Welcome to Day 5 of the Week of PowerShell Shells. Today we will see interactive PowerShell shells using ICMP and DNS. Both ICMP and DNS are generally allowed through firewalls and are not as commonly used for shells as TCP or UDP. That makes both of them useful for attackers. Let's see how both could be used to serve our purpose.
For DNS, let's use Ron Bowes' awesome dnscat2 (https://github.com/iagox86/dnscat2) as the server. On the target Windows machine, we can once again use powercat (https://github.com/besimorhino/powercat). We have used powercat earlier as well and it is of great use.
Use the command below to start a dnscat2 server:
Use the command below on the target to connect back:
And the result is:
Brilliant! We have an interactive PowerShell shell over legit DNS traffic.
While dnscat2 supports an indirect connection as well, we used a direct connection to the DNS server started by dnscat2.
If we ask Wireshark, it has no complaints:
The pcap can be found here: https://drive.google.com/folderview?id=0B-Hsu8q12kG3fmV6YUpOOVJzaC05cnRRZ3huV2xZUkNlOHplSkFqZ0VjVFNpU2NTZGpUN1E&usp=sharing
While we are on this, Nishang has a couple of interesting scripts which make use of DNS for command, script and msf shellcode execution, but there is no interactive shell. Please see this blog post for more details: http://www.labofapenetrationtester.com/2015/01/fun-with-dns-txt-records-and-powershell.html
Now, let's move on to ICMP. For the server/listener part, we will use icmpsh (https://github.com/inquisb/icmpsh) by Bernardo Damele (@inquisb). I have written a client/connect-back in PowerShell. I give you Invoke-PowerShellIcmp.
The current source code, without the help and credits documentation:
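The shell above rides on DNS queries that Wireshark accepts as ordinary traffic, so detection has to look at the query names themselves rather than at the protocol. The Python below is an added example, not code from the post, dnscat2 or Nishang: it scores constructed resolver log lines on label length, all-hex labels (the encoding dnscat2 uses), entropy and record type, and flags the ones that look like encoded tunnel data.

```python
import math
import re
from collections import Counter

# Constructed BIND-style query log fragments; made up for this example, not from the post's pcap.
SAMPLE_QUERIES = [
    "client 10.0.0.5#51234: query: www.example.com IN A",
    "client 10.0.0.5#51236: query: update.microsoft.com IN A",
    "client 10.0.0.7#40001: query: 4a1bc0de9f00112233445566778899aabbccddeeff0011223344.c2.example.net IN TXT",
    "client 10.0.0.7#40002: query: 7b2f83a1e5c4d6b9f0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b.c2.example.net IN TXT",
    "client 10.0.0.9#53001: query: mail.example.com IN MX",
]

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_score(name: str, qtype: str) -> int:
    """Heuristic score; higher means the query looks more like encoded tunnel data."""
    labels = name.rstrip(".").split(".")
    longest = max(labels, key=len)
    score = 0
    if len(longest) >= 30:                        # encoded chunks give very long labels
        score += 2
    if re.fullmatch(r"[0-9a-f]{16,}", longest):   # long all-hex label, as dnscat2 emits
        score += 2
    if shannon_entropy(longest) > 3.5:            # encoded data is high-entropy
        score += 1
    if qtype in ("TXT", "CNAME", "NULL"):         # record types with room for data
        score += 1
    return score


def flag_suspicious(lines, threshold=3):
    """Return (name, qtype, score) for every log line whose score reaches threshold."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            score = tunnel_score(m["name"], m["qtype"])
            if score >= threshold:
                hits.append((m["name"], m["qtype"], score))
    return hits
```

Tune the thresholds against your own resolver logs; CDN and anti-spam lookups also produce long labels, so the score is a triage signal, not a verdict.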
Invoke-PowerShellIcmp is available in the Nishang repo here: https://github.com/samratashok/nishang/tree/master/Shells
Use the commands below to disable ping replies (IPv4) and start a listener:
Use the command below on the target:
Aaand:
Awesome! An interactive PowerShell session over ICMP.
Wireshark looks like this:
A video showing DNS shell and Invoke-PowerShellIcmp in action:
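Invoke-PowerShellIcmp and icmpsh carry the session inside the payload of echo requests and replies, which is exactly where a network sensor should look. The Python below is an added example, not code from the post or from icmpsh: it builds two constructed ICMP echoes, verifies the RFC 1071 checksum, and flags any echo whose payload is neither the stock Windows ping pattern nor the stock iputils (Linux) pattern.

```python
import math
import struct
from collections import Counter

WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte payload of Windows ping


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for an empty payload)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def inspect_icmp(packet: bytes) -> dict:
    """Parse one ICMP message and decide whether its payload looks like ordinary ping data."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    checksum_ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    # iputils ping: 56-byte payload, timestamp first, then every byte equals its own offset
    linux_pattern = len(payload) == 56 and all(payload[i] == i for i in range(16, 56))
    looks_like_ping = payload == WINDOWS_PING_DATA or linux_pattern
    return {
        "type": icmp_type, "id": ident, "seq": seq, "checksum_ok": checksum_ok,
        "payload_len": len(payload), "entropy": round(entropy(payload), 2),
        # an echo whose payload is neither stock pattern deserves a closer look
        "suspicious": icmp_type in (0, 8) and not looks_like_ping,
    }


# Constructed samples: a stock Windows ping and an echo carrying shell output text.
NORMAL_ECHO = build_echo(8, 0x0001, 1, WINDOWS_PING_DATA)
TUNNEL_ECHO = build_echo(8, 0x0001, 2, b"whoami\r\nlab-pc\\user\r\nPS C:\\> ")
```

On a live sensor the same check is run per host: a burst of echoes with varying payload sizes from one machine, or replies that arrive when ping replies are disabled as in the listener setup above, is the tell.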
For those who wanted to know what to do after we get access to a target using these shells, please refer to my earlier blog posts.
For any of the shells discussed in these five days, a PowerShell script can be executed with the help of the -EncodedCommand (or -e) parameter of powershell.exe.
For example, to execute Get-WLANKeys, encode it with the help of Invoke-Encode from Nishang. Make sure to remove the function declaration and the help section.
which looks like this:
Then use the encoded script in encodedcommand.txt with any of the shells:
Or you can use the one-liner below to execute scripts from a local web server:
Please note that I encountered errors in some of the shells if the encoded script is too long. I need more testing on this problem, so please provide feedback and report bugs.
The best way to pass parameters to modules or scripts when using -EncodedCommand is to include the parameter passing within the script.
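The encoding itself is just base64 over the script's UTF-16LE bytes, which is also how a defender turns a logged -EncodedCommand argument back into readable script. The Python below is an added example, not Nishang's Invoke-Encode: it encodes a constructed script, checks the resulting command line against cmd.exe's 8191-character limit (one likely cause of the too-long failures noted above), and decodes the argument back out of a constructed process-creation log line.

```python
import base64
import re

# cmd.exe rejects command lines longer than 8191 characters, so a long -EncodedCommand
# argument is one plausible reason for the "too long" failures described in the post.
CMD_EXE_MAX_LEN = 8191

# Constructed script to encode; the post's own example is Get-WLANKeys from Nishang.
SAMPLE_SCRIPT = "Get-WLANKeys | Out-String"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen in process-creation logs.
ENC_FLAG_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of its UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Reverse of encode_command; turns a logged -EncodedCommand argument back into text."""
    return base64.b64decode(encoded).decode("utf-16-le")


def build_command_line(script: str) -> str:
    """Command line to paste into one of the shells; refuses one that cmd.exe would reject."""
    line = "powershell.exe -EncodedCommand " + encode_command(script)
    if len(line) > CMD_EXE_MAX_LEN:
        raise ValueError(f"command line is {len(line)} chars, over cmd.exe's {CMD_EXE_MAX_LEN}")
    return line


def decode_from_log(line: str):
    """Pull the encoded argument out of a process-creation log line and decode it."""
    m = ENC_FLAG_RE.search(line)
    return decode_command(m.group(1)) if m else None


# Constructed log line in the shape of a process-creation event (not a real event).
LOG_LINE = ("CommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass "
            "-EncodedCommand " + encode_command(SAMPLE_SCRIPT))
```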
To transfer files, the best way is to use the following one-line downloader. You can use a local web server like Apache or HFS.
Wrap up of the Week of PowerShell Shells
We have reached the end of the Week of PowerShell Shells. It was a wonderful yet tiresome experience. I learned a lot while writing these posts and hope you learned something as well. The goal was to keep the posts concise and usable without going into too much detail. In fact, to achieve this goal, no protocol-level details were discussed. I would like to believe that through this series I was able to spread awareness about the capabilities of PowerShell to more folks in the Infosec community.

Continuing with the shameless self promotion :), I would ask you to consider joining one of my upcoming two-day trainings, "PowerShell for Penetration Testers", at:
NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Hack In Paris, Paris (June 16-17th) - https://www.hackinparis.com/training-2015-powershell-for-penetration-testers
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/

I hope you enjoyed reading the posts as much as I enjoyed writing them. Please leave comments, feedback and report bugs.
Your DNS shell requires egress port 53 to be open to the outside, which in an average enterprise is usually *blocked* for all systems except DNS forwarders. The better option would be to use DNS-A and/or DNS-TXT requests/answers as a transport for evading egress rules. Could you comment on that please? Thanks
Sure. When I wrote "While dnscat2 supports an indirect connection as well", I meant that you can use internal DNS/forwarders as well. That holds true both for the shell and the DNS_TXT_Pwnage backdoor. I believe I have also mentioned the same in the video. Sorry if that was not clear at first.
Hope it helps.
Can I hack a faicebuk with this?
Awesome work! I'm just having a couple of small issues with the scripts... The Invoke-Decode doesn't seem to work for me, it says something about the string/script not being correctly encoded, but I can decode the same string/script with an external base64 decoder. Another issue is when I exfiltrate data with the Do-Exfiltration, the gmail option throws an error, even though it's correctly set up in the security settings of gmail. The pastebin option works but it only exfiltrates the first line of the output; I've tested this with get-information and several other powerpreter functions. I also have problems with the persistence function of powerpreter. It seems like it only checks the "CheckURL" page of pastebin once when it's run and once after reboot, not every 5 seconds.
Thanks for your great work!
I forgot to mention that the "CheckURL" problem is there regardless of if it finds the magicstring, stopstring or nothing at all
Thanks for reporting these. Since you are facing multiple issues, could you please raise issues at Nishang's Github repo? https://github.com/samratashok/nishang
Please make sure you mention the errors you are receiving.
Thank you for the quick response. I've raised an issue on your github about the Gmail Do-Exfiltration option. The persistence function and the problem with it not rechecking "CheckURL" do not give any errors. But the hit count on the pastebin "CheckURL" page just gets raised by one, once after I run the command and once after reboot of the machine, regardless of magicstring, stopstring or random data on the "CheckURL" page. This also shows in the lack of script/command execution of the "PayloadURL", which also doesn't get a higher hit count, even when the magicstring is there in "CheckURL". I tested the persistence function on a regular user, an elevated user account and system, all with the same result. I have no idea where it goes wrong or if it's me using this the wrong way. The lack of errors made me not want to raise this issue on your github.
I really appreciate your great work with Nishang!