PowerShell for Penetration Testers

Presented at DeepSec 2015 „DeepSec No. 9“, Unknown date/time (Unknown duration)

Overview

PowerShell has changed the way Windows networks are attacked. It is Microsoft's shell and scripting language, available by default on all modern Windows computers. It can interact with .NET, WMI, COM, the Windows API, the registry and other computers on a Windows network. This makes it imperative for penetration testers and red teamers to learn PowerShell.

This training is aimed at attacking Windows networks using PowerShell and is based on real-world penetration tests done by the instructor. The course runs as a penetration test of a secure environment, with detailed discussion and use of custom PowerShell scripts in each phase. Some of the techniques used in the course:

- In-memory shellcode execution using PowerShell from a Word macro
- Exploiting SQL Servers (more than executing commands)
- Using Metasploit shellcode with no detection
- Active Directory trust mapping and abuse
- Dumping Windows passwords, web passwords, wireless keys, LSA secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration
- Network relays, port forwarding and pivots to other machines
- Reboot and event persistence
- Bypassing security controls like firewalls, HIPS and anti-virus

The course is a mixture of demonstrations, exercises, hands-on work and lecture. It has a live CTF which attendees can try during and after the training. After this training, attendees will be able to write their own scripts and customize existing ones for security testing. It aims to change how you test a Windows-based environment.
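The overview's claim that PowerShell reaches .NET, WMI, COM, the Windows API, the registry and remote hosts from one script is easiest to appreciate with a concrete recon script. The following is an added example written for this page, not course material or code from the instructor's frameworks; it assumes a local user session on Windows 7 or later with PowerShell 2.0 or newer, and the host name 'dc01' is a placeholder for a target with WinRM enabled.

```powershell
# Added example, not part of the DeepSec course material. Assumes a local user
# session on Windows 7 or later with PowerShell 2.0+; 'dc01' below is a
# placeholder hostname and needs WinRM enabled on the target.

# .NET: resolve the local host name and list its IPv4 addresses
function Get-LocalIPv4 {
    [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
}

# WMI: operating system, domain membership and the interactively logged-on user
function Get-HostSummary {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{
        Host         = $cs.Name
        Domain       = $cs.Domain
        PartOfDomain = $cs.PartOfDomain
        OS           = $os.Caption
        Build        = $os.Version
        LoggedOn     = $cs.UserName
    }
}

# COM: the WScript.Network object exposes the current user and computer names
function Get-NetworkIdentity {
    $net = New-Object -ComObject WScript.Network
    New-Object PSObject -Property @{
        User     = $net.UserName
        Domain   = $net.UserDomain
        Computer = $net.ComputerName
    }
}

# Windows API: P/Invoke through Add-Type to read the title of the foreground window
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
'@

function Get-ActiveWindowTitle {
    $hwnd = [Win32.User32]::GetForegroundWindow()
    $buf  = New-Object System.Text.StringBuilder 512
    [void][Win32.User32]::GetWindowText($hwnd, $buf, $buf.Capacity)
    $buf.ToString()
}

# Registry: autostart entries under the per-machine and per-user Run keys
function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PS* bookkeeping properties; drop them to keep only values
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                New-Object PSObject -Property @{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

# Other computers: run the same WMI summary on a remote host over PowerShell Remoting
function Get-RemoteHostSummary {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-HostSummary}
}

Get-LocalIPv4
Get-HostSummary | Format-List
Get-NetworkIdentity | Format-List
Get-ActiveWindowTitle
Get-RunKeyEntries | Format-Table -AutoSize
# Get-RemoteHostSummary -ComputerName 'dc01'   # placeholder host, requires WinRM
```

Nothing here touches disk or loads a third-party binary, which is the point the course makes about post-exploitation: every interface used is present on a stock Windows install, so the same calls work from a macro, a scheduled task or a remoting session.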
Course Content

- Introduction to PowerShell
- Language Essentials
- Using ISE
- Help system
- Syntax of cmdlets and other commands
- Variables, Operators, Types, Output Formatting
- Conditional and Loop Statements
- Functions
- Modules
- PowerShell Remoting and Jobs
- Writing simple PowerShell scripts
- Extending PowerShell with .NET
- WMI with PowerShell
- Playing with the Windows Registry
- COM Objects with PowerShell
- Recon, Information Gathering and the like
- Vulnerability Scanning and Analysis
- Exploitation - Getting a foothold
- Exploiting MSSQL Servers
- Client Side Attacks with PowerShell
- PowerShell with Human Interface Devices
- Writing shells in PowerShell
- Using Metasploit and PowerShell together
- Porting Exploits to PowerShell
- Post-Exploitation - What PowerShell is actually made for
- Enumeration and Information Gathering
- Privilege Escalation
- Dumping System and Domain Secrets
- Backdoors
- Pivoting to other machines
- Poshing the hashes™ - Replaying credentials
- Network Relays and Port Forwarding
- Achieving Persistence
- Clearing Tracks
- Quick System Audits with PowerShell
- Detecting PowerShell attacks
- Security controls available with PowerShell

What's in it for you?

1. PowerShell Hacker's Cheat Sheet, access to the online CTF, solutions to exercises, sample source code, updated tools and extra slides explaining things which could not be covered.
2. Attendees will learn a powerful attack method which can be applied from day one after the training.
3. They will understand that it is not always required to use a third-party tool or non-native code on the target machine for post-exploitation.
4. They will learn how PowerShell makes things easier than previous scripting options on Windows like VB.

Prerequisites

1. Basic understanding of how penetration tests are done.
2. Basic understanding of a programming or scripting language could be helpful but is not mandatory.
3. An open mind.
System Requirements

A Windows 7 or later system with administrative access and the ability to run PowerShell scripts.
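The last two items of the course content, detecting PowerShell attacks and the security controls PowerShell itself offers, are what a defender facing the techniques above cares about, so an added example of that side follows. It is written for this page and is not course material: it assumes an elevated PowerShell 5.0 or newer session (script block logging arrived with Windows Management Framework 5), a transcript directory of C:\PSTranscripts that is an assumed path, and a keyword list that is an illustrative assumption rather than a complete signature set. Note that the "ability to run PowerShell scripts" in the requirements refers to the execution policy, which Microsoft documents as a safety feature and not a security boundary; logging and constrained language mode are the controls worth relying on.

```powershell
# Added example, not part of the DeepSec course material. Assumes an elevated
# PowerShell 5.0+ session (script block logging needs WMF 5); the transcript
# directory and the keyword list are illustrative assumptions.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Turn on script block logging (event ID 4104), module logging for all modules
# and transcription. These are the Group Policy settings, written directly to
# the registry keys the policy engine reads.
function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    $mod = Join-Path $PolicyRoot 'ModuleLogging'
    $trn = Join-Path $PolicyRoot 'Transcription'
    foreach ($k in $sbl, $mod, (Join-Path $mod 'ModuleNames'), $trn) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*'
    Set-ItemProperty -Path $trn -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $trn -Name OutputDirectory -Value $TranscriptDir
}

# Pull recent 4104 events and flag script blocks that contain common offensive
# primitives. The logged text is the script as executed, so an -EncodedCommand
# or an IEX of a downloaded string shows up decoded here.
function Find-SuspiciousScriptBlocks {
    param(
        [int]$MaxEvents = 500,
        [string[]]$Keywords = @('FromBase64String', 'DownloadString', 'Invoke-Expression',
                                'VirtualAlloc', '[Reflection.Assembly]::Load', 'Invoke-Mimikatz')
    )
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties: [0] message number, [1] message total (long blocks are
            # split across several events), [2] ScriptBlockText, [3] ScriptBlockId
            $text = $_.Properties[2].Value
            if ($text -match $pattern) {
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    Match   = $Matches[0]
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Get-ExecutionPolicy -List | Format-Table -AutoSize
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Large scripts are logged in several 4104 fragments, so a detection that keys on one keyword per event can miss a primitive that straddles a boundary; grouping fragments by ScriptBlockId (property index 3) before matching closes that gap. Nothing in the logging configuration stops an attacker who is already an administrator from turning it off again, which is why the course's persistence and clearing-tracks topics matter to defenders as much as to testers.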

Presenters:

  • Nikhil Mittal - Independent
    Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 6+ years of experience in penetration testing for his clients, including many global corporate giants. He is also a member of the red teams of selected clients. He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia) and at the world's top information security conferences. He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more. He blogs at http://www.labofapenetrationtester.com/
