Saturday, August 10, 2013

(Introducing) Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1

This post is all about what I was unable to discuss during my talk at Defcon 21 "Powerpreter: Post Exploitation like a boss". In 45 minutes one can only highlight limited things, so this and some more posts would try to fill the gaps left during the talk.

Posts planned in this series are:
Introducing Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1
Powerpreter and Nishang 0.3.0 : Pivoting and poking other computers - Part 2
Powerpreter and Nishang 0.3.0 : Persistence - Part 3
Powerpreter and Nishang 0.3.0 : Various methods to deploy and use - Part 4
Introducing Antak, Powerpreter and Nishang 0.3.0 : A webshell in powershell - Part 5
UPDATE: I have decided to finish the series in three parts. Part 4 and Part 5 would be posted as independent posts.

Powerpreter is a powershell module. I decided to make it a part of Nishang as there is a large amount of repeated code. This post assumes that we have Administrative access to a Windows 7 machine. Powerpreter can surely be used as a non-admin user but obviously with limited (but still useful as seen in below examples) functionalities. Like other scripts in Nishang, I have tried my best to keep powerpreter compatible to powershellv2 so you may see some code which could be done by a cmdlet in powershellv3 and v4.

Once we have access to a machine, powerpreter could be downloaded and imported in a powershell session for further fun. For using hashes or credentials with powershell remoting see my previous posts:
http://labofapenetrationtester.blogspot.in/2013/04/poshing-the-hashes.html
http://labofapenetrationtester.blogspot.in/2013/05/poshing-hashes-part-2.html

 From a powershell remoting session:


Now, to list the methods in the imported module:

We can list help for each function by using help. For example to get help for Check-VM

Now, lets have a look at some of these methods/commands/payloads. Some of the payloads in powerpreter have already been explained in blog posts about Nishang. I will explain only couple of those and some new functionality in powerpreter:

Take Get-WLAN-Keys for example


You can also use -exfil option if you would like to exfiltrate info to pastebin/gmail/tinypaste. See this for more detail: http://labofapenetrationtester.blogspot.in/2013/06/nishang-0-2-7.html


Enable-DuplicateToken, Get-PassHashes and Get-LsaSecret.

Use Enable-DuplicateToken to escalate to SYSTEM and then use Get-PassHases or Get-LsaSecret depending on your requirement.



Let's see it in action from a meterpreter.

First we download the powerpreter. I use -encodedcommand option with powershell.exe in meterpreter to avoid any issues. StringtoBase64 in powerpreter could be used for this.





In case of Get-LsaSecret on 64-bit machine, 32-bit powershell needs to be run. So use this path for powershell.exe: C:\Windows\SysWOW64\WindowsPowerShell\v1.0 from powershell remoting session. But while using meterpreter if the process on target is 32-bit, no need to specifically call 32-bit powershell.


Get-LsaSecret is written by Niklas Goude and Get-Passhashes by David Kennedy



HTTP-Backdoor

This backdoor can be controlled using a website whose content could be changed. Lets use pastebin for this.



It asks for four parameters. It keeps polling the url provided in CheckURL option for a string, provided in the Magicstring option. As soon as the string matches, it pulls a powershell script/command from PayloadURL.

Differents commands or scripts can be executed by changing the payloads in PayloadURL. After a sucessful execution, it waits for 60 seconds before polling again to avoid generating too much traffic.
The backdoor starts in a new process. With -exfil option, results of the backdoor could be exfiltrated.

This is how the backdoor process will look to naked eyes.



DNS TXT Backdoor
This backdoor uses DNS TXT records for receiving commands and scripts to execute as well as instructions to stop and start.

The backoor asks for various options. StartDomain is the one which would be polled by the backdoor for instructions. Three possibilities are present

  1. If txt record at Startdomain matches cmdstring, the backdoor will query txt record of commanddomain to look for a oneline command and will execute it on the target.
  2. If txt record at Startdomain matches psstring, the backdoor will look base64 encoded powershell script in txt record of psdomain.
  3. If txt record of Startdomain matches stopstring the payload stops.

As in case of HTTP-Backdoor this backdoor also runs in a new process and could use -exfil option. The below example shows a usage of backdoor.



We executed Get-Service on the target and results were exfiltrated to gmail.


Now lets have a look at Keylogger. Unfortunately, this does not work from a powershell remoting session. Lets run it from a meterpreter session.



The keylogger logs keys to a file in user temp directory of the target. The logged keys could be parsed using Parse_Keys script in Nishang. If you use -exfil option and select gmail , the key.log file would be sent as an attachment to the given gmail id.To avoid sending same keys repeatedly, after 30 reads key.log is flushed out.

DNS TXT Code Execution
This payload could be used to pull shellcode from DNS TXT records. The shellcode is then executed in memory. We have to provide different domains for 32-bit and 64-bit shellcode. The payload will determine the architecture during execution and pull the shellcode accordingly.

We could use the command given in help of the payload to generate the shellcode using msf.



Lets see this in action on a 64-bit machine.

 

On the listener console:
The code execution code is written by Matt Graeber.

UPDATE: Since many of you asked - HTTP-Backdoor, DNS TXT Backdoor, Keylogger and DNS TXT Code Execution - all could be used by a non-admin user. Though to use powershell remoting we must have admin access to the remote machine, unless configured otherwise. So, if we have non-admin shell access to a machine we can still use above.

Special thanks to Lee Holmes for going through my ugly coding of powerpreter and suggesting changes.

Ok, that is enough in this post about Powerpreter. As powerpreter is going to be a part of Nishang, I would like to announce an updated version Nishang 0.3.0. Changes could be found in the CHANGELOG below.

- Added Powerpreter
- Added Execute-DNSTXT-Code
- Bug fix in Create-MultipleSessions.
- Changes to StringToBase64. It now supports Unicode encoding which makes it usable with -Encodedcommand
- More Changes to StringToBase64. Now a file can be converted.
- Added Copy-VSS
- Information_Gather shows output in better format now.
- Information_Gather renamed to Get-Information.
- Wait for command renamed to HTTP-Backdoor.
- Time_Execution renamed Execute-OnTime
- Invoke-PingSweep renamed to Port-Scan
- Invoke-Medusa renamed to Brute-Force


You can get Nishang and powerpreter here: http://code.google.com/p/nishang

BTW Nishang has a logo of its own now :) Please let me know how you found it to be. It is "designed" in powerpoint and the background was removed using lunapic.com


Also, if you are looking for slides of my talk at Defcon, they are here:
http://labofapenetrationtester.blogspot.in/p/blog-page.html

Hope you enjoyed this post and it would be useful. As always, please let me know about bugs, feedback and feature requests.

12 comments:

  1. Your PS scripts are awesome! i've taken them and tweaked several, thanks. However i can't get EnableDuplicateToken to work in vista/win7/2008 in 64 & 32 bit. Running powershell as admin, On most the 64bit systems, the script runs however my access stays the same. I'm still not system. Any advice?

    ReplyDelete
    Replies
    1. It works for me even on a 64-bit system. How are you checking for elevated privileges after running Enable-DupicateToken? Have you tried EnableDuplicateToken;Get-PassHashes?

      To use Get-LsaSecrets on 64-bit machine, you need to run 32-bit powershell.
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -command Import-Module ; EnableDuplicateToken;Get-LsaSecret

      Delete
    2. Also, if you have tweaked some scripts, could you please share the improvements? I love contributions. Thanks.

      Delete
  2. i feel stupid now, i misunderstood how enableDuplicateToken worked. I didn't realize it was temporary and only for a command ran on the same line... anyways thanks, it works great lol.

    my mods were mainly removing all the pastebin & tinypaste, though i did leave some of the gmail.
    However for gmail to work i had to mod the line to add the port:
    $smtp = new-object Net.Mail.SmtpClient($smtpServer,587 )

    For the HttpBackdoor i have 2 main mods, 1 allows https with an invalid cert. 2 was to download the payload to a string and execute the string, vs download it to a file then run the file. Also then it'll run as a job and wait for it to stop vs wait 60 seconds

    #before the loop add this
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

    #download to string, then execute as a job
    $sb = [scriptblock]::create($filecontent)
    $job = start-job -scriptblock $sb -name scriptjob
    $jobvalue = get-job $job.id | wait-job | receive-job

    other little tweaks too but more just for how we do things, nothing big. Though i did add an option to post to our webserver vs a public site, like pastebin

    ReplyDelete
    Replies
    1. Regarding Enable-DuplicateToken, the beavior you mentioned is in a powershell remoting session. It sets the stolen token to current process thread and in case you try it on a machine from an interactive shell other than ps remoting (local access or an interactive powershell somehow), it will "elevate" the privileges till the life of calling thread.

      Regarding your tweaks, thank you very much. I will test and make changes. I am always looking for contributors so let me know if you want to share something.

      Delete
  3. Awesome work! I have a question on your HTTP-backdoor code execution. Maybe I'm reading into it or i'm missing something, so hopefully you can help me out.

    When using the HTTP backdoor, how does the code execution actually work? I understand how it downloads the script, but giving that script a command..how does that work? For example:

    I host powershellscript for your powerpreter on http://pastebin.com/powerpreter.psm1

    I use the HTTP-backdoor with a magic string, and it goes to my pastebin and downloads the powerpreter. How do I give the powerpreter commands, like Get-Information? Until I give the stopstring, does the powerpreter run in the same powershell instance, or does it spawn a new one each time.

    Hope this wasn't too confusing. Just asking for a bit of guidance! Thanks!

    ReplyDelete
    Replies
    1. Hi,

      Thanks for reporting this. This needs enhancement in the code. I have raised an issue and working on it.
      https://github.com/samratashok/nishang/issues/10

      Delete
    2. Hi Sirulian,

      It has been fixed. Please update your repo and try again. You should now be able to provide command like Get-Information with the -Arguments parameter while using script module like Powerpreter. To provide a different command, HTTP-Backdoor needs to be run again.

      Although, for using multiple scripts as payload in a single run, you can change the script at PayloadURL while the HTTP-Backdoor is running on the target.
      Also, until stopstring is given, it runs in the same instance of PowerShell.

      Hope this helps.

      Delete
    3. Thanks for your reply and quick work! I'll update my repos and try them out :)

      Delete
  4. I've tested the HTTP backdoor and it doesn't seem to be working as of now.

    ReplyDelete
    Replies
    1. I've checked it and it is working fine. What is the problem you are facing?

      Delete
  5. Hey Nikhil,
    I read your blog on Nishang but I am unable to get it work.
    Can you please help me as it is troubling me a lot and its urgent..
    https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1

    This is the code from github i am referring..

    Thanks

    ReplyDelete