So, welcome to the 410 talk for the speaker workshops, and we're going to get started, and we're going to talk about Portia by Michael Gianarakis and Keith Lee from SpiderLabs, twice for you. Thank you. There we go. Okay, so just to introduce ourselves, so my name is Michael Gianarakis, I'm the director for SpiderLabs APAC, and Keith is a senior consultant in the SpiderLabs APAC group, so I'm from Australia, Keith's from Singapore. So the motivation for the Portia tool is, as pen testers, we do a number of internal network pen tests as part of our day-to-day. There are a bunch of awesome tools and techniques for capturing and cracking credentials, for example, Responder, and we really wanted to fill the gap from, you know, once we've got a low privileged account, even perhaps, you know, the client will give you a low privileged account to start with, we really wanted to fill that gap between having a low privileged account and getting to a high privileged account in terms of the tooling. And also help with a few common issues that we came across as pen testers in our day-to-day. So we developed a tool called Portia to help with this. We developed Portia because we found similar tools had a number of issues, so apart from the fact that they're all sort of disparate, you've got a number of PowerShell scripts and different tools that you use that don't really sort of sync together, and we were finding that a lot of the tools had limited support and success on more recent versions of Windows. They were not as effective against systems that have implemented common hardening techniques, so we had to sort of figure out ways to bypass that and then run what we needed to run. And we wanted a single but also modular tool to cover the techniques rather than having multiple tools. So Portia aims to automate a number of the techniques that we commonly perform on an internal test after we've got a low privileged account.
So things like privilege escalation, lateral movement, and also a bunch of convenience modules that we typically would like to use. Just as an aside on the name, so Portia is actually a type of jumping spider that feeds on other spiders. They're known for being very intelligent and have good problem-solving capabilities, so we thought that was a, you know, being from SpiderLabs, we thought that was a pretty cool name, so that's where it is. So this is a basic workflow for our purposes for demos. On the right, you can see a basic network that we've set up for demonstration purposes. It's got a domain controller, a couple of hosts, and the hacker. So this is the basic workflow of Portia. I'll dive into each of the individual items in more detail on how it works. But just to give you a bit of an overview, we've got our credentials, right? It checks the credentials, makes sure they're valid, and they work. It enumerates a list of users in the domain admin group. It checks if the account is part of the domain admin group because, you know, you might get lucky, you never know. It checks SYSVOL for stored credentials. It syncs the time with the domain controller and attempts to exploit MS14-068 if it's vulnerable. If not, it goes down and checks MS08-067, MS17-010. It checks which hosts the account has admin access on. It checks for impersonation tokens belonging to the domain admin group. If you don't get lucky with that, well, if you do get lucky with that, it adds the impersonation token to the domain admin group. And then you can run Mimikatz on the DC. If not, it runs Mimikatz locally and you get some hashes. And then if we get any new hashes or passwords, we test those credentials and we start again. So the whole idea is that it's iterative. We work through it. And then every time we get a new password, we start the process again. Every time we get access to a new host, we start the process again.
And we will just continually work through this sort of basic workflow until all the passwords or hashes have been exhausted or all of the hosts have been compromised. And then we can continue with some of the post-exploitation modules we have. Another thing that we added recently is it's not just an automated sort of click and go tool. You can run any of these individual modules directly or combine them. So we wanted to have that flexibility as well. So we start with the low-hanging fruit. So credentials may be stored in group policy preferences. So there are a number of locations where you might find credentials: drive maps, local users and groups, scheduled tasks, et cetera. So when you create a new group policy preference, an XML file is created in SYSVOL, which contains all the relevant configuration information, and you may get passwords in there as well. And any authenticated domain account can access that, so you don't need elevated privileges for that. And passwords are encrypted using a known 32-byte AES key. I say known because Microsoft published it on MSDN, presumably inadvertently; it's been there for years. So, yeah, we can decrypt them. But of course, once this came out, it's a pretty big fail. So Microsoft patched it in MS14-025. And so the result of that patch is you can't create new group policy preferences that rely on saved passwords. But it doesn't remove the old passwords, right? So how many clients and organizations do you know, they're just patching things, sometimes there's a new patch and they apply it, but they're not really understanding what's going on in the patch. They don't know what it's fixing, and they don't know that they need to go back and clear out those passwords. So we still see it all the time on tests where they still have old, insecure passwords that we can decrypt using that key. Then we check for MS14-068. So basically, it's a privilege escalation vulnerability that allows you to elevate your privileges to domain admin.
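As an added example, not part of the talk or of Portia's own code, here is a defender-side audit for the SYSVOL leftovers just described: it walks a tree of Group Policy Preference XML files and reports every element that still carries a cpassword attribute, which is exactly what MS14-025 does not clean up. The directory layout, file contents and cpassword values are constructed for the demonstration.

```python
"""Audit Group Policy Preference XML for leftover stored passwords.

Added example, not part of the Portia talk or code base. It walks a
SYSVOL-style tree and reports every XML element that still carries a
cpassword attribute, so the preferences MS14-025 left behind can be
removed. The tree, XML and cpassword values below are all constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml: local user preference with a stored password
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin">
    <Properties action="U" userName="localadmin"
      cpassword="CONSTRUCTED-PLACEHOLDER-1" neverExpires="1"/>
  </User>
</Groups>
"""
# Constructed ScheduledTasks.xml: task running as a domain account
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Nightly backup">
    <Properties action="C" runAs="CORP\\svc_backup"
      cpassword="CONSTRUCTED-PLACEHOLDER-2"/>
  </Task>
</ScheduledTasks>
"""
# Constructed Drives.xml: drive map whose password has been cleared
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fileserver\\home" cpassword=""/>
  </Drive>
</Drives>
"""


def build_sample_sysvol():
    """Write the constructed XML into a temp tree laid out like SYSVOL."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    policy = os.path.join(root, "Policies", "{CONSTRUCTED-POLICY-GUID}")
    files = {
        ("Machine", "Groups", "Groups.xml"): SAMPLE_GROUPS_XML,
        ("Machine", "ScheduledTasks", "ScheduledTasks.xml"): SAMPLE_TASKS_XML,
        ("User", "Drives", "Drives.xml"): SAMPLE_DRIVES_XML,
    }
    for (scope, folder, name), body in files.items():
        d = os.path.join(policy, scope, "Preferences", folder)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def find_stored_passwords(root_dir):
    """One finding per element with a cpassword attribute; has_password
    is True when it is non-empty, i.e. a password is still stored and
    readable by any authenticated domain user."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in sorted(filenames):
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: skip it, don't abort the audit
            for elem in tree.iter():
                cpassword = elem.get("cpassword")
                if cpassword is None:
                    continue
                findings.append({
                    "file": os.path.relpath(path, root_dir).replace(os.sep, "/"),
                    "account": elem.get("runAs") or elem.get("userName") or "",
                    "has_password": bool(cpassword),
                })
    return findings


if __name__ == "__main__":
    for f in find_stored_passwords(build_sample_sysvol()):
        print("STORED" if f["has_password"] else "empty ", f["account"], f["file"])
```

Pointed at a real `\\domain\SYSVOL\domain\Policies` copy, the same function lists the preferences that still need their stored password removed rather than just the patch applied.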
So basically, you can create a fake PAC claiming that the regular user that you have access to is a member of the domain administrators group, and then elevate your privileges that way. If that's not successful, we do try the classics, right? MS08-067, it's an old one. It's mostly patched, but you never know your luck, right? So it's an easy one to do, and so we check for that. The more recent one, thanks to the Shadow Brokers and the NSA, allegedly, we have MS17-010, and that's the SMB flaw that can also allow for remote code execution. So if we get remote code execution on those boxes, well, then that's great, right? So assuming there's no passwords in SYSVOL, and assuming those vulnerabilities have been patched and they're not exploitable, what do we do next? And that's where we get to the impersonation token. I'll hand it over to you.

Okay, thanks. An impersonation token is when the user logs into a system, and then, which button is it? Okay, and then a delegation token is created, which is converted to an impersonation token even after the user logs out. So this impersonation token has exactly the same rights as the delegation token. It doesn't get deleted and it remains on the system until it's rebooted. So what happens is, if a domain admin logs into a box and then the attacker gets to the box, he can use that token to execute domain admin commands that run having the same privilege as the domain admin. This is an example of what it looks like when we do privilege escalation using the tokens. Sorry. Okay, so if there's no impersonation token, what happens is Portia will run Mimikatz and dump the local password hashes. So if there are new password hashes or new passwords that it gets, they get added to a database and then the process continues and it tries to use the new passwords to attack hosts that have not been tested before. And it repeats this again until it runs out of passwords to test or until all hosts have been compromised.
So the thing about shared local administrative passwords is, sometimes IT administrators are lazy or they've tried to do it the easy way out. All the systems are using the same shared local administrative password. So when you compromise one host, you can compromise the other hosts in the network that have the same shared local administrative password. So yeah, so with the shared local admin password, the idea is that typically when we talk about privilege escalation, right, we're usually only looking to go up. But one of the things that we want to do on a pen test is get a lot of coverage and it's a real sort of pain in the ass to check every sort of host in the network that you may be in scope to see if the credentials that you have could be useful. So the idea is that we can get a lot of breadth and we're looking to expand on that and I'll get to that at the end. So yeah, so the other thing, going back to the context, right, there are a number of controls that have been implemented that can stop us from doing these things. So we need to figure out ways to bypass that and Portia has support to automate some of these bypasses. So Microsoft created the Antimalware Scan Interface. So it's designed to detect and prevent script attacks. So things like all your PowerShell scripts, right, that you're running, it's designed to detect those and to shut them down, right? So it implements a number of security checks, so it scans file and memory and stream content, source URL, IP checks and a whole bunch of other techniques. It also has some support for breaking through obfuscated scripts and identifying obfuscated scripts. And Portia currently implements two techniques to automatically bypass AMSI. So the first one is like a real basic one. You might get lucky with it, most times no, but we still got it because it's pretty easy to implement. So basically if the host is running .NET version 2.0, you can see the whole string up there.
It's a very specific version. You can actually force the use of PowerShell v2. So AMSI is supported in PowerShell version 3, but currently not PowerShell version 2. So with that, you can use the -Version option. So it's -Version 2 and you can force the use of PowerShell 2, which bypasses AMSI, so it works well. But it's reliant on that single version being available. The more robust technique was created by a guy called Matt Graeber and I apologize for having ruined his name. But basically it's a simple one-liner that unloads AMSI from the current process and it doesn't require elevated privileges and it works with PowerShell v3 with AMSI. So that's the robust one that usually works most of the time. There's a bunch of other sort of bypass techniques that have been presented over the years. And we'll probably add some more as we continue to develop Portia. The other control that we frequently run up against is AppLocker. So Portia implements a number of AppLocker bypass techniques. So the first one is exploiting weak path rules, so inappropriate folder permissions. So by default Windows allows read and write under the Windows directory, but Windows\Tasks, Windows\Temp and Windows\Tracing. So any binary that executes from these folders won't be blocked by AppLocker. And so Portia just loads PowerShell into the Tasks directory and we're good to go. So pretty straightforward bypass. The other one that it tries is with MSBuild.exe. So injecting code into a signed Microsoft binary, if you manage to do that, it will execute code without it being picked up by Device Guard. So MSBuild.exe specifically allows for inline tasks which basically allows you to compile and execute code in memory on the target and can be used to effectively execute arbitrary code on the target and Portia uses that as an AppLocker bypass if necessary.
And the final AppLocker bypass is a script that was written, I'm not gonna try and pronounce his GitHub username, but it was written by that guy and it was based on a technique developed by SubTee and it lets you run .NET code inside JScript or VBScript. So Portia also has support for the Invoke-Obfuscation script. So basically it's a script developed by a guy called Daniel Bohannon and it allows for obfuscation of your PowerShell scripts with the idea that you can bypass AV and other protections that might be looking for PowerShell scripts. So I mean, it doesn't work 100% of the time against every AV, but it works well enough most of the time. The other thing as well, again, going back to the context at the start where we sort of said, you know, a lot of these scripts and tools that we use aren't well maintained and they don't really run well against newer versions of Windows. The Invoke-Mimikatz script, which is the one that's commonly used to run Mimikatz, it's running an outdated version of Mimikatz and it can have issues with Windows 10. So the way that Portia does it, we use the Invoke-ReflectivePEInjection script which runs the latest version of Mimikatz, or it can be any kind of code, it doesn't have to be Mimikatz, in the memory of the target host and it's a way more reliable version, way more reliable against recent versions of Windows. So the other thing that Portia does automatically is we've got this list of passwords, right? We've got this database. We check it against any available SMB shares or folders just to see what we can access, what we can't and which passwords work with which resources. Cool, and Portia has a bunch of other modules so we mentioned a bunch of convenience modules and other privilege escalation related modules. This is just a sampling, we're adding more all the time so obviously it's available on GitHub, we'll throw up the link at the end so if people wanna contribute, they can.
So currently it dumps wireless passwords, it looks for configuration files that are known to have passwords in them like VNC configurations, PuTTY configurations, things like that. It dumps browser credentials as well and KeePass credentials, config files, things like that. It also has a recent module which is automatic compromise of MS SQL databases and I'll hand over to Keith to go through that.

Okay, so what happens in this module is, let's say if you don't have access to the SMB ports but there's an MS SQL service that's running. So what this module does is look for weak passwords, whether you're using, it has to go into the weak password list that is supplied by the Social-Engineer Toolkit, and then if it's successful, enable xp_cmdshell as a local admin account on the box and it also enables the admin share so that you can run SMB stuff. Dumps hashes from the SAM database. Dumps clear text credentials via Mimikatz. It also looks for interesting information stored in the database like card information or passwords. Yeah, so this is just a screenshot of what it does. So as you see in this screenshot, it detects that PowerShell is blocked by AppLocker so it attempts one of the techniques to bypass it so it can run Invoke-Mimikatz and then it dumps the clear text credentials from memory and then it dumps the SAM, the hashes from the SAM database and then it dumps the, sorry, the MSSQL credentials and lastly, at the bottom, you can see that it finds all the interesting data and displays it in a format that is easy for you to see so you don't have to look through all the tables and stuff. So Portia also looks for interesting files that could be like KeePass databases, unattend.xml files that can contain credentials or ultravnc.ini that can also contain credentials and documents that have the name password in them and so on and so forth.
And yeah, you can use other modules like there's a KeePass module or there's a TrueCrypt module or there's a BitLocker module that can dump the password and the keys to decrypt it offline. You can use any of these modules individually. You don't need to use them in one order. And it will ultimately download them for you so you don't have to pull them down individually and it also displays like the first few strings of what it looks like if it's a text document. So the other thing that we do, another module that we have that's pretty common, that's very useful, is dumping browser creds. So it uses various PowerShell scripts. So first it checks if Firefox or Chrome is present on the system. It checks if the current logged in user, what the current logged in user is, and checks whether we have the hash or password belonging to that user in our sort of Portia database, so to speak. And then we have a PowerShell script that runs within that user session and dumps the credentials to a file. The other thing we do, so this is an example of like a convenience module that we have in there that's not directly related to privilege escalation or lateral movement or anything like that. But it's a common activity that we would do on a pen test. So most pen testing we do, or generally, is for PCI or we're looking for credit card information or something of value like that. So we've got a module in here that searches for PANs on disk and in memory. It uses a couple of scripts that are already written. We didn't write anything new for it. Basically, obviously the credit cards found on the disk, it works through the same way as the other modules that find interesting files work. But the way that the memory scraper works, so Portia will enumerate a list of all applications on the hosts that we have admin access on. And then once we've got that list of processes running we have produced a table that shows which programs are running on which hosts and what processes are common.
And then we look for interesting processes to dump. So we don't dump them all, obviously. But this is what it looks like. So you've got that table there. So let's say you're doing a retail client or something like that that's got POS systems. It's likely their POS application potentially has credit card information in memory. So you would select that process if you've got access to that host. And dump the memory and see if you can find anything good in the memory. We've also got some basic support for analyzing hashes. So currently we can analyze if there's a blank hash or if there are accounts that are using the same hash. But we want to build out this functionality a little bit further. So one of the things that we unfortunately commonly see on pentests is password reuse between low privileged accounts and high privileged accounts. So we sort of see that all the time where they use the same password for both. So if you're able to get the low privileged account, it's very easy to get access to the high privileged account. So we've got a, well, Portia, currently this is what Portia does. It has a list of the valid hashes and analyzes it for patterns. Obviously blank ones, reused passwords across different accounts and things like that. So yeah, and as I said, we're looking to expand it and it can be useful on a pentest. So where are we looking to take Portia? So it's something that we're continuing to actively develop. The biggest area that we want to progress in is attacking targets in adjacent networks via proxying through trusted hosts, right? So if we're in a particular network segment and we don't have access to other hosts on another network segment, but we have a host that we have access to on our segment that's trusted into the other segment, we can proxy through that to run Portia then on those hosts that it can see.
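As an added example, not part of the talk or of Portia's own code, here is the hash analysis described above carried one step further, as a password-audit check: it parses a pwdump-style hash list, flags accounts with the empty-password NT hash, accounts that still have an LM hash stored, and groups of accounts that share one NT hash, and singles out reuse that involves the built-in Administrator (RID 500). The dump is constructed; every hash except the two well-known empty-password ones is made up.

```python
"""Analyse a dumped hash list for blank and reused password hashes.

Added example, not part of the Portia talk or code base. It parses
pwdump-style lines (user:rid:lmhash:nthash:::) and reports accounts
with the empty-password NT hash, accounts that still have an LM hash
stored, and groups of accounts sharing one NT hash, which is what
password reuse looks like in a dump. The dump below is constructed;
every hash except the two well-known empty-password ones is made up.
"""
from collections import defaultdict

# Well-known hashes of the empty password (LM and NT)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump (all non-empty hashes are made-up hex)
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:0123456789ABCDEF0123456789ABCDEF:::
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
legacy_user:1106:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
# tools often emit comment or status lines; they must be ignored
broken line without enough fields
"""


def parse_dump(text):
    """Parse pwdump lines into dicts; skips comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue  # not a hash record
        entries.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return entries


def analyse(entries):
    """Group the parsed entries into the patterns worth reporting."""
    blank = [e["user"] for e in entries if e["nt"] == EMPTY_NT]
    # A non-empty LM hash means LM storage is still enabled for that account
    lm_present = [e["user"] for e in entries if e["lm"] != EMPTY_LM]
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    reused = {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT}
    # Reuse that involves the built-in Administrator (RID 500) is the case
    # the talk calls out: a low-privileged account carries the admin password
    admin_hashes = {e["nt"] for e in entries if e["rid"] == "500"}
    privileged_reuse = {h: u for h, u in reused.items() if h in admin_hashes}
    return {"blank": blank, "lm_present": lm_present,
            "reused": reused, "privileged_reuse": privileged_reuse}


if __name__ == "__main__":
    report = analyse(parse_dump(SAMPLE_DUMP))
    print("empty password:", report["blank"])
    print("LM hash stored:", report["lm_present"])
    for h, users in report["reused"].items():
        flag = " (includes RID 500)" if h in report["privileged_reuse"] else ""
        print("shared NT hash", h[:8] + "...:", ", ".join(users) + flag)
```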
So that's something that we're working on right now that we want to really improve on and I think it's sort of the missing feature right now that will make Portia really a lot more robust. So that's what we're working on now. We're looking to add a bunch of data exfiltration modules as well, because that's a common activity that we're doing on pentests. We would like to add support for more database modules as well. So not just MS SQL, Postgres, whatever, and there are a few dependencies as you may have been able to allude to and it's not difficult to set up, it's not like trying to set up Metasploit from scratch, but we want to create a Docker image just to make it easier to set up and deploy. So this is where it's located. It's on our GitHub page. Feel free to, oh yeah, we'll just switch over. But hopefully it works, we'll see. But yeah, so check it out. It's on our GitHub page. Feel free to submit an issue if you have an idea or if you want to develop a module of your own. Yeah, I think we're good. Yeah. No, nothing. Yeah, there we go. All right. So yeah, if you have ideas for modules or you have issues or bugs, submit an issue in GitHub or submit a pull request if you want to and we'll go from there. So now we have a demo.

Yeah, so I'm running this through the normal mode where you find the boxes and try to compromise and get the hashes and passwords and from compromising one box to compromising the domain controller. I'll let it run first because it takes a while, but let me explain, I'll come back to it. So what happens is you get a password that you capture or crack from Responder or some other place. So you've managed to find that it has admin access on one of the boxes which is joined to a domain and this is what you see. So firstly it runs Mimikatz followed by dumping the hashes. So something interesting is one of the administrators has logged into the same box. So you do see a domain admin account here. Can everybody see that? It's a bit small, right?
Zoom in? Okay, let's move back. Okay, so yeah. Sorry, this is just a really simple network. We've got a domain controller. We've got a host that's connected to the domain controller. We've got a separate host as well and we've got the attacker machine which is what Keith has got here. So a pretty simple network. It's just because it can take a while if you've got a... So on this machine that's joined to a domain, there is a domain admin account. I mean the domain administrator has logged in. So after it dumps the credentials via Mimikatz, it dumps the SAM database. It analyzes that. It also tries to pick up the impersonation token. So that's an administrator impersonation token. So we can basically make use of either the clear text credential or the token. Since you have the clear text credential, the script, Portia, will just use the clear text credential to compromise the domain controller. Yup, it just tests MS14-068. Since the first account we used was a local user account, it doesn't have access to the domain so it will skip this part. If it has a valid user account, it will test whether it is vulnerable to MS14-068. So now it has moved laterally to compromise the domain controller using the credentials that it had captured from memory. So it does the same thing, Mimikatz, SAM database, and then tokens. And then it collects all these credentials and hashes and compromises the third box which is a host in workgroup mode. But coincidentally, just as we spoke earlier about the shared local administrator password, these two machines, the one in the domain and the one in the workgroup, both are using the same shared local administrator password. So as you see here, it uses the hash, the NTLM hash, to compromise the third box. So in the end, it will tell you, since it will stop when it runs out of hashes or passwords to try, or when all hosts have been compromised.
So what you see here is all the hashes that it has seen and collected so far. Passwords first, followed by hashes. And then it does an analysis of what accounts use what password, what hash. So you can see that these two accounts use the same password hash and so on. And then it also lists down what hash and what password it used to get into the box. So, and then it ends by saying that you can either run post-exploitation modules or it stops this way. So let's look at another thing, which is the MSSQL module. Just now I was explaining a scenario where there's only the MSSQL port that's open, SMB ports are not open. So how do you compromise it? So in this case, it found a default account. It tried to test against the weak passwords. And then, so it got in and then it enabled xp_cmdshell. It has a local admin account. And then when it's trying to run other scripts, it realized that PowerShell is blocked by AppLocker. So it used one of the techniques and then successfully ran Mimikatz on the machine, dumped the clear text credentials, dumped the SAM database, and then followed by things like the passwords and looked for interesting data. I mean, it also enabled the admin share so that you can access it remotely, even though it's blocked initially. In a future version, I plan to do like every host that's compromised, it returns shells. So that's more fun than just getting passwords. Another thing that we're also developing is support where we can, well, the purpose of that tool is to automatically attack certain two-way implementations. So we feel like it's a good fit for Portia as well. So we're gonna probably integrate the two. That's not on the SpiderLabs GitHub just yet, but it will be soon and we'll probably integrate it into Portia. So this is another module about scanning for vulnerabilities. So it scans for MS08-067 or MS17-010.
It doesn't exploit at this point, but as time goes on, we plan to add that in because we want to add in all the common techniques to get from zero to domain admin, as easy as possible. So let's go on to the next module. It's about files, finding interesting files. So same as usual, it checks whether PowerShell is blocked or not because it's easier to run post-exploitation with PowerShell. And after that, it finds all the interesting files that could contain passwords or other sensitive data because previously, admins might be storing passwords in a text document, then they migrated to Excel, then they upgraded to KeePass. So, might as well download the KeePass file. It downloads all the interesting files for you as well as the location. This one is to show that it's the same, it's just show, it'll be locked, please. Give me a second. Okay, if the administrator or the user has KeePass open on his computer, it's able to dump the clear text credentials. So it's just using a common script, but it detects which user is logged on and using the KeePass software and it has to run it in that context so that we can dump the credentials. If not, it doesn't work at all. This is just another screenshot to show that it dumps the TrueCrypt keys so that we can decrypt it offline. There's also a module that we are working on, like just now we've been speaking about finding an alternative route to attack an adjacent network. So, if you provide it with a list of IP addresses and it can't access those IP addresses initially by ping or whatever, but it found a route via an alternate host, it will highlight, it doesn't show here because I don't have an example, but it will highlight here, it says that this host has an alternative route to what you might be interested in. So this is just a small step to where we are going next. Going to be next to. Okay.
Last, second last, it finds clear text, I mean documents that contain credit cards and as well, this is the same as what we saw just now but it displays a card number, not my card number. And then this is just what we ran just now but as it takes some time, now it has finished running, to show that it works.

Just a comment, you guys should check out Cloakify done by Joe Gervais last year. Python 2.7, I've made, I upgraded to 3.5 and did the PowerShell version but it takes any EXE file, image file, binary file and turns it into a list, set of lists that you define. A list of Pokemon with latitude and longitude in front of it, clear text, whatever, it's pretty powerful, it's awesome.

Yeah, thanks man, we'll check it out. You had a question there?

So, in talking about sensitive data, you mentioned credit cards. How about PII and PHI, which is a little more complicated?

Yeah, so at the moment it's relatively limited in terms of what it looks for but that said we are expanding that and that's on the list to do. We're trying to get the routing stuff in first but expanding our searches for broader categories of sensitive information is definitely on the radar and obviously if anybody wants to contribute then feel free, yeah. No, you can define the limits of the scope or you can just let it run, it depends. You just, we tried to make it as modular and as progressive as possible so you can have it run as much as possible against whatever it can do or you can either run individual modules or you can limit certain modules to have certain options to limit what gets run. Yeah, another question? Yeah. It's now on screen but that's a good idea. You should probably be able to add an option to dump it to a file, yeah, for sure. Cool, any other questions? I think we're out of time.