Pentesting with Powershell by Rajganesh Pandurangan
Rajganesh (Raj) Pandurangan - OSCP, CISSP, CEH, QSA, PA-QSA, MCSD.NET
Email: prajganesh@gmail.com
Senior Managing Consultant at U.S. Bank
- 16 years of security consulting experience
- Results-driven success across a multitude of Fortune 100 companies

Consulting Services
- Web application security assessment
- Mobile security assessment
- Network penetration testing
- Wireless security testing
- Security code review
- Payment Card Industry assessment
- Security gap assessment
- Implementing effective security solutions and strategies
Web Applications and Exploitation Distro (WAED)
Site: http://www.waed.info
Features:
- WAED is based on the Debian 8.0 distribution
- Uses Docker to provide a sandboxed environment
- Pre-installed web application testing tools
- 13 pre-installed vulnerable web applications
- Each application can be started separately
DEMO
What is Powershell
- Microsoft's attempt to make admins use the command line
- Task automation and configuration management framework
- Command line shell and scripting language
- Built on the .NET Framework
- Provides full access to WMI and COM
- Performs administrative tasks on local and remote Windows systems
- Great for log parsing and WMI queries
- Available by default on Windows 7 and up
What is Powershell (contd.) - Security
- Lot of work in DFIR - http://www.invoke-ir.com
- DLL injection
- WMI abuse
- Hard to protect against attacks
Pentesting Methodology
Lab setup (text recovered from the network diagram):
- External testing: Host Machine (Mac), Kali Linux
- External DMZ: PFSENSE (Firewall, IDS, IPS, DNS, DHCP) - ports 80, 443 - 192.168.15.100 (DHCP)
  Reference: https://www.youtube.com/playlist?list=PLE726R7YUJTePGvo0Zga2juUBxxFTH4Bk
- Internal: Windows 2012 Domain Controller, DNS - 192.168.15.248
  References: https://www.youtube.com/watch?v=50VhoeG_6rY
  http://www.rebeladmin.com/2014/07/step-by-step-guide-to-setup-active-directory-on-windows-server-2012/
- Internal: Debian - WAED, Kali Linux (internal testing) - 192.168.15.249
- Internal: Windows 7 - 192.168.15.125
- Internal: Windows 8
- Internal: Windows 10 - 192.168.15.135
  References: https://www.youtube.com/watch?v=w1QPijf4Wa0
  https://www.youtube.com/watch?v=9Rs4RSfTgL0
Tools Required for Offensive Powershell
- Nishang - https://github.com/samratashok/nishang
- Powersploit - https://github.com/PowerShellMafia/PowerSploit
- Empire - https://github.com/PowerShellEmpire/Empire
- Posh-SecMod - https://github.com/darkoperator/Posh-SecMod
- PSAttack - https://github.com/jaredhaight/PSAttack
- PowerUPSQL - http://seclist.us/powerupsql-a-powershell-toolkit-for-attacking-sql-server.html
Few Important Scripts
- Invoke-CredentialsPhish
- Import-Module
- Port-Scan
- Out-CSV, Out-Excel
- Get-Help
- Get-NetComputer
- Get-NetDomainController
- Get-NetUser, Get-NetUser -user pentest3
- Get-NetLocalGroup
- Invoke-FileFinder
- Find-LocalAdminAccess
- Invoke-UserHunter
- Get-ServiceUnquoted
- Invoke-TokenManipulation -enumerate
- Invoke-TokenManipulation -createprocess "cmd.exe" -username "NT AUTHORITY\SYSTEM" (ls hklm:\security)
- Get-PassHashes
- Invoke-Mimikatz
- Invoke-AllChecks
- Get-GPPPassword
Powershell Empire
http://www.powershellempire.com
- Powerful post-exploitation framework built on PowerShell
- Integrates tools from Powersploit
- Easily extensible