1. Pentesting with PowerShell by Rajganesh Pandurangan

2. Rajganesh (Raj) Pandurangan - OSCP, CISSP, CEH, QSA, PA-QSA, MCSD.NET
Email: prajganesh@gmail.com
Senior Managing Consultant at U.S. Bank
16 years of security consulting experience
Results-driven success across a multitude of Fortune 100 companies

Consulting Services
Web application security assessment
Mobile security assessment
Network penetration testing
Wireless security testing
Security code review
Payment Card Industry (PCI) assessment
Security gap assessment
Implementing effective security solutions and strategies
3. Web Applications and Exploitation Distro (WAED)
Site: http://www.waed.info
Features:
WAED is based on the Debian 8.0 distribution.
Uses Docker to provide a sandboxed environment.
Pre-installed web application testing tools.
13 pre-installed vulnerable web applications.
Each application can be started separately.
DEMO
4. What is PowerShell
Microsoft's attempt to get admins to use the command line
Task automation and configuration management framework
Command-line shell and scripting language
Built on the .NET Framework
Provides full access to WMI and COM
Performs administrative tasks on local and remote Windows systems
Great for log parsing and WMI queries
Available by default on Windows 7 and up
5. What is PowerShell (contd.)
Security
Lots of work in DFIR - http://www.invoke-ir.com
DLL injection
WMI abuse
Hard to protect against attacks
6. Pentesting Methodology

7. Lab diagram (network zones: External, DMZ, Internal)
Host Machine (Mac)
Kali Linux - External Testing
PFSENSE - port 80, 443 (Firewall, IDS, IPS, DNS, DHCP) - 192.168.15.100, DHCP
Windows 2012 - Domain Controller, DNS - 192.168.15.248
Kali Linux - Internal Testing - 192.168.15.249
Debian - WAED
Windows 7 - 192.168.15.125
Windows 10 - 192.168.15.135
Windows 8
Lab setup references:
https://www.youtube.com/watch?v=50VhoeG_6rY
http://www.rebeladmin.com/2014/07/step-by-step-guide-to-setup-active-directory-on-windows-server-2012/
https://www.youtube.com/playlist?list=PLE726R7YUJTePGvo0Zga2juUBxxFTH4Bk
https://www.youtube.com/watch?v=w1QPijf4Wa0
https://www.youtube.com/watch?v=9Rs4RSfTgL0
8. Tools Required for Offensive PowerShell
Nishang - https://github.com/samratashok/nishang
PowerSploit - https://github.com/PowerShellMafia/PowerSploit
Empire - https://github.com/PowerShellEmpire/Empire
Posh-SecMod - https://github.com/darkoperator/Posh-SecMod
PSAttack - https://github.com/jaredhaight/PSAttack
PowerUpSQL - http://seclist.us/powerupsql-a-powershell-toolkit-for-attacking-sql-server.html
9. A Few Important Scripts
Import-Module
Port-Scan
out-csv, out-excel
Get-Help
Get-NetComputer
Get-NetDomainController
Get-NetUser, Get-NetUser -user pentest3
Get-NetLocalGroup
Invoke-FileFinder
Find-LocalAdminAccess
Invoke-UserHunter
Get-ServiceUnquoted
Invoke-TokenManipulation -enumerate
Invoke-TokenManipulation -createprocess "cmd.exe" -username "NT AUTHORITY\SYSTEM" (ls hklm:\security)
Get-PassHashes
Invoke-Mimikatz
Invoke-AllChecks
Get-GPPPassword
Invoke-CredentialsPhish
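As an added defender-side example that is not part of the deck: the deck notes that PowerShell is good at log parsing, so this script uses the built-in Get-WinEvent cmdlet to search PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which requires script block logging to be enabled through policy) for invocations of the scripts listed above and writes the hits to CSV. The output file name is an assumption.

```powershell
# Added example, not from the deck: hunt PowerShell script block logs for the
# offensive script names listed on the slide. Assumes script block logging is
# enabled so that Event ID 4104 is being written on the host being checked.
$Indicators = @(
    'Invoke-Mimikatz', 'Get-PassHashes', 'Invoke-TokenManipulation',
    'Get-GPPPassword', 'Invoke-CredentialsPhish', 'Invoke-UserHunter',
    'Find-LocalAdminAccess', 'Invoke-AllChecks', 'Get-ServiceUnquoted'
)
# Build one case-insensitive alternation; -match is case-insensitive by default.
$Pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104                      # "Creating Scriptblock text" events
    StartTime = (Get-Date).AddDays(-1)    # last 24 hours
}

# Get-WinEvent raises a terminating error when nothing matches; suppress it.
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Where-Object {
        # Property index 2 of a 4104 event is the logged ScriptBlockText.
        [string]$_.Properties[2].Value -match $Pattern
    } |
    ForEach-Object {
        $script = [string]$_.Properties[2].Value
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Hit      = [regex]::Match($script, $Pattern).Value
            Snippet  = $script.Substring(0, [Math]::Min(120, $script.Length))
        }
    } |
    Sort-Object Time |
    Export-Csv -Path '.\suspicious-scriptblocks.csv' -NoTypeInformation  # assumed output path
```

Large scripts are logged as several 4104 fragments, so a single tool name can appear in more than one event for the same ScriptBlockId; group on that property if you need one row per script.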
10. PowerShell Empire
http://www.powershellempire.com
Powerful post-exploitation framework built on PowerShell
Integrates tools from PowerSploit
Easily extensible

Rajganesh Pandurangan, an experienced security consultant, discusses the use of PowerShell for pentesting and security assessments. The content covers PowerShell basics, tools required, a web application exploitation distro, and a pentesting methodology. It also includes information on Rajganesh's background, expertise, and useful resources in the field of cybersecurity.


Uploaded on Apr 17, 2024

