Searching for password files in PowerShell on a Penetration test!

Searching for password files in PowerShell

Searching for files in PowerShell, more specifically potential password files. During the course of a pentest, once you have compromised a Windows host there is a good chance that you will want to enumerate the box further and gather as much information as possible. If you are a low-privilege user you are likely going to want to escalate your privileges to a higher-privileged account. This is known as post-exploitation, and it will most likely include searching the local system for passwords. Sure, we can use the Windows built-in GUI, but we can also use PowerShell. We can use the following syntax in PowerShell to search for files with the text ‘password’ in the filename, just like below. We use the wildcard ‘*’ at either end of ‘password’ so we can match variations in the file name. Ace!

Searching for files in powershell

Simple and quick!


Conducting a PowerShell Port Scan – Post Exploitation

How to conduct a PowerShell port scan. Using PowerShell to conduct a simple port scan is very useful. If you have compromised a Windows server on a pentest and want to conduct a quick port scan, you can use PowerShell. This might be to verify open ports on a neighboring system or to check egress filtering outbound to the Internet using a public IP.

Using this simple one-liner will produce a port scan of all ports 1-65536; the code snippet will also prompt you for the IP address you want to port scan. Of course you can swap out the port range, or simply substitute the ‘1..65536’ for something shorter like ‘80, 445, 3389’, just like in the second example:

And in action this looks like the below:

PowerShell Port Scan

Check your Egress Filtering with a PowerShell port scan script

Firewall Egress Filtering Check with PowerShell

This is just a quick post so I can refer back to it myself more than anything! However, these few lines are useful for conducting a port scan from a Windows device with PowerShell. This can be used in a number of situations, but is especially handy for checking your egress filtering out to a server on the Internet or to a segmented network. In the few lines below we are testing the first 1000 ports; this can be bumped up to 65535 if wanted, and the server that you are port scanning is listed as X.X.X.X.

This particular script has been pulled from Black Hills Information Security page here. An alternative from Microsoft’s ‘Hey, Scripting Guy! Blog’ can be found here.
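The port-scan one-liner above and the egress check here are the same loop at heart: one TCP connect per port. The script below is an added example written for this page (it is not the post’s own snippet, nor the Black Hills or Scripting Guy scripts); it does that connect with a per-port timeout against a server you control, and the target placeholder, port range and timeout are assumptions.

```powershell
# Added example for this page, not the post's snippet: TCP connect-with-timeout
# check against a server you control, to see which outbound ports the perimeter
# actually permits. Target (placeholder), port range and timeout are assumptions.
param(
    [string]$Target  = 'X.X.X.X',   # placeholder: your own Internet-facing test host
    [int[]]$Ports    = 1..1000,     # first 1000 ports as in the post; 1..65535 if wanted
    [int]$TimeoutMs  = 500
)

function Test-EgressPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect plus a wait handle gives a per-port timeout; a plain
        # .Connect() blocks for the OS default (tens of seconds) on a dropped SYN.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Filtered'      # nothing came back: something silently dropped the packet
        }
        $client.EndConnect($async) # throws on RST or ICMP unreachable
        return 'Open'
    } catch {
        return 'Closed'            # answered, but not by a listener
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) {
    [pscustomobject]@{
        Port  = $p
        State = Test-EgressPort -ComputerName $Target -Port $p -TimeoutMs $TimeoutMs
    }
}

# 'Open' means a listener on the test host answered; 'Closed' means a RST or ICMP
# unreachable came back (from the test host, or from a firewall that rejects rather
# than drops); only 'Filtered' is a silent drop, which is what you want to see for
# any port outside your approved outbound list.
$results | Where-Object State -ne 'Filtered' | Format-Table -AutoSize
```

Run it from the network segment you are assessing; if the test host listens on nothing, a ‘Closed’ on a port still proves the path out is open for it.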

The Common Problem

Organisations often lack adequate egress filtering; by this I mean that outbound connections can be established on a number of ports from within the heart of the network. Client machines and typical internal application servers don’t need to access a wide range of services out on the Internet. Once a nasty exploit has got an attacker onto a network they will look to get a foothold, move laterally and phone home to a command and control server. Having a range of ports open to clients and servers allows attackers to make outbound connections from a whole host of tools, including PowerShell for that matter.

The Solution

Check your egress filtering and lock down any unwanted open ports out to the Internet; your perimeter firewalls should not allow these outbound connections. Obviously certain services are going to need to make outbound connections, such as web proxies and email gateways, and these rules should be appropriately provisioned. To take this one step further, enable outbound firewall rules on your local hosts. ‘Hang on a sec, you must be crazy’, I hear you say, but by doing this you will help prevent attackers moving laterally through your network as well as getting off your network back out to the Internet.


Monitoring ‘Domain Admins’ with PowerShell!

Free Active Directory Monitoring with PowerShell, keep an eye on those high privilege level groups!

Monitoring Active Directory groups such as ‘Domain Admins’ (DA) and ‘Enterprise Admins’ (EA) in Active Directory (AD) is vitally important within your IT shop. You need to be aware of any changes happening to high-privilege groups, especially ones that have the level of access that the DA and EA groups have. This of course extends further than just the AD privileged groups: there are also the high-level application groups that you may want to monitor, such as those for Lync and SCCM. The worst-case scenario is that you find a username you are not aware of has been dropped into your DA group; as soon as this happens you want to know and investigate immediately. You don’t need any fancy tools to monitor Active Directory groups, you just need a few lines of PowerShell coupled with the Send-MailMessage cmdlet and bingo, you have some powerful alerting.

I’ve just pulled the below script together in a few minutes; it very simply pulls the DA group and emails the contents to the location set in the script.

This is just a simple script to query the contents of a group and mail it. What you would ideally want is a comparison of a before and after state and some intelligence within the script to either email you if any changes have been made, including the additions, or do nothing if no changes have been made. Scheduling the script to run every 5 minutes with Task Scheduler then gives you a pretty good overview of your high-privilege accounts. Such a script thankfully already exists over at TechNet.
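The before-and-after comparison described above, as an added example written for this page (it is not the post’s script and not the TechNet one); the group list, snapshot directory and mail settings are assumed placeholders.

```powershell
# Added example, not the post's script or the TechNet one: snapshot each privileged
# group, compare with the previous run, and mail only when membership has changed.
# Group list, snapshot directory and mail settings are placeholder assumptions.
Import-Module ActiveDirectory

$Groups      = 'Domain Admins', 'Enterprise Admins'   # add Lync/SCCM admin groups as needed
$SnapshotDir = 'C:\ProgramData\ADGroupWatch'          # placeholder: where last-seen lists live
$Mail = @{
    From       = 'adwatch@example.com'                # placeholder
    To         = 'soc@example.com'                    # placeholder
    SmtpServer = 'smtp.example.com'                   # placeholder
}
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

foreach ($group in $Groups) {
    # -Recursive so an account added via a nested group is caught as well
    $current = @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique)
    $file = Join-Path $SnapshotDir (($group -replace '\s', '_') + '.txt')

    if (-not (Test-Path $file)) {
        # first run: record the baseline and mail it so someone verifies it is sane
        Send-MailMessage @Mail -Subject "Baseline recorded for '$group'" -Body ($current -join "`n")
    } else {
        $previous = @(Get-Content $file | Where-Object { $_ })
        $added    = @($current  | Where-Object { $_ -notin $previous })
        $removed  = @($previous | Where-Object { $_ -notin $current })
        if ($added.Count -or $removed.Count) {
            $body = @(
                "Membership of '$group' changed (checked $(Get-Date -Format s))",
                "Added:   $($added   -join ', ')",
                "Removed: $($removed -join ', ')",
                "Current: $($current -join ', ')"
            ) -join "`n"
            Send-MailMessage @Mail -Subject "ALERT: '$group' membership changed" -Body $body
        }
        # no change: stay silent, as the post suggests
    }
    $current | Set-Content $file   # this run becomes the reference for the next one
}
```

Schedule it every 5 minutes with Task Scheduler under an account that can read AD; only the very first run per group mails a full listing, after that you hear about it only when someone is added or removed.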

Alternative tools do exist, such as SolarWinds LEM and ChangeAuditor, however this is free after all and requires very little effort to implement!