DeepSec 2014 Talk: Advanced Powershell Threat – Lethal Client Side Attacks

René Pfeiffer/ September 16, 2014/ Conference

Modern environments feature a lot of platforms that can execute code by a variety of frameworks. There are UNIX® shells, lots of interpreted languages, macros of all kinds (Office applications or otherwise), and there is the Microsoft Windows PowerShell. Once you find a client, you usually will find a suitable scripting engine. This is very important for defending networks and – of course – attacking them. Nikhil Mittal will present ways to use the PowerShell in order to attack networks from the inside via the exploitation of clients.

PowerShell is the “official” shell and scripting language for Windows. It is installed by default on all post-Vista Windows systems and is found even on XP and Windows 2003 machines in an enterprise network. Built on the .NET framework, PowerShell allows interaction with almost everything one finds in a Windows machine and network. One could access system registry, Windows API, WMI, COM objects, .NET libraries, access other machines on network and so on. It is very useful for system administrators which make it an ideal tool/platform for penetration testers as well.

PowerShell has various distinct advantages over binaries and other non-Windows scripting languages. It is trusted by the operating system, the system administrators and antivirus. It is possible to perform various attacks using PowerShell without dropping anything to the disk. Add to this, the ability to natively interact with the machine and the network and you have a tool for penetration tests which is too good to be true!

There has been much interesting work on usage of PowerShell in penetration tests. The talk will introduce Nishang, which is a toolkit for usage of PowerShell in penetration tests. It has scripts divided under following heads:

  • Backdoors – Contains, DNS, HTTP and SSID backdoors.
  • Escalation – Escalate privileges, introduce vulnerabilities.
  • Execution – Execute code in memory using DNS TXT records, get authenticated shell access to a MSSQL Server.
  • Gather – Log keys, get credentials in plain, check for open ports on a target, dump SAM file, WLAN keys in secret, LSA Secrets.
  • Pivot – Execute PowerShell commands and scripts on other machines in network.
  • Scan – Port Scan and Brute Force
  • Utility – Add persistence, exfiltrate data, encode scripts.
  • Powerpreter – A script module with almost all functionality of Nishang in single script.
  • Antak – A webshell in ASP.NET which utilizes PowerShell.

One frequently asked question by users of Nishang is this: How PowerShell could be used for getting access to a network? Could it be used for getting a foothold in an enterprise network? Yes, of course, use client side attacks.

In this presentation it will be demonstrated that a client side attack with PowerShell is very effective as it exploits human ignorance and uses features of PowerShell – both inherent to any enterprise network. The attacks demonstrated would be phishing (user clicks on a link), malicious attachments (MS Word and Excel), malicious shortcuts (.LNK file), attacks using Java applets and Human Interface Devices (HIDs).

There have been many instances of PowerShell being used by malware writers for client side attacks. Some notable examples, a Russian ransomware, for infecting MS Office files, and malicious short-cuts.

The PowerShell scripts that will be presented in this talk draw inspiration from some of the above attacks.

This talk should be attended by those who do external penetration tests and would like to know more about using PowerShell for this purpose. System Administrators should also attend this talk to understand the latest tools used by the attackers.

For anyone intending to dive deeper into the powers of the PowerShell, we strongly recommend booking Nikhils training course, also held at DeepSec 2014.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.


Comments are closed.