Catching Up
So I have been back for about 2 weeks now and things have been hectic, to say the least.
Hajj was awesome and I doubt I can do the subject justice, and while being back is awesome I miss everything about the trip.
Since I have gotten back I managed to give myself a crash course in C and write my first workable app (just barely though :P ).
But getting back to work at this time of year is tough, to say the least, because everyone is going on holiday just while you are getting started.
I have a few interesting things that are keeping me going for now. First off, my promise to write up the rest of my PowerShell talk. Once that is done hopefully I can get back to RemoteLeecher.
There is still much that needs to be done, so till next time (or till I have insomnia again).
RC1140
[ZaCon] Getting started with PowerShell
Hello and Getting Started
So post ZaCon2 I thought it would be good to do a follow up to my talk; this will hopefully give me a chance to explain things more in depth and also get feedback.
The content will be almost identical, with minor additions.
So as detailed before, one of the main reasons you would want to use PowerShell is that it is available by default on more and more Microsoft operating systems. At the moment that is limited to Windows 7 and Windows Server 2008 R2 (it is a separate download for older versions), but Microsoft has stated that it will be included in future versions of Windows.
As to what PowerShell is: it is a shell that supersedes the CMD.exe shell people have become used to in Windows. Together with this it is also a complete scripting and automation language with tight integration with the .Net framework. The .Net integration means that it does not need to cover every piece of functionality itself; it can instead fall back on .Net for anything it lacks.
Accessing PowerShell and the Basics
For the most part I will run the entire post through the ISE, the Integrated Scripting Environment, which provides extremely useful functionality in the form of a unified editor, console and debugger.
Download the following Hello World script.
Launch the ISE and open the script once it has been downloaded (you can launch the ISE by typing PowerShell ISE into the search box on the Start menu).
Once the script has been loaded you can run it as is with no modifications needed. The script doesn't do anything useful other than output strings to the console; its purpose is just to show how to do basic things in PowerShell.
Hello World Explanation
I am going to go line by line (over the important ones at least) through the file, explaining what each does.
Line 1: This is simply an example of an inline comment. Anything typed after a # symbol is not executed; the comment does not need to be on its own line, it could be at the end of a line if required.
Line 2: This shows the basic creation of a variable and casting it to an int type, though the cast is technically not required here since the value is an empty string, which PowerShell converts to 0.
Line 3: This shows how values are returned from functions and how to output them to the console (naming a variable on a line by itself writes its value to the output). The alternative way to output to the console is to use Write-Host $CleanVariableName.
Lines 4-8: Show a multi-line comment; nothing between <# and #> is executed.
Line 9: Again this is the creation of a variable, but because {} are used around the variable name we are allowed to put any characters between the two braces. Case in point: we used a # symbol, which is otherwise the comment symbol.
Line 13: This shows the first use of quotes in PowerShell. For those coming from .Net, both single and double quotes produce a string, rather than a char and a string as in C#. This line just shows how to concatenate two strings.
Lines 15-16: Show the beauty of using double quotes. They allow us to embed variables in a string, removing the need to concatenate and avoiding long, ugly expressions. Single quotes do not expand variables.
Lines 18, 25, 33, 41: These lines respectively show the various loops available in PowerShell (for, while, do-while and foreach). The only thing to keep in mind is the -lt on line 20: PowerShell does not use < and > for comparison (they are reserved for redirection); it uses -lt, -gt and friends instead. To get details on the rest of the operators run the following command in PowerShell: get-help about_comparison_operators
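The Hello World script itself was a separate download, so here is an added reconstruction of it from the explanation above, written for this page rather than taken from the talk; it covers the same features in the same order, but its line numbers do not match the ones referenced above. Every value in it is a made-up placeholder.

```powershell
# Comments: anything after a # is ignored, even at the end of a line
[int]$Counter = ""        # the [int] cast turns an empty string into 0

function Get-Greeting {
    return "Hello World"  # whatever a function outputs is returned to the caller
}
$Greeting = Get-Greeting
$Greeting                 # naming a variable on its own outputs it ...
Write-Host $Greeting      # ... as does Write-Host (straight to the console, not the pipeline)

<#
   A block comment: nothing between <# and #> is executed.
   Useful for documenting a script or disabling a section while testing.
#>

# Braces let a variable name contain spaces, punctuation, even a # symbol
${A variable with # spaces and a hash} = "braces allow any characters in the name"
${A variable with # spaces and a hash}

# Single and double quotes both make strings (there is no char literal as in C#)
$First = 'Hello'
$Second = "World"
$First + ' ' + $Second                       # concatenation with +

# Double quotes expand variables and $( ) subexpressions; single quotes do not
"$First $Second, counter is $Counter"
'$First $Second'                             # printed literally, as typed
"Next value: $($Counter + 1)"

# Loops. Comparisons use -lt, -le, -gt, -ge, -eq, -ne; never < or >
for ($i = 0; $i -lt 3; $i++) { "for: $i" }

$i = 0
while ($i -lt 3) { "while: $i"; $i++ }

$i = 0
do { "do-while: $i"; $i++ } while ($i -lt 3)

foreach ($word in @('Hello', 'World')) { "foreach: $word" }

# Full list of comparison operators:
# Get-Help about_comparison_operators
```

Paste it into the ISE and press F5; each line that is a bare expression writes its value to the output pane, which is why the script needs no explicit print statements apart from the one Write-Host.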
That pretty much takes care of the Hello World script. Till the next post, try to play around with the basics or even try converting some of your existing scripts.
Also, since I have no idea how or if tumblr supports comments, please hit me on twitter (RC1140) or mail (jameel at superuser.co.za).
~RC1140
The Road to CryptProtectData
My word, was this one long and annoying function to get working in PowerShell.
So as many of you might know I love anything and everything to do with PowerShell, and as such when I had the task of creating an RDP brute forcer I was naturally excited.
But there was one slight problem: I did not want to go down the route of making a brute forcer which just sent key strokes to the server. While this does work, in my mind it is surely not the cleanest or best way to do it. So after some research I decided to try generating RDP files which connect to the server of your choice.
This process had its own flaws, but when stuck between a rock and a hard place I stuck with the rock. The problem that presented itself was that there was no visible way to pass the password to the RDP program (mstsc). Initial analysis showed that it is stored in the Windows credential vault, which I really didn't want to poke around with for the time being.
After a bit more reading it turns out that you can pass a password to the application via an RDP file; you just need to protect the password with the Win32 API, specifically the CryptProtectData function. (The post calls this hashing, but CryptProtectData is DPAPI encryption: with the default flags the blob is tied to the DPAPI keys of the user who produced it, so anyone running as that user can decrypt it again, and the resulting .rdp file is not usable as another user or, generally, on another machine.) Now this initially got me all happy because there is some documentation out there showing the use of Win32 API calls via DllImport.
Sadly I learnt that just because you see one example on the internet this does not mean things are going to be easy (which I was really hoping for). It turns out that CryptProtectData requires very specific structs for its data (the DATA_BLOB input and output buffers) and there is not a single example of making DllImports with custom structs in PowerShell on the net (prove me wrong, but late at night you tend to miss some of them).
After getting totally stumped at this point I tried a ton of other ways to get this done. The one simple alternative was to create a .Net DLL (in your language of choice) that would make the call for me, but I really did not want to have to load a DLL every time or compile the code on the fly in PowerShell (which again is relatively easy).
After much poking I finally found a way to build a struct in PowerShell (as part of the Invoke) and lo and behold everything pretty much fell into place after that. So I present you with hash-password.ps1. At the moment it needs to be dot sourced to be used, but I don't mind that since it is what I needed originally (a function to protect the password). I am pretty sure there are other people that can do better, and if you do please show me how so that I can use it.
The string generated by that function can be placed in a .RDP file as such:
password 51:b:<insert the hash here>
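As an added example (this is not hash-password.ps1 and not the DllImport-with-structs approach the post describes), the same `password 51:b:` value can be produced with the .Net wrapper around CryptProtectData, System.Security.Cryptography.ProtectedData, which hides the DATA_BLOB marshalling. The server name, user name, password and output path below are constructed placeholders. The round-trip function at the end makes the DPAPI caveat concrete: the same user on the same machine gets the plaintext back, so the .rdp file is as sensitive as the password itself.

```powershell
# Added example: build the "password 51:b:" value for a .rdp file via the managed
# wrapper for CryptProtectData rather than a hand-written DllImport.
Add-Type -AssemblyName System.Security   # ProtectedData lives in System.Security.dll

function ConvertTo-RdpPassword {
    param([Parameter(Mandatory=$true)][string]$Password)
    # mstsc expects the password as UTF-16LE bytes before it is handed to CryptProtectData
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    # ProtectedData.Protect calls CryptProtectData with user scope: the blob is bound to
    # the DPAPI keys of the calling user, not to the target server.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, 'CurrentUser')
    # .rdp files carry the blob as hex with no separators
    return ([System.BitConverter]::ToString($blob) -replace '-', '')
}

function New-RdpFile {
    param(
        [string]$Server,
        [string]$Username,
        [string]$Password,
        [string]$Path
    )
    $hex = ConvertTo-RdpPassword -Password $Password
    @(
        "full address:s:$Server",
        "username:s:$Username",
        "password 51:b:$hex",
        "prompt for credentials:i:0"
    ) | Set-Content -Path $Path -Encoding Unicode   # mstsc itself saves .rdp files as UTF-16
    return $Path
}

# Round trip: decrypts only for the user (and DPAPI keys) that produced the blob.
function Test-RdpPassword {
    param([string]$Hex, [string]$Expected)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, 'CurrentUser')
    return ([System.Text.Encoding]::Unicode.GetString($plain) -eq $Expected)
}

# Usage with constructed values; writes lab.rdp into the temp folder of the current user
$file = New-RdpFile -Server 'rdp.example.internal' -Username 'lab\tester' `
                    -Password 'P@ssw0rd!' -Path (Join-Path $env:TEMP 'lab.rdp')
Get-Content $file
Test-RdpPassword -Hex (ConvertTo-RdpPassword -Password 'P@ssw0rd!') -Expected 'P@ssw0rd!'
```

Test-RdpPassword returns True when run by the account that generated the blob; copy the .rdp file to another account or machine and the same call (and mstsc) will fail to decrypt it, which is the behaviour to plan for when a brute forcer generates these files.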
Thanks
RC1140
Facebook stalking anyone?
Doesn’t it suck when you click through on a “silent J” HJOT individual’s profile photo only to find that said TOIJT individual hasn’t shared any of their photos - you probably let out a quiet “Oh for fucks sakes!”. Well I’m here to tell you I have a simple remedy to…
Powershell fun part2
Who needs wget when you can do this in PowerShell :P
(New-Object System.Net.WebClient).DownloadFile("<replace this with the URL you want to download>", "<replace this with the absolute path of the file you want to save the data to>")
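Added example, not part of the original post: the one-liner above trusts whatever the server returns, so a practitioner's version checks a known SHA-256 digest before keeping the file. To run offline the source file is constructed locally and fetched over a file:// URL, which WebClient handles the same way as http://.

```powershell
# Added example: DownloadFile plus a digest check, so a file fetched over plain HTTP
# is not kept unless its SHA-256 matches a value obtained out of band.
function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

function Get-VerifiedFile {
    param(
        [string]$Url,
        [string]$Path,
        [string]$ExpectedSha256
    )
    $client = New-Object System.Net.WebClient
    $client.DownloadFile($Url, $Path)
    $actual = Get-FileSha256 -Path $Path
    if ($actual -ne $ExpectedSha256.ToLower()) {
        Remove-Item $Path -Force          # never leave an unverified file on disk
        throw "Digest mismatch for $Url : expected $ExpectedSha256, got $actual"
    }
    return $Path
}

# Offline demonstration with a constructed source file served over file://
$src = Join-Path $env:TEMP 'source.txt'
Set-Content -Path $src -Value 'hello from the source' -Encoding ASCII
$url = (New-Object System.Uri($src)).AbsoluteUri        # file:///C:/.../source.txt
$dst = Join-Path $env:TEMP 'downloaded.txt'

# Correct digest: the download is kept and the path is returned
Get-VerifiedFile -Url $url -Path $dst -ExpectedSha256 (Get-FileSha256 -Path $src)

# Wrong digest: the file is removed and an error is raised
try   { Get-VerifiedFile -Url $url -Path $dst -ExpectedSha256 ('0' * 64) }
catch { Write-Host "Rejected: $_" }
```

Swap the file:// URL for an http:// or https:// one and the functions work unchanged; the digest should come from somewhere other than the download server itself, otherwise the check proves nothing.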
Powershell Fun
I have been having tons of fun with PowerShell recently; I think it's time I shared some of my fun.
First things first, load up PowerShell. It comes installed in all versions of Win7 if I remember correctly. Hit Win+R then type powershell.
Next paste the following code by right clicking in the PowerShell window.
[xml]$page = (New-Object System.Net.WebClient).DownloadString("http://localhost/api")
Obviously you need to replace http://localhost/api with whatever web service you want to play with.
I'll leave it up to you to investigate what you can do with the $page variable.
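An added example (not from the post) of what the [xml] cast gives you: the string becomes a System.Xml.XmlDocument, so the response can be walked as properties, filtered in the pipeline or queried with XPath instead of being regex-scraped. The document below is constructed so the block runs offline; a real call would replace $raw with the DownloadString result.

```powershell
# Added example: navigating an XML response after the [xml] cast.
# Constructed document standing in for the output of http://localhost/api
$raw = @'
<?xml version="1.0"?>
<api>
  <hosts>
    <host name="web01" os="Windows Server 2008 R2" state="up"><port>80</port><port>3389</port></host>
    <host name="db01" os="Windows 7" state="down"><port>1433</port></host>
    <host name="fs01" os="Windows Server 2008 R2" state="up"><port>445</port><port>3389</port></host>
  </hosts>
</api>
'@
[xml]$page = $raw

# Elements and attributes become properties; repeated elements become arrays
$page.api.hosts.host | ForEach-Object { "$($_.name) ($($_.os)) is $($_.state)" }

# Filtering in the pipeline: hosts that are up and expose RDP.
# $_.port is a string when a host has one <port>, an array when it has several;
# -contains handles both.
function Get-RdpHosts {
    param([xml]$Doc)
    $Doc.api.hosts.host |
        Where-Object { $_.state -eq 'up' -and $_.port -contains '3389' } |
        ForEach-Object { $_.name }
}
Get-RdpHosts -Doc $page

# The same query in XPath, handy once the selection gets more specific
$page.SelectNodes("//host[@state='up']/port[text()='3389']/..") | ForEach-Object { $_.name }
```

Both queries return web01 and fs01 for the constructed document; the pipeline form is easier to read, the XPath form is easier to keep precise when elements nest more deeply.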
The frog
A guy walks down the road and walks past a frog. The frog calls out: "If you kiss me, I'll turn into a beautiful princess." He bends down, picks up the frog and puts it in his pocket.
The frog speaks up again and says: "If you kiss me, I'll turn into a beautiful princess. I will tell everyone how smart and brave you are, and that you are my hero." The guy takes the frog out of his pocket, looks at it, smiles and puts it back into his pocket.
The frog speaks up again and says: "If you kiss me, I'll turn into a beautiful princess and be your loving companion for a month." The guy takes the frog out of his pocket, looks at it, smiles and puts it back into his pocket.
A little frustrated, the frog speaks up again and says: "If you kiss me, I'll turn into a beautiful princess and be your loving companion for a year. I'll do ANYTHING that you want."
The guy takes the frog out of his pocket, looks at it, smiles and puts it back into his pocket. Very irritated, the frog asks him: "What is the matter, why don't you want to kiss me?" The guy replies: "You see, I'm a computer programmer, and don't really have time for a girlfriend... but a talking frog is cool."
