Saturday, August 29, 2015

Review: Escape The Room Philly, The Office

I recently experienced Escape The Room Philly with a great group of people. We picked The Office scenario, as it was their original room and our first time doing a "room escape" type challenge. The general principal is a group of up to 10 people are dead bolted in an office room with various puzzle challenges that eventually lead to a key and hopefully their escape, but they only have an hour to do it!

We went into this with a lot of planning, having originally split our nine (9) person part up into smaller groups of puzzle solvers, searchers, and overall note takers. This wasn't the best strategy as some members arrived to the event slightly late (arrive early people!), so different groups were entering the room at various stages of the event, throwing off our original team designs and giving us a more ad-hoc play style. At times, organization turned to chaos, although we were able to reign in order later, especially when clues came in over the TV in the main room. That said, it may actually be useful to have smaller groups than ten or nine play, to decrease the amount of confusion and running around that can occur in those rooms under the shot clock (countdown clock on the TV in the main room).

We found it important to keep a list of clues for the puzzles we were working on. This helped us keep a tab on active clues (and write down clues that flashed across the TV), as well as cross off the clues that were used. There were paper and pens available to us in the room as clues which doubled as useful tools for taking notes. Remember to collect all tidbits of information, if you find it in the room it probably has relevance, further write down any and all number combinations that stick out. Try to keep the status sheet available to the whole team, they can also fill in clues and cross them off as they are solved, this will keep the whole team on the same page if they need to check the status sheet.

Something that helped us was keeping tab on all the active locks blocking our way. A tip here is to mentally separate the locks by physical keys and combination locks. You can take this further by associating keys with certain types of locks (desk locks vs dead bolts should clearly have a different amount of teeth). Similarly associating groups of numbers that are uncovered with the combination locks you've encountered that have the same amount of digits, will aid you greatly as you complete puzzles and move on with your rewards. Dates and other sets of four numbers are ideal for combination locks, and if necessary, try your numbers in different combinations or sets.

Our preparation did pay off, since there were no restrictions to what we were able to bring in beforehand. This turned out to be a blessing in disguise, as we actually needed our smart phones for some challenges (basic apps we already had) although for other challenges they left dictionaries and encyclopedias in the room for us. I also think it helps to have someone in your group who is experienced with technology, as more then one challenge was based on a simple modern technology. That said, don't overthink the challenges, they make them simple enough for most anyone to solve and generally give you all the tools you need.

Overall we had a blast, I couldn't image a more fun, generally non-technical, team building activity!! I highly recommend this for puzzle enthusiasts, work groups, and friends alike! In my humble opinion the following traits would make for the best teammates; logical, attention to detail, intuitive, calm under pressure, cooperative, non-linear thinkers, and ultimately, problem solvers.  Final thoughts, hear all ideas out, this is a group effort over everything, keep your cool, and organize your clues. My recommendation, find one near you, try it out, and have fun (it's just a game :).

Tuesday, August 18, 2015

Book Review: "Wicked Cool PHP"

Wicked Cool PHP, by William Steinmetz is an interesting php cookbook that provides a ton of scripts with a 'focus on security'. The book is ~$20 on Amazon, published through NoStarchPress, and provides 76 various PHP scripts in under 200 pages. The book is decent for learning PHP, albeit you have to understand the fundamentals, but it will quickly put any beginner on a practical path to writing their own code and implementing their own ideas. I also enjoyed that this book repeatedly preaches security theory, teaching programmers to never trust user input and properly sanitize all data. That said, most of the code examples in the book are very rudimentary, bug ridden, and some actually contain serious security flaws (which my review will focus on). Because of the security issues I will expand on and a review regarding general issues with the code / book that I agree with, I give this book 4 out of 10 stars, although I will say it makes for a nice php cookbook for quick applications.

My biggest problems with this book are the numerous security issues that if newbies actually followed they would end up in trouble. PHP gets a bad reputation for giving new learners just enough rope to hang themselves and this book exemplifies that. For example, the single entry on SQL injection, Script #19, advises to use the depreciated 'mysql_real_escape_string()', which is still vulnerable to multiple types of sql injection, vs using prepared statements, as I've detailed on this blog with PDO.  Another one which was just laughable was Script #60, Forcing a User to Use SSL-Encrypted Pages, only checks to see if the server is running over port 443 (which newbies should understand that protocols can run on any port), vs using the $_SERVER['HTTPS'] variable to check that the HTTPS protocol is being used or even better setting an HSTS cookie with PHP. Another potentially vulnerable mistake can be found in Script #5, which promotes the notorious unserialize function, which makes for a fun exercise. The final one I'll mention is Script #66, Creating a CAPTCHA (Security) Image. These shouldn't be considered secure and rather it should be a script such as implementing Google's reCAPTCH. There are many more examples throughout the book (tons of home-brewed input filters), but despite all of that I would like to say that I appreciate how the book constantly reminds the user of security theory and best practices, lessons which I stand behind.

As with most of my book reviews, the following is a modified table of contents, so that you can get a good idea of all the chapters and scripts included:

Introduction

Chapter 1: The FAQs Of Life — The Scripts Every PHP Programmer Wants (Or Needs) To Know

Script #1: Including Another File as a Part of Your Script
Script #2: Highlighting Alternate Row Colors in a Table
Script #3: Creating Previous/Next Links
Script #4: Printing the Contents of an Array
Script #5: Turning an Array into a Nonarray Variable That Can Be Restored Later
Script #6: Sorting Multidimensional Arrays
Script #7: Templating Your Site with Smarty

Chapter 2: CONFIGURING PHP 

Configuration Settings and the php.ini File
Locating Your php.ini File
Script #8: Revealing All of PHP’s Settings
Script #9: Reading an Individual Setting
Script #10: Error Reporting
Script #11: Suppressing All Error Messages
Script #12: Extending the Run Time of a Script
Script #13: Preventing Users from Uploading Large Files
Script #14: Turning Off Registered Global Variables
Script #15: Enabling Magic Quotes
Script #16: Restricting the Files that PHP Can Access
Script #17: Shutting Down Specific Functions
Script #18: Adding Extensions to PHP
Adding PHP Extensions
Installing Extensions with a Web-Based Control Panel

Chapter 3: PHP Security

Recommended Security Configuration Options
Script #19: SQL Injection Attacks
Script #20: Preventing Basic XSS Attacks
Script #21: Using SafeHTML
Script #22: Protecting Data with a One-Way Hash
Script #23: Encrypting Data with Mcrypt
Script #24: Generating Random Passwords

Chapter 4: Working With Forms 

Security Measures: Forms Are Not Trustworthy
Verification Strategies
Using $_POST, $_GET, $_REQUEST, and $_FILES to Access Form Data
Script #25: Fetching Form Variables Consistently and Safely
Script #26: Trimming Excess Whitespace
Script #27: Importing Form Variables into an Array
Script #28: Making Sure a Response Is One of a Set of Given Values
Script #29: Using Multiple Submit Buttons
Script #30: Validating a Credit Card
Script #31: Double-Checking a Credit Card’s Expiration Date
Script #32: Checking Valid Email Addresses
Script #33: Checking American Phone Numbers

Chapter 5: Working With Text And HTML 

Script #34: Extracting Part of a String
Script #35: Making a String Uppercase, Lowercase, or Capitalized
Script #36: Finding Substrings
Script #37: Replacing Substrings
Script #38: Finding and Fixing Misspelled Words with pspell
Working with the Default Dictionary
Adding a Custom Dictionary to pspell
Script #39: Regular Expressions
Regular Expression Basics
Special Character Sequences
Pattern Repeaters
Grouping
Character Classes
Putting It All Together
Matching and Extracting with Regular Expressions
Replacing Substrings with Regular Expressions
Script #40: Rearranging a Table
Script #41: Creating a Screen Scraper
Script #42: Converting Plaintext into HTML-Ready Markup
Script #43: Automatically Hyperlinking URLs
Script #44: Stripping HTML Tags from Strings

Chapter 6: Working With Dates

How Unix Time Works
Script #45: Getting the Current Timestamp
Script #46: Getting the Timestamp of a Date in the Past or Future
Creating Timestamps from a String
Creating Timestamps from Date Values
Script #47: Formatting Dates and Times
Script #48: Calculating the Day of the Week from a Given Date
Script #49: Finding the Difference Between Two Dates
MySQL Date Formats

Chapter 7: Working With Files

File Permissions
Permissions with an FTP Program
The Command Line
Script #50: Placing a File’s Contents into a Variable
Script #51: Creating and Writing to a File
Script #52: Checking to See If a File Exists
Script #53: Deleting Files
Script #54: Uploading Images to a Directory
Script #55: Reading a Comma-Separated File

Chapter 8: User And Session Tracking

Using Cookies and Sessions to Track User Data
Cookies
Sessions
Script #56: Creating a “Welcome Back, Username!” Message with Cookies
Script #57: Using Sessions to Temporarily Store Data
Script #58: Checking to See If a User’s Browser Accepts Cookies
Script #59: Redirecting Users to Different Pages
Script #60: Forcing a User to Use SSL-Encrypted Pages
Script #61: Extracting Client Information
Script #62: Session Timeouts
Script #63: A Simple Login System

Chapter 9: Working With Email

Script #64: Using PHPMailer to Send Mail
Script #65: Using Email to Verify User Accounts

Chapter 10: Working With Images

Script #66: Creating a CAPTCHA (Security) Image
Script #67: Creating Thumbnail Images

Chapter 11: Using CURL To Interact With Web Services

Script #68: Connecting to Other Websites
Script #69: Using Cookies
Script #70: Transforming XML into a Usable Form
Script #71: Using Mapping Web Services
Script #72: Using PHP and SOAP to Request Data from Amazon.com
Script #73: Building a Web Service

Chapter 12: Intermediate Projects

Script #74: A User Poll
Creating a Ballot Form
Processing the Ballot
Getting Poll Results
Script #75: Electronic Greeting Cards
Choosing a Card
Sending the Card
Viewing the Card
Script #76: A Blogging System
Creating Blog Entries
Displaying an Entry
Adding Comments
Creating a Blog Index

Appendix                    
Index

All in all, this is a pretty neat book for those looking for a hand in getting started, but you should understand that this is not refined nor production ready code. I enjoy the scripts with sections like 'What Can Go Wrong?', which helps programmers debug their scripts for errors, and 'Hacking the Script', which helps programmers modify the scripts for more uses, which I thought was a nice approach for a cookbook style programming book. You can read the fourth chapter for free, which should help for a better understanding of the chapters. And as I always say, code rules everything around me (CREAM, get the knowledge), so make sure you check out all of the Wicked Cool PHP scripts. Having gotten all of that out, my main problems with this book is that it gives the novice users just enough information to get themselves into trouble, here teaching unaware programmers all of the bad security practices I've highlighted in this review.

Wednesday, August 12, 2015

BSides 2015 SF and Asheville PCAP Writeup

As promised, the writeup for the 3 pcap challenges used during both BSides SF 2015 and BSides Asheville 2015.

The challenge started with a single pcap, albeit large at roughly ~300MB. The pcap was full of general networking traffic and specifically lots of odd web traffic. Ultimately, the challenge consisted of 3 questions.

1) What was the malware operators password?

This is where the challenge starts, and also the easiest question to solve. Simply open the capture file in Wireshark and use ctrl+f searching for the string 'Password=' until you find the c2 login prompt. It takes a few searches but this will also quickly reveal the attacker's hostname as 'emergencyreset.com' and IP address as '104.130.131.113'. These TTPs will be helpful in identifying the rest of the attacker traffic.


2) What was the contents of the flag.txt, a file which the malware operator stole from the victim?

After originally locating the attackers c2 traffic, this challenge becomes much easier. We can sort the traffic specific to the attacker, and then begin to see how the rat operates. There seems to be a lot of calls to ajax.asp and a few to show.asp. Investigating any of these streams shows the attacker's server returning chunked and gzip encoded data, for the client to render. Wireshark uncompressed this for us in the bottom field. Further, it becomes apparent that the ajax.asp pages gather current victim information and the show.asp pages contain data pulled from the victim. Searching our show.asp pages quickly reveals a flag in the last one.


3) What was the image on the victim's deskop?

Finally, we must locate a screenshot of the victims desktop that the attacker took. Doing some searching for the word 'Desktop' reveals a screenshot being pulled in the 'show.asp?b_id=76' stream, however this stream seems to be missing some key packets.


Lucky for us, the data is missing out of a gzip encoded blob, so we can extract the corrupt gzip we have and recover as much of it as possible. Doing this leaves us with an HTML page that has a partial image. Google Chrome will render the partial image, which is just enough to give us the flag.


There you have it, the solution to unsolved pcap challenge of BSides 2015 SF and BSides 2015 Asheville. Until next time, keep your nose on the wire!

Tuesday, August 11, 2015

Wassenaar Arrangement Issues

Having just returned from DefCon23, one piece of news was particularly concerning and prompted this post. News of the Wassenaar Arrangement, also known as WA or Export Controls for Conventional Arms and Dual-Use Goods and Technologies, which was formed in 1996 by 41 different countries, is currently threatening to put the field of vulnerability research back 10 or more years of progress. Within that larger agreement, the implementation in the United States is now being discussed. Some interpretations of the Wassenaar Arrangement state it will prevent legitimate business and researchers from participating in bug bounty and responsible disclosure that rewards the bug hunter while at the same time kills the bug. Further, it will impact international cooperation on exploit research and counter-intelligence, making it hard for global teams to operate. The Wassenaar Arrangement makes the sale of private 'intrusion software' a.k.a. dual-use security tools illegal, in fear that companies like Hacking Team will sell exploits and post-exploitation kits that will be used to suppress certain groups of people. The problem is that the law is missing the good value in these dual-use tools, potentially damaging the industry.  Further, as many other researches have pointed out, the bad guys are rarely stopped by such controls, and so long as illicit and open source exploit kits remain at large then these controls will only harm the ability for legitimate organizations to research and prepare in this area. That's why several prominent organizations have spoken out, including Google, The EFF, and @ErrataRob. I hope this post can raise awareness of the issue while also reminding us why we've fought so hard for these dual-use tools, they help us understand and realistically prevent the issues instead of inadequate attempts to legislate the threats away.

Monday, August 3, 2015

Book Review: "Incident Response and Computer Forensics, Third Edition"

Welcome back for another computer science / information security book review! Today I'm bringing you a core staple in incident response theory and methodology, "Incident Response and Computer Forensics, Thirst Edition", by a gang of people, including such major and minor authors as, Jason T. Luttgens, Matt Pepe, Kevin Mandia, Marshall Heilman, Ryan Kazanciyan, Jeff Hamm, Willi Ballenthin, Justin Prosco, Ryan Benson, Niles Akens, and Robert Honnies. I've had the pleasure of working with most of these gents at Mandiant and I can say definitively that this text lives and breaths core Mandiant incident response methodology and theory. The book is cheap too, at $40 for 544 pages, this book really delivers on value and content, despite being slightly dated. A lot of the tools and core methodologies are Mandiant based (from using RedLine to defining host based observable events in terms of IOCs), which is nice that they use reliable methodologies that I am familiar with, but this also comes with the criticism that incident responders should not be tool dependent (which the book emphasizes). The book is also rife with examples, providing entertaining and real world stories that bring the theories to life. The sections of the book are well thought out as well, the entire book continually shifts from theory up front (Parts 1-3) to hardcore technical details and operations (Parts 3-5). Overall, I give this book a solid 8 out of 10 stars for bringing the theory, being applicable (despite being outdated), and conveying tried, true, and effective methods for incident response. I recommend blue teamers stop what they are doing and pick this book up immediately if they haven't read this or a similar book on incident response, and I also recommend this book to other infosec practitioners looking to get a better understand of incident response.

As with my other reviews, the following is the Table of Contents, as to give the reader a solid understanding of each chapter and its detailed contents.

Cover
Title Page
Copyright Page
About the Authors
    About the Contributors
    About the Technical Editor
Contents
Foreword
Acknowledgments
Introduction

Part I: Preparing for the Inevitable Incident

Chapter 1: Real-World Incidents
    What Constitutes an Incident?
    What Is Incident Response?
    Where We Are Now
    Why Should You Care About Incident Response?
    Case Studies
        Case Study #1: Show Me the Money
        Case Study #2: Certificate of Authenticity
    Concept of the Attack Lifecycle
    So What?
    Questions
Chapter 2: IR Management Handbook
    What Is a Computer Security Incident?
    What Are the Goals of Incident Response?
    Who Is Involved in the IR Process?
        Finding IR Talent
    The Incident Response Process
        Initial Response
        Investigation
        Remediation
        Tracking of Significant Investigative Information
        Reporting
    So What?
    Questions
Chapter 3: Pre-Incident Preparation
    Preparing the Organization for Incident Response
        Identifying Risk
        Policies That Promote a Successful IR
        Working with Outsourced IT
        Thoughts on Global Infrastructure Issues
        Educating Users on Host-Based Security
    Preparing the IR Team
        Defining the Mission
        Communication Procedures
        Deliverables
        Resources for the IR Team
    Preparing the Infrastructure for Incident Response
        Computing Device Configuration
        Network Configuration
    So What?
    Questions

Part II: Incident Detection and Characterization

Chapter 4: Getting the Investigation Started on the Right Foot
    Collecting Initial Facts
        Checklists
    Maintenance of Case Notes
        Building an Attack Timeline
    Understanding Investigative Priorities
        What Are Elements of Proof?
        Setting Expectations with Management
    So What?
    Questions
Chapter 5: Initial Development of Leads
    Defining Leads of Value
    Acting on Leads
        Turning Leads into Indicators
        The Lifecycle of Indicator Generation
        Resolving Internal Leads
        Resolving External Leads
    So What?
    Questions
Chapter 6: Discovering the Scope of the Incident
    What Should I Do?
        Examining Initial Data
        Gathering and Reviewing Preliminary Evidence
        Determining a Course of Action
    Customer Data Loss Scenario
        Customer Data Loss—Scoping Gone Wrong
    Automated Clearing House (ACH) Fraud Scenario
        ACH Fraud—Scoping Gone Wrong
    So What?
    Questions

Part III: Data Collection

Chapter 7: Live Data Collection
    When to Perform a Live Response
    Selecting a Live Response Tool
    What to Collect
    Collection Best Practices
    Live Data Collection on Microsoft Windows Systems
        Prebuilt Toolkits
        Do It Yourself
        Memory Collection
    Live Data Collection on Unix-Based Systems
        Live Response Toolkits
        Memory Collection
    So What?
    Questions
Chapter 8: Forensic Duplication
    Forensic Image Formats
        Complete Disk Image
        Partition Image
        Logical Image
        Image Integrity
    Traditional Duplication
        Hardware Write Blockers
        Image Creation Tools
    Live System Duplication
    Duplication of Enterprise Assets
        Duplication of Virtual Machines
    So What?
    Questions
Chapter 9: Network Evidence
    The Case for Network Monitoring
    Types of Network Monitoring
        Event-Based Alert Monitoring
        Header and Full Packet Logging
        Statistical Modeling
    Setting Up a Network Monitoring System
        Choosing Appropriate Hardware
        Installation of a Pre-built Distribution
        Deploying the Network Sensor
        Evaluating Your Network Monitor
    Network Data Analysis
        Data Theft Scenario
        Webshell Reconnaissance Scenario
        Other Network Analysis Tools
    Collect Logs Generated from Network Events
    So What?
    Questions
Chapter 10: Enterprise Services
    Network Infrastructure Services
        DHCP
        DNS
    Enterprise Management Applications
        LANDesk Software Management Suite
        Symantec Altiris Client Management Suite
    Antivirus Software
        Antivirus Quarantine
        Symantec Endpoint Protection
        McAfee VirusScan
        Trend Micro OfficeScan
    Web Servers
        Web Server Background
        Apache HTTP Server
        Microsoft Internet Information Services (IIS)
    Database Servers
        Microsoft SQL
        MySQL
        Oracle
    So What?
    Questions

Part IV: Data Analysis

Chapter 11: Analysis Methodology
    Define Objectives
    Know Your Data
        Where Is Data Stored?
        What’s Available?
    Access Your Data
    Analyze Your Data
        Outline an Approach
        Select Methods
    Evaluate Results
    So What?
    Questions
Chapter 12: Investigating Windows Systems
    NTFS and File System Analysis
        The Master File Table
        INDX Attributes
        Change Logs
        Volume Shadow Copies
        File System Redirector
    Prefetch
        The Evidence
        Analysis
    Event Logs
        The Evidence
        Analysis
    Scheduled Tasks
        Creating Tasks with the “at” Command
        Creating Tasks with the schtasks Command
        The Evidence
        Analysis
    The Windows Registry
        The Evidence
        Analysis
        Registry Analysis Tools
    Other Artifacts of Interactive Sessions
        LNK Files
        Jump Lists
        The Recycle Bin
    Memory Forensics
        The Evidence
        Memory Analysis
    Alternative Persistence Mechanisms
        Startup Folders
        Recurring Tasks
        System Binary Modification
        DLL Load-Order Hijacking
    Review: Answering Common Investigative Questions
    So What?
    Questions
Chapter 13: Investigating Mac OS X Systems
    HFS+ and File System Analysis
        Volume Layout
        File System Services
    Core Operating System Data
        File System Layout
        User and Service Configuration
        Trash and Deleted Files
        System Auditing, Databases, and Logging
        Scheduled Tasks and Services
        Application Installers
    A Review: Answering Common Investigative Questions
    So What?
    Questions
Chapter 14: Investigating Applications
    What Is Application Data?
    Where Is Application Data Stored?
        Windows
        OS X
        Linux
    General Investigation Methods
    Web Browsers
        Internet Explorer
        Google Chrome
        Mozilla Firefox
    E-Mail Clients
        Web E-Mail
        Microsoft Outlook for Windows
        Apple Mail
        Microsoft Outlook for Mac
    Instant Message Clients
        Methodology
        Instant Message
    So What?
    Questions
Chapter 15: Malware Triage
    Malware Handling
        Safety
        Documentation
        Distribution
        Accessing Malicious Sites
    Triage Environment
        Setting Up a Virtual Environment
    Static Analysis
        What Is That File?
        Portable Executable Files
    Dynamic Analysis
        Automated Dynamic Analysis: Sandboxes
        Manual Dynamic Analysis
    So What?
    Questions
Chapter 16: Report Writing
    Why Write Reports?
    Reporting Standards
        Report Style and Formatting
        Report Content and Organization
    Quality Assurance
    So What?
    Questions

Part V: Remediation

Chapter 17: Remediation Introduction
    Basic Concepts
    Remediation Pre-Checks
    Form the Remediation Team
        When to Create the Remediation Team
        Assigning a Remediation Owner
        Members of the Remediation Team
    Determine the Timing of the Remediation
    Develop and Implement Remediation Posturing Actions
        Implications of Alerting the Attacker
    Develop and Implement Incident Containment Actions
    Develop the Eradication Action Plan
    Determine Eradication Event Timing and Execute Eradication Plan
    Develop Strategic Recommendations
    Document the Lessons Learned
    Putting It All Together
    Common Mistakes That Lead to Remediation Failure
    So What?
    Questions
Chapter 18: Remediation Case Study
    Remediation Plan for Case Study #1: Show Me the Money
        Select the Team
        Determine Remediation Timing
        Contain the Incident
        Posture the Environment
        Eradicate the Attacker
        Set the Strategic Direction
    So What?
    Questions
Index

In conclusion, if your a blue team member or an incident responder, this is a book you really can't afford to pass up. This book would be a massive miss for any type of defensive information security leader to pass up, such as a CSO, CISO, SOC manager or even IR engagement lead, as it really impresses core information security management concepts such as properly scoping an investigation, handling various local and international regulations, and even proper handling of evidence and chain of custody. The authors also provide tons of resources from the IR3E book in a specific site to maintain the content.  Essentially, it's a seminal work of Mandiant, their methodologies and operations, as one of the leading incident response firms currently dealing with advanced state actors and incident response at scale.

Friday, July 24, 2015

PowerShell Remoting for Penetration Testers

Wassup! Lately I've been on a PowerShell kick and much can be said about how useful PowerShell is for penetration testers in general (in both exploitation and utility), but today I want to highlight one specific feature which can be used for lateral movement and file-less persistence during a Windows domain penetration test. That feature is PowerShell Remoting, which is technically enabling the service WindowsRM and communicating with that using WS-Man (which is actually SOAP over HTTP(TCP:5985) and HTTPS(TCP:5986)), while reusing credentials that have access to that machine. This WS-Man communication is all taken care of using native PowerShell features (you need at least PowerShell version 2), similar to the way Deep-Panda used WMI because it was a native Windows feature. The best way to get started is just enable PowerShell Remoting via an Administrator shell on your victim machine, although you may need to bypass PowerShell execution policy.

I find it really helpful to look at security events from all sides of the coin. PowerShell Remoting is used heavily by incident responders and IT, so as a defender it's nice to know the logs PowerShell Remoting is generating (Type 3, Network Logon) and how these logs occur naturally in target environments. It's also pretty cool that you scan for PowerShell Remoting enabled machines by looking for ports 47001, 5985, and 5986.

The best part is a lot of the leg work has already been done for us as penetration testers, as we can invoke any existing PowerShell scripts easily, using PowerShell Remoting as our vector rather than WMI or psexec. There is also some great PowerShell Remoting cheatsheats out there. The following is a demo rich video where Joe not only shows the various uses of PowerShell, but really shows the effectiveness of PowerShell Remoting by running Mimikatz en mass on systems, without touching disk. Further, if you look at the source code of Invoke-Mimikatz you will see that they are using the PowerShell Remoting verb 'Invoke-Command' and native PowerShell 'ComputerName' array to invoke their code block on the remote machines:


Saturday, July 18, 2015

Book Review: "Windows PowerShell Pocket Reference"

This is my review of "Windows PowerShell Pocket Reference" by Lee Holmes. It's a cheap book, I picked it up for $13 at Barnes and Noble, but it's even cheaper on Amazon for ~$8. It's also a quick read, with around 180 pages, cover to cover, you can read it through for a better understanding of PowerShell or you can keep it as a small desk reference for your own scripts. Essentially, It's a fundamentals book, focusing on the basic features of the language, such as data types, built in functions (such as utilizing the .NET framework), and lots of expression logic. It's a great book for having on hand as a reference if you are writing PowerShell scripts and hit a tricky logical situation, however it's not applied like Black Hat Python and it's not a cookbook or cheatsheet book similar to RTFM. Due to the lack of applied focus, I recommend this book for those looking to become better with PowerShell fundamentals, either writing or modifying custom scripts, as well as those who want to become more effective with Windows, as opposed to specifically penetration testers or even security engineers.  That said, I'm giving this book 6 out of 10 stars for it's price, compact format, content, and usefulness as a reference text while scripting, but I would appreciate more of an applied administrative focus (like Part IV of Windows PowerShell CookBook, that I believe this reference is based on). The following is the table of contents, so you know can get a solid understanding of the fundamental, yet PowerShell specific, concepts this book covers:

Chapter 1: PowerShell Language and Environment
    Commands and Expressions
    Comments
    Help Comments
    Variables
    Booleans
    Strings
    Numbers
    Arrays and Lists
    Hashtables (Associative Arrays)
    XML
    Simple Operators
    Comparison Operators
    Conditional Statements
    Looping Statements
    Working with the .NET Framework
    Writing Scripts, Reusing Functionality
    Managing Errors
    Formatting Output
    Capturing Output
    Common Customization Points
Chapter 2: Regular Expression Reference
Chapter 3: XPath Quick Reference
Chapter 4: .NET String Formatting

    String Formatting Syntax
    Standard Numeric Format Strings
    Custom Numeric Format Strings
Chapter 5: .NET DateTime Formatting
    Custom DateTime Format Strings
Chapter 6: Selected .NET Classes and Their Uses
Chapter 7: WMI Reference
Chapter 8: Selected COM Objects and Their Uses
Chapter 9: Selected Events and Their Uses
Chapter 10: Standard PowerShell Verbs


The first 80+ pages are devoted to the first chapter, however my favorite chapters are 6-10, covering .NET, WMI, COM objects, Windows events, and Powershell commands, pages 109-151. Like I always say, it's all about the code, and while O'Reilly doesn't publish any of this books code online, it does publish the code from the Windows PowerShell CookBook, that this book is based on. While this book isn't security focused, I got into PowerShell through several security frameworks, which I am highly recommending for those into PowerShell and information security: PowerSploit, PoshSec, Nishang, Veil's PowerTools, and even the Github PowerShell group. I've also started my own repository, similar to my SPSE repo, with a focus on PowerShell template code and security scripts, called PSSE.