Difference between revisions of "Training 2016 - Offensive PowerShell for Red and Blue Teams"

From BruCON 2017

Changes between the previous revision and the revision of 19:43, 29 May 2016. The wikitext is shown as the diff records it: lines marked − were removed, lines marked + were added, and a few unchanged lines are kept unmarked for context.

=Offensive PowerShell for Red and Blue Teams=
− In this course, you'll learn how to attack Windows network using PowerShell, based on real world penetration tests. The course runs on a lab network to which attendees will have Free access for one month after the training. The class consists of hands-on, challenges and demonstrations
+ In this course, you'll learn how to attack Windows network using PowerShell, based on real world penetration tests. It includes a mixture of lectures, demonstrations, exercises, hands-on and as well as a CTF which attendees could try during and after the course.

===Course Description===
− PowerShell has changed the way Windows networks are attacked. It is Microsoft’s shell and scripting language available by default in all modern Windows computers. It could interact with .Net, WMI, COM, Windows API, Registry and other computers on a Windows network. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell.
+ Penetration Tests and Red Team operations for secured environments need altered approaches. You cannot afford to touch disk, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.
− This training is aimed towards attacking Windows network using PowerShell and is based on real world penetration tests done by the instructor. The course runs as a penetration test of a secure environment with detailed discussion and use of custom PowerShell scripts in each phase.
+ PowerShell has changed the way Windows networks are attacked. It is Microsoft’s shell and scripting language available by default in all modern Windows computers. It could interact with .Net, WMI, COM, Windows API, Registry and other computers on a Windows Domain. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell. This training is aimed towards attacking Windows network using PowerShell and is based on real world penetration tests and Red Team engagements for highly secured environments. The course runs as a penetration test of a secure environment with detailed discussion and use of custom PowerShell scripts in each phase. Some of the techniques (see the course content for details), implemented using PowerShell, used in the course:
− Some of the techniques (see the course content for details), implemented using PowerShell, used in the course:

* In-memory shellcode execution using client side attacks.
− * Exploiting SQL Servers (more than executing commands)
+ * Exploiting SQL Servers (Command Execution, trust abuse, lateral movement.)
* Using Metasploit payloads with no detection

* Bypass security controls like Firewalls, HIPS and Anti-Virus.
− The course is a mixture of demonstrations, exercises, hands-on and lecture. The course also has a live CTF which attendees could try with and after the training. Attendees would be able to write own scripts and customize existing ones for security testing after this training. This training aims to change how you test a Windows based environment.
+ The course is a mixture of demonstrations, exercises, hands-on and lecture. The training focuses more on methodology and techniques than tools. '''Attendees will get free one month access to a complete Active Directory environment after the training'''. Attendees would be able to write own scripts and customize existing ones for security testing after this training. This training aims to change how you test a Windows based environment.

= Course contents =
+ ==Day 1 – PowerShell Essentials==
* Introduction to PowerShell

* Extending PowerShell with .Net
+ * Accessing Windows API
* WMI with PowerShell

* COM Objects with PowerShell
+ ==Day 2 – Getting a foothold==
* Recon, Information Gathering and the likes

** Porting Exploits to PowerShell
+ ==Day 3 – Post Exploitation and Lateral Movement==
* Post-Exploitation – What PowerShell is actually made for

** Kerberos attacks (Golden, Silver Tickets and more)
− ** MITM Attacks
− ** Backdoors
* Pivoting to other machines
− ** Poshing the hashes™
+ ** Poshing the hashesTM
** Replaying credentials

* Achieving Persistence
− * Clearing Tracks
+ * Detecting and stopping PowerShell attacks
* Quick System Audits with PowerShell
− * Detecting PowerShell attacks
* Security controls available with PowerShell

− === What would the attendees gain ===
+ ==What would the attendees gain==
− * PowerShell Hacker’s Cheat Sheet, access to the online CTF, solutions to exercises, sample source code, Lab manual, Lab machines (VM) , updated tools and extra slides explaining things which could not be covered.
+ * One month access to the online lab.
+ * PowerShell Hacker’s Cheat Sheet, solutions to exercises, sample source code, Lab manual, Lab machines (VM) , updated tools and extra slides explaining things which could not be covered.
* The attendees would learn a powerful attack method which could be applied from day one after the training.
− * The attendees would understand that it is not always required to use a third party tool or non-native code on the target machine for post exploitation.
+ * The attendees would understand that it is not always required to use third party executables, non-native code or memory corruption exploits on the targets.
− * The attendees would learn how PowerShell makes things easier than previous scripting options on Windows like VB.
+ * The attendees would learn how PowerShell reduces dependence on existing frameworks yet seamlessly integrates with them.
− * After the training, you get '''one month free access to the labs hosted in Amazon EC2''' so you can continue to develop your skills on your own

= Target audience =
* Basic understanding of a programming or scripting language could be helpful but is not mandatory.
− * An open mind
+ * An open mind.

= Hardware/software Requirements =
A Windows 7 or later system with 4 GB RAM, with Administrative access and ability to run
− PowerShell scripts. Ability to run VMware virtual machines.
+ PowerShell scripts. Ability to run VMware virtual machines and RDP to other systems

=Trainer Biography=
[[File:Nikhil.Mittal.jpg|thumb|125px]]
− Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in Penetration Testing for his clients which include many global corporate giants. He is also a member of Red teams of selected clients.
+ Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 7+ years of experience in Penetration Testing for his clients which include many global corporate giants. He is also a member of Red teams of selected clients.
+ He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks.
+ Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Shakacon, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.

<br>[[Image:300px-twitter-icon.jpg|17px]] [https://twitter.com/nikhil_mitt @nikhil_mitt]

Links :
− * [http://www.labofapenetrationtester.com/ Nikhil Website]
+ * [http://www.labofapenetrationtester.com/ Nikhil Blog]

''Wed. 24 - 26 October 2016 (09:00 - 17:00) (3-day)''

Revision as of 19:43, 29 May 2016

Offensive PowerShell for Red and Blue Teams

In this course, you'll learn how to attack Windows networks using PowerShell, based on real-world penetration tests. The course includes a mixture of lectures, demonstrations, exercises, hands-on work and a CTF which attendees can try during and after the course.

Course Description

Penetration tests and Red Team operations against secured environments need altered approaches. You cannot afford to touch disk, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.

PowerShell has changed the way Windows networks are attacked. It is Microsoft's shell and scripting language, available by default on all modern Windows computers. It can interact with .Net, WMI, COM, the Windows API, the Registry and other computers in a Windows Domain. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell. This training is aimed at attacking Windows networks using PowerShell and is based on real-world penetration tests and Red Team engagements against highly secured environments. The course runs as a penetration test of a secure environment, with detailed discussion and use of custom PowerShell scripts in each phase. Some of the techniques used in the course, implemented using PowerShell (see the course contents for details):

  • In-memory shellcode execution using client side attacks.
  • Exploiting SQL Servers (command execution, trust abuse, lateral movement)
  • Using Metasploit payloads with no detection
  • Active Directory trust mapping, abuse and Kerberos attacks.
  • Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
  • Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
  • Network relays, port forwarding and pivots to other machines.
  • Reboot and Event persistence
  • Bypass security controls like Firewalls, HIPS and Anti-Virus.

The course is a mixture of demonstrations, exercises, hands-on work and lecture. The training focuses more on methodology and techniques than on tools. Attendees will get free one-month access to a complete Active Directory environment after the training. Attendees will be able to write their own scripts and customize existing ones for security testing after this training. This training aims to change how you test a Windows-based environment.

Course contents

Day 1 – PowerShell Essentials

  • Introduction to PowerShell
  • Language Essentials
    • Using ISE
    • Help system
    • Syntax of cmdlets and other commands
    • Variables, Operators, Types, Output Formatting
    • Conditional and Loop Statements
    • Functions
    • Modules
    • PowerShell Remoting and Jobs
    • Writing simple PowerShell scripts
  • Extending PowerShell with .Net
  • Accessing Windows API
  • WMI with PowerShell
  • Playing with the Windows Registry
  • COM Objects with PowerShell

Day 2 – Getting a foothold

  • Recon, Information Gathering and the likes
  • Vulnerability Scanning and Analysis
  • Exploitation – Getting a foothold
    • Exploiting MSSQL Servers
    • Client Side Attacks with PowerShell
    • PowerShell with Human Interface Devices
    • Writing shells in PowerShell
    • Using Metasploit and PowerShell together
    • Porting Exploits to PowerShell

Day 3 – Post Exploitation and Lateral Movement

  • Post-Exploitation – What PowerShell is actually made for
    • Enumeration and Information Gathering
    • Privilege Escalation
    • Dumping System and Domain Secrets
    • Kerberos attacks (Golden, Silver Tickets and more)
  • Pivoting to other machines
    • Poshing the hashes™
    • Replaying credentials
    • Network Relays and Port Forwarding
  • Achieving Persistence
  • Detecting and stopping PowerShell attacks
  • Quick System Audits with PowerShell
  • Security controls available with PowerShell

What would the attendees gain

  • One month access to the online lab.
  • PowerShell Hacker's Cheat Sheet, solutions to exercises, sample source code, lab manual, lab machines (VMs), updated tools and extra slides explaining things which could not be covered.
  • The attendees would learn a powerful attack method which could be applied from day one after the training.
  • The attendees would understand that it is not always required to use third party executables, non-native code or memory corruption exploits on the targets.
  • The attendees would learn how PowerShell reduces dependence on existing frameworks yet seamlessly integrates with them.

Target audience

Penetration Testers, Red Team members, System Administrators, Blue Team members and security professionals.

Requirements

  • Basic understanding of how penetration tests are done.
  • Basic understanding of a programming or scripting language could be helpful but is not mandatory.
  • An open mind.

Hardware/software Requirements

A Windows 7 or later system with 4 GB RAM, administrative access and the ability to run PowerShell scripts. Ability to run VMware virtual machines and to RDP to other systems.

Trainer Biography


Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 7+ years of experience in penetration testing for his clients, which include many global corporate giants. He is also a member of the Red Teams of selected clients.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia) and at the world's top information security conferences. He has spoken or trained at conferences including Defcon, BlackHat USA, BlackHat Europe, RSA China, Shakacon, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.

Twitter: @nikhil_mitt (https://twitter.com/nikhil_mitt)

Links: Nikhil's blog, http://www.labofapenetrationtester.com/

Wed. 24 - 26 October 2016 (09:00 - 17:00) (3-day)
