So a little bit about Josh here. Hi guys, I'm Josh. I work with Dave. I'm a security analyst there. I do just about anything technical, including watching Dave modify my slides. 'Cause Dave is a big Perl fan. He loves Perl and he programs solely in Perl. I do Python. So I mean, I'm not as good as him. He's being sarcastic. So the people give me thumbs up. It's sarcasm. I do not like Perl. Dude, you should see all the things he's got out there in CPAN. So next slide. So I have heavy experience in penetration testing and all that good stuff. Wrote the Social-Engineer Toolkit. So really, how many people use it? Got two people. We got two, it's good. That's all I wanted. So I got a heavy military background. Deployed to Iraq a couple of times and yada, yada. Before we start, I want to say a special thanks to Irongeek and Kathy Peters. Kathy, you in here? Guess not. Thank you.

So let's do a little brief intro on PowerShell. Is anybody here familiar with PowerShell? I know what PowerShell is. Use PowerShell on a regular basis. That's great. So. Wow, that was a lot of people. It was a lot of people. Yeah. So it's installed by default on Windows 7 and Server 2008. In Windows 7, you cannot uninstall it. So it's basically embedded into the OS at this point. PowerShell basically is a fully flexible, you know, UNIX, Linux type programming environment or bash environment. And it actually integrates completely into the .NET programming language, which we'll be seeing a lot of today. So if you haven't seen it, it's really exciting. That's what it looks like. Oh, look, can you guys tell that's blue? Just so you know, that's blue. It's 2010, and we're still using the same command prompt from Windows 98. They upgraded. They put a PS in front of it. It says PS in front of it, so yeah, that is better. And it's blue. That blue is kind of nice. You can make it transparent too. Hey, when you maximize though, it still goes, doesn't expand. Yeah.
I think they would have fixed that by now. So PowerShell for haxers. You need to learn how to spell. Yeah, so we'll be getting, we'll be the first ones to admit that PowerShell is absolutely a benefit to IT, as well as to us as security professionals, right? You'll see a lot of demos here as proof of concept code, as well as, if you go to my site at the end of this talk, secmaniac.com, you can download all the proof of concept code and new Metasploit modules and all that other good stuff. But what I'll say is, for us from a security standpoint, we generally didn't have this type of programming language at the command line. The ability to completely interface with the .NET framework and do whatever we want from an automation perspective is really sexy to us. And you'll be seeing a couple of demonstrations as we go with that. Yeah, before we had to rely on like VBS scripts and batch files and stuff like that, isn't this? CSE? Yeah, not a lot of power in those, but this definitely takes the cake.

So, execution policies, wanna talk a little about that? Yeah, the execution policies are there. It's kind of a security benefit, kind of, not really. Microsoft will even admit now that it's not really there for security. But you have Restricted, which pretty much restricts all execution of PowerShell scripts on the system. You can still execute PowerShell and run your commands within the environment, but you can't execute the actual .ps1 file, so you have. AllSigned requires all scripts to be signed before they can be executed. The other one's RemoteSigned, so anything you download from the internet, it creates an alternate data stream and it will let PowerShell know that it's been downloaded from the internet, and if it's not been signed, it will not execute, but you can still execute your own scripts that you've written. And then Unrestricted is unrestricted. You can execute any PowerShell script that you want. So it's unrestricted? That's what I heard. Okay.
Sorry, I was confused. I couldn't tell. So release in Metasploit module one. I don't know if you guys remember, but in Fast-Track, what we use when doing SQL injection, or specifically through MS SQL, or you find like a weak SA account or something like that, what we're doing is we're taking a binary, converting it to hexadecimal, and then using the xp_cmdshell stored procedure to write that hexadecimal representation of the binary to the underlying operating system. Try saying that three times fast. Did anyone here actually use Fast-Track and use that part? Oh, wow, okay, that's good. Okay, this is so new. This is all new to you guys. Awesome, great. So we just did this. That stuff never existed. Yeah. This is all new. Right. Thanks, buddy. I spent like four months on that. Anyways. That was me, then. When it gets sent to the underlying operating system as hex, we used to call Windows debug to convert it back to a binary for us. Now, there was a slight little problem. You had the 64K restriction that Windows debug has. So if your binary was larger than 64K, debug would choke and wouldn't allow you to do it. So what we ended up doing, or the team that I was with at the time, basically wrote a small stager that just reads in hex and spits out binary. So we basically got around the debug 64K restriction. Now, the problem is, shortly after that talk, they removed debug from all 64-bit systems. So the traditional method for payload delivery was no longer existent. So we're releasing a new Metasploit module called the PowerShell Debug. It allows you to do the exact same thing all through PowerShell. And one thing I'd like to say with this, and we'll talk a little bit more about this in a few minutes, but these types of attacks, the PowerShell attacks, like the Metasploit modules that will be shown, the bypass, the reverse and bind shell purely in PowerShell, none of these are getting hit by AV or HIPS.
So it's a completely new attack vector that no one's really looking at. And you can basically get anything you want through the system, which is kind of nice. Oops. So quick demo. You guys probably can't see that, huh? So I'll do a little narrative here for a second. We're just doing a quick nmap scan of a host. Nothing spectacular. We find that 1433 is open. We load up our favorite tool, Metasploit, and we're going to try to brute force the SA account. And the SA account is, if you're using integrated or SQL authentication, it's the account that gets created by default, the sysadmin account for Microsoft SQL, if we weren't familiar with that. Very easy to find in large organizations. And we're gonna go ahead and brute force this account. So very quickly with 255 threads, it finds an SA account of blank. I'm sorry with, yeah, blank. So now we're gonna load up our new SQL, MS SQL payload that will be put into the Metasploit repositories here very shortly. I talked to HD, he's working on it. And basically we're gonna intact. Now what we're gonna do next is we're gonna, there's new options added to this specific payload. So instead of using the debug version, it'll allow you to use the PowerShell version. So you just use PowerShell, set it to true. You turn off the old one and hit exploit. Now this is all gonna take an executable, convert it to hex, put it on the underlying operating system, bypass execution restriction policies, which we'll talk about in a second. And then we'll actually execute the payload on the system and we get a meterpreter shell. That looked easy.

So just a real quick recap. Binary is converted to hex and placed into the file system. Convert script is created to take the hexadecimal and rewrite it back as a byte array as binary. Payload is now on the system for execution. So execution restriction policies, you know, they're not, they shouldn't be relied upon for any type of protection whatsoever. They're really not designed for that.
If you look at the sites and people talking about it, a lot of people do talk about it as a preventative measure for, you know, not allowing scripts to execute or not allowing you to get specific code on the system itself. It's really not designed for that and it's very easy to bypass. Execution restriction policies really do not help from a post exploitation perspective. Period. Do you want to talk about this? Sure. So the create command release, we'll be releasing the tool. It's also on SecManiac.com. Basically the contents of the file are coordinated and compressed and converted to a base64 string. The boilerplate bootstrap is created when we use the specific calls EncodedCommand and Command to basically invoke expressions, using Invoke-Expression for executing our payload on the system. So basically what this essentially allows you to do is take any PowerShell script you want to, execute it, bypass all the execution restriction policies and allow you to run whatever you want to on the system itself. So with the most restrictive policy set on PowerShell, we can still execute whatever we want. Again, this really is not a security prevention method. No need to disable execution restriction policies through like registry interaction, reboots, et cetera, et cetera. We can just do it on the fly.

So here's a quick demo. In this scenario, I'm actually gonna be on the local system itself just to show you as a representation. So here we just created a macro to basically set the execution restriction policy to unrestricted and we're gonna create a file. So we'll show you in the next slide, we wrote a tool called PowerDump and basically it'll dump the SAM database purely through PowerShell. So in this example, we're gonna actually use PowerDump to get around the execution restriction policy through our new command create command. And so what it does is it actually spits out a BAT file for you, a nice little BAT file.
You just double click the BAT file, it loads everything into PowerShell for you and you just call your function. So we're creating a service right here as SYSTEM so we can dump the SAM database. We're running as SYSTEM right here and we're gonna go ahead and execute that specific BAT file. It loads everything into PowerShell for us and all I have to do is type dump hashes and we have the hash values, bypassing execution restriction policies. So it's really nice. Go ahead.

All right, so what's really nice is we have full access to PowerShell and .NET libraries. We can do pretty much anything we want. Releasing today is a proof of concept of a reverse bind and a regular bind of a command shell, just as a proof of concept to see if we could really utilize the .NET libraries to do some post exploitation stuff. One thing about that is it's purely coded in PowerShell. So I mean it's a bind and reverse completely coded in PowerShell. We're actually looking at adding it to the MSF payload libraries as well as a few others, doing meterpreter through PowerShell, a lot of other great things. And this was also written in PowerShell version one. So this is compatible with both version one and version two that you see on all the newer operating systems.

So a real quick demo of the new Metasploit module PowerDump. And we have to give a big shout out to Kathy Peters on this one because she's the one that coded most of this. I did a lot of research but she was the one that actually was able to get it done in time. So if you look here we're running a fully patched Server 2008 R2 64 bit platform. All you do is specifically call the PowerDump executable or the add on. And it will go ahead and dump the hash values for us. Done. On PowerShell. Who thought you could do that with PowerShell? So yeah, meterpreter based module will dump the SAM database purely through PowerShell. Again, you can download them from our site if you want it immediately. And it's broken up into two parts.
So you have the Metasploit modules file, then you have the PowerShell based examples. So either one, all the proof of concept code for PowerDump without having it in meterpreter is also there as well. So anything that you wanna go through and modify or add, go for it. So PowerDump is a Metasploit meterpreter based module that will dump the SAM database through PowerShell. It works on all operating systems. Both x86 and 64 bit. And obviously anything that has PowerShell installed on it. Which in Service Pack 3 it's an optional update. And Windows Vista it's an optional update. But Windows 7, Server 2008, it's 100% installed by default. Another interesting component with PowerShell is there's gonna be full, there already is full integration into Exchange 2010. As well as any new Microsoft product that comes out. So PowerShell will be 100% integrated into pretty much every aspect of the Microsoft product line, which will definitely be beneficial for us as we're going through and performing penetration tests and doing different things. I mean you're talking about a whole new vector of tools and different ways of attacking systems that we generally didn't have before.

So one of the tools I write is the Social-Engineer Toolkit. And it's very applicable to what we're gonna do here because I have here a Teensy device. We'll talk about that in a second. For those of you that don't know the Social-Engineer Toolkit, it's a tool for social engineering. That's about it. No creative name there. Yeah, it's also called SET. For some reason I had this fascination with Arnold Palmer for the past six months. Every time my wife goes to the store she buys the whole store out. So I have gallons and gallons and gallons of Arnold Palmer. And I tell you, every time I drink Arnold Palmer I crank out like 10,000 lines of code. So I really recommend, if you're a hacker and you code, Arnold Palmer will basically make you, will let you present at DEF CON.
Yeah, trade out your Mountain Dew, trade out your Dr. Pepper, get on. Are you tired of getting rejected? You know, you're tired of getting your submissions rejected, drink Arnold Palmer and you'll be speaking at DEF CON. Look at me, I'm here. You don't drink Arnold Palmer. I don't know. Tastes nasty. Oh, dude. Get off stage. Get off. Let's go. Dude, I almost broke my hand trying to get in your trunk because the Arnold Palmer was falling onto me. Yeah, so Walgreens around the corner is actually sold out of Arnold Palmer. I was coming back with like three bags. You know, my arms are like screaming sore right now. It's going good. But they're all gone.

So the basics of SET, it's open source. It's purely programmed in Python. Python. I'm working on a Perl version of it. Was that the archaic 1970s programming language toolkit? Sorry, Perl guys. I really apologize. That was harsh. I think Jabra hates me now. Yeah, most likely. So it has integration of Metasploit for both the exploit repository, client side attacks and the payloads. Multiple attack vectors specifically designed for social engineering. For good, not bad. Help penetration testers and organizations secure their program. You know, again, use this for your good. You're going to see a couple of demos here that are specifically related to PowerShell, next to one that's not. But that will definitely help you as you're doing penetration tests or you're trying to hack your mom's computer or whatever you guys do in your spare time. It's up to you. Legally.

So the USB HID attack vector. Really cool. Have you guys seen the Teensy devices? The Teensy devices? Did anyone see Adrian's talk yesterday about the Teensy? Did you see Adrian's talk yesterday? Great. Did a phenomenal job, phenomenal job. We've been working with Adrian, Adrian's got some really cool stuff he's doing. So what we decided to do was take one of these Teensy devices and do a PowerShell based payload on it that will compromise the system.
So basically you insert this USB device into any computer you want to and it can actually be made multi-platform. So it doesn't have to be PowerShell. It can be Linux, OSX or Windows or whatever, or the Hannah Montana Linux distribution or any of those will work. And that's my primary operating system. It's for my wife. I'm just kidding, guys. It's awesome. It is awesome. The music plays in there. I'm just gonna load it up. Oh, that's great. But basically when you plug it in, it gets recognized as a keyboard. So that means Autorun, all that good stuff, is pretty much out the window, right? It emulates exactly what you're gonna do from a keyboard perspective. So as soon as you plug it in, it simulates keystrokes. So it does like 140 to 280 characters per second. It's actually more than that, isn't it? Yeah, it's a lot more than that. Yeah, sorry, thanks. And basically it will execute a payload on the system. Basically we're only restricted by how fast the buffer is on the program. Did they code that in Perl? No, they didn't code that in Perl. I was just checking. At least on a Windows system. I was just checking. I mean, you never know. So you can drop a payload on the system either through PowerShell or WScript, the two main methods. Automatic creation of the attack vector through SET. That's the big thing. That's why I wanted to show SET today. It will actually create the attack vector for you, create the .pde file which you can load into Arduino and then copy it over, and you'll see an example of that. And it will compromise the computer for you.

So how easy does it get? We're gonna load up BackTrack 4, right? Everybody uses BackTrack 4. Yep, come on. Wow, that's not a lot of people. It's Sunday, I'm not, I'm not. The Hannah Montana party was yesterday. So we're gonna go ahead and load up SET. You know, again, codename Arnold Palmer. I already got the version of that seven which is gonna be awesome, so pretty funny. I try to come up with different ones every time.
What we're gonna do is we're gonna do number six which is the Teensy USB HID attack vector. So as you select that, it's gonna say what attack vector do you wanna use? Do you wanna use a purely PowerShell based reverse shell? Do you wanna do a WScript HTTP GET MSF payload? Or do you wanna do a PowerShell HTTP GET MSF payload? In this example, I'll use PowerShell second. I wanna show you the WScript one because it has more of a presentation experience. Looks better. So it's gonna ask you if you wanna create a payload. I'm gonna hit yep, absolutely. Type in my IP address. And then here we get options to use Metasploit's. So we're gonna hit the default, which is meterpreter. And then we're gonna backdoor the executable. So with msfencode and msfpayload, right, you can take a legitimate executable and shove meterpreter on the bottom of it so it has better AV detection. What I found was when you're actually executing payloads on the client side, if it has any type of command interface to it, it's gonna pop up a black window to the user. So obviously you don't want that when you're doing a social engineering attack and it's probably gonna be kind of suspicious. Well, at least if you're using Hannah Montana, it was probably not. But basically what ends up happening, what I ended up doing was I took a version of Calc and I just modified it so it was basically broken. But the execution flow within assembly still works perfectly and everything like that, but nothing pops up. So I have that built into SET. And what ends up happening is when you backdoor the executable, it puts the meterpreter stuff on the bottom of it, and when the payload executes the user's not presented with anything at all, which is great. We use the default port 443. And we're gonna, hey, start up our little listener here. Now if you look it says, was able to create the .pde file under reports slash teensy.pde. So what we're gonna do is we're gonna copy that to our OSX machine. All right.
So we have our teensy.pde file here. Now there's two things to take special note of. There's the Arduino-based application which is basically the developer IDE for programming microcontroller-based devices. So the small microchip, microprocessor type devices, that's what you do all your programming in. On the left-hand side, this is the Teensy loader. So this is what actually uploads your bad stuff to this device here. So all we're gonna do is just simply drag this over and we have our code automatically generated for us with our IP address, it sets up the web server for you, the listener, everything else for you. And then you insert your USB device and you upload it. So it programmed, it reboots, and we're all set. So now we have our malicious USB device. So we're gonna put USB keyboard down there. There you go. So we're gonna take this and we're on a Server 2008 fully patched, all that good stuff, right? We're gonna plug it in, demo gods. There it goes. We have a meterpreter.

So let's just back this up real quick and do the exact same attack vector all through PowerShell, because it actually is not as cool looking, but it's actually a lot more efficient. So if you're going after a system, and what's cool about these, if you look and you can see it's kind of hard to tell, but there's DIP switches on here. Thanks again, Adrian. The DIP switches allow you to program different payloads per DIP switch that's flipped. So if you wanna do, you know, you're coming up to a Server 2008 machine, you insert it, you hit DIP switch two, it targets PowerShell based systems. You hit DIP switch three, it targets OSX. You hit DIP switch four, it pops up a message box saying ha ha, you know, whatever you got. So basically, you can program it to do whatever you want to, use any DIP switch you want to, have multiple payloads, it's all great.
So we're back in SET again, we'll go to the Teensy USB HID attack vector, the PowerShell one, we're gonna create a payload, we're gonna type in our IP address, we're gonna do all the defaults, and it's under reports slash teensy slash the .pde. So we're gonna go ahead and copy this over again, easy. Sometimes it doesn't take. Hang on one second, sorry about that. All right, so I'm just copying the file back over again, it didn't overwrite the other one for some reason. All right, good, we got our PowerShell payload. We're gonna go ahead and upload this. It's good. And these .pde files are completely customizable. You know, and there's actually, on the website, there's multiple different types of, Here's your customer. Hang on one second here. There's actually multiple different types of attacks you can use with this, this is just an example. It's a false one. All right, so it'll go ahead and reboot. All right, we're good. So again, in PowerShell, my hands are off. Actually, I can't type that fast anyway. I don't know, you can move pretty fast. There it goes, that's all you needed. So it actually executed the PowerShell script, now it's executing our payload. Next, we got my meterpreter. That was cool. That was pretty cool. I was impressed it worked. She's in DEF CON 16, man. Whoo, glad these demos are working.

So integrating into existing hardware, Josh, why don't you talk about this a little bit? All right, so we did this as a practical joke to one of the guys in the office. He went away for a week and was getting a new computer, so we wanted to mess with him really good. What I did was took apart the back of the keyboard, soldered just this little bit of a USB cable to the back of it. This, it's a Dell keyboard. It's got a USB hub built into it, and then plugged a Teensy right into it and screwed it all back together. No one could tell any difference about it.
So plugged it into his keyboard, or into his docking station, he came back to work the next day, and all of a sudden his mouse started moving on him. Now, I had programmed the Teensy to just move the mouse a little bit and click. So every 30 seconds. So it gets better, it gets better. So, okay, so day one goes by, he's sitting there typing Word documents, constantly messing them up, getting frustrated. It's just, he's having a horrible day. Well, and I had to go out of the office. So as this is going, I know what's going on, because I'm sitting there cracking up, as you start putting this back together, I'm sitting there laughing my butt off. Yeah, we were, this was a test run to see if we could do this to someone else higher up in the office. Right, yeah. We're not doing that. We didn't do that, though. Oh, we found out this was way too damaging. This is not, yeah, not good. So anyways, before you get into that, so I leave the office for like three days. So figuring if it got out of hand, they'd probably stop doing it, right? Yeah. So, all right, so we know he's getting a new computer. So he gets his new computer, he thinks all the problems are gonna go away with this. And lo and behold, he keeps the same docking station, same keyboard, same mouse, and boom, the problems start up again. He's like, what the hell's going on? This is a Windows 7 box that should be working perfectly. You know, he's doing all sorts of stuff, and he's just getting so frustrated. He's just, so he's like, okay, fine, it's gotta be the mouse. Changes out his mouse, comes back, plugs it in, boom, starts up again. He's like, he's frustrated, so it's okay, so logical troubleshooting, it's gotta be the docking station. Changes out the docking station, does it again. He's getting so frustrated that he's got a new keyboard on the way. He's also started to put in a request for a new computer.
So I get to the office, and this guy is literally pulling his hair out, and he's like, I just ordered another computer, I can't figure it out, I'm like, all right, wait a minute. Yeah. Thankfully, Dave pulls him into the office before he starts to switch out his keyboard, and I'm able to grab my keyboard that has a Teensy device in it, so he doesn't throw that away, because I don't wanna lose that. Yeah, so we actually didn't tell him, because he was really upset. So I pulled the, hey, man, I gotta talk to you about that stuff you're doing over there. Why don't you come over to my office for a little bit, and I did the whole swap the keyboard, and you're sitting there and you're like, man, I really only wish it was like a 10 second conversation, but then it goes on for like 30 minutes. But it worked, and he never knew the difference, so magically it started fixing itself. Yeah, so magically it started fixing itself. Wait, these aren't recorded, are they? I didn't say any names. Well, I mean, he's gonna know exactly what happened to that, you know. Yeah, that keyboard's sitting on my desk still. Oh crap. Well, the funny part about it was, one of the other guys that's in the audience right now was listening in, and he knew what was going on, and he had to listen to this other guy who we were playing the joke on complain about it, and he didn't even have the heart to tell him either, so. Well, you know, I figured, you know, as this dude's sitting there spending like half his day trying to fix his keyboard and stuff, you know, and he goes over to Ryan, he's right there, actually, I want you to raise your hand, Ryan. You can stand up, I actually want you to stand up. I wasn't gonna call him out. Yeah, Ryan, Ryan Nulkins, maybe we're gonna give him a clap. Way to keep the joke going, way to keep the joke going.
So he, you know, the guy comes over, and he's like, dude, my computer's so messed up, man, I'm so upset, he's like, he cannot figure it out, I'm so frustrated, and Ryan's like, dude, that sucks. That sucks, man. Have you tried changing out the mouse yet? Yeah, he's like, dude, the mouse, it's gotta be the mouse. Like, come on, man, it's three days, he's swapping out his laptop, I don't know. Hey, it's all good and fun and games, right? Yeah, Dave told him about a week later, he hasn't talked to me since. Or me, and I'm his boss, not good. So this is what the keyboard looks like put back together. Does it look like a keyboard to you guys? Yeah, it's like a keyboard. Now if you were in Irongeek's talk yesterday, you can also see that you can embed this into pretty much anything you want to. This is just, it's a little bit bigger than you might see, but the chipset is only that big. So I mean, you can fit it into anything you want to. Yeah, Irongeek was actually able to fit a hub, an SD card, a Teensy, and all of that into just a normal mouse. And some LEDs too to make it look really cool. That is cool. I want one. Me too.

So kind of off topic here, but I just wanna show you the powerful stuff with SET. There's the Java Applet attack vector within, and that's pretty much the meat and potatoes of the Social-Engineer Toolkit. If you guys wanna do 100% success rate on your pentests, I recommend this right here, 100% success rate. If it doesn't work, I'm not gonna pay you anything for that comment, but I mean, it will work. So let's just say a real quick demo here. I'm gonna just prep my config. You're doing this one live too. Dude, I know, last minute's gonna be awesome. All right, so we're gonna load SET, and it has the website attack vector. We're gonna select the Java Applet attack method. Now here's what we can do if I actually wanted to use DEF CON's wireless. I could do a site clone using DEF CON's wireless on stage.
Yeah, if that was a Windows box it'd blue screen immediately. Yeah. So what we're gonna do instead is we're gonna use the web templates. What we can do is you can actually clone an entire site. So it automatically, we say you're going after company X. Hopefully there's not a company X out there. It's company X and it'll actually go and rip their site off completely, set up a web server with it, with all the malicious Java applet code in it. And basically when they go and browse the site, it looks identical in every way, shape, and form to whatever company you clone. In this example, we're just gonna use the web templates. We're gonna set our interface IP address since I'm not connected to the internet. And then we're gonna sign our Java applet. So in this instance, we'll be pretending we're Google, because we love all Google. Google does no evil, right? I like Google. Google's good for you. So we're gonna hit three for the Google. These are just different templates that are built in, but you can definitely clone any site you want to. And we're gonna select the defaults, look familiar, meterpreter, backdoor executable, port 443, look good. And what's interesting enough about this payload is it works for Linux, OSX, and Windows. Yeah, Java makes everything nice, doesn't it? So we'll go ahead and just do an example of OSX. So it sets up the listener for us, the web server, all that good stuff, right? Now we're gonna go ahead and go to the site. I hope you prayed to the demo gods last night. I did, they're gonna be fine, they're cool. And we get this warning saying, Google, the publisher, wants you to run this Java applet. Do you want to continue? Dude, it's Google. I'm not saying no to Google. I know better than that. If I say cancel, my computer's crashing. I can't search the internet, nothing works. Yeah, there's no other search engines out there. Yeah. What's up? What's that? Sounds cool. So we go ahead and hit run.
Now, if I was actually connected to the internet, you would actually see the logo there and everything else looking pretty, since we don't have internet, so I'm doing that. But interestingly enough, as soon as the payload executes, it redirects you back to the legitimate Google site. So you never even knew that you were at a malicious site. And while we're there, on the back end, we have meterpreter shells. Yes, the demo gods smiled upon you today. Dude, I had no worries. I sacrificed five lambs. No worries. So I got to give a shout out to Thomas Werth, who helped me write the, or he wrote the Java applet attack vector. It was closed source. We initially released that at ShmooCon closed source and heavily obfuscated, but we did open source it with version 0.6, which was released at B-Sides on Wednesday. So you can actually manipulate the source code for this, use anything you want to do what you want to. It's all open source. So again, special thanks to Thomas Werth for that. So basically the user hits run, payload is executed on the victim's machine, redirects the user back to the original site, makes the attack less conspicuous. Would anybody not fall for that? Oh yeah, that's what I'm talking about.

So getting back onto the PowerShell kick, what does this really mean? Well for one, antivirus and host-based intrusion prevention systems are doing squat for this right now. Yeah, I think there's only one PowerShell script that they actually catch. And it's an old Trojan that was written back when PowerShell was codenamed Monad that used Kazaa to do, just to move around from system to system and just really did nothing. It was more of a proof of concept. That's the only one that I've seen in the AV databases. And it's actually a problem. I mean we've been, before this presentation, before the Black Hat presentation, I do have to give a special shout out, kudos to Microsoft, because they're very responsive.
We basically sent them all of our proof of concept code, our slides, everything else. And they definitely did a good job at basically looking at what we're doing, seeing what ideas we had. So definitely a shout out to them for the responsiveness that they had. They even cleaned up some of our code. It was nice. Yeah, they did actually. Thank you. I mean, we're sloppy coders, man. I mean, you're trying to bang this out for Defcon, kind of like. Dude, I mean, he codes in Perl all day. I mean, what do you expect? Dude, dude, you insult me one more time. Does anybody here have a knife? Actually, don't answer that. Don't answer that. Yeah, please, please don't answer that. My wife wants to see me. No, I'm worried about the goons coming and kicking their ass. Oh, good point. Those guys are rough. So where was I? I'm sorry. HIPS, AV, stuff like that. Right. Microsoft. The usefulness of PowerShell really does enable us to be able to perform these types of advanced attack vectors with PowerShell. You guys, I really recommend just picking up a book on this, and if you already know .NET, this is gonna be absolutely trivial for you to pick up. You have full range to use the .NET libraries in PowerShell, completely call them from there. So you can write complete tools. You can write GUIs. I mean, you can write whatever you want to through the PowerShell command line interface, which means for us, we can do a lot of cool things. Yeah, one of the IDEs that's out there for PowerShell, PowerGUI, it's actually written all in PowerShell. So I mean, it's pretty impressive what you can do with it. So some future plans. Process injection and code injection capabilities within PowerShell. So the ability to inject into already existing processes and migrate to others is something that we're working on right now. So if you think about it, a PowerShell-based Meterpreter would be pretty sweet to have and do that all through PowerShell. Pretty cool.
The ability to deploy security baselines for multiple systems and ensure enforcement. I mean, there's like, just as an example, there's so much automation you can do, so many different checks and things like that that you can do. Working on the PowerShell exploitation framework. PEP. I mean, I don't know where I came up with that. Yeah, that sounds cool. And integrating it into MSF. So trying to work on the PowerShell exploitation framework so that you can build specific tools and attack vectors all through PowerShell would be pretty sweet. Definitely a shout out. We're gonna be doing a conference September 30th through October 2nd, 2011. So keep your eyes out for DerbyCon. We already have a lot of good speakers out there, so keep your eye out at derbycon.com. And my boys at social-engineer.org. Did anybody participate in the capture the flag or see it, the social-engineer capture the flag? A lot of people, a lot of good results, making a lot of media out there. Definitely check out social-engineer.org. They are phenomenal. The podcast, we actually just got done finishing. You actually had to bail out early. I had to bail out early for this talk, I mean, you know. But. And really special thanks to Kathy Peters. Be sure to check out www.secmaniac.com. That's S-E-C, not S-A-C. Secmaniac.com. Secman. And you can always follow me and Josh on Twitter. I'm Dave underscore R-E-L-1-K, so Dave underscore Relic. And WinFang98. Now, does anybody have any questions? No questions? I mean, I did a good job. Hey, thanks guys, I appreciate it. That's rock.com.
