Tag Archives: Security

MS Fest Prague 2016 – Short Recap

msfest2016

Last weekend I had the pleasure of being invited to speak at MS Fest in Prague. This was the second year in a row for me that I was speaking at this event and it was once again great to attend and to have the opportunity to meet with people from the other side of Europe.

During the conference I did talked about PowerShell security in which I discussed the different kinds of logging that are available in PowerShell and how they can be utilized to find out what is happening on your system. Furthermore we went into Ransomware, what it is, how it operators and what we can do about it.

My slides and code are, as always, available on my GitHub account:

GitHub – Jaap Brasser – Events – MS Fest Praha

To give you an impression of the event I have included some photos taken during MS Fest:

 

Quickly and securely storing your credentials – PowerShell

During the last PowerShell event I quickly demo’ed the Export-CliXml functionality to quickly, easily, and most importantly, securely store credentials to a file. In this article I will describe the following three steps:

  • Store credentials in a variable
  • Export the variable to a file
  • Import the credential object from the file into a variable

To get a credential object we can either manually create one or use the Get-Credential cmdlet to prompt for the account details:

1
$Credential = Get-Credential

To store the credentials into a .cred file:

1
$Credential | Export-CliXml -Path "${env:\userprofile}\Jaap.Cred"

And to load the credentials from the file and back into a variable:

1
2
$Credential = Import-CliXml -Path "${env:\userprofile}\Jaap.Cred"
Invoke-Command -Computername 'Server01' -Credential $Credential {whoami}

StoreCredentials

The advantage of this methodology is that you can leverage the versitility of PowerShell to ensure that the data is not only exported, but also stored in a secure manner using secure strings. It should be noted that these credential files that are created can only be opened by the same user on the same system. It can be used to store any type of credentials, both local accounts and domain accounts can be saved in this manner.

Note that you are not limited to storing a single set of credentials in this manner, you could use any number of accounts, for example the following example will prompt for 3 different sets and store them in a hash table. This can then be exported/imported in a similar manner:

1
2
3
4
5
6
7
8
9
10
$Hash = @{
    'Admin'      = Get-Credential -Message 'Please enter administrative credentials'
    'RemoteUser' = Get-Credential -Message 'Please enter remote user credentials'
    'User'       = Get-Credential -Message 'Please enter user credentials'
}
$Hash | Export-Clixml -Path "${env:\userprofile}\Hash.Cred"
$Hash = Import-CliXml -Path "${env:\userprofile}\Hash.Cred"
Invoke-Command -ComputerName Server01 -Credential $Hash.Admin -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.RemoteUser -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.User -ScriptBlock {whoami}

MSFest Prague 2015 – Slides and Code

MSFestBanner

At the end of November I had the pleasure to attend and speak at MSFest in Prague. This event aimed at the Czech IT Professional and Developer community had a wide variety of topics and I was asked to do two sessions on PowerShell. I presented the following two sessions:

  • PowerShell Security features and threat management
  • PowerShell Advanced Toolmaking

PowerShell Advanced Toolmaking

I have put the presentation and the code online in my Events GitHub repository.

All links in this article are available here:

Links in this Article
MS Fest Praha
Jaap Brasser – GitHub
MSFest Prague 2015 – Code and Slides

Experts Live event in the Netherlands

Experts_Live_website_logo

Today Experts Live is kicking off in one hour, this is the biggest community driven event for IT Professionals in the Netherlands. There are more than 40 technical sessions presented by community and technical leaders and I am proud to be presenting here on PowerShell today.

ExpertsLiveSpeakerInfo

If you are unable to join the event today I will be sure to I will share the materials I presented over the next couple of weeks. For more information about this event, please have a look at the site here:
www.expertslive.nl

My day at TechEd Pre-conference

Yesterday I attended the TechEd Europe 2013 Pre-conference. I had signed up for the ‘Lessons from the Field: Useful Hacker Techniques for Administrators’ session by Hasain Alshakarti, Paula Januszkiewicz and Marcus Murray. They were quite knowledgeable on the subject matter and presented their information in an interesting way.

To give a short overview of the topics that were covered:

  • Use a vulnerable .aspx page on an IIS server in combination with several methods of escalation of privilege to compromise a Active Directory domain.
  • Managed Service Accounts as a method to harden application servers
  • Abusing Direct Memory Access used by Firewire/Thunderbolt to compromise a fully patched Windows 8 machine using the Inception tool
  • Using offline registry to compromise a machine
  • Using Aerodump to snif and hack networks
  • www.cloudcracker.com is a website that cracks WPA2 passwords in twenty minutes
  • Using mimikatz to grab username and password from memory
  • Using findstr.exe to grab plain text passwords / hashed passwords from virtual machine memory snapshots
  • Core Impact Professional, a hacking / administrative tool that can useful in both scenarios. Either as a emergency response tool or as a malicious tool to take control of computers.
  • Rubberducky: A usb key that acts as a keyboard which can be used to bypass UAC and other security features to quickly install malware on a sytem.
  • Volitility a memory analysis tool which can be used to gather a variety of information from a dump file. Including passwords and credential hashes

Downloads for this session are available at:

http://sdrv.ms/11ka1Ju
http://cqure.pl
http://truesec.com