Get-Help: An intro to PowerShell and how to Use it for Evil


Transcript of Get-Help: An intro to PowerShell and how to Use it for Evil


PS C:\> WHOAMI

Jared Haight
Security Engineer with the CLT team at Gotham Digital Science
Former Sysadmin
Hobbyist Developer
Corgi Enthusiast
@jaredhaight

WHY ARE WE HERE?

I think PowerShell is pretty awesome
I want you to think PowerShell is pretty awesome
I'm going to give you a bunch of reasons that PowerShell is pretty awesome

WHY SHOULD YOU CARE ABOUT POWERSHELL

Or “How I justified this talk to BSides Charleston”

RED TEAMS

PowerShell is what the admins use to manage their infrastructure
Microsoft is pushing more and more tasks into PowerShell
Standard on Windows 7 and up
Robust, object oriented scripting language with access to a wide range of things on the computer
Access to entire .NET and WMI frameworks
Lots of very interesting offensive projects going on
Blue Teams aren't typically looking for it

BLUE TEAMS

It's what the bad guys are using.. like.. real ones.
There's some really cool DFIR stuff going on with Powershell

WHAT DO I NEED TO KNOW TO USE POWERSHELL?

Scripting for people whose idea of server administration is next > next > finish

VOCABULARY

String – Any combination of letters and numbers that are surrounded by quotation marks (single or double). Used for printing stuff. Example: “a”, “abc”, “abc123”, “123”

Integer – A number without quotes. Used for math. Example: 1, 2, 3, 5

Boolean – True or False, represented in PS as $True or $False

Variable – A reference to a value that can be assigned over the course of a script/program. Declared in PowerShell as $[word], ex: $foo

OBJECTS

An object is a type of "something". As an object of a specific type, it inherits properties and methods related to its object type.
Properties – Information about the object
Methods – Code that interacts with the object

For example, strings have properties for length and methods to change the case of their letters.

ARRAYS

A list of objects separated by commas. Example: "one","two","three"

You can access specific items in the array by using index numbers. Index starts at zero.

CMDLETS

Primary way of getting things done in PowerShell
Always in a "verb-noun" format
Examples:

write-host – print something to screen
get-process – get running processes
set-clipboard – copy something to clipboard
get-eventlog – get contents of eventlog

POWERSHELL SPECIFICS

Most everything is tab completable: cmdlets, parameters, parameter values

PowerShell ISE ("Integrated Scripting Editor") is installed by default with PowerShell

Includes Visual Studio-like auto-completion (IntelliSense) and a sidebar featuring all available cmdlets

POWERSHELL ISE

BUNNY BREAK

MAKING STUFF DO STUFF

FOR LOOPS

Code:

$list = "one", "two", "three"
forEach ($item in $list)
{
    write-host * $item
}

Output:

* one
* two
* three

FOR LOOPS – PRACTICAL EXAMPLE CODE

$dirs = Get-ChildItem C:\
forEach ($dir in $dirs)
{
    write-host $dir.FullName
    write-host "-----"
    $acl = $dir.GetAccessControl()
    write-host $acl.AccessToString
    write-host
}

FOR LOOPS – PRACTICAL EXAMPLE OUTPUT

[...]
C:\repos
-----
BUILTIN\Administrators Allow  FullControl
NT AUTHORITY\SYSTEM Allow  FullControl
BUILTIN\Users Allow  ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
NT AUTHORITY\Authenticated Users Allow  -536805376
C:\Sandbox
-----
NT AUTHORITY\Authenticated Users Allow  FullControl
Everyone Allow  FullControl
[...]

LOGIC

Logic in programming amounts to "if foo is true, do bar". You can compare things in PowerShell with:

-lt – Less than
-le – Less than or equal to
-eq – Equal to
-ne – Not equal to
-ge – Greater than or equal to
-gt – Greater than

LOGIC – IF/ELSE STATEMENTS

Code:

$nums = 1,2,3,4,5,6,7,8,9,10
forEach ($num in $nums)
{
    if ($num -eq 4)
    {
        write-host $num is four.
    }
    else
    {
        write-host $num is not four.
    }
}

Output:

1 is not four.
2 is not four.
3 is not four.
4 is four.
5 is not four.
6 is not four.
7 is not four.
8 is not four.
9 is not four.
10 is not four.

LOGIC – WHILE LOOPS

Code:

$i = 1
while ($i -le 4)
{
    write-host $i
    $i = $i + 1
}

Output:

1
2
3
4

FIGURING STUFF OUT

Get-Command [Search term]
Example: get-command "*clipboard"

Get-Help "Command"
It gets help.
Example: get-help write-host
Example: get-help write-host -examples

Get-Member
Pipe an object to it to find out the object's properties and methods

Example: $dir | get-member

GET-MEMBER OUTPUT

PS C:\> $dir | Get-Member

   TypeName: System.IO.FileInfo

Name         MemberType     Definition
----         ----------     ----------
Mode         CodeProperty   System.String Mode{get=Mode;}
AppendText   Method         System.IO.StreamWriter[...]
CopyTo       Method         System.IO.FileInfo[...]
Create       Method         System.IO.FileStream Create()
CreateObjRef Method         System.Runtime.Remoting[...]
CreateText   Method         System.IO.StreamWriter[...]
Decrypt      Method         void Decrypt()
Delete       Method         void Delete()
[...]

BUNNY BREAK

PUTTING IT ALL TOGETHER

PUTTING IT ALL TOGETHER

$dirs = Get-ChildItem C:\
ForEach ($dir in $dirs)
{
    $i = 0
    $acl = $dir.GetAccessControl()
    while ($acl.Access[$i] -ne $Null)
[...]

PUTTING IT ALL TOGETHER (BREAK DOWN)

[...]
        $ace = $acl.Access[$i]
        if ($ace.IdentityReference.Value.contains("Everyone"))
        {
            write-host $dir.FullName
            write-host "-----"
            write-host $ace.IdentityReference.Value ":" $ace.FileSystemRights.toString()
            write-host
        }
        $i = $i + 1
[...]

$dirs = Get-ChildItem C:\
ForEach ($dir in $dirs)
{
    $i = 0
    $acl = $dir.GetAccessControl()
    while ($acl.Access[$i] -ne $Null)
    {
        $ace = $acl.Access[$i]
        if ($ace.IdentityReference.Value.contains("Everyone"))
        {
            write-host $dir.FullName
            write-host "-----"
            write-host $ace.IdentityReference.Value ":" $ace.FileSystemRights.toString()
            write-host
        }
        $i = $i + 1
    }
}

PUTTING IT ALL TOGETHER (OUTPUT)

C:\Sandbox
-----
Everyone : FullControl

C:\Users
-----
Everyone : ReadAndExecute, Synchronize
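The "practical example" loop and the "putting it all together" script above both walk C:\ and print ACL text with Write-Host. The following is an added example, not code from the talk, that generalises them into a function: it walks a tree to a given depth, uses Get-Acl instead of the .NET method, checks the rights mask instead of string-matching "Everyone", and emits objects that can be sorted or exported. The root path, depth and principal list are placeholder defaults, and Get-ChildItem -Directory/-Depth assumes PowerShell 5.0 or later.

```powershell
# Added example (not from the talk): audit a directory tree for ACEs that give
# broad principals write-class rights. Defaults are placeholders.
function Find-BroadWriteAccess {
    param(
        [string]   $Path       = 'C:\',
        [int]      $Depth      = 1,
        [string[]] $Principals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )

    # Rights that let the principal change the directory's content or its security.
    # Read, Execute and Synchronize are deliberately not in the mask.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership')
    # ACEs can also carry generic rights (shown as a negative number in the slide
    # output, e.g. -536805376); GENERIC_WRITE is bit 30 and has no enum name.
    $genericWrite = 0x40000000

    # The root itself plus its subdirectories down to -Depth levels; unreadable entries are skipped
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($dir in $targets) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # access denied on the ACL itself: nothing to report

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }

            $rights      = [int]$ace.FileSystemRights
            $grantsWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)
            if (-not $grantsWrite) { continue }

            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited   # explicit (non-inherited) grants are the ones to look at first
            }
        }
    }
}

# Usage: explicit grants first, then by path
# Find-BroadWriteAccess -Path 'C:\' -Depth 1 | Sort-Object Inherited, Path | Format-Table -AutoSize
```

Comparing the rights as a bitmask rather than as text is what makes the "-536805376" entry from the earlier output show up: that ACE carries generic rights, which never match a string like "Modify" but do set the GENERIC_WRITE and Delete bits.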

DOING FUN STUFF WITH POWERSHELL

I may have a strange definition of “fun”

REGISTRY FUN – REGISTRY AS A DRIVE

PS C:\> cd HKCU:\
PS HKCU:\> cd .\SOFTWARE\
PS HKCU:\SOFTWARE\> dir Micro*

    Hive: HKEY_CURRENT_USER\SOFTWARE

Name                   Property
----                   --------
Microsoft
Microsoft Corporation
Microsoft Studios

REGISTRY FUN – CREATING ENTRIES

# Does the key exist?
PS HKCU:\SOFTWARE\> test-path "BSidesCHS"
False

# Create key
PS HKCU:\SOFTWARE\> new-item "BSidesCHS"

    Hive: HKEY_CURRENT_USER\SOFTWARE

Name                   Property
----                   --------
BSidesCHS

# Create item in key
PS HKCU:\SOFTWARE\> New-ItemProperty -path .\BSidesCHS\ -Name Demo -PropertyType String -Value "TextGoesHere"
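The same provider cmdlets, wrapped in two functions as an added example (not code from the talk). Set-RegistryMarker reproduces the slide's key and value idempotently, which matters because New-Item and New-ItemProperty both error if the key or value already exists; Get-AutorunEntries uses the read side of the provider on the Run/RunOnce keys, a routine baseline step for the blue-team side of the talk. The key path, value name and value are placeholders taken from the slide.

```powershell
# Added example (not from the talk): registry provider cmdlets wrapped in functions.
function Set-RegistryMarker {
    param(
        [string] $KeyPath = 'HKCU:\SOFTWARE\BSidesCHS',   # placeholder, from the slide
        [string] $Name    = 'Demo',
        [string] $Value   = 'TextGoesHere'
    )
    # New-Item errors if the key already exists, so check first (as the slide does)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # New-ItemProperty errors if the value already exists; Set-ItemProperty creates or overwrites
    Set-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Value -Type String
    # Read it back: Get-ItemProperty returns an object whose properties are the key's values
    (Get-ItemProperty -LiteralPath $KeyPath -Name $Name).$Name
}

function Get-AutorunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Bookkeeping properties the provider adds to every Get-ItemProperty result
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

# Usage:
# Set-RegistryMarker                           # returns "TextGoesHere"
# Get-AutorunEntries | Format-Table -AutoSize  # one row per autorun value
```

Get-ItemProperty returns one object per key with a property per registry value, so enumerating PSObject.Properties (minus the provider's own PS* entries) is the way to list values whose names you do not know in advance.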

REMOTE FUN

Most (all?) cmdlets understand UNC paths
test-path \\server\share\test.txt

A lot of cmdlets support the -ComputerName parameter.
get-service spooler -ComputerName demo-dc01 | stop-service

WinRM makes everything better
Microsoft's Remote Management service
enter-pssession demo-dc01
invoke-command -ComputerName demo-dc01 {code}
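The UNC-path and Invoke-Command patterns above, as an added example (not code from the talk) with the error handling a real run needs: Invoke-Command silently drops hosts it cannot reach unless you collect the errors, and results come back tagged with PSComputerName. Host names and the service name are placeholders; the functions assume WinRM is enabled on the targets and that the caller has rights to the admin share.

```powershell
# Added example (not from the talk): reachability and service state across hosts.
function Test-AdminShareReachable {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    # Test-Path accepts UNC paths like any other path
    foreach ($c in $ComputerName) {
        [pscustomobject]@{
            ComputerName = $c
            AdminShare   = Test-Path -LiteralPath ('\\' + $c + '\admin$')
        }
    }
}

function Get-RemoteServiceState {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $ServiceName = 'Spooler'   # placeholder
    )
    $failed = @()
    # Invoke-Command fans the script block out to all hosts in parallel; -ArgumentList
    # carries the service name into the remote scope and -ErrorVariable collects
    # connection failures instead of losing them.
    $params = @{
        ComputerName  = $ComputerName
        ArgumentList  = $ServiceName
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'failed'
        ScriptBlock   = {
            param($name)
            $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
            $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            [pscustomobject]@{ Service = $name; Status = $status }
        }
    }
    $results = Invoke-Command @params

    foreach ($r in $results) {
        # PSComputerName is added to every object that comes back from a remote session
        [pscustomobject]@{ ComputerName = $r.PSComputerName; Service = $r.Service; Status = $r.Status; Reachable = $true }
    }
    foreach ($err in $failed) {
        # For connection errors the TargetObject is the host name that could not be reached
        [pscustomobject]@{ ComputerName = $err.TargetObject; Service = $ServiceName; Status = $null; Reachable = $false }
    }
}

# Usage (host names are placeholders):
# Test-AdminShareReachable -ComputerName 'demo-dc01', 'demo-fs01'
# Get-RemoteServiceState -ComputerName 'demo-dc01', 'demo-fs01' -ServiceName 'Spooler' | Format-Table -AutoSize
```

Passing the cmdlet's arguments as a splatted hashtable keeps the script block readable and avoids backtick line continuations.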

PUPPY BREAK

EVIL

WHAT CAN WE BREAK?

There is a lot of really impressive work going into offensive PowerShell frameworks:
Recon
Backdoors
Shellcode
Exfiltration
Privesc

Lots of very smart and devious people working on PowerShell frameworks

Big focus on “in memory” attacks. Don’t touch the disk, don’t trip AV.
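The blue-team caveat to "don't touch the disk": from PowerShell 5.0 on, script block logging records the text of every script block as it is compiled, in the Microsoft-Windows-PowerShell/Operational log as event 4104, whether or not the code ever existed as a file. The following is an added example, not code from the talk: Enable-ScriptBlockLogging sets the policy key (requires an elevated prompt) and Get-SuspiciousScriptBlocks reads the log back. The search patterns are illustrative starting points, several taken from the framework function names mentioned later in the talk, not a detection rule.

```powershell
# Added example (not from the talk): turn on script block logging and search it.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousScriptBlocks {
    param(
        [int]      $MaxEvents = 500,
        [string[]] $Patterns  = @('FromBase64String', 'Invoke-Mimikatz', 'Invoke-Shellcode',
                                  'DownloadString', 'Invoke-Expression', 'IEX')   # illustrative
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 4104 properties: 0 = MessageNumber, 1 = MessageTotal, 2 = ScriptBlockText,
        # 3 = ScriptBlockId, 4 = Path (empty when the block never came from a file)
        $text = [string]$e.Properties[2].Value
        foreach ($pat in $Patterns) {
            if ($text -notmatch ('\b' + [regex]::Escape($pat) + '\b')) { continue }
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pattern = $pat
                Path    = $e.Properties[4].Value
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
            break   # one report per event
        }
    }
}

# Usage:
# Enable-ScriptBlockLogging                          # once, from an elevated prompt
# Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

An empty Path column on a hit is itself informative: it means the block was typed, piped in or decoded in memory rather than loaded from a .ps1 on disk, which is exactly the case the "don't touch the disk" approach relies on.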

USING A FRAMEWORK

Clone the repo
Run "Import-Module $repo"

POWERSPLOIT

https://github.com/PowerShellMafia/PowerSploit

Modules:
AV Bypass
Code Execution
Exfiltration
Mayhem
Persistence
Recon
Script Modification

COOL THINGS IN POWERSPLOIT

Exfiltration
Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume and parsing NTFS structures
Invoke-Mimikatz – Loads Mimikatz into memory and runs it. Doesn't touch disk when run against a remote computer.
Get-GPPPassword – Browses Group Policy and finds passwords

Code Execution
Invoke-Shellcode – Inject shellcode into a specified process

Mayhem
Set-MasterBootRecord – Writes a string to the MBR
Set-CriticalProcess – BSOD

VEIL POWERTOOLS

https://github.com/PowerShellEmpire/PowerTools
Part of the Empire Framework now

Components:
PewPewPew – Run commands against a list of servers without touching the HDD
PowerBreach – Offers a variety of ways to trigger backdoor code
PowerPick – Allows the execution of PS code without powershell.exe
PowerUp – Assists with local escalation
PowerView – Network awareness tool

COOL STUFF IN POWERTOOLS

PowerView
Invoke-StealthUserHunter – Finds Home Directory server and checks for active sessions from specific user accounts
Invoke-FindLocalAdminAccess – Finds machines that the current account has admin rights on
Get-ExploitableSystems – Cross references systems against common metasploit payloads

PowerBreach
Invoke-DeadUserBackdoor – Triggers a payload if a given user account is deleted
Invoke-EventLogBackdoor – Triggers a payload if a specific user fails an RDP login

PewPewPew
Invoke-MassCommand – Runs a given command against a bunch of servers
Invoke-MassMimikatz – Runs mimikatz against all the things.

NISHANG

https://github.com/samratashok/nishang

Modules:
Backdoors
Escalation
Gather
Pivot
Scans
Shells
Client

COOL THINGS ABOUT NISHANG

Client
Out-Word – Creates a Word file (or infects an existing one) with a macro that downloads and runs a PowerShell script
Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java

Backdoors
DNS_Txt_Pwnage – A backdoor that receives commands through DNS TXT queries
Gupt-Backdoor – A backdoor that receives commands from WLAN SSIDs (without connecting)

.DESCRIPTION (from Gupt-Backdoor's comment-based help)
Gupt looks for a specially crafted Wireless Network Name/SSID from the list of all available networks. It matches the first four characters of each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', the rest of the SSID name is considered to be a command and executed. If the 5th character is a 'u', the rest of the SSID is considered the id part of a Google URL Shortener link and a script is downloaded and executed in memory from the URL.

DEMO

Our demo gods, which art in conferences..

EMPIRE

A Magnum Opus of attacking with PowerShell

EMPIRE

http://www.powershellempire.com/
Pure PowerShell post-exploitation agent
Cryptographically secure communications
Flexible "phone-home" architecture
Think Meterpreter, but native PowerShell
Combines a lot of the modules present in other frameworks into an easy to use reverse shell

USING EMPIRE

Obtain a Linux server
git clone https://github.com/powershellempire/empire && cd empire/config && ./install.sh

Setup listeners (HTTP/S endpoints) on the server
Generate launchers (PowerShell code that runs on clients and makes them phone home)

Run launchers client side
Receive shells

FURTHER INFO

BLUE TEAMS

PoshSecFramework (https://github.com/PoshSec/PoshSecFramework) – PowerShell Console for Incident Response

Invoke-IR (http://www.invoke-ir.com/) – PowerForensics, Uproot (IDS in Powershell)

Kansa – Information gathering and baseline

LEARNING MORE POWERSHELL

Microsoft Virtual Academy (https://mva.microsoft.com/)
Learn Windows Powershell in a Month of Lunches (it's a book)
Google

Get your hands dirty
Spin up a lab and play
Find stuff to Powershellify on the job

PEOPLE TO FOLLOW

@sixdub – PowerTools, Empire
@harmj0y – PowerTools, Empire
@enigma0x3 – Empire
@mattifestation – PowerSploit
@nikhil_mitt – Nishang
@jaredcatkinson – Invoke-IR
@ben0xa – PoshSecFramework

THE END

Questions?
@jaredhaight
[email protected]
Charlotte Hackers – http://www.charlottehackers.com
Gotham Digital Science – http://www.gdssecurity.com