Slide 1
PowerShell Fu with Metasploit
“Interactive PowerShell Sessions in Metasploit”
4th July 2015
Presented to SteelCon
Presented by Ben Turner & Dave Hardy

Slide 2
HOW ARE BUSINESSES EVOLVING?
WHOAMI /groups
Dave Hardy @davehardy20
Ben Turner @benpturner
Hacker / Penetration Tester
Nettitude Limited: 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire, CV31 3RZ
Nettitude Inc: 222 Broadway, 19th Floor, New York, NY 10038
Slide 3
What is Metasploit?

Slide 4
Metasploit
De facto penetration testing framework!!
@hdmoore

Slide 5
What is PowerShell?

Slide 6
PowerShell
Command prompt on steroids!!

Slide 7
PowerShell
Introduced in May 2009, PowerShell version 1.0 was released on Vista
Object-oriented
Incorporates .NET objects and forms
More functions compared to cmd.exe and VBScript
More extensible via cmdlets and plugins
Background jobs

Slide 8
Why do we need PowerShell?
Slide 9
Microsoft has really got behind PowerShell
Examples are many, but here are a few notable ones:
Windows Server 2012 Core: it is possible to re-add the GUI, but it needs a reboot
Windows Nano Server: a cut-down, minimal ‘JeOS’ build of Windows Server, manageable via PowerShell/DSC
PowerShell 5: so many new features and cmdlets, but most notably online repositories, ‘apt-get’ for Windows
New versions of Windows Server, aka Server 2016, default to a core install
PowerShell is at the ‘heart’ of the OS now
Allows us to do so many cool things, and ‘MOSTLY’ undetected
SSH support is coming!

Slide 10
Why should pentesters use PowerShell?

Slide 11
PowerShell-Based Tools
PowerSploit, PowerTools, Nishang, Inveigh, Powercat, Get-Packet (Wireshark)
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-TimedScreenshot.ps1
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerUp/PowerUp.ps1
https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1
https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
https://github.com/samratashok/nishang

Slide 12
What did we have before in Metasploit?
Not much… We could execute one PowerShell script at a time and get results
Slow, not very intuitive
Nothing preserved between running scripts <– This is important!
Slide 13
Demo Environment

Slide 14
Demo – Old Way

Slide 15
Some background

Slide 16
“Background – Development Evolution”
Born out of the need to easily import tools like PowerSploit into a PoSH session
Developed scripts to achieve this, but physical or RDP access was required
Why not use Metasploit? Developed a POC to return a PoSH session, with PowerCat
The old way was functional, but in no way ideal!!

Slide 17
So what’s new!!
Slide 18
MSF Interactive PowerShell Sessions
“We have developed, for Metasploit, a PowerShell session that gives us an ‘on the box’-like session to run PowerShell commands, modules and scripts”

Slide 19
MSF Interactive PowerShell Sessions
“This was not a trivial task”
7 new pull requests
10 new modules/payloads/classes added to the Metasploit git repository
178 comments and suggestions, mainly from: @hdmoore, @meatballs, @mubix, @thecolonial, @sempervictus

Slide 20
AND………
“We have added functionality to ‘Weaponise’ the PowerShell session”

Slide 21
MSF Interactive PowerShell Sessions
“Everything is done in memory”
No pesky anti-virus interference
Most antivirus doesn't see inside PowerShell sessions.

Slide 22
Demo – New Way

Slide 23
Powerfun Code (Lines 1 – 37)

Slide 24
Powerfun Code (Lines 38 – 75)
Slide 25
Further Development

Slide 26
We have not rested on our Laurels (or Hardy’s)
“New Metasploit Pull Requests”
64-bit PowerShell sessions
SSL support for all payloads
Reverse HTTP that is proxy aware
Load_Script – Silver Bullet
Simple POST modules
Re-writing of ‘mixin’ modules

Slide 27
Demo 64bit and LOAD_SCRIPT module

Slide 28
Demo – 64bit Payloads & Load_Script Module

Slide 29
Demo – Proxy Aware HTTP Payload

Slide 30
How to write a simple Post Module
Slide 31
Blue Team Approach

Slide 32
Time to be responsible hackers
“It is possible to stop this attack”
Close monitoring of the event log
GPO – Blacklist Powershell.exe
Local Windows Firewall ‘Egress’ rules

Slide 33
Time to be responsible hackers
Close monitoring of the event log
Would only detect the initial script

Slide 34
Time to be responsible hackers
GPO – Blacklist Powershell.exe

Slide 35
Time to be responsible hackers
Local Windows Firewall ‘Egress’ rules
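As an added example (not part of the talk or its Metasploit code), the following script applies two of the host-side mitigations listed on slides 32 to 35 from an elevated PowerShell prompt: local Windows Firewall egress rules for the 64-bit and 32-bit PowerShell hosts, and a review of the event log for PowerShell engine starts. The rule display names and the choice of which binaries to cover are this example's own assumptions; the binary paths and cmdlets are standard Windows ones.

```powershell
# Added example, not from the talk: host-side mitigations from the Blue Team slides.
# Run from an elevated PowerShell prompt. Rule names below are our own choice.

# Both PowerShell hosts shipped with Windows. The talk covers 32- and 64-bit
# sessions, so an egress rule on only one binary leaves the other uncovered.
$hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",      # 64-bit host
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",      # 32-bit host
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"   # ISE host
)

# 1. Local Windows Firewall 'Egress' rules: block outbound traffic from each
#    PowerShell host, so a reverse-connecting session cannot reach its listener.
foreach ($exe in $hosts) {
    if (-not (Test-Path $exe)) { continue }           # SysWOW64 is absent on 32-bit Windows
    $name = "Block outbound PowerShell - $exe"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Confirm the rules are present and enabled.
Get-NetFirewallRule -DisplayName 'Block outbound PowerShell - *' |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize

# 2. Event-log monitoring: show recent PowerShell engine starts (event ID 400 in
#    the classic 'Windows PowerShell' log). As slide 33 notes, this only records
#    that a PowerShell host was launched, not what ran inside the session.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```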
Slide 36
We have not rested on our Laurels (or Hardy’s)
https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/

Slide 37
Any Questions?