Harness: PowerShell Weaponization Made Easy (or at least easier)
![Page 1: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/1.jpg)
Harness: PowerShell Weaponization Made Easy (or at least easier)
Rich Kelley
@RGKelley5
![Page 2: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/2.jpg)
Who is this guy?
• Computer science background
• Prior US Air Force Communications Officer
• Network engineer, software developer, penetration tester
• Co-founder Gray Tier Technologies, LLC
• Currently focused on application pen testing
• Mostly I enjoy writing obscure utilities: pyHashcat, Keyboard Walk generators
![Page 3: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/3.jpg)
Why should I care?
• “…Microsoft’s Post-Exploitation Language” – Chris Campbell (@obscuresec)
• Defenders should be more aware of the damage attackers can do with PowerShell alone
• We need more research into incident response related to malicious PowerShell use (see DEF CON 22, Ryan Kazanciyan and Matt Hastings, “Investigating PowerShell Attacks”)
![Page 4: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/4.jpg)
PowerShell weaponization problem?
‘How do you get your [PowerShell] scripts running on your target machines, and effectively get your results back?’ – Will Schroeder (@harmj0y)
Bottom line
• PowerShell weaponization can be somewhat cumbersome
• Hopefully I’ve made that a little easier with the Harness tool set
![Page 5: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/5.jpg)
Hasn’t this problem been solved?
• Yep, but I’m a developer. Why use someone else’s solution when I can write my own (I’m kidding…sort of)
• Previous solutions were not as seamless as I wanted:
  Step 1: Gain access
  Step 2: ?????
  Step 3: PowerShell!
  Step 4: Pwn all things!
• A couple of very cool new solutions have recently been released
![Page 6: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/6.jpg)
RDP – Paste, Download, or Import
![Page 7: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/7.jpg)
Remote shell – PowerShell encoded command
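The encoded-command route named on this slide, shown as an added example (Python, not code from the slides or from Harness): building the -EncodedCommand argument the way powershell.exe expects it (Base64 over the UTF-16LE script), and the reverse operation a defender runs over captured process command lines. The command lines in SAMPLE_CMDLINES are constructed for the example, and the short flag variants (-e, -ec, -enc) are matched because powershell.exe accepts unambiguous prefixes of parameter names.

```python
import base64
import re

# Constructed sample command lines (not taken from the slides or any real capture).
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -NonI -W Hidden -Enc bABzAA==",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "cmd.exe /c whoami",
]


def encode_command(script: str) -> str:
    """Build the argument for -EncodedCommand: Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_launch_line(script: str) -> str:
    """Full one-liner an operator would paste into a remote cmd.exe shell."""
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {encode_command(script)}"


# powershell.exe accepts any unambiguous prefix of a parameter name, so the
# flag shows up in the wild as -e, -ec, -en, -enc or -EncodedCommand.
_ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script from a command line, or None if there is none."""
    match = _ENC_FLAG.search(cmdline)
    if match is None:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but the blob is not a valid encoded command


def scan_cmdlines(cmdlines):
    """Detection helper: (command line, decoded script) for every hit."""
    hits = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            hits.append((line, decoded))
    return hits


if __name__ == "__main__":
    print(build_launch_line("Get-Process | Select-Object -First 3"))
    for line, script in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"{line!r} -> {script!r}")
```

The decoder deliberately tolerates the abbreviated flags and rejects malformed Base64 rather than raising, so it can be dropped into a log-scanning loop without crashing on noise; anything it returns is the literal script text the operator sent, which is what a responder wants to see.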
![Page 8: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/8.jpg)
Metasploit – exec_powershell
![Page 9: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/9.jpg)
Metasploit – Interactive PS Payloads
![Page 10: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/10.jpg)
Cobalt Strike – Beacon
![Page 11: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/11.jpg)
Other Options
• PowerShell Remoting (must be enabled to use)
• WMI
• Empire - www.powershellempire.com
![Page 12: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/12.jpg)
My Development Requirements
1. Fully interactive remote PowerShell console with the same capabilities as the native PowerShell.exe
2. Ability to seamlessly import modules across the wire
![Page 13: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/13.jpg)
Demo Time!
![Page 14: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/14.jpg)
Under the hood
• Payload Requirements
  .NET 4.0+
  System.Management.Automation assembly
• Tested on: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012
![Page 15: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/15.jpg)
Under the hood
• Listener/Framework Requirements
  Python 3.4 asyncio (although it could easily be ported to an alternative)
  Linux, tested on Kali
• Why Python? Why not Ruby? Why not Metasploit?
  Mostly for the learning experience
  I prefer Python to Ruby (calm down)
  Should be simple enough to port to a Metasploit module
  ReflectiveHarness can be used with the DllInject module
![Page 16: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/16.jpg)
Defense
• Restrict access to System.Management.Automation (the payload drives PowerShell through that assembly rather than through PowerShell.exe, so controls on PowerShell.exe alone do not cover it)
• Enable monitoring: new logging features added in PowerShell 5.0 (script block logging, system-wide transcription)
![Page 17: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/17.jpg)
Thank you!
• Matt Benton (@ruddawg26)
• James Icenogle (@sploitmonkey)
• Matt Graeber (@mattifestation)
• Will Schroeder (@harmj0y)
• Justin Warner (@sixdub)
Contact
• Twitter: @RGKelley5
• Email: [email protected]
• Blog: www.frogstarworldc.com
• Github: https://github.com/Rich5/Harness
![Page 18: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/18.jpg)
Questions?
![Page 19: Harness: PowerShell Weaponization Made Easy (or at least easier)](https://reader035.fdocuments.net/reader035/viewer/2022062515/55d37b2fbb61ebb6518b485b/html5/thumbnails/19.jpg)
Bonus: a single command, reconstructed from the slide’s handler/payload diagram
1. Handler: the operator types at the prompt (PS C:\> ls); the script/cmd goes out over the socket
2. Payload: while script not valid: accumulate (keep reading until the received text is a complete, parseable script)
3. Payload: ps.BeginInvoke runs the script
4. Payload: Send results back over the socket
5. Handler: the results are printed under the echoed command (PS C:\> ls, then the Directory: C:\ listing with Mode, LastWriteTime, …)
Bonus: importing a module across the wire, reconstructed from the slide’s handler/payload diagram
1. Handler: the operator types PS C:\> ^import-module script.ps1; the handler turns the local script.ps1 into a socket byte stream opened with <rs> and closed with </rs>
2. Payload: Inbound script = True; while !rcvd close signal: accumulate
3. Payload: on the close signal (</rs>), ps.BeginInvoke runs the accumulated script
4. Payload: Send results back; the handler prints them under the echoed command (PS C:\> ^import-module script.ps1, then the Directory: C:\ listing)
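The listener slide says the framework is Python asyncio, and the two Bonus diagrams sketch its wire convention. The following is an added example that reconstructs that convention in Python (it is not Harness’s own code and is written for current Python 3, not the 3.4 the slides name): the handler intercepts a line starting with ^import-module, reads the local file and ships it between the <rs> and </rs> markers, while the payload side accumulates until the close signal before invoking. The marker strings, the ^import-module prefix and the “accumulate until close signal” behaviour come from the slides; the newline-terminated framing, the loopback port, the fake file system and the fake_invoke stand-in for ps.BeginInvoke are assumptions. The other payload mode on the first diagram (accumulate until the text parses as valid PowerShell) needs a PowerShell parser and is not shown.

```python
import asyncio
import pathlib

# Marker and prefix strings are taken from the slides' diagrams; the rest is assumed.
OPEN_MARK = "<rs>"       # handler -> payload: a multi-line script follows
CLOSE_MARK = "</rs>"     # handler -> payload: close signal, run what was accumulated
IMPORT_PREFIX = "^import-module "


def frame_command(line, read_file=lambda p: pathlib.Path(p).read_text()):
    """Turn one line typed at the handler prompt into what goes on the socket.

    A plain command is sent as-is.  '^import-module <path>' never reaches the
    target as text: the handler reads the local file and ships its contents
    between the open/close markers so the payload treats it as one script.
    """
    if line.startswith(IMPORT_PREFIX):
        script = read_file(line[len(IMPORT_PREFIX):].strip())
        return f"{OPEN_MARK}\n{script.rstrip()}\n{CLOSE_MARK}\n"
    return line + "\n"


class PayloadAccumulator:
    """Payload-side state: 'while !rcvd close signal: accumulate'."""

    def __init__(self):
        self.buf = []
        self.in_script = False

    def feed(self, line):
        """Feed one received line; return a script ready to invoke, or None."""
        if line == OPEN_MARK:
            self.in_script, self.buf = True, []
            return None
        if line == CLOSE_MARK:
            self.in_script = False
            script, self.buf = "\n".join(self.buf), []
            return script
        if self.in_script:
            self.buf.append(line)
            return None
        return line  # ordinary single-line command: invoke at once


async def handler(reader, writer, commands, read_file):
    """Listener side: send each operator line, collect one result line each."""
    results = []
    for cmd in commands:
        writer.write(frame_command(cmd, read_file).encode())
        await writer.drain()
        results.append((await reader.readline()).decode().rstrip("\n"))
    writer.close()
    return results


async def fake_payload(host, port, invoke):
    """Stand-in for the .NET payload: accumulate, invoke, send the result back."""
    reader, writer = await asyncio.open_connection(host, port)
    acc = PayloadAccumulator()
    while raw := await reader.readline():
        script = acc.feed(raw.decode().rstrip("\n"))
        if script is not None:
            writer.write((invoke(script) + "\n").encode())
            await writer.drain()
    writer.close()


async def run_demo(commands, invoke, read_file):
    """Wire handler and fake payload over loopback; return the handler's results."""
    done = asyncio.get_running_loop().create_future()

    async def on_connect(reader, writer):
        done.set_result(await handler(reader, writer, commands, read_file))

    server = await asyncio.start_server(on_connect, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    payload = asyncio.create_task(fake_payload("127.0.0.1", port, invoke))
    results = await done
    await payload
    server.close()
    await server.wait_closed()
    return results


if __name__ == "__main__":
    # Constructed file system and a stand-in for ps.BeginInvoke that only summarises.
    fake_fs = {"script.ps1": "function Get-Foo {\n  'foo'\n}\nGet-Foo\n"}

    def fake_invoke(script):
        lines = script.splitlines()
        return f"[invoked {len(lines)} line(s), first: {lines[0]}]"

    for result in asyncio.run(run_demo(["ls", "^import-module script.ps1"],
                                       fake_invoke, fake_fs.__getitem__)):
        print(result)
```

The point worth noticing for a defender is in frame_command: the module text crosses the wire as a raw byte stream inside the markers and is executed from memory on the far side, so nothing named script.ps1 ever touches the target’s disk; the only artefacts are the socket traffic and whatever PowerShell logging the host has enabled.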