empire work shop


Upload: haydn-johnson

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Empire Work shop

@haydnjohnson

“Building an Empire” PowerShell Goodness

http://www.slideshare.net/harmj0y/building-an-empire-with-powershell

Page 2: Empire Work shop

Post Exploitation

● Have gained access
  a. Via phishing
  b. Via Exploit
  c. Via ??
● Want to know where we are in the network
● Want to know WHO we are
● What PERMISSIONS do we have
● Getting a shell is just the beginning :)

Page 3: Empire Work shop

So you have gained access - Now what

● What Box are you on?
  ○ IP address
  ○ What platform?
  ○ Service Pack?
● Normal User or Privileged User?
  ○ What permissions
  ○ What can you execute
● What else is out in the Abyss?
  ○ Network shares
  ○ Other boxes
  ○ Where are the domain admins??

Page 4: Empire Work shop

Any other things we might want to know

???

Page 5: Empire Work shop

We want to pilfer - quietly as possible

● As small a footprint as possible
● Use native tools
● A scripting language like bash for windows?
● BATCH any good?

Page 6: Empire Work shop

PowerShell - our best friend

● It is native - pretty much guaranteed to be available
● Full .NET access
● Most likely to be whitelisted
● Access to Win32 API
  ○ Access to Kernel
● Run things in memory!
  ○ Even assemble binaries

For an amazing explanation read: http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html

Page 7: Empire Work shop

Empire comes to the rescue

Free open source

Power-packed!

Page 8: Empire Work shop

Incorporates:

● PowerSploit
● Posh-SecMod
● PowerShell-AD-Recon
● Mimikatz

Developers:

● @harmj0y
● @enigma0x3
● Many others!

Page 9: Empire Work shop

References

http://www.powershellempire.com/

Peeps to follow:

● https://twitter.com/enigma0x3
● https://twitter.com/harmj0y
● https://twitter.com/mattifestation
● https://twitter.com/obscuresec
● https://twitter.com/JosephBialek
● https://twitter.com/pyrotek3
● https://twitter.com/tifkin_
● https://twitter.com/ben0xa
● https://twitter.com/mwjcomputing

● https://github.com/leechristensen/UnmanagedPowerShell
● https://github.com/PyroTek3/PowerShell-AD-Recon
● https://github.com/darkoperator/Posh-SecMod

Many more +

Page 10: Empire Work shop

Pocketful of goodies!

● Create Listeners easily
  ○ PowerShell command straight into CMD
  ○ VBA for excel Macros
  ○ Ducky scripts
● Agents (C2 comms) are easy to use
● Modules and more modules!

Page 11: Empire Work shop

Listeners

Communicates with your agent (the thing that sits on your victim's machine)

Page 12: Empire Work shop


Page 13: Empire Work shop

Agents

● Are what you tell to do things on your victim's machine!
● Similar to a meterpreter session? More powerful maybe?

Page 14: Empire Work shop


Page 15: Empire Work shop

Modules

● Numerous scripts with awesomeness
● Run situational awareness scripts
● Run Privilege escalation scripts

Page 16: Empire Work shop


Page 17: Empire Work shop

No more theory. Let's give this a try.

Page 18: Empire Work shop

The plan

1. Install PowerShell Empire
2. Create a listener
3. Execute an Agent on Victim
4. Run modules
5. Escalate to high privileged process as Admin (bypassuac)
6. Look for other shares/boxes to get Domain Admin
   a. If the class's infrastructure has AD

Page 19: Empire Work shop

Tutorial to Follow Part 1 - Getting Access

https://www.cybrary.it/0p3n/powershell-empire-stagers-1-phishing-office-macro-evading-avs/

● Covers Installation
● Receiving connection via a VBA Macro

Page 20: Empire Work shop

Install Empire

Git Clone onto your Linux machine

Got Kali?

Page 21: Empire Work shop

Create a Listener

“listeners” - switch to listeners mode

“options” | “info” - view options to configure

“set Name Test1” - Set a name for listener

“execute” - activates the listener

Page 22: Empire Work shop

Create a macro

“usestager macro Test” - create macro for the listener named Test

“options” - ensure listener is connected

“execute” - will create a file with VBA code

Add code from Macro into Victim's Excel/Word document.

Execute file and receive agent

If no Excel/Word is available, use “usestager launcher” and copy and paste into CMD
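A defender-side example, added here and not part of the slides or the Empire project: it triages constructed process-creation events for the two delivery paths this page describes (an Office macro that spawns PowerShell, and a hidden, encoded one-liner pasted into CMD, the "run things in memory" property praised on the PowerShell slide) and recovers the script behind -EncodedCommand. The event field names, the sample events and the harmless payload are assumptions for illustration.

```python
# Added example, not from the slides or Empire: triage process-creation events for
# the workshop's launcher paths. Sample events at the bottom are constructed.
import base64
from collections import namedtuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ProcEvent = namedtuple("ProcEvent", "parent_image image command_line")  # Sysmon EID 1 / Security 4688 fields

def _param(tok, name, *aliases):
    """Match like PowerShell: any prefix of a switch (-enc, -w, -nop) or a fixed alias (-ec, -ep)."""
    t = tok.lower()
    return t in aliases or (t.startswith("-") and len(t) > 1 and name.startswith(t[1:]))

def decode_encoded_command(command_line):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE), else None."""
    toks = command_line.split()
    for i, tok in enumerate(toks[:-1]):
        if _param(tok, "encodedcommand", "-ec"):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(ev):
    """Reasons, in command-line order, that ev looks like an in-memory launcher."""
    reasons = []
    if ev.image.lower() not in POWERSHELL:
        return reasons
    if ev.parent_image.lower() in OFFICE:
        reasons.append("office-parent")        # Word/Excel should not spawn PowerShell
    toks = ev.command_line.split()
    for i, tok in enumerate(toks):
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if _param(tok, "encodedcommand", "-ec"):
            reasons.append("encoded-command")  # script body never touches disk
        elif _param(tok, "windowstyle") and nxt in ("hidden", "1"):
            reasons.append("hidden-window")
        elif _param(tok, "noprofile") or (_param(tok, "executionpolicy", "-ep") and nxt == "bypass"):
            reasons.append("policy-evasion")
    return reasons

SCRIPT = "Write-Host 'constructed sample'"  # constructed, harmless payload
ENC = base64.b64encode(SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [  # constructed events: benign, CMD one-liner, Office macro child
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\"),
    ProcEvent("cmd.exe", "powershell.exe", f"powershell -NoP -W Hidden -Enc {ENC}"),
    ProcEvent("excel.exe", "powershell.exe", f"powershell.exe -w 1 -ep bypass -e {ENC}"),
]
```

Feed real events by mapping the parent image, image and command line from Sysmon Event ID 1 or Security 4688 into ProcEvent; an empty reason list means nothing in this narrow check fired, not that the process is clean.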

Page 23: Empire Work shop

Have now gained access

Page 24: Empire Work shop

Tutorial To Follow Part 2 - Controlling your agent

https://www.cybrary.it/0p3n/powershell-empire-stagers-2-controlling-victims-machine/

Opened file - should have an agent

“agents” - will take you to the listing of agents

“interact ABCDEDINDF” - select the agent to interact with.

“sysinfo” - gain information about your victim

“usemodule” <tab> - gain a list of all the awesomeness

Page 25: Empire Work shop

Useful commands

● >Git clone https://github.com/PowerShellEmpire/Empire.git
● >Listeners
  ○ List & create listeners
● >Usestager launcher
  ○ Usestager <tab> to see other launchers :)
● >Agents
  ○ >sysinfo - list system info agent is on
● >usemodule <tab>
● Bypassuac <2nd listener>

Page 26: Empire Work shop

Goals

Find a flag - you have local admin access, there is a flag on an open share. Find it

Get Domain Admin credentials - you may need to ‘hunt’ for a domain admin

Page 27: Empire Work shop

Any other fun stuff we can do?

Detailed case study:

https://enigma0x3.net/2016/01/28/an-empire-case-study/