Harness: PowerShell Weaponization Made Easy (or at least easier)

Formal Metadata

Title: Harness: PowerShell Weaponization Made Easy (or at least easier)
Number of Parts: 109
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract

The Harness toolset aims to give penetration testers and red teams the ability to pull a remote PowerShell interface with all the same features of the native PowerShell CLI and more. Several tools and utilities have been released to solve the PowerShell weaponization problem, but no freely available tool gives operators the full capabilities of PowerShell through a remote interface. We'll start the talk with a quick survey of the previous methods of weaponizing PowerShell, and then move into the capabilities of the Harness toolset, which includes a fully interactive PowerShell CLI and remote importing of modules across the wire without staging. We'll conclude by taking a look at the underlying code that makes the toolset work, and briefly discuss planned features. The Harness toolset will be released open source in conjunction with this talk.

Speaker Bio: Rich Kelley (@RGKelley5) is a security researcher and the co-founder of Gray Tier Technologies, a small InfoSec start-up based out of Alexandria, VA. After his time in the military he held positions as a network engineer, software engineer, and penetration tester for various government agencies. He recently moved into exploit development and reverse engineering, and is pretty sure he knows less than when he started. Twitter: @RGKelley5
Transcript (English, auto-generated)

Hey, good afternoon, everybody. How are we doing? Let's learn some stuff about PowerShell. In my day job I'm mostly a simple country lawyer. I open up a computer every now and again. I remember the first time I saw PowerShell: hey, this is neat. Somebody said it's more powerful than the old Windows command line. I type in ls and there's my directory listing. Oh, this is awesome. I know this. It was like Jurassic Park. What's my IP address? ifconfig. It doesn't do anything. It doesn't do anything. I hate PowerShell. Done with this. So along those lines I'd like to use some of that power of PowerShell when I'm doing demos and doing things on my own systems, of course, and to my own systems. But it can be kind of frustrating. So what we're going to learn about now, Rich is going to show us some stuff that he's done to make evil PowerShell a lot easier. So Rich is going to give us a great talk. Let's give him a big hand.

Thanks for coming out. A lot bigger crowd than I realized here. My name is Rich Kelley. First talk, first time here at DEF CON. Give a little background on myself. CompSci background. Previously I was a comm officer in the Air Force. After I got out I became a contractor. Did some network engineering, software development, and eventually ended up in security doing pen testing, mostly for the government. Most recently branched out, co-founded a small infosec startup out of Virginia. Mostly focused on application pen testing at the moment. And in my spare time I'll occasionally release some sort of utilities that are probably only useful to me and maybe one other person.

All right. So why should you care? If you're here, you probably already know this already. But the first point is PowerShell is here to stay. It's going to be on Windows for the foreseeable future. So if you're not using it, and if you're an offensive guy and you're not using it, then you're really just kind of cheating yourself. It's a resource that's there. You don't have to put anything on disk usually. I recommend taking a look at PowerShell, and a lot of the offensive community has been focused on that lately. Also from the defense side, I get the impression that a lot of defenders aren't really aware of how dangerous it can be to give access to PowerShell. I've been on networks where as a regular user I had access to Active Directory functions within PowerShell, which is completely unnecessary. So the more we bring it up, the more secure we can make things. I was also struck by how hard it is to kind of do any sort of post mortem analysis on any sort of incident where an attacker had used PowerShell. So if you're looking for a research topic, it might be a good area to start focusing in.

Okay. So what is the PowerShell weaponization problem? I guess just to put it simply, it's how do you get your PowerShell scripts running on your target machines and effectively get your results back? I think that's probably the most simple way to put it. It may not be quite obvious, but up until a few months ago, it was actually not really that easy to kind of work PowerShell into your workflow. There were a number of scripts and tools and great libraries that came out, but I think there was still kind of this vague understanding of how you would use it on a pen test or red team engagement. So when I started this project, I was just trying to make it easier on myself, and enough people I have respect for convinced me to put in for a talk, and so here I am.

So hasn't this problem been solved? And the answer to that is yes. Certainly in the past couple of months, we've had a lot of really interesting and great tools that came out to utilize PowerShell, so the excuses are getting less and less for why you wouldn't use it on a pen test. When I started this, the thing that kind of drove me down this path is that there was this kind of fuzzy area where you gain access, do something, use PowerShell and then you're good to go. So I think that's where I started trying to fill in the gap. As I mentioned, there's a bunch of solutions recently. I think even there was one a few days ago that I'll talk about quickly that everybody should check out as well.

All right. So briefly I just wanted to go over some of the other ways you can use PowerShell, you can weaponize it. So of course if you have RDP access, you can just bring up the PowerShell executable that we all know and love. If you bypass the execution policy, you can go ahead and just import your script if you've dropped it to disk. You can copy and paste your function into PowerShell and it's loaded into memory for you to use. More than likely though, you're probably using the line on top there, which is referred to as a download cradle, where you're using a web client to reach out and download a PowerShell script that you've staged on some web server.

So the next way is if you have some sort of command shell, which is the more likely way you probably used it. In this case you can't just drop into a PowerShell interactive console like you would normally. So the nature of PowerShell and the way it works just made it more difficult to develop that type of payload. So the easy way to get around that was to use the encoded command. So there's a number of utilities that will help you with that. You just encode your script and you pass it as a command line argument to the PowerShell executable and it'll go ahead and execute that and return some results. So this is probably how most of you have probably used PowerShell on most of your tests.

If you have a Meterpreter shell, you can use a lot of Metasploit modules that make things really easy. So you can use the execute PowerShell module. This has been around for a while actually. So what's nice about this is you can stage your script on your local attack machine and Metasploit takes care of some of the heavy lifting for you. So it does the encoding in the background and passes it through the Meterpreter session to execute. I have had a few issues with it. On larger scripts it's occasionally opened up a lot of PowerShell instances. So it was flaky a couple times. Most recently, in I think it was April or May, Metasploit merged in the new interactive PowerShell payloads. To be honest, if this was around back when I started this I may not have gone down the path of building Harness. So in this case it is currently in Metasploit and it's got some really nice features. You do get an interactive console. You can also pass it a comma delimited string of file paths where all your local scripts are, so that once it runs it goes ahead and loads up all the scripts for you. So it's really nice, something you can use right now in Metasploit.

Then there's Cobalt Strike. If you have Cobalt Strike, I think this was probably the first really clean solution to the PowerShell weaponization problem that I saw. In this case if you have Beacon on a machine, and anybody who knows me knows I'm a big fan of Beacon, you can just say powershell-import, give it the path to your local script and then it does the hard work for you, sends it across the wire, loads it up in memory and you have your functions available there. So if you have Cobalt Strike this is really easy.

So some other options I just wanted to touch on briefly. So you have PowerShell remoting. This is a native capability in PowerShell. You have to have it enabled, but once it is you can actually just use PowerShell to invoke commands on a remote machine. So whether it's enabled by the administrator of the target machine or if you do it once you get on the machine, it's a nice feature and you don't have to really install anything. WMI, I'm certainly not an expert in WMI, but there's going to be a talk tomorrow I recommend you go to. I'm sure it will tell you everything you ever wanted to know about offensive WMI. Then of course Empire, this is the tool I was alluding to. It was released just a couple days ago at BSides and it's really kind of a game changer. It's a post exploitation agent implemented in PowerShell. It also has a really nice framework to help you build out modules for that. So if you haven't already checked that out I would recommend going to their website and taking a look at that.

Okay, so I'm always kind of harping on my clients to give me requirements, which is rough sometimes, but the requirements for myself, it seemed pretty simple. I wanted a fully interactive remote PowerShell console with the same capabilities as the native PowerShell executable. And I also wanted the ability to seamlessly import modules across the wire. I didn't really want to have to stage them and use the web download feature. I just wanted to say import module, give it a path and be done with it. So those were my two requirements when I set out, probably last December sometime, and working on it off and on proved to be a little more challenging than I thought. All right, so I'm going to attempt a live demo here. We'll see how this works out.

Okay, so ultimately Harness is the actual payload. So in this case it's an interactive remote PowerShell console, so it's not implemented in PowerShell actually. It's implemented in C#, so Microsoft has got a lot of functions that you can use to build out your own custom hosts. So if you want to dig into the MSDN library you can do that. The documentation on it was a little limited, so that's why I struggled quite a bit in the beginning, but here I'll show you what I have. So I've kind of bundled everything into this Python framework and it's really not the focus. It's almost a separate project, but it was an easy way to kind of get the code out to you guys and let you look at it. Ultimately you can integrate the payload into whatever your workflow is. So it's got the usual commands, show, set, things like that. In this case there's not a whole lot of modules. Like I said, it's not the focus. I have a handler and then I also have a number of payloads here. So mostly just x86 and 64 bit executables and also a reflective DLL that you can use to inject into memory, and I'll show you that here in a minute too. So if you wanted to use a payload, very similar to Metasploit here.

So in practice you probably wouldn't use the dropper unless you actually had to. You know, you try to avoid touching disk when you're on some sort of mission, but you just run it like that, you get your executable and then it's kind of up to you how you would get it to your target. So in this case I've already kind of dropped it on target. Let's see if we can get a callback. But what I really want to show you is you don't really need a special handler in this case. It will communicate with any socket. So in this case let's see if we can use netcat, and we get a nice callback here. So you don't really need anything special to get most of the features out of this. And so this isn't running powershell.exe. It's an unmanaged payload, so if there's some sort of whitelist you've avoided that.

One of the things I also wanted that you don't get in a lot of the interactive payloads is that if you notice in PowerShell you get the multiline inputs. So I really kind of wanted that feature in there. I thought it was like a hallmark of having PowerShell. So you can do stuff like this now. And what it's doing in the background is every time you send it something it's accumulating the script and it's doing a check for whether or not you have any sort of parse errors. And once it says that it's clean it goes ahead and executes it. So in this case you can get it, you can just print out. So this allows you to kind of build functions on the fly. You can try to copy and paste in there. I'm working on that problem right now. The buffers can't keep up with each other, but eventually I'd like to have that problem solved as well. All right. So that was getting kind of close to my first objective. It's not completely, it's not completely implemented yet. But I'm working through some of the bugs.

So the next thing I want to show you is if you use the handler built into the framework here you get a little more functionality. So you can load the handler here. Just run it on 80. Once again we'll execute it. And we get a callback here. So we can interact here. So now what you can do is, using the server and the client together, you can import modules across the wire. So in this case I built in some custom commands. So the only difference is the module, it'll try to send it over the wire. So this isn't doing a web download. This is actually sending it over the same comm channel as you're currently using. So in this case once you've loaded it into memory there, you can see we have all the functions from PowerUp available. So let's see if we can do Invoke-AllChecks. What I have noticed is that it does actually consume a lot of memory when you're doing things like Invoke-AllChecks. So here we go. We got the results back from Invoke-AllChecks. Nothing too exciting here.

So the next demo I want to show you is the reflective payload. In this case, rather than tempt the demo gods, I wanted to show you a video. I apologize if it's too small. So in this case you're going to run your handler like you normally would. Load up the reflective DLL, which wouldn't be possible without building on the awesome work from the Unmanaged PowerShell project and also from the ReflectivePick project. So if you haven't checked those out you should take a look at those as well. It really helped out. And of course reflective DLLs are built off all the work from Stephen Fewer. So without those three projects there's no way I could have implemented that myself. So now we're going to create a payload, in this case a DLL. Now I've already staged a Meterpreter callback from here that's running as SYSTEM. So in this case you can actually use the reflective DLL post module and you can inject it directly into memory. So inject it directly into LSASS here. Okay, so it injects into LSASS and it's going to take a minute. The 64 bit payload seems to take a little bit to kind of get ramped up, but eventually you get a callback here running as SYSTEM. Anytime now. There we go. So you get a callback and you can just interact with the session like you normally would.

So now that we're running as SYSTEM we can do things like Invoke-Mimikatz. So like I said before, you can now import your modules all the way across the wire. What I did for any sort of special functions that required handling, there's a caret symbol in front of it. I was trying to differentiate between the native PowerShell commands and then the Harness commands. So in this case I'll import Mimikatz. And just to prove that it's actually loaded into memory you can take a look at what the current process ID is: running in LSASS. So this is very similar to the capability you can get with things like Empire now. So it's going to be a lot harder to detect malicious PowerShell in the future as well. So we invoke Mimikatz. There we go. So you get your results back just like you normally would. Mimikatz, you get your password.

Okay, so under the hood the payload actually has been compiled with .NET 4.0. I think you could probably compile it down to 3.5 if you actually needed to. It does require the System.Management.Automation assembly, which is where all the internal methods come from to actually build out your own PowerShell host. Tested it on a number of systems and it should work from Windows 7 on up. As far as the server is concerned, it's almost like a separate project. I did implement it and it requires Python 3.4, but you could build your own very easily. The actual listener is using asyncio, which, if you're familiar with that, allows you to run multiple asynchronous, I guess processes, not processes but tasks, in the same thread. So in this case all of these sessions are actually running in the same thread. So that was kind of another pet project that I implemented there, but you could easily implement it in just a regular listener or something like the Metasploit framework.

So why did I choose Python? Why not Ruby? Why didn't I just go ahead and build a Metasploit module? And really it was mostly for the learning experience. It helped me to actually fill in some gaps that I had and I have a lot more appreciation now for a lot of the heavy lifting that Metasploit does behind the scenes. I also work better in Python than Ruby, so no critique there. It's just my preference. And as I mentioned, it should be easy enough to port to a Metasploit module. The payload is compatible. So reflective Harness, as you saw, can be used with DLL injects currently.

As far as defense, I haven't done too much work in this, but if you can restrict access to System.Management.Automation you can actually, you could probably stop these attacks, or even monitor any access to System.Management.Automation and kind of trigger on any sort of malicious use. You can also look and see if it's loaded into processes it shouldn't have, and then you can tell whether there is something that shouldn't be there. LSASS shouldn't have PowerShell loaded into it. Also there's new features built into PowerShell. PowerShell 5.0 actually has a lot of nice logging features, and if you were in the red versus blue talk earlier today he went over a lot of really great defense techniques.

Okay, so that's all I have. A big thanks to all these people. Wouldn't be possible without it. Thanks for answering my questions. Thanks for the encouragement. So I really appreciate it. All the code here is released on GitHub, so the address below, and that's my contact information if you have any questions. Thank you.
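The defensive check the speaker sketches at the end, written out as an added example (not code from the talk or the Harness project): enumerate processes that have the PowerShell engine, System.Management.Automation, loaded and flag any host that is not on an allow-list, with lsass.exe treated as critical. The allow-list of expected host process names is an assumption to adjust per environment.

```powershell
# Added example, not part of the talk or the Harness project: list processes that have the
# PowerShell engine (System.Management.Automation) loaded and flag unexpected hosts.
# Run from an elevated PowerShell session of the same bitness as the OS so that the
# module lists of other users' processes (including lsass.exe) are readable.

# Assumption: process names that legitimately host the engine in this environment.
# Extend this for management agents, IDEs or line-of-business apps that embed PowerShell.
$ExpectedEngineHosts = @('powershell', 'powershell_ise', 'pwsh', 'sqlps', 'ServerManager')

function Get-PowerShellEngineHost {
    [CmdletBinding()]
    param(
        [string[]]$Expected = $ExpectedEngineHosts,
        [switch]$IncludeAccessDenied
    )

    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
        } catch {
            # Protected processes (and 64-bit processes seen from a 32-bit host) refuse
            # module enumeration; report the coverage gap instead of silently skipping it.
            if ($IncludeAccessDenied) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName; Id = $proc.Id
                    User = $null; Engine = $null; Status = 'AccessDenied'
                }
            }
            continue
        }

        # The engine ships as System.Management.Automation.dll; the NGEN image is the .ni.dll.
        $engine = $modules | Where-Object {
            $_.ModuleName -in @('System.Management.Automation.dll',
                                 'System.Management.Automation.ni.dll')
        } | Select-Object -First 1
        if (-not $engine) { continue }

        $status = if ($proc.ProcessName -in $Expected) { 'Expected' } else { 'Unexpected' }
        # lsass.exe never legitimately hosts PowerShell; an engine there matches the
        # reflective-injection case shown in the talk and warrants an immediate response.
        if ($proc.ProcessName -eq 'lsass') { $status = 'Critical' }

        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            Id          = $proc.Id
            User        = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" |
                           Invoke-CimMethod -MethodName GetOwner).User
            Engine      = $engine.FileName
            Status      = $status
        }
    }
}

Get-PowerShellEngineHost | Sort-Object Status, ProcessName | Format-Table -AutoSize
```

Because a custom host like Harness embeds the engine directly, no powershell.exe process is ever created, so process-creation or command-line monitoring alone misses it; this loaded-module check, or equivalent image-load telemetry, is what surfaces it. Once the 5.0 engine is loaded, its script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) records what that host executes regardless of which process is hosting it.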