Monday, January 14, 2013

Automating Screenshots with PowerShell

Penetration tests can become very hectic at a moment's notice. One second you are casually reviewing HTML source for a target website and the next dropping a webshell and hooking browsers before staying up all night trying to gain persistent domain-admin access to the enterprise. Keeping notes during hectic times can be difficult, tedious and potentially distracting. Sometimes, it pays to have something taking notes for you. I like to utilize both a key-logger that does time stamping and take frequent screenshots.

There are applications that can take screenshots for you at regular intervals and in the past I used an AutoIt macro to printscreen and save. That works well when I am on my own machine, but what if I was at a kiosk or doing an insider assessment from one of their workstations? I needed a PowerShell script that could take a screenshot at regular intervals, time stamp it, save it to a file and not tamper with the contents of the clipboard.

While looking for a good script to start from, I found this one that uses inline C# which seemed a little over-the-top. Another one seemed simple and straight-forward so I started working with it. After getting the function built, I was quickly annoyed with data from the clipboard disappearing. I knew I had to find another way. After digging through MSDN for an hour, I found the Bitmap Class and the System Info Class.

After loading the System.Windows.Forms assembly, I created a function that will be called to take the screenshot and save it to the disk:


Next we need a way to distinguish each file and a way to stamp them with the time it was taken:


Now we just need to settle on parameters, add this to a do-while loop and wrap the whole thing in a try-catch block. The result is Get-TimedScreenshot:

Get-TimedScreenshot     

Instead of downloading or installing additional software, we now have a script that will take periodic screenshots.  The images can be large so I wouldn't recommend leaving it running overnight, but its great to help you fill in gaps in note-taking at the end of a long hacking session.

***Updated 8/6/2013: The maintained version of this script can by found within the PowerSploit framework here.



There is also a clear post-exploitation use for the function. You can schedule it to run and maybe add a check to see if the screensaver is running to make sure you aren't wasting space. I think the function is pretty flexible and with event triggering and an email function could potentially be used as a simple parental alert system. As is, it works for my purposes which is to remind me what I did today. I hope you find it useful and thanks for reading. In case you were wondering, it works well with multiple monitor setups:



Please let me know if you have any issues, bugs or questions. Hopefully, I will see you at Shmoocon and Firetalks. Also, if you are in town, check out Shmoocon Epilogue.  The other talks look really good, but I get the chance to present "No Tools? No Problem! Building a PowerShell Bot." It will cover chaining simple tasks like this one into a nefarious PowerShell script.

-Chris

Thursday, January 10, 2013

Test Antivirus with EICAR and PowerShell

Typically, penetration testers are able to demonstrate a complete compromise of their customer's systems without flagging antivirus products. There are many methods of bypassing antivirus that can be used, but sometimes customers begin to wonder if their AV is working at all. The EICAR test file is an innocuous file that was created for that exact problem.

The EICAR test file can be download from here, but it is also trivial to generate yourself. New-Eicar is a PowerShell function that can be used to ensure that your antivirus is properly flagging new files. Originally, I wanted to create a script that would generate the eicar.com file and then wait for it to be deleted. Unfortunately, testing the script resulted in different results based on the different product responses and the product's settings. So I settled on just generating the file and letting the AV product alert (like this):


Here is the code, but the maintained version will be on github:

New-Eicar Function     

Running it on a machine with AV should result in this:



Let me know if you have any questions or improvement suggestions!

-Chris

Monday, January 7, 2013

Resolve Shortened Links in Bulk with PowerShell

Recently, I was working on a task that required resolving hundreds of shortened URLs that were being parsed by another script. Shortened URLs are often used to obscure or hide the actual location from a casual user in the hopes that they will click on it.

I needed something that could take pipeline input (objects passed from another script) and handle a variety of shortening services and was unable to find anything that met those requirements. Get-ShortenedURL is a PowerShell function that uses .Net to parse out the redirect URL (or more precisely the URI) and return it. Errors aren't really handled in a useful way, so you may want to add a "Write-Verbose" statement if you are interested in error handling.

Get-ShortenedURL Function

There are serious OPSEC concerns with using this method when dealing with malware or targeted attacks. The script is going to leave a record that it resolved the URL.  There are services that can help with that and most shortening sites have an API which exposes the long URL. However, this can be used in a pinch to prevent being sent to a classic music video or to resolve bulk addresses.



-Chris