Introducing PS>Attack: An Offensive PowerShell Toolkit
TRANSCRIPT

PS> whoami
• Jared Haight
• Security Engineer for Gotham Digital Science
• PowerShell fanboy
• Guess I’m a developer?
• I enjoy long walks in the woods
• Co-owner of a broken bunny.

What is PowerShell?
• Windows PowerShell (as described by Wikipedia)
  o task automation and configuration management framework
  o consisting of a command-line shell and associated scripting language
  o built on the .NET Framework
  o provides full access to COM and WMI
  o enabling administrators to perform administrative tasks on both local and remote Windows systems

What makes PowerShell great
• Object Oriented Language
• Intuitive Commands
  o Verb-Noun format (get-help, test-connection, etc)
  o Similar switches across commands (-ComputerName, -Debug, etc)
• A help system that’s actually usable
• Great tab completion
• Available on Windows 7 and up.

What is it being used for?
• Administering all the things!
  o You can administer most anything in a Domain with PowerShell
• Automation
  o Desired State Config is the Puppet/Chef/Ansible/Salt of the Windows world.
• Information Security
  o Lot of work in DFIR
  o Great for event log parsing and WMI queries.
  o Check out what’s being done at http://www.invoke-ir.com/

Offensive PowerShell is Awesome
• Using the admin’s tools against them
  o There’s great stuff already there, live off the land.
• Hard to lock down
  o No real logging before PowerShell v5
  o PowerShell is actually part of .NET, it’s NOT powershell.exe
  o Not a lot of awareness on the admin side of offensive PowerShell
• A lot of advanced work being done by the community
  o DLL injection
  o WMI Abuse
  o Mature Methodologies

The Barrier to PowerShell
• Lack of interest
  o Windows isn’t cool
• A little intimidating
  o Lots of testers are more comfortable with *nix
  o Whole new language to learn
  o Where do you start?
• Hard to stay up on the latest and greatest
  o PowerShell clique on Twitter
  o Cool stuff doesn’t always get surfaced

What is PS>Attack
• A tool that makes using Offensive PowerShell easy
  o Custom console designed to emulate powershell.exe
  o Some of the best tools available are built in
  o Powerful tab completion
    • Commands
    • File Paths
    • Parameters
  o Single Executable – just download and run

What’s in PS>Attack
• Over 110 Commands covering Recon, Privesc, Backdoors and Exfiltration
• Including
  o Commands from PowerTools, PowerSploit and Nishang
  o Inveigh – A Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
  o Powercat – Netcat, but in PowerShell
• Get-Attack – A command for finding the attack you’re looking for

Not just for the lab
• Embedded Payloads are encrypted to evade AV and IR teams
• Payloads are decrypted straight into memory so they never touch disk.
• Custom built console doesn’t rely on “powershell.exe”
• Works out of the box on everything from a fresh Windows 7 install to a patched version of Windows 10.
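The “no real logging before v5” and “doesn’t rely on powershell.exe” points are what a defender has to answer. As an added example (not code from the talk or the PS>Attack project), this turns on PowerShell 5 script block logging and reads back what it captured; it assumes an elevated prompt on a host with PowerShell 5.x, and the policy registry path, log name and event ID 4104 are the standard Microsoft ones.

```powershell
# Added defender-side example, not part of PS>Attack. Assumes PowerShell 5.x
# and an elevated prompt. Script block logging is implemented in the engine
# assembly (System.Management.Automation), so once the policy is set it
# records code run by any host that loads the v5 engine, not only
# powershell.exe; a custom console does not sidestep it on its own.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-ScriptBlockLogging {
    # Same registry values Group Policy writes for
    # "Turn on PowerShell Script Block Logging".
    $key = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Test-ScriptBlockLogging {
    # Returns $true when the policy value is present and set to 1.
    $key = Join-Path $PolicyRoot 'ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Get-ScriptBlockEvents {
    param([int]$Last = 50)
    # Event 4104 carries the script text. Properties: [2] = ScriptBlockText,
    # [4] = Path. Path is empty for blocks that never existed as a file on
    # disk, which is exactly the in-memory case described above, so an empty
    # Path from a ProcessId that is not powershell.exe deserves a closer look.
    # Long blocks are split over several 4104 events (Properties [0]/[1]).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ProcessId = $_.ProcessId
            Path      = $_.Properties[4].Value
            Script    = $_.Properties[2].Value
        }
    }
}

Enable-ScriptBlockLogging
if (Test-ScriptBlockLogging) {
    # The policy applies to PowerShell processes started from now on;
    # list what has been logged so far.
    Get-ScriptBlockEvents -Last 20 | Format-Table -AutoSize -Wrap
}
```

Forwarding the Microsoft-Windows-PowerShell/Operational log to a central collector is what makes these events useful during IR, since a local log can be cleared by anyone who already has admin rights on the box.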

Get-Help
• PowerShell’s help system
• Available for any command in PS>Attack
  o get-help invoke-mimikatz
• Use the -Examples switch to view usage examples
  o get-help invoke-mimikatz -examples

PS>Attack Shortcomings
• All versions use the same encrypted files
  o Easy for AV to flag
• PowerShell tools are being updated daily

What does it do?
• Downloads latest release of PS>Attack
• Downloads the latest versions of the modules/tools that PS>Attack uses
• Encrypts everything with a unique key
• Compiles everything for you
• It’s super easy.

PS>Attack Build Tool Dependencies
• .NET 3.5 Full
  o Needed to build PS>Attack
  o Provides msbuild.exe
  o Backwards compatibility in .NET is all sorts of broken
• .NET 4.5 (and up?)
  o Needed to run Build Tool
• Modules.json
  o JSON file containing names and urls for PowerShell modules
  o Included with the Build Tool

Getting PS>Attack
• https://github.com/jaredhaight
  o PS>Attack: https://github.com/jaredhaight/psattack
  o Build Tool: https://github.com/jaredhaight/psattackbuildtool
  o Precompiled versions are available on the releases tab
• https://www.psattack.com
  o There’s a bunch of stuff on there, some of it is related to PS>Attack

What’s next?
• Bug fixes
• More PowerShell modules!
  o Within reason... PS>Punch is already 3mb.
• Better AV/IR evasion
  o Less static strings, more magic
• Better console emulation
  o Script support, Better exe support
• New features
  o Reverse Shell? Command line params? What does the community want?

How can you help?
• Submit issues
  o Let me know what errors you run into
  o Let me know when things don’t work the way you expect
• Submit pull requests
  o If you want to implement a new feature or something, ping me and we can talk
• Feedback of any kind is incredibly helpful
  o Hit me up on twitter, email, in person.

The real MVPs
• @mattifestation
• @sixdub
• @harmj0y
• @enigma0x3
• @subtee
• @nikhil_mitt
• @kevin_robertson

Like, Comment and Subscribe
• @jaredhaight
• [email protected]
• https://github.com/jaredhaight
• Charlotte Hackers – http://www.charlottehackers.com