Wednesday, May 13, 2015

Week of PowerShell shells - Day 3 - HTTPS Shells

Welcome to the day 3 of week of PowerShell shells. Lets focus on HTTP/HTTPS today. The traffic over HTTPS is mostly considered safe and often overlooked by the blue teams and system administrators. This makes HTTPS a desirable channel for our shells. I have stolen Casey Smith's (@subTee) Poshrat (https://github.com/subTee/PoshRat) and tweaked it a bit. I give you Invoke-PoshRatHttps. 

Invoke-PoshRatHttps, as the name suggests, establishes an encrypted medium of communication between the target and the attacker. This was lacking in the previous shells we saw on Day 1 and Day 2. It could be found in the Nishang repository here: https://github.com/samratashok/nishang/tree/master/Shells

Invoke-PoshRatHttps requires Administrative access on the attacker's machine to listen on ports and install SSL certificates. Lets set up a listener on a machine:
Note that the listener needs two ports. One for initial connect and another for encrypted communication. 
On a target, we just need to execute the below command (note the HTTP):
A user could be tricked to open a HTA file as well. Though the kind of warnings shown by browsers reduce the chances of a successful attack. A target needs to open the below URL:

Lets see it in action:
Awesome! An interactive and encrypted reverse PowerShell!

In Wireshark we can see that only the initial connect request is sent over HTTP, everything else is over HTTPS. The initial unencrypted connect is used to setup the HTTPS channel :
The pcap is available at: https://drive.google.com/folderview?id=0B-Hsu8q12kG3fkVMaWlQejI4bmktVFlnZHd5Y3pjcHcxRVppQVM1Y1ZYamI5RlYxNExhY2s&usp=sharing


Note that Invoke-PoshRatHttps installs Root certificates by the name of "Windows Update Agent" and the IPAddress specified on your machine and opens incoming traffic on the specified ports. The firewall rules are named "Windows Update HTTPS" and "Windows Update HTTP".

There is a HTTP version as well, Invoke-PoshRatHttp.
What makes Invoke-PoshRatHttps awesome is that the client part is very small and could be used with wide variety of techniques where there are size limitations. 

To clean up the machine after using Invoke-PoshRatHttps, we can use Remove-PoshRat. It needs to be run from an elevated PowerShell.

Nishang has another HTTPS shell Invoke-PsGcat which uses Gmail for command and script execution. I have blogged about it earlier: http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html


A video showing usage of Invoke-PoshRatHttps:

Please note that I am deliberately not going into what can be done after we get shell access to a target. For that please see my previous blog posts.

Hope this proves to be useful. Please leave feedback and comments.


If you enjoyed the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:

NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/

1 comment:

  1. First of all THANKS for your GREAT work. Efficient,simple :) but complex powershell :D
    Do you plan to release a reverse shell automaticly detecting proxy, mainly used in companies (squid, cloud proxy..)/proxy pac...etc Something like this https://www.pentestgeek.com/2013/09/18/invoke-shellcode/ wich use meterpreter. A kind of 'one click pwnage'/one liner powershell command ?

    ReplyDelete