Tuesday, May 12, 2015

Week of PowerShell Shells - Day 2 - UDP Shells

Welcome to day 2 of Week of PowerShell Shells. Today we will see how UDP can be used for interactive PowerShell shells. I love UDP because many security and infrastructure teams love to ignore it. I have seen client environments where UDP ports like 53, 161 and even 389 are not properly filtered and monitored. Let's use this condition for our benefit and get some shells.

Let me introduce Invoke-PowerShellUdp. It is similar to Invoke-PowerShellTcp in syntax. Here is the current source without the credits and help documentation:
It is available in the Shells directory of the Nishang repository: https://github.com/samratashok/nishang/tree/master/Shells

A screenshot of Invoke-PowerShellUdp reverse shell in action:

An interactive PowerShell reverse shell over UDP using IPv6:
A bind connection:

Pcaps for all of the above can be found here on my Google Drive: https://drive.google.com/open?id=0B-Hsu8q12kG3fmZoREtISjJyTjZiRGpGN29SVVJDWF9TVlBmVExFRnVlWHRsUkVXOTdmLUU&authuser=0

Invoke-PowerShellUdp has a one-line version as well, with many lines of code stripped out. It is a reverse-only version, and the IP address and port number need to be hardcoded. Below is the current source of Invoke-PowerShellUdpOneLine:

Powercat can also be used for getting an interactive PowerShell over UDP.
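For the blue team reading along: the condition this post relies on (UDP going unfiltered and unmonitored) is also easy to check for on the endpoint. The snippet below is an added example, not Nishang code. PowerShell hosts rarely hold UDP sockets, so any UDP endpoint owned by powershell.exe or pwsh.exe deserves a look, and one bound to a port that is commonly left open (53, 161, 389, as named above) even more so. It assumes Windows 10 / Server 2016 or later, where Get-NetUDPEndpoint exposes OwningProcess; the function name and the $watchPorts list are my own.

```powershell
# Added example (not part of Nishang): list UDP sockets owned by PowerShell
# host processes and flag those on ports the post calls out as often unfiltered.
# Assumes Windows 10 / Server 2016+ (Get-NetUDPEndpoint exposes OwningProcess).

$watchPorts = 53, 161, 389   # ports named in the post; extend for your environment

function Find-PowerShellUdpSockets {
    # Map PID -> name for every PowerShell host currently running
    $hosts = @{}
    Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue |
        ForEach-Object { $hosts[$_.Id] = $_.ProcessName }

    # UDP has no connection table, so only the local endpoint is visible here
    Get-NetUDPEndpoint | Where-Object { $hosts.ContainsKey([int]$_.OwningProcess) } |
        ForEach-Object {
            $cmd = (Get-CimInstance Win32_Process `
                        -Filter "ProcessId = $($_.OwningProcess)").CommandLine
            [PSCustomObject]@{
                ProcessId    = $_.OwningProcess
                ProcessName  = $hosts[[int]$_.OwningProcess]
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Created      = $_.CreationTime
                OnWatchPort  = ($watchPorts -contains $_.LocalPort)
                CommandLine  = $cmd    # kept for analyst review; may be long
            }
        }
}

# Suspicious rows first; an empty result means no PowerShell host holds a UDP socket
Find-PowerShellUdpSockets | Sort-Object OnWatchPort -Descending | Format-Table -AutoSize
```

Because UDP keeps no peer state, the remote address of a reverse shell does not show up here; pair this with firewall or NetFlow logs for outbound UDP on the same ports to get the other half of the picture.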

That is all for today! Hope you enjoyed it.

If you enjoyed the post and want to learn more and/or want to support my research and work, join me for a two-day training "PowerShell for Penetration Testers" at:
NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/
