In this action-packed episode of the PowerShell Podcast, we kick off with a loaded preshow featuring an exciting announcement of PowerShelldle, a community tip, and a deep dive into my own PowerShell journey in response to a viewer question. The main segment is a fascinating conversation with Spencer Alessi, where we delve into the world of PowerShell and pentesting. Spencer generously shares the tools he would use as a sysadmin pentesting his own environment, including PowerSploit, PingCastle, Bloodhound, LockSmith, and ADeleg. He provides invaluable tips for PowerShell enthusiasts looking to transition into security and pentesting, shedding light on current and emerging trends in the security landscape. Spencer also gives us insights into the part PowerShell plays in his work as a pentester. Get ready for a riveting episode filled with tips, tools, and trends in the world of PowerShell and security.

Guest Bio and links: I'm a hacker, pentester, wiz-bang exploit slinger hiding in the shadows and co-host of the Cyber Threat Perspective Podcast. I currently do offensive security things at SecurIT360, primarily focused on internal pentesting/assume breach, which I really, really enjoy. I love PowerShell, Windows and Active Directory. I consider myself a blue-hearted red teamer.
Watch The PowerShell Podcast on YouTube: https://www.youtube.com/watch?v=DnEfyGjMMwE
https://www.meetup.com/gainesville-powershell-user-group/events/298931068/
https://discord.gg/pdq
https://powershelldle.com
https://twitter.com/AndrewPlaTech/status/1749469780786946435
https://powershell.org/2017/11/powershell-devops-global-summit-2018-scholarship-recipient/
https://github.com/techspence/ScriptSentry…
https://github.com/techspence/HackerArt/…
https://github.com/TrimarcJake/Locksmith…
https://github.com/PowerShellMafia/PowerSploit…
https://github.com/S3cur3Th1sSh1t/PowerSharpPack…
https://spenceralessi.com
https://twitter.com/techspence
https://linkedin.com/in/spenceralessi…
https://youtube.com/@techspence
https://offsec.blog
https://www.youtube.com/@CyberThreatPOV
https://www.linkedin.com/in/andrewplatech/
https://twitter.com/AndrewPlaTech
Yay! It's time for another tale of pentest pwnage! Highlights include: Making sure you take multiple rounds of "dumps" to get all the delicious local admin creds. Why lsassy is my new best friend. I gave using an Ubuntu box instead of Kali as my attacking system for this test a try. I had pretty good results. Here's my script to quickly give Ubuntu a Kali-like flair:

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install openssh-server -y
sudo apt-get install nmap curl dnsrecon git net-tools open-vm-tools-desktop python3.8 python3-pip unzip wget xsltproc -y

# Aha helps take output from testssl.sh and make it nice and HTML-y
sudo git clone https://github.com/theZiz/aha.git /opt/aha

# Awesome-nmap-grep makes it easy to grep nmap exports for just the data you need!
sudo git clone https://github.com/leonjza/awesome-nmap-grep.git /opt/awesome-nmap-grep

# bpatty is...well...bpatty!
sudo git clone https://github.com/braimee/bpatty.git /opt/bpatty

# CrackMapExec is...awesome
sudo mkdir /opt/cme
cd /opt/cme
sudo curl https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.1.0dev/cme-ubuntu-latest.1.zip -L -o cme.zip
sudo unzip cme.zip
sudo chmod +x ./cme

# EyeWitness is a nice recon tool for putting some great visualization behind nmap scans
sudo git clone https://github.com/FortyNorthSecurity/EyeWitness.git /opt/eyewitness
cd /opt/eyewitness/Python/setup
sudo ./setup.sh

# impacket is "a collection of Python classes for working with network protocols"
# I currently primarily use it for ntlmrelayx.py
sudo git clone https://github.com/CoreSecurity/impacket.git /opt/impacket
cd /opt/impacket
sudo pip3 install .

# mitm6 is a way to tinker with ip6 and get around some ip4-level protections
sudo git clone https://github.com/fox-it/mitm6.git /opt/mitm6
cd /opt/mitm6
sudo pip3 install -r requirements.txt

# install service-identity
sudo pip3 install service-identity

# lsassy
sudo python3 -m pip install lsassy

# nmap-bootstrap-xsl turns nmap scan output into pretty HTML
sudo git clone https://github.com/honze-net/nmap-bootstrap-xsl.git /opt/nmap-bootstrap-xsl

# net-creds "Sniffs sensitive data from interface or pcap"
sudo git clone https://github.com/DanMcInerney/net-creds /opt/netcreds

# PCredz parses pcaps for sensitive data
sudo git clone https://github.com/lgandx/PCredz /opt/pcredz

# PowerSploit is "a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment"
sudo git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit

# PowerUpSQL is a tool for discovering, enumerating and potentially pwning SQL servers!
sudo git clone https://github.com/NetSPI/PowerUpSQL.git /opt/powerupsql

# Responder is awesome for LLMNR, NBT-NS and MDNS poisoning
sudo git clone https://github.com/lgandx/Responder.git /opt/responder
There’s been a long-held stigma amongst our infosec cohort and it’s getting in the way of doing business. What’s the stigma, you ask? “Know-it-all” techies who are unable to communicate. Unfortunately, this shortcoming also puts our jobs at stake. According to a recent cybersecurity survey, the board members polled said that IT and security executives will lose their jobs because of their failure to provide the board with useful, actionable information. It gets worse. More than half of board members say that the data presented is too technical. In an effort to redeem ourselves and to understand the problem, I suggested role playing with the Inside Out Security panel – Cindy Ng, Kilian Englert, Mike Buckbee, and Kris Keyser – and to also practice speaking with executives about cybersecurity. I presented two practical scenarios. The first prompt: explain why you might need UBA, even if you already have a SIEM tool. The other: explain the importance of keeping the health data generated by a wearable safe and secure.

Articles discussed in our podcast:
How to derive a profit from the data deluge
Headphones that spy on listeners
New phone sign-in feature that skips the password
Microchip implanted in between one’s thumb and index finger
Microsoft fixed critical vulnerabilities in uncredited update released in March

Tool of the week: PowerSploit
Materials available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ballenthin-Graeber-Teodorescu-WMI-Attacks-Defense-Forensics.pdf

WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis
Matt Graeber, Reverse Engineer, FireEye Inc.
Willi Ballenthin, Reverse Engineer, FireEye Inc.
Claudiu Teodorescu, Reverse Engineer, FireEye Inc.

Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information, execution of code, and provides an eventing system that can respond to operating system events in real time. FireEye has recently seen a surge in attacker use of WMI to carry out objectives such as system reconnaissance, remote code execution, persistence, lateral movement, covert data storage, and VM detection. Defenders and forensic analysts have largely remained unaware of the value of WMI due to its relative obscurity and completely undocumented file format. After extensive reverse engineering, our team has documented the WMI repository file format in detail, developed libraries to parse it, and formed a methodology for finding evil in the repository.

In this talk, we will take a deep dive into the architecture of WMI, reveal a case study in attacker use of WMI in the wild, describe WMI attack mitigation strategies, show how to mine its repository for forensic artifacts, and demonstrate how to detect attacker activity in real time by tapping into the WMI eventing system. By the end of this talk, we will have convinced the audience that WMI is a valuable asset not just for system administrators and attackers, but equally so for defenders and forensic analysts.

Matt Graeber is a reverse engineer in the FireEye Labs Advanced Reverse Engineering (FLARE) team with a varied background in reverse engineering, red teaming, and offensive tool development. Since joining FireEye, Matt has reversed a vast quantity of targeted and commodity malware samples and served as an instructor of Mandiant's Advanced Malware Analysis course. Matt is the author of various PowerShell modules used for pentesting and reverse engineering including PowerSploit and PowerShellArsenal. He has also been designated a Microsoft "Most Valuable Professional" in PowerShell. Twitter: @mattifestation

Willi Ballenthin is a reverse engineer in the FLARE team who specializes in incident response and computer forensics. He can typically be found investigating intrusions at Fortune 500 companies and enjoys reverse engineering malware, developing forensic techniques, and exploring the cutting edge. Willi is the author of a number of cross-platform Python libraries including python-registry, python-evtx, and INDXParse.py. Twitter: @williballenthin

Claudiu Teodorescu is a reverse engineer in the FLARE team. Prior to joining FireEye, Claudiu worked for Guidance Software, writing forensic parsers for different file formats to support the EnCase forensic tool. Also, as the Cryptographic Officer of the company, he supported EnCase integration with different disk/volume/file based encryption products including BitLocker, McAfee EEPC, Checkpoint FDE, Symantec EEPC, etc.
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf

The Secret Life of Krbtgt
Christopher Campbell, Security Researcher

A tale of peril and woe, Krbtgt is the domain account that you just can't quit. Quiet and harmless, it has been with your enterprise since you first installed Active Directory. Although disabled, it has witnessed years of poor configurations, remote code execution vulnerabilities and bad administrator passwords. Come hear Krbtgt's story and see why its days should be numbered. If you don't laugh, you'll cry. This talk is targeted at Windows administrators, penetration testers and incident handlers and will explore why Microsoft's implementation of Kerberos is not the answer to its many credential problems.

Chris is a security practitioner with over a decade of experience attacking and securing enterprise networks. Currently, he is a security researcher and developer for the Harris Corporation. Formerly, Chris spent over 12 years in the U.S. Army Reserve and spent four years as an operator in the Computer Exploitation section of the U.S. Army Red Team. He has a Master of Science in Information Assurance from Capitol College and holds several industry certifications that he’d prefer you not hold against him. Chris is one of the developers of PowerSploit and has given presentations at BlackHat USA, Derbycon, Shmoocon Firetalks and multiple BSides events. He maintains a blog at www.obscuresec.com and is active on Twitter (@obscuresec).
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-Path-Less-Traveled.pdf

The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns
Christopher Campbell, Security Researcher

15 years after APT was released for Linux, Microsoft is finally going to ship Windows with a package manager! Windows PowerShell OneGet is the easiest and fastest way to install applications and will be a fundamental part of how Microsoft wants you to administer your enterprise. In this talk we will go over OneGet, NuGet and Chocolatey and observe some of the security problems that will have to be overcome before widespread adoption. We will go over the hundreds of privilege escalation vulnerabilities that were found in the over 1800 unique packages that are already available on the repository server. We will also demo vulnerabilities against one of the package managers and PowerShell itself. Come see how to find third-party privilege escalation bugs at scale with the newest addition to PowerSploit.

Chris is a security practitioner with over a decade of experience attacking and securing enterprise networks. Currently, he is a security researcher and developer for the Harris Corporation. Formerly, Chris spent over 12 years in the U.S. Army Reserve and spent four years as an operator in the Computer Exploitation section of the U.S. Army Red Team. He has a Master of Science in Information Assurance from Capitol College and holds several industry certifications that he’d prefer you not hold against him. Chris is one of the developers of PowerSploit and has given presentations at BlackHat USA, Derbycon, Shmoocon Firetalks and multiple BSides events. He maintains a blog at www.obscuresec.com and is active on Twitter (@obscuresec).