Hacking with Windows Powershell!

We're going to be spending, I mean I'll be spending, the next hour here on a little bit of PowerShell being used in the hacking world, and I thought I'd better at least let you know who you're dealing with here. My name is Duane Anderson, one of the security consultants and instructors with Mile2. I'm supposed to be an expert, but I always struggle to say that because there's always somebody better than me; it doesn't have to go that far. I have been in the industry for quite a while and I do travel the globe. I've actually offered training and/or consulting in 35 different countries around the globe, so I have quite a bit of global experience there, and I'm going to share a little bit about some of the experiences as we go through here, some of the things that I do see out there in the world. I've worked with anything from large governments to banks to small businesses, so I've got a wide range of everything in between. Some are really, really good and fun and others aren't so much good and fun; it just kind of depends.

All right, so I do spend a lot of my time in virtualization and cloud. Now why does that matter? Well, it doesn't matter a whole lot, other than the fact that I just wanted you guys to know that a fair bit of my experience is going to be on virtual machines, good, bad or otherwise. So we're all good there.

Okay, so what are we covering and why does it matter? First of all, we're going to take a few minutes and talk about what PowerShell is, and I mean just a few minutes. I am NOT going to bore you to death with a two-hour discussion on what PowerShell is and what it can do for us; that's not what we're here to do. We're going to get you into the meat of it here fairly quickly. We're also going to talk about why we care, why is this a big deal today and what's actually happening out there, from a not-so-good point and from a good point. I will tell you guys that I am a big believer in utilizing PowerShell in companies, especially when it comes to proper auditing. Talk about an easy way for continuous auditing to take effect; I'll probably talk about that towards the end when we discuss a little bit of prevention.

We're going to make sure that you guys know what you need to do to make it work and how to go about utilizing it, and then we're going to walk through the different parts of pen testing and what we can actually do here and what we can't do here. There's good and bad with this and we'll walk through some of that. I'll show you how we've utilized it, how others have utilized it, and it does go way beyond; the intent of this webinar is to get you guys started, so we're not going to be going into scripts that are 175 thousand lines long, which they could be, but it's not likely. We're going to be going through some of the basics so that you understand what we're doing and why we're doing it, and that'll get you a really, really good start. We're going to finish up talking about prevention, which is awesome, some of the things that have been added into the latest version of this.

All right, so what is PowerShell? I love this statement here. A good friend of mine out of the UK, Tom Howarth, is a big PowerShell guy, a CLI guy, and he coined the term as far as I know: get PowerShell, get life. I will state that those that utilize PowerShell are often utilizing it in such a way that they lower the amount of time that it takes for them to actually perform and do work, which is, let's just say, pretty cool, right? I have seen time and time again organizations that actually implement this, and implement it right, and you can have time to go golf and you can have time to go fishing, or whatever your hobby is, rather than spending 24/7 at the shop. Although you could also just fill your time with other things as well, right? So let's not go there.

So get PowerShell, get life. It is a very common tool today and becoming even more common. It is simply a task automation and configuration management framework; that's it, it's going to automate tasks and automate configuration. It allows us to do everything from changing settings, adding users, adding machines, changing configurations on systems in Active Directory, whatever the heck you're dealing with. I utilize PowerCLI all the time when configuring VMware virtualization, VMware vSphere. I love that tool; it really saves me a ton of time. I use scripts for many, many of those components, so this goes way beyond just a Microsoft product; there are a lot of other tools, and it's interesting to take note that this was made open source and cross-platform just last year. So we're going to continue to see this expand, good and bad, right? Continue to see those expand, both good and bad.

Okay, so why do we care? I could have gone to a lot of different reports; I just decided to grab the unified threat report from Carbon Black. There's a lot of good organizations out there; Carbon Black is one of many, and they had seen that last year, 2016, 38 percent of the incidents reported by their partners had utilized PowerShell. That is fairly significant. This is not 5 percent, 10 percent; we're talking 38% of the reported incidents, so who knows about the unreported, had made use of PowerShell. Very interesting. So during investigations, 68% of the companies' responding partners encountered PowerShell. Almost a third reported getting no security alerts before the investigation of incidents related to a scripting language. Yes, that's a typo, I like to point out, in my title; it's supposed to say "language". So, good. So the cool thing here, right: no security alerts. Well, why is that? What do we think about PowerShell, right? PowerShell is an authorized API, an authorized service, an authorized process that runs and works with many of these different operating systems, and if an organization is utilizing them, any user on the system can make use of PowerShell in whatever manner is allowed by the organization or the firm. We'll talk about some of the good and bad related to that. So it's not likely you're going to get very many security alerts unless you have a high level of security related to the use of PowerShell, which is not common; very few people even know some of the new capabilities with PowerShell version 5. So we're getting there, right? We're getting there, but no security alerts is very common, and we're going to walk through just a basic scenario. I'm going to talk about where and what and all that kind of good stuff.

So the majority of attacks, eighty to eighty-seven percent, are relating to click-fraud, fake antivirus programs and ransomware, but social engineering techniques are still the favorite: eighty-seven percent click fraud, social engineering. Geez, you've never heard that before, have you? Nope, something new today, right? I'm just kidding. So again, common, common, common items related to these attacks, and so once we get on a system, regardless of the user's privileges, if PowerShell is being used in the environment, the user will be able to utilize it. So keep that in mind.

Okay, so how do we make it work? First of all, PowerShell is already part of the Windows OS. We're going to be spending our time here; I've got an entire hacking environment set up in our totally awesome cyber range. Okay, I think it's totally awesome; it's a fun place to go to be able to hack and be safe. All of these systems are isolated. They do have internet access, but they're isolated; the only place they go is to the outside world and back in, and then they can of course pick on each other all they want. Now we're going to be spending our time on a Windows 10 VM that we're going to be utilizing; Windows 10 has PowerShell built into it, right? And then, to the dismay of one of my colleagues, I'm actually going to be doing a bunch of enumeration, information gathering, out of this Active Directory that we have set up for most of our classes. That's just what we're going to be doing, and then we're going to make use of Kali Linux towards the end if we have time; if not, I'll just walk through exactly what I'm doing. We'll see how the time goes, because I talk a lot.

All right, so I'm going to show you guys. We're going to be making use of Windows PowerShell, and I'm going to just click here and just type "PowerShell". Now Windows 10 and Windows 8.1 come with Windows PowerShell, both the 32-bit and the 64-bit, and PowerShell ISE. Now I like PowerShell ISE only because I can run multiple different programs all in one. I'm not a big guy on making use of functions; I'll talk about that later on. You can write your own little program script as a function that you can run from the command line, you know, with a dot backslash and away you go. I think that's right; I always get the backslash and forward slash mixed up, but you know, once you make a mistake once, you figure it out. So that's where we're going to be spending our time here as we go through this.

So it's all built in; that's always good, right? We love the fact that it's built in. You need a user account. Now one of the things that's a little dangerous about PowerShell, in my opinion, is that you do not have to have administrative rights to make use of PowerShell; a user can make use of PowerShell if it is set up to work. Now there's going to be restrictions on PowerShell based upon whatever security mechanisms, if any, you have in place, and we'll finish up talking a little bit about them at the end of the session. Now this is important: if me as a hacker is going to make use of any scripts, we're going to need to either utilize RemoteSigned or Unrestricted, and I've got that in the next slide, but I'm just going to talk a little bit about that. You can allow none, no scripting; you can allow all signed scripts, meaning they're going to be signed based upon a certificate or a signature mechanism that you guys utilize; you can use RemoteSigned, meaning that they can be scripts that are signed by any place that can be verified. Now that's also dangerous if the systems have internet access, because I can sign my own scripts and have them be validated and verified by my own CA, so as a hacker that's not a big deal. But I most commonly see companies that are utilizing PowerShell utilize unrestricted scripts, and it's real simple: individuals that love and use PowerShell are constantly improving the scripts, constantly changing the scripts, adding new ones. It is a real pain in the backside to go through the signing process on every single little change you make inside of a script, so I don't see it limited very often; I see it unrestricted more often than not. Now I will tell you that in the banking industry most banks, not all but most banks, do have them signed, especially when we're getting into specific areas; they will require them to be signed on your own specific systems. Now the thing is that some people might say, well, we're not going to allow unsigned scripts or unrestricted scripts to run against particular systems, so we're going to reduce that, and that is a benefit that will help some, but that is not the norm because of the difficulty or the time it takes. It's not that it's really hard; it just takes time to go through that signature process. Now an administrator does have to set that up; you have to have administrative rights in order to set it up for RemoteSigned or Unrestricted, and that's normally done. We, the hacker, wouldn't have to worry about that anyway; that's already done and set up and part of the entire process or system. So, good. They would also need to add the Remote Server Administration Tools. Now that is only true if we want to make use of some of the items that I am going to demonstrate today. There are pre-built modules already installed, but many of them take administrative rights to run. What I am demoing for you guys today does not take administrative rights in order to get the information; we're actually going to be querying an Active Directory for a ton of different information to see what we can find within the environment. So you do have to add the Remote Server Administration Tools, which is quick and easy to download, and there's a quick link for you to go and grab that. And like I said, we are recording this, so we will make this available for you guys after, sometime later this week after we get everything set.

So how do you use it? It's built into Windows, so I think it's fairly easy. So we're talking about us setting up a demo environment; if you're already hacking into some places, that's a different story. Okay, maybe I shouldn't use "hacking", right, because that would be illegal. Everything that we're doing today, you do have to have authorized rights to do so, but some of the first components are fine, because if you're an admin you're not doing anything illegal in these first components that we're going to walk through. Now when we start putting a reverse shell on, or something of that nature, well, that's a different story. So you log in as an admin, or you fire up PowerShell with administrative rights, and then you just simply type Set-ExecutionPolicy Unrestricted. Now I've already done that; I'm not going to go through that again, but that's all you need to do, and that is fairly easy, simple and, well, common. All right, fairly common. Then we download and install the RSAT, and it's a simple download: you double-click on it, it installs, now we're ready to go and we can move on. Now normally these items are installed on a bunch of different systems out here. Now I will also tell you that this scenario assumes one of two things: you have either social engineered your way onto a box already, and we'll walk through some of those components later on, or you are an employee with general user rights on the inside and you've got a grudge, so you're wanting to do some damage to the company, or maybe you're a salesman and you want access to certain data that you can't get access to before you leave, or maybe you are a victim of a client-side attack utilizing a clickjacking of some type, right? So there's a lot of different options out there, but we are going to need... because you're not going to run PowerShell from home to a system that you don't have access to; that's obviously not going to happen. So we're talking about inside of an organization; first you've got to be inside the organization, and then we need to understand scripting variables, and we're going to go through some of them here in a moment.

So we're going to walk through different parts of the pen testing here. So first of all, can we do information gathering? Well, yeah, but for what we're doing it's an absolute waste of time; we don't need to mess with it, okay? We're just going to go right down to enumeration. We don't need to do scanning; we don't need to reach out and touch the system, because as a general user you have rights to query Active Directory, and you can query Active Directory for a ton of information. That is what is really cool, so we're going to be spending our time on enumeration. We're going to demo a simple attack that as an insider is actually pretty darn easy to do, and we'll discuss leaving a backdoor; if I get to demoing it, we will, otherwise I'll at least explain it, and we'll clear some event logs for the fun of it and all that kind of good stuff, right? So are we having fun yet?

So we're going to go through and do some enumeration. Now the first thing we have to understand is Get statements. Get is just that: we are asking for information; we are querying something to gain a little bit of information. When it comes to Active Directory, any user can query the AD for said information. It's not quite the same when we're dealing with other systems that we may or may not have access to remotely; if we don't have rights to be on the box, we won't be able to query said box. And there's a few other things; for example, I cannot get event logs as a general user; I would have to be admin, okay? So the Get statements are very important to us, and we're going to gather a ton of information to be able to demo a simple attack that we've done inside systems multiple times and have had fairly decent success with as we're learning more about it. Okay. All right, next, Get-ADUser. All right, that makes sense; we're going to gather information about the Active Directory user. We're going to gather information about the computer. We can even talk about Get-Service; now Get-Service does require you to be an admin. All right, so we do have to be an admin in order to make that one happy, so before we even start getting at the service we've got to figure out how we can become an admin.

All right, so what I want to do here is roll you guys through a few different options and explain what's going on, so you kind of see what we can and cannot do here. All right, so I'm in my Windows 10, and I want to point out two things. I have two different Windows PowerShell ISE items open. This one, as you can see in the upper left here, is being run as an administrator, all right, so we're not going to utilize this one to start with, okay? I am going to utilize a general user, and you know it's a general user because it does not say "Administrator" in front of it, okay? Now, a general user, as I mentioned, you can see down at the bottom I'm logged in as student100. Woohoo, so I'm the 100th most important person in the company today, which is sad because there's only ten of us. Come on, that was funny. I'm just messing around; it wasn't that funny.

All right, so what we're going to do here is I've got some different scenarios that I've laid out, and yes, I did just make it easy on myself by making it so I can copy and paste here, and I could just run the whole thing. This is a scripting tool, so I could just run all of these; I can comment some of them out and do what I needed to. We're going to start with getting user details; that's my plan, to kind of dig through this. So the first thing I want you to understand is we're running as student100, and I'm going to simply utilize the Get-ADUser command and the -Filter. I could filter by a lot of things, and I'll demo some of that, but we're going to get all of the details for every... or not all the details; we're going to actually get all users and it will return just a few details back here. So I'm going to press Enter here and I'm going to let it finish, and then we'll go take a look at what I've done here.

So this bottom one, let's just look at this. So we can see the distinguished name for an account that's not mine, right? We can see that this is enabled; that's cool. The given name: service account, well, SRV acct, right, short for service account. The object class: it is a user, okay, user. Now scroll up here... I think I'll wait and do another command another way, because it'll take me too long to find what I want. We've got our object, we've got our SAM account name, our SID, we don't have a surname there, and user principal name. All right, cool, that's pretty normal stuff; I think you could have guessed most of that just being part of the organization, right? That sounds pretty normal. Well, let's take a look at more of the properties, okay? All right, so we're going to look at all of the properties here for student25, and then we're going to see if we can take a look at the same for the administrator account, okay? There is some good information in this, and there are a ton of properties here; this is not just a one-stop shop in a small quick item here. All right, so here's student25. So we have, if there's an expiration date on the account, when the account expires; you have to go look up those numbers because I can't tell you exactly what it means, I've got to go look it up with Microsoft. Account lockout time: there isn't one right now. Account not delegated, okay, that's cool. Allow reversible password encryption: now this is an interesting one, and you'll see that we have one account that allows for reversible password encryption, but the user didn't set it up correctly, or the administrator; we'll discuss what's going on. This one's an interesting one, because this actually lowers your level of encryption. This makes it easier for us to brute force, makes it easier for us to crack the encryption utilized because it is reversible, so we like to look for allow reversible password encryption just because it can make it easier. There's also a tool called RV dump that you can download and run that you can actually dump the reversible password encryption in clear text. It's an interesting tool; it's not the easiest thing to work, but it is kind of interesting.

All right, so what else do I want to talk about here? There's a couple of other items. If you have a bad password, bad logon count, it will record those here. Notice here that the user cannot change the password; well, that's good news for us, right? We don't have to worry about that happening in the future; that's always, like, looking for those things. What else might be interesting in here? Display name, all good. Does not require pre-authorization: well, that's bad, they do require pre-authorization. That would be kind of nice to know if there was an account that did not require pre-authorization. A couple of other items I was going to point out here if I get down to them: whether or not they're locked out, that's good, they're not locked out; last log off; bad password attempt, last bad password attempt, at least it records those things, which is kind of interesting; MNS logon account, not a big deal there. Let's see, what else did I want to talk about? I know there was something else that I wanted to point out, and it might come to me as I look down through here. Password not expired, that's good. Last set; never expires is true. Password not required: I always like to look for those; in this case that is false. I'd like that to be true, but that's not the case. All right, so let me see, is there anything else here that I want? Just kind of looking down through these, you can see there's a lot of information here: whether or not it's trusted for delegation, trusted to auth for delegation, so not happening there. All right, I guess we're going to be good enough. So there's a lot of information here.

So what I'm going to do now is we're going to roll through... let's just do a quick up arrow here and, instead of student25, let's see if we can get that same information for administrator. All right, well, that's good to know. User certificate: well, that might be useful. Yeah, you want to be able to do some certificate injection, fake yourself as a user; that might be very useful for us. So you can see it's all the same details as to what we had seen before, which is good, right? And then what I wanted to look for, just looking to see if it's trusted for delegation: it is not. Now we can also just do a simple one; instead of getting all the properties we can just get the basic items for the administrator here, so we can see that it's enabled, it's still a user, SAM account name. So what we're getting at here is, as a normal user, I just gathered quite a bit of information related to those components. Now, that's a good example as well; one of the individuals made mention, which is good, of the MemberOf: we can see how much power that user actually has, what different groups they're in. That's a good one to be looking at as well; I completely forgot about that, so I appreciate that. Good stuff here, right? A lot of good information that we can gather from this.

So let's go down through here and just talk about what's happening on these next items. So for Get-ADUser we can use this -Filter command, and we can filter for any of the properties that were listed in that long list to make our job easier. So we're going to take a look and see if there's any users that have the password-not-required equal to true. Well, if there was one, that might be kind of nice, right? Oh, we got one, and of course it's the Guest account and it is not enabled, so that's going to be a waste, right? But boy, that would have been awesome if we would have found someone that said password not required. We start thinking about different services that some companies have running, and the different service accounts; there are organizations that have service accounts that do not require a password due to the particular application that they have running. Usually they're a little older in nature, but it is the case and could possibly be the case, so we do want to look for that. And look how hard it was for me as a normal user to go find that particular system. And of course we don't know what they're a member of, what kind of power they have; of course we can see that one here, but you start thinking through the enumeration process; we've got a lot of items here. Now we can also do just the opposite here: we can actually look at a particular user and validate its property, to take a good look at that particular user. So what happens is when you run this particular command we're going to get all of the normal items that we gather when you do a standard Get-ADUser, but we're also going to add the property PasswordNotRequired. So notice it did come back with distinguished name and given name and all that stuff, but it also included the password not required set to true, but sadly, like I said, this one isn't enabled by default.

Well, I made mention of this filtering; I made mention of the allow reversible password encryption, so let's go ahead and do a filter for that, shall we? I'm glad you guys are saying, "Yeah, Duane, let's do that, let's test that." All right, so here you go. We just did an allow reversible password encryption filter and there was one user, that service account, that has that actually set to true. Now that's interesting. Usually... oh, I just did a filter for it, sorry, I did a filter for it; I was thinking about this bottom one here, what it would actually pop up. So that account must have the allow, because that's all we did, a filter for it. So now I'm going to validate it utilizing this other one, where we're actually searching for that particular property, and that's at the top, and that's true. So that's interesting, which means that this could be weaker authentication. Now in order to verify or validate that, let's go see what the domain password policy is, and then I'll explain some of the various components here related to it. I'm just going to do a quick Get-ADDefaultDomainPasswordPolicy. Now I want you to keep in mind that if there was more than one domain, we can connect to and provide specific domains in here; we only have one domain set up, so we're sticking with that one and utilizing it. But if there was more than one group, if you have custom password policies on particular groups, we can query that as well; that's not set up in this environment, so that's why we're sticking with what we have here, okay?

So we can see the complexity is enabled; well, that's good news. The distinguished name: mwha.local, that stands for Midwest Housing Association, woohoo. All right, lockout duration and observation window is 30 minutes. Now look at this one, this is interesting: the lockout threshold. This is the default setting for Windows. When it's set to zero, that means that we can have as many bad logins as we want; we are never going to be locked out. You set it to one, you have one bad login, you will be out for 30 minutes; you set it to 3, you'll have up to 3 bad logins, then you'll be locked out for 30 minutes. But at zero, that means it is off; that means that there is no lockout threshold, which is really cool. Our maximum password age by default is 42 days, but we already saw that some of those accounts were never required to change. Minimum password length... or sorry, minimum password age is 7... the minimum password length is 7, but the age is one day. Object class is domainDNS, okay. Password history count, they keep 24, but since we never change, it doesn't matter. But at the bottom you'll notice here reversible encryption enabled is set to false. Now in order for that user to actually work and function, he needs to fall under a password policy that would also be set to true. So usually when companies are making use of that, they will have a separate OU just for those users, and they'll have a custom domain password policy for that OU, for that organizational unit, and then that would be set to true, and then when you set the user to true then it is saved. And I'm sharing that information because when you go to gather some passwords, when we go to enumerate some of these items, we could actually get that in clear text if it was set to allow reversible encryption; that's not the case.

So now here is the key behind this, okay, here is the key behind this. The reason that I think this is so dangerous is when we know the lockout threshold; this is important, okay, lockout threshold and lockout time. I want you to stop for a minute, and we're going to walk through... I'm going to go get some OS details. I want to walk through doing some dictionary attacks, but I want you to keep in mind, even if you have it set to three, I am going to try two passwords and I'm going to put a wait in my script, and I'm going to wait for 30 minutes, I'm going to try two more passwords, I'm going to wait for 30 minutes, I'm going to try two more. You see what I'm getting at? Regardless of what this is set at, we can run a script for a long time and try to guess the password. We know the minimum password length, and if we have any idea about the organization and its people, the bigger the company the more likely you're going to find some passwords, right? Just use the top 100 passwords; you will find somebody utilizing them, I can almost guarantee it; we do every time. So it's just kind of an interesting thought process behind what is happening out there, what can be done, so we're going to walk through some of that.

All right, so we've talked about getting the user details; let's go take a look at the operating system. Now for the operating system they have Get-ADComputer, and yes, we are communicating with the AD, because some of the items that we would want to do specifically to a system do require administrative rights, so we're not going to go there. So let's take a look at Get-ADComputer with our -Filter asterisk, just like we had done before. So there's a ton of computers in here; we'll just look at this bottom one because it's easy. All right, so we got the distinguished name, it is enabled, the host name is a computer, nothing special there. Let's go see what else we can find out. So let's take any of these systems; I don't know what system I want; let's do VRA-1, shall we? Is that typed right? Good, right? Let's come over here, and you want to remember this is Windows, so it is not case-sensitive; if we were working in Linux it would be. Let's see what we find. So here is VRA-1, and this is all the information that is actually in the Active Directory. All right, so let's scroll down here; there's a couple of things. Talking about enumeration, all right, so cannot change password, that's good; we can change our password. Here's our common name; here's our canonical name; I can never say that name, I don't know why I struggle to say that sometimes. I can get it spit out other times, I can't; I spell good. Our distinguished name, DNS host name, and look at this, we got an IP address, hey, that's cool. So here's the IPv4 address; if we were making use of IPv6 that would be listed there as well; obviously we're not. Last logon, cool; lockout; logon; object category. So here is our operating system: this is a SLED operating system. This happens to be VRA-1; this happens to actually be a vCloud or vRealize implementation; they're running on a SLED OS; the service pack is unknown; the operating system version is 11, so that's good to know. Primary group ID. Lots of good information here, don't you agree? We've got quite a bit of information.

Now let's just talk about hacking systems here and what we're going to want to look for. So this next item, I'm going to go ahead and first paste it in here, and then we'll talk through this. So we're going to gather every VM, we're going to gather every property, and then we're going to list this with a Format-Table type command: we're going to pipe it to a Format-Table, and we're pulling out the name, operating system, operating system service pack and operating system version, and that is what we're going to take a look at. Scroll over here, and we're going to tell it to wrap and auto-size so that we actually get to see everything, because if you don't put the -AutoSize in there it'll cut it off, and I don't remember how many bytes it is, it'll cut it off; you won't be able to read everything, so we want to be able to read it. Let's see what we can gather here. How hard is our information gathering today? All right, there you go. We'll scroll up so you can see what it looks like from the top. Then I'll wake you guys up; hopefully I don't have you sleeping on me. All right, so as you can see this is fun and time-consuming; all right, we've got a whole lot of systems here. So we've got our name, we've got our operating system, the operating system service pack if it's listed. So this tells me that somebody, I'll blame myself on this one, has not updated our Active Directory since the original install; that's probably not a good thing. We don't have any service packs there. Operating system version 6.3 9600: now that is really good information, wouldn't you agree? Now if I'm working as an insider, gathering this information is fairly easy to give to someone that's more skilled, or to say, okay, now that I know what you guys have in there, here's what you need to do to crack into it, to gather that information, right? So you can roll down through here and see a ton of good information. MWHA-MPT, oh, that was an interesting one: so we've got a couple of MultiPoint Server 2012 Premium, that's kind of cool; Windows 7 Enterprise; a couple of SLEDs; some unknown, so they couldn't... the ESXi hosts don't register the proper information, but that's interesting because it does say Likewise Open 6.2. Now that is interesting, so being a virtualization guy, I know that that means that this is version 6 update 2 that's installed on that particular ESXi host, so that's kind of cool. So even though it doesn't tell me, I just did some enumeration there, and I could go gather more information if I needed to. So you scroll down through and see all this; now, kind of cool.

Now let's just say you and I are going to say, well, we want to actually go right in and look at the 2012 servers. So what we're going to do now is we're going to simply do our filter for operating system equals Windows Server 2012 R2 Datacenter, and we're looking for properties, all of those properties that we had listed before, but we're only looking for that particular operating system. So there we go; here's all those systems that have that unique operating system. Well, you know what, that's not quite enough, because I need IP addresses, so let's just run another command. Here we go; now with all the VMs, boom, away you go. Now you can easily pipe this out to a file, right? So we could pipe this out to
systems dot txt hmm I could also use I'm going to go CSV there we go and you'll see here that I got to go back to this one now I've got a systems dot CSV file now I don't have Excel or any other type of spreadsheet installed here but I could open in word and away we go so you can see we can pipe that stuff out pretty easily as well all right so we got all of our operating systems we kind of know where we want to go but we're just a general user and we need an administrator Calico and we can't run our guest service command we we can't clear our logs because we don't have admin rights so we're going to walk through a common method that's utilized for guessing passwords yeah you got to love that right okay so I'm a general user keep that in mind we have gathered all of this information from ad as a general user now I do have a password file here this just got four passwords in it I could make this huge book I don't want to spend hours going through this you don't need it we can demonstrate what we're trying to do here okay so what we're going to do is I've created a script now the first thing I want to do is make sure that my users file is deleted I'm going to delete this users file here okay all right we'll come back to it I promise we're going to get the ad user just like we had done before - filter asterisk and we're going to select the name and that's it and we're going to pipe that into the users txt file now I can do all this together but I'll explain why I'm doing that here part of the reasons why I'm doing that is because I didn't want to write a script that would remove the first three lines I don't want to see the errors related to this so I'm going to delete those and now I have just the user names and the entire list of those user names that are in our ad so we'll save that there we go okay now we're going to come back here to our script so I am defining the domain because we did already gather that information so this first part is defining the domain and 
next we're going to do a simple for each statement so when you do need to at least get somewhat familiar with PowerShell I am by no means some crazy expert I go to others to help with this I will tell you that if I can figure this stuff out you can figure it out it is it is not that hard to do and what's happening is it's going to read the users txt file so the DAT dot backslash users dot txt now I did not have to put a folder in it because I am already in the users student 100 directory and in that directory contains my users text file right so we're going to look at that content so it's going to it's going to look at every single item and for every user dollar sign user in get contact in that file we are going to do the rest so if there's two users it's going to do this on two of them if there's 100 it's going to do it on 100 if there are one 2544 it's going to perform it on 2544 and next we are changing the user account we're going to provide the variable dollar sign you in what we're doing is we're making sure there is no spaces in the user name remember if it cold in a space made them you know which I'm sure it did if it pulled in a space after any of those needs that would air out when we go to do our password guessing right our dictionary attack so what we're doing is we're making sure that user name has no spaces in it so we're replacing the space with nothing so we're just removing the space in the user name which we need to do and then we're just going to print out on our screen that user name so we can see who are attacking and then we're doing another for each statement and you got to make sure you have these brackets before and after and before and after they got to be in there otherwise it's not going to work very well alright so the in this for each statement now we are going to look at every password so if we had 5,000 277 passwords in our password 5 it would run through this for each statement for every user thousand two hundred and seventy-seven 
times and fortunately there's no lockout on the users so we don't even have to worry about time we don't have to put a wait statement in here because normally we would do this twice and then we would wait so forever turns three times for every for every third time we would put a wait statement in here and you can do a counter and set that up it's not hard to do it's another fairly simple process all right now the next next items here you would end up having it you know like me I'm not an avid PowerShell user I had to go look these items up in order to you know when we first started doing this I didn't know what any of this stuff was I had to go look it up so I'm doing the exact same thing with the password making sure there's no spaces in there on every single one of them and then we are defining the system directory service account management context type as domain we're going to be utilizing the domain for account management context type and then we're creating a new object within our Active Directory under account management and we're utilizing a principal context format now I am I'm not going to sit here try to tell you all of the details what's actually happening here in the end we're creating a attempting to create a new a new object within our ad now we're not going to actually finalize the creation of that because before we actually finish the creation of the principal context we're validating the passwords but then we never actually create the new object however this is going to have a ton of logging if set up correctly so I'm going to show you a secondary method utilizing some executables that are built into PowerShell that do not log near as many details and are easier to bypass loggers alright so hide yourself and and so now we're going to utilize so we're creating new new object create based on dollar-sign CT so it's domain context type account management and we're defining the domain which is the mwha we have to have that as well and then if and only 
if this equals true so you're going to run the dollar sign PC yadda yadda yadda and which is going to be either a true or false so the username and password is either going to be valid or it's not and what I've done is I've created a simple if statement if it's true tell me it's true otherwise don't do anything that's all that I'm doing here all right so you got all that right let's see what happens and of course we know what we're doing because we have it in our account but just to show you here so we're testing every single account with all of the passwords in our password file and only those accounts that have the password that we have the correct password doesn't respond so now we know all of the different accounts that and they're the user accounts and passwords and one of the ones that's interesting is this one here the administrator account we now know the admin account whew yes this is a debt test Deb or sorry it's a pen testing environments of course it's an easy password all I'm getting at is that if you know your people well enough you can build a good dictionary file there's a lot of good dictionary files out there when you run this in an environment it is very likely you're going to find some account passwords not all of course you're not going to find out you'll find some the larger the environment the more passwords you'll find it's really interesting how positive this can work and I just get all of this as a normal user now isn't that cool woohoo now and if you're not logging or monitoring everything that's going on within PowerShell I am monitoring for that you're not going to even know this is happening all right now another script for guessing passwords is utilizing the DES query a domain services query executable that is built into power she'll built into the operating system comes with the are stat commands and this is a slightly different way of gathering the information from Active Directory these executables are designed specifically to do a 
ton of different information for us related to gathering changing editing whatever it is we want to do within ad now this was actually designed before the ad commands I just demonstrated so yeah administrators have been utilizing these for quite some time now we can do the same thing here on this DS query outputting it to user dot txt I'm going to go and delete my user txt file now well--that's users what did I name this one not still the same thing so just going to delete that so don't have any issues all right and then again another for each statement and we're getting that contents is the exact same thing we did before we set now we're actually going to be utilizing the DS get command the DS get command is slightly different so when let's just do a let's do a quick yes get user administrator I'm okay because now why did that just fail I was just going to try to do a simple steal well something quite right here that happens oh I know need to tell it what I'm actually they type administrator right still don't have something right well maybe I'll just run the command and make it show you I went through all of this before and now my mind went blank on me so typical components that's the script run did all this ahead of time why I am at a time and of course I'm going to have issues the DS query is query for the users on the local domain and then we're going to utilize the DS get command for a specific user gathering the Sam ID I know what I'm doing so the D is query well let's just do it this way so here is the what the DF query the command that you're going to get all of these lengthy F to the N so this is what I've done wrong I forgot about that so these are these argue your domain your domain names that are built into the environment and DF get is actually going to so now if I do the and that's what I was doing wrong it doesn't it you have to have that name in order to make it work you okay now with the DS get command we're going to be able to see the Sam ID and 
this has three entries now the reason I wanted to show you this and I forgot to run the Diaz query first I apologize so the the reason I wanted to show you this is so I can explain what what's happening here now that we have the same ID the same ID actually produces three different results and this is Sam ID is the first one and that is zero the actual name is one and the DS get succeeded is two so when we look at assigning a particular variable we want only the user named student 49 so we do not want 0 or 3 we just want number 1 and just like we did before we're going to replace the spaces with a no we're going to write out that Sam ID so that we can see what it is and then for every password in the get contents of just like before go to that same process but now we're you know liking Dias get which is not logged in PowerShell in the same manner there is on there this is a different component we're not trying to add any new objects we're simply getting the user items and validating verifying that they are who they are now what happens is is that we're just going to know this out so it's not going to produce any information but we're going to be able to utilize the final code which could be like an error code the no code true or false and anything that produces a true the dollar sign question mark is going to write out and give us the information this is just a slightly different way of producing the exact same stuff so here we go and now it's testing in this case it tells us every account those that we guessed it produces the password and those that we didn't it doesn't produce the password exact same manner a little bit more stealthy than what we had before kind of cool right yeah woohoo so here we are hacking away now it's already past my hour so what are we going to do here I'm going to show you a couple of different commands first of all getting OS details dan can we now that we know administrative accounts of course we can get services of any system that's 
actually up and running right so let's just see if we can run that quickly as the administrator let me see here I think there we go we'll try it on a different computer name and of course huh well that's interesting that computer might not I just ran this I'm not kidding I just ran this a few hours ago to gather that server those services as administrator so that's interesting that we that we don't have that information well let let's go ahead and isn't that interesting so maybe I need to open this again as a try to get the event log for that system see it's not not allowing us to run it all of a sudden so I am going to actually close this off and we're going to open a new one as administrator something has changed there maybe my session timed out so we'll go ahead and do that because remember we do know the administrative username and password hopefully it was it the timeout session there we go it was just a timeout issue all right so here we can see all of the services that are running on this particular system not I just wanted to show you that now that we have that boom we can get that information we're querying directly that particular VM and we can also come back over to my normal session here and go to the event log let's go ahead and and see about getting event logs and this is on an RDP session a multi-point server we're just going to gather that information quickly alright and we're looking at the newest ten so here is the newest 10 security logs that have been in there in that particular time so we take a look at at the timeframe here June 27th 1004 1004 1003 so we've got that understanding now we're going to actually pull back and grab we're going to clear now these event logs and see what happened shall we hiding our tracks got to love that right all right so it says that it finished because there was no error so let's see about getting those Wow look at that 1006 instead of 1004 so you start seeing okay those are quite interesting now we only have and 
if you an account was logged off logged in so we can see that things have changed a little bit here and the only logs on the latest newest blogs related to what we had just performed here so and we could go back and mess around with that all I'm saying is that this allows us to do because we're administrators we had to get to the administrative session now I'm gonna I don't have time to show you everything here but I do want to walk through setting up a persistent backdoor so enumeration not a problem where we're doing all kinds of fun getting you two names and passwords without getting caught now leaving a backdoor built into Kali is a little-known set of tools called power sploit and what what power sploit allows it to do now we do not have access to a system and and here's what I want you guys to be thinking about so when we find user accounts associated with particular systems that have RDP enabled on them now we can RDP to that system usually that's a concern we already p2 that get that system and now once on that system we can set up a permanent or persistent backdoor via PowerShell now what we're trying to do here is leverage an unauthorized user of PowerShell to inject in memory a backdoor attempting to bypass item antivirus now I'm going to show you guys the power sploit power sploit is available in github from powershell mafia they have antivirus bypass code execution exfiltration setting up persistent systems in other words what will happen is is you can actually migrate to ace on a service that runs all the time and embed a DOL that will run with that service every time the systems either logged on to or turned on so we get we get that particular component sometimes we can escalate our privileges there as well and there's some addition reconnaissance that are that can be done this is a really nice tool and maybe maybe in my next next session I well we do this actually in our class so I was going to see any in the next session but I'm planning on doing 
something else for your next session but get some good stuff here and and it's not hard to do you use me ms mm from from Metasploit to create your package upload it download anything you need in memory so we're running in memory which can bypass antivirus and we actually do antivirus bypass in our course but I think in our next session next month we'll actually do be doing an antivirus bypass session so also we're going to try to do in our next session we don't have the date or time yet I'll get to that in a moment just be thinking antivirus bypasses what's coming up all right so PowerShell mafia with power sploit some good stuff all right so how do we we did the covering tracks here prevention sign all your scripts with x.509 certificates and set the execution policy to all sign that will prevent most of this from happening they would have to be able to sign with your same certificates in order to run we don't we that's going to be much more difficult to do only have the remote administration tools on your Bastian host only set it up on the systems that needed period now PowerShell version 5 has the ability to do script lock logging we can have system-wide transcripts any PowerShell scripts single codes that's ran will be that those transcripts will be logged every single one of them so everything I did even though I was an authorized user would be log so we can easily track down what back was going on that's good now they've also got something new where we can actually make use of app Locker to constrain the Power Cell PowerShell usage now this goes in even greater detail than utilizing sign science or signed scripts that is a fairly new system as well which is quite good so here you go those of you that stayed on to the bitter end our next webinar we're going to we're going to be doing with doing antivirus bypass be on the lookout because we do not have a date yet for that at the end of look out so antivirus bypass utilizing probably utilizing Metasploit and 
maybe I might even throw in here our squid for that as well now for those of you in the next webinar that stay to the end we'll be in the running for a free seat to any of our online classes whether it's a pen testing class a cloud security class a virtualization security class information security class whatever it is you desire that's the way it's going to be so share with your friends or maybe you don't share with your friends maybe you know don't share with anybody to keep your numbers down or you tell your friends about it and tell them if they win they have to give it to you because you share the information with them all right so we do have some upcoming CPT e as well lots of good information out here and for those of you that might be interested you can go to the mile 2 website for our pen testing engineer outline lots of good information here what we do what we don't do our public schedule so these are the classes you'd be in the running for online classes you'd be in the running for if you if you attend that next webinar and so you just go to mile to comm /schedule and away you go here and be able to look up the mile to comm /schedule slash events this is where you will find out about our next webinar we will post that probably with sometime the next week related to when the next webinar is going to be and that's going to be on bypassing antivirus so be aware of that that's where you go to view that vial t.com /schedule slash events and if you're already on our email list you'll receive that information as well remember in the hands-on classes we endeavor to spend a lot of time with hands on you can't get good with benefit penetration testing with security without doing the hands-on I just went and showed you all of these little links here so there they are for you guys I want to say thank you for your time today I appreciated it this is recorded so everything that we've done will be low be available by our website and/or YouTube at a later time so that 
you can go through practice spend time get good at enumeration with PowerShell as a general user see how many of your cop if you're an administrator see how many passwords you can guess with this particular system good stuff right all right you enjoy your day I'm signing off now have fun and we'll catch you the next go-around
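The defender's counterpart to the enumeration, password guessing and log clearing shown in the webinar, as an added example that is not part of the original talk: it turns on the AllSigned policy, script block logging and transcription the speaker mentions in the prevention section, then hunts the logs they produce for that activity. The transcript directory, the failure threshold and the indicator list are assumptions; event IDs 4104, 4625, 1102 and 104 and the policy registry keys are documented Windows values.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the webinar. Run on a domain-joined host / DC.

function Enable-PowerShellAuditing {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location

    # 1. Only scripts signed by a trusted X.509 certificate may run.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

    # 2. Script block logging: every block PowerShell compiles is written to
    #    Microsoft-Windows-PowerShell/Operational as event 4104.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # 3. System-wide transcription: a text transcript of every session, even an
    #    "authorized" user's, lands in $TranscriptDir.
    $tr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
}

# Indicators drawn from the techniques demonstrated in the talk (assumed list; regex).
$SuspiciousPatterns = @(
    'Get-ADUser\s+-Filter\s+\*',            # bulk user enumeration
    'Get-ADComputer\s+-Filter\s+\*',        # bulk computer enumeration
    'DirectoryServices\.AccountManagement', # PrincipalContext credential validation
    'ValidateCredentials',
    '\bdsquery\b|\bdsget\b',                # RSAT-tool variant of the same loop
    'Clear-EventLog',                       # covering tracks
    'PowerSploit|Invoke-Shellcode'          # in-memory tooling named in the talk
)

function Find-SuspiciousScriptBlocks {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value        # ScriptBlockText field of 4104
        foreach ($p in $SuspiciousPatterns) {
            if ($text -match $p) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    UserSid = $_.UserId                # account that ran PowerShell
                    Pattern = $p
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
                break
            }
        }
    }
}

function Find-PasswordGuessing {
    # A dictionary loop like the one in the talk shows up on the DC as a burst of
    # failed logons (4625) from one source against many accounts. Threshold is assumed.
    param([datetime]$Since = (Get-Date).AddHours(-1), [int]$Threshold = 20)
    # 4625 schema: Properties[5] = TargetUserName, Properties[19] = IpAddress
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        Group-Object { $_.Properties[19].Value } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group | ForEach-Object { $_.Properties[5].Value } | Sort-Object -Unique) -join ','
            }
        }
}

function Find-LogClearing {
    # Clearing a log is itself logged: 1102 in Security, 104 in System for other logs.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
    @($sec) + @($sys) | Where-Object { $_ } | Select-Object TimeCreated, Id, ProviderName, Message
}
```

Forward the 4104, 4625 and 1102/104 events to a collector the local administrator cannot clear, since the talk shows an admin session wiping the host's own Security log.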
Info
Channel: Mile2 - Cyber Security Certifications
Views: 37,277
Rating: 4.647059 out of 5
Keywords: windows powershell, penetretion testing, cpte, Hacking with Windows Powershell
Id: f2uJeaYJy04
Length: 73min 39sec (4419 seconds)
Published: Wed Jun 28 2017