PowerStripper

Page 39

Possible Mitigations
Ok, so how do I stop this madness?

Page 40

Possible Mitigations
• Disable cmd.exe, PowerShell.exe, & PowerShell_ISE.exe for users where possible
• Logging, monitoring, alerting
  • Utilize enhanced logging in PowerShell v5.0
  • Remove PSv2 to prevent logging bypass
  • Use Sysmon to monitor and alert for system.management.automation DLL
  • Ensure network and host-based IDS engines are tuned correctly
• Could possibly disable csc.exe compilation tool (be careful)
• Use AppWhitelisting (but know that there are still bypasses)
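The three logging-related bullets above (v5 enhanced logging, PSv2 removal, Sysmon on the automation DLL) can be checked from one script. This is an added example written for this page, not code from the talk: the registry paths are the documented PowerShell policy locations, the PSv2 feature name is the client-SKU optional feature (server SKUs use Get-WindowsFeature PowerShell-V2 instead), and the Sysmon fragment is one assumed way to express the slide's DLL-monitoring advice.

```powershell
function Test-PowerShellLoggingPosture {
    [CmdletBinding()]
    param([switch] $Enable)   # report only by default; -Enable writes policy values (run elevated)
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $wanted = @(
        @{ Key = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 },  # event 4104
        @{ Key = "$base\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1 },  # event 4103
        @{ Key = "$base\Transcription";      Name = 'EnableTranscripting';      Value = 1 }
    )
    foreach ($w in $wanted) {
        $cur = (Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
        if ($Enable -and $cur -ne $w.Value) {
            New-Item -Path $w.Key -Force | Out-Null
            Set-ItemProperty -Path $w.Key -Name $w.Name -Value $w.Value -Type DWord
            $cur = $w.Value
        }
        [pscustomobject]@{ Control = $w.Name; Configured = ($cur -eq $w.Value) }
    }
    if ($Enable) {
        # Module logging only fires for listed modules; '*' covers all of them.
        $names = "$base\ModuleLogging\ModuleNames"
        New-Item -Path $names -Force | Out-Null
        New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    }
    # The v2 engine predates these controls, so "powershell -Version 2" sidesteps them until it is removed.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    [pscustomobject]@{ Control = 'PSv2Removed'; Configured = ($null -eq $v2 -or $v2.State -ne 'Enabled') }
    if ($Enable -and $v2 -and $v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

# Sysmon image-load rule (event ID 7) for the hosting DLL the slide says to watch; any process loading it
# is running PowerShell whether or not powershell.exe is involved. Merge into your existing <EventFiltering>.
$sysmonImageLoadRule = @'
<ImageLoad onmatch="include">
  <ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
  <ImageLoaded condition="end with">System.Management.Automation.ni.dll</ImageLoaded>
</ImageLoad>
'@

Test-PowerShellLoggingPosture | Format-Table -AutoSize
```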

Page 41

Conclusion
• PowerShell is… well… Powerful
• Expect more tools to be created
• Expect defenders to implement more protections
• Expect attackers to find bypasses for those protections

Slide from Jeffrey “Father of PowerShell” Snover’s keynote at Derbycon 6.0

Page 42

Questions?
• Black Hills Information Security
  • http://www.blackhillsinfosec.com/
  • @BHInfoSecurity
• Beau Bullock
  • [email protected]
  • @dafthack