NIKHIL MITTAL: Hi DEF CON! Thank you. I'm Nikhil Mittal. I'm from India and I'll be talking about Powerpreter: post exploitation like a boss. So how many of you are penetration testers?
(Showing of hands)
You surely do post exploitation? Yes or no?
AUDIENCE: Yes.
NIKHIL MITTAL: Yeah. So we will have a look at something which could be used to enhance your post exploitation experience. It sounds like a vendor term, but yes. And let's have fun.

So something about me. I'm a hacker who goes by the handle samratashok. This is my total handle. And you can find my blog posts on my blog.

I'm creator of Kautilya and Nishang. Kautilya is a toolkit which could be used to use human interface devices like Teensy and others, for penetration tests or for whatever you want it to be. Nishang is a post exploitation framework in PowerShell. Powerpreter is going to be a part of this framework. You can find both of these on Google Code links or on my blog. I'm interested in offensive information security methodology to hack systems, getting into systems. I'm a freelance penetration tester. I've spoken twice. And I've spoken at a couple of conferences before this. And this is my first time at DEF CON.
(Shouts)
Thank you.
(Applause)

So what we will be looking at is what is the need for post exploitation? What is PowerShell in a couple of slides?
Why do we need PowerShell? Then we will have a look at Powerpreter, its architecture, usage, payloads and much more details. Then this is a web shell which I call Antak, in C#, .NET and PowerShell. And then limitations and conclusions.

So what is post exploitation? For me, it is the most important part of a penetration test. As a freelance penetration tester, I know that someone who is going to pay me doesn't necessarily understand what a shell is. "I got access through my PC?" I say "yeah, okay, I got access through my PC." That's the kind of response you get in a meeting with a client. But those guys want to pay you. So we need some ways to show actual data, things like if it's a pharma company, the complaints their customers submit against them; if it's a supply chain management company, then the profit they take at every step of the supply chain, things like that. So this differentiates a good penetration tester from something which will return a piece of crap.

So this is PowerShell. It's a shell and a scripting language, which is present I think by default on all Windows systems. It's an automation framework, designed to help system admins and of course penetration testers who know how to use it to their profit. It's built on the .NET framework and it's tightly integrated with Windows. Yes, it's by default on Windows.
(Laughter)
So why PowerShell? Anybody here uses PowerShell for their penetration testing things?
(Showing of hands)
Wow, nice. Any one of you use Nishang by any chance?
(Showing of hands)
Oh, whoo. Just out of curiosity, anybody here uses Kautilya or knows what it is already?
(Showing of hands)
Okay, thank you. So, yes, why PowerShell? It's easy to learn and powerful. The help system is quite good. You can read help, have the cmdlets or commands or whatever. We're not going into the details of that. And one thing which I have come to during my penetration tests is that it is trusted by system administrators, account managers, et cetera. Nobody actually cares about PowerShell. There are a lot more things to have a look at. You can consider it a bash of Windows. Many things like, commands like ls, cat, et cetera, the very common ones, are user aliases in PowerShell, so you will be very comfortable using it. And this means less dependence on any library which converts your code to an executable, let's say (inaudible) to EXE or things like that. And to some level less dependence on MSF, too. MSF is very good. I mean, Powerpreter is nowhere near Meterpreter, from where it borrows its name. But Windows is all around MSF, so it's good if sometimes you have something in your tool chest other than MSF which can help you in achieving things in a similar way.

Powerpreter, yes, it's a post exploitation tool within PowerShell. It's a module.
How many PowerShell programmers or guys who use PowerShell, other than for penetration testing, for anything?
(Showing of hands)
Similar answer. Okay. Okay. It's a module or a script. It depends on the usage. So how Powerpreter is designed is if you rename a file to .ps1, which is the default extension for PowerShell scripts, it could be used as a PowerShell script. And if you rename it as .psm1, then it's a PowerShell module. Payloads and features are all divided into different functions. Each function represents a different functionality. So if you have some code which you want to include with Powerpreter, so that it's helpful, and this could be used, for example, for persistence, pivoting, et cetera, then you can write a new function, copy it into your PowerShell module, and you're good to go.

So how to use PowerShell. So since we are talking about post exploitation, we will assume that we have access to a machine. We have access to a machine. And we will try to make our way to other machines on the network, back door that machine or pull it out of that machine, more effectively than could be done using non-PowerShell methods or at least most -- in the most, (inaudible). And, yes, the third thing, it could also be used with a Meterpreter shell. You can use -- and one thing, if you are using it from the Meterpreter shell, you won't be able to get an interactive PowerShell prompt from Meterpreter.
It's the way PowerShell handles output redirection. And other than from Meterpreter, if you have any custom shell which gives you the ability to execute code on a machine, you can always use PowerShell and hence Powerpreter.

So there are many payloads in Powerpreter. Let's have a look at it. That would be the most lengthy part of this talk. Most of the time it will be in the demonstrations.

So these are the capabilities of Powerpreter. Persistence using WMI permanent event (inaudible) on the machine. It won't be a startup script or something like that, service failure or scheduled task. It won't be anything of this. It would be -- we will use WMI, (inaudible) that's it. That's it. (inaudible). We will have a look at it.

One other thing, we will use built-in PowerShell remoting to pivot to other machines, if that is possible. We just run commands non-interactively, or we will interactively run commands or scripts or whatever on a remote machine. We have a simple function called enable duplicate token, written by a friend Nicholas, which allows -- which is nothing great. But if you are on an admin level machine you can get system level access and do stuff like dumping hashes or (inaudible). Then there are helper functionalities. Simple ones like (inaudible) executables to Unicode, encoded text or basic script for encoding, or execution of shellcode. So these are some helper functionalities.

Deployment.
We can deploy it from our PowerShell session or PowerShell remoting session. We can use Meterpreter. What else we can use? We can use PsExec because it allows us to execute commands on a remote machine.
(Shouts and applause)
And of course we need a volunteer from the audience, first time DEF CON person. Your hand shot up. Everybody else is like damn it! To our new speaker and our new attendee.
(Applause)
Busy afternoon. We have got to go. And no following us. We know you're out there.
NIKHIL MITTAL: Okay. So ...
(Laughter)
Powerpreter could be deployed using drive by downloads. We will use an external application, which will execute VB code, which in turn would download Powerpreter from a server, and execute it. And we can also use human interface devices, because I love to insert HID into everything. So select some couple of functionalities, and run it from your HID device, from your HID. Sorry. So let's get down with the demos.

So let's assume -- do you want me to assume that I have clear text passwords of the remote machine or do I have the hashes of the remote machine?
AUDIENCE: (Shouting)
NIKHIL MITTAL: Okay. Okay. So this is the attacker machine and we will use WCE to pass the hashes. So let me put the target first.
AUDIENCE: Increase your font size on your terminal. Please.
NIKHIL MITTAL: What? The font size?
AUDIENCE: Yes.
(Applause)
NIKHIL MITTAL: Better? Meanwhile, it is putting. So what we'll do, we will use these hashes with WCE, and on our victim we will have administrative access, because it's a post exploitation thing. Please don't shoot me. So we will have a remote session, which is PowerShell remoting, a built-in feature of PowerShell, which is enabled by default post Server 2012. So we will have a remoting session on the victim machine. There we will download the Powerpreter module, import it, and we will have fun.

So... okay. So we have hashes with us. So let's... okay. This (inaudible) session command opens a PS session with this remote computer name, which is called Akila, which means stand-alone. It's not part of any domain. Let me try with credentials, then. Maybe I have older hashes with me. I think that was an issue because my attacker machine had PowerShell version 3 and the victim is PowerShell version 2. So maybe because of that, because I just tested it before the talk.

Okay. So the roles are reversed, so my VM machine is now the attacker.
(Laughter)
Okay. So let's... Okay. I'm... Now if I import the module --
AUDIENCE: (Shouts)
NIKHIL MITTAL: Sorry.
AUDIENCE: Font size.
NIKHIL MITTAL: Yep. Okay. So the module is already there. Either we can download it using this one liner, which is test.
But I'm not going to do that, because I already wasted a couple of minutes. So I renamed it to update it to .psm1, just because I was testing some things. So let's import this. So now we have some functions imported into this current PowerShell session. For example, let's see -- it won't be beautiful, but let's see what is -- some basic information about the client. Okay. Isn't it looking beautiful? As you can see, we have --
(Laughter)
We have logged in -- we have logged in users, PowerShell environment, trusted hosts, for the same sessions, we simply use commands. Are they initiated on the machine? No. Environment. Some details about the current user. SNMP, installed applications, installed applications for the current user, domain or standalone system, contents of the hosts file. Running services, local users, local groups, the LAN info. This is the thing which you message on. Okay? It's a crock.

So this gives us a basic idea about the target system. Now, let's have a look at the basic things like (inaudible) keys. So one thing I would like you to note is, for example, when I say get WM -- this is an independent script. This is not because of Powerpreter. It's residing in that system. Better I get out of this folder. Okay.
So this Get-WLAN-Keys function shows us the keys in plain text of all the WiFi WLAN system, WLAN profiles, the setting on that system, of which it is connected to in the past. Oh, that's my home WiFi.
(Laughter and applause)
Just to make things faster, I made a list of what I want to demonstrate. WLAN keys in clear, done. Keylogger, I'm not showing this. Next time. Okay. We already had hashes. We assumed that we had had hashes. But suppose I got access to this system from a remote shell. You don't have access to the password hashes. Then let's use this. Will we get hashes? No, we won't. Because we need system privileges to execute this thing. So for that we have a helper function, called enable duplicate token. This duplicates the system token from the service, and assigns it to the current PowerShell thread. So we run both of these in tandem. And here we do have the hashes of the system.
(Applause)
Okay. But these are hashes. What if you want LSA secrets from the machine? Let's try it out. But this is a 64 bit system, our new victim. So for that I need to execute -- okay. This is the correct font? 64 bits.
AUDIENCE: (Commenting)
NIKHIL MITTAL: Okay. Thank you. Okay. This is the 32 bit PowerShell, because LSA (inaudible) the 32 bit registry.
And 161 00:25:19,590 --> 00:25:26,590 here we have to --> we will import powerpreter in this 32 bit Powershell, call enable duplicate 162 00:25:34,840 --> 00:25:41,840 and call get LSE, so that works. Let's see. Okay. So we will import it... So we have the 163 00:27:13,369 --> 00:27:20,369 LSS secrets of this machine. So this is --> okay. It's my password. 164 00:27:21,669 --> 00:27:28,669 (Applause) Okay. Now, let me try again to get back to 165 00:27:35,580 --> 00:27:42,339 the older victim. Because for a couple of these things, I have a skilled server running 166 00:27:42,339 --> 00:27:48,749 on the older victim. Rather let's use it on the same machine. 167 00:27:48,749 --> 00:27:55,749 So now we are --> just for the sake of demonstration, we are running it on the same machine. But 168 00:27:57,839 --> 00:28:04,839 I swear it works on the both machines, too. Let's try this and invoke producer, it's a 169 00:28:13,739 --> 00:28:20,739 basic bruteforcer. Let's do it on ourselves. It's bound to be successful because it's running 170 00:28:35,839 --> 00:28:42,839 in the same machine. And we will leave it for now. Let's... Execute some MSS skill commands 171 00:28:46,210 --> 00:28:53,210 on this machine with the user name this and password this. 172 00:29:06,460 --> 00:29:13,179 So it asks whether you want to run a partial shell or a skilled shell or a command shell. 173 00:29:13,179 --> 00:29:20,179 Let's pick partial. So now we have a partial shell on this machine. So let's check what 174 00:29:23,519 --> 00:29:30,519 is the version? So it's version 2. And we can do more stuff. So there are already many 175 00:29:44,330 --> 00:29:51,330 built-in commandlets in partial which could be very useful in a penetration test. For 176 00:29:54,690 --> 00:30:01,690 example, get process. Okay. We do have a basic port scanner, too, 177 00:30:10,869 --> 00:30:17,869 but let's leave it. Okay. 
We do have execute shellcode, but let's leave it, too. Because I want to show you one more thing which was not present in the slides on the DVD. That's why. Let's have a look at pivoting. So there will be pivot to. Meanwhile, it's getting up. Let's have a look at the video. Okay. I'm on the remote machine. Zoom out. Zoom out. As you can see, I'm on the remote machine. Okay. I think I'll open it in VLC. It's not taking it. Okay. I'll try to -- okay. So we are on a remote machine. And I just imported the module. And this is a backdoor called wait for command, which waits -- which polls a URL for commands, and only when -- for those who can't see, I'm sorry. So we have this check URL, this space, and as the payload URL we will use this space for the URL. You can use any service, any website, any web app you want. Okay. We have the check URL, the payload URL, the magic string. The magic string the payload will check -- if the magic string provided to the payload matches this one, only then the payload will execute. This says start 1, 2, 3, and the stop string is stop. Whenever stop comes in place of the start, we will see the backdoor is stopped.

Okay. We just downloaded Powerpreter and got hashes of the system. As you can see, the payload was this. The payload was this. And now we change the payload to maybe Get-Process.
And meanwhile in the background, the backdoor, it's waiting for either the start string or the next command. Until stop is found on the check URL, it will keep looking for new commands or new payloads on the payload URL part. In the time -- it takes one minute, it takes 60 seconds to execute commands in between. So that it doesn't create too much noise or too much traffic to get caught easily. So after waiting for one minute -- okay. So I'm running out of time. So, yes, it will show the process and then I'll change it to stop and it will stop.

Let's leave the payload thing while I blog about it. Okay. Let's see the -- what is the IP of this victim? Assume you have file upload or somehow you can upload files to an ASP.NET machine or server. So you can use this. This will become handy. What is it, 146... first the slides. Because I have made the slides so we have to go through them.

Okay, it's named after the God of death, Antak. How many of you know Antak here? I see a couple of you physicists here, so you might know it. So it's God of death; it sounds bad ass. So it's a web shell in .NET, as I said, that is what I call it; the UI is designed to be -- to look like an actual PowerShell shell, a PowerShell prompt. And you have the ability to download and upload files. You can execute scripts using the encode and execute button.
And if remoting is enabled, you can also run commands on remote machines using this web shell. So before the demo, meet Antak. Oh, what is this? Wife of Antak. So is it visible? Better now? Let's have a quick look at it. If you type help, it will show you how you can execute commands that are on this -- on the victim using this. And the best thing in this is encode and execute, this option. You can actually copy a fairly large PowerShell script in this command console. And when you click it, it uses the compress posh script by Carlos Perez. Thanks to him. It compresses the script and uses PowerShell encoded command to execute it on the victim.

If you want to have a look at it, it will take time. Let's see whether we are really able to do something. Yes, some basic commands. Yes. Users. Any command you want me to run here? Anything. And one thing is if you want to download or upload any file, the help clearly says you have to physically type here. For example, if you want to upload a file to the current directory, you have to put the full name here. Let's say 1. -- no. That's it. Browse for it. Sorry. Browse for it. Select it and upload it. That's a little bit inconvenient, but it's for the purpose of maintaining the feel of a proper PowerShell prompt.

Okay. Limitations. It has to undergo community testing. I've been using this for the past six months. Many of the payloads are already part of Nishang.
So some of them have undergone some testing. Others have not. So bugs will keep coming, I think, but it will improve in time. And one aspect is the key logger does not work from the PowerShell remoting session. I don't know why. It's maybe because of the runspace restrictions from the PowerShell remoting session. I'm not aware of any key logger in PowerShell which runs from a PowerShell remoting session. And yes, backdoors can be detected with careful traffic analysis, because it's a fixed time interval and it will -- in which it polls the source. Payload depends upon PowerShell remoting.

Okay. To conclude with, PowerShell gives you much control over a Windows machine or Windows network and Powerpreter utilizes this thing, in an attempt to ease this most important phase of a penetration test. Obviously there are other ways to do the same thing. PowerShell just makes it or tries to make it easier. I would like to thank, give a shout out, and give credit to all these guys who are friends and fellow PowerShell hackers. So I would request applause for these guys.
(Applause)
And I would like to thank my friend Arthur, who helped me getting here. And there is another interesting PowerShell talk tomorrow by Joe. Please make sure you attend it. Thank you. Any questions, insults, feedback? You're welcome. Thank you.
(Applause)