Hi, DEF CON. Thank you. I'm Nikhil Mittal. I'm from India, and I'll be talking about Powerpreter: post exploitation like a boss. So how many of you are penetration testers? You surely do post exploitation? Yes or no? Yeah. So we'll have a look at something which could be used to enhance your post exploitation experience. Sounds like a vendor term, but yes. And let's have fun. So, something about me. I'm a hacker who goes by the handle SamratAshok. This is my Twitter handle, and you can find my blog posts on my blog. I'm the creator of Kautilya and Nishang. Kautilya is a toolkit which could be used to use human interface devices like Teensy and others in a penetration test, or whatever way you want. Nishang is a post exploitation framework in PowerShell. Powerpreter is going to be a part of this framework. You can find both of these on Google Code; links are on my blog. I'm interested in offensive information security, methodology to own systems, getting into systems. I'm a freelance penetration tester. Just read it twice. And I've spoken at a couple of conferences before this, and this is my first time at DEF CON. So what we'd be looking at is: what is the need for post exploitation? What is PowerShell, in a couple of slides? Why do we need PowerShell? Then we'll have a look at Powerpreter, its architecture, usage, payloads and much more detail. Then there's a web shell which I call C#.NET and PowerShell. And then limitations and conclusions. So what is post exploitation? For me it is the most important part of a penetration test. As a freelance penetration tester I know that someone who is going to pay me doesn't understand what a shell is. "But I got access to my DC." "Yeah, that's okay. Even I have access to my DC." So that's the kind of response you get in a meeting with the client, with those guys who want to pay you.
So we need some ways to show actual data, or things like, if it's a pharma company, the complaints their customers have made against them; or if it's a supply chain management company, then the profit they take at every step of the supply chain; things like that. So this differentiates a good penetration tester from something which I've written, etc. So what is PowerShell? It's a shell and a scripting language which is present, I think post Vista, by default on all Windows systems. It is an automation framework designed to help system admins, and of course penetration testers who know how to use it to their profit. It's based on the .NET framework and is tightly integrated with Windows. Yes, it's by default on Windows. So why PowerShell? Anybody here uses PowerShell for their penetration testing things? Wow, nice. Any one of you use Nishang by any chance? Wow. Just out of curiosity, anybody here uses Kautilya or knows what it is already? Okay, thank you. So yes, why PowerShell? It's easy to learn and powerful. The help system is quite good. You can read help for any cmdlet or command, whatever it is. We're not going into details of that. And one thing which I have come across during my penetration tests is that it is trusted by system administrators, countermeasures, etc. No one actually cares about PowerShell. There are a lot more things to have a look at. You can consider it the bash of Windows. Many commands like ls, cat, etc., the very common ones, are used as aliases in PowerShell. So it would be comfortable using it. And this means less dependence on any library which converts your code to an executable, let's say py2exe, things like that. And, to some level, less dependence on MSF. MSF is very good. I mean, it is nowhere near Meterpreter, from where it borrows its name. But AV vendors are all around MSF.
So it's good if sometimes you have something in your tool chest other than MSF which can help you in achieving things in a similar way. Powerpreter. Yeah, it's a post-exploitation tool written in PowerShell. It's a module. How many PowerShell programmers, or guys who use PowerShell other than for penetration testing, for anything? Same guys. Okay. It's a module or a script; it depends on the usage. So how Powerpreter is designed is, if you rename a file to .ps1, which is the default extension for PowerShell scripts, it could be used as a PowerShell script. And if you rename it as .psm1, then it's a PowerShell module. Payloads and features are all divided into different functions. Each function represents a different functionality. So if you have some code which you want to include with Powerpreter so that its helper functionalities could be used, for example persistence, pivoting, etc., then you can just write a new function, copy it into your PowerShell module, and you're good to go. So how to use PowerShell? So since we're talking about post-exploitation, we'll assume that we have access to a machine. Rather, we have administrative access to a machine, and we'll try to make our way to other machines on the network, backdoor that machine, or pull data out of that machine, more effectively than could be done using non-PowerShell methods, or at least in the most stealthy way. And yes, the third thing, it could also be used with a Meterpreter shell. You can use... And one thing: if you're using it from a Meterpreter shell, you won't be able to get an interactive PowerShell prompt from Meterpreter. It's the way PowerShell handles output redirection. And other than from Meterpreter, if you have any custom shellcode which gives you the ability to execute code on a machine, you can always use PowerShell and hence Powerpreter. So there are many payloads in Powerpreter. We'll have a look at them. That would be the most lengthy part of this talk.
Most of the time we'll be in the demonstrations. So these are the capabilities of Powerpreter. Persistence: using WMI permanent event consumers, we'll reside in the machine. It won't be a startup script or something like that, service failure or scheduled task; it won't be anything of these. We'll use WMI permanent event consumers. That's it. I can explain it right now. We'll have a look at it. Pivoting: we'll use built-in PowerShell remoting to pivot to other machines. There are two ways possible. Either we'll just run commands non-interactively, or we'll interactively run commands or scripts or whatever on a remote machine. We have a simple function called Enable-DuplicateToken, written by a friend, Nicholas, which allows... which is nothing great, but if you are admin on a machine, you can get system-level access and do stuff like dumping hashes or LSA secrets, etc. Then there are helper functionalities. Simple ones like converting executables to Unicode-encoded text, or base64 encoding, or acceleration, etc. So these are some helper functionalities. Deployment: we can deploy Powerpreter from a PowerShell session, from a PowerShell remoting session. We can use Meterpreter. What else can we use? We can use PsExec, obviously, because that allows us to execute commands on a remote machine. And of course we need a volunteer from the audience. First time DEF CON person. Your hand shot up. Yeah, yeah, yeah. Everybody else is like, damn it. To our new speaker and our new attendee. Busy afternoon. We have to go. We're following us. We know you're out there. Okay, so. Powerpreter could be deployed using drive-by downloads. We'll use an HTML application which will execute VB code which in turn would download Powerpreter from a server and execute it. And we can also use a human interface device, because I love to insert HID things into everything. So select a couple of functionalities and run it from your HID device. From your HID, sorry. So let's get down with demos.
So let's assume. Do you want me to assume that I have clear-text passwords of the remote machine, or that I have the hashes of the remote machine? Okay. So this is the attacker machine and we'll use WCE to pass the hashes. Sorry, let me boot the target first. But the font size? Better? Meanwhile it is booting. So what we'll do: we'll use these hashes with WCE, and on our victim we will have administrative access. So yeah, because it's a post-exploitation thing, please don't shoot me. So we'll have a remoting session, which is PowerShell remoting, a built-in feature of PowerShell which is enabled by default post Server 2012. So we'll have a remoting session on the victim machine. There we'll download the Powerpreter module, import it, and we'll have fun. Okay. So we have hashes with us. So let's... okay, this Enter-PSSession cmdlet opens a PS session with this remote computer name, which is called Akela, which means standalone. It's not part of any domain. Let me try with credentials then. Maybe I have older hashes with me. Okay. I think that was an issue because my attacker machine had PowerShell version 3 and the victim is PowerShell version 2. So maybe because of that; otherwise, I just tested it before the talk. Okay, so the roles are reversed. So my VM is now the attacker. Okay. So let's... okay, I am... now if I import the module because... sorry. Okay. So the module is already there. Either we can download it using this one-liner, which is this. But I'm not going to do that because I've already wasted a couple of minutes. So I've renamed it to update.psm1 just because I was testing some things. So let's import this. So now we have some functions imported into this current PowerShell session. For example, let's see. It won't be beautiful, but let's see what is some juicy or basic information about the client. Okay.
It isn't looking beautiful, but as you can see, we have: logged-in users, profiles of logged-in users, PowerShell environment, PowerShell trusted hosts, PowerShell saved sessions, recently used commands, other initiatives on the machine now, environment variables, some details about the current user, no SNMP, installed applications, installed applications for the current user, domain name (no, it's a standalone system), contents of etc\hosts, running services, local users, local groups, WLAN info. This is the thing which messes it all up. Okay. Et cetera. So this gives us a basic idea about the target system. Now, let's have a look at the basic things like Get-WLAN-Keys. So one thing I would like you to note is, for example, when I say Get-WLAN, this is an independent script. This is not because of Powerpreter; it's residing in that system. Better I get out of this folder. So this Get-WLAN-Keys function shows us the keys in plain text of all the WLAN profiles residing on that system, or which it has connected to in the past. No, that's my home Wi-Fi. Okay. Just to make things faster, I made a list of what I want to demonstrate. Okay. WLAN keys are done. Keylogger I'm not showing; it takes time. Okay. We already had hashes. We assume that we had hashes. But suppose you got access to this system from a remote shell. You don't have access to the password hashes. Then let's use this. Will we get hashes? No, we won't, because we need system privileges to execute this thing. So for that, we have a helper function called Enable-DuplicateToken. This duplicates the system token from the LSASS service and assigns it to the current PowerShell thread. So we run both of these in tandem. And here we do have the hashes of the system. Okay. But these are hashes. What if we want LSA secrets from the machine? Let's try it out. Okay. But this is a 64-bit system, our new victim. So for that, I need to execute... Is it the correct path? Wow, 64 bits. Okay. Okay. So thank you. Okay.
This is the 32-bit PowerShell, because LSA secrets are stored in the 32-bit registry. And here we'll import Powerpreter in this 32-bit PowerShell, call Enable-DuplicateToken and call Get-LSASecret. So that... networks. Let's see. Thank you. Okay. So we will input it. Okay. So we have the LSA secrets of this machine. As you can see, this is again my password. Okay, now. Let me try again to get back to the older victim, because for a couple of these things I have an MS SQL server running on the older victim. Or rather, let's use it on the same machine. So now, just for the sake of demonstration, we are running it on the same machine. But I swear it works on remote machines too. Let's try this invoke... It's a basic brute force. Let's do it on ourselves. Okay. It's bound to be successful because we are running on the same machine. We'll leave it for now. Let's execute some MS SQL commands on this machine. We'll use a name, this, and password, this. So it asks whether you want to run a PowerShell shell, or a SQL shell, or a command shell. Let's write PowerShell. So now we have a PowerShell shell on this machine. So let's check what's the version. This is version 2. And we can do much stuff. So there are already many built-in cmdlets in PowerShell which could be very useful in a penetration test. For example, Get-Process, etc., etc. Okay. We do have a basic port scanner too, but let's leave it. Okay. We do have execute shellcode, but let's leave it too, because I want to show you one more thing which was not present in the slides on the DVD. That's why. Let's have a look at pivoting. Where will we pivot to? Okay. Meanwhile, it's getting up. Let's have a look at a video. Okay. I'm on a remote machine. Zoom out. Zoom out. As you can see, I'm on a remote machine. I think I'll open it in VLC. No, it's not playing it. Okay. I'll try to. Okay. So we are on a remote machine. And yeah, just import the module.
And this is a backdoor called wait for command, which polls a URL for commands. And only when... those who can't see, I'm sorry. So we have this check URL, which is this pastebin. And as the payload URL we'll use this pastebin URL. You can use any service, any website, any web app you want. Okay. We have the check URL, the payload URL, the magic string. The payload will check if the magic string provided to the payload matches this one; only then will the payload execute. We say start123. And the stop string is stop. Whenever stop comes in place of start123, the backdoor will stop. Okay. We just downloaded Powerpreter and got hashes of this system. As you can see, the payload was this. And now we change the payload to maybe Get-Process. Meanwhile, in the background, the backdoor is waiting for either the stop string or the next command. Until stop is found on the check URL, it will keep looking for new commands or new payloads on the payload URL. And it takes one minute, that is 60 seconds, between executing commands, so that it doesn't create too much noise or too much traffic to get caught easily. So after waiting for one minute... Okay. So I'm running out of time. So yeah, it will show the processes and then I'll change it to stop and it will stop. Let's leave the pivot thing for a while; I'll blog about it. Okay. Let's see, what's the IP of this victim? Okay. Assume you have a file upload, or somehow you can upload files to an ASP.NET machine or server. So you can use this; this may come in handy. Is it 146? Okay. First the slides, because I've made the slides so I have to go through them. Okay. It's named after the god of death, Yamraj. How many of you know Yamraj here? I've seen a couple of Indian faces so you guys might know it. Yeah. So it's the god of death; sounds badass.
So it's written in C#.NET, as I said; that is what I call it. The UI is designed to look like an actual PowerShell prompt. You have the ability to download and upload files. You can execute scripts using the Encode and Execute button. And if remoting is enabled, you can also run commands on remote machines using this web shell. So before the demo, meet Yamraj. Whoa. What's this? Wife of Yamraj. Okay. So is it visible? Better now? Let's have a quick look at it. If you type help, it will show you how you can execute commands on the victim using this. And the best thing in this is the Encode and Execute option. You can actually copy a fairly large PowerShell script into this command console, and when you click it, it uses Compress-PostScript by Carlos Perez. Thanks to him. It compresses the script and uses PowerShell's encoded command to execute it on the victim. We won't have a look at it; it will take time. Let's see whether we are really able to do something. Yes. Some basic commands. Yes. Users. What else? Any command you want me to run here? Let's say Stop-Computer, et cetera, anything. And one thing is, if you want to download or upload any file, the help clearly says you have to physically type here. For example, if you want to upload a file to the current directory, you have to put the full name here. Let's say one dot... no, that's it. Browse for it. Sorry. Browse for it. Select it and upload it. That's a little bit inconvenient, but it's for the purpose of maintaining the feel of a proper PowerShell prompt. Okay. Limitations. Yet to undergo community testing; I've been using this for the past six months. Many of the payloads are already part of Nishang, so some of them have undergone some testing. Others have not. So bugs will keep coming, I think, and improve with time. And one aspect is the keylogger does not work from the PowerShell remoting session. I don't know why.
It's maybe because of the runspace restrictions with the PowerShell remoting session. I'm unaware of any keylogger in PowerShell which runs from a PowerShell remoting session. And yes, backdoors can be detected with careful traffic analysis, because it's a fixed time interval in which it polls the source. It depends upon PowerShell remoting. Okay. To conclude with, PowerShell gives you much control over a Windows machine or a Windows network, and Powerpreter utilizes this in an attempt to ease this most important phase of a penetration test. Obviously, there are other ways to do the same thing. PowerShell just makes it, or tries to make it, easier. I would like to thank, give a shout-out to and give credit to all these guys who are friends and fellow PowerShell hackers. So I would request applause for these guys. And I would like to thank my friend Arthur who helped me in getting here. And there is another interesting PowerShell talk tomorrow by Joe. Please make sure you attend it. Thank you. Any questions, insults, feedback? You're welcome. Thank you.
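The speaker lists fixed-interval polling as a limitation of the backdoor: it checks a web URL every 60 seconds, and that regularity is what traffic analysis can pick up. The script below is an added example, written for this page and not part of the talk, Powerpreter or Nishang. It parses web proxy log lines in a format assumed here (timestamp, client IP, method, URL; the sample lines and the pastebin.example hostname are constructed), groups requests by client and URL, and flags any stream whose inter-request gaps are nearly constant, which is how a 60-second polling loop stands out from human browsing.

```python
"""
Detect fixed-interval polling (beaconing) in web proxy logs.
Added example for this page; not code from the talk or from Powerpreter.
The log format and the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <method> <url>".
# 10.0.0.5 polls one URL exactly every 60 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2013-08-03T10:00:00 10.0.0.5 GET http://pastebin.example/raw/check
2013-08-03T10:00:03 10.0.0.7 GET http://news.example/index.html
2013-08-03T10:01:00 10.0.0.5 GET http://pastebin.example/raw/check
2013-08-03T10:01:41 10.0.0.7 GET http://news.example/sports
2013-08-03T10:02:00 10.0.0.5 GET http://pastebin.example/raw/check
2013-08-03T10:02:00 10.0.0.5 GET http://pastebin.example/raw/payload
2013-08-03T10:03:00 10.0.0.5 GET http://pastebin.example/raw/check
2013-08-03T10:03:22 10.0.0.7 GET http://news.example/index.html
2013-08-03T10:04:00 10.0.0.5 GET http://pastebin.example/raw/check
2013-08-03T10:05:00 10.0.0.5 GET http://pastebin.example/raw/check
2013-08-03T10:09:17 10.0.0.7 GET http://news.example/index.html
2013-08-03T10:09:40 10.0.0.7 GET http://news.example/index.html
2013-08-03T10:15:02 10.0.0.7 GET http://news.example/index.html
"""


def parse_log(text):
    """Yield (timestamp, client, url) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_requests=5, max_cv=0.1):
    """
    Return [(client, url, mean_gap_seconds, cv)] for request streams that
    look like a polling backdoor: at least `min_requests` hits and a
    coefficient of variation (stddev / mean) of the gaps at or below
    `max_cv`. A loop that sleeps a fixed 60 s has cv close to 0; human
    browsing of the same URL has gaps that vary widely.
    """
    streams = defaultdict(list)
    for ts, client, url in parse_log(text):
        streams[(client, url)].append(ts)

    findings = []
    for (client, url), stamps in streams.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # repeated identical timestamps, not a polling loop
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((client, url, avg, cv))
    return findings


if __name__ == "__main__":
    for client, url, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {url}: every {avg:.0f}s (cv={cv:.3f})")
```

On the constructed input only the 10.0.0.5 stream to the check URL is reported (six requests, 60-second gaps, cv 0); the browsing client makes five requests to one page but with gaps from 23 to 355 seconds and is not flagged. The thresholds are starting points: a backdoor that adds random sleep will raise the cv, so in practice you would also look at the destination (paste sites and other free hosting reachable from a server segment) and at request volume over a longer window.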