Monday, May 11, 2015

Week of PowerShell Shells - Announcement and Day 1

PowerShell as an essential tool for Penetration Testers and Red Teamers needs no introduction. Its tight integration with Windows operating system allows us to do a variety of interesting stuff which other PowerShell hackers and I have blogged and coded over time. Still, during my talks and trainings I see both attackers and defenders unaware of what PowerShell is capable of and how it can make their life easy. I have also met infosec folks who were dismissive of PowerShell just because it comes from Microsoft. To generate awareness and spread the goodness of PowerShell in the infosec community, I am glad to announce a Week of PowerShell shells.

On each day of the current week, from 11th May to 15th May 2015, I will publish/discuss a blog post and accompanying open source tools for getting interactive PowerShell on a target using different methods, techniques and protocols.

Day 1 - Interactive PowerShell shells over TCP
Day 2 - Interactive PowerShell shells over UDP (Click Here)
Day 3 - Interactive PowerShell shells over HTTP/HTTPS (Click Here)
Day 4 - Interactive PowerShell shells with WMI (Click Here)
Day 5 - Interactive PowerShell shells over ICMP and DNS (Click Here)

Without further ado, lets get started with Day 1.

Day 1 - Interactive PowerShell shells over TCP

Lets start with a reverse shell. It is based on this awesome post at Nettitude by Ben Turner (@benpturner) and Dave Hardy (@davehardy20). Using the scripts with metasploit is well documented in that article. After removing some code and changing few things, I give you Invoke-PowerShellTcp. This script is capable of providing a reverse as well as a bind interactive PowerShell. The current source code (without the help documentation ) looks like this:


It could be found in the Shells directory of Nishang https://github.com/samratashok/nishang/tree/master/Shells


A screenshot of it in action. A listener is running on Kali linux:

A listener could be set up on a Windows machine as well. Lets use powercat (https://github.com/besimorhino/powercat) as a listener:


Using Invoke-PowerShellTcp as a bind shell:

The ability to have an interactive PowerShell helps us in many situations. One good example would be my previous blog post about Dumping users passwords in plaintext for Windows 8.1 and Server 2012. In that case, it was not possible to achieve the results without an interactive PowerShell.

Note that we can use powercat as well. 

Choose whatever you like depending on the scenario at hand.

If you see the source code of Invoke-PowerShellTcp, it is really small and therefore can be used with various attack techniques like Weaponized MS Office documents, Human Interface Devices (see Kautilya), Drive by downloads, DNS TXT records etc. where a shorter script is desirable. In fact, it could further be shortened if we remove some error handling and fancy user input. I give you Invoke-PowerShellTcpOneLine.

Further shortened version which does not show output and could fit in two tweets:

A quick video shows how Invoke-PowerShellTcp could be used with a weaponized MS Word document:



If you enjoyed the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:

NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/

7 comments:

  1. Looks like a great series; would be great if you also post pcaps to o along with these.

    ReplyDelete
  2. This is fantastic. I'd drop some spare change if I had a way to tip you for putting this info together.

    ReplyDelete
  3. Hi Nikhil,

    I used the code you gave and created a reverse shell.
    The problem is that it doesn't full redirect the input from the victim.

    When for example I am sending a command to delete a folder:
    rd C:\someFolder

    The victim receives a message:
    The item at C:\someFolder has children and the Recurse parameter was not specified. If you continue, all children will be
    removed with the item. Are you sure you want to continue?
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

    Instead for the attacker to receive this message and decide what to do.

    How can we also redirect such messages ?

    ReplyDelete
  4. Could you please also include one-liner TCP *bind* shell ? I cannot stress how often I encounter machines that I can reach (e.g. I land of user's PC) but the other side reverse connection is blocked by some network ACL.
    So please, make oneliner *bind* TCP shell.
    Thank you!!

    ReplyDelete
    Replies
    1. Here you go!
      https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLineBind.ps1

      Delete
    2. Thanks! (that was fast)

      Delete

Note: Only a member of this blog may post a comment.