EXCELLENCE AS STANDARD
PowerShell Fu with Metasploit: "Interactive PowerShell Sessions in Metasploit"
4th July 2015, presented to SteelCon
Presented by Ben Turner & Dave Hardy
:: HOW ARE BUSINESSES EVOLVING?
:: WHOAMI /groups
o Dave
o Ben
o Hacker / Penetration Tester
Nettitude Limited: 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire CV31 3RZ
Nettitude Inc: 222 Broadway, 19th Floor, New York, NY 10038
What is Metasploit?
o De facto penetration testing framework!!
What is PowerShell?
:: PowerShell
Command prompt on steroids!!
:: PowerShell
o Introduced in May 2009, PowerShell version 1.0 was released on Vista
  - Object-oriented
  - Incorporates .NET objects and Forms
  - More functions compared to cmd.exe and VBScript
  - More extensible via cmdlets, plugins
  - Background jobs
Why do we need PowerShell?
:: Microsoft has really got behind PowerShell
Examples are many, but here are a few notable ones:
o Windows Server 2012 Core
  o It is possible to re-add the GUI, but it needs a reboot
o Windows Nano Server
  o A cut-down, minimal 'JeOS' build of Windows Server, manageable via PowerShell/DSC
o PowerShell 5
  o So many new features and cmdlets, but most notably online repositories, 'apt-get' for Windows
o New versions of Windows Server, aka Server 2016, default to a core install
o PowerShell is at the 'heart' of the OS now
o Allows us to do so many cool things, and 'MOSTLY' undetected
o SSH support is coming!
Why should pentesters use PowerShell?
:: PowerShell-Based Tools
o PowerSploit, PowerTools, Nishang, Inveigh, Powercat, Get-Packet (Wireshark)
:: What did we have before in Metasploit?
o Not much... We could execute one PowerShell script at a time and get results
o Slow, not very intuitive
o Nothing preserved between running scripts <- This is important!
:: Demo Environment
:: Demo – Old Way
Some background
:: The old way: functional, but in no way ideal!!
"Background – Development Evolution"
o Born out of the need to easily import tools like PowerSploit into a PoSH session
o Developed scripts to achieve this, but physical or RDP access was required
o Why not use Metasploit? Developed a POC to return a PoSH session, with PowerCat
So what's new!!
:: MSF Interactive PowerShell Sessions
"We have developed, for Metasploit, a PowerShell session that gives us an 'on the box'-like session to run PowerShell commands, modules and scripts"
:: MSF Interactive PowerShell Sessions
"This was not a trivial task"
o 7 new pull requests
o 10 new modules/payloads/classes added to the Metasploit git repository
o 178 comments, suggestions, @sempervictus
:: AND.........
"We have added functionality to 'weaponise' the PowerShell session"
:: MSF Interactive PowerShell Sessions
"Everything is done in memory"
o No pesky anti-virus interference
o Most antivirus doesn't see inside PowerShell sessions
:: Demo – New Way
:: Powerfun Code (Lines 1 – 37)
:: Powerfun Code (Lines 38 – 75)
Further Development
:: We have not rested on our Laurels (or Hardy's)
"New Metasploit Pull Requests"
o 64-bit PowerShell sessions
o SSL support for all payloads
o Reverse HTTP that is proxy aware
o Load_Script – silver bullet
o Simple POST modules
o Re-writing of 'mixin' modules
Demo: 64-bit and LOAD_SCRIPT module
:: Demo – 64-bit Payloads & Load_Script Module
:: Demo – Proxy Aware HTTP Payload
:: How to write a simple Post Module
Blue Team Approach
:: Time to be responsible hackers
"It is possible to stop this attack"
o Close monitoring of the event log
o GPO – blacklist powershell.exe
o Local Windows Firewall 'egress' rules
:: Time to be responsible hackers
Close monitoring of the event log
o Would only detect the initial script
:: Time to be responsible hackers
GPO – blacklist powershell.exe
:: Time to be responsible hackers
Local Windows Firewall 'egress' rules
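The three Blue Team controls on the slides above (event log monitoring, a powershell.exe blacklist pushed by GPO, and local firewall egress rules) as one runnable PowerShell script. This is an added example for this page, not code from the talk or from Metasploit. It assumes an elevated PowerShell 5 console on the monitored host, that Script Block Logging has been turned on (Event ID 4104 in Microsoft-Windows-PowerShell/Operational, which records each script block as it executes, so blocks loaded into memory after the initial script are logged too), and that the GPO blacklist was deployed as an AppLocker deny rule. The indicator strings, rule names and the 24-hour window are constructed for the example.

```powershell
# Added example (not from the talk): checks and controls matching the Blue Team slides.
# Run in an elevated PowerShell 5 console. Indicator list and rule names are constructed.

# --- 1. Event log: pull Script Block Logging events (ID 4104) and flag in-memory loaders ---
# Properties[2] of a 4104 event is the script block text. Blocking on plain strings is
# deliberately simple; obfuscated loaders need a richer rule set.
$Indicators = @('Invoke-Expression', 'IEX', 'DownloadString', 'FromBase64String',
                '-EncodedCommand', 'Reflection.Assembly')

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
                 Id        = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = $Indicators | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Hits    = ($hits -join ',')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# --- 2. GPO blacklist: does the effective AppLocker policy deny both PowerShell hosts? ---
# Both the 64-bit host and the 32-bit copy under SysWOW64 are checked, since the talk
# covers 64-bit sessions and a rule that only names one image leaves the other open.
$PowerShellHosts = @(
    (Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe')
) | Where-Object { Test-Path $_ }

function Test-PowerShellBlocked {
    # PolicyDecision is Denied/DeniedByDefaultRule when the blacklist is effective
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $PowerShellHosts -User Everyone
}

# --- 3. Local firewall egress rules: block outbound traffic from each PowerShell host ---
function Add-PowerShellEgressBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($exe in $PowerShellHosts) {
        $name = "Block egress - $exe"                      # constructed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            if ($PSCmdlet.ShouldProcess($exe, 'Create outbound block rule')) {
                New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
                    -Action Block -Profile Any -Enabled True | Out-Null
            }
        }
    }
}

# Usage
Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
Test-PowerShellBlocked | Format-Table FilePath, PolicyDecision
Add-PowerShellEgressBlock -WhatIf        # drop -WhatIf to create the rules
```

The firewall rule and the AppLocker check both match on the process image, so a runspace hosted by some other executable (anything that loads System.Management.Automation) is not covered by them; the 4104 events are the control that still sees those script blocks, which is why the example keeps all three together rather than relying on the egress rule alone.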
Any Questions?