>> NIKHIL MITTAL: Hi DEF CON! Thank you. I'm Nikhil Mittal. I'm from India and I'll be talking about Powerpreter: post exploitation like a boss. So how many of you are penetration testers? (Showing of hands)
You surely do post exploitation? Yes or no?
>> AUDIENCE: Yes.
>> NIKHIL MITTAL: Yeah. So we will have a look at something which could be used to enhance your post exploitation experience. It sounds like a vendor term, but yes. And let's have fun.
So something about me. I'm a hacker who goes by the handle samratashok. This is my Twitter handle. And you can find my posts on my blog.
I'm the creator of Kautilya and Nishang. Kautilya is a toolkit which could be used to use human interface devices like Teensy and others for penetration tests, or for whatever you want it to be. Nishang is a post exploitation framework in Powershell. Powerpreter is going to be a part of this framework. You can find both of these on the Google Code links or on my blog. I'm interested in offensive information security methodology, hacking systems, getting into systems. I'm a freelance penetration tester. I've spoken twice. And I've spoken at a couple of conferences before this. And this is my first time at DEF CON. (Shouts)
Thank you. (Applause)
So what we will be looking at is: what is the need for post exploitation? What is Powershell, in a couple of slides? Why do we need Powershell? Then we will have a look at Powerpreter, its architecture, usage, payloads and much more details. Then there is a web shell, which I call C# Darknet and Powershell. And then limitations and conclusions.
So what is post exploitation? For me, it is the most important part of a penetration test. As a freelance penetration tester, I know that someone who is going to pay me doesn't necessarily understand what a shell is. "I got access through my PC?" I say, "Yeah, okay, I got access through my PC." That's the kind of response you get in a meeting with a client. But those guys want to pay you. So we need some ways to show actual data: things like, if it's a pharma company, the complaints their customers submit against them; if it's a supply chain management company, then the profit they take at every step of the supply chain; things like that. So this differentiates a good penetration tester from someone who will return a piece of crap.
So this is Powershell. It's a shell and a scripting language, which is present, I think, by default on all Windows systems. It's an automation framework, designed to help system admins and, of course, penetration testers who know how to use it to their profit. It's built on the .NET framework and it's tightly integrated with Windows. Yes, it's by default on Windows. (Laughter)
So why Powershell? Anybody here uses Powershell for their penetration testing things? (Showing of hands) Wow, nice.
Any one of you use Nishang by any chance? (Showing of hands) Oh, whoo.
Just out of curiosity, anybody here uses Kautilya or knows what it is already? (Showing of hands) Okay, thank you.
So, yes, why Powershell? It's easy to learn and powerful. The help system is quite good. You can read help, have the command list or commands or whatever. We're not going into the details of that. And one thing which I have come to during my penetration tests is that it is trusted by system administrators, account managers, et cetera. Nobody actually cares about Powershell. There are a lot more things to have a look at. You can consider it the bash of Windows. Many things like commands like ls, cat, et cetera, the very common ones, are used as aliases in Powershell, so you will be very comfortable using it. And this means less dependence on any utility which converts your code to an executable, let's say (inaudible) to EXE or things like that. And to some level less dependence on MSF, too. MSF is very good. I mean, Powerpreter is nowhere near Meterpreter, from where it borrows its name. But Windows is all around MSF, so it's good if sometimes you have something in your tool chest other than MSF which can help you in achieving things in a similar way.
Powerpreter, yes, it's a post exploitation tool within Powershell. It's a module. How many Powershell programmers, or guys who use Powershell for anything other than penetration testing? (Showing of hands)
Similar answer. Okay. Okay. It's a module or a script. It depends on the usage. So how Powerpreter is designed is, if you rename the file to .ps1, which is the default extension for Powershell scripts, it could be used as a Powershell script. And if you rename it to .psm1, then it's a Powershell module.
Payloads and features are all divided into different functions. Each function represents a different functionality. So if you have some code which you want to include with Powerpreter, so that it's helpful, and this could be used, for example, for persistence, pivoting, et cetera, then you can try a new function, copy it into your Powershell module, and you're good to go.
talking about post exploitation, we will assume that we have access to a machine. We have
access to a machine. And we will try to make our way to other machines on the network,
back door that machine or pull it out of that machine, more effectively than could be done
using nonPowershell methods or at least most -- in the most, MNLDB. And, yes, the third
thing, it could also be used with a Meterpreter shell. You can use -- and one thing, if you
using it from the Meterpreter shell, you won't be able to get an interactive Powershell prompt
from Meterpreter. It's the way Powershell handles outward redirection. And other than
from Meterpreter, if you have any custom shell which gives you the ability to execute code
on a machine, you can always use Powershell and hence powerpreter.
So there are many payloads in Powerpreter. Let's have a look at them. That would be the most lengthy part of this talk. Most of the time it will be in the demonstrations.
So these are the capabilities of Powerpreter. Persistence using WMI permanent events, from ZMOS will sign into the machine. It won't be a startup script or something like that, service failure or scheduled task. It won't be anything of this. It would be -- we will use WMI, (inaudible) that's it. That's it. (inaudible). We will have a look at it.
One other thing, we will use built-in Powershell remoting to pivot to other machines, where the tool is possible. We just run commands non-interactively, or we will interactively run commands or scripts or whatever on a remote machine. We have a simple function called enable duplicate token, written by a friend, Nicholas, which allows -- which is nothing great. But if you are on a machine at admin level, you can get system level access and do stuff like dumping hashes or SUCRA. Then there are helper functionalities. Simple ones like (inaudible) executables to Unicode, encoded text or basic script for encoding, or execution of SUCRA. So these are some helper functionalities.
Deployment. We can deploy a Powershell from our Powershell session for a Powershell remoting session. We can use Meterpreter. What else can we use? We can use PsExec, because it allows us to execute commands on a remote machine. (Shouts and applause)
>> And of course we need a volunteer from the audience, first time DEF CON person. Your hand shot up. Everybody else is like, damn it!
To our new speaker and our new attendee. (Applause)
>> Busy afternoon. We have got to go. And no following us. We know you're out there.
>> NIKHIL MITTAL: Okay. So ... (Laughter)
Powerpreter could be deployed using drive-by downloads. We will use an external application, which will execute VB code, which in turn would download Powerpreter from a server and execute it. And we can also use human interface devices, because I love to insert HID into everything. So select a couple of functionalities, and run it from your HID device, from your HID. Sorry. So let's get down with the demos.
So let's assume -- do you want me to assume that I have clear text passwords of the remote machine, or do I have the hashes of the remote machine?
>> AUDIENCE: (Shouting)
>> NIKHIL MITTAL: Okay. Okay. So this is the attacker machine and we will use WCE to pass the hashes. So let me put the target first.
>> AUDIENCE: Increase your font size on your terminal. Please.
>> NIKHIL MITTAL: What? The font size?
>> AUDIENCE: Yes. (Applause)
>> NIKHIL MITTAL: Better?
Meanwhile, it is putting. So what we'll do, we will use these hashes with WCE, and on our victim we will have administrative access, because it's a post exploitation thing. Please don't shoot me. So we will have a remote session, which is Powershell remoting, a built-in feature of Powershell, which is enabled by default post Server 2012. So we will have a remoting session on the victim machine. There we will download the Powerpreter module, import it, and we will have fun.
So... okay. So we have hashes with us. So let's... okay. This (inaudible) session cmdlet opens a PSSession with this remote computer name, which is called Akila, which means stand-alone. It's not part of any domain. Let me try with credentials, then. Maybe I have older hashes with me. I think that was an issue because my attacker machine had Powershell version 3 and the victim is Powershell version 2. So maybe because of that, because I just tested it before the talk.
Okay. So the roles are reversed, so my VM machine is now the attacker. (Laughter)
Okay. So let's... Okay. I'm... Now if I import the module --
>> AUDIENCE: (Shouts)
>> NIKHIL MITTAL: Sorry.
>> AUDIENCE: Font size.
>> NIKHIL MITTAL: Yep. Okay. So the module is already there. Either we can download it using this one-liner, which is test. But I'm not going to do that, because I already wasted a couple of minutes. So I renamed it to .psm1, just because I was testing some things. So let's import this. So now we have some functions imported into this current Powershell session.
For example, let's see -- it won't be beautiful, but let's see what is -- some basic information about the client. Okay. Isn't looking beautiful bad? As you can see, we have -- (Laughter)
We have logged in -- we have logged in users, Powershell environment, trusted hosts, for the same sessions, we simply use commands. Are they initiated on the machine? No. Environment. Some details about the current user. No SMNP, installed applications, installed applications for the current user, dominant node system, standalone system. Contents of etc\hosts. Running services, local users, local groups, the LAN info. This is the thing which you message on. Okay? It's a crock. So this gives us a basic idea about the target system.
Now, let's have a look at the basic things like (inaudible) keys. So one thing I would like you to note is, for example, when I say get WM -- this is an independent script. This is not because of Powerpreter. It's residing in that system. Better I get out of this folder. Okay.
So this Get-WLAN-Keys function shows us the keys in plain text of all the WLAN profiles on that system, the settings on that system, to which it has connected in the past. Oh, that's my home WiFi. (Laughter and applause)
Just to make things faster, I made a list of what I want to demonstrate. WLAN keys in clear, done.
Keylogger, I'm not showing this. Next time. Okay. We already had hashes. We assumed that we had hashes. But suppose I got access to this system from a remote shell. You don't have access to the password hashes. Then let's use this. Will we get hashes? No, we won't. Because we need system privileges to execute this thing. So for that we have a helper function, called enable duplicate token. This duplicates the system token from the service, and assigns it to the current Powershell thread. So we run both of these in tandem. And here we do have the hashes of the system. (Applause)
Okay. But these are hashes. What if you want LSA secrets from the machine? Let's try it out. But this is a 64-bit system, our new victim. So for that I need to execute -- okay. This is the correct font? 64 bits.
>> AUDIENCE: (Commenting)
>> NIKHIL MITTAL: Okay. Thank you. Okay. This is the 32-bit Powershell, because LSA secrets are stored in the 32-bit registry. And here we have to -- we will import Powerpreter in this 32-bit Powershell, call enable duplicate and call get LSA, so that works. Let's see. Okay. So we will import it... So we have the LSA secrets of this machine. So this is -- okay. It's my password. (Applause)
Okay. Now, let me try again to get back to the older victim. Because for a couple of these things, I have a SQL server running on the older victim. Rather, let's use it on the same machine.
So now we are -- just for the sake of demonstration, we are running it on the same machine. But I swear it works on both machines, too. Let's try this and invoke producer, it's a basic bruteforcer. Let's do it on ourselves. It's bound to be successful because it's running on the same machine. And we will leave it for now. Let's... Execute some MSSQL commands on this machine with the username this and password this.
So it asks whether you want to run a Powershell shell or a SQL shell or a command shell. Let's pick Powershell. So now we have a Powershell shell on this machine. So let's check what is the version? So it's version 2. And we can do more stuff. So there are already many built-in cmdlets in Powershell which could be very useful in a penetration test. For example, get process.
Okay. We do have a basic port scanner, too, but let's leave it. Okay. We do have execute shellcode, but let's leave it, too. Because I want to show you one more thing which was not present in the slides on the DVD. That's why.
be pivot to. Meanwhile, it's getting up. Let's have a look at the video. Okay. I'm on the
remote machine. Zoom out. Zoom out. As you can see, I'm on the remote machine. Okay.
I think I'll open it in VLC. It's not taking it. Okay. I'll try to -- okay. So we are on
a remote machine. And I just imported the module. And this is a backdoor called wait
for command, which waits -- which polls URL for commands, and only when -- for those who
can't see, I'm sorry. So we have this check URL this space and as the payload URL we will
use this space for the URL. You can use any service, any website, any Web app you want.
Okay. We have the check URL, the payload URL, the magic string. The magic string the payload
will check -- if the magic string provided to the payload matches this one, only then
the payload will execute. This says chart 1, 2, 3, and the stop string is stop. Whenever
stop comes in place of the start, we will see the backdoor is stop.
Okay. We just downloaded powerpreter and got hashes of the system. As you can see, the
payload was this. The payload was this. And now we change the payload to maybe get
process. And meanwhile in the background, the backdoor, it's waiting for either the
start string or the next command. Until the time stop is not found on the check URL, it
will keep looking for new commands or new payloads on the payload URL part. In the time
-- it takes one minute, it takes 60 seconds to execute commands in between. So that it
doesn't create too much noise or too much traffic to get caught easily. So after waiting
for one minute -- okay. So I'm running out of time. So, yes, it will show the process
and then I'll change it to stop and it will stop.
Let's leave the payload thing while I blog about it.
Okay. Let's see the -- what is the IP of this victim?
Assume you have file upload or somehow you can upload files to an ASP.NET machine or server. So you can use this. This will come in handy. What is it, 146... first the slides. Because I have made the slides, so we have to go through them.
Okay, it's named after the God of death, yimlat. How many of you know yimlat here? I see a couple of you physicists here, so you might know it. So it's the God of death; it sounds bad ***. So its redundancy shall donate, as I said that is what I call it. The UI is designed to be -- to look like an actual Powershell shell, a Powershell prompt. And you have the ability to download and upload files. You can execute scripts using the encode and execute button. And if remoting is enabled, you can also run commands on remote machines using this web shell. So before the demo, meet Emrad. Oh, what is this? Wife of Emrad. So is it visible? Better now?
Let's have a quick look at it. If you type help, it will show you how you can execute commands that are on this -- on the victim using this. And the best thing in this is encode and execute, this option. You can actually copy a fairly large Powershell script in this command console. And when you click it, it uses compressed postscript by Carlos Perez. Thanks to him. It compresses the script and uses Powershell's encoded command to execute it on the victim.
If you want to have a look at it, it will take time. Let's see whether we are really able to do something. Yes, some basic commands. Yes. Users. Any command you want me to run here? Anything.
And one thing is, if you want to download or upload any file, the help clearly says you have to physically type here. For example, if you want to upload a file to the current directory, you have to put the full name here. Let's say 1.-- no. That's it. Browse for it. Sorry. Browse for it. Select it and upload it. That's a little bit inconvenient, but it's for the purpose of maintaining the feel of a proper Powershell prompt.
testing. I've been using this for the past six months. Many of the payloads are already
part of Nishang. So some of them have undergone some testing. Others have not. So bugs will
keep coming, I think, but will improve in time. And one aspect is key logger does not
work from the partial remoting session. I don't know why. It's maybe because of the
run space descriptions from the partial remoting session. I'm not aware of any key logger in
partial which runs from a partial remoting session. And yes, backdoors can be detected
with careful traffic analysis, because it's a fixed time interval and it will -- in which
it polls the source. Payload depends upon partial remoting.
Okay. To conclude with, partial gives you much control over a Windows machine or Windows
network and powerpreter utilizes this thing, in an attempt to easy this most important
phase of a penetration test. Obviously there are other ways to do the same thing. Powershell
just makes it or tries to make it easier. I would like to thank, give shout, and give
credit to all these guys who are friends and fellow Powershell hackers. So I would request
applause for these guys. (Applause)
And I would like to thank my friend Arthur, who helped me getting here.
And there is another interesting Powershell talk tomorrow by Joe. Please make sure you
attend it. Thank you. Any questions, insults, feedbacks? You're welcome.
Thank you. (Applause)