Monday, January 27, 2014

Persistence - Powerpreter and Nishang 0.3.2 - Part 3

This is the third post in the series about Powerpreter and Nishang.

You can read the first two parts here:
(Introducing) Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1
Pivoting to and poking other computers using powershell - Powerpreter and Nishang 0.3.1 - Part 2

Finally, I am back to blogging after few months. Hoping to resume the earlier frequency of writing :)

Many users wanted persistence for some payloads in Nishang. With this release, Reboot Persistence has been introduced for backdoors, keylogger and powerpreter. Scripts Add-Persistence and Remove-Persistence have also been added. Also, from this release, scripts in Nishang have been arranged in separate folders according to usage. Do let me know if you liked the change.

Persistence in Nishang uses WMI Permanent Event Consumers when used with Administrative privileges (elevated shell) and vanila Run Registry key otherwise. For WMI thingy, this Technet article helped me a lot. From 0.3.2 backdoors - HTTP-Backdoor, DNS_TXT_Pwnage and Execute-OnTime, Keylogger and Powerpreter will have this option.

For example, this is how persistence could be used for HTTP-Backdoor

The -persist parameter could be used with any of the above listed payloads.

The code for HTTP-Backdoor.ps1 is:
As visible in the above code, two files persist.vbs and HTTP-Backdoor.ps1 would be dropped in the TEMP directory of a user and a WMI permanent event consumer is created (by name of WindowsSanity) which launches persist.vbs on the user logon.I was unable to find a way to do this without dropping a file on the disk, suggestions are welcome on this.


For Powerpreter, the function Persistence could be used to achieve the same.
The Persistence function drops a copy of Powerpreter in User's TEMP directory and WMI events or Registry keys are created. On a reboot, Powerpreter is copied into the user's default $PSModulePath by the name of Update.psm1 which makes it directly usable (no Import-Module required) in Powershellv3. Note that one has to import the Update.psm1 module in Powershell v2 before using it. If the Update.psm1 is deleted by the user it will be copied back to $PSModulePath after a reboot.
The Peristence function in Powerpreter also has a HTTP based backdoor (works exaclty like the HTTP-Backdoor script).  An example.


And payload.txt contains call to
Aaand a calc pops up on the target!

Now, in case of the Keylogger, WMI method for persistence did not work. As the script is launched with the SYTEM privilege, keys for the user could not be logged by it. So the persistence method included in it is only using the Run registry key.

Ok, how about using the persistence thingy for any script? Add-Persistence could be used as below:

To check for the persistence, use the Remove-Persistence.ps1 script or Remove-Persistence function in powerpreter. Use with -remove option to clean.



That is all for this post. I am not sure if all would agree with calling this 'Persistence', but I found it useful anyway :)

Nishang could be downloaded from: http://code.google.com/p/nishang/source/browse/trunk

Hope you will find this useful too. As always I am looking forward for suggestions, feedback, bug reports and contributions.

Monday, September 16, 2013

Pivoting to and poking other computers using powershell - Powerpreter and Nishang 0.3.1 - Part 2

This is second post in the series about powerpreter. You can read the first part here: http://www.labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html

We can use Powerpreter to pivot to and poke other machines in a network. The assumption here is that we have local admin access to a machine in a network. That admin happens to have access to other machines in the network (as in many enterprise environments).

Pivot

Powerpreter contains Pivot functionality. It depends on Powershell Remoting to function. It means all which could be done using Pivot could be done even with Invoke-Command too. In fact, Pivot is just a wrapper around Invoke-Command.

Pivot could be used in both interactive and non-interactive mode. We can use username and password or use credentials of current session (for example, using a WCE generated powershell session).

Lets see a non-interactive Pivot to a single machine.




We can use it on multiple machines too. Lets see a non-interactive Pivot to multiple machines.



Nice and easy, isn't it.


Non-interactive is good but nothing beats an interactive session on a machine :) Let see interactive pivoting on multiple machines with a WCE-generated powershell (using password hashes).

Nice, we have two sessions with us. We can use Get-PSSession cmdlet to list the sessions. To interact with a session use Use-Session function of powerpreter.


We can use built-in cmdlet Enter-PSSession to interact, then why we have a separate function for similar thing in powerpreter? This happens when one tries to use Enter-PSSession from a powershell remoting session.


Points to note in above example:
1. When using Pivot from remote, note that we used username in form of "computer\username".
2. We got an error while trying to use Enter-PSSession from remote session, AFAIK it is not supported.
3. But Use-Session from powerpreter worked!

Why did Use-Session work?


Invoke-Command is supported from a powershell remoting session. We are using it with -Session parameter to save state and use it interactively.

Now, lets have a look at couple more functionalities in powerpreter which could be used to poke other machines in the network.

Port-Scan
As the name suggest we can use this to port scan other machines on a network.



Please note that we used the parameter -ScanPort to specify that we want a port scan, by default only a ping sweep is performed. There is a default port range which would be scanned but a custom port range could also be provided.

Lets look for a MSSQL Server on the network.



Bingo! We found one - already setup ;)

Brute-Force
We can use this to Brute Force services like MSSQL, ActiveDirectory, Web or FTP on other machines. Default service is MSSQL. Lets brute force with sa username on above discovered server.

Yay we got one password! - this too has been setup already ;)

As you can see we could use a list of password (also IP and username) instead of using a single password. There is a small catch here, the password list should start with the word "password" like this.

Why? Have a look at the code snippet.


It is due to the ValueFromPipeLineByPropertyName property. See this for more details: http://blogs.msdn.com/b/powershell/archive/2009/01/05/revisiting-old-posts-get-process-dir-about-valuefrompipelinebypropertyname.aspx

Execute-Command-MSSQL
Ok we have username and password for the MSSQL Server, what next? See this earlier post to understand usage of Execute-Command-MSSQL: http://www.labofapenetrationtester.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html 

Create-Multiple-Session
Function which can check for credentials on remote computers and can open PSSessions if the credentials work. See this old post to understand its working: http://www.labofapenetrationtester.com/2013/04/poshing-the-hashes.html

There are some code changes to powerpreter and other scripts in Nishang. So I am releasing Nishang 0.3.1 too. You can find the repository here: http://code.google.com/p/nishang/

As always I would like feedback, bugs, feature request and code contributions. Enjoy.

Friday, September 6, 2013

Kautilya 0.4.4 - dump lsa secrets, introduce vulns, improved backdoors and more

Here comes  Kautilya 0.4.4. This version adds three new payloads and improves couple of others.

Download and Execute Powerhell Script - As the name suggests this script downloads a powershell script and executes it on the target.

Remove Update - Remove all or security or a specific hotfix from the target. Great way to introduce vulnerability on a target.

LSA Secrets - Dump LSA Secrets from a victim. The payload detects 32-bit or 64-bit machine and calls the proper version of powershell accordingly.

I am always looking for contributors, if you want to contribute to Kautilya (or Nishang) do not hesitate to contact me.

Please refer to the CHANGELOG below for details.

0.4.4
- Added "Download and Execute Powershell Script" windows payload.
- Added "Remove Update" windows payload.
- Added "LSA Secrets" windows payload.
- Updated "DNS TXT Backdoor". It is much more easy to use now.
- Renamed Wait for Command to HTTP Backdoor
- HTTP Backdoor now keeps running till the stopstring is matched.
- An option has been added for no exfiltration of data. Choose 0 when Kautilya asks for exfil option.

Please update your repos or download the source from the repository here http://code.google.com/p/kautilya/

On a related note, Paul - the maker of Teensy pushed some updates for non-English keyboards. See the thread here (Thanks to Lorenz for reporting this): http://forum.pjrc.com/threads/23688-Possible-bug-with-windows-and-a-German-keyboard-layout. Please let me know if it helps with the problems for non-English keyboard users.

 Please feel free to report bugs and feedback.