Mass Hunting and exploitation with powershell Jordan Abernathy Director of Defensive Operations @ CompSec Direct
Agenda Brief Powershell info Example usage Demo 1 (Enable Winrm via psexec) Demo 2 (Mass DNS Cache retrieval) Demo 3 (Mass Remote Command Execution) Demo 4 (Mass File Contains Search) Demo 5 (Mass File Search)
Powershell
Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework (1)
Incorporated into major Windows releases around October 2009
1. http://en.wikipedia.org/wiki/Windows_PowerShell
What can I do with pshell here?
Run multiple commands on multiple boxes
Aggregate collected information
Schedule recurring collection
Find malicious activity (Hunt)
Exploit numerous boxes
Evade AV (2) What? Yep, PowerSploit among others
2. https://www.sans.org/webcasts/fail-pen-test-98647/success
I see a lot of versions and pshell types, does it matter? Yes
XP / 2003 can only run Ver 2.0
Vista, 7, 8 / 2008, 2012 use Ver 3.0
8.1 and 2012 R2 use Ver 4.0
Each revision adds features and deprecates others. Don’t be surprised if scripts don’t work across multiple versions.
There are 4 different pshell script forms: cmdlets, which are .NET programs designed to interact with PowerShell; PowerShell scripts (files suffixed by .ps1); PowerShell functions; standalone executable programs
Enough slides, Demo Time
Network Description: Us – Windows XP SP3. Them – 5 Win XP hosts, 5 Windows 7 hosts, domain joined. Needs Kerberos authentication by default.
Task: Retrieve multiple entries from multiple systems with Pshell scripts. Parse, sort, output to CSV and other formats. Find anomalies. Push malware and malicious commands undetected: signature evasion, delivery evasion, abusing trusted applications, poor configs.
But Pshell does nothing remotely yet :-(
Need to start WinRM (Remote Management). Use psexec to make this happen:
psexec @listofboxes -accepteula -s cmd /c "winrm quickconfig -q"
Psexec uses admin$ by default, so it also needs file and printer sharing to be enabled. This command also makes firewall exceptions. Your AV may or may not allow psexec and winrm to function.
But my customer said no new services. Fine, get permission. It’s in the scope; if not, insist you can disable this with two commands:
sc stop WinRM
sc config WinRM start= disabled
Demo 1 Enable WinRM via psexec
Starts WinRM (unencrypted http over TCP 5986)
Adds Windows Firewall exceptions
Adds WinRM service in Auto mode
Demo 2 Get cached DNS Entries for beaconing remnants
$computernames = Get-Content -Path c:\sysint\comps.txt   # Read all the hostnames in the file
$session = New-PSSession -cn $computernames -cred boobooware\administrator   # Make WinRM sessions from the list into memory (have to use names, or use https for IPs, with WinRM)
$records = Invoke-Command -Session $session -ScriptBlock {ipconfig /displaydns} | Select-String "Record Name . . . . . :"
$records | Export-Csv -Path "c:\sysint\dnsrecords.csv" -NoTypeInformation   # Export-Csv emits nothing, so display from the saved variable instead
$records | Format-Table -Property * -AutoSize | Out-String -Width 4096
http://social.technet.microsoft.com/Forums/windowsserver/en-US/47ab4058-9ae5-4924-9e34-2627eb5ab15d/beginner-powershell-getting-machine-names-from-a-text-file-and-run-queries-functions-and?forum=winserverpowershell
http://technet.microsoft.com/en-us/library/dd819505.aspx
Demo 2 Cached DNS Entries
Dumps the DNS cache from 10 different hosts into a CSV file for further analysis. Any command can be substituted for the ipconfig command used for intel gathering.
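Added example, not from the original deck: the Demo 2 collection turned into a hunting function that tags each cached name with the host it came from and surfaces names cached on only a few machines (the "find anomalies" step). It reuses the comps.txt list and account from Demo 2; the function and parameter names ($ListPath, $MaxHosts) are hypothetical, and remote-side parsing uses New-Object so it still runs on the XP hosts' PowerShell 2.0.

```powershell
# Added example (not part of the original slides). Collect cached DNS record
# names from every host in the list and return the names seen on $MaxHosts or
# fewer machines; a beacon domain usually shows up on one or two hosts, not all.
function Get-RareDnsCacheEntries {
    param(
        [string]$ListPath = 'c:\sysint\comps.txt',       # hypothetical parameter names
        [int]$MaxHosts = 2,
        [pscredential]$Credential = (Get-Credential 'boobooware\administrator')
    )
    $computers = Get-Content -Path $ListPath

    # Open one session per host; keep going when some hosts are unreachable.
    $sessions = New-PSSession -ComputerName $computers -Credential $Credential `
        -ErrorAction SilentlyContinue -ErrorVariable sessionErrors
    foreach ($e in $sessionErrors) { Write-Warning "Session failed: $e" }

    # Parse the 'Record Name . . . : name' lines on the remote side. Invoke-Command
    # adds a PSComputerName property to every returned object, so each name is
    # tagged with the host that cached it.
    $entries = Invoke-Command -Session $sessions -ScriptBlock {
        ipconfig /displaydns | ForEach-Object {
            if ($_ -match '^\s*Record Name[ .]*:\s*(\S+)') {
                New-Object PSObject -Property @{ RecordName = $Matches[1].ToLower() }
            }
        }
    }
    Remove-PSSession -Session $sessions

    # Group by name and count the distinct hosts that cached it.
    $entries | Group-Object RecordName | ForEach-Object {
        $hosts = @($_.Group | Select-Object -ExpandProperty PSComputerName -Unique)
        New-Object PSObject -Property @{
            RecordName = $_.Name
            HostCount  = $hosts.Count
            Hosts      = ($hosts -join ',')
        }
    } | Where-Object { $_.HostCount -le $MaxHosts } | Sort-Object HostCount, RecordName
}

# Usage: keep the rare names in CSV for review alongside the full dump from Demo 2.
Get-RareDnsCacheEntries | Export-Csv -Path 'c:\sysint\rare-dns.csv' -NoTypeInformation
```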
Demo 3 Get EventLogs related to Last 10 Security Log entries
$computernames = Get-Content -Path c:\scripts\comps.txt
$session = New-PSSession -cn $computernames -cred boobooware\administrator
# Get-EventLog already runs on each remote host inside the session, so no -ComputerName is needed; export on our box, not theirs
$events = Invoke-Command -Session $session -ScriptBlock {Get-EventLog -LogName Security -Newest 10}
$events | Export-Csv -Path "c:\sysint\secevents.csv" -NoTypeInformation
$events | Format-Table -Property * -AutoSize | Out-String -Width 4096
Demo 3 Event Log Retrieval
Pulls the latest 10 entries for all the hosts. Requires further parsing, but delivery is almost immediate.
Demo 4 Find files across all machines containing text
# Skip directories before Select-String, which only reads files
Invoke-Command -Session $session -ScriptBlock {Get-ChildItem "C:\temp\" -Recurse -ea 0 | Where-Object { -not $_.PSIsContainer } | Select-String -Pattern "administrator" | Group-Object Path | Select-Object Name} | Format-Table -Property * -AutoSize
Demo 5 Find file across all machines with filename equals
Invoke-Command -Session $session -ScriptBlock {Get-ChildItem "C:\windows\system32\drivers\" -Recurse -ea 0 -Filter booms.sys.txt | Group-Object Path | Select-Object Name} | Format-Table -Property * -AutoSize
QA on Pshell