Tag Archives: Security

Decipher obfuscated URLs with PowerShell

I recently received a message on Skype from a friend I had not talked to for a while, and I was happy to see it was spam. Not because it was spam, but because it was using an encoded URL. After taking a quick look at the structure I thought, this is definitely something I can decode.

To me this looked like hexadecimal code, and I quickly threw together a PowerShell one-liner to decode this. Note that I skip the first six characters because:

-join [char[]](
'%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D' -split '%' |
Where-Object {$_} | ForEach-Object {[Convert]::ToInt32($_,16)})

This provides us with the following output:

jaapbrasser.com

Because this is a little bit hard to read, let’s break it up into chunks:

$Split      = '%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D' -split '%'
$Split      = $Split | Where-Object {$_}
$Integers   = $Split | ForEach-Object {[Convert]::ToInt32($_,16)}
$Characters = [char[]]$Integers
-join $Characters

So let’s go line-by-line through what the code does:

  1. Split the code on the %-character
  2. Skip the first entry, because we split on %, the first result will be empty and can cause errors later
  3. Convert the hexadecimal number to integers using the Convert type accelerator
  4. Convert the integers to Char by strong typing them to a Char array
  5. Use the join operator to turn it into a string

So now that we have this complete, we no longer have to guess where the encoded link is going to lead us. In my case, the link of my friend happened to take me to a Russian website trying to get me involved in binary option trading.

For more information about percent encoding as a concept, have a look at the Wikipedia page over here:

Wikipedia – Percent-Encoding
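
The one-liner above assumes that every character is encoded and that each one is ASCII. The following added example (not the author's published function; the name Expand-PercentEncodedUrl and the sample inputs are constructed for illustration) extends it to partially encoded URLs and multi-byte UTF-8, leaves malformed escapes untouched, and counts escapes of characters that RFC 3986 never requires to be encoded, as in the fully encoded link above:

```powershell
# Added example, not the author's published function. The function name and
# the sample inputs are constructed for illustration.
function Expand-PercentEncodedUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Text
    )
    process {
        # Decode each run of %XX triplets as one UTF-8 byte sequence so that
        # multi-byte characters survive; everything else is copied unchanged.
        $decoder = [System.Text.RegularExpressions.MatchEvaluator]{
            param($Match)
            $bytes = [byte[]]@(
                $Match.Value.Substring(1) -split '%' |
                    ForEach-Object { [Convert]::ToByte($_, 16) }
            )
            [System.Text.Encoding]::UTF8.GetString($bytes)
        }
        $decoded = [regex]::Replace($Text, '(?:%[0-9A-Fa-f]{2})+', $decoder)

        # Escapes of letters, digits, '-', '.', '_' and '~' are never required
        # by RFC 3986; they only make the URL harder to read.
        $unreserved = '(?i)%(?:2[DE]|3[0-9]|4[1-9A-F]|5[0-9AF]|6[1-9A-F]|7[0-9AE])'
        $needless   = [regex]::Matches($Text, $unreserved).Count

        [pscustomobject]@{
            Original        = $Text
            Decoded         = $decoded
            NeedlessEscapes = $needless
        }
    }
}

# Constructed samples: the fully encoded host from the article, a partially
# encoded URL containing a UTF-8 character, and a malformed escape.
@(
    '%6A%61%61%70%62%72%61%73%73%65%72%2E%63%6F%6D'
    'https://example.com/caf%C3%A9?q=a%20b'
    '100%zz'
) | Expand-PercentEncodedUrl | Format-List
```

For the decoding step alone, the built-in [uri]::UnescapeDataString() method can be used instead of the regular expression.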

I have created a function to be able to perform this conversion in the future, and I made it available on GitHub, TechNet Gallery and the PowerShell Gallery.

Wrapup of BSides Amsterdam 2017

Last Friday I had the pleasure to speak at BSides Amsterdam, a security-centered conference that hosted its first iteration in Amsterdam. I could not pass up on the opportunity to attend this event. Here is an excerpt about the BSides concept from their site at bsidesams.nl:

Security BSides is a community-driven framework for building events, by and for, information security community members. These events are already happening in major cities all over the world! We are responsible for organizing an independent BSides-Approved event in Amsterdam, for the Netherlands.

It was a full day with topics ranging from hardware hacking to botnet infrastructure. With 13 sessions on a single day it was very interesting to take part in this event and to be able to speak and network with professionals from all different sides of the spectrum. I have attached some pictures to give you an impression of the day at BSides Amsterdam:

At the event I spoke about using PowerShell to automate security and specifically about how to detect malicious activity. All the code and slides are as always available in my Events GitHub repository:

Automating security with PowerShell

I also shared this slidedeck and my others on SlideShare:

PowerShell and Security – Presentation at iSense

As mentioned in the previous blog post I was invited to speak at iSense to talk about PowerShell and Security. This event was fully sponsored by iSense, who provided the attendees with a great experience. Before my session I was briefly interviewed and the interview, in Dutch, will be available soon.

Security is a topic that continues to make headlines around the world and as a result, PowerShell is mentioned more often, either as a method to exploit or to prevent and secure your system. In this presentation I showed how PowerShell can be configured to provide insight into what scripts and tools are running in your environment and how to secure your PowerShell endpoints using Just Enough Administration, JEA.

The audience after 90 minutes of PowerShell and Security

After the presentation I received a lot of questions about PowerShell in general and the Dutch PowerShell User Group. We will soon be holding another PowerShell User Group meeting; for more information visit the following link: 10th DuPSUG Meeting. At the time of writing there are still a few tickets available for this event on the 9th of March.

Furthermore, at the Dutch PowerShell User Group we are working on putting out some events that are a bit more beginner oriented. For anyone who is interested in learning more about PowerShell stay tuned as we have a lot of good interesting stuff in the works.

The presentation deck and the slides are as always available on GitHub:
GitHub – Jaap Brasser – Events – iSense2017

For more information I have provided an overview of all the links in this article:

PowerShell and Security @ iSense
GitHub – Slides and code
iSense
Dutch PowerShell User Group
IT Future Lab – PowerShell and Security


Next week: Presenting at iSense on PowerShell and Security

Recently I was invited by iSense to come and speak at one of their technical evenings. On the 16th of February I will be speaking on PowerShell and Security. To quote a short excerpt from the iSense website:

This demo-rich session goes into detail on some best practices on securing PowerShell and highlights and the steps that have been taken in PowerShell 5.0 that allow you to do so. In the first section of this evening we will touch some of the basic concepts of security that we have available to us in PowerShell. Then Jaap will go into detail how you can correctly implement them by demoing the functionality.

For more information on this head over to:
PowerShell and Security – The how, what and why

There are still tickets available, so if you are interested in PowerShell, Security or a combination of both I would be more than happy to meet you there.


MS Fest Prague 2016 – Short Recap


Last weekend I had the pleasure of being invited to speak at MS Fest in Prague. This was the second year in a row for me that I was speaking at this event and it was once again great to attend and to have the opportunity to meet with people from the other side of Europe.

During the conference I talked about PowerShell security, in which I discussed the different kinds of logging that are available in PowerShell and how they can be utilized to find out what is happening on your system. Furthermore we went into ransomware: what it is, how it operates and what we can do about it.

My slides and code are, as always, available on my GitHub account:

GitHub – Jaap Brasser – Events – MS Fest Praha

To give you an impression of the event I have included some photos taken during MS Fest:

Quickly and securely storing your credentials – PowerShell

During the last PowerShell event I quickly demo’ed the Export-CliXml functionality to quickly, easily, and most importantly, securely store credentials to a file. In this article I will describe the following three steps:

  • Store credentials in a variable
  • Export the variable to a file
  • Import the credential object from the file into a variable

To get a credential object we can either manually create one or use the Get-Credential cmdlet to prompt for the account details:

$Credential = Get-Credential

To store the credentials into a .cred file:

$Credential | Export-CliXml -Path "${env:\userprofile}\Jaap.Cred"

And to load the credentials from the file and back into a variable:

$Credential = Import-CliXml -Path "${env:\userprofile}\Jaap.Cred"
Invoke-Command -Computername 'Server01' -Credential $Credential {whoami}


The advantage of this methodology is that you can leverage the versatility of PowerShell to ensure that the data is not only exported, but also stored in a secure manner using secure strings. It should be noted that the credential files that are created can only be opened by the same user on the same system. It can be used to store any type of credentials; both local accounts and domain accounts can be saved in this manner.
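
The same-user, same-system protection described above applies on Windows, where Export-CliXml encrypts credentials with the Windows Data Protection API; Microsoft's documentation for Export-Clixml states that on Linux and macOS the password is only stored as a Unicode character array. The following added example (not from the original post; Test-ExportedCredential, the account name, the password and the file name are constructed) checks which of the two a given file is:

```powershell
# Added example. Account name, password and file name are constructed.
function Test-ExportedCredential {
    # Hypothetical helper: reports how the password was written to the file.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$KnownPassword
    )
    $raw = Get-Content -Path $Path -Raw

    # Export-CliXml serialises a SecureString as a hex string in an <SS> element.
    $match = [regex]::Match($raw, '<SS N="Password">([0-9A-Fa-f]+)</SS>')
    if (-not $match.Success) { throw "No SecureString password found in $Path" }
    $hex = $match.Groups[1].Value

    # Turn the hex back into bytes and read them as UTF-16. If that yields the
    # password, the file is only obfuscated, not encrypted.
    $bytes = [byte[]]@(
        for ($i = 0; $i -lt $hex.Length - 1; $i += 2) {
            [Convert]::ToByte($hex.Substring($i, 2), 16)
        }
    )
    $asText = [System.Text.Encoding]::Unicode.GetString($bytes)

    [pscustomobject]@{
        Path            = $Path
        PlaintextInFile = $raw.Contains($KnownPassword)
        HexIsUtf16Text  = ($asText -ceq $KnownPassword)
    }
}

$password   = 'Constructed-Passw0rd!'
$credential = [pscredential]::new(
    'CONTOSO\svc-demo',
    (ConvertTo-SecureString -String $password -AsPlainText -Force)
)
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'Demo.Cred'
$credential | Export-CliXml -Path $path

Test-ExportedCredential -Path $path -KnownPassword $password
Remove-Item -Path $path
```

If either property comes back as True, treat the file as plain text and protect it with file permissions or a secrets vault instead.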

Note that you are not limited to storing a single set of credentials in this manner; you could use any number of accounts. For example, the following code will prompt for 3 different sets and store them in a hash table. This can then be exported/imported in a similar manner:

$Hash = @{
    'Admin'      = Get-Credential -Message 'Please enter administrative credentials'
    'RemoteUser' = Get-Credential -Message 'Please enter remote user credentials'
    'User'       = Get-Credential -Message 'Please enter user credentials'
}
$Hash | Export-Clixml -Path "${env:\userprofile}\Hash.Cred"
$Hash = Import-CliXml -Path "${env:\userprofile}\Hash.Cred"
Invoke-Command -ComputerName Server01 -Credential $Hash.Admin -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.RemoteUser -ScriptBlock {whoami}
Invoke-Command -ComputerName Server01 -Credential $Hash.User -ScriptBlock {whoami}


MSFest Prague 2015 – Slides and Code


At the end of November I had the pleasure to attend and speak at MSFest in Prague. This event, aimed at the Czech IT Professional and Developer community, had a wide variety of topics and I was asked to do two sessions on PowerShell. I presented the following two sessions:

  • PowerShell Security features and threat management
  • PowerShell Advanced Toolmaking

PowerShell Advanced Toolmaking

I have put the presentation and the code online in my Events GitHub repository.

All links in this article are available here:

Links in this Article
MS Fest Praha
Jaap Brasser – GitHub
MSFest Prague 2015 – Code and Slides