Automating Post Exploitation with PowerShell

Automating Post-Exploitation with
PowerShell
A Practical Approach
Presented by James Tarala
Principal Consultant Enclave Security© 2015

2
Automating Post-Exploitation with PowerShell © Enclave Security 2015
Problem Statement
• A pen-tester has broken into a system, now what?
• Wouldn’t it be nice if could save time by automating our post-
exploitation recipes for stealing loot from systems?
• For example:
– Identify locally available accounts on all nearby computers
– Dump password hashes for all nearby computers (or memory!)
– Perform port scans of nearly computers to identify running services
– Transfer files back to our own system, using native binaries
– Clear event logs on all compromised computers

3
Problem Statement (cont)
• During a security assessment, bringing tools to a system can
be problematic
• Potential issues include:
– Network transfers
– Anti-malware software
– Whitelisting software
– Business owner nerves

4
“Living off the Land”
• Ideally a penetration tester or auditor would be
able to “live off the land”
• In other words: Only use native operating
system tools to perform a security assessment
• Removes the need to download or transfer
software
• Lowers the likelihood of being blocked by AV or
whitelisting software

5
Potential Solution: Native PowerShell Cmdlets
• Potential solution = Microsoft Windows
PowerShell
• Available for Microsoft Windows XP / Server
2003 and later Microsoft Windows operating
systems
• Security assessors will still need the rights &
permissions to do their assessment
• However some common pitfalls can be
avoided using PowerShell

6
CMDLET Specific Switches
• Many PowerShell cmdlets have native syntax to allow for
remote execution of the cmdlet on another system
• Typically through the use of the COMPUTERNAME switch

7
Windows Remote Management (WinRM)
• Available by default in Windows 7 / 2008 R2 and later
• Distributed Management Task Force (DMTF) standard for
remotely managing systems via web
• Most recent release WinRM 2.0 in PowerShell 2.0 & later
• To automatically install, run:
Enable-PSRemoting
• “-SkipNetworkProfileCheck” switch might be necessary if
current firewall profile is “Public”

8
Enable-PSRemoting
• Built in script for enabling PSRemoting on a computer
• Automates the steps that could be set manually or via a
Group Policy Object

9
PSSession - Like Native SSH for Windows
• Creates an interactive session with a remote machine using the WS-
Management protocol
• To start a session: Enter-PSSession –Computername Name
• To end a session: Exit-PSSession
• Supports mutual authentication (via domain, SSL, or TrustedHosts)

10
PSSession - PowerShell v3.0
• New feature in PowerShell v3.0 & later
• Allows users to disconnect / reconnect to running PSSession
• Analogy: Similar to Metasploit sessions
• Administrators can commandeer other users’ sessions

11
Invoke-Command
• Creates a temporary PSSession with a remote machine
• Session lasts for only as long as necessary for a command to
execute
• Can be used to execute a CMDLET, such as:
Invoke-Command -ComputerName ENV-DC-01 -ScriptBlock {Get-Process}
• Can be used to execute a PowerShell script, such as:
Invoke-Command -ComputerName ENV-DC-01 -FilePath c:process.ps1
• Version 3.0 & later allows modules to be remotely imported

12
Automating Post-Exploitation
• If Invoke-Command allows us to pass a script, then we can
write our recipes in advance and run them automatically
• Step #1: Identify your post-exploitation objectives.
• Step #2: Identify PS code (recipes) to meet those objectives.
• Step #3: Write a script based on your recipes.
• Step #4: Add to the script the more you learn.
• Step #5: Share your script with your team / the community.

13
But What About the ExecutionPolicy?
• By default Windows does not allow PowerShell scripts to be
executed on a local machine
• Normally the execution policy needs to be edited by an
administrator with a command such as:
Set-ExecutionPolicy Unrestricted
• It turns out there are ways around this issue, many are simple
• For more information check out:
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

14
Use Pre-Existing PowerShell Scripts
• You are not the first to walk this path…
• There are many pre-existing scripts you can use to
accomplish your pen-testing goals, without uploading binaries
• Some PowerShell scripts to consider are:
– PowerCat
– PSNmap
– PowerUp
– PowerSploit
– Nishang

15
PowerCat – A Native Netcat Replacement
• An example of a traditional pentest binary ported to PS
• Acts as a standards netcat listener or client
– Supports remote chat / data transfers
– Supports file transfer capabilities
– Supports remote shells
– Supports relaying between systems for lateral movement
• Supports additional features too, such as:
– SSL / TLS support for encrypted channels
– “Listen Harder” / listener persistence after disconnect
– Can utilize TCP / UDP or impersonate SMB
Github page at: https://github.com/secabstraction/PowerCat

16
PowerCat in Action

17
PowerCat in Action (cont)

18
PowerCat Syntax / Usage
From github syntax at: https://github.com/secabstraction/PowerCat

19
PSNmap – Native PowerShell Port Scanning
• Written by Joakim Svendsen as a PS native scanner
• Hobby project, with a lot of great functionality
• Replicates many, but not all, the functions of Fyodor’s Nmap
– Ping sweep / device discovery
– Port scans – TCP/UDP
– DNS lookup capability
• Not a full nmap replacement (no NSE, version scanning, etc)
• But capable of processing output with PS

20
PSNmap in Action – Ping Sweep & Port Scan

21
PowerUp – Privilege Escalation with PowerShell
• Service Enumeration:
• Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
• Get-ServiceFilePermission - returns services where the current user can write to the service binary path or its config
• Get-ServicePermission - returns services the current user can modify
• Get-ServiceDetail - returns detailed information about a specified service
• ServiceAbuse:
• Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
• Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom
command
• Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
• Restore-ServiceBinary - restores a replaced service binary with the original executable

22
PowerUp – Privilege Escalation with PowerShell
• DLL Hijacking:
• Find-DLLHijack - finds .dll hijacking opportunities for currently running processes
• Find-PathHijack - finds service %PATH% .dll hijacking opportunities
• Write-HijackDll - writes out a hijackable .dll
• Misc:
• Get-VulnSchTask - find schtasks with modifiable target files
• Get-UnattendedInstallFile - finds remaining unattended installation files
• Get-Webconfig - checks for any encrypted web.config strings
• Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
• Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
• Invoke-AllChecks - runs all current escalation checks and returns a report

23
PowerSploit & PowerShellArsenal
• Powershell frameworks for pen-testing & reverse engineering
• Modules included for:
– Antivirus Bypass
– Code Execution
– Exfiltration
– Mayhem
– Persistence
– Recon
– Script Modification
– Reverse Engineering Malware

24
PowerSploit: Invoke-Mimikatz

25
PowerSploit: Invoke-Portscan

26
Nishang – Another PenTesting Toolkit
• “Nishang is a framework and collection of scripts and
payloads which enables usage of PowerShell for offensive
security, penetration testing and red teaming.”
• Written by Nikhil Mittal (@nikhil_mitt)
• Includes dozens of cmdlets for each of the phases of the pen-
testing process
• One of the most mature PS native toolkits
• Basically Metasploit for PS

27
Nishang Cmdlets
Escalation
Enable-DuplicateToken
Remove-Update
Invoke-PsUACme
Execution
Download-Execute-PS
Download_Execute
Execute-Command-MSSQL
Execute-DNSTXT-Code
Antak - the Webshell
Backdoors
HTTP-Backdoor
DNS_TXT_Pwnage
Execute-OnTime
Gupt-Backdoor
Add-ScrnSaveBackdoor
Invoke-ADSBackdoor
Client Side Exploits
Out-CHM
Out-Word
Out-Excel
Out-HTA
Out-Java
Out-Shortcut
Out-WebQuery

28
Nishang Cmdlets (cont)
Keylogger
Invoke-
MimikatzWdigestDowngrade
Get-PassHints
Pivot
Create-MultipleSessions
Run-EXEonRemote
Invoke-Network
Prasadhak (VirusTotal)
Gather
Check-VM
Copy-VSS
Invoke-CredentialsPhish
FireBuster FireListener
Get-Information
Get-LSASecret
Get-PassHashes
Get-WLAN-Keys
Scan
Brute-Force
Port-Scan
Powerpreter

29
Nishang Cmdlets (cont)
Shells
Invoke-PsGcat
Invoke-PsGcatAgent
Invoke-PowerShellTcp
Invoke-PowerShellTcpOneLine
Invoke-PowerShellUdp
Invoke-PowerShellUdpOneLine
Invoke-PoshRatHttps
Invoke-PoshRatHttp
Remove-PoshRat
Invoke-PowerShellWmi
Invoke-PowerShellIcmp
Utility
Add-Exfiltration
Add-Persistence
Remove-Persistence
Do-Exfiltration
Download
Parse_Keys
Invoke-Encode
Invoke-Decode
Start-CaptureServer

30
Additional Benefits to Invoke-Command Scripts
1. All scripts are encrypted across the network by default
using serialized XML over an HTTP channel
(Organizations may also choose to pass the traffic over TLS tunnels)
2. All recipes will be automated and consistent
3. Limited penetration tester involvement is necessary
(Great for getting junior penetration testers experience)
4. Gives penetration testers time to focus on more interesting
or obscure discoveries

31
Additional Resources to Investigate
1. Integrating PowerShell scripts into
Metasploit post modules
(post/windows/manage/exec_powershell)
2. Client-side attacks with PowerShell
3. Using some of the publically available
incident handling scripts and tools
(Such as Invoke-IR, Kansa, or PSRecon)
4. Performing memory forensics with native
PowerShell scripts
(Dump-Memory, Dump-Strings)

32
Next Steps
• If you find yourself regularly assessing Microsoft Windows
based systems – learn PowerShell
1. Learn the foundations of PowerShell scripting
2. Learn the basic built-in cmdlets Windows provides
3. Learn about additional modules that can be added to a
standard Windows environment
4. Write scripts to automate common assessment tasks
5. Experiment with output & reporting in PowerShell
6. Share your scripts with the community

33
Further Questions
• James Tarala
– Principal Consultant & Founder, Enclave Security
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit
– Website: http://www.auditscripts.com/
• Resources for further study:
– AuditScripts.com Audit Resources
– SANS SEC 505: Securing Windows & Resisting Malware
– Nikhil "SamratAshok" Mittal’s Blog “Lab of a Penetration Tester”
– Windows PowerShell in Action by Bruce Payette

34
References
• PowerCat - https://github.com/secabstraction/PowerCat
• PSNmap -
http://www.powershelladmin.com/wiki/Port_scan_subnets_wit
h_PSnmap_for_PowerShell
• PowerUp - http://www.harmj0y.net/blog/powershell/powerup/
• PowerSploit - https://github.com/mattifestation/PowerSploit
• Nishang - https://github.com/samratashok/nishang

Automating Post Exploitation with PowerShell

More Related Content

What's hot

Viewers also liked

Similar to Automating Post Exploitation with PowerShell

More from EnclaveSecurity

Recently uploaded

Automating Post Exploitation with PowerShell

Editor's Notes