Get-Help: An intro to PowerShell and how to Use it for Evil
Transcript of Get-Help: An intro to PowerShell and how to Use it for Evil
PS C:\> WHOAMI
Jared Haight, Security Engineer with the CLT team at Gotham Digital Science
Former Sysadmin, Hobbyist Developer, Corgi Enthusiast
@jaredhaight
WHY ARE WE HERE?
I think PowerShell is pretty awesome. I want you to think PowerShell is pretty awesome. I'm going to give you a bunch of reasons that PowerShell is pretty awesome.
RED TEAMS
PowerShell is what the admins use to manage their infrastructure.
Microsoft is pushing more and more tasks into PowerShell.
Standard on Windows 7 and up.
Robust, object-oriented scripting language with access to a wide range of things on the computer.
Access to the entire .NET and WMI frameworks.
Lots of very interesting offensive projects going on.
Blue Teams aren't typically looking for it.
BLUE TEAMS
It's what the bad guys are using.. like.. real ones.
There's some really cool DFIR stuff going on with PowerShell.
WHAT DO I NEED TO KNOW TO USE POWERSHELL?
Scripting for people whose idea of server administration is next > next > finish
VOCABULARY
String – Any combination of letters and numbers surrounded by quotation marks (single or double). Used for printing stuff. Example: "a", "abc", "abc123", "123"
Integer – A number without quotes. Used for math. Example: 1, 2, 3, 5
Boolean – True or False, represented in PS as $True or $False
Variable – A reference to a value that can be assigned over the course of a script/program. Declared in PowerShell as $[word], ex: $foo
OBJECTS
An object is a type of "something". As an object of a specific type, it inherits properties and methods related to its object type.
Properties – Information about the object
Methods – Code that interacts with the object
For example, strings have properties for length and methods to change the case of their letters.
ARRAYS
A list of objects separated by commas. Example: "one","two","three"
You can access specific items in the array by using index numbers. Index starts at zero.
CMDLETS
Primary way of getting things done in PowerShell. Always in a "verb-noun" format. Examples:
write-host – print something to screen
get-process – get running processes
set-clipboard – copy something to clipboard
get-eventlog – get contents of eventlog
POWERSHELL SPECIFICS
Most everything is tab completable: cmdlets, parameters, parameter values.
PowerShell ISE – "Integrated Scripting Editor", installed by default with PowerShell.
Includes Visual Studio-like auto-completion (IntelliSense) and a sidebar featuring all available cmdlets.
FOR LOOPS
Code
    $list = "one", "two", "three"
    forEach ($item in $list)
    {
        write-host * $item
    }
Output
    * one
    * two
    * three
FOR LOOPS – PRACTICAL EXAMPLE CODE
    $dirs = Get-ChildItem C:\
    forEach ($dir in $dirs)
    {
        write-host $dir.FullName
        write-host "-----"
        $acl = $dir.GetAccessControl()
        write-host $acl.AccessToString
        write-host
    }
FOR LOOPS – PRACTICAL EXAMPLE OUTPUT
[...]
C:\repos
-----
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow Modify, Synchronize
NT AUTHORITY\Authenticated Users Allow -536805376

C:\Sandbox
-----
NT AUTHORITY\Authenticated Users Allow FullControl
Everyone Allow FullControl
[...]
LOGIC
Logic in programming amounts to "if foo is true, do bar". You can compare things in PowerShell with:
-lt – Less than
-le – Less than or equal to
-eq – Equal to
-ne – Not equal to
-ge – Greater than or equal to
-gt – Greater than
LOGIC – IF/ELSE STATEMENTS
Code
    $nums = 1,2,3,4,5,6,7,8,9,10
    forEach ($num in $nums)
    {
        if ($num -eq 4)
        {
            write-host $num is four.
        }
        else
        {
            write-host $num is not four.
        }
    }
Output
    1 is not four.
    2 is not four.
    3 is not four.
    4 is four.
    5 is not four.
    6 is not four.
    7 is not four.
    8 is not four.
    9 is not four.
    10 is not four.
FIGURING STUFF OUT
Get-Command [Search term]. Example: get-command "*clipboard"
Get-Help "Command" – It gets help. Example: get-help write-host. Example: get-help write-host -Examples
Get-Member – Pipe an object to it to find out the object's properties and methods. Example: $dir | get-member
GET-MEMBER OUTPUT
PS C:\> $dir | Get-Member

   TypeName: System.IO.FileInfo

Name         MemberType   Definition
----         ----------   ----------
Mode         CodeProperty System.String Mode{get=Mode;}
AppendText   Method       System.IO.StreamWriter[...]
CopyTo       Method       System.IO.FileInfo[...]
Create       Method       System.IO.FileStream Create()
CreateObjRef Method       System.Runtime.Remoting[...]
CreateText   Method       System.IO.StreamWriter[...]
Decrypt      Method       void Decrypt()
Delete       Method       void Delete()
[...]
PUTTING IT ALL TOGETHER
    $dirs = Get-ChildItem C:\
    ForEach ($dir in $dirs)
    {
        $i = 0
        $acl = $dir.GetAccessControl()
        while ($acl.Access[$i] -ne $Null)
        {
            $ace = $acl.Access[$i]
            if ($ace.IdentityReference.Value.Contains("Everyone"))
            {
                write-host $dir.FullName
                write-host "-----"
                write-host $ace.IdentityReference.Value ":" $ace.FileSystemRights.ToString()
                write-host
            }
            $i = $i + 1
        }
    }
PUTTING IT ALL TOGETHER (BREAK DOWN)
The while loop walks the ACL's Access entries by index until it runs off the end ($Null). Each entry (ACE) whose identity contains "Everyone" is printed together with the directory path and the rights it grants.
PUTTING IT ALL TOGETHER (OUTPUT)
C:\Sandbox
-----
Everyone : FullControl

C:\Users
-----
Everyone : ReadAndExecute, Synchronize
REGISTRY FUN – REGISTRY AS A DRIVE
PS C:\> cd HKCU:\
PS HKCU:\> cd .\SOFTWARE\
PS HKCU:\SOFTWARE\> dir Micro*

    Hive: HKEY_CURRENT_USER\SOFTWARE

Name                  Property
----                  --------
Microsoft
Microsoft Corporation
Microsoft Studios
REGISTRY FUN – CREATING ENTRIES
# Does the key exist?
PS HKCU:\SOFTWARE\> test-path "BSidesCHS"
False

# Create key
PS HKCU:\SOFTWARE\> new-item "BSidesCHS"

    Hive: HKEY_CURRENT_USER\SOFTWARE

Name                  Property
----                  --------
BSidesCHS

# Create item in key
PS HKCU:\SOFTWARE\> New-ItemProperty -Path .\BSidesCHS\ -Name Demo -PropertyType String -Value "TextGoesHere"
REMOTE FUN
Most (all?) cmdlets understand UNC paths: test-path \\server\share\test.txt
A lot of cmdlets support the -ComputerName parameter: stop-service spooler -ComputerName demo-dc01
WinRM makes everything better. Microsoft's Remote Management service.
    enter-pssession demo-dc01
    invoke-command -ComputerName demo-dc01 -ScriptBlock { code }
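As an added example (not code from the talk), the "Everyone" scan from the Putting It All Together slides reworked into a function that returns objects, flags only write-capable rights, also catches the generic-rights ACEs that show up as negative numbers in the earlier output, and can be dispatched to a remote host with Invoke-Command as described above. Find-WeakDirectoryAce and its default principal list are my own names and assumptions; demo-dc01 is the talk's example host.

```powershell
# Added example, not code from the talk: the "Everyone" ACL scan from the
# Putting It All Together slides, reworked to return objects rather than
# Write-Host text, to flag only write-capable rights, and to cope with the
# generic-rights ACEs (the -536805376 entry in the earlier output).
# Find-WeakDirectoryAce and the default principal list are my own names.
function Find-WeakDirectoryAce {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\',
        # Principals that should rarely hold write rights on system directories.
        # Constructed baseline; tune it for your environment.
        [string[]]$Principal = @('Everyone', 'Authenticated Users', 'BUILTIN\Users'),
        [switch]$Recurse
    )
    # Named rights that let a principal change content or permissions.
    $writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
    # GENERIC_WRITE bit: ACEs carrying it print as a negative FileSystemRights value.
    $genericWrite = 0x40000000

    Get-ChildItem -LiteralPath $Path -Directory -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            # Get-Acl instead of GetAccessControl() so it also works on PowerShell 7.
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $who = $ace.IdentityReference.Value
                if (-not ($Principal | Where-Object { $who -like "*$_" })) { continue }
                $rights = [int]$ace.FileSystemRights
                if ((($rights -band $writeRights) -eq 0) -and (($rights -band $genericWrite) -eq 0)) { continue }
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Path         = $dir.FullName
                    Identity     = $who
                    Rights       = $ace.FileSystemRights.ToString()
                    Inherited    = $ace.IsInherited
                }
            }
        }
}

# Local run:
#   Find-WeakDirectoryAce -Path 'C:\' | Format-Table -AutoSize
# Over WinRM, as on the Remote Fun slide (demo-dc01 is the talk's example host);
# the function body is shipped as the script block and $Path is passed positionally:
#   Invoke-Command -ComputerName demo-dc01 -ScriptBlock ${function:Find-WeakDirectoryAce} -ArgumentList 'C:\'
```

Because the function emits objects rather than text, the remote results can be piped straight into Export-Csv or compared against a baseline run.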
WHAT CAN WE BREAK?
There is a lot of really impressive work going into offensive PowerShell frameworks: Recon, Backdoors, Shellcode, Exfiltration, Privesc.
Lots of very smart and devious people working on PowerShell frameworks.
Big focus on "in memory" attacks. Don't touch the disk, don't trip AV.
POWERSPLOIT
https://github.com/PowerShellMafia/PowerSploit
Modules: AV Bypass, Code Execution, Exfiltration, Mayhem, Persistence, Recon, Script Modification
COOL THINGS IN POWERSPLOIT
Exfiltration
Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume and parsing NTFS structures
Invoke-Mimikatz – Loads Mimikatz into memory and runs it. Doesn't touch disk when run against a remote computer.
Get-GPPPassword – Browses Group Policy and finds passwords
Code Execution
Invoke-Shellcode – Inject shellcode into a specified process
Mayhem
Set-MasterBootRecord – Writes a string to the MBR
Set-CriticalProcess – BSOD
VEIL POWERTOOLS
https://github.com/PowerShellEmpire/PowerTools
Part of the Empire Framework now. Components:
PewPewPew – Run commands against a list of servers without touching the HDD
PowerBreach – Offers a variety of ways to trigger backdoor code
PowerPick – Allows the execution of PS code without powershell.exe
PowerUp – Assists with local escalation
PowerView – Network awareness tool
COOL STUFF IN POWERTOOLS
PowerView
Invoke-StealthUserHunter – Finds the home directory server and checks for active sessions from specific user accounts
Invoke-FindLocalAdminAccess – Finds machines that the current account has admin rights on
Get-ExploitableSystems – Cross-references systems against common Metasploit payloads
PowerBreach
Invoke-DeadUserBackdoor – Triggers a payload if a given user account is deleted
Invoke-EventLogBackdoor – Triggers a payload if a specific user fails an RDP login
PewPewPew
Invoke-MassCommand – Runs a given command against a bunch of servers
Invoke-MassMimikatz – Runs mimikatz against all the things.
NISHANG
https://github.com/samratashok/nishang
Modules: Backdoors, Escalation, Gather, Pivot, Scans, Shells, Client
COOL THINGS ABOUT NISHANG
Client
Out-Word – Creates a Word file (or infects an existing one) with a macro that downloads and runs a PowerShell script
Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java
Backdoors
DNS_Txt_Pwnage – A backdoor that receives commands through DNS TXT queries
Gupt-Backdoor – A backdoor that receives commands from WLAN SSIDs (without connecting)
From its help text (.DESCRIPTION): Gupt looks for a specially crafted Wireless Network Name/SSID from the list of all available networks. It matches the first four characters of each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', the rest of the SSID name is considered to be a command and executed. If the 5th character is a 'u', the rest of the SSID is considered the id part of a Google URL Shortener link and a script is downloaded and executed in memory from the URL.
EMPIRE
http://www.powershellempire.com/
Pure PowerShell post-exploitation agent
Cryptographically secure communications
Flexible "phone-home" architecture
Think Meterpreter, but native PowerShell
Combines a lot of the modules present in other frameworks into an easy-to-use reverse shell
USING EMPIRE
Obtain a Linux server
git clone https://github.com/powershellempire/empire && cd empire/config && ./install.sh
Setup listeners (HTTP/S endpoints) on the server
Generate launchers (PowerShell code that runs on clients and makes them phone home)
Run launchers client side
Receive shells
BLUE TEAMS
PoshSecFramework (https://github.com/PoshSec/PoshSecFramework) – PowerShell console for incident response
Invoke-IR (http://www.invoke-ir.com/) – PowerForensics, Uproot (IDS in PowerShell)
Kansa – Information gathering and baseline
LEARNING MORE POWERSHELL
Microsoft Virtual Academy (https://mva.microsoft.com/)
Learn Windows PowerShell in a Month of Lunches (it's a book)
Google
Get your hands dirty: spin up a lab and play, find stuff to PowerShellify on the job
PEOPLE TO FOLLOW
@sixdub – PowerTools, Empire
@harmj0y – PowerTools, Empire
@enigma0x3 – Empire
@mattifestation – PowerSploit
@nikhil_mitt – Nishang
@jaredcatkinson – Invoke-IR
@ben0xa – PoshSecFramework
THE END
Questions? @jaredhaight, [email protected]
Charlotte Hackers – http://www.charlottehackers.com
Gotham Digital Science – http://www.gdssecurity.com