Get the TLS cipher suite order

Last year, Microsoft published an advisory about a vulnerability in Schannel where weak/insecure ciphers were used in TLS sessions. More recently, Microsoft also published an update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows.

In the above advisory, they introduced a GPO setting where you can set a new cipher suite order. Nice, I love it.
But wait, without that GPO setting,…

  • How do I know what is the order of ciphers being used?

The question was answered on this stackoverflow.com forum page.
Unfortunately it doesn't work with PowerShell 2.0 (the default version) on Windows 7, and I get the following error:
[screenshot: inptrsize-operator]

  • What about newer systems?

The code proposed on the stackoverflow.com forum page works on Windows 8.1 with PowerShell 4.0. There is also a module called TLS, but it doesn't have the Get-TlsCipherSuite cmdlet 😦
[screenshot: tls-module-on-windows81]

On Windows 10, there is more in the TLS module and Get-TlsCipherSuite is available 🙂

On Windows 10, to get the order of ciphers, you simply do:

(Get-TlsCipherSuite).Name
  • How can I get the order of ciphers whatever the operating system and its version of PowerShell?

I've slightly changed the code proposed on the stackoverflow.com forum page: line 49 replaced by 48 😎
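As an added example (not the stackoverflow code nor the post's own gist), here is a version-independent way to list the configured order and flag the suites a defender normally wants gone: it uses Get-TlsCipherSuite where it exists and otherwise falls back to the Schannel registry values (the GPO value, then the OS default). Note the caveat: the registry reflects the configured list, while Get-TlsCipherSuite / BCryptEnumContextFunctions reflect what Schannel actually honours, so suites the OS does not support may appear in the registry view only. The list of weak substrings is an assumption to adapt to your own policy.

```powershell
function Get-CipherSuiteOrder {
    # Windows 10 / Server 2016 and later ship the TLS module with Get-TlsCipherSuite
    if (Get-Command -Name Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return (Get-TlsCipherSuite).Name
    }
    # Older systems: read the registry. The policy value (written by the "SSL Cipher Suite
    # Order" GPO) is a comma-separated REG_SZ and takes precedence; the Local value is the
    # OS default order stored as REG_MULTI_SZ.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($value) {
            return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
}

function Test-CipherSuiteOrder {
    # Substrings identifying suites to flag (assumed list, adjust to your own baseline)
    param([string[]]$Weak = @('NULL', 'RC4', '3DES', 'DES_CBC', 'EXPORT', 'MD5', 'PSK'))
    $position = 0
    foreach ($suite in Get-CipherSuiteOrder) {
        $position++
        $hit = $Weak | Where-Object { $suite -match $_ } | Select-Object -First 1
        New-Object PSObject -Property @{
            Position = $position
            Name     = $suite
            Weak     = [bool]$hit
            Reason   = $hit
        }
    }
}

# Show only the suites that match a weak pattern, with their position in the negotiation order
Test-CipherSuiteOrder | Where-Object { $_.Weak } | Format-Table Position, Name, Reason -AutoSize
```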

Additional links
Documented cipher suites per OS
Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
BCryptEnumContextFunctions function
CRYPT_CONTEXT_FUNCTIONS structure
BCryptFreeBuffer function

Testing WSUS server operational status

During the summer, someone asked the following question on the WSUS patchmanagement.org mailing list:
[screenshot: wsus-monitoring-question]

I replied and immediately thought that Pester would do the job, and quickly showed how he could test whether he can connect to the console.

I actually have more than one WSUS server to manage. So I started separating the environment configuration data from the Pester test code, much the same way Mike F. Robbins did in his recent post, where he goes far beyond what I did.

I think it’s a great idea and here’s what I did in my case to monitor my WSUS server operational status.

To get started, I copied the Pester module onto my WSUS server, imported the module and ran the following in the ISE:

# helper to create the required files and folder if not present
New-Fixture -Path  ~/Documents/Pester -Name Test-WSUS
# Put the config data into that file:
psEdit ~/Documents/Pester/Test-WSUS.ps1
# Put the pester code into that file:
psEdit ~/Documents/Pester/Test-WSUS.Tests.ps1

After the first 3 commands, here's what the ISE console looked like:
[screenshot: pester-new-fixture-wsus-tests]

The first file, Test-WSUS.ps1, looks like this by default.
It will be used to store my configuration data.
[screenshot: pester-wsus-tests-01]

The second file, Test-WSUS.Tests.ps1, is where I'll write the Pester test code:
[screenshot: pester-wsus-tests-02]

After editing the first file Test-WSUS.ps1 like this (fake data in this case):
[screenshot: pester-test-wsus-file]

…and the second file Test-WSUS.Tests.ps1 like this:

…I'm actually ready to assess the operational readiness of my WSUS configuration by running the following cmdlet:

Invoke-Pester -Script ~/Documents/Pester/Test-WSUS.Tests.ps1
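The post's two files are only shown as screenshots, so here is an added example of what the pair can look like (not the post's own files): the first block is the content of Test-WSUS.ps1, holding only configuration data, and the second is Test-WSUS.Tests.ps1 built on the New-Fixture skeleton. It assumes Pester 3.x syntax and the WSUS administration assembly present on the server; the server name, port and paths are constructed placeholders.

```powershell
# ---- Test-WSUS.ps1: configuration data only (values are constructed placeholders) ----
$WsusConfig = @{
    Server      = 'wsus01.example.com'
    Port        = 8530                   # 8531 when UseSsl is $true
    UseSsl      = $false
    Services    = 'WsusService', 'W3SVC'
    ContentPath = 'D:\WSUS\WsusContent'
    MinFreeGB   = 20
}

# ---- Test-WSUS.Tests.ps1: the New-Fixture skeleton, filled in ----
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$sut  = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.'
. "$here\$sut"   # dot-sources Test-WSUS.ps1, which only defines $WsusConfig

Describe 'WSUS operational status' {
    Context 'Windows services' {
        foreach ($svc in $WsusConfig.Services) {
            It "service $svc is running" {
                (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status | Should Be 'Running'
            }
        }
    }
    Context 'Network and console' {
        It "listens on TCP port $($WsusConfig.Port)" {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.Connect($WsusConfig.Server, $WsusConfig.Port)
            $client.Connected | Should Be $true
            $client.Close()
        }
        It 'accepts an administration API (console) connection' {
            [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
            $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
                $WsusConfig.Server, $WsusConfig.UseSsl, $WsusConfig.Port)
            $wsus.Version | Should Not BeNullOrEmpty
        }
    }
    Context 'Content store' {
        It 'content folder exists' {
            Test-Path -Path $WsusConfig.ContentPath -PathType Container | Should Be $true
        }
        It "has at least $($WsusConfig.MinFreeGB) GB free" {
            $drive = (Get-Item -Path $WsusConfig.ContentPath).PSDrive.Name
            (Get-PSDrive -Name $drive).Free / 1GB | Should BeGreaterThan $WsusConfig.MinFreeGB
        }
    }
}
```

Because the tests only read $WsusConfig, the same Tests file can be reused for every server by swapping the data file.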

[screenshot: wsus-server-config-invoke-pester]

I still feel like a Pester newbie, but no doubt that Pester rocks 😎

French-speaking PowerShell community, mark your calendars

An avalanche of good news for the start of the season, isn't that great? PowerShell is open source and available on Linux and macOS, and the first FRPSUG has been created so we can discuss PowerShell in the language of Molière 😀

Several French-speaking MVPs who are passionate about PowerShell created this user group and offer you an online meeting once a month.

It is free and 100% virtual (streamed and recorded on YouTube) because our geographic spread goes far beyond France. I'm thinking of our friends from Quebec, Belgium, Switzerland, etc., who are part of it.

I love PowerShell and I'm reading these few lines > I don't want to miss this, what should I do?

What's on the menu?

[screenshot: FRPSUG-Event1]

[screenshot: FRPSUG-Event2]

… the rest at: http://www.meetup.com/FrenchPSUG/

PowerShell is all about the Community

PowerShell just reached a huge milestone, more than 10 years after Jeffrey Snover wrote the Monad Manifesto.

PowerShell is now open-source software (OSS) under the MIT license and available on GitHub.

  • Why so excited about this?

We've been waiting for it for a long time. It was made possible because Microsoft also open-sourced .NET Core and refactored PowerShell to run on top of it (aka PowerShell Core, which also runs on Nano Server).

This means that it is more and more mature and has just started to become a cross-platform, community-driven configuration and automation framework, able to manage both an API-oriented operating system (Windows) and document-oriented operating systems (Linux) from anywhere. It clearly aims at providing a consistent and sustainable experience for IT pros and developers alike.

  • What else does that mean?

Well, if it's open-sourced, it's about the community. Microsoft embraced the heterogeneity of both the community and the ecosystem, and allows its partners, its customers, anybody, to be successful.
You, or indeed anybody running any operating system (Linux, Windows and macOS), can use these ALPHA versions of PowerShell, submit issues and participate in its development.

Friday Fun: capture pokemon using PowerShell

A few years ago, I wrote a quick function to download all the Pokémon pictures from www.pokemon.com/us/pokedex so my kids could build the equivalent of the Pokédex:

[screenshot: Pokedex-01]

Beyond that, I don't know anything about Pokémon, so don't ask me anything about them 😛

Due to the recent success of Pokémon Go, I thought I should extend the function, make it more friendly and accessible,… and share it, of course 😀

If you like Pokémon and PowerShell, this page is for you. You'll discover Pokémon, get to know them and have them all at your fingertips in your favorite console.

The first thing to do is to capture all the pictures from the main site:
[screenshot: Capturing-pokemon-ISE-03]

The function aims to download all the files. You can launch it, interrupt it and relaunch it: it will resume where it left off until it finishes. You need at least 720 JPEG files (the current total of Pokémon) in the Pokedex folder for the other functions to work.
The Build-Pokedex function always ends by displaying how many Pokémon exist.

[screenshot: Capturing-pokemon-ISE-04]

Now, using Find-Pokemon and Show-Pokemon is pretty straightforward:

[animation: Find-Pokemon / Show-Pokemon in the console]

If you just pipe the two cmdlets together, the picture will be shown:

Find-Pokemon -Name Kyurem | Show-Pokemon 

[screenshot: Show-pokemon-01]

If you use the -Online switch, the default browser should open the web page corresponding to the Pokémon you looked for:

Find-Pokemon -Name Kyurem | Show-Pokemon -Online

[screenshot: Show-pokemon-02]

To discover new Pokémon at random, you can do:

0..720 | Get-Random | Find-Pokemon | Show-Pokemon -Online

Enjoy and have fun 😎

post-exploitation: using PS 5.0 security settings to hide code execution

I've started playing with all the new security features introduced in PowerShell 5.0 (ScriptBlock logging, protected event log and transcripts) mentioned in the PowerShell ♥ the Blue Team post.

All the following assumes that the target machine has already been breached, that you already have admin credentials on the box. It does not take advantage of any vulnerability.

Here’s the context of the scenario, let’s assume that:

  • the target computer, already owned, is a Windows 10 computer
  • you’ve admin credentials on that box
  • a group policy was set and at least configures both ScriptBlock logging and protected event logging (just in case there are credentials in the code): see for example my previous post

or let’s say

  • I’m a local admin of a Windows 10 computer
  • My domain admin set a GPO that configured all the new WMF 5.0 settings: transcript, scriptblock logging and protected eventlog
  • I don’t want him or anybody to look over my shoulder

The goal is to hide the execution of a command in plain sight without touching the disk even if there’s already a Group Policy that enables scriptblock logging, protected eventlog and transcription.

How? By

  • using another public key, created on the fly, that replaces the one in the GPO settings
  • turning off transcripts if they are on
  • gracefully restoring the initial GPO parameters that configure protected event logs and transcripts

The first part of the code is not hidden while it runs: it makes a lot of noise and can be detected by the usual means.
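From the defender's side, the noisy first part is exactly where this scenario can be caught: the GPO-enforced values under HKLM:\SOFTWARE\Policies are swapped locally until the next policy refresh. The following added example (not the post's gist) is a baseline check that reports any drift in the three WMF 5.0 logging policies; the expected certificate thumbprint and transcript path are placeholders for your own values, and the function name is mine.

```powershell
function Test-PowerShellLoggingBaseline {
    param(
        [string]$ExpectedThumbprint    = 'REPLACE_WITH_ORG_CERT_THUMBPRINT',   # placeholder
        [string]$ExpectedTranscriptDir = '\\fileserver\transcripts$'           # placeholder
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    # Registry locations written by the ScriptBlock logging, Transcription and
    # Protected Event Logging group policies
    $checks = @(
        @{ Name='ScriptBlockLogging'; Key="$base\PowerShell\ScriptBlockLogging";  Value='EnableScriptBlockLogging';    Expect=1 },
        @{ Name='Transcription';      Key="$base\PowerShell\Transcription";       Value='EnableTranscripting';         Expect=1 },
        @{ Name='TranscriptDir';      Key="$base\PowerShell\Transcription";       Value='OutputDirectory';             Expect=$ExpectedTranscriptDir },
        @{ Name='ProtectedEventLog';  Key="$base\EventLog\ProtectedEventLogging"; Value='EnableProtectedEventLogging'; Expect=1 },
        @{ Name='EncryptionCert';     Key="$base\EventLog\ProtectedEventLogging"; Value='EncryptionCertificate';       Expect=$ExpectedThumbprint }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        # EncryptionCertificate may hold a thumbprint, a subject name or a base64 certificate,
        # so look for the expected thumbprint inside it instead of comparing for equality
        $ok = if ($c.Name -eq 'EncryptionCert') { "$actual" -match [regex]::Escape($c.Expect) }
              else { "$actual" -eq "$($c.Expect)" }
        New-Object PSObject -Property @{
            Setting  = $c.Name
            Expected = "$($c.Expect)"
            Actual   = "$actual"
            Drift    = -not $ok
        }
    }
}

# Surface only the settings that no longer match the baseline; run it on a schedule,
# and complement it with auditing of registry writes to these keys
Test-PowerShellLoggingBaseline | Where-Object { $_.Drift } | Format-Table Setting, Expected, Actual -AutoSize
```

Any 4104 event in Microsoft-Windows-PowerShell/Operational that is encrypted but cannot be decrypted with the organisation's private key is the other tell-tale sign that a foreign certificate was in place.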

The code is available in the following gist/link

Let’s see it in action as a picture is worth a thousand words:

[screenshot: attack-demo-01]

[screenshot: attack-demo-02]

As you can see, I've added two switches: one to leave transcription on and one to export the public and private keys of the new certificate used on the fly. Without the two switches, it doesn't touch the disk (well, forensically speaking it still does, because the registry, certificate stores, event logs,… are modified).

If I don't have the private key, I cannot decrypt the message in the protected event logs 😦
But if I import the private key left on disk and use the code from my previous post, I can see:
[screenshot: attack-demo-04]

As I left transcription on, I can also see:
[screenshot: attack-demo-03]

It's a nice convenient way to stop everybody watching what you do, isn't it 😉

Reading protected event logs

I've been working with many certificates, or rather their private keys, used to decrypt the protected event logs (initially encrypted with their public key).

The good news is that you can add as many private keys as you want: they will all be used to decrypt protected messages. Microsoft did a pretty good job on the Unprotect-CmsMessage cmdlet.

Lee Holmes originally presented in the PowerShell ♥ the Blue Team post how to post-process the content of protected event log messages using the following command:

Get-WinEvent Microsoft-Windows-PowerShell/Operational |
Where-Object Id -eq 4104 | Unprotect-CmsMessage 

Get-WinEvent is a very powerful cmdlet, but it doesn't natively know about protected messages.
No problem, here's the way to extend its ability to recognize and decrypt protected messages 😀

First, I import the private keys into my Personal store like this:

# Import every exported private key (PFX) found in the profile into the current user's
# Personal store, so that Unprotect-CmsMessage can use all of them
if (Test-Path -Path "$($HOME)\privatekey_*.pfx" -PathType Leaf) {
    Get-ChildItem -Path "$($HOME)\privatekey_*.pfx" | ForEach-Object {
        # the PFX files were exported with this password
        Import-PfxCertificate -FilePath "$($_.FullName)" -CertStoreLocation Cert:\currentuser\My -Password (ConvertTo-SecureString -AsPlainText '12345678' -Force)
    }
}

The second step consists of adding the isProtected and UnprotectedMessage properties on the fly and passing the result to the Out-GridView cmdlet at the end:
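The post's version of this step is only shown as a screenshot, so here is an added example of the same idea (my code, not the post's): each 4104 event is tagged as protected when its message carries a CMS envelope, decryption is attempted with every private key in Cert:\CurrentUser\My through Unprotect-CmsMessage -EventLogRecord, and UnprotectedMessage stays empty when no key matches. The NeedsAttention column and the function name are my additions.

```powershell
function Get-ProtectedScriptBlockEvent {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
    ForEach-Object {
        $event = $_
        # Protected event logging replaces the clear-text message with a CMS envelope
        $isProtected = $event.Message -match '-----BEGIN CMS-----'
        $clear = ''
        if ($isProtected) {
            try {
                # Unprotect-CmsMessage tries every private key available in the user's store
                $clear = Unprotect-CmsMessage -EventLogRecord $event -ErrorAction Stop
            } catch {
                # no matching private key: keep UnprotectedMessage empty, as in the screenshot
                $clear = ''
            }
        }
        $event | Select-Object Id, TimeCreated, MachineName,
            @{ n = 'isProtected';        e = { $isProtected } },
            @{ n = 'UnprotectedMessage'; e = { $clear } },
            @{ n = 'NeedsAttention';     e = { $isProtected -and -not $clear } }
    }
}

# Encrypted events that none of our keys can open are the ones to investigate
Get-ProtectedScriptBlockEvent | Out-GridView -Title 'Protected event logs'
```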

Everything looks normal…
[screenshot: Read-protectedEventLog-01]

Until… Notice the second event: it's encrypted, but I don't have the private key loaded in my store to decrypt it, so its UnprotectedMessage property is empty.
That doesn't sound good 😉
[screenshot: Read-protectedEventLog-02]