Published by Clifton Goodman. Modified over 8 years ago.
1
EXCELLENCE AS STANDARD
PowerShell Fu with Metasploit
“Interactive PowerShell Sessions in Metasploit”
4th July 2015
Presented to SteelCon
Presented by Ben Turner & Dave Hardy
2
:: HOW ARE BUSINESSES EVOLVING?
:: WHOAMI /groups
o Dave Hardy @davehardy20
o Ben Turner @benpturner
o Hacker / Penetration Tester
Nettitude Limited: 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire CV31 3RZ
Nettitude Inc: 222 Broadway, 19th Floor, New York NY 10038
3
What is Metasploit?
4
:: Metasploit
o De facto penetration testing framework!!
@hdmoore
5
What is PowerShell?
6
:: PowerShell
Command prompt on steroids!!
7
:: PowerShell
o Introduced in May 2009, PowerShell version 1.0 was released on Vista
  - Object-oriented
  - Incorporates .NET objects and forms
  - More functions compared to cmd.exe and VBScript
  - More extensible via cmdlets, plugins
  - Background jobs
8
Why do we need PowerShell?
9
:: Microsoft has really got behind PowerShell
Examples are many, but here are a few notable ones:
o Windows Server 2012 Core
  o It is possible to re-add the GUI, but it needs a reboot
o Windows Nano Server
  o A cut-down minimal ‘JeOS’ build of Windows Server, manageable via PowerShell/DSC
o PowerShell 5
  o So many new features and cmdlets, but most notably online repositories, ‘apt-get’ for Windows
o New versions of Windows Server, aka Server 2016, default to a core install
o PowerShell is at the ‘heart’ of the OS now
o Allows us to do so many cool things, and ‘MOSTLY’ undetected
o SSH support is coming!
10
Why should pentesters use PowerShell?
11
:: PowerShell-Based Tools
o PowerSploit, PowerTools, Nishang, Inveigh, Powercat, Get-Packet (Wireshark)
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-TimedScreenshot.ps1
o https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
o https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/PowerUp.ps1
o https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1
o https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
o https://github.com/samratashok/nishang
12
:: What did we have before in Metasploit?
o Not much… We could execute one PowerShell script at a time and get results
o Slow, not very intuitive
o Nothing preserved between running scripts <– This is important!
13
:: Demo Environment
14
:: Demo – Old Way
15
Some background
16
:: The old way functional, but in no way ideal!!
“Background – Development Evolution”
o Borne out of the need to easily import tools like PowerSploit into a PoSH session
o Developed scripts to achieve this, but physical or RDP access was required
o Why not use Metasploit? Developed a PoC to return a PoSH session, with PowerCat
17
So what’s new!!
18
:: MSF Interactive PowerShell Sessions
“We have developed, for Metasploit, a PowerShell session that gives us an ‘on the box’-like session to run PowerShell commands, modules and scripts”
19
:: MSF Interactive PowerShell Sessions
“This was not a trivial task”
o 7 new pull requests
o 10 new modules/payloads/classes added to Metasploit git repository
o 178 comments, suggestions, mainly from: @hdmoore, @meatballs, @mubix, @thecolonial, @sempervictus
20
:: AND………
“We have added functionality to ‘Weaponise’ the PowerShell session”
21
:: MSF Interactive PowerShell Sessions
“Everything is done in memory”
o No pesky anti-virus interference
o Most antivirus doesn't see inside PowerShell sessions.
22
:: Demo – New Way
23
:: Powerfun Code (Lines 1 – 37)
24
:: Powerfun Code (Lines 38 – 75)
25
Further Development
26
:: We have not rested on our Laurels (or Hardy’s)
“New Metasploit Pull Requests”
o 64-bit PowerShell sessions
o SSL support for all payloads
o Reverse HTTP that is proxy aware
o Load_Script – Silver Bullet
o Simple POST modules
o Re-writing of ‘mixin’ modules
27
Demo – 64-bit and LOAD_SCRIPT module
28
:: Demo – 64-bit Payloads & Load_Script Module
29
:: Demo – Proxy Aware HTTP Payload
30
:: How to write a simple Post Module
31
Blue Team Approach
32
:: Time to be responsible hackers
“It is possible to stop this attack”
o Close monitoring of eventlog
o GPO – Blacklist Powershell.exe
o Local Windows Firewall ‘Egress’ rules
33
:: Time to be responsible hackers
Close monitoring of eventlog
Would only detect initial script
34
:: Time to be responsible hackers
GPO – Blacklist Powershell.exe
35
:: Time to be responsible hackers
Local Windows Firewall ‘Egress’ rules
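As an added example of the controls the blue-team slides list (eventlog monitoring and local firewall egress rules), the script below applies and checks them from an elevated PowerShell prompt on a Windows host running PowerShell 5. It is not code from the deck, from Nettitude or from the Metasploit project. The registry paths, cmdlets and event IDs are the documented Windows ones; the rule names, the marker list and the function name Find-SuspiciousScriptBlock are my own choices. It goes a step beyond the slide's "would only detect initial script" caveat: with script block logging enabled, every block the engine compiles, including the in-memory ones loaded after the initial script, is written to the Operational log as event 4104.

```powershell
# Added example (not from the SteelCon deck or Metasploit): apply and check the
# eventlog and egress controls from the Blue Team slides. Run elevated on PS 5.
#Requires -RunAsAdministrator

# 1. Eventlog monitoring: script block logging writes every compiled script block
#    (initial script and anything later loaded in memory) to
#    Microsoft-Windows-PowerShell/Operational as event ID 4104.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging (event ID 4103) records pipeline execution for the listed
# modules; the value name '*' with data '*' covers every module.
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*'

# 2. Review what has been logged: pull recent 4104 events and flag the ones whose
#    script text contains markers of the in-memory tradecraft the talk describes
#    (download-and-run, reflection, encoded commands). Marker list is my own.
function Find-SuspiciousScriptBlock {
    param([int]$MaxEvents = 500)
    $markers = 'DownloadString', 'Invoke-Expression', 'FromBase64String',
               'System.Reflection.Assembly', 'VirtualAlloc', '-EncodedCommand'
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property index 2 of a 4104 event is the ScriptBlockText field.
        $text = [string]$_.Properties[2].Value
        $hit = $markers | Where-Object { $text -match [regex]::Escape($_) }
        if ($hit) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Markers = ($hit -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# 3. Local Windows Firewall egress rules: block outbound connections from both
#    the 64-bit and the 32-bit (SysWOW64) powershell.exe, since the deck's
#    payloads come in both flavours. Rule names are my own; add allow rules for
#    legitimate management hosts as your environment requires.
$psExes = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
          "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
foreach ($exe in $psExes) {
    if (Test-Path $exe) {
        New-NetFirewallRule -DisplayName "Block outbound $exe" -Direction Outbound `
            -Program $exe -Action Block -Profile Any | Out-Null
    }
}

Find-SuspiciousScriptBlock | Format-Table -AutoSize
```

The GPO item from the slides (blacklisting Powershell.exe) is set in Group Policy through AppLocker or Software Restriction Policies rather than from this script. Two caveats on the logging half: event 4104 only exists once the PowerShell 5 engine is in use, so the script block check above finds nothing on hosts still on PowerShell 2 or 3, and a host that keeps the optional PowerShell 2.0 engine installed can still run scripts under that engine without script block logging, so removing the "Windows PowerShell 2.0" feature is part of making this control hold.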
36
:: We have not rested on our Laurels (or Hardy’s)
https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/
37
Any Questions?