
Mass Hunting and exploitation with powershell


Presentation on theme: "Mass Hunting and exploitation with powershell"— Presentation transcript:

1 Mass Hunting and exploitation with powershell
Jordan Abernathy Director of Defensive CompSec Direct

2 Agenda
Brief PowerShell info
Example usage
Demo 1 (Enable WinRM via psexec)
Demo 2 (Mass DNS cache retrieval)
Demo 3 (Mass remote command execution)
Demo 4 (Mass file contents search)
Demo 5 (Mass file search)

3 PowerShell
Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework (1).
Incorporated into major Windows releases around October 2009.

4 What can I do with pshell here?
Run multiple commands on multiple boxes
Aggregate collected information
Schedule recurring collection
Find malicious activity (hunt)
Exploit numerous boxes
Evade AV (2). What? Yep, PowerSploit among others.

5 I see a lot of versions and pshell types, does it matter?
Yes.
XP and 2003 can only run Ver 2.0
Vista, 7, 8 and 2008/2012 use Ver 3.0
8.1 and 2012 R2 use Ver 4.0
Each revision adds features and deprecates others; don't be surprised if scripts don't work across multiple versions.
There are 4 different pshell script forms:
cmdlets, which are .NET programs designed to interact with PowerShell
PowerShell scripts (files suffixed by .ps1)
PowerShell functions
Standalone executable programs

6 Enough slides, demo time
Network description
Us: Windows XP SP3
Them: 5 Win XP hosts, 5 Windows 7 hosts, domain joined; needs Kerberos authentication by default
Tasks
Retrieve multiple entries from multiple systems with pshell scripts
Parse, sort, output to CSV and other formats
Find anomalies
Push malware and malicious commands undetected: signature evasion, delivery evasion, abusing trusted applications, poor configs

7 But pshell does nothing remotely yet :-(
Need to start WinRM (Windows Remote Management). Use psexec to make this happen, with the arguments:
-accepteula -s cmd /c "winrm quickconfig -q"
psexec uses admin$ by default; it also needs file sharing to be enabled.
This command also makes firewall exceptions.
Your AV may or may not allow psexec and WinRM to function.
But my customer said no new services. Fine, get permission. It's in the scope; if not, insist you can disable this with two commands:
sc stop WinRM
sc config WinRM start= disabled

8 Enable WinRM via psexec
Demo 1: Enable WinRM via psexec
Starts WinRM (unencrypted http over TCP 5986)
Adds Windows Firewall exceptions
Adds the WinRM service in Auto mode


10 Demo 2 Get cached DNS entries for beaconing remnants
$computernames = Get-Content -Path c:\sysint\comps.txt   # read all the hostnames in the file
# Make WinRM sessions from the list into memory (have to use names, or use https for IPs with WinRM)
$session = New-PSSession -ComputerName $computernames -Credential boobooware\administrator
# Run ipconfig on every host at once and keep only the "Record Name" lines
$records = Invoke-Command -Session $session -ScriptBlock { ipconfig /displaydns } | Select-String "Record Name :"
# Export-Csv emits nothing downstream, so write the file and display the table as two separate steps
$records | Export-Csv -Path "c:\sysint\dnsrecords.csv" -NoTypeInformation
$records | Format-Table -Property * -AutoSize | Out-String -Width 4096

11 Demo 2 Cached DNS Entries
Dumps the DNS cache from 10 different hosts into a CSV file for further analysis. Any command can be substituted for the ipconfig command used here for intel gathering.
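An added example, not from the slides or the speaker's scripts: a parser for the ipconfig /displaydns text that Demo 2 collects, plus the "find anomalies" step from slide 6, reporting record names cached on only one host so a rare lookup stands out from the ones every host shares. The function names and the sample cache lines are constructed for this example.

```powershell
function ConvertFrom-DnsCacheText {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$Lines
    )
    # Each cache entry begins with "Record Name . . . . . : <name>"; the type and TTL lines follow it.
    foreach ($line in $Lines) {
        if ($line -match '^\s*Record Name\s*[.\s]*:\s*(\S+)\s*$') {
            [pscustomobject]@{
                PSComputerName = $ComputerName
                RecordName     = $Matches[1].TrimEnd('.').ToLowerInvariant()
            }
        }
    }
}

function Find-RareDnsRecords {
    param(
        [Parameter(Mandatory)][object[]]$Records,  # objects with PSComputerName and RecordName
        [int]$MaxHosts = 1                         # report names cached on this many hosts or fewer
    )
    $Records |
        Group-Object -Property RecordName |
        ForEach-Object {
            $hosts = @($_.Group | Select-Object -ExpandProperty PSComputerName -Unique)
            [pscustomobject]@{
                RecordName = $_.Name
                HostCount  = $hosts.Count
                Hosts      = ($hosts -join ';')
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object -Property HostCount, RecordName
}

# Constructed sample (hostnames and record names are made up): two hosts share the same
# proxy and update lookups, and one host has an extra name nobody else resolved.
$sample = @{
    'WS01' = @('    Record Name . . . . . : wpad.boobooware.local', '    Record Type . . . . . : 1',
               '    Record Name . . . . . : updates.example', '    Record Type . . . . . : 5')
    'WS02' = @('    Record Name . . . . . : wpad.boobooware.local', '    Record Type . . . . . : 1',
               '    Record Name . . . . . : updates.example', '    Record Type . . . . . : 5',
               '    Record Name . . . . . : only-on-ws02.example', '    Record Type . . . . . : 1')
}
$records = foreach ($h in $sample.Keys) { ConvertFrom-DnsCacheText -ComputerName $h -Lines $sample[$h] }
# In the real run, feed each host's Invoke-Command output to ConvertFrom-DnsCacheText with that host's name.
Find-RareDnsRecords -Records $records | Format-Table -AutoSize
```

With the sample above only only-on-ws02.example is reported, with HostCount 1 and Hosts WS02; raise -MaxHosts to widen the net on a larger fleet.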

12 Demo 3 Get the last 10 Security event log entries
$computernames = Get-Content -Path c:\scripts\comps.txt
$session = New-PSSession -ComputerName $computernames -Credential boobooware\administrator
# Query each host's own Security log inside its remote session; results come back tagged with PSComputerName
$events = Invoke-Command -Session $session -ScriptBlock { Get-EventLog -LogName Security -Newest 10 }
# Write the CSV locally (exporting inside the script block would leave the file on the remote host), then display
$events | Export-Csv -Path "c:\sysint\secevents.csv" -NoTypeInformation
$events | Format-Table -Property * -AutoSize | Out-String -Width 4096

13 Demo 3 Event Log Retrieval
Pulls the latest 10 entries from all the hosts. Requires further parsing, but delivery is almost immediate.

14 Demo 4 Find files across all machines containing text
# $session is the set of WinRM sessions opened in Demo 2
Invoke-Command -Session $session -ScriptBlock {
    Get-ChildItem "C:\temp\" -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern "administrator" |
        Group-Object -Property Path |
        Select-Object -Property Name
} | Format-Table -Property * -AutoSize

15 Demo 5 Find file across all machines with filename equals
Invoke-Command -Session $session -ScriptBlock {
    Get-ChildItem "C:\windows\system32\drivers\" -Recurse -ErrorAction SilentlyContinue -Filter booms.sys.txt |
        Group-Object -Property FullName |   # FileInfo objects expose FullName, not Path
        Select-Object -Property Name
} | Format-Table -Property * -AutoSize

16 QA on Pshell

