PowerPreter: Post Exploitation Like a Boss

Presented at DEF CON 21 (2013), Aug. 3, 2013, 4 p.m. (45 minutes).

Powerpreter is "The" post exploitation tool. It is written completely in powershell which is present on all modern Windows systems. Powerpreter has multiple capabilties which any post exploitation shell worth its salt must have, minus the detection by anti virus or other countermeasure tools. Powerpreter has, to name a few, functions like stealing infromation, logging keys, dumping system secrets, in-memory code execution, getting user credenitals in plain, introducing vulnerabilties, stealing/modifying registry, web server and impersonate users. It is also capable of backdooring a target using multiple methods/payloads which could be controlled using top third party websites. Based on available privs, it could be used to pivot to other machines on a network and thus execute commands, code, powershell scripts etc. on those. It also contains a web shell which includes all these functionalities. It also has limited ability to clean up the system and tinker with logs. Almost all the capabilities of Powerpreter are persistent across reboots, memory resident and hard to detect. Powerpreter uses powershell which enables it not to use any "foreign" code. It could be deployed in a skeleton mode which pulls functionality from the internet on demand. It aims to improve Windows post exploitation practices and help in the most important phase of a Pen Test. The talk will be full of live demonstrations.


Presenters:

  • Nikhil Mittal - Security Researcher
    Nikhil Mittal (@nikhil_mitt) is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has many years of experience in Penetration Testing of many Government Organizations of India and other global corporate giants. He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using HID in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use HID in penetration tests and Nishang, a post exploitation framework in powershell. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, does some vulnerability research and works on his projects. He has spoken/trained at conferences like BlackHat USA, BlackHat Europe, RSA China, Troopers, PHDays, BlackHat Abu Dhabi, Hackfest and more. Blog: http://labofapenetrationtester.blogspot.com/

Links:

Similar Presentations: