Friday, July 24, 2015

PowerShell Remoting for Penetration Testers

Wassup! Lately I've been on a PowerShell kick and much can be said about how useful PowerShell is for penetration testers in general (in both exploitation and utility), but today I want to highlight one specific feature which can be used for lateral movement and file-less persistence during a Windows domain penetration test. That feature is PowerShell Remoting, which is technically enabling the service WindowsRM and communicating with that using WS-Man (which is actually SOAP over HTTP(TCP:5985) and HTTPS(TCP:5986)), while reusing credentials that have access to that machine. This WS-Man communication is all taken care of using native PowerShell features (you need at least PowerShell version 2), similar to the way Deep-Panda used WMI because it was a native Windows feature. The best way to get started is just enable PowerShell Remoting via an Administrator shell on your victim machine, although you may need to bypass PowerShell execution policy.

I find it really helpful to look at security events from all sides of the coin. PowerShell Remoting is used heavily by incident responders and IT, so as a defender it's nice to know the logs PowerShell Remoting is generating (Type 3, Network Logon) and how these logs occur naturally in target environments. It's also pretty cool that you scan for PowerShell Remoting enabled machines by looking for ports 47001, 5985, and 5986.

The best part is a lot of the leg work has already been done for us as penetration testers, as we can invoke any existing PowerShell scripts easily, using PowerShell Remoting as our vector rather than WMI or psexec. There is also some great PowerShell Remoting cheatsheats out there. The following is a demo rich video where Joe not only shows the various uses of PowerShell, but really shows the effectiveness of PowerShell Remoting by running Mimikatz en mass on systems, without touching disk. Further, if you look at the source code of Invoke-Mimikatz you will see that they are using the PowerShell Remoting verb 'Invoke-Command' and native PowerShell 'ComputerName' array to invoke their code block on the remote machines:

Saturday, July 18, 2015

Book Review: "Windows PowerShell Pocket Reference"

This is my review of "Windows PowerShell Pocket Reference" by Lee Holmes. It's a cheap book, I picked it up for $13 at Barnes and Noble, but it's even cheaper on Amazon for ~$8. It's also a quick read, with around 180 pages, cover to cover, you can read it through for a better understanding of PowerShell or you can keep it as a small desk reference for your own scripts. Essentially, It's a fundamentals book, focusing on the basic features of the language, such as data types, built in functions (such as utilizing the .NET framework), and lots of expression logic. It's a great book for having on hand as a reference if you are writing PowerShell scripts and hit a tricky logical situation, however it's not applied like Black Hat Python and it's not a cookbook or cheatsheet book similar to RTFM. Due to the lack of applied focus, I recommend this book for those looking to become better with PowerShell fundamentals, either writing or modifying custom scripts, as well as those who want to become more effective with Windows, as opposed to specifically penetration testers or even security engineers.  That said, I'm giving this book 6 out of 10 stars for it's price, compact format, content, and usefulness as a reference text while scripting, but I would appreciate more of an applied administrative focus (like Part IV of Windows PowerShell CookBook, that I believe this reference is based on). The following is the table of contents, so you know can get a solid understanding of the fundamental, yet PowerShell specific, concepts this book covers:

Chapter 1: PowerShell Language and Environment
    Commands and Expressions
    Help Comments
    Arrays and Lists
    Hashtables (Associative Arrays)
    Simple Operators
    Comparison Operators
    Conditional Statements
    Looping Statements
    Working with the .NET Framework
    Writing Scripts, Reusing Functionality
    Managing Errors
    Formatting Output
    Capturing Output
    Common Customization Points
Chapter 2: Regular Expression Reference
Chapter 3: XPath Quick Reference
Chapter 4: .NET String Formatting

    String Formatting Syntax
    Standard Numeric Format Strings
    Custom Numeric Format Strings
Chapter 5: .NET DateTime Formatting
    Custom DateTime Format Strings
Chapter 6: Selected .NET Classes and Their Uses
Chapter 7: WMI Reference
Chapter 8: Selected COM Objects and Their Uses
Chapter 9: Selected Events and Their Uses
Chapter 10: Standard PowerShell Verbs

The first 80+ pages are devoted to the first chapter, however my favorite chapters are 6-10, covering .NET, WMI, COM objects, Windows events, and Powershell commands, pages 109-151. Like I always say, it's all about the code, and while O'Reilly doesn't publish any of this books code online, it does publish the code from the Windows PowerShell CookBook, that this book is based on. While this book isn't security focused, I got into PowerShell through several security frameworks, which I am highly recommending for those into PowerShell and information security: PowerSploit, PoshSec, Nishang, Veil's PowerTools, and even the Github PowerShell group. I've also started my own repository, similar to my SPSE repo, with a focus on PowerShell template code and security scripts, called PSSE.

Wednesday, July 8, 2015

Deploying Custom Amazon Images with the AWS CLI on Demand

This is a cross post from a quick post I did on Proto-Hack. I figured I would include it here as it goes over the best practices of using AMI to create a less privileged account for administration vs using your root AWS account. Today I am going to go over how to make a gold image of an Amazon EC2 instance, then deploy copies of that instance on demand with a simple AWS CLI script! 

First of all, this tutorial assumes you have already installed the AWS CLI tools on your client architecture. You will also want to create a new IAM user such that you aren't using your root credentials to hit the AWS API, and make sure this new user has enough permissions to create new instances. Make sure to use that user's Access Key ID and Secret Access Key in your AWS CLI config. Finally, we will want to have launched a default AMI, configured this system like we want every subsequent system (this includes setting up the AWS access keys, security group, and subnet) , and then turn this into a custom AMI using the Web Console:

Next, we are going to launch a copy of that instance using the following AWS command line script, substituting the xxxxxx variables with our own selected variable ids:

And there we go! This will return all the details of the new instance it has just launched in the console, making it easy to script this simple command and parse the output to chain even more automated deployment (like then ssh-ing to the server and running some updated configuration scripts)!

Sunday, July 5, 2015

Disabiling Built-In or System Level Scheduled Tasks in Windows 8 and Server 2012

If you've ever tried to disable a system level scheduled task in Windows 8 or Server 2012 using task scheduler, such as GWXUX or Automatic Maintenance, you may have seen the annoying prompt, "The user account you are operating under does not have permission to disable this task.". And it's even more upsetting when you get this prompt after you've located Task Scheduler and right-clicked "Run as administrator".

Luckily the System Internals tool PsExec is here to help us run commands as System! We simply need to find the full path of the registry key item, which Task Scheduler gladly shows us. We can use the following commands, all in a CMD prompt run as administrator in the same directory as PsExec.exe, to disable all six above scheduled tasks (and two more for the rest of GWX):

And wala! We've successfully disabled all of those annoying GWX system level and default scheduled tasks.

Sunday, June 28, 2015

BSides Asheville 2015 CTF

BSides Asheville 2015 was this weekend in North Carolina and is one of my favorite BSides as they live stream some of their presentations and this year hosted an online CTF for remote attendees. I actually built the CTF for BSides Asheville 2015, which was the first CTF I've built and run on my own (although modeled off of the BSides San Francisco CTF). Again, I used Matir's scoreboard and a similar server configuration as before. We ran the ctf for 10 hours, I whipped together 16 challenges totaling 1,800 points, and we had 26 players on 14 teams. Overall, 15 of the challenges were solved and the teams collectively scored 4,865 points, with only 8 of the teams breaking 0.  I had 3 network analysis, 4 malware analysis, 6 crypto, and 3 miscellaneous challenges. The CTF was themed around celebrating the Sneakers movie, similar to how the BSides SF CTF was Hackers themed. Feel free to check it out, I'm going to leave the server up for the next few days for anyone who wants to play around on it at (I have since taken the server down, if you want access to any of the challenges still please let me know).  Finally, I've included a screenshot of the final scoreboard below:

Thanks for playing everyone! Would love to hear feedback!! I'm looking at you SamSlam of IcePiratesv6 or anyone from Cha-Ha who played!

Friday, June 26, 2015

PHP, PDO, and Prepared Statements

Hey all! Seeing as how PDO can be such a massive proponent to preventing sql injection, and seeing as how so few people use it in PHP (due to being new to PHP / programming or just unexposed), I thought I would take a moment to expand on how to do use PDO to help prevent sql injection.

Recently, my college wrote a brief post on switching a legacy PHP application from the old mysql connector to PDO, however one key element I want to highlight is the way PDO helps prevent sql injection, which is through prepared statements. In his example he puts variables directly in the statements (all though he does escape and quote the input), as opposed to using PDO's features of place holders in a prepared statement then assigning the input dynamically. You can see this below:

I've updated it a bit to use prepared statements, which should help prevent sql injection (granted, we still need to verify our input, I use a custom input validation class when accepting the data from the user) and allows us to reuse more code by dynamically reassigning variables and executing the statement again (as is shown in the commented out Optional Step):

Finally, there are tons of resources out there on how to use PDO, but there are so many different ways to implement it, I find it can be a bit of information overload. If your sticking to the method I described here, then this other post can show you some other prepared statements in similar PDO fashion. There are also really good posts on using more PDO functionality for various statements in other ways. Until next time!!

Saturday, June 20, 2015

SecurityTube Python Scripting Expert Course Review (SPSE)

Hey Guys! I've been taking's Python Scripting Expert Course lately (SPSE for short), and thought I would write a quick review of the course before I go for the certification it offers at the end. The videos can be cheap, giving you access for as little as $39, however with the certification the course can cost $250, which seems a bit pricy! When you register for the course, there is also an odd 24-48 hour delay from payment to receiving the video packages. However, this course is epic, it dives deep into the details of the python language, providing a solid computer science background for the many security focused tasks it puts before the students. Some critique that Vivek (the course instructor), has a thick Indian accent that makes the lessons hard to understand, however I disagree and had no problems with his speech. There are 9 modules, with roughly  6-10 videos each, however the videos are short, ranging from 6-20 minutes, ultimately totaling only a few hours of video. Vivek spends a lot of time guiding the users through programs, and then assigns difficult tasks based on the lessons learned in the guided programs at the end of every video. Overall, I highly recommend this series for both those looking to learn python, improve their python game, and get deeper into the details of computer security engineering. Basically, I would suggest this video guided python course over the course I reviewed last time. Personally I think, if your familiar with Python then it should be easy to skip the first and second modules, however I had fun going over them. That said, the later modules are challenging and fun, taking common security tasks and guiding you to implementing them yourself in a variety of different ways. I've included the syllabus bellow for those interested in the course material:

Module 1: Python Scripting – Language Essentials
Introduction to Interpreted Languages and Python
Data Types and variables
Operators and Expressions
Program Structure and Control
Functions and Functional Programming
Classes, Objects and other OOPS concepts
Modules, Packages and Distribution
Python in Linux and Unixes
Python in Windows
Python in Mobiles: iPhone and Androids
Python in Embedded Devices: Routers
Program Portability
Lab Exercises

Module 2: System Programming and Security
I/O in Python
File and Directory Access
Multithreading and Concurrency
Inter Process Communication (IPC)
Permissions and Controls
Case Studies
Lab Exercises

Module 3: Network Security Programming – Sniffers and Packet Injectors

Raw Socket basics
Socket Libraries and Functionality
Programming Servers and Clients
Programming Wired and Wireless Sniffers
Programming arbitrary packet injectors
PCAP file parsing and analysis
Case Studies
Lab Exercises

Module 4: Web Application Security
Web Servers and Client scripting
Web Application Fuzzers
Scraping Web Applications – HTML and XML file analysis
Web Browser Emulation
Attacking Web Services
Application Proxies and Data Mangling
Automation of attacks such as SQL Injection, XSS etc.
Case Studies
Lab Exercises

Module 5: Exploitation Techniques
Exploit Development techniques
Immunity Debuggers and Libs
Writing plugins in Python
Binary data analysis
Exploit analysis Automation
Case Studies
Lab Exercises

Module 6: Malware Analysis and Reverse Engineering
Process Debugging basics
Pydbg and its applications
Analyzing live applications
Setting breakpoints, reading memory etc.
In-memory modifications and patching
Case Studies
Lab Exercises

Module 7: Attack Task Automation
Task Automation with Python
Libraries and Applications
Case Studies
Lab Exercises

Module 8: Further Study and Roadmap
Course consolidation
Interesting project ideas to pursue

Module 9: Exam Pattern and Mock Exam

Exam format
Example Questions
Mock Exam

But like I always say, it's all about the code. Which is why I've been documenting my progress and small scripts in an open github repo to help others with template code. It's a fun little repo and I hope others will contribute comments and more template code. I will check back in when I have passed the certification, but in the mean time keep your eyes on the repo and here is my favorite sample video from the course: