DEF CON 25 - Lee Holmes - Get $pwnd: Attacking Battle Hardened Windows Server

Captions
All right everybody, thanks for coming here. 10:00 a.m. is early; I could barely convince myself to wake up for this talk, so I don't know how you're doing it. I'm Lee Holmes. I am the lead security architect for Azure Management at Microsoft. I'm the author of the Windows PowerShell Cookbook and have also been a developer of PowerShell since its early versions, so you may know me from such parameters as ExecutionPolicy Bypass or other such things.

So let's do some context right here. So you're on an engagement, you phish somebody, you get inside the network, you find some creds and you've got some code execution. So you do a little bit of recon, you find out that somebody's been connecting up to a machine. That machine has one port open. Recognize that one? 5985, there you go, that's WSMan, PowerShell. So you've got PowerShell, you've got creds, this is gonna be a good day, right? You connect up using PowerShell to that machine they're connecting to. I don't know, 15, 20 commands, that seems a little bit off, but you plow on. You plow on: whoami, you run that thing, you see that you're the DNS administrator. DNS is almost always co-located with Active Directory, so you're good: you've got creds, you've got PowerShell, you're on a DC as the DNS admin. You decide to burrow yourself a little bit deeper. You add in another account, and here's what you get: you get an error. That's kind of weird, so you move on. You try to run one of those traditional download cradles; that doesn't work either. You get an error that you're in Constrained Language Mode and you're not allowed to run that kind of stuff. You're like, this is weird, why? I'm a DNS admin. Let me see if I can restart the DNS server. That works just fine, but then you try to restart WinRM and that doesn't work. So what's going on here? You're against, obviously, a target of a completely different category than you've run into before. You, my friends, have run into Just Enough Administration.

Just Enough Administration is the idea that admins are your attack surface and you cannot treat them as your buddies anymore. So you might say, Lee, are you saying that we get rid of admins? No, no, no, of course we need admins. But here's the issue: people make mistakes, sometimes they're just bad actors, but the big thing to realize is that everything they can do, an attacker can do as well. All the stuff you see about PowerShell is just unauthorized administration, so if you're worried about PowerShell attacks, you should be worried about your administrators. So wouldn't it be great if people didn't need these huge admin privileges for their jobs? What if you popped a machine and you didn't get all these high-value creds that people are leaking everywhere? And what if you didn't need to give them full domain admin to just manage DNS? What if you could just give them the stuff they needed to do their actual jobs? And of course logging: what if everything that happened on a machine got logged, and when a bad thing happened you could always go back and take a look?

So the answer there is Just Enough Administration. This is based on the security features that have been in PowerShell since 2008, so Exchange Online uses this really, really heavily; they're putting Just Enough Administration based principles to the entire internet. So it's based on three simple concepts. One is role capabilities, so this is making sure and defining what people are allowed to do when they connect. Then there's the endpoint, which is the configuration that happens when they connect to the machine itself. And then you've got the identity, so this is, when they connect, what is the identity that runs the commands that this person is running. So these three things together are what lets you lock down a machine like crazy.

A good way to think about this: you know, your security exposure on a given machine is kind of two things. It's the time that somebody has access to the machine, but it's also the capability of what they can do. So we've done a pretty good job as an industry of starting to lock down the time. We've got all sorts of PAM modules and all that kind of stuff that will say, hey, this is just-in-time admin, you're only allowed to do a certain task once you ask for privilege, and then you're only allowed to do it, let's say, between nine and five, something like that. So we're starting to see some good stuff to do this kind of lockdown. Just Enough Administration is all about the capability. So yeah, sure, somebody's got access for a given amount of time, but why do you need to give them full access to the domain controller once the service ticket is open? So combining the two, this is what your attack surface reduction can look like. So it seems like it's kind of a cool thing, being able to reduce your attack surface by this much. I was talking with this guy on Twitter about it; it was kind of going very slow, and it made me realize that some people are very slow learners. Edward Snowden, you think he might realize the danger of an admin running amok, but obviously not. This thread didn't make it much further.

Now how does somebody actually go through and do one of these Just Enough Administration lockdowns? The first part is defining role capabilities, so this is what a person can do, and it really is this simple. You can say that when they connect, you import the DnsServer module and here are the five cmdlets that they're allowed to run. But what you can also do is declare your own functions, so if a built-in cmdlet isn't good enough you can define a function that says whoami, and this is the example that you saw before. So this is a custom written function that you want to expose.

Then you've got the endpoint itself, so this is defining what happens when somebody connects. The key point with Just Enough Administration is that you say the session type is RestrictedRemoteServer. Of course you want to log all the things, so you set up a transcript directory; everything that you do comes and goes through this transcript directory, so you can audit this at all times. I'll get into the run-as virtual account in a second; that's your definition of what identity you want these things to run as, so the run-as virtual account is the best one you want to use here. And then you configure the role definitions, so this is me saying that when the DNS admin connects (this can be either a principal or a group), when they connect they get the role capabilities of, let's say, DNS maintenance, and that's really just a reference to what you saw in that last slide.

Identity is the big one here. So by default when you connect up with PowerShell, the identity that you use is the connecting user. So when Lee connects up to a machine, well then that process runs as Lee, whatever. You can do a named identity; that's being able to configure a very specific domain account. You might need this for some specific reasons. A danger with a named identity: if that endpoint gets popped, then you do have an issue of, well, then somebody can steal the creds of that named identity and do stuff with it, so you want to be very, very careful with that named identity. A virtual account, that's kind of what happens in IIS when you can have a temporary local administrator. Windows handles all the password maintenance; you don't need to worry about rotating these, nothing else. When DNS admin connects up, this now runs as a local administrator, but just without a password that you have to worry about rotating. And then you have group managed service accounts. These are the same thing as a named identity, but this is the kind of identity that Active Directory will automatically rotate and manage passwords for you. So that's a very, very strong option if you don't want to have to deal with that kind of password maintenance.

And what makes things super cool is you can even get really, really deep into fine-grained proxy control. So you saw there that somebody was able to run and they were able to restart the DNS service, but they weren't able to restart the WinRM service. So here's an example of somebody restricting Restart-Service and using some parameters that say the Name parameter, I'm gonna lock this down to only the DNS or the DNS Cache services. So you can get super, super hardcore on this.

So you might say, here, this is Fort Knox, this is like, what am I gonna do, this is the impenetrable wall. Somebody's actually got their stuff together; they're not a whale, they're not just deploying a server with no patches. What can they actually do to start getting some... what can you do if you're on an engagement trying to attack one of these things? Turns out there are a couple things, and I guarantee you, everything I'm gonna show you next, I could be pulling up Kali, I can show you some shells raining, but we don't have the time for the applause in 20 minutes, so I'm gonna skip on that.

The first thing is ports, right? I showed you this wonderful world of connecting to a machine where all you've done is expose PowerShell remoting, but realistically you're gonna run into systems where somebody's still doing things like exposing RDP or Telnet or something like that. So if you've got creds and they're also letting you use those creds for RDP, well then, yeah, just RDP in and whatever. So Just Enough Administration, all it can do is lock down PowerShell access, so there's the first kind of misconfiguration you're gonna see.

But here's another example. I showed you locking down, you know, a handful of cmdlets, but with some cmdlets it's not immediately obvious what's going on. So here's an example from Matt Weeks' scriptjunkie, where if you expose something like, hey, I'm gonna give an endpoint where I can join systems into the domain, well hey, if you're an attacker and you get access to that cmdlet, you don't have to pick it, you don't have to add it to the domain that the enterprise wants; you can also add it to your own domain and start pushing out malicious group policies or something like that. So the commands are not always obvious.

Language mode is another huge one. I showed you back there trying to run any script, and that didn't work. Well, here's an example of somebody trying to make it a bit more friendly and using a version of PowerShell called Constrained Language Mode. So Constrained Language Mode at first blush looks like it's pretty cool: I can't do arbitrary scripting or anything like that. But the big thing with JEA, this is why Constrained Language is a bad idea: if you take a look on the right-hand side, the way that JEA controls the access is it places a very big distinction between the functions that you expose to the user and then the capability that you're allowed to run as part of one of those functions. So if you do Constrained Language, in Constrained Language you're allowed to create new functions, and so all you've got to do is create a new function, and that function now can run anything you want; that is no longer restricted. And so you create a new one and then you've completely bypassed anything somebody's put in when it comes to a JEA restriction on commands. So, NoLanguage mode: if you ever see anything but that, they have a complete RCE and that's your way in.

But by far, by far, your biggest danger is vulnerable functions, code. You know, if you saw the session before on all the Ethereum vulnerabilities, it's all about the code, right? When you're letting people expose any sort of functions to untrusted input, they're gonna make mistakes. Command injection: there's nothing new about command injection in our industry. It turns out if somebody is writing a PowerShell function, they can just as easily write a command injection vulnerability when it comes to their functions. So here's an example of somebody taking user input and then for some reason deciding to call PowerShell directly and injecting that user input. Like anything you're used to in the past, you can put a semicolon in there and run arbitrary commands. And it's not just PowerShell, of course; if they're calling CMD for some reason, you can also inject that user input there and get arbitrary CMD injection.

By far the biggest thing that you're going to see, though, are vulnerable functions. So this is somebody doing Invoke-Expression, and Invoke-Expression is almost never needed in PowerShell itself. Here's an example of somebody thinking they want to take some user input, for example the process name, and call Get-Process with that name. And what you'll normally see is that they're used to doing things from Python or whatever, where you do an exec call or a system call, so this is somebody trying to do that with Get-Process. That's a bad idea. Invoke-Expression says, PowerShell, I'm going to give you a chunk of script, run whatever I give you. User input can contain semicolons or any sort of download cradle, and you're done there. There are a bunch of obscure forms of script injection coming here from InvokeScript, CreateNestedPipeline, AddScript, so make sure to keep your eyes on those.

But here's an example of it being done correctly. It turns out you almost never need Invoke-Expression in PowerShell. Of course, in PowerShell I can take arbitrary user input and just provide that as a variable to a parameter name. If I don't know the parameter name beforehand, I could also dump things into a hashtable, the parameters and their values, and do something called splatting that on a cmdlet; that's the at sign, @parameters there. So this is a way to invoke a cmdlet with parameters that you don't know beforehand, still without any sort of injection vulnerabilities. And even if you don't know the cmdlet beforehand, you can use the invocation operator and still get the same thing. So this is the best approach; this is what people should be moving forward to.

But sometimes you'll see somebody who thinks that they're aware of the Invoke-Expression vulnerability, and what they decide to do here is, well, I'm going to do Get-Process -Name, I'm going to escape the user input with single quotes, because single quotes are kind of the safest kind of thing in PowerShell, and the line before that, I'm going to escape out single quotes with single quotes. You see this with people trying to prevent SQL injection a lot of times. But here's the issue: PowerShell was raised in the world of Outlook and Exchange and Word, where there are all kinds of quotes. There are curly quotes, there are back quotes, hanging quotes, there are like six kinds of quotes in PowerShell. The version you see here only escapes one of them; use any other form of quote and you're right through this.

Sometimes you'll see script block injection. So script block injection is when somebody wants to take user input and then take that input and run it via PowerShell remoting on another system. So here is somebody who takes a script block based on user input, but they need to create a script block, and they do this with a string that can be injected as well. There's an obscure form of this as well: you see the new script block with a string that can be injected. So there are a bunch of ways to make sure you're not doing that, and that's the approach you want to take.

String expansion is another thing that you'll sometimes see, where somebody wants to take a variable and figure out the value of that variable, so they use the ExpandString API. There are a couple versions of that exposed through ExecutionContext as well that can go through some string expansion vulnerabilities itself, and so you don't want to be using ExpandString on user input. The best thing you want to do is use the Get-Variable cmdlet to figure out the current value of a variable.

There are some obscure ones here. Method injection: if you're taking user input and using it in the ForEach cmdlet, you can start to run arbitrary methods, arbitrary functions there; you don't want to make that happen. You've got vulnerable functions too. Here's an example that can really burn a lot of people: if you want to take user input and send it into the Add-Type cmdlet, well, the Add-Type cmdlet can run arbitrary C# code. So if you ever see anybody taking user input and sending it into the Add-Type cmdlet, well now you have arbitrary C#, arbitrary access to Win32 APIs, and Bob's your uncle and it's over.

Now that's a lot to keep in mind. What can you do if you're actually trying to audit this or defend against any of these things? Turns out that PowerShell is powerful, and it's not just powerful when it comes to all the stuff it lets you do. Every scripting language pretty much goes through two phases when it understands a script. The first thing is tokenizing. So this is an example of tokenizing here, where you give it a command and PowerShell actually has an API that lets you see, okay, there's a generic token, there's a parameter, some left parens, there's an operator. You can start to do some really smart analysis against the token level of PowerShell itself. But on top of every token stream there's the parse stream, which generates an AST. So this is what PowerShell has as an AST, which is kind of a tree-like structure of what it interprets the command to be. So you can even do crazy things here like: the value of a parameter, was that a constant expression or is that the result of doing some binary operators on some things? Here's an example of the PowerShell AST. There's a great module on the PowerShell Gallery that you can just run an Install-Module on and start browsing through the AST for a different command.

So the AST is cool, but how is this actually gonna help you either find issues or prevent issues? And the answer here is there's a lot of wicked hunting things you can do with the AST. So you see at the bottom here, kind of read this one from the bottom to the top: that last line, there's a method on the AST that lets you find all things that match a given predicate. So this is doing a navigation of the tree looking for anything that matches the predicate that you asked. Okay, so hunting with the AST is a really big thing, so that bottom line, just keep it in your mind's eye. So the bottom line, you can do an AST search based on any predicate that you give, and so the top line was an example of a predicate that you can do and start to run against all the AST. So this is an example of finding an InvokeMember AST where the thing being invoked was not a constant expression, kind of one of those examples.

But doing this at scale is a really, really hard problem, so that's why PowerShell has the Script Analyzer. This already is used in things like Visual Studio Code and stuff; every time you, for example, do an alias or whatever, it can find things like aliases that you could remap to something else. So I can start to take those predicates and write AST rules against arbitrary PowerShell scripts, but this time based on known script injection vulnerabilities. So obviously that's a great thing to do, so we did it. What we're releasing now is the PowerShell Injection Hunter that takes every single thing I talked about today and does it for you automatically. You run PowerShell Script Analyzer against these injection rules and then you're done; this will flag everything that you might be worried about. But even better, you've got integration with Visual Studio Code: you enable this in Visual Studio Code and you can see these things while you're developing your PowerShell scripts, anything that might cause an issue when exposed to untrusted user input. [Applause] [Music] [Applause]

So here's the thing: if you're on an engagement, make sure you're testing for administrative complexity, testing for script injection vulnerabilities. But if you've got things to defend, man up, woman up, use JEA, use things like that, and use Script Injection Hunter to find vulnerabilities. Thanks for your time; glad you could make it so early. [Music] [Applause]
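The three JEA building blocks the talk walks through (role capabilities, the endpoint, and the run-as identity), written out as an added example for the DNS-admin scenario. This is not code from the talk or its slides: the DnsJea module folder, the DnsMaintenance role, the DnsAdmin endpoint, the CONTOSO\DnsAdmins group and C:\Transcripts are placeholder names chosen here. The DnsServer cmdlet names, the Restart-Service parameter restriction and the RestrictedRemoteServer / RunAsVirtualAccount / TranscriptDirectory settings are the standard JEA configuration options.

```powershell
# Added example, not from the talk: a JEA lockdown for the DNS-admin scenario.
# Placeholder names: the DnsJea module folder, the 'DnsMaintenance' role,
# the 'DnsAdmin' endpoint, CONTOSO\DnsAdmins and C:\Transcripts.
# Requires Windows PowerShell 5.1 and an elevated prompt on the DNS server.

# --- 1. Role capability: what a connecting DNS admin is allowed to do --------
# JEA resolves role capabilities by name, so the .psrc must sit in a
# RoleCapabilities folder of a module on $env:PSModulePath.
$roleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsJea\RoleCapabilities'
New-Item -Path $roleDir -ItemType Directory -Force | Out-Null

$visibleCmdlets = @(
    'Get-DnsServerZone'
    'Get-DnsServerResourceRecord'
    'Add-DnsServerResourceRecordA'
    'Remove-DnsServerResourceRecord'
    'Clear-DnsServerCache'
    # Fine-grained parameter control: Restart-Service is visible, but -Name
    # only accepts the two DNS services, so Restart-Service -Name WinRM fails
    # parameter validation inside the session.
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Dnscache' } }
)

New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DnsMaintenance.psrc') `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets $visibleCmdlets `
    -VisibleFunctions 'whoami' `
    -FunctionDefinitions @{
        # Custom function standing in for the whoami the talk shows: it reports
        # the identity the commands actually run as (the virtual account).
        Name        = 'whoami'
        ScriptBlock = { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
    }

# --- 2. Endpoint: what happens when someone connects ------------------------
$transcriptDir = 'C:\Transcripts'
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null

$psscPath = Join-Path $env:TEMP 'DnsAdmin.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -TranscriptDirectory $transcriptDir `
    -RunAsVirtualAccount `
    -RoleDefinitions @{ 'CONTOSO\DnsAdmins' = @{ RoleCapabilities = 'DnsMaintenance' } }

# Validate the file before registering; a typo here would otherwise surface
# only when the first admin fails to connect.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is not valid"
}
Register-PSSessionConfiguration -Name 'DnsAdmin' -Path $psscPath -Force | Out-Null

# --- 3. From a client, a member of CONTOSO\DnsAdmins connects with: ----------
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsAdmin
# RestrictedRemoteServer puts the session in NoLanguage mode, so only the
# listed commands exist, whoami reports the virtual account rather than the
# connecting user, and every command is written to C:\Transcripts.
```

The session type is the part the talk calls out as non-negotiable: RestrictedRemoteServer gives NoLanguage mode, whereas a ConstrainedLanguage endpoint lets a connecting user define a new function and step outside the visible-command list entirely.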
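The Invoke-Expression discussion and the AST-hunting discussion above both come down to one check: is the text handed to Invoke-Expression a constant, or was it built from input? The following is an added example, not code from the talk or from the PowerShell Injection Hunter: the function names and the four sample snippets are constructed here. It shows the splatting-based form the talk recommends, and then a FindAll predicate over the PowerShell AST that flags Invoke-Expression calls whose argument is not a ConstantExpressionAst, run against the constructed snippets (the two that build the argument from a variable are the ones the predicate is written to flag; the single-quote escaping variant is flagged as well, since the escaping does not make the argument constant).

```powershell
# Added example, not from the talk: the Invoke-Expression anti-pattern beside
# its splatting-based fix, and an AST hunt that flags the anti-pattern.
# Function names and the sample snippets are constructed for this example.
using namespace System.Management.Automation.Language

# --- Hardened form: user input only ever becomes a parameter value ----------
function Invoke-CommandSafely {
    param(
        [Parameter(Mandatory)] [string]    $CommandName,   # e.g. 'Get-Process'
        [Parameter(Mandatory)] [hashtable] $Parameters     # e.g. @{ Name = 'explorer' }
    )
    # The invocation operator (&) runs a command whose name is held in a
    # variable, and splatting (@Parameters) binds the hashtable as named
    # parameters. Neither step re-parses the values as script, so ';', quotes
    # and $( ) inside them are just characters of a parameter value.
    & $CommandName @Parameters
}

# A value such as 'explorer; Get-Date' is simply an unknown process name here.
Invoke-CommandSafely -CommandName 'Get-Process' -Parameters @{ Name = 'explorer'; ErrorAction = 'SilentlyContinue' }

# --- Constructed snippets of the kind the talk warns about, held only as text
#     so the hunter can analyse them; the first two are the vulnerable pattern.
$sampleScripts = [ordered]@{
    'IexConcat.ps1'   = 'param($name) Invoke-Expression "Get-Process -Name $name"'
    'IexQuoted.ps1'   = @'
param($name)
$escaped = $name -replace "'", "''"   # escapes only one of PowerShell's quote kinds
Invoke-Expression "Get-Process -Name '$escaped'"
'@
    'IexConstant.ps1' = 'Invoke-Expression "Get-Date"'   # constant script text, nothing injectable
    'Fine.ps1'        = 'param($name) Get-Process -Name $name'
}

# --- AST hunt: Invoke-Expression (or its alias iex) whose script argument is
#     not a constant expression -----------------------------------------------
function Find-InjectableInvokeExpression {
    param([Parameter(Mandatory)] [string] $ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    $predicate = {
        param($node)
        if ($node -isnot [CommandAst]) { return $false }
        if ($node.GetCommandName() -notin 'Invoke-Expression', 'iex') { return $false }
        # First argument after the command name, skipping parameter names
        # such as -Command so that 'Invoke-Expression -Command $x' is caught too.
        $argument = $node.CommandElements |
            Select-Object -Skip 1 |
            Where-Object { $_ -isnot [CommandParameterAst] } |
            Select-Object -First 1
        # Expandable strings ("...$name"), variables and sub-expressions are
        # not ConstantExpressionAst; those are exactly what gets flagged.
        ($null -ne $argument) -and ($argument -isnot [ConstantExpressionAst])
    }

    # FindAll walks the whole tree ($true = search nested script blocks too).
    foreach ($hit in $ast.FindAll($predicate, $true)) {
        [pscustomobject]@{ Line = $hit.Extent.StartLineNumber; Text = $hit.Extent.Text }
    }
}

# Run the hunt over the constructed samples.
foreach ($entry in $sampleScripts.GetEnumerator()) {
    $hits = @(Find-InjectableInvokeExpression -ScriptText $entry.Value)
    if ($hits) { '{0,-16} FLAGGED line {1}: {2}' -f $entry.Key, $hits[0].Line, $hits[0].Text }
    else       { '{0,-16} clean' -f $entry.Key }
}
```

The predicate is deliberately narrow so that it stays explainable; the same shape (a CommandAst whose name is in a watch list and whose argument is not constant) extends to the other sinks the talk names, such as Add-Type and [scriptblock]::Create, by changing the command-name list and, for the static method, matching InvokeMemberExpressionAst instead of CommandAst.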
Info
Channel: DEFCONConference
Views: 5,305
Keywords: DEF CON 2017, DEF CON 25, DEF CON, DC25, hackers, security conference, Lee Holmes, Windows, WIndows Server, $pwnd, PowerShell, JEA
Id: ahxMOAAani8
Length: 22min 15sec (1335 seconds)
Published: Thu Nov 02 2017