Hackers of India

PowerPreter: Post Exploitation Like a Boss

By Nikhil Mittal on 03 Aug 2013 @ Defcon



Abstract

Powerpreter is "The" post exploitation tool. It is written completely in PowerShell, which is present on all modern Windows systems. Powerpreter has the multiple capabilities which any post exploitation shell worth its salt must have, minus the detection by anti-virus or other countermeasure tools. Powerpreter has, to name a few, functions for stealing information, logging keys, dumping system secrets, in-memory code execution, getting user credentials in plain text, introducing vulnerabilities, stealing/modifying the registry, running a web server and impersonating users. It is also capable of backdooring a target using multiple methods/payloads which could be controlled using top third-party websites. Based on the available privileges, it could be used to pivot to other machines on a network and thus execute commands, code, PowerShell scripts etc. on those. It also contains a web shell which includes all these functionalities. It also has a limited ability to clean up the system and tinker with logs. Almost all the capabilities of Powerpreter are persistent across reboots, memory resident and hard to detect. Powerpreter uses PowerShell, which enables it not to use any "foreign" code. It could be deployed in a skeleton mode which pulls functionality from the internet on demand. It aims to improve Windows post exploitation practices and help in the most important phase of a pen test. The talk will be full of live demonstrations.

AI Generated Summary (may contain errors)


The speaker is demonstrating a tool called Powerpreter, which is a web shell that allows for remote control and execution of commands on a Windows machine or network. The tool is named after Yimlat, the God of death, and has a UI designed to resemble a PowerShell shell. It allows for file upload and download, script execution, and command execution on remote machines. The speaker showcases the features of Powerpreter, including its ability to encode and execute scripts using compressed postscript by Carlos Perez.

The tool is still in development and has some limitations, such as requiring community testing and having issues with key logging from partial remoting sessions. Additionally, backdoors can be detected with careful traffic analysis due to the fixed time interval polling of the source.

The speaker concludes by thanking fellow PowerShell hackers and friends, and announces another interesting PowerShell talk scheduled for the next day.