![PowerShell weaponization problem?
‘How do you get your [PowerShell] scripts running
on your target machines, and effectively get your
results back?’ – Will Schroeder (@harmj0y)
Bottom line
• PowerShell weaponization can be used to be somewhat
cumbersome
• Hopefully I’ve made that a little easier with the Harness
tool set](https://image.slidesharecdn.com/harness-150809142527-lva1-app6891/85/Harness-PowerShell-Weaponization-Made-Easy-or-at-least-easier-4-320.jpg)
Harness: PowerShell Weaponization Made Easy (or at least easier)
- 1. Harness: PowerShell Weaponization Made Easy (or at least easier) Rich Kelley @RGKelley5
- 2. Who is this guy? • Computer science background • Prior US Air Force Communications Officer • Network engineer, software developer, penetration tester • Co-founder Gray Tier Technologies, LLC • Currently focused on application pen testing • Mostly I enjoy writing obscure utilities pyHashcat Keyboard Walk generators
- 3. Why should I care? • “…Microsoft’s Post-Exploitation Language” – Chris Campbell (@obsuresec) • Defenders should be more aware of the damage attackers can do with PowerShell alone • We need more research into incident response related to malicious PowerShell use DEF CON 22 - Ryan Kazanciyan and Matt Hastings, Investigating PowerShell Attacks
- 4. PowerShell weaponization problem? ‘How do you get your [PowerShell] scripts running on your target machines, and effectively get your results back?’ – Will Schroeder (@harmj0y) Bottom line • PowerShell weaponization can be used to be somewhat cumbersome • Hopefully I’ve made that a little easier with the Harness tool set
- 5. Hasn’t this problem been solved? • Yep, but I’m a developer. Why use someone else’s solution when I can write my own (I’m kidding…sort of) • Previous solutions were not as seamless as I wanted Step 1: Gain access Step 2: ????? Step 3: PowerShell! Step 4: Pwn all things! • A couple of very cool new solutions have recently been released
- 6. RDP – Paste, Download, or Import
- 7. Remote shell – PowerShell encoded command
- 9. Metasploit – Interactive PS Payloads
- 10. Cobalt Strike – Beacon
- 11. Other Options • PowerShell Remoting Must be enabled to use • WMI • Empire -www.powershellempire.com
- 12. My Development Requirements 1. Fully interactive remote PowerShell console with the same capabilities as the native PowerShell.exe 2. Ability to seamlessly import modules across the wire
- 13. Demo Time!
- 14. Under the hood • Payload Requirements .NET 4.0+ System.Management.Automation Assembly • Tested on: Windows 7 Window 8 Windows 8.1 Windows Server 2008 R2 Windows Server 2012
- 15. Under the hood • Listener/Framework Requirements Python 3.4 Asyncio (although could easily be ported to alternative) Linux Tested on Kali • Why Python? Why not Ruby? Why not Metasploit? Mostly for the learning experience I prefer Python to Ruby (calm down) Should be simple enough to port to Metasploit module ReflectiveHarness can be used with DllInject module
- 16. Defense • Restrict Access to System.Management.Automation • Enable monitoring New features added to PowerShell 5.0
- 17. Thank you! • Matt Benton (@ruddawg26) • James Icenogle (@sploitmonkey) • Matt Graeber (@mattifestation) • Will Schroeder (@harmj0y) • Justin Warner (@sixdub) • Contact: Twitter: @RGKelley5 Email: rk5devmail@gmail.com Blog: www.frogstarworldc.com Github: https://github.com/Rich5/Harness
- 18. Questions?
- 19. Bonus Payload Socket ps.BeginInvoke while script not valid: accumulate end PS C:> script/cmd Send results ls PS C:> ls Directory C: Mode: LastWriteTime ----- --------------------- d---- 2/2/1015 Handler PS C:> ls
- 20. Bonus Payload Handler Socket ps.BeginInvoke Inbound script True PS C:> <rs> PS C:> ^import-module script.ps1 Send results Socket byte stream PS C:> ^import-module script.ps1 Directory C: Mode: LastWriteTime ----- --------------------- d---- 2/2/1015 while !rcvd close signal: accumulate end </rs>