
BSidesCharm - 2018 - Adding Simulated Users to Your Pentesting Lab with PowerShell

BSides Charm · 36:54 · 12 views · Published 2021-05
About this talk
Pentesting labs tend to have isolated boxes representing specific vulnerabilities. This doesn't do a great job of mimicking real-world networks, which have active users and network activity. We created a tool set to introduce simulated users to a lab environment, which enables us to accurately model real-world corporate networks and allows additional attack vectors to be explored in a safe setting. During this talk we'll go over the major functions of the tool and showcase its capabilities with a live demonstration.

Presenters: Chris Myers (@swizzlez_) and Barrett Adams (@peewpw)

Chris is an experienced penetration tester and red teamer who has led a diverse range of red team assessments: from internal networks, to spear-phishing exercises, to web and mobile applications. These assessments have given him exposure to a breadth of industries (pharma, finance, healthcare, technology, etc.), through which he has developed a unique perspective on the current information security landscape. His areas of interest include exploit development, offensive security training and education, and automation and tool development.

Barrett is also a red teamer and security professional with experience performing a variety of red team assessments. His focus has been on assessing externally facing networks, where he has developed a number of useful automation scripts to search for, consolidate, and organize a company's internet presence. More recently, he has created red team tools such as Invoke-PSImage for stealthy payload delivery and Invoke-WCMDump for dumping Credential Manager passwords.
Transcript [en]

Hi folks, Irongeek here. Unfortunately the device that was capturing the camera had some problems. We thought we were still getting sound because the indicators were still showing sound, but that did not work out. I do have audio in this talk once you get to the 21 minute mark or so, or you can go see the version that they performed at BSides Nashville this year. Sorry for the inconvenience.

All right, so that's what it's like running just locally. That's pretty useful if your home lab is just a desktop or a laptop with a few VMs on it. If you have a dedicated lab environment, then you might have 10 or 20 systems running on it, and you don't want to have to go in and execute the script after logging in as your target user. So that's where we use the remote stuff. We're going to jump to our lab that's up in AWS, which has a number of systems on it, and show you what it's like to do some of that remote configuration and execution of the script.

So let's take a look at that config file before we actually run it. This is what it looks like for our script at the moment. The server IP specifies the server we're running this from, because it'll actually create a share there that the remote hosts need to reach back to, just once, to grab the content of the script. Then our check-in intervals are here, and link depth, and then here are the actual hosts that we're going to run on. Same command here, except we don't have a standalone flag; we've got the config.xml flag and then specify that file we just showed you, and we can just go ahead.

So this is actually a different function inside the tool. Invoke-ConfigureHosts will run that configuration we talked about, so we're going to do that first before we actually kick it off. This is just going to add all of our users to the Remote Desktop Users group and change those couple of registry key settings we were talking about. The red errors you see right here are our lazy programming: those users are already assigned to the groups on these workstations, so it's just giving you an error saying that the user is already in the Remote Desktop Users group. It's not breaking anything; it's just not handling that error very well right now.

Once you've configured your remote host based on your config file, you should be able to just run it, and if you give it the all flag it should do both internet browsing and the share mapping, and then also it should check the email for any new emails and open up attachments and links. I'm going to go over how it's doing all the stuff there. So you can see a bunch of output here. To kick off the remote tasks we're actually using scheduled tasks, because that was the easiest way we could find to kick off those tasks in the interactive session. Most of the other ways that come to mind, like WMI or PsExec or that kind of thing, will run those tasks in session zero, which does not show up at all and would not be how a real user runs Internet Explorer or Outlook or anything. So that's the big object you can see here, the scheduled task object, and then you can see some cmdkey things here; that's what we're using to do the scripted remote desktop, adding the credentials with the local cmdkey, which adds them to the Credential Manager. It saves them as associated with that target, and then we clean up afterwards after we do the remote desktop. So we should have four of these remote desktop sessions running, and hopefully they all have Internet Explorer up by now.

Looks like they do; that's good. Maybe even on our Reddit one you'll see it go to a different link than its home page. Okay, we'll use something other than the BBC for that demo; that's gone somewhere. So what we wanted to show next was what it looks like to do a phishing campaign on these users. We can just send a link to start. Yep, we can send a link. So the Outlook functionality of this, what it does right now is it does the send/receive and then it waits a solid minute or so, because we're finding that if you try to do a send/receive and then open email right away it's going to miss a lot of emails, so you've got to give it some time for new email to come in from the mail server. I should also note that if you want to simulate phishing campaigns like this, you do have to have Office installed, Outlook, for this tool, and then Outlook has to be configured to be connected to a mail server. So whether that's GPO settings, you know, automatically configuring your user to set up their Outlook account when they first log in, or you go in and do that configuration yourself: we don't have that as part of the configuration script right now, but if it's not too much, that's something we're looking to add into it later.

All right, did you send that to everyone? Yep, sent to all four of these. All right, so in a minute or so we should see a new Internet Explorer process pop up on these hosts going to Google, I think you put in. And what we do with that is, if you're sending links, we only spawn that Internet Explorer process for 15 seconds before we kill it, so that way you can do this a bunch of times and not have like 30 Internet Explorer sessions running on your remote hosts and bogging it down. So hopefully this comes through shortly.

This is my fail-safe to check to see if Outlook is actually doing scripted Outlook things. We've managed to land on some interesting pages here, MSN in some other language; I'm going to put her away. All right, we've got Google, here we go. You see Google over on this one, and that should also get killed and go away shortly. So you can see these emails come in at different times on each of these systems, just based on however our mail server is feeling like delivering the emails.

All right, so we can also send more malicious payloads than just links. We have a demo Office macro attack configured here which is going to use Cobalt Strike, and it's just using the default beacon macro that comes built in with the tool. We don't have AV or anything like that configured on these systems, because this would definitely get caught, but it works for demonstration purposes. So after that gets sent out we should have the uncomfortable wait period again, but then once the emails come in they should save those attachments to one of those trusted directories, I think it's like AppData Temp or something like that, and then open them, and that'll automatically execute the macro, and we should see some command and control channels come back here in a minute.

That guy just got his Google email. Yeah, these guys are lagging today. We hadn't considered it yet, because Internet Explorer is what we see most places, but it wouldn't be hard to add it in there. IE is pretty safe because it's always going to be installed on the Windows systems that you're running it on, so if we want to do Chrome or something we could probably add it as a flag to specify Chrome or Firefox. I guess another safe way to do that would be to go with the default browser. Yep, you could do that too. Hey, somebody got owned! All right, so one of our users managed to open that email and enable macros, enable content and run the macro, all without us having to go onto that system and touch anything. So when you just have a couple of systems it's not so bad to do it yourself, but you can see how having this running in an environment with, you know, 30 different users would really make your phishing campaigns and other scenarios a lot more realistic. Given how long it took for our second Google to show up, this might be another minute.

So the only limitation so far on scaling out to larger environments is that it does open up a remote desktop process to each system, but that actually doesn't take up that much memory or processing or anything, and you can disconnect those sessions. So we've considered doing things like closing those sessions after they open. We haven't run it on 20 or 30 systems yet, so it hasn't been an issue for us, but we've also made some minor adjustments to the scheduled task and configured auto-logins. So for the labs that we give people, we have it just run as an auto-login script, so that way any time we boot up the system it'll be persistent through reboots and just automatically log the user on and then start the task on logon. So it should scale pretty well. If you're trying to do it on a ton of systems with remote desktop it might get buggy and slow on your remote server that you're launching it from, but we haven't actually run into any performance issues with that yet. You, sir.

I think we've managed to get back all of our C2 channels as well, so that seems to have worked. Survived another live cloud demo. It's dangerous. [Applause] All right, so some of the future work that we want to do with this tool is mostly around adding additional user behavior. Right now it's kind of limited in what types of activities it simulates, even though we think, you know, opening emails, browsing the internet, mapping shares, that sort of activity is kind of the bulk of what the average user is going to do day to day. We want to be able to expand that a little bit, and especially in the phishing realm of things: a lot of phishing attacks aren't necessarily sending macros out; you might be just trying to collect credentials. So we want to build in a way to automatically submit credentials to logon forms on web pages that you visit, and also enable you to download and execute hosted files, so instead of sending an attachment you could host your payload and then send a link, and the user would go to the link, download and execute the file. We also want to do actual file reads and writes to the network shares, so not just trying to map illegitimate shares that don't exist but also going to real shares and doing file reads and writes, just to create some more legitimate-looking network traffic. We are also considering a C# version, so if you're doing anything crazy with whitelisting or you don't have PowerShell in your lab on certain systems, you can just drop an executable to disk and run it and it should be fine.

So we also want to branch out and do more than just your average user simulation, with a tool that would simulate sysadmin-type activities: anything from remote PowerShell commands, administrative logins, making configuration changes. One of the big reasons for that is we want to open up the tool. Right now it's kind of focused on red teamers and pen testers, to make the lab more realistic and go in and learn how to hack things, but we also realize that labs can be really useful for blue teams too. So if you have a SIEM in your lab and you're ingesting a bunch of logs, if you're just running this tool and having your attackers go in and create red team traffic, or using a red team automation type tool, it's going to be really easy for your threat hunters or your SOC analysts to go into your SIEM and identify all the bad traffic, because you can probably just say, okay, well, anywhere PowerShell with a 500 character command line length was run, that's where all my bad guys are. So this should hopefully expand that to create some additional legitimate-looking remote administration type traffic, to make it more realistic for actually identifying malicious behavior. Anything to add? No, that's it. All right, well, I know we're a bit early; our demo went smoother than expected, so if you have any questions feel free to ask them now.

We haven't considered that yet. It's an interesting thought. I don't think we have any plans to immediately do that, because there's lots of stuff we still want to add on with just the Windows version, but I can see how it'd be useful, so we'll keep it on the radar for things to do when we run out of other ideas. All right, any more? We still have a 50 gift certificate, but I guess it goes to that man. [Laughter] All right, well, thanks everyone. We'll be around for a while after this, so if you have questions or think of something you didn't want to ask here, we'll be around outside. Thanks.
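The host configuration and remote-execution mechanisms described in the demo, as an added example that is not the presenters' code: a membership check before adding the simulated user to Remote Desktop Users (the source of the red errors in the demo), a scheduled task registered with an interactive logon type so the script runs in the logged-on desktop session instead of session 0, and cmdkey around mstsc for the scripted RDP logon with the saved credential removed afterwards. The share path, task name, function names and credentials are assumptions for an isolated lab; the tool's real flag and file names are not known from the transcript.

```powershell
# Added example, not the presenters' tool. Three helpers mirroring the
# mechanisms described in the talk; every name below is a lab placeholder.

# Runs on the lab workstation (e.g. via Invoke-Command from the control server).
# Adds the user to Remote Desktop Users only when not already a member, which
# avoids the "already a member" errors seen in the demo.
function Add-SimUserToRdpGroup {
    param([Parameter(Mandatory)][string]$User)
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
               Select-Object -ExpandProperty Name
    if ($members -notcontains "$env:COMPUTERNAME\$User") {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
    }
}

# Runs on the lab workstation. The Interactive logon type starts the script in
# the user's logged-on desktop session, so Internet Explorer and Outlook appear
# as for a real user; WMI or PsExec would start it in session 0 with no window.
function Start-SimUserTask {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$ScriptPath = '\\10.0.0.5\UserSim\Invoke-UserSim.ps1', # placeholder share
        [string]$TaskName   = 'UserSim'
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -File `"$ScriptPath`" -All"
    $principal = New-ScheduledTaskPrincipal -UserId "$env:COMPUTERNAME\$User" `
                     -LogonType Interactive
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName
}

# Runs on the control server. Saves the RDP credential with cmdkey so mstsc logs
# the simulated user on without a prompt, then removes it once the session is up.
function Connect-SimUserDesktop {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,
        [int]$LogonWaitSeconds = 15
    )
    $target = "TERMSRV/$ComputerName"
    cmdkey /generic:$target /user:"$ComputerName\$User" /pass:"$Password" | Out-Null
    try {
        Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName"
        Start-Sleep -Seconds $LogonWaitSeconds   # let the logon finish before the credential is removed
    } finally {
        cmdkey /delete:$target | Out-Null
    }
}
```

Register-ScheduledTask and Add-LocalGroupMember need an elevated session on the workstation, and the task only runs while the simulated user is actually logged on, which is why the RDP logon comes first in the demo.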