
Powering Up Linux: Unleashing PowerShell for Penetration Testing and Red Team

BSides Buffalo · 2024 · 26:50 · 96 views · Published 2024-06
Category: Technical
Team: Red
About this talk
Explores PowerShell on Linux as an offensive security tool for penetration testers and red teamers. Covers benefits including minimal logging and remote session capabilities, demonstrates practical attack scenarios like SSH subsystem remoting and credential extraction, and introduces Catalyst, a privilege-escalation enumeration script that automates Linux reconnaissance using PowerShell cmdlets.
Original YouTube description:
This talk explores the dynamic potential of PowerShell for Linux in the realms of penetration testing and red teaming. Delving into its capabilities, attendees will discover how this versatile tool enhances offensive security strategies. Intended for cybersecurity professionals and enthusiasts seeking to leverage PowerShell's prowess within Linux environments, the session promises insights and practical guidance for optimizing offensive tactics.
ABOUT THE SPEAKER: TJ Null, Penetration Tester in the Private Sector. TJ Null is a pentester and red teamer in the private sector. He's very passionate about red team development and supporting open source projects like Kali Linux and PowerShell for Linux. Through his work and contributions to the community, TJ continues to advance the field of hacking and help organizations better defend against cyber threats by sharing his knowledge with the information security community. TJ earned a BS in Cybersecurity from the University of Maryland University College (UMUC), where he is a board member for the award-winning UMUC Cyber Padawans. Over the years, he has participated in many cybersecurity competitions across the globe and is a two-time SANS NetWars Champion, TraceLabs Black Badge Winner, and Hack-A-Sat Finalist.
Transcript (en)

So, welcome everyone. I want to thank you all for taking the time to be here, and also I do want to give a shout-out to the organizers and the volunteers that put this conference together. Sometimes their time goes unnoticed, but I want to make sure that I send a thanks to everybody that made this a part of it. So I want to welcome you to my talk; it's going to be called Powering Up Linux: Unleashing PowerShell for Penetration Testing and Red Team Operations. So for some of you guys that do not know me, my name is TJ Null. I've been a hacker and mostly been working in the pen testing and aerospace and defense sector for about several years. I used to work for a company called Offensive Security; we used to help build out Kali Linux, so many of you pen testers probably use that from time to time. So any tools, any packages, content writing, I was pretty much the guy who did a lot of that back then. Before that I also worked as a SOC analyst, and I'll talk a little bit more about my story about how I got into this stuff. But outside of infosec, because you know we always got to have something to do outside of work, right? I like to play lacrosse, I like to go hike, and also watch sports, so go Bills.

So today, this is going to be the agenda for the talk, right? I'm going to break some things down for you guys. I'm going to give you guys some cool things about why to use PowerShell for Linux in day-to-day operations, and also talk about some of the things that I found. And also we're going to do a bit of a demo. Well, I had some things for the demo that didn't work as planned, but I will be releasing a tool today for any of you guys that want to use this in the operations that you have. And then after that I'll save some time for any questions, any answers, or just any

chitchat, just for fun. So getting started here real quick, by show of hands, how many of you know what PowerShell is? I would hope that most of you do, because otherwise I would have to talk about how, or like what, the purpose of PowerShell is, and I don't really want to do that. I think the slide really kind of covers it itself, but PowerShell is awesome, all right? I mean, for us as pentesters and as red teamers, we love using it in our day-to-day job. Does it get to a point where it gets excessively tiring? Yes it does, because we want challenges, we want to find new things that are out there, and unfortunately PowerShell is still being used as a common dropper in a technique that we use today. But we're not here to talk about PowerShell for Windows; we're going to talk about Linux, right? So why are we talking about PowerShell for Linux? So what's cool about PowerShell for Linux is that when Microsoft was starting to open a lot of their stuff out to the public, they wanted to actually release PowerShell to be a cross-platform scripting language that could be used by anybody. So in 2006, that's when they decided to release it for all Linux operating systems. The first operating systems that actually had it were Ubuntu, CentOS and Red Hat systems at the time.

So how did I get into this stuff, right? So when I was working as a SOC analyst in the private sector, we would have a box that we would just do all of our dirty testing on, and on that box the guys would want Kali Linux on it. And I was like, wait, why are we running Kali Linux to detonate malware on it? That doesn't make sense. And it's like, well, there's different tools that we want to try, there's different techniques that we want to do. So I got stuck with this malware campaign that I was always doing research on called Emotet. Anybody familiar with Emotet, by show of hands? Most, some of you, okay, good. So Emotet is an

annoying campaign. It's probably still around to this day; it doesn't go away. But a lot of what Emotet would do back in 2017 to 2020 was they would always drop some type of macro document, and it'll have some type of PowerShell dropper in it, and PowerShell would be used to basically infect the system by putting another dropper on there or an executable in place, right? So when it got to the point where we were trying to detonate the malware on the system and try to get PowerShell to actually give us the code itself, we would always break our boxes on the Windows side, but on Linux it didn't. So on Linux I was able to get the callbacks, I was able to get the IOC indicators for it, and I would take those IOC indicators, I would then write rules for it for our team, and we would block them out from there. So when it got time to use it for Kali, my team lead was like, hey, you know PowerShell works for Linux, you should actually find a way to get it installed on there. I was like, you know what, challenge accepted, I'll go ahead and try it out. So that's how I got into it. I started looking into PowerShell for Linux, trying to learn how to get into that. I found a bug in it where if you tried to install PowerShell on Kali Linux, there was a specific library that was needed, and that was an old dependency for a lot of other main programs. So if you installed it, nmap would be removed, Metasploit Framework would be removed, all of the big main tools that use it would just get wiped. So I was like, oh crap, this isn't good. So I talked to Microsoft about it and I reported the bug to them, and they were like, this is not an issue, this is not a problem, talk to the Kali team about it. I'm like, okay, let me go talk to the Kali team about it. The Kali team's like, this is not our support, this is not our problem, we're not doing this. I'm like, well, who's going to fix it then?

So I kept trying to find ways to fix it, right? So I found different libraries that actually supported it, that made the changes to it work, worked with Microsoft to get the changes in and get it patched, and we got it patched. So just a little accident is where I started digging more into this, because there's some really cool stuff in PowerShell for Linux, and different commands and different operations, and I'll get into a little bit more about that later when we talk about the capabilities. So then from there, in 2018 when I found that bug, 2019, I worked with the Kali Linux team afterwards and said, hey, what can we do about getting PowerShell installed by default? So in any different Kali Linux operating system that you use, that you build, PowerShell is automatically installed by default. Took us a year to do that, and then the trend kept moving forward. So Ubuntu now, if anybody wants to download Ubuntu Server, in their setup and installation you can actually add PowerShell as an option, and it'll install PowerShell for you on the fly. So moving on to the capabilities with PowerShell for Linux: why use it, right? Well, think of it, cross-platform compatibility is one of the big things, right? Any type of scripts, any tools that you write, any modules that you want to install, you can actually do that. Now there are some modules that won't work, and I'll talk a little bit more about that in a little bit. The next thing I want to talk about: cloud platform integration, right? PowerShell works very well with Azure, and different Azure modules and cmdlets that you can use. You can actually use the Az and Azure AD module, right, if you want to interact with your Azure environments that are in place, which is cool. Flexible scripting language: ever wanted to write bash and .NET and PowerShell at the same time and have it all run together? Yeah, I could do that, it's super cool. And then also, just going back to the libraries and modules, they're easy to install, they're easy to import.

If there's any type of tools or techniques that you wanted to try, you can go ahead and do that with it. So getting into that: why are we actually talking about PowerShell still? I don't get it. Some of us, I know we don't get it still, but some people also say PowerShell is dead. Yeah, it's not. PowerShell is still trending in our world today. So to give you guys some examples, right: Ukraine military, right, recently, it was on February 1st, 2024, a security operations team actually found that Russia was using a malware campaign called skunk worm, and skunk worm was an actual dropper that they packaged in, and that dropper would drop PowerShell onto the systems as their first initial web request, that went through the big ScreenConnect ConnectWise vulnerability that's on SentinelOne. Anybody seen that or had to deal with that last year? Yeah, that was a mess, an absolute mess that a lot of us had to go through and deal with. So some malware campaigns actually were using, were abusing this ScreenConnect ConnectWise vulnerability, and all they had to do was write a simple PowerShell one-liner. That PowerShell one-liner went through AV and EDR defenses that were being used for ScreenConnect, said oh, this looks legit, we're going to go ahead and run it anyway, and that's how they got their malware campaign onto there. It's pretty crazy on how that goes in, and then for some people on the blue team side they're like, but wait, hold on, we have AMSI, we're okay, right? AMSI's going to stop this, no problem. No, no. So OffSec actually, Victor here, actually just released an article two weeks ago. I don't know if anybody's seen it or read it, but what this article talks about is an actual bypass that he found where you don't have to go through VirtualProtect or API-like syscall functions, and it also bypasses memory protections that are in place. All you have to do is just pad and stuff into the amsi.dll buffer,

and from there you can get any code just to pass through and escape into it. So AMSI doesn't even do any of the checking; it just says oh, hey, this looks legit, we'll go ahead and run it. So those are just some examples I want to give you guys about PowerShell. Yes, it's still running in our environments today, it is still being used, you know, threat actors are still using this on a constant basis. So what threat actors still use it to this day? Well, there's a whole list of them. BC Security posted this several months ago, and I still use it to this day as an actual example as to why we still use, we still see these threat actors going out and using PowerShell in this way. MITRE ATT&CK, right, they always post some type of framework or article that talks about the top five, you know, known techniques that are out there that are causing a lot of problems. Where's PowerShell on that list, guys? Number one. Number one, it's awful. So we have that still being used to this day, where it's at. So now that I've given you guys a perspective about how PowerShell works and why we still talk about PowerShell, all right, now we're going to start getting into the Linux side of PowerShell, right? So recently, a lot of my testing that I've been doing lately has actually been not on Windows, not in Windows Active Directory environments. A lot of corporations are now starting to move away from actually building out their Windows server infrastructures and are actually starting to move into more of an Active Directory management server or service with, for instance, Red Hat Satellite and FreeIPA. And so when these companies are using that, they're looking at other tools that they can use, like PowerShell, for actual scripting and automation. Other scenarios I've seen have been hybrid environments where you still have your Windows and you have your Linux stuff, right, and they're all contained in one Active Directory environment that's

being used. With PowerShell we can actually go ahead and interact with a lot of that stuff that's there. So getting into that, right: so what are the benefits, from a pentester's perspective, of using PowerShell for Linux? Well, the benefits are: there's no AMSI. That's the nicest thing ever, no AMSI for security. Remote administration tools: we can use PSSessions to actually interact with Windows systems and Linux systems if PowerShell is actually enabled, and I'll show you guys how that works. There's limited logging capabilities also on Linux. So PowerShell for Windows, right, you can have Event Viewer, or you can have tracing, you can have different IDs, right, to log everything. The only way really to be able to do any type of logging on PowerShell for Linux is by looking at /var/log/messages, if you have the auditd log or the configurations all set up from there. Kind of scary on how that all plays out. Limitations that we got, though: there are some unsupported cmdlets, right? I talked about it earlier: if there's specific tools that you guys want to use or different PowerShell modules that are in place, you might not be able to get them to work. There's some scripts out in the real world still to this day that might not work with the Linux side, so you may have to have a Windows system. Right, ability to use sudo. Yeah, this is the one that stinks. It's like, I want to get root access; can't get root access with it, it's only limited to it. The only way you can is if you run PowerShell with sudo capabilities; that's the only way you can get full root access to the entire system. But most of the time when you're SSHing into a system or you have a subsystem set up in PowerShell, it's usually contained in the environment, but you can still interact with that user's environment or their workspace that's there. That's pretty much it, that's what you can do with it. So let's go ahead and get into some scenarios. So now we're going to actually look at some

that we have here. So talking about initial access, right: so a couple of organizations that I've seen will have a subsystem set up for PowerShell on it. So this is an example right here with SSH remoting. So instead of you going ahead and SSHing into the system and getting a regular Linux shell, you can actually get a PowerShell prompt that shows up in their environments. So in order to do that, what you're going to have to do is a couple of things, right: on the target system that you're using, or let's say, you know, your Linux box that you got, you then have to enable pubkey authentication, password authentication, and then you also have to add the subsystem path of where PowerShell is. So on Ubuntu systems you actually have to go into the snap package path to go ahead and point where PowerShell is, to go ahead and run it in the subsystem, or if you install PowerShell anywhere else by source, you just add that path. Once we go ahead and we add that path and we go ahead and restart the SSH service, then we can actually interact with the session itself. This is where the fun stuff comes in. So if you guys are looking at this a little bit confused, or like how does this all work, right, what we're doing here is we're creating a new PSSession, we are going to our target system and then we're giving a username for it. So think of it just like how you would log into, you know, a Windows system through PowerShell; you're doing the same thing. But what's really cool with the authentication is there's three different ways we can authenticate: with a basic input, we can negotiate with the system, and my favorite out of all is you can actually authenticate with Kerberos tickets. Yeah. So some Linux systems, right, love to use SSSD, the service or the configuration file, right? So we can take a user's Kerberos tickets that are saved there on the system, grab those tickets, and we can log in just like that and get an actual PSSession from there. So once

we create the new PSSession, we can enter it, log into it, and we can run .NET PowerShell commands; we could do whatever we want in this little subsystem. It's crazy. So that's the one cool thing about it. The second thing we can also do is, if we don't want to interact with the session, right, we don't want to have any type of OPSEC, you know, go off, right, or any type of event IDs, we can actually go ahead and invoke commands to it. Anyone ever played with a tool called Evil-WinRM? Okay, so that's a few of you, right? So like in Evil-WinRM, right, you don't really get an actual full session in Evil-WinRM; you are able to pull scripts from your system, right, and be able to run them or import them into it, right, so it runs in that session itself, it doesn't run on the actual disk or on the system for you. So with using the PSSession, all I can do is invoke a command, put a script block in, or import a module, and it'll run it on the system for me without touching disk. How many of you guys are like, wait, is this real? You guys are scared about this? This is cool stuff. It's scary, but it's cool stuff. All right, so now that we got ourselves access to a target, right, let's say we find credentials. We can actually do pass-the-hash if we want; like I said, get a Kerberos ticket, right. What are some things we are going to look for in this PowerShell prompt, right? Well, a lot of DevOps, sysengineers or sysadmins love to create custom variables, and some of them will actually hardcode them in their session. So we can use a cmdlet called Get-Variable, and what Get-Variable does is it'll list all the different variables that someone, or basically what PowerShell has in place, right, so that we can automate things, or for users, right, they create their own. So what I did was I actually wrote a little PowerShell script here, and in

this PowerShell script, what it does is it parses through all the system functions that are already on the system and goes ahead and just gives me a list of what user functions are actually there. So I don't know if anybody, if you guys can see the screenshot a little bit; it looks a little small on my end here. But so what we're basically doing is we're parsing through all of the system cmdlets that are there, getting through the variables on it, and once we go ahead and do Get-LocalUserVariable, right, we see that there is a local user variable called credentials. So once we go ahead and we check out what credentials is, we can then go ahead and see that there is a credential for administrator, and it's under secure string. So what does that mean? Well, that string right there is a variable that we can probably parse, and we can probably extract that to get user credentials on there. So what's really cool about just using this function here, right, is I can get other variables. So any other user variables that are created, like, I can see all that being parsed, which is cool. I mean, cool for the pentest or hacker side; I don't know about the blue team side, I'm sorry about that. But anyways, going to my point where I was going to next, right: so now that we've gone through scenario 2, we know that there are credentials that are there, let's go ahead and see if we can actually extract those, right? So this is where it gets even funnier, right. How many of you guys use the Microsoft Windows credentials module? All right, so you guys use it on Windows. So on Windows, when you're saving credentials on a Windows system, it actually encrypts it; it encrypts it in a string, in a format. On Linux it does not; it encodes any of your strings in hex. Yeah. I don't know why Microsoft did this. I said the same thing when I posted this about it; Microsoft's like, it's a feature, we're not going to make

any changes to it. Like, okay, fair enough, I got that. I got that response too many times. So how do we extract the credential? This is what we do: we go ahead, on the user's PSSession we can go ahead and call out the variable, and we can use a cmdlet called Export-Clixml, and what that's going to do is it's going to go ahead and actually grab the XML data that's saved from that credential, parse the credential for us, and we can actually see it right there. So in here now you see the XML data that's being dumped; you see the username and you see the password, right, and the password is encoded in hex. So how do we decode it? Well, PowerShell's got tools, right, to decode stuff from base64, base10, hex, right? So we can write something just like this: we can write a cmdlet called hex password, right, we put our hex string in there, and then from there we go ahead and we split the hex password, we convert it to ASCII for us, right, to give us the characters, and that's the password we get. So we get the password Summer2024!. That's a great password, got to love it being there. So now that I've shown you guys three little scenarios on how this works, right, now I'm going to show you something really cool where we can automate all that stuff. So it's going to be demo time, so please pray to the demo gods for this one, I hope this all works. So I'm going to introduce you guys to a new tool called Catalyst. And now what Catalyst is, is it's a Linux privesc script that you can use on PowerShell for Linux. It's already focused on the commands that are in .NET Core, and the reason why I wrote it, you can see it there, I just wrote it for fun. I was like, I want to figure out what cmdlets I can use and what cmdlets I can't

use for PowerShell. And since I work with a lot of systems that have PowerShell for Linux on there, I got tired of trying to parse everything, go through command by command by command. And to show you guys how it works, it's really straightforward and simple. So I'm going to go ahead and exit out of the PowerPoint here real quick, and we're going to go ahead and look at some code. Can everybody see that? Huh, not yet? Okay, never mind.

I, oh great, technical difficulties. See, this is why we pray to the demo gods. Okay, okay, and okay, so there's my screen. I guess I have to drag it over, okay. Oh, this is going to be so weird, I got to do it through here. Okay, where's the full screen? Oh perfect, actually, yeah, that works, I can see it there. Thanks, man. All right, so everybody can kind of see this, right? All right, so this is Catalyst, and it's a cool PowerShell script I wrote for all the stuff I've done on assessments, where I've just automated everything and put it into one section here. So right here, starting from line 334 and going all the way down, we have functions that are already built in. So anybody, actually, let me get a show of hands real quick: how many of you guys use Linux privesc scripts on your assessments, like LinPEAS or LinEnum? No? By show of hands, I'm just curious. Okay, so think of it like this, but in PowerShell, just for Linux systems. That's all it is. So what we have is we have functions already written where we can get the host operating system information, we can check to see if a Linux system is actually joined to a domain, right, what is it using to do it, is it using Centrify, is it using realm; we have checks already in place for that,

which is pretty cool. We also have ways to check for processes, getting a list of drives, right: what does the system have for local drives, is it connected to any network drives, any shares. We can get that network activity, check for logged-in users. I like this one, this one's my fun one: check for any type of antivirus installed, even though most of the time most Linux systems don't have AV installed. Check to see if credential manager is installed, any other PowerShell modules we have here. This function here will go ahead and hunt for any type of credentials: any PowerShell credentials, PowerShell scripts, AWS credentials, Azure credentials that are on the Linux target system. PowerShell user history, this is pretty interesting that I found: depending on what Linux operating system you use, PowerShell will have its own file saved for any type of commands that you run in that history, but I've seen on other Linux systems it'll pull not just the PowerShell user history, it will also pull the Linux user's history as well too, so you get it all at once, which is pretty neat. And then a function just to check for useful programs on the target. So this is just a basic, simple privesc script. I didn't add anything else to it; I kind of kept the checks to be the same, but there's some other stuff I've added in there too that you guys are going to see in a little bit. But what's really nice about PowerShell, right, is we can write these functions, we can write all these checks, and all I have to do is, if I want to make a change where if I'm on an assessment or a program, right, and I want to just go ahead and search for PS1 files, all I do is just uncomment the little pound sign here, and that module's going to go ahead and run. Makes it easy, said and done. So going back up, scrolling up here, this is where all the back-end meat comes in. It's a lot that I put into this, but I think it'll be fun for

everybody to use. So all you basically have to do, right, if you're on a target system or you want to run this locally yourself, we're going to go ahead and run it here. I wanted to run this on a target system, but for some reason I'm having some cmdlet, like module issues with WSMan on the Ubuntu side, so I'm going to get that fixed later. But just to give you guys an idea of how quick and easy this is.

And we're done. So scroll up and we'll go ahead and just do a quick breakdown of the data. So start here: you can remove the banner, it's easy to get rid of. We check the PowerShell version that's on the target, what it's running. We check what type of operating system; kernel information is all here, gives a nice breakdown of that. Checking to see if the system's joined to Active Directory, right; tells us it's not joined to Active Directory. Gathering current process list, I didn't have that commented out. Local network drives, that comments out there; there it goes ahead, it shows us the list of the different drives, right, the provider for it, right, how much is used, how much is free in the disk space that we need. Grabbing current network connections, this was fun, right; now there's only just this one, but if there's any other concurrent connections we can see that. Routing information, already pulls that out, puts it in a nice table for us to see as we parse that. Currently logged-in users, antivirus that's on the software, credential manager tools that are installed on the system, that's a plus, and then tools that are installed on the system here. So that's pretty quick just to get all that data. So the only thing that is not included, like PowerShell-wise, like everything is running in this script either on PowerShell or .NET Core, the

only module that is not running in that, and I can go ahead and show you guys here real quick, is this function here called Get-NetworkActivity. The only reason why Get-NetworkActivity is using ss -tanlp, right, you can change it to netstat -nao or -nap if you want, whatever you want to do, you can add the Linux commands for it, right. The only reason why we can't, in PowerShell there's no module that can actually pull the network connection stuff, is because there are certain Windows cmdlets that are needed to run it that are not compatible with Linux right now. So hopefully that'll change in the future. So some of you guys on Windows, if you guys use the Get-NetTCPConnection function, right, that gives you all that status and data; that's the function that they're looking to implement soon in the future. I don't know when yet, but once it does, I hope to make some changes to the script for that, so that it builds and parses all that data out that we see here. So, but going back to the script here real quick and the rest of the output, that's pretty much it, that's how this tool works. So if anybody wants to be able to play with this tool, check it out. If you guys have any feedback, you know, suggestions, what else should be added, features you guys want to write something for it, I'm more than happy to talk more about it on GitHub. The code is all on GitHub for anybody that wants to access it; check it out from there. But other than that, let me go ahead and go back to the PowerPoint here. Current slide, there we go, perfect. Other than that, that's pretty much it for my talk. I hope you guys enjoyed this, but does anybody have any questions or things they want to talk about? No? No questions? Pretty straightforward, I [Laughter] guess. Awesome. Well, thank you guys for coming to my talk, I really do appreciate it, and I hope you guys enjoy the rest of BSides Buffalo today. Thank you, guys.
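The credential-extraction scenario in the talk (scenario 3: `Export-Clixml` on Linux writes the `SecureString` as hex rather than a DPAPI blob) is the behaviour a Linux administrator most needs to be able to verify and mitigate. The following is an added example written for this page, not code from the talk or from the Catalyst project. It assumes PowerShell 7 on Linux; the directory, the `administrator` credential and its placeholder password are constructed for the demo. It shows a detection check that tells an unprotected (UTF-16LE-in-hex) `<SS>` payload apart from a Windows DPAPI blob, and the keyed `ConvertFrom-SecureString -Key` form that actually encrypts the value on any platform.

```powershell
# Added example (not from the talk or Catalyst). Assumes PowerShell 7 on Linux.
# On non-Windows, Export-Clixml has no DPAPI, so a PSCredential password is stored
# as the hex of its UTF-16LE bytes. Below: a detector for such files, then an
# AES-keyed alternative. Paths and credential values are constructed for the demo.

function Get-ClixmlSecureStrings {
    # Returns every <SS> (SecureString) element in a CLIXML file: its N attribute and raw payload.
    param([Parameter(Mandatory)][string]$Path)
    $doc = [xml](Get-Content -Path $Path -Raw)
    foreach ($node in $doc.SelectNodes('//*[local-name()="SS"]')) {
        [pscustomobject]@{ Name = $node.GetAttribute('N'); Payload = $node.InnerText }
    }
}

function Test-UnprotectedSecureString {
    # Heuristic: the unprotected non-Windows form is UTF-16LE text in hex, so every
    # 4-hex-digit unit ends in "00" for ASCII input. A Windows DPAPI blob also
    # serialises as hex but starts with the DPAPI header 01000000D08C9DDF...
    param([Parameter(Mandatory)][string]$Payload)
    if ($Payload -notmatch '^[0-9A-Fa-f]+$' -or ($Payload.Length % 4) -ne 0) { return $false }
    if ($Payload -match '^(?i)01000000D08C9DDF') { return $false }   # DPAPI-protected
    $units = [regex]::Matches($Payload, '.{4}') | ForEach-Object { $_.Value }
    return -not ($units | Where-Object { $_ -notmatch '00$' })
}

# --- Demo ---------------------------------------------------------------------
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'clixml-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# Constructed credential; the password is a placeholder, not a real secret.
$secure = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force
$cred   = [pscredential]::new('administrator', $secure)

# Weak: Export-Clixml on Linux -> <SS N="Password"> holds hex of the plaintext.
$weakPath = Join-Path $demoDir 'cred.xml'
$cred | Export-Clixml -Path $weakPath
foreach ($ss in Get-ClixmlSecureStrings -Path $weakPath) {
    $state = if (Test-UnprotectedSecureString -Payload $ss.Payload) { 'UNPROTECTED' } else { 'protected' }
    '{0}: {1} ({2} hex chars)' -f $ss.Name, $state, $ss.Payload.Length
}

# Hardened: AES-256 via -Key. The key lives apart from the ciphertext (here a
# 0600 file owned by the running user; a secret vault is the better home).
$key = [byte[]]::new(32)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$keyPath = Join-Path $demoDir 'cred.key'
[IO.File]::WriteAllBytes($keyPath, $key)
chmod 600 $keyPath
$encPath = Join-Path $demoDir 'cred.enc'
ConvertFrom-SecureString -SecureString $secure -Key $key | Set-Content -Path $encPath

# Round trip: only a holder of the key file can rebuild the credential.
$restoredSecure = ConvertTo-SecureString -String (Get-Content -Path $encPath -Raw).Trim() `
                    -Key ([IO.File]::ReadAllBytes($keyPath))
$restored = [pscredential]::new($cred.UserName, $restoredSecure)
'Round trip user: {0}; password length: {1}' -f $restored.UserName,
    $restored.GetNetworkCredential().Password.Length
```

Run it with `pwsh ./clixml-demo.ps1`; the first line of output reports `Password: UNPROTECTED (22 hex chars)` for the constructed credential, because each of the eleven characters becomes a two-byte UTF-16LE unit whose high byte is zero. `Test-UnprotectedSecureString` can be pointed at any `*.xml` file found in home directories or CI workspaces to inventory credentials that were exported this way; it is a heuristic (non-ASCII passwords break the `00` pattern), so treat a hit as something to review, not a verdict.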
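Two of the talk's points concern host configuration rather than the tool itself: the SSH subsystem entry that hands a remote user a PowerShell prompt, and the claim that logging on Linux amounts to watching /var/log/messages. The following is an added example written for this page, not the speaker's or the Catalyst project's code. It assumes PowerShell 7 on Linux, where `$PSHOME/powershell.config.json` controls script block logging and the output goes to syslog/journald with the identity `powershell`; the `sshd_config` excerpt and both JSON documents are constructed for the demo, and the snap path in the excerpt is only an illustration of the Ubuntu case mentioned in the talk.

```powershell
# Added example (not from the talk or Catalyst). Assumes PowerShell 7 on Linux.
# Audits: (1) does sshd expose a 'powershell' subsystem; (2) does the host-wide
# powershell.config.json enable script block logging (which on Linux lands in
# syslog/journald, not a Windows event log). Sample inputs are constructed.

function Get-SshPowerShellSubsystem {
    # Parses sshd_config lines; returns any 'Subsystem powershell <command>' entries.
    param([Parameter(Mandatory)][string[]]$ConfigLines)
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*Subsystem\s+(?<name>\S+)\s+(?<cmd>.+)$' -and $Matches.name -eq 'powershell') {
            [pscustomobject]@{ Subsystem = $Matches.name; Command = $Matches.cmd.Trim() }
        }
    }
}

function Test-PwshScriptBlockLogging {
    # Reads a powershell.config.json document and reports its logging posture.
    # Missing keys evaluate to $null, which [bool] maps to $false (logging off).
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    $sbl = $cfg.PowerShellPolicies.ScriptBlockLogging
    [pscustomobject]@{
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
        InvocationLogging  = [bool]$sbl.EnableScriptBlockInvocationLogging
        LogLevel           = if ($cfg.LogLevel) { $cfg.LogLevel } else { 'default' }
    }
}

# --- Constructed sshd_config excerpt (the subsystem form the talk describes) ---
$sampleSshd = @'
# constructed sample, not a real host's file
PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem powershell /snap/bin/pwsh -sshs -NoLogo
'@ -split "`n"

'--- SSH subsystems granting a PowerShell prompt (sample) ---'
Get-SshPowerShellSubsystem -ConfigLines $sampleSshd | Format-Table -AutoSize

# --- Weak vs hardened powershell.config.json (constructed) ---
$weakJson = '{ "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned" }'
$hardJson = @'
{
  "PowerShellPolicies": {
    "ScriptBlockLogging": {
      "EnableScriptBlockInvocationLogging": true,
      "EnableScriptBlockLogging": true
    }
  },
  "LogLevel": "verbose"
}
'@

'--- Logging posture: weak (default-like) config ---'
Test-PwshScriptBlockLogging -Json $weakJson | Format-List
'--- Logging posture: hardened config ---'
Test-PwshScriptBlockLogging -Json $hardJson | Format-List

# --- Live checks on this host, when the files are present and readable ---
$liveCfg = Join-Path $PSHOME 'powershell.config.json'
if (Test-Path $liveCfg) {
    "--- Live: $liveCfg ---"
    Test-PwshScriptBlockLogging -Json (Get-Content -Path $liveCfg -Raw) | Format-List
}
if (Test-Path '/etc/ssh/sshd_config') {
    '--- Live: /etc/ssh/sshd_config ---'
    Get-SshPowerShellSubsystem -ConfigLines (Get-Content -Path '/etc/ssh/sshd_config') | Format-Table -AutoSize
}
```

With the hardened JSON written to `$PSHOME/powershell.config.json`, each script block that `pwsh` compiles is recorded through syslog (on systemd hosts, `journalctl -t powershell` shows it), so the `Invoke-Command` and script-block usage described in the talk is no longer invisible. The sshd check is the companion control: an organisation that deliberately exposes `Subsystem powershell` should know which hosts do so and treat the account allowed to reach it like any other remote shell account.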