Edit – I just had this pointed out to me that on Friday 17th March Lee Holmes wrote about this very attack on his blog here – http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/. This is a pure coincidence and I was not aware of this blog post by Lee at the time.
We all know that Microsoft has added some nice features to PowerShell v5 to help out the Blue teams, Constrained Language Mode, Deep Scriptblock logging, system wide transcripts and AMSI to name a few.
This blog is not a lesson on each of the features mentioned above, for more information this is a great place to start – Microsoft PowerShell Blue team.
This blog is also not about the awesome bypasses highlighted by Casey Smith, aka @SubTee, again detailed info can be found here – @SubTee Blog.
What I’ve found is probably not even new, but I can’t find anything written about it. This is a very simple and almost too easy a way to bypass Constrained Language Mode. I still can’t believe it myself.
Continue reading “Simple Bypass for PowerShell Constrained Language Mode”
You have obtained some level of admin creds, (local, domain or otherwise) to a windows server/domain, there is no RDP. There is however the WinRM service, PSRemoting to give it its other name, this allows an admin to create a remote PowerShell session to the server and run commands or scripts, very much like the ssh service used on Linux systems.
The admin level creds you have will allow you to connect to the remote server(s) via PSRemoting, and you will want to run hacker PowerShell tools in the remote session to further infiltrate the server or systems, however, given the lack of RDP and the locked down state of the network and services, you may struggle to get the likes of PowerSploit onto the remote system.
So for instance we might want to run Invoke-Mimikatz on the remote server to extract clear text credentials stored on the server. Lets explore PSRemoting in a liitle more depth.
Continue reading “PowerShell PSRemoting Pwnage”
I wrote this little PowerShell script to quickly test for HTTP Security Headers.
It still needs improvements, but it’s mostly there.
Hope you find it useful, if you find any issues, please let me know via Github and I’ll try to fix them ASAP
I’ve added logging functionality to write all of the script output to a file.
Also forgot to mention this script requires PowerShell 3.0.
A colleague @benpturner and I came up with this from an idea I had, it gives an Interactive PowerShell session from Metasploit, using newly developed Metasploit payloads.
Check out the blog post here for more information – https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit