Slides of my talk at Defcon 21
PowerPreter: Post Exploitation like a boss
Nikhil “SamratAshok” Mittal
>Powerpreter by Nikhil Mittal 2
Get-Host
• Hacker who goes by the handle SamratAshok
• Twitter – @nikhil_mitt
• Blog – http://labofapenetrationtester.blogspot.com
• Creator of Kautilya and Nishang
• Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
• Freelance penetration tester *hint*
• Spoken at BlackHat, Troopers, PHDays and more
Get-Content
• Need for Post Exploitation
• PowerShell
• Why PowerShell?
• Introducing – Powerpreter
  – Architecture
  – Usage
  – Payloads
  – Capabilities
  – Deployment
• Antak – The WebShell
• Limitations
• Conclusion
Need for Post Exploitation
• The most important part of a penetration test.
• The guy who will pay you $$$ does not understand technology (nor does he want to). A “shell” is not what he wants from you.
• IMHO, this differentiates a good pen tester from a one-click-i-pwn-you-omg pen tester.
• Etc Etc
PowerShell
• A shell and scripting language present by default on new Windows machines.
• Designed to automate things and make life easier for system admins.
• Based on the .Net framework and tightly integrated with Windows.
Why PowerShell?
• Provides access to almost everything in a Windows platform which could be useful for an attacker.
• Easy to learn and really powerful.
• Trusted by the countermeasures and system administrators.
• Consider it the bash of Windows.
• Less dependence on msf and <insert_linux_scripting>-to-executable libraries.
Powerpreter - Introduction
• A post exploitation tool written completely in powershell.
• To be a part of Nishang, a powershell based post exploitation framework written by the speaker.
• The name is similar to meterpreter. Powerpreter wants to be like meterpreter after growing up :)
Powerpreter - Architecture
• Powerpreter is a powershell module and/or script depending on the usage.
• Payloads and features in powerpreter are structured as functions, one separate function for each functionality.
• It could be easily extended to include new scripts: just add a new function and it can be used alongside the other options.
Powerpreter – Usage
• Powerpreter is best used from a Powershell Remote Session.
• It could be imported as a module, and the functionalities get loaded into the current session.
• It could also be used with meterpreter and “possibly” other shells as well.
Powerpreter – Payloads
• Payloads depend on the privileges available.
• Many useful payloads.
• Better seen in the demo.
Powerpreter – Capabilities
• Persistence
• Pivoting
• Admin to SYSTEM
• Helper functionalities
• Etc Etc
Powerpreter – Deployment
• From a powershell session
• Using meterpreter.
• Using psexec.
• Drive-by-download
• Human Interface Device (Bare bones preferred)
Powerpreter - DEMO
Antak – The Webshell
• Named after the God of Death (Yamraj) in Indian mythology….muhahaha
• Written in C#.Net (that is what I call it).
• The UI is designed to look like a powershell prompt.
• Ability to upload & download files and execute commands.
• Scripts can be executed by using the “Encode and Execute” option.
• If remoting is enabled, commands/scripts on remote systems can be executed.
BTW meet Yamraj
Limitations
• Yet to undergo community testing.
• Keylogger does not work from a powershell remoting session.
• Backdoors can be detected with careful traffic analysis.
• Pivot depends upon powershell remoting.
Conclusion
• Powershell provides much control over a Windows system and a Windows based network.
• Powerpreter has been designed to derive its power from the above fact and provides (or at least attempts to provide) a useful set of features for penetration testers.
• Obviously, there are other ways to achieve similar things. Powerpreter just makes it easier.
Thanks/Credit/Greetz
• Thanks to my friend Arthur Donkers for helping me to come to Defcon.
• Thanks/Credit/Greetz/Shoutz to powershell hackers (in no particular order): @obscuresec, @mattifestation, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @adamdiscroll, @JosephBialek, @dave_rel1k and all bloggers and book writers.
• Go see another awesome powershell talk in Track 2 tomorrow – “PowerPwning: Post-Exploiting By Overpowering PowerShell” by Joe Bialek
Thank You
• Questions?
• Insults?
• Feedback?
• Powerpreter would be available at http://code.google.com/p/nishang/
• Follow me @nikhil_mitt
• Latest slides for this preso could be found at: http://labofapenetrationtester.blogspot.in/p/blog-page.html