DeepSec2016 Workshop: Offensive PowerShell for Red and Blue Teams – Nikhil Mittal
Penetration tests and Red Team operations against secured environments need a different approach, says Nikhil Mittal: touching disk, dropping executables and relying on memory-corruption exploits all risk getting the simulated adversary detected and rendered ineffective. For extending offensive tactics and methodology, PowerShell is the tool of choice.
PowerShell has changed the way Windows networks are attacked. It is Microsoft’s shell and scripting language, available by default on all modern Windows systems, and it can interact with .NET, WMI, COM, the Windows API, the Registry and other computers in a Windows domain. That makes it imperative for penetration testers and Red Teams to learn PowerShell.
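One read-only call through each of the interfaces just listed, as an added example for this page (it is not code from the workshop, Nishang or Kautilya). It assumes a domain-joined Windows host with PowerShell 3.0 or later, and the function and output property names it defines, such as Get-HostSecuritySummary, are this example's own. It also previews the course's audit, trust-mapping and security-control topics by reading whether the script block logging policy is enforced on the host.

```powershell
# Added example for this page; it is not code from the workshop, Nishang or Kautilya.
# Assumptions: a Windows host running PowerShell 3.0 or later; the final remoting
# call needs WinRM enabled on the domain controller and an account allowed to
# connect to it. Every call below is read-only.

function Get-HostSecuritySummary {
    # .NET: who the session runs as and whether the token is elevated
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # WMI: OS build and domain membership of the local machine
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # COM: the Windows Script Host network object exposes the logon domain and user
    $wsh = New-Object -ComObject WScript.Network

    # Registry: is the ScriptBlockLogging policy (PowerShell 5.0 and later) turned on?
    # A blue team wants this at 1; a red team wants to know before running anything noisy.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $scriptBlockLogging = ($null -ne $sbl -and $sbl.EnableScriptBlockLogging -eq 1)

    # Active Directory via .NET DirectoryServices: domain, PDC emulator and trusts,
    # then PowerShell remoting to another computer in the domain (the PDC emulator)
    $domainName = $null; $pdc = $null; $trusts = @(); $pdcPSVersion = $null
    if ($cs.PartOfDomain) {
        $domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $domainName = $domain.Name
        $pdc        = $domain.PdcRoleOwner.Name
        $trusts     = @($domain.GetAllTrustRelationships() | ForEach-Object {
            '{0} ({1}, {2})' -f $_.TargetName, $_.TrustType, $_.TrustDirection
        })
        $pdcPSVersion = Invoke-Command -ComputerName $pdc -ScriptBlock { $PSVersionTable.PSVersion.ToString() } -ErrorAction SilentlyContinue
    }

    [PSCustomObject]@{
        User               = $identity.Name
        Elevated           = $elevated
        OS                 = '{0} (build {1})' -f $os.Caption, $os.BuildNumber
        LogonDomain        = $wsh.UserDomain
        PartOfDomain       = $cs.PartOfDomain
        Domain             = $domainName
        PdcEmulator        = $pdc
        Trusts             = $trusts
        ScriptBlockLogging = $scriptBlockLogging
        PdcPowerShell      = $pdcPSVersion
    }
}

Get-HostSecuritySummary | Format-List
```

Run it in an ordinary session first: on a workgroup machine the domain fields stay empty, and the remoting step at the end silently yields $null when WinRM is not reachable on the PDC emulator or the account has no rights there, which is itself a useful data point before attempting lateral movement.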
Nikhil Mittal’s training is aimed at attacking Windows networks using PowerShell. It is based on real-world penetration tests and Red Team engagements in highly secured environments. We asked Nikhil a few questions about his course.
Please tell us the top 5 facts about your workshop.
- The course uses an online lab where students can get some real hands-on experience.
- A PowerShell cheatsheet will be shared with the students, which is useful for penetration testers.
- The workshop includes multiple real world scenarios which allow students, especially those on blue teams, to understand the tactics of adversaries.
- Those students who are part of red teams and want to include PowerShell in their arsenal will enjoy breaking different servers and active directory trusts.
- The course uses updated Windows 2012 R2 servers. We break the latest and the greatest.
How did you come up with it? Was there something like an initial spark that set your mind on creating this workshop?
PowerShell is the tool/script to go for if a security professional wants to test the security of his organization. I have been using it since 2011 in my penetration tests. I always observed a lack of awareness in both Red Teams and Blue Teams when it comes to the security capabilities of PowerShell. That’s why I decided to create a workshop on this topic.
Why do you think this is an important topic?
PowerShell is present by default on all modern Windows operating systems. It comes in very handy to know a tool which is very much integrated into the Windows OS and Active Directory environment. Regardless of whether one belongs to offensive or defensive security, it is imperative to learn PowerShell.
Is there something you want everybody to know about your training – some good advice for our readers maybe?
My training comes with a free one month access to my online lab. The lab mimics a live Active Directory environment with various real world penetration test scenarios.
A prediction about the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your workshop?
PowerShell attacks are here to stay! Although Microsoft has introduced some very interesting and useful security features for PowerShell, to learn how to use this tool / script properly is going to be equally useful for both Red and Blue teams for a long time.
Here’s a list of some of the techniques, implemented using PowerShell, which will be used in the course (scroll to “course content” for more details):
- In-memory shellcode execution using client-side attacks
- Exploiting SQL Servers (command execution, trust abuse, lateral movement)
- Using Metasploit payloads with no detection
- Active Directory trust mapping, abuse and Kerberos attacks
- Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration
- Network relays, port forwarding and pivots to other machines
- Reboot and Event persistence
- Bypass security controls like Firewalls, HIPS and Anti-Virus.
This training aims to change how you test a Windows-based environment. The course is a mixture of demonstrations, exercises, hands-on work and lecture, focusing more on methodology and techniques than on tools. After this training you’ll be able to write your own scripts and customize existing ones for security testing. Additionally, attendees get free one-month access to a complete Active Directory lab environment.
Course content:
- PowerShell Essentials and Getting a Foothold
  - Introduction to PowerShell
    - Language Essentials
    - Using ISE
    - Help system
    - Syntax of cmdlets and other commands
    - Variables, Operators, Types, Output Formatting
    - Conditional and Loop Statements
    - PowerShell Remoting and Jobs
    - Writing simple PowerShell scripts
    - Extending PowerShell with .Net
    - WMI with PowerShell
    - Playing with the Windows Registry
    - COM Objects with PowerShell
  - Recon, Information Gathering and the likes
  - Vulnerability Scanning and Analysis
  - Exploitation – Getting a foothold
    - Exploiting MSSQL Servers
    - Client Side Attacks with PowerShell
    - PowerShell with Human Interface Devices
    - Using Metasploit and PowerShell together
- Post Exploitation and Lateral Movement
  - Post-Exploitation – What PowerShell is actually made for
    - Enumeration and Information Gathering
    - Privilege Escalation
    - Dumping System and Domain Secrets
    - Kerberos attacks (Golden, Silver Tickets and more)
    - Backdoors and Command and Control
    - Pivoting to other machines
    - Poshing the hashes™
    - Replaying credentials
    - Network Relays and Port Forwarding
    - Achieving Persistence
- Detecting and stopping PowerShell attacks
  - Quick System Audits with PowerShell
  - Security controls available with PowerShell
Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 8+ years of experience in penetration testing for clients that include many global corporate giants, and he is also a member of the Red Teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Devices (HIDs) in penetration tests and PowerShell for post-exploitation, and is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and Nishang, a PowerShell post-exploitation framework. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.
He has spoken at conferences like Defcon, BlackHat, CanSecWest, DeepSec and more.
He blogs at http://www.labofapenetrationtester.com/.